Multitenancy and further segmentation
by BlackBellamy
Hey there,
we are currently developing the following web service and are uncertain
how to achieve our goals with the aid of Keycloak as IAM:
To understand the problem I'll try to explain the case from the
non-technical side:
Youth welfare sector; organizational head managing different facilities;
these facilities provide different offers; each facility has its own
employees which belong to 1..n of these offers; the employees shall
document data online about e.g. the attendees (e.g. to record progress
etc); we have to take care of very strict data protection guidelines
(especially in this sector)
Now more technically:
1) Several tenants/OUs (the facilities) will use a single web service to
record sensitive data about their patients
2) These tenants are not allowed to view other tenants' records
3) Furthermore these tenants will be graduated into departments (the
different offers)
4) A tenant's user shall be able to e.g. 'write record type A' for 1..n
departments. We'd need these roles per user (and preferably per
department, as user A may not have the same rights in each dept)
5) A tenant will have one user to manage the other users, but without
the possibility to grant himself superior rights than that
6) There shouldn't be any admin (master or other realms) that is able to
manage 'everything' online (as it implies too many possibilities for data
abuse)
Our thoughts for now are as follows:
1/2) Each facility will be represented by one realm -> strict bounds
3) A department(offer) will be represented by a group -> employees can
belong to 1..n offers
4) A user will be assigned to the roles (e.g. 'write record type A'),
BUT we won't be able to differentiate between department-specific roles
(user A may write in dept 1, but only read in dept 2)
5) Create a user with the only role: manage-users, BUT as stated here:
http://lists.jboss.org/pipermail/keycloak-user/2015-August/002814.html
He can grant himself superior rights. As JIRA is not accessible at the
moment I cannot examine the progress on that ticket.
6) Not sure about the feasibility: delete any admins and create/manage
realms over API
So far we have covered most of our goals, but have some critical
problems on items 4 - 6. Do you see any solution? Or would you recommend a
completely different strategy to cover our goals?
Thanks a lot in advance!
--
Fair winds,
Black Bellamy
7 years, 8 months
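An added example (not from the post or from Keycloak) of how the per-department rights in item 4 can be enforced once the facility is a realm and each department is a group: the tenant's application decides from the decoded token, refusing tokens from any other realm and looking up the permission only under the requested department. It assumes one subgroup per permission inside each department group and a Group Membership mapper emitting full paths into a `groups` claim; the realm, group, permission and user names are constructed.

```python
# Added example (not from the original post): per-department permission check
# over decoded Keycloak token claims. Assumed modelling: one realm per facility
# (tenant), one top-level group per department (offer) and one subgroup per
# permission inside each department, emitted into a "groups" claim by a Group
# Membership mapper with "Full group path" on, e.g. "/dept-1/write-record-A".
# Group, permission and claim names are assumptions, not Keycloak defaults.
from typing import Dict, List, Set

# Assumption: a write grant implies the matching read grant.
IMPLIED = {"write-record-A": {"read-record-A"}}


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer string Keycloak puts in the "iss" claim of tokens for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def grants_by_department(groups: List[str]) -> Dict[str, Set[str]]:
    """Turn full group paths into {department: {permission, ...}}."""
    grants: Dict[str, Set[str]] = {}
    for path in groups:
        parts = [p for p in path.split("/") if p]
        if len(parts) != 2:  # ignore paths that do not fit the model
            continue
        dept, perm = parts
        perms = grants.setdefault(dept, set())
        perms.add(perm)
        perms.update(IMPLIED.get(perm, set()))
    return grants


def can(claims: dict, expected_iss: str, dept: str, perm: str) -> bool:
    """Deny unless the token comes from this facility's realm and the user
    holds `perm` in exactly the requested department (never realm-wide)."""
    if claims.get("iss") != expected_iss:  # token issued by another realm
        return False
    return perm in grants_by_department(claims.get("groups", [])).get(dept, set())


# Constructed sample: user A may write in dept 1 but only read in dept 2.
SAMPLE_ISS = realm_issuer("https://sso.example.org/auth", "facility-north")
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISS,
    "preferred_username": "user-a",
    "groups": ["/dept-1/write-record-A", "/dept-2/read-record-A"],
}

if __name__ == "__main__":
    for dept in ("dept-1", "dept-2"):
        print(dept, can(SAMPLE_CLAIMS, SAMPLE_ISS, dept, "write-record-A"))
```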
Why use keycloak-nodejs-connect instead of general OID client?
by Alex Berg
I am trying to install the keycloak-nodejs-connect middleware into my app.
It isn't working well, so of course I'm thinking of trying a different
openid-connect client library.
What does the keycloak-nodejs-connect library do that other openid-connect
client libraries don't do? It looks like one unique thing is that it
listens for a logout request to be sent from the keycloak admin console,
but I'm not sure as docs don't exist.
7 years, 8 months
Token Request Problems when Reverse Proxying to Keycloak Server
by Roger Turnau (US - Advisory)
Hi all,
We have Keycloak set up in front of an AngularJS app. The app is served up
by an Apache server that lives in the DMZ, and it reverse proxies all
requests to a separate server behind the DMZ. We've noticed, however, that
token requests are not being successfully returned to the app, resulting in
users being logged out when, for instance, they do a page refresh. Or they
get logged out instantly when the Javascript adapter's authentication
iframe does its heartbeat check with the Keycloak server.
Our best guess at this point is that this is an Apache issue rather than a
Keycloak issue -- that our eventual solution will probably involve checking
our virtual host configuration, etc -- but I still wanted to see if anyone
could answer the following questions:
1. Has anyone run into the same sorts of reverse proxying issues? If so,
how did you solve them?
2. What are the risks if, while searching for a solution, we were to
temporarily move the Keycloak server into the DMZ, so that it is hosted on
the same server that Apache is set up on? Is that an acceptable temporary
fix while we work to resolve the underlying problem?
Thank you,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
7 years, 8 months
NullPointerException with empty attribute
by Rains, Chris
Hi,
I’m seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value. Here’s a snippet of the stack trace:
Caused By: java.lang.NullPointerException
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)
Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType. Therefore, I think we would just need to add a null check at the beginning of convertToType:
if (attributeValue == null) return null;
Would this be a reasonable solution?
Thanks!
- Chris Rains
7 years, 8 months
Tracking user session lifecycle in providers
by Dmitry Telegin
Hi,
Is it possible for a Keycloak provider to track user session
creation/disposal/etc., for example, by subscribing to some events?
I've looked through different event types in Keycloak, but couldn't
find anything relevant to user session lifecycle.
If not possible ATM, do you think this is worth being added to mainline
Keycloak?
Thanks,
Dmitry
7 years, 8 months
Grabbing messages flow between oidc client and Kc
by Tech
Dear experts,
we are running the following test between a client written in PHP and
deployed on IIS and KC (2.5.4) using OIDC.
Our main configuration:
* ClientID and Name: IIS-client
* Enabled [On]
* Consent Required [Off]
* Protocol [Oidc]
* Access type [confidential]
* Standard flow enabled [On]
* Implicit Flow enabled [Off]
* Direct access grant enabled [On]
* Service accounts enabled [Off]
* Authorization Enabled [Off]
* Root Url [http://localhost:56579/*]
* Valid redirect [http://localhost:56579/]
* Admin [http://localhost:56579/]
We challenge this configuration from our VB code where:
Redirection
code =
WbCGHl6Btf5QemAJ3aGEsaBx-0zxnyiC1Hsx7hYIQFU.4ead731d-871a-4ba9-bbdd-1bcb251616dc
state = ayyd9co1zzcar83
sClientId = IIS-client
sClientSecret = b1c08260-5f8d-4f18-95e4-6928e340d1d2
*Token Request*:
Header:
authorization = Basic
SVNNLWNsaWVudDpiMWMwODI2MC01ZjhkLTRmMTgtOTVlNC02OTI4ZTM0MGQxZDI=
content-type = application/json
charset = utf-8
FormField:
grant_type=authorization_code&code=WbCGHl6Btf5QemAJ3aGEsaBx-0zxnyiC1Hsx7hYIQFU.4ead731d-871a-4ba9-bbdd-1bcb251616dc&state=ayyd9co1zzcar83&scope=openid&redirect_uri=http%3a%2f%2flocalhost%3a56579%2f
Try POST oWebClient.UploadString at :
sTokenUrl =
http://localhost:8080/auth/realms/Test/protocol/openid-connect/token
Keycloak is replying with an error 400; we have the feeling that it is not
correctly receiving the message in the format it is expecting, but we
are also not able to capture the message on Keycloak's side to read
what Keycloak is actually receiving.
Could you please support?
Thanks
7 years, 8 months
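An added example (not from the post or from Keycloak) of the code-for-token exchange in the shape RFC 6749 section 4.1.3 and Keycloak's token endpoint expect (form-encoded body, client credentials in a Basic header), plus a pre-flight check that inspects a captured request for the things the token endpoint rejects with 400: a Content-Type other than application/x-www-form-urlencoded, missing form parameters, and a Basic header whose client_id is not the configured client. The token URL, client ID and Basic header value are those posted above; the secret and code used for the built request are constructed.

```python
# Added example (not from the original post): build an authorization_code
# token request as RFC 6749 section 4.1.3 defines it and check a captured one.
# TOKEN_URL, the client ID and POSTED_AUTH come from the post above; the
# "s3cret" and code values used in the test request are constructed.
import base64
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "http://localhost:8080/auth/realms/Test/protocol/openid-connect/token"
FORM = "application/x-www-form-urlencoded"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str) -> tuple:
    """Inverse of basic_auth_header; only the first ':' separates the fields."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(b64).decode("utf-8").partition(":")
    return client_id, secret


def build_token_request(client_id, client_secret, code, redirect_uri) -> dict:
    """Headers and form body for exchanging an authorization code for tokens."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return {"url": TOKEN_URL, "body": body,
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": FORM}}


def check_token_request(headers: dict, body: str, expected_client_id: str) -> list:
    """Findings that make the token endpoint answer 400 (empty list = well-formed)."""
    findings = []
    ctype = headers.get("Content-Type", headers.get("content-type", ""))
    if not ctype.lower().startswith(FORM):
        findings.append(f"Content-Type must be {FORM}, got {ctype!r}")
    auth = headers.get("Authorization", headers.get("authorization", "Basic "))
    hdr_client, _ = decode_basic(auth)
    if hdr_client != expected_client_id:
        findings.append(f"Basic header names client {hdr_client!r}, expected {expected_client_id!r}")
    params = parse_qs(body)  # JSON bodies never reach this parser on the server
    for required in ("grant_type", "code", "redirect_uri"):
        if required not in params:
            findings.append(f"missing form parameter {required}")
    return findings


# Authorization header value exactly as posted above.
POSTED_AUTH = "Basic SVNNLWNsaWVudDpiMWMwODI2MC01ZjhkLTRmMTgtOTVlNC02OTI4ZTM0MGQxZDI="
```

Running `check_token_request` over the posted header with `content-type: application/json` and the expected client ID `IIS-client` reports both the content type and the client named in the header.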
Resteasy client SSLHandshakeException
by Rajkiran K
Hi all,
We are trying to get all roles data of the realm from Keycloak. We are
getting "SSLHandshakeException"; can anyone help with this issue?
*Keycloak version*: 1.9.8 Final
*resteasy-client version*: resteasy-client-3.0.14.Final
build 19-Apr-2017 02:00:18 2017-04-19 02:00:18 INFO
KeycloakRestUserDataLoader:228 - Retrieving Roles from Keycloak
error 19-Apr-2017 02:00:19 javax.ws.rs.ProcessingException:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Remote
host closed connection during handshake
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
error 19-Apr-2017 02:00:19 at
com.sun.proxy.$Proxy27.list(Unknown Source)
error 19-Apr-2017 02:00:19 at
com.sample.loader.KeycloakRestUserDataLoader.getRealmRoles(KeycloakRestUserDataLoader.java:230)
error 19-Apr-2017 02:00:19 at
com.sample.loader.KeycloakRestUserDataLoader.loadUserData(KeycloakRestUserDataLoader.java:199)
error 19-Apr-2017 02:00:19 at
com.sample.loader.KeycloakDataManager.main(KeycloakDataManager.java:34)
error 19-Apr-2017 02:00:19 Caused by: java.lang.RuntimeException:
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:174)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.invoke(URLConnectionEngine.java:47)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
error 19-Apr-2017 02:00:19 at
com.sun.proxy.$Proxy19.grantToken(Unknown Source)
error 19-Apr-2017 02:00:19 at
org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85)
error 19-Apr-2017 02:00:19 at
org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65)
error 19-Apr-2017 02:00:19 at
org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60)
error 19-Apr-2017 02:00:19 at
org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
error 19-Apr-2017 02:00:19 ... 6 more
error 19-Apr-2017 02:00:19 Caused by:
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
error 19-Apr-2017 02:00:19 at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
error 19-Apr-2017 02:00:19 at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
error 19-Apr-2017 02:00:19 at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
error 19-Apr-2017 02:00:19 at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
error 19-Apr-2017 02:00:19 at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
error 19-Apr-2017 02:00:19 at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
error 19-Apr-2017 02:00:19 at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
error 19-Apr-2017 02:00:19 at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
error 19-Apr-2017 02:00:19 at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
error 19-Apr-2017 02:00:19 at
org.jboss.resteasy.client.jaxrs.engines.URLConnectionEngine.executeRequest(URLConnectionEngine.java:167)
error 19-Apr-2017 02:00:19 ... 16 more
error 19-Apr-2017 02:00:19 Caused by: java.io.EOFException: SSL
peer shut down incorrectly
error 19-Apr-2017 02:00:19 at
sun.security.ssl.InputRecord.read(InputRecord.java:505)
error 19-Apr-2017 02:00:19 at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
error 19-Apr-2017 02:00:19 ... 25 more
build 19-Apr-2017 02:00:19 2017-04-19 02:00:19 ERROR
KeycloakDataManager:38 - java.lang.RuntimeException:
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
--
Thanks in advance,
Rajkiran K
7 years, 8 months