Migrating existing system vs. resource management
by Yannick Lazzari
Hi,
We're currently evaluating Keycloak to migrate an existing system. For the
sake of the discussion, let's use the photoz example and pretend we are an
online pictures hosting service and that we have millions of albums,
belonging to thousands of users (users typically have more than one album,
so we have more albums than users).
If we were to implement the same permissions and wanted to constrain the
deletion of an album to its owner, does that mean that we would first need
to "sync" all our existing albums in Keycloak by "pushing" a
ResourceRepresentation for each of them, so that we can then have a policy
that uses the owner?
And what if we actually have dozens of other resource types for which we
want to enforce similar "resource owner" policies, each of them having
millions of records and living in different databases? Is it also expected
for all of them to do the same, essentially maintaining duplicates (in some
form) of all existing records in our system inside Keycloak's single
database, just so that we can use the resource owner in some policies?
We understand the simple photoz example, for something that starts from
scratch and with little data, but we have a hard time seeing how such an
approach can scale well for an existing system with millions of resources
of different types. Or perhaps we're completely missing the point or an
important piece of the puzzle.
Instead of having to push resources to Keycloak, is there a way to provide
arbitrary attributes that would be stored in the evaluation context of
policies and made available for the duration of a single authorization
request? For instance, when authorizing access to /album/123, could we tell
Keycloak that the owner of this album is actually user id 456, have it
stored in some attribute in the evaluation context and then use that
attribute in a policy (whether it's Javascript or Drools), along with some
other arbitrary attributes? We've seen discussions around the usage of
custom user claims, but this does not really seem to apply here since those
are not resource-specific. Or would there be a way to "extend" Keycloak and
use a hook that is provided that would allow us to somehow add this
information to the evaluation context?
Looking for help to see how we would start tackling such a problem, if we
were to adopt Keycloak.
Thank you very much for any insight anyone can provide!
Yannick
7 years, 7 months
SAML to SAML
by Shih Oon Liong
Hi,
I was wondering if Keycloak is able to support SAML to SAML workflow. What
part of the documentation should I be reading that deals with this?
To clarify, my backend is a SAML-based login and then I want to enable
login via SAML on the frontend.
So it would look something like
[My-Org] --SAML--> [KeyCloak] --SAML--> [Application]
I'm not sure if that makes sense, but it is one way I am looking at it. At the
moment I do not have access to LDAP/AD; this was the only other access we
can get from the organisation. I'm hoping to use Keycloak to help organise
the users into the appropriate groups and to utilize the MFA feature of SAML.
Thanks
- Shih Oon
7 years, 7 months
Sync users from external user storage
by rohit chaudhary
Hi,
I connected an external db with Keycloak and now want to sync it with
Keycloak periodically or whenever there is an update in the external db.
I have connected postgres db.
How to proceed?
Thanks,
Rohit
7 years, 7 months
OIDC spring security adapter
by Pulkit Gupta
Hi All,
We are planning to use OIDC based spring security adapter to secure our
application using keycloak.
I am not sure if this will work with the implicit flow for OIDC, as our identity
provider, or rather the team maintaining the Keycloak server instance, currently
supports only the implicit flow.
Please let me know in case anyone has used the Keycloak OIDC Spring Security
adapter with the implicit flow.
Regards,
Pulkit
7 years, 7 months
Implementing Keycloak in Android app
by Raquel Júdez Bello
Hi all,
I have implemented Keycloak in my Tomcat server (via Keycloak Spring
Adapter).
Now, I am programming an Android app to communicate with my server, but
I have not found any information about how to manage the login to a server
from Android.
Has anyone implemented Keycloak with Android? Any ideas on how to approach
this problem?
Thank you very much.
--
Raquel Júdez.
7 years, 7 months
Migration from 2.4.0 to 2.5.5
by Wim Vandenhaute
Hello list,
When migrating a custom user federation provider, it seems the
validateAndProxy callback from the UserFederationProvider SPI no longer has
an alternative since it has been removed.
Before, whenever a UserModel was pulled from Keycloak, this callback was
made and our custom user federation provider could add some transient
attributes each time.
In 2.5.5 it is my understanding that implementing the
ImportedUserValidation SPI is the way to go, yet whenever the
authorization/access code is exchanged
(TokenEndpoint.buildAuthorizationCodeAccessTokenResponse) the
ImportedUserValidation.validate is never called, as the UserSessionAdapter
always goes straight to the UserCacheSession user provider implementation
instead of the UserStorageManager.
Before, whenever the TokenEndpoint was called, it always went to the
UserFederationManager class, which fetched the UserModel but afterwards
checked if the user had a federation link and then called the
UserFederationProvider.validateAndProxy hook.
So my questions are:
1. What is the right way to go to make sure a custom user federation
provider can always add some custom attributes to the UserModel via a
delegate, even if the UserModel comes from the Keycloak cache?
2. Or do we have to disable the Keycloak cache for this, and if so, how?
Kind regards,
Wim.
7 years, 7 months
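A sketch of the ImportedUserValidation approach the post refers to, added here as an example and not taken from the post or from Keycloak's own code: the provider wraps the locally imported user in a UserModelDelegate that serves extra attributes without persisting them. The class name, the "external-tier" attribute and the lookupTier stand-in are assumptions, and the UserStorageProviderFactory that registers the provider is left out; whether Keycloak reaches validate() on the cached TokenEndpoint path described above is exactly the open question.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.ImportedUserValidation;

// Hypothetical provider: each imported user it validates is wrapped in a delegate
// that exposes extra attributes without writing them to Keycloak's user store.
public class TransientAttributeProvider implements UserStorageProvider, ImportedUserValidation {

    @Override
    public UserModel validate(RealmModel realm, UserModel local) {
        // Returning null would tell Keycloak the user is gone from the external
        // store and should be deleted locally; this provider always keeps it.
        final Map<String, List<String>> extra = new HashMap<>();
        extra.put("external-tier", lookupTier(local.getUsername()));
        return new UserModelDelegate(local) {
            @Override
            public List<String> getAttribute(String name) {
                return extra.containsKey(name) ? extra.get(name) : super.getAttribute(name);
            }

            @Override
            public String getFirstAttribute(String name) {
                List<String> v = getAttribute(name);
                return (v == null || v.isEmpty()) ? null : v.get(0);
            }

            @Override
            public Map<String, List<String>> getAttributes() {
                Map<String, List<String>> all = new HashMap<>(super.getAttributes());
                all.putAll(extra);
                return all;
            }
        };
    }

    // Stand-in for the lookup against the federated system (constructed value).
    private List<String> lookupTier(String username) {
        return Collections.singletonList("gold");
    }

    @Override
    public void close() {
    }
}
```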
update password failed - invalid code
by Michael Mok
Hi All
Need help trying to allow the user to update their password. The use case:
1) Log in to the admin console.
2) Select a user, go to Credentials, select Update Password as the reset
action and send the email.
3) The user receives the email and clicks on the link (within the minute).
4) Keycloak complains with the error "We are sorry - an error occurred, please
login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
    <ajp-listener name="mmemoeListener" socket-binding="ajp"
                  redirect-socket="proxy-https" scheme="https"/>
    <http-listener name="default" socket-binding="http"
                   redirect-socket="https"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="proxy-peer"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <filter name="proxy-peer"
            class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
            module="io.undertow.core"/>
    <response-header name="server-header" header-name="Server"
                     header-value="WildFly/10"/>
    <response-header name="x-powered-by-header"
                     header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1)
type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7,
clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 7 months
JavaScript adapter: how to get error message
by Mehdi Sheikhalishahi
Hi,
With the following code, I am not able to get the error message. How should I
do that? Thanks.
Uncaught TypeError: Cannot read property 'error_description' of undefined
at Object.errorCallback (index.js:49)
at Object.setError (keycloak.js:775)
at Object.errorCallback (keycloak.js:198)
at Object.setError (keycloak.js:775)
at XMLHttpRequest.req.onreadystatechange (keycloak.js:600)
return kc.init({onLoad: 'login-required'}).success(authenticated => {
    console.log("AUTH STATUS: " + authenticated);
    if (!authenticated) {
        kc.login();
    } else {
        dispatch(loginSucceed(kc));
    }
}).error(function(error) {
    // The trace above shows the adapter invoking this callback with an
    // undefined argument, so guard before reading fields from it.
    if (error) {
        console.log(error.error_description);
        console.log(error.error);
    }
    console.log(JSON.stringify(error));
    dispatch(loginFailed(JSON.stringify(error)));
});
7 years, 7 months
Help with SSO
by Jorge M.
Hi,
In the past some systems inside my company were using a custom-made SSO
implementation that had the ability to do silent login among them.
One of those systems was completely refactored and is using Keycloak for
authentication and authorization. Since then, we lost that silent login
feature with the other systems.
We assumed that it was ok to lose this feature for a while, but now we are
trying to implement the silent login again.
So, summing up:
- System "A" is using Keycloak with a realm "RealmA" with multiple clients
(modules) with SSO between them.
- Other systems "B", "C" have their own custom authentication and authorization.
- We are using a custom federation on Keycloak over the same users database
that is shared among all the systems.
What's the best practice to achieve SSO between all the systems?
We are thinking about a proxy that detects if the user has a session on
some of the other systems and, if that is true, we programmatically create a
session on Keycloak for a given user (is this possible with the API?).
Thank you,
JM
7 years, 7 months