March 2017 - keycloak-user - Jboss List Archives

by Anunay Sinha

Hi I am using keycloak as security layer and working towards enabling social login. Social login was working and I was able to integrate Facebook with just configurations using the doicuments. However I have a requirement where in I need to provide an API end points for the same. Our mobile devices will be communicating to facebook via the app and will have the token from the facebook (Implicit Flow). I will then be exchanging the token with keycloak for the keycloak access token. I have two questions 1. Is this approach correct, if not why 2. How can I achieve this. I was thinking of writing a custom authenticator (Am not sure if thats the right approoach as I have to register user are well if FB Access token user is not available with us (We can afford to login user and with jsut emailID as we can onbaord new users later) I am blocked because authenticator is not working with any build from 2.4.0 onwards Let me know if my approach is correct and if so how to proceed about it.

7 years, 2 months

3
2
0 / 0

Not able to invoke keycloak admin REST apis from wildfly container

by Ganga Lakshmanasamy

Hi, I am not able to invoke keycloak admin REST apis from our wildfly container. Both keycloak and wildfly are ssl enabled and our app is using keycloak authentication. We are getting SSLHandshakeFailure error while trying to invoke keycloak's admin rest api to disable user. We are just making a client request. Below is the error, "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" Regards, Ganga Lakshmanasamy

7 years, 2 months

2
1
0 / 0

ParsingException Unknown xsi:type

by Daniel Janoška

Hi, I'm trying to setup my keycloak as SAML broker identity with external IDp but with no luck. I've setup my Identity Provider with IDP FederationMetadata/2007-06/FederationMetadata.xml. I login with external Idp successfully but after Keycloak receives SAML Assertion I'm getting some Parser exception [1] Could you please provide me some solution? Thank you 1. Error in base64 decoding saml message: ParsingException [location=null]org.keycloak.saml.common.exceptions.ParsingException: PL0065: Parser : Unknown xsi:type=tn:countryCodeOfBirth UT005023: Exception handling request to /auth/realms/test-auth0/broker/saml/endpoint: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException ... Caused by: java.lang.NullPointerException at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:420) Disclaimer: I'm novice. My setup: Keycloak server 2.5.4 final Oracle jdk 8 Windows 7 64bit

7 years, 2 months

1
0
0 / 0

Additional token claims dynamically set via login by external Id Provider

by Matuszak, Eduard

Hello Keycloak Team For logins taking place via keycloak login mask, I am able to edit a user property "on the fly" in user-storage-provider's isValid-method and can add it into the token (after adding an appropriate mapper for the corresponding client): @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) .. List<String> attr_dyn_list = new ArrayList<String>(); attr_dyn_list.add("attr_dyn_val"); local.setAttribute("attr_dyn", attr_dyn_list); .. Now I also want to set an additional claim dynamically into an access token when a user tries to log in (not only the first time) via an external Id Provider. Is there any hook I can override to do so or is this feature planned to be implemented in near future? Best regards, Eduard Matuszak

7 years, 2 months

2
2
0 / 0

JAAS plugin and roles

by Amat, Juan (Nokia - US)

I was trying to use this login module with an application deployed on Wildfly 10: org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule And it kind of worked. By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work. The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group. This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_M... says: "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal. The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set. The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login." A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work. Am I doing something wrong? Thank you.

7 years, 2 months

2
4
0 / 0

Multi tenancy quesiton

by Roman Nikolaevich

Hello Guys, We are testing example from official documentation regarding multi tenancy https://keycloak.gitbooks.io/securing-client-applications- guide/content/topics/oidc/java/multi-tenancy.html So we are getting realm name from path but at some point our request is getting redirected to /sso/login url and as result realm name is lost, simply because of this method org.keycloak.adapters.springsecurity.authentication. KeycloakAuthenticationEntryPoint#commenceLoginRedirect protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException { String contextAwareLoginUri = request.getContextPath() + loginUri; log.debug("Redirecting to login URI {}", contextAwareLoginUri); response.sendRedirect(contextAwareLoginUri); } Could you please advise how to handle such situation ? We see an option to override commenceLoginRedirect method, but we are not sure that it is correct way. Thanks in advance. Br, Roma

7 years, 2 months

1
0
0 / 0

Admin REST New User Client Roles

by Sven Thoms

I am having trouble adding a default client role when posting a new user to the ADMIN REST interface. According to one data migration code, it would work: https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39 d10143b920/examples/authz/photoz/photoz-realm.json curl -v -X POST \ -H "Content-Type:application/json" \ -H 'Authorization: bearer xxxx' \ -d '{ "username": "my_user", "enabled": true, "credentials": [ { "value" : "my_password", "temporary" : false } ], "realmRoles": [ "offline_access", "uma_authorization" ], "clientRoles": { "realm-management": [ "view-clients" ] } }' \ https://mydomain/auth/admin/realms/myrealm/users The new user is created, but role mappings are not assigned. Is this another case of Admin REST API and AuthZ not working together?

7 years, 2 months

2
1
0 / 0

Keycloak is granting broader authorization entitlements to scopes on resources than specified

by KLIMPFINGER Koloman

Hi keycloak users! I've a question about using scope and resource permissions to protect my resources. To me it seems that keycloak is granting broader authorization entitlements than I specified it with the policies & permissions - a security issue from my point of view. For example keycloak - according to the entitlement token of a user - grants access to a resource and ALL its scopes, even if I only specified a permission to access only ONE scope on that resource for that user (with a policy). Is It wrong to assume that the user should only have access to the one scope? Another issue is that keycloak grants access to a resource and ALL its scopes, even if I only specified a permission to access only that resource for that user (with a policy) without a scope. Is the assumption wrong that the user should only know about the resource but not the scopes? Or is my understanding of how to handle the authorization entitlements for resources and their scopes with keycloak wrong? What would be the best practice to secure the resources and their scopes? Here I describe the scenario & point to a live example: _ The scenario _ Created Entities: User: Marta Policy: Policy-IsUser-Marta Scopes: read, write, execute Resource: resource-a (with all three scopes) Resource: resource-c (with all three scopes) Resource-Permission: resource-c -> Policy-IsUser-Marta Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta Retrieve entitlements: Get your (Martas) entitlements token and check the granted permissions - they are: - resource-a -> read + write + execute - resource-c -> read + write + execute What I would expect: - resource-a -> read - resource-c -> (no scopes) _ Sample Project _ I created a sample to see it live in action: https://github.com/kklimpfi/keycloak-scenarios It contains a keycloak-migration.json with some sample data (in master realm) + an java application that retrieves the Permissions. you can clone it and try it (configure setup script for importing and pass the system property for the java application to its configuration). (Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on Linux) kind regards, Koloman

7 years, 2 months

2
2
0 / 0

[keycloak-spring-boot-adapter] disable security via application.properties file

by Pavel Maslov

Hi all, Sometimes (for testing purposes) I need to disable keycloak security Is it possible to do so via application.properties file? Right now apart from the properties file I also have to comment out these dependencies and rebuild the project: compile 'org.keycloak:keycloak-spring-boot-adapter:2.5.1.Final' compile 'org.keycloak:keycloak-tomcat8-adapter:2.5.1.Final' Regards, Pavel Maslov, MS

7 years, 2 months

1
0
0 / 0

Session timeout settings on a per application basis

by Alexander Chriztopher

Hi, We would like to know whether this is now available or not ? I have found the following thread that was sent in 12/2014 : http://lists.jboss.org/pipermail/keycloak-user/2014-December/001295.html Thanks for your answers.

7 years, 2 months

2
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user March 2017