Health Checks
by John D. Ament
Hi,
I was wondering, from an operational standpoint, does Keycloak provide any
health check mechanisms (e.g. a URI) that can be used to check if the service
is running?
John
7 years, 9 months
ADFS integration issue
by Dmitry Korchemkin
Hello,
I was trying to configure ADFS brokering in Keycloak using this article
from a few days ago:
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
However, I faced an issue when setting up the relying party trust in ADFS. The
article suggests I give ADFS this URL:
https://<hostname>:8443/auth/realms/saml-broker-authentication-realm/broker/adfs/endpoint/descriptor.
This page indeed produces an XML with all the configuration options.
It is consumed by ADFS with no visible errors (when I had a cert mismatch it
was refusing to import), but Keycloak prints the following in its log:
15:06:57,850 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-3) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
RESTEASY003210: Could not find resource for full path:
https://10.0.2.2:8443/auth/realms/saml-broker-authentication-realm/broker...
I'm pretty sure Keycloak does not have FederationMetadata.xml, which is why
the error appears. However, I don't see any option to tell ADFS which XML
to use when importing from a URL. When imported from a file there were no
problems and I've finished the integration successfully.
I'm using keycloak 2.5.4.Final and Windows Server 2016.
7 years, 9 months
Custom (Moderated) Self Registration Flow
by Adam Perry
Hi,
I am fairly new to Keycloak and evaluating it for our organisation.
For our system, I would like to enable self-registration; but to customise
the self registration flow. (I have seen this requirement named “moderated
registration” in other products/discussions).
For example, when a user signs up,
- They should initially be blocked (or if not, they just won’t have any
roles/permissions assigned);
- An email should be sent to administrator(s) informing them of the signup
- Within the email provide a link to “confirm access” (or the link would
add user to a group)
Any hints as to how I might go about this? I can see that SPIs and/or
“Script Execution” within a new registration flow might help.
Or do I need to build a custom registration application using the API?
Regards,
Adam.
7 years, 9 months
AccessToken authorization is always null using Jetty adapter
by Gabriel Trisca
Hello,
I'm attempting to set up resource permission enforcement on a simple
Dropwizard application (Jersey->Jetty).
I believe the PolicyEnforcer is set up correctly, because I see debugging
info along these lines:
DEBUG [19:04:23.574] [dw-41] o.k.a.PreAuthActionsHandler - adminRequest
http://localhost:9090/v1/XXXX
DEBUG [19:04:23.601] [dw-41] o.k.a.j.c.JettyRequestAuthenticator -
Completing bearer authentication. Bearer roles: [uma_authorization]
DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - User
'c9e8208e-56f5-42e0-9efb-f8d05600f5de' invoking '
http://localhost:9090/v1/XXXX' on client 'XXXX-api'
DEBUG [19:04:23.601] [dw-41] o.k.a.RequestAuthenticator - Bearer
AUTHENTICATED
DEBUG [19:04:27.781] [dw-41] o.k.a.AuthenticatedActionsHandler -
AuthenticatedActionsValve.invoke http://localhost:9090/v1/XXXX
DEBUG [19:04:30.341] [dw-41] o.k.a.a.PolicyEnforcer - Policy enforcement
is enable. Enforcing policy decisions for path [
http://localhost:9090/v1/XXXX].
DEBUG [19:05:22.741] [dw-41] o.k.a.a.AbstractPolicyEnforcer - Checking
permissions for path [http://localhost:9090/v1/XXXX] with config
[PathConfig{name='XXXX Resources', type='uma:XXXXXX', path='/v1/XXXX/*',
scopes=[], id='43bd3cdf-c15b-487a-a259-79e8de00d764',
enforcerMode='ENFORCING'}].
DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Policy enforcement
result for path [http://localhost:9090/v1/XXXX] is : DENIED
DEBUG [19:11:56.719] [dw-41] o.k.a.a.PolicyEnforcer - Returning
authorization context with permissions:
127.0.0.1 - c9e8208e-56f5-42e0-9efb-f8d05600f5de [24/Mar/2017:23:11:56
+0000] "GET /v1/XXXX HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
453164
Specifically, the error occurs when Keycloak attempts to retrieve an
"Authorization" object from the AccessToken. This authorization object is
always null and the permissions cannot be loaded.
Without permissions, the request is marked as Unauthorized.
Is there something that I'm missing here? As far as I know everything is
configured correctly, I can evaluate policies on the Keycloak admin
console, and the client is set up as access type "confidential". I can see
the resource definitions from Keycloak being loaded when the app launches.
Any help greatly appreciated.
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
7 years, 9 months
Custom attributes on login page.
by Ishwar Kanse
Hi,
We have added a custom attribute birthyear for all our Keycloak users. Our requirement is to ask the user for his username, password and birth year when he logs in. Can you guide us on how to achieve this?
Thanks
7 years, 9 months
Policy Enforcer in Spring Security Adapter
by Илья Король
Hi. I've just tried to make it work again but failed. I defined all
resources in Keycloak and added the appropriate configs to keycloak.json for
the adapter.
I used the default configs for the adapter's Spring beans, taken from the docs:
...
<security:http auto-config="false" entry-point-ref="keycloakAuthenticationEntryPoint">
    <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER" />
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
example of spring controller:
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ProfileController {

    // Returns the parsed Keycloak access token of the authenticated caller
    @RequestMapping(method = RequestMethod.GET, value = "/profile")
    public AccessToken getUserByToken() throws KeycloakApiException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        KeycloakPrincipal principal = (KeycloakPrincipal) auth.getPrincipal();
        return principal.getKeycloakSecurityContext().getToken();
    }
    ...
}
The application is running on localhost:8080/apps/{spring-endpoint}, so the
Spring root is localhost:8080/apps, and I set this URL as the base in the client
settings in Keycloak.
The strangest thing for me so far is that the adapter doesn't print any logs
related to authorization during requests; I see only this:
DEBUG org.keycloak.adapters.PreAuthActionsHandler - adminRequest
http://localhost:8080/apps/profile
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Request is to process authentication
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Attempting Keycloak authentication
DEBUG
org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator
- Completing bearer authentication. Bearer roles: [ROLE_USER, ROLE_ADMIN]
DEBUG org.keycloak.adapters.RequestAuthenticator - User
'aa93b5d9-f02a-4557-a8b6-c7f083475bd5' invoking '
http://localhost:8080/apps/profile' on client 'apps-backend'
DEBUG org.keycloak.adapters.RequestAuthenticator - Bearer AUTHENTICATED
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Auth outcome: AUTHENTICATED
DEBUG
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
- Authentication success using bearer token/basic authentication. Updating
SecurityContextHolder to contain:
org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@4259cc27:
Principal: aa93b5d9-f02a-4557-a8b6-c7f083475bd5; Credentials: [PROTECTED];
Authenticated: true; Details:
org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@c4e0280;
Granted Authorities: KeycloakRole{role='ROLE_USER'},
KeycloakRole{role='ROLE_ADMIN'}
keycloak.json:
{
  "realm": "test",
  "auth-server-url": "http://localhost:8081/auth",
  "ssl-required": "external",
  "resource": "apps-backend",
  "bearer-only": true,
  "credentials": {
    "secret": "74070785-cabf-4d28-83d7-f2dc31f081f5"
  },
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "User Info",
        "path": "/profile/userinfo",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:userinfo:view"]
          },
          {
            "method": "POST",
            "scopes": ["urn:apps-backend:scopes:userinfo:edit"]
          }
        ]
      },
      {
        "name": "User Permissions",
        "path": "/profile/permissions",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:permissions:view"]
          }
        ]
      },
      {
        "name": "User Profile",
        "path": "/profile",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:apps-backend:scopes:profile:view"]
          }
        ]
      },
      {
        "name": "User Token",
        "path": "/profile/token"
      },
      {
        "name": "User Id Token"
      }
    ]
  }
}
keycloak-server authz-dump:
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "User Info",
      "uri": "/profile/userinfo",
      "type": "urn:apps-backend:resources:profile:userinfo",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:userinfo:edit"
        },
        {
          "name": "urn:apps-backend:scopes:userinfo:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Profile",
      "uri": "/profile",
      "type": "urn:apps-backend:resources:profile",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:profile:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Permissions",
      "uri": "/profile/permissions",
      "type": "urn:apps-backend:resources:profile:permissions",
      "scopes": [
        {
          "name": "urn:apps-backend:scopes:permissions:view"
        }
      ],
      "typedScopes": []
    },
    {
      "name": "User Token",
      "uri": "/profile/token",
      "type": "urn:apps-backend:resources:profile:token",
      "typedScopes": []
    },
    {
      "name": "User Id Token",
      "uri": "/profile/idtoken",
      "type": "urn:apps-backend:resources:profile:idtoken",
      "typedScopes": []
    }
  ],
  "policies": [
    {
      "name": "Is user",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_USER\",\"required\":true}]"
      }
    },
    {
      "name": "Is merchant",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"ROLE_MERCHANT\",\"required\":true}]"
      }
    },
    {
      "name": "Edit User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:edit\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Permissions",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Permissions\"]",
        "scopes": "[\"urn:apps-backend:scopes:permissions:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View User Info",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Info\"]",
        "scopes": "[\"urn:apps-backend:scopes:userinfo:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "View Profile",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "scopes": "[\"urn:apps-backend:scopes:profile:view\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Access Profile",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Profile\"]",
        "applyPolicies": "[\"Is user\"]"
      }
    },
    {
      "name": "Token Access",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"User Token\"]",
        "applyPolicies": "[\"Is merchant\"]"
      }
    }
  ],
  "scopes": [
    {
      "name": "urn:apps-backend:scopes:permissions:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:view"
    },
    {
      "name": "urn:apps-backend:scopes:userinfo:edit"
    },
    {
      "name": "urn:apps-backend:scopes:profile:view"
    }
  ]
}
7 years, 9 months
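Added example (not code from either post or from the Keycloak project): a small consistency check that reads a constructed subset of the keycloak.json "paths" and the server authz dump from the Spring Security post and reports where the adapter config disagrees with the server (for instance the "User Id Token" entry that has no "path" on the adapter side), plus a helper that shows the token-claim distinction behind the Jetty post's null Authorization object. The permission field names "rsname" and "scopes" are an assumption.

```python
import json

# Constructed subset of the keycloak.json "paths" and the server authz dump
# quoted in the thread, using the same field names as those two files.
ENFORCER_PATHS = json.loads("""[
 {"name": "User Info", "path": "/profile/userinfo", "methods": [
   {"method": "GET", "scopes": ["urn:apps-backend:scopes:userinfo:view"]},
   {"method": "POST", "scopes": ["urn:apps-backend:scopes:userinfo:edit"]}]},
 {"name": "User Token", "path": "/profile/token"},
 {"name": "User Id Token"}]""")
SERVER_RESOURCES = json.loads("""[
 {"name": "User Info", "uri": "/profile/userinfo", "scopes": [
   {"name": "urn:apps-backend:scopes:userinfo:view"},
   {"name": "urn:apps-backend:scopes:userinfo:edit"}]},
 {"name": "User Token", "uri": "/profile/token"},
 {"name": "User Id Token", "uri": "/profile/idtoken"}]""")

def check_enforcer_config(paths, resources):
    """Return findings where the adapter's path config disagrees with the
    server's resources (an empty list means they match)."""
    by_name = {r["name"]: r for r in resources}
    findings = []
    for p in paths:
        res = by_name.get(p["name"])
        if res is None:
            findings.append(f"{p['name']}: no resource of that name on the server")
            continue
        if "path" not in p:
            findings.append(f"{p['name']}: no 'path' in keycloak.json (server uri {res.get('uri')})")
        elif p["path"] != res.get("uri"):
            findings.append(f"{p['name']}: path {p['path']} != server uri {res.get('uri')}")
        known = {s["name"] for s in res.get("scopes", [])}
        for m in p.get("methods", []):
            for scope in m.get("scopes", []):
                if scope not in known:
                    findings.append(f"{p['name']}: scope {scope} not defined on the server")
    return findings

def granted_scopes(token_claims, resource_name):
    """Scopes the token's 'authorization' claim grants on a resource, or None
    when the claim is absent.  A plain login access token has no such claim;
    only a token issued by Keycloak Authorization Services (an RPT) carries it,
    so the adapter sees a null Authorization object and the enforcer answers
    DENIED.  Permission entries are assumed to carry 'rsname' and 'scopes'."""
    authz = token_claims.get("authorization")
    if authz is None:
        return None
    return {s for perm in authz.get("permissions", [])
            if perm.get("rsname") == resource_name for s in perm.get("scopes", [])}
```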