Encryption of OIDC client secret
by Muein Muzamil
Hi,
I noticed Keycloak stores the OIDC client secret in plain text in the database. Is there a way to extend Keycloak so that we can encrypt the OIDC secret before storing it in the DB?
Thanks,
Muein
7 years, 9 months
Overriding AssertionConsumerServiceURL in
by Jacobs, Michael
For our application we created a SAML Identity Provider to proxy authentication to an outside source. However, we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?
We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.
MJ
7 years, 9 months
Keycloak vs RH SSO - cluster/load balancer
by java_os
Hi
To the JBoss devs: I wanted to know if the latest RH SSO (7.1) ships bundled with JBoss EAP?
My requirement is to domain-cluster Keycloak under Apache with mod_cluster and balance with http mod_proxy_balancer.
I know this cannot be done with Keycloak, and that is the reason why I am looking at RH SSO relating to EAP - I may be wrong.
Please help.
BTW - so quiet in the forum compared with previous months
7 years, 9 months
Building and testing keycloak custom modules/SPIs
by Martin Hardselius
Hi,
I would like to know more about how people are approaching the building and testing of custom modules / installations.
In our current setup we have a repo where we develop all our custom code.
We use gradle and the 'com.github.zhurlik.jbossmodules' plugin to build
wildfly modules from that code. Then we create a new custom docker image
from the keycloak base image and those built modules. After we've built our
custom image, a separate repo with integration tests / security tests /
etc. is built, targeting the newly created image. If everything checks out,
the image is deployed in our kubernetes cluster. Every step of the process
is automated and works kind of ok.
What I really don't like is the separation of our "module/SPI repo" and our
test suite. Ideally, I would like to write all my integration tests in the
same repo as the code that I'm testing and be able to fire them against a
running keycloak server (with my code deployed) from within my IDE. Does
this make sense? Has anyone done something like this? Is there an
alternative way to build our custom images that is better suited?
Looking forward to a discussion on this.
Regards,
Martin
7 years, 9 months
Securing an EAR file with Wildfly adapter subsystem
by Ulrik Nejsum Madsen
Hi,
We are trying to secure our application using the Wildfly adapter for Keycloak.
In the standalone.xml we have a subsystem configuration which works well when referencing a WAR file but we can't figure out how to reference a specific WAR file contained in an EAR file.
<secure-deployment name="vanilla.war">
...
</secure-deployment>
Is this even possible? Could we do something like this:
<secure-deployment name="vanilla.ear.vanilla.war">
...
</secure-deployment>
Thanks,
Anders and Ulrik
7 years, 9 months
How to configure docker-v2 auth from the UI
by Antoine Vianey
Hello,
I'm trying to use the docker-v2 protocol from https://issues.jboss.org/browse/KEYCLOAK-3592
From the PR, I managed to get a running KC and I'm able to create a REALM "docker-registry" with a docker-v2 client, but authentication through the docker cli is not working:
The docker cli is making the request right:
GET
/auth/realms/docker/protocol/docker-v2/auth?account=###&client_id=docker&offline_token=true&service=docker-registry
HTTP/1.1
User-Agent: docker/17.03.1-ce go/go1.7.5 git-commit/c6d412e
kernel/4.4.0-71-generic os/linux arch/amd64
UpstreamClient(Docker-Client/17.03.1-ce (linux))
Authorization: Basic ##############
Accept-Encoding: gzip
Connection: close
but Keycloak answers with the HTML login page...
which leads to "Error response from daemon: Get http://registry/v2/: unable to decode token response: invalid character '<' looking for beginning of value"
I performed the following actions:
- add "docker" realm
- add "docker-registry" client
- save (after setting * as valid redirect URL)
I noticed that "BASIC authentication is configured for you realm. Since
docker auth requires HTTP Basic auth, this should be the only authenticator
configured for the realm hosting the docker registry client." but didn't
get it.
What steps should I follow so that the docker cli request successfully retrieves a token instead of a login page?
Can you help so it works with a manual setup on a clean realm?
7 years, 9 months
Mapping Azure AD token_id groups to user roles
by Adrien Voisin
Hi all,
I have the following configuration:
*My application :*
Front : Angular 2
Backend : Springboot rest api
*Auth:*
Keycloak 3.0.0
Windows Azure AD
The goal is to use Keycloak and Windows Azure for authentication and permissions management of my web app.
(I followed this tutorial :
http://slackspace.de/articles/authentication-with-spring-boot-angularjs-a...
)
*Windows Azure AD*: I registered my webapp into Azure AD
*Keycloak*: I added two clients (front & back) + an identity provider (Azure).
The authentication part works well (each request is redirected to the Microsoft auth, then a user in Keycloak is added on first login).
Now I would like to use the information in the Azure token (doc:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-di...)
for permissions management.
A token from Azure AD looks like the one below:
{
typ: "JWT",
alg: "RS256",
x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
}.
{
aud: "https://contoso.onmicrosoft.com/scratchservice",
iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
iat: 1416968588,
nbf: 1416968588,
exp: 1416972488,
ver: "1.0",
tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
amr: [
"pwd"
],
roles: [
"Admin"
],
oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
upn: "sample.user@contoso.onmicrosoft.com",
unique_name: "sample.user@contoso.onmicrosoft.com",
sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
family_name: "User",
given_name: "Sample",
groups: [
"0e129f6b-6b0a-4944-982d-f776000632af",
"323b13b3-1851-4b94-947f-9a4dacb595f4",
"6e32c250-9b0a-4491-b429-6c60d2ca9a42",
"f3a161a7-9a58-4e8f-9d47-b70022a07424",
"8d4c81b2-b1ad-476d-9574-544d155aa6ff",
"1bf80164-ff24-4866-b19c-6212e5b9a847",
"76f80127-f2cd-46f4-8c52-8edd8bc749b1",
"0ba27160-44d0-42b5-b90c-47b3fcc48e35"
],
appid: "b075ddef-0efa-123b-997b-de1337c29185",
appidacr: "1",
scp: "user_impersonation",
acr: "1"
}.
The goal is to map each group item to a user role, and to update this role assignment for each new token generated.
For example, in the Identity provider / mapper section, I can add a mapper to add a role according to a claim in the token ("Claim to role mapper type").
Unfortunately I can't see how I can do that with a list of IDs.
Moreover, if the user already exists in the Keycloak database, this kind of mapping doesn't work.
Can you tell me:
1. if it's possible to do this kind of mapping with Keycloak
2. if I'm going in the right direction with the global architecture for authentication.
Thank you in advance,
Best regards,
Adrien
7 years, 9 months
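The mapping the post above asks for, as an added example that is not part of the post and not Keycloak's own mapper code: the `groups` claim of an already signature-verified Azure AD token is turned into application roles through a configured table, and the role changes for a user who already exists are computed so that a re-login resyncs roles instead of being ignored. The tenant ID, audience and group object IDs are the sample values from the token quoted in the post; the group-to-role table, the role names and the `GroupsOverageError` handling are assumptions made for this example (Azure AD omits the `groups` list and signals an overage when a user is in too many groups).

```python
"""Map Azure AD group object IDs from a verified token to application roles.

Added example; not Keycloak's mapper implementation.  The token signature,
issuer and expiry are assumed to have been verified before the claims reach
this code; only the claims dict is processed here.
"""
from __future__ import annotations

from typing import Iterable, Mapping

# Sample values taken from the token quoted in the post.
EXPECTED_TID = "b9411234-09af-49c2-b0c3-653adc1f376e"
EXPECTED_AUD = "https://contoso.onmicrosoft.com/scratchservice"

# Constructed mapping (assumption): which Azure AD group object IDs grant
# which application role.  Group IDs not listed here are simply ignored.
GROUP_TO_ROLE: Mapping[str, str] = {
    "0e129f6b-6b0a-4944-982d-f776000632af": "admin",
    "323b13b3-1851-4b94-947f-9a4dacb595f4": "editor",
    "6e32c250-9b0a-4491-b429-6c60d2ca9a42": "editor",
}

# Roles this mapping is allowed to manage.  A resync must never remove a role
# the user holds for another reason, so removals are restricted to this set.
MANAGED_ROLES = frozenset(GROUP_TO_ROLE.values())


class GroupsOverageError(Exception):
    """Azure AD omitted the groups list because the user is in too many groups."""


def roles_from_claims(claims: Mapping[str, object]) -> set[str]:
    """Return the application roles implied by the token's `groups` claim.

    Tenant (`tid`) and audience (`aud`) are checked first so that a token
    from another tenant, or minted for another API, cannot grant roles even
    if its group IDs happen to collide with the mapping table.
    """
    if claims.get("tid") != EXPECTED_TID:
        raise ValueError("token issued for an unexpected tenant")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token issued for an unexpected audience")

    # Overage: Azure AD drops `groups` and sets `hasgroups` or lists
    # "groups" under `_claim_names`.  Treating that as "no groups" would
    # silently strip every role on the next login, so fail loudly instead.
    claim_names = claims.get("_claim_names")
    if claims.get("hasgroups") or (isinstance(claim_names, dict) and "groups" in claim_names):
        raise GroupsOverageError("groups claim omitted; query the directory instead")

    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list of object IDs")
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def sync_roles(current: Iterable[str], from_token: Iterable[str]) -> tuple[set[str], set[str]]:
    """Compute (roles_to_add, roles_to_remove) for an existing user.

    Roles derived from the token are added; managed roles the token no
    longer justifies are removed; unmanaged roles are left untouched.
    """
    current_set, token_set = set(current), set(from_token)
    to_add = token_set - current_set
    to_remove = (current_set & MANAGED_ROLES) - token_set
    return to_add, to_remove


# Constructed claims mirroring the sample token in the post.
SAMPLE_CLAIMS = {
    "aud": EXPECTED_AUD,
    "tid": EXPECTED_TID,
    "upn": "sample.user@contoso.onmicrosoft.com",
    "groups": [
        "0e129f6b-6b0a-4944-982d-f776000632af",
        "323b13b3-1851-4b94-947f-9a4dacb595f4",
        "f3a161a7-9a58-4e8f-9d47-b70022a07424",  # not in the mapping table
    ],
}

if __name__ == "__main__":
    roles = roles_from_claims(SAMPLE_CLAIMS)
    # Existing user who already has "editor" plus an admin-assigned role.
    add, remove = sync_roles({"editor", "legacy-reports"}, roles)
    print(f"token roles={sorted(roles)} add={sorted(add)} remove={sorted(remove)}")
```

Run against the sample claims, the token yields `admin` and `editor`; for a user who already holds `editor` and an unrelated `legacy-reports` role, the resync adds `admin` and removes nothing. If the same user later presents a token whose groups only justify `editor`, `admin` is removed while `legacy-reports` survives, which is the "update on every new token" behaviour the post asks about without letting the mapping clobber roles it never granted.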
Integration Tests
by Gabriel Trisca
Hi all,
What is the best way to run integration tests with Keycloak? I would like
to have an embedded Keycloak server that can be brought up as a @ClassRule
or something along those lines, and then I can validate that different
users have or don't have access to resources/scopes.
I found that there is a testsuite path in Git that contains many useful
classes, like a KeycloakServer that can be initialized with a realm
exported as JSON, but this module (keycloak-testsuite-integration) is not
deployed to Maven central.
I tried to clone the repository and install that artifact locally, but I
face different errors that hint at mismatched versions in dependencies:
Caused by: java.lang.NoSuchMethodError:
org.hibernate.engine.spi.SessionFactoryImplementor.getProperties()Ljava/util/Properties;
at
org.hibernate.jpa.internal.EntityManagerFactoryImpl.<init>(EntityManagerFactoryImpl.java:124)
at
org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:890)
at
org.keycloak.connections.jpa.util.JpaUtils.createEntityManagerFactory(JpaUtils.java:63)
...
Thanks in advance.
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
P: +1 857-209-2685 • M: +1 301-433-2221 | www.cignifi.com
7 years, 9 months
Re: [keycloak-user] Overriding AssertionConsumerServiceURL in
by Jacobs, Michael
I should add we are running 2 nodes in Standalone Clustered Mode
From: Jacobs, Michael
Sent: Tuesday, April 04, 2017 3:07 PM
To: keycloak-user@lists.jboss.org
Subject: Overriding AssertionConsumerServiceURL in
For our application we created a SAML Identity Provider to proxy authentication to an outside source. However, we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?
We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate that at that level.
MJ
7 years, 9 months