Authorization on resources that belong to different "groups"
by Gabriel Trisca
Hi there,
We've integrated Keycloak auth and authz to an existing REST service which
serves endpoints like this:
GET /api/report?country={country}
GET /api/status?country={country}
GET /api/history?country={country}
As far as I understand, the only way to protect these resources is to
create "global" resources (/api/report, /api/status etc.), but then we
can't validate if the current user is authorized to make requests for a
given "country":
The other alternative would be to include the country name in the URI, but
this would lead to duplication of resource definitions:
/api/report/country1
/api/report/country2
/api/status/country1
/api/status/country2
...
We considered including a list of the countries the user has access to as
an attribute in the access_token, but that would require manually
maintaining said attribute.
Is there another way that would accommodate this kind of authentication
requirements?
Thanks in advance!
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
7 years, 9 months
Creating group mappers for ldap
by Sumit Das
Hi
We are using Keycloak 2.5.4. We are trying to create custom group mappers
for LDAP by creating a Myfactory.class which extends
AbstractLdapStorageMapperFactory and the implementation of the mapper as
MyMapperLdapProvider which extends AbstractLdapStorageMapper.
We have followed the documentation provided by Keycloak for deployment
of the jar and implementation of the mapper.
Once it is in the providers or deploy folder, we do not see our custom mapper in
the drop-down of the mapper section of the user federation provider.
We are not sure whether we are following the right approach or the right design
to create the mapper.
Please help us to identify what we are doing wrong. Any suggestions or
direction are highly appreciated.
Regards
Sumit
7 years, 9 months
How to mock LDAP user login with expired password
by Adrian Madaras
Hi everyone,
I know that showing a message if the user's password is expired is a security breach, but I need this for my development purposes. I've managed to implement this in LDAPStorageProvider.java using Thread.local and then sending the appropriate message to the front end in the AbstractUsernameFormAuthenticator.java class.
Everything is fine and dandy, but I want to write an integration test to check that everything works as it should. The problem is I don't know how to mock an LDAP user that has an expired password. I've searched Google but found no answer.
Can someone help me?
Thanks,
Adrian
7 years, 9 months
(no subject)
by JiJesH V U
I have these 2 Keycloak configurations for per-app role mapping. I have
configured the role per app and assigned it to the user. When I remove a
particular role from app1 it can still log in. This should not happen. What am I doing
wrong here?
regards,
jijesh v u
mob: +91 9037329817
7 years, 9 months
Disabling token Host validation for introspect?
by Dmitry Korchemkin
I have 2 gateway proxies, A and B, through which I can access the realm and retrieve
an OIDC token. The issuer is set in the token to either A or B.
When I then send a request to an introspect endpoint with a token from A through
gateway B, I get {"active": false} as a response.
Through testing I've found that the request returns proper data when the issuer in
the token equals the gateway I access it from.
Is there a way to disable that Host check for introspect? I do not have
direct control over which gateway introspect will be accessed through, and
manually fixing the Host header proves difficult due to numerous security fixes
in Java.
7 years, 9 months
How to retrieve Organizational Unit from LDAP?
by Celso Agra
Hi all,
I'd like to retrieve the organizational unit (ou) from the LDAP Mapper and set
this in the User Attributes.
When I get a user from LDAP, it sets an attribute called LDAP_ENTRY_DN with
the value "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1".
So, I'd like to retrieve just the ou info "group" and set this to the user
attribute.
Would it be possible to do that? Is there some mapper type just to retrieve
this information?
Best Regards,
--
---
*Celso Agra*
7 years, 9 months
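Whatever mapper ends up doing the work, the step that trips people up is splitting the DN itself: a naive split on "," breaks as soon as a value contains an escaped comma. The following is an added example (not Keycloak code and not from the post) that parses an RFC 4514 string DN with backslash and hex escapes honoured and returns the ou values in order, using only the Python standard library; the sample DN is the one quoted above.

```python
# Added example (not from the post or from Keycloak): extract the "ou" values
# from an LDAP distinguished name such as the one stored in LDAP_ENTRY_DN.
from __future__ import annotations

import string


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute, value) pairs, in order.

    Backslash escapes are honoured, so a comma inside a value ("cn=Smith\\, John"
    or the hex form "cn=Smith\\2c John") does not start a new RDN. Multi-valued
    RDNs joined with "+" are left as one value; they are rare in user entries.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(chr(int(hexpair, 16)))   # "\2c" -> ","
                i += 3
            else:
                buf.append(dn[i + 1])               # "\," -> ","
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def organizational_units(dn: str) -> list[str]:
    """All "ou" values, in DN order (closest to the entry first)."""
    return [value for attr, value in parse_dn(dn) if attr == "ou"]


def first_ou(dn: str) -> str | None:
    """The single ou closest to the entry, or None if the DN has no ou."""
    ous = organizational_units(dn)
    return ous[0] if ous else None


if __name__ == "__main__":
    sample = "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"   # DN from the post
    print(first_ou(sample))   # group
```

For a directory with nested units (ou=dev,ou=eng,...), organizational_units returns every level, so the mapper can choose whether to store the nearest unit or the whole chain.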
Using the nodejs-connect adapter without a logout route
by Jonathan Little
The nodejs-connect adapter's middleware() function includes automatic setup
of a logout route which redirects to the keycloak server to logout the
authenticated user. The relative path to the logout route is customizable
via the options object, but there is no specified way to opt out of the
logout route. Looking at logout.js in the source I can see that passing
something which will never resolve as equal to request.url would result in
the logout route always being skipped, which is workable but is a hack.
I'm looking at using this for a backend service which will not do user
login/logout management at all but will only be doing checks for
authorization details. I don't see a need for logout functionality on such
a service. I can see three possibilities:
1) I'm looking at this the wrong way, and I actually do want logout
functionality for some reason.
2) I'm looking at it the right way, and the aforementioned hack is the
"normal" way to do it, but undocumented.
3) There's a feature request hiding here for a config option on
middleware() to opt out of the logout middleware.
(3) seems most plausible to me at this point but I don't want to jump into
feature request mode with an incomplete understanding of the situation. Any
opinions?
7 years, 9 months
Keycloak and rfc7523#section-2.1
by jim-keycloak@spudsoft.co.uk
Hi,
I need Keycloak to support something equivalent to
https://tools.ietf.org/html/rfc7523#section-2.1 (Using JWTs as
Authorization Grants).
My use case is that we are a SaaS provider with a number of different
products.
Where we have common functionality between different products we have a
plugin UI (Angular) that is embedded within the host product and that
talks to a dedicated REST endpoint (that is independent of the host product).
The plugin UI has to provide authorisation through to its REST endpoint,
and that authorisation has to identify the specific state of the user (a
client access token is not sufficient).
My intention is for the host product to ask KeyCloak for an assertion
(creating a federated user on the fly), then give that assertion to the
plugin UI, which will ask KeyCloak to exchange it for an access token.
The host product cannot directly request an access token because it will
be a different client from the plugin UI (quite apart from it being
'wrong' to pass an access token around) (the host product is a
confidential client, the plugin UI is not).
In a general implementation of "Using JWTs as Authorization Grants" the
assertion ought to be generatable via any mechanism as long as KeyCloak is
able to validate the signature.
For my usage it is important that the assertion contains information
that the client (the plugin UI) cannot access, which would require
support for JWEs in a general implementation.
By having the assertion generated by KeyCloak I am able to store
information from the assertion request and not put that information into
the assertion itself, getting around the need for JWEs.
So I've been doing some playing with SPIs in KeyCloak to see what I can
achieve without requiring changes to the core.
I have a "GenerateAssertionResource" that is implemented using
RealmResourceProvider.
This generates a token based on passed in arguments (after
authenticating the client), and also stores a federated user.
I also have a BearerTokenUserStorageProvider that can validate passwords
that contain assertions.
This setup works, I can satisfy my use case, but it's not exactly RFC
compliant.
To make this better, what I'd like to have is:
* Support for JWEs.
At the moment the only Java JWE library that I've come across is
Nimbus JOSE, but I suspect you consider that a competitor :)
Support for JWEs would also enable opaque access tokens, which would
be nice to see.
* Support for a grant_type of
urn:ietf:params:oauth:grant-type:jwt-bearer in TokenEndpoint.
This would be easy to add as another hard coded grant type, though
it might be nice to see an SPI used to validate grant_types enabling
further extension in future.
* Somehow the DirectGrant flow would need to support authenticators
that are not based on passwords.
It's easy to write another authenticator (that was my first approach
to this problem) but the Direct Grant flow has Password as Required
(and it's not possible to set Password as Alternative).
I need to support password grants as well, so replacing the flow
doesn't work for me.
This would still require the implementation of SPIs to actually use JWTs
as Authorization Grants, but there are different approaches that they
could take.
A generic implementation would have to be quite complex.
I'd be happy to produce a PR for the changes to TokenEndpoint and the
Password authenticator if that would help.
Jim
7 years, 9 months
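To make the RFC 7523 pieces in the post concrete, here is an added example (not Jim's SPI code and not Keycloak's TokenEndpoint) that builds the assertion the host product would hand to the plugin UI, the token request the plugin UI would send with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer, and the checks from RFC 7523 section 3 that the token endpoint must perform before exchanging it. HS256 with a shared secret stands in for the signing key Keycloak would use (an assumption made to keep the example dependency-free; a real deployment uses an asymmetric key so the client cannot mint assertions), and the issuer and audience URLs are placeholders.

```python
# Added example: RFC 7523 JWT authorization grant, client side (section 2.1)
# and the server-side validation (section 3). Standard library only.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(key: bytes, issuer: str, subject: str, audience: str,
                   ttl: int = 300, now: int | None = None, jti: str = "id-1") -> str:
    """Build the signed assertion the host product obtains (HS256 stands in for
    the server's real signing key; that is an assumption of this example)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request(assertion: str) -> dict:
    """Form parameters the plugin UI posts to the token endpoint (RFC 7523 2.1)."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}


def validate_assertion(assertion: str, key: bytes, expected_audience: str,
                       trusted_issuers: set, now: int | None = None,
                       seen_jti: set | None = None) -> dict:
    """Checks from RFC 7523 section 3; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm rather than trusting the header (blocks alg=none and
    # key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if claims["iss"] not in trusted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims["aud"]
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= int(claims["exp"]):
        raise ValueError("assertion expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("assertion not yet valid")
    if seen_jti is not None:                    # one-time use: replay protection
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            raise ValueError("assertion replayed")
        seen_jti.add(jti)
    return claims


if __name__ == "__main__":
    secret = b"demo-shared-secret"                              # constructed
    token_url = "https://keycloak.example/auth/realms/demo"     # placeholder
    a = make_assertion(secret, "host-product", "user:alice", token_url)
    print(token_request(a)["grant_type"])
    print(validate_assertion(a, secret, token_url, {"host-product"})["sub"])
```

The jti bookkeeping is what turns the assertion into a single-use credential; without it, an assertion that leaks from the plugin UI (a public client) stays exchangeable until exp.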
Installing keycloak behind IIS to secure a WildFly app
by Steven Ireland
I had success installing Keycloak locally and securing a local WildFly application. I log in, WildFly hands me off to Keycloak, Keycloak passes me back and the app kicks off.
However, when I run outside of the local network I can have WildFly pass me to Keycloak, but after I provide valid credentials I do not get passed back. I'm running behind IIS and use URL rerouting (https externally to http internally). I've installed SSL for IIS but have not installed Keycloak to run using SSL.
Is it required that Keycloak run under its own SSL configuration (instead of using the SSL I installed for IIS)? If so, can I use the same certificate I installed for IIS? And does my WildFly app need to run under its own SSL setup in order for Keycloak to be able to handshake with it?
This is new territory for me, so I apologize if my questions don't make sense. But if anyone has this scenario I would appreciate knowing which path I should be going down.
Thanks.
Steve
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of keycloak-user-request(a)lists.jboss.org
Sent: Friday, April 7, 2017 6:38 AM
To: keycloak-user(a)lists.jboss.org
Subject: keycloak-user Digest, Vol 40, Issue 10
Today's Topics:
1. How to mock LDAP user login with expired password (Adrian Madaras)
2. 401 for spring security adapter + spring boot + long session
(Aritz Maeztu)
3. Using the nodejs-connect adapter without a logout route
(Jonathan Little)
4. Creating group mappers for ldap (Sumit Das)
5. Re: [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in
(Jacobs, Michael)
6. Parametric Client Configuration (matteo restelli)
7. (no subject) (JiJesH V U)
----------------------------------------------------------------------
Message: 2
Date: Thu, 6 Apr 2017 18:22:43 +0200
From: Aritz Maeztu <amaeztu(a)tesicnor.com>
Subject: [keycloak-user] 401 for spring security adapter + spring boot
+ long session
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <91ce51df-90bf-f9f7-e0ce-30e6013baf8b(a)tesicnor.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
I have an application where I want its users to be able to stay logged in for a long time (about one year before the session ends). I'm using Spring Boot + Spring Security and the Keycloak Spring Security adapter
(2.5.4 final). The Keycloak server is 2.2.1. What I've done:
Set up the realm to permit long lived sessions:
Session Idle: 365 days
Session max: 365 days
Offline session idle: 30 days
Access token lifespan: 1 Minute
Lifespan for implicit flow: 365 days
Then, in my application (single server and single keycloak client, confidential access type) I set up this environment variable:
server.session-timeout: 525600
Then in my front-end I've got AngularJs integrated, works as a Single page application and performs some routing without refreshing the whole page.
My problem:
When I leave the application idle (for around 30 minutes), after performing some request to any REST endpoint, I get a 401 code. The application works again when I press F5 and refresh the page. The problem only occurs when I access the REST endpoints without requesting the whole page again.
Am I missing something?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Tel. Aritz Maeztu: 948 68 03 06 Tel. Secretaría: 948 21 40 40
Before printing this e-mail, consider whether it is really necessary: the environment is everyone's concern.
------------------------------
Message: 5
Date: Fri, 7 Apr 2017 00:34:05 +0000
From: "Jacobs, Michael" <Michael.Jacobs(a)nuance.com>
Subject: Re: [keycloak-user] [EXTERNAL] Re: Overriding
AssertionConsumerServiceURL in
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID:
<BN6PR05MB2964114EDDF4239B0C29A99BF80C0(a)BN6PR05MB2964.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
I solved this by making my own identity provider SPI that extends from SAMLIdentityProvider, but adds this feature, taking the override from the standalone.xml
I will try to do something similar with the Email Template SPI.
From: Jacobs, Michael [mailto:michael_jacobs@nuance.com]
Sent: Wednesday, April 05, 2017 8:32 AM
To: Bill Burke <bburke(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [EXTERNAL] Re: [keycloak-user] Overriding AssertionConsumerServiceURL in
So what you are saying is that Keycloak, acting as an SP, will send this URL to the IdP, but the IdP can choose not to use it, and just send responses to our F5?
Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5?
Thanks for your help with this,
MJ
On Apr 5, 2017 8:01 AM, Bill Burke <bburke(a)redhat.com> wrote:
The SP can send ACS URL, this URL will only be used if it is validated
against the Redirect URI patterns that are registered in the
configuration of the client. Does that answer your question?
On 4/4/17 6:07 PM, Jacobs, Michael wrote:
> For our application we created a SAML Identity Provider to proxy authentication to an outside source. However, we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?
>
> We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
------------------------------
Message: 6
Date: Fri, 7 Apr 2017 12:24:01 +0200
From: matteo restelli <teoreste(a)gmail.com>
Subject: [keycloak-user] Parametric Client Configuration
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID:
<CABZhS3y4y55-fKbLktUBZUgKmOQ2=K6WdwzESgoBL_z9VQOg3g(a)mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi all,
Is it possible to make client URLs parametric?
I mean, is it possible to set environment variables and reference them
inside the client configuration panel?
Thank you in advance,
Matteo
------------------------------
End of keycloak-user Digest, Vol 40, Issue 10
7 years, 9 months
Request for ${REALM} support for path field in policy enforcer (keycloak, json)
by Stephane Granger
Hi,
It would be nice to be able to use ${REALM} in the path field of the policy
enforcer config.
The use case is to simplify (a bit) multi-tenant support. I'm working on a
system to support multiple tenants with many applications. When adding a
tenant, a realm is created in keycloak. Then, the keycloak clients are
added in that realm based on the tenant's application selection.
Some of these clients use the authorization support feature and also use
policy enforcer in their keycloak.config file.
Our system has a small database containing the list of clients for each
application, corresponding basically to the frontend and a backend of
these applications. For each client, we have a client representation
template, an optional resource server representation template. These are
used to create the client configuration under the tenant's realm in
keycloak when adding an application to a client.
There is also an optional policy enforcer field in the db. This one
is used to create the keycloak configuration corresponding to the
realm/client combination. We have a component called keycloak
configuration builder. Its role is to retrieve the client configuration
from keycloak and to add the corresponding policy enforcer. Since we have
a multi-tenant application, the realm is part of the URL and therefore ends
up in the path. For example, we have something like this:
{
  "realm": "acme",
  ...
  "policy-enforcer": {
    "paths": [
      {
        "name": "Resource name",
        "path": "/acme/operation/*",
        "methods": [....]
      }
    ]
  }
}
For this application, the policy enforcer config template would look like
this:
"policy-enforcer": {
  "paths": [
    {
      "name": "Resource name",
      "path": "/${REALM}/operation/*",
      "methods": [....]
    }...
  ]
}
It would be a lot simpler if the keycloak policy enforcer could use
${REALM} in the path. Currently, application developers have to create
their config using keycloak for their development, then extract the policy
enforcer, and replace the realm in the paths with ${REALM}. Our keycloak
configuration builder then has to substitute ${REALM} with the realm.
Thanks,
Stephane
7 years, 9 months
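Until the enforcer does the substitution itself, the configuration builder described above has to do it, and the one thing it must get right is not splicing an arbitrary string into a path pattern. Below is an added example (not Keycloak's policy enforcer and not the poster's own builder) of that rendering step in Python: it substitutes ${REALM} in each path, refuses realm names containing characters such as "/", "*" or "$" that would widen or break the pattern, and fails on any placeholder left unresolved. The template mirrors the one in the post; the method list is a constructed value.

```python
# Added example: render a policy-enforcer template for one tenant's realm.
# Not Keycloak code; the template shape follows the post, the methods are made up.
from __future__ import annotations

import copy
import re

PLACEHOLDER = "${REALM}"
# Only plain realm names may be spliced into a path pattern. A "/" or "*"
# would change which requests the enforcer matches, "$" or "{" could smuggle
# in another placeholder.
SAFE_REALM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")
LEFTOVER = re.compile(r"\$\{[^}]*\}")

TEMPLATE = {
    "policy-enforcer": {
        "paths": [
            {
                "name": "Resource name",
                "path": "/${REALM}/operation/*",
                "methods": ["GET", "POST"],      # constructed value
            }
        ]
    }
}


def render_enforcer_config(template: dict, realm: str) -> dict:
    """Return a copy of `template` with ${REALM} resolved and "realm" set.

    Raises ValueError for an unsafe realm name or an unresolved placeholder,
    so a bad tenant name fails at build time rather than at enforcement time.
    """
    if not SAFE_REALM.match(realm):
        raise ValueError(f"unsafe realm name: {realm!r}")
    rendered = copy.deepcopy(template)            # never mutate the template
    rendered["realm"] = realm
    for entry in rendered["policy-enforcer"]["paths"]:
        entry["path"] = entry["path"].replace(PLACEHOLDER, realm)
        leftover = LEFTOVER.findall(entry["path"])
        if leftover:
            raise ValueError(
                f"unresolved placeholder(s) {leftover} in {entry['name']!r}")
    return rendered


def rendered_paths(template: dict, realm: str) -> list[str]:
    """Just the resolved path patterns, handy for review logs."""
    config = render_enforcer_config(template, realm)
    return [entry["path"] for entry in config["policy-enforcer"]["paths"]]


if __name__ == "__main__":
    print(rendered_paths(TEMPLATE, "acme"))   # ['/acme/operation/*']
```

The name check is deliberately stricter than what Keycloak itself accepts for a realm name; for a builder that stamps tenant input into authorization rules, rejecting an odd name is cheaper than shipping an enforcer path that matches more than intended.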