(no subject)
by Sander Geerts
Hello,
We (as a company) are currently trying to determine whether Keycloak can meet the authorization requirements of our products. The authentication part seems obvious and will be enough for what we are trying to do, but we do have some questions about the authorization part.
In our application a user can create a so-called 'Process'. This process goes through a workflow engine, which determines the next status based on some business rules and configured steps. What we are trying to achieve through Keycloak is the following:
- Is user X (with role R) authorized for action (/resource) Y with scope Write? (This looks like a basic question which Keycloak can answer for sure)
- Is user X (with role R) authorized for action (/resource) Y with scope Write when the given resource (process) is in status A?
In abstract terms we are trying to determine:
Is user [X] with role [R] authorized for resource [Y] with scope [S] when the requested resource instance [Y1] has a property [Prop] with value [V]?
We did some research in the Keycloak documentation; CBAC (Context-Based Access Control) is mentioned there, but there are no examples or specific documentation to be found.
My summarized question(s):
- Is the given use-case above possible with Keycloak?
- If so, how would the status of a process be defined? Is this a resource? Or should/can we use the CBAC engine?
- If we have to implement a custom 'Authorization' provider for this, could you give a short example?
We have the option to possibly buy Keycloak support, but we first want to verify if it is even an option for our use-cases.
Kind regards,
Sander
7 years, 7 months
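The abstract question in the post above (user [X] with role [R], resource [Y], scope [S], instance property [Prop] with value [V]) can be written as a single Keycloak-style JavaScript policy that combines a role check with a check on a resource attribute. The block below is an added example, not code from the post or from Keycloak. It assumes that the workflow engine mirrors each process's status into a resource attribute named `status` on the corresponding Keycloak resource, that the policy is attached to a scope-based permission, and that the `$evaluation` methods used (`getContext().getIdentity().hasRealmRole`, `getPermission().getResource().getAttributes()`, `getPermission().getScopes()`, `grant()`, `deny()`) exist with those names in the Keycloak version being deployed; the role name `process-editor`, the scope names and the status values are invented. A small in-file stand-in for `$evaluation` lets the policy run offline.

```javascript
// Added example, not from the original post or from Keycloak: a Keycloak-style
// JavaScript policy answering "may user X (role R) use scope S on resource
// instance Y1 whose attribute Prop has value V?", plus an offline stand-in for
// the $evaluation object so the policy can be exercised here.
// Assumptions (not from the page): the workflow engine writes each process's
// status into a resource attribute "status"; the policy is attached to a
// scope-based permission; the $evaluation methods used exist under these names
// in the deployed Keycloak version. Role, scope and status names are invented.

// Assumed business rule: which scopes are permitted in which process status.
var SCOPES_BY_STATUS = {
  draft:     ['read', 'write'],
  review:    ['read'],
  published: ['read']
};

// Nashorn (the JS engine of Java 8, which Keycloak 3.x runs on) exposes Java
// collections to scripts; Java.from converts one into a JS array. In plain JS
// the value is already an array.
function toArray(coll) {
  return (typeof Java !== 'undefined' && Java.from) ? Java.from(coll) : Array.from(coll);
}

// Policy body, written in ES5 against an explicit $evaluation parameter. Inside
// Keycloak the same statements run with $evaluation as an implicit global.
function processPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();

  // The role part of the question (R).
  if (!identity.hasRealmRole('process-editor')) { $evaluation.deny(); return; }
  if (!resource) { $evaluation.deny(); return; }

  // Resource attributes are a Map<String, List<String>>; Nashorn allows
  // array-style indexing on the Java list. A missing status fails closed.
  var statusList = resource.getAttributes().get('status');
  var status = statusList ? statusList[0] : null;
  // hasOwnProperty keeps a status value such as "constructor" from matching an
  // Object.prototype key instead of a real rule.
  if (status == null || !Object.prototype.hasOwnProperty.call(SCOPES_BY_STATUS, status)) {
    $evaluation.deny(); return;
  }
  var allowed = SCOPES_BY_STATUS[status];

  // Every scope requested under this permission must be allowed in this status.
  var requested = toArray(permission.getScopes()).map(function (s) { return s.getName(); });
  var ok = requested.length > 0 &&
           requested.every(function (n) { return allowed.indexOf(n) >= 0; });
  if (ok) { $evaluation.grant(); } else { $evaluation.deny(); }
}

// Offline test double with the (assumed) shape of Keycloak's $evaluation.
// req = { roles: [...], status: 'draft' | undefined, scopes: [...] }
function fakeEvaluation(req) {
  var decision = 'none';
  var attributes = new Map(req.status === undefined ? [] : [['status', [req.status]]]);
  return {
    getContext: function () {
      return { getIdentity: function () {
        return { hasRealmRole: function (r) { return req.roles.indexOf(r) >= 0; } };
      } };
    },
    getPermission: function () {
      return {
        getResource: function () { return { getAttributes: function () { return attributes; } }; },
        getScopes: function () {
          return req.scopes.map(function (n) { return { getName: function () { return n; } }; });
        }
      };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    result: function () { return decision; }
  };
}

// Evaluates one request against the policy and returns 'grant' or 'deny'.
function decide(req) {
  var ev = fakeEvaluation(req);
  processPolicy(ev);
  return ev.result();
}
```

Two points worth noting. The policy fails closed whenever the instance carries no recognised status, so a process that was created but never had its attribute set is not writable by anyone. And the policy only sees the status that was written to the resource attribute: the workflow engine has to update that attribute on every state transition, otherwise the decision is taken on stale data.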
Problem with example provider authenticator in version 3.0.0.Final
by Fabien HINAULT
Hello,
I have a problem with the example provider called authenticator which is released with keycloak-demo-3.0.0.Final.
After having added the provider, and added the execution "Secret Question" to the browser flow, I don't get a "Secret Question" page while logging into the client app. Instead, I am directly redirected to the application.
There is a warning in keycloak's output:
"10:48:24,009 WARN [org.keycloak.services.managers.AuthenticationManager] (default task-44) Could not find configuration for Required Action secret_question_config, did you forget to register it?"
Did I miss something?
Fabien
------
Included: a debug log, with just the logging of user u, with execution "Secret Question" added.
See the complete scenario below:
I have built the jar authentication-required-action-example.jar and I have put it in the directory keycloak/providers.
I run keycloak/bin/standalone.sh
In the admin console (http://localhost:8080/auth/admin/master/console/):
I create a new realm called "demo",
I switch to this realm,
I create a user with username "u",
I change its password,
I create a role "ROLE_USER",
I give the role ROLE_USER to user u,
I create a client with client ID "test-fabien", redirect URIs http://localhost:8081/*, authorization enabled set to ON.
I run a test client application with adequate configuration settings.
In a private session in Firefox:
I type http://localhost:8081/test.html in the address bar,
I am redirected to keycloak's authentication page for realm "demo"
I enter username u and password,
the first time, I am redirected to the password change page, then
I am redirected back to the page test.html.
In the Authentication part of Keycloak admin console:
I copy the browser flow into "Copy of browser",
I add the execution "Secret Question", which comes from the added provider,
I set it as "required",
In the binding tab, I bind "Copy of browser" as browser flow, then save.
In a new private session in Firefox:
I type http://localhost:8081/test.html in the address bar,
I am redirected to keycloak's authentication page for realm "demo"
I enter username u and password.
Here, I would expect a "Secret Question" page.
Instead, I am directly redirected back to the page test.html.
In the output of standalone.sh, I can read:
"10:48:24,009 WARN [org.keycloak.services.managers.AuthenticationManager] (default task-44) Could not find configuration for Required Action secret_question_config, did you forget to register it?"
7 years, 8 months
Keycloak in Docker Swarm
by Marc Tempelmeier
Hi,
we could spawn multiple slave containers with the same slave name in domain clustered mode, or use multiple slaves with different names.
What is the preferred way?
BR
Marc Tempelmeier
7 years, 8 months
Re: [keycloak-user] SAML response parsing failed
by Erwin Steffens | Rovecom
Here it is: https://www.dropbox.com/s/gjuems7k6nkjs19/connectis-saml-response-raw.xml...
-----------------------------
Rovecom
Erwin Steffens | Rovecom
software developer
Elbe 2, 7908 HB Hoogeveen
P.O. Box 2126, 7900 BC Hoogeveen
0528 22 35 35
Constantly innovating to stimulate movement and realise growth. We are Rovecom.
Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste it into your internet browser.
-----------------------------
-----Original message-----
From: Hynek Mlnarik [mailto:hmlnarik@redhat.com]
Sent: Wednesday 26 April 2017 11:48
To: Erwin Steffens | Rovecom <esteffens(a)rovecom.nl>
Subject: Re: [keycloak-user] SAML response parsing failed
Could you please store the SAML response to e.g. google drive/dropbox/... and send here a link to it?
--Hynek
On Wed, Apr 26, 2017 at 11:32 AM, Erwin Steffens | Rovecom <esteffens(a)rovecom.nl> wrote:
>
>
> We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party, but Keycloak does not seem to be able to parse the SAML response.
>
> The error we get is:
>
> 09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
>
> When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
>
> Can I somehow attach the XML here?
>
> Erwin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
7 years, 8 months
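The error quoted in this thread, `Undeclared namespace prefix "ds"`, is what a namespace-aware XML parser (here Woodstox, `com.ctc.wstx`, which Keycloak uses for SAML) reports when an element or attribute name uses a prefix that neither the element itself nor any enclosing element binds with an `xmlns:` declaration. A typical way to end up there with SAML is that `xmlns:ds` is declared on the `samlp:Response` root while the `ds:Signature` sits inside the `saml:Assertion`: the complete response parses, but the assertion re-serialised on its own does not. The thread does not say whether that is the cause here. The block below is an added example, not code from the thread or from Keycloak: a scope-aware scanner that reports which prefixes are used without a binding and on which element each first appears, run over a constructed, heavily simplified SAML response and over the same assertion cut out of its parent. It handles start, end and self-closing tags and skips the XML declaration and comments; it does not handle CDATA sections, DOCTYPEs or `>` inside attribute values.

```javascript
// Added example, not from the thread or from Keycloak: find XML namespace
// prefixes that are used without an in-scope xmlns:<prefix> declaration, the
// condition behind a parser error such as 'Undeclared namespace prefix "ds"'.
// Deliberate limitations: no CDATA sections, no DOCTYPE, no '>' inside
// attribute values.

function prefixOf(qname) {
  const i = qname.indexOf(':');
  return i > 0 ? qname.slice(0, i) : null;
}

// Returns [{ prefix, firstElement }] for every prefix referenced by an element
// or attribute name while neither the element nor an ancestor declares it.
// Each prefix is reported once, at the first element where it is unbound.
function findUndeclaredPrefixes(xml) {
  const body = xml.replace(/<\?[\s\S]*?\?>/g, '')     // XML declaration, PIs
                  .replace(/<!--[\s\S]*?-->/g, '');   // comments
  const tagRe  = /<(\/?)([A-Za-z_][\w.-]*(?::[\w.-]+)?)([^>]*?)(\/?)>/g;
  const attrRe = /([A-Za-z_][\w.-]*(?::[\w.-]+)?)\s*=\s*(?:"[^"]*"|'[^']*')/g;
  const scopes = [new Set(['xml'])];   // the 'xml' prefix is bound implicitly
  const found = new Map();             // prefix -> first element using it unbound
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const [, slash, name, attrText, selfClose] = m;
    if (slash === '/') { scopes.pop(); continue; }   // end tag: leave the scope
    const scope = new Set(scopes[scopes.length - 1]); // inherit ancestor bindings
    const used = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const attrName = a[1];
      if (attrName === 'xmlns') continue;                        // default namespace
      if (attrName.startsWith('xmlns:')) { scope.add(attrName.slice(6)); continue; }
      const p = prefixOf(attrName);
      if (p) used.push(p);
    }
    const ep = prefixOf(name);
    if (ep) used.push(ep);
    for (const p of used) {
      if (!scope.has(p) && !found.has(p)) found.set(p, name);
    }
    if (selfClose !== '/') scopes.push(scope);       // start tag: enter the scope
  }
  return Array.from(found, ([prefix, firstElement]) => ({ prefix, firstElement }));
}

// Constructed, heavily simplified SAML response (not a real IdP message).
// Note where each prefix is bound: samlp and ds on the root, saml on the
// Assertion itself.
const FULL_RESPONSE =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"' +
  ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">' +
  '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">' +
  '<saml:Issuer>https://idp.example.test</saml:Issuer>' +
  '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>' +
  '<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>' +
  '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>' +
  '</saml:Assertion>' +
  '</samlp:Response>';

// The same assertion cut out of its parent: xmlns:ds lived on the root, so the
// fragment's ds:Signature no longer has a binding for "ds".
const EXTRACTED_ASSERTION = FULL_RESPONSE.slice(
  FULL_RESPONSE.indexOf('<saml:Assertion'),
  FULL_RESPONSE.indexOf('</samlp:Response>'));
```

Run over `FULL_RESPONSE` the scanner finds nothing; run over `EXTRACTED_ASSERTION` it reports `ds` first used on `ds:Signature`, which is the situation a strict parser turns into the error above. When an IdP integration fails this way it is worth checking whether anything between the IdP and Keycloak (a proxy, a logging hook, an intermediate re-serialisation) rewrites the message, since the parse failure happens before any signature validation is reached.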