Token issuer validation fails (internal vs external, NATed environments, etc.)
by Juan José Díaz Montaña
Hi everyone,
I'm currently using Keycloak to authenticate a bunch of applications in a
private network. I'm using the JavaScript, Node.js, Spring Security and
Spring Boot adapters, some using bearer tokens and some not.
Everything works nicely except that our support engineers sometimes need to
connect over a NAT gateway. The problem is that the IP/URL used by the
support engineers is different from the one seen by the internal network
users. So I get an error validating the JWT issuer, especially when using
bearer tokens that are generated by external users and passed back to
internal services.
I've seen that there used to be the `*auth-server-url-for-backend-requests*`
property just for this use case, but it was removed.
I've also seen many questions online about this matter but no solution
apart from using DNS, which is not an option for me because of certain
restrictions I have.
Finally, I've recently seen someone with the same problem proposing
setting checkRealmUrl to false to skip the issuer validator
(http://lists.jboss.org/pipermail/keycloak-user/2017-May/010640.html). Is
that possible??? I haven't found how without modifying the adapter's code.
Is there any other workaround?
Solutions I could think of are:
- Include a config option to make issuer validation optional (setting
checkRealmUrl to false).
- Modify the `*auth-server-url*` to allow partial URLs that are resolved
based on the calling host.
- Modify the `*auth-server-url*` to be a list, so several URLs are
accepted, or to allow regexes, so all the URLs that match are accepted. This
probably requires separating the valid URLs from the URL used for
redirections.
This is a deciding factor in whether we can use Keycloak or not, and I'm
sure that other people are having the same problem. So if there is no
existing workaround, I'm happy to discuss and contribute any changes to
the adapters that could help me with this.
--
*Juanjo Díaz*
Software Architect @Intopalo Oy <https://intopalo.com>
7 years, 7 months
Rebalancing problem while adding a new node to a domain
by Elnaz razmi
Hello,
please help me with this problem:
We chose to install Keycloak in domain mode in our company. We have a load
balancer and three slave nodes. It's working properly with two active nodes,
but when we want to run the third node and connect it to the load balancer,
the load balancer doesn't rebalance with the new node. It just says that the
node is registered, but it doesn't show these lines that we can see when the
other nodes connect:
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting
cluster-wide rebalance for cache work, topology CacheTopology{id=3,
rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners =
(2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]},
pendingCH=ReplicatedConsistentHash{ns = 60, owners =
(3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20,
srvca61-site231:server-twoslave: 20]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting
cluster-wide rebalance for cache loginFailures, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting
cluster-wide rebalance for cache authorization, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting
cluster-wide rebalance for cache sessions, topology CacheTopology{id=3,
rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners =
(2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave:
40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting
cluster-wide rebalance for cache offlineSessions, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished
cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished
cluster-wide rebalance for cache sessions, topology id = 3
7 years, 7 months
CORS problems
by sesnor.silva@sapo.pt
Hello,
I have protected a Java web application that's compiled in a WAR
package and accessible through a Tomcat 8 server. To do this I followed
the steps here:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
My Java application is a RESTful API which can only be accessed by
authorized users that bear a token.
In Keycloak I configured my client (and keycloak.json) as follows:
{
  "realm": "MainDomain",
  "bearer-only": true,
  "auth-server-url": "http://<My Keycloak Server>:8081/auth",
  "ssl-required": "none",
  "resource": "main-domain-server"
}
If I have a valid token I can access the service fine through cURL
requests. However, using any browser (Firefox, Chrome, Opera, except
IE, which for some reason works) I can't access any resource through
AJAX as I get CORS problems:
"Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:3000' is therefore not allowed
access. The response had HTTP status code 401."
I searched around and found I should put "enable_cors": true in my
keycloak.json, however this causes the following CORS problem:
"The 'Access-Control-Allow-Origin' header contains multiple values
'http://localhost:3000, http://localhost:3000', but only one is
allowed. Origin 'http://localhost:3000' is therefore not allowed
access."
I think I'm out of ideas at the moment on what could be causing this.
Does anyone have any idea what could be wrong in my configuration?
My best regards,
Silva
7 years, 7 months
Spring checks Bearer token for permitted requests
by Hylton Peimer
I have an instance of KeycloakWebSecurityConfigurerAdapter that contains
the following configuration:
protected void configure(HttpSecurity httpSecurity) throws Exception {
    super.configure(httpSecurity);
    httpSecurity
        .antMatcher("/mobile/**")
        .authorizeRequests()
            .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
            .antMatchers("/mobile/api/**").authenticated()
            ..........
The client is set up for bearer-only.
It works fine, except when the access token expires.
Some mobile clients send the expired token as a header in the call to
"/mobile/api/refresh".
The problem is that even though "/mobile/api/refresh" is marked as
permitAll, the request is blocked.
It's not possible to fix all the mobile clients. How could I configure
Spring to ignore the bearer token for the "permitAll" calls, or remove the
header?
7 years, 7 months
rolling upgrade
by mathias.goeppel@daimler.com
Hello everyone,
For a few months we have been using Keycloak at car2go. Currently we are on Keycloak version 2.5.4.Final but we'd like to upgrade. Is there any documented way to do this in a clustered environment without downtime?
Are older versions compatible with the new database schema so we can perform a rolling upgrade? Are objects cached in Infinispan compatible?
The only documentation I found so far is https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html but this does involve downtime. Am I missing something? What is the approach you would recommend?
Thanks in advance - mat
7 years, 7 months
basic saml attribute send question
by lists
Hi,
Running Keycloak 2.5.0 with the AD federation provider. We configured the
group-ldap-mapper, and this all works beautifully.
I created a simplesamlphp test page, and all AD group memberships are
displayed in a list after a successful logon. Good start.
But now, to make this more secure and confidential, we would like to NOT
display ALL groups after login, but only send specific SAML attributes,
depending on group memberships.
So suppose a user is a member of AD group1, group2 and group3. We would
like to make a config to send attribute "group1", but keep the rest of
the groups hidden.
I'm sure this is _very_ basic functionality... But can anyone give us some
pointers/keywords on how to do this..?
Best regards,
MJ
7 years, 7 months
How to create a Validation Flow to Registration Form using Authentication SPI?
by Celso Agra
Hi all,
I need help, please.
I'm trying to create a validation class to add some rules when a user tries
to register (just to validate the username).
So, I saw this link:
https://keycloak.gitbooks.io/documentation/server_development/topics/auth...
and this project:
https://github.com/keycloak/keycloak/tree/master/examples/providers/authe...
But I still have some questions about how I could create my own
validation form in register.ftl.
So, my question is:
Should I create just one class, like the example
"org.keycloak.authentication.forms.RegistrationProfile"?
Here is the example below:
*file:* br.gov.pe.sso.keycloak.forms.UsernameFormRegistrationProfile.java

package br.gov.pe.sso.keycloak.forms;

// Keycloak SPI interfaces the form action implements (imports were missing
// from the snippet as posted).
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormActionFactory;
import org.keycloak.authentication.ValidationContext;

public class UsernameFormRegistrationProfile implements FormAction, FormActionFactory {

    // Called when the registration form is submitted; this is where the
    // username rules go.
    @Override
    public void validate(ValidationContext context) {
        /* ... my validation here!! ... */
    }
}

and finally
*file:* META-INF/services/org.keycloak.authentication.FormActionFactory

br.gov.pe.sso.keycloak.forms.UsernameFormRegistrationProfile
So, for now, I just need to create my own jar and add it into a specific
folder. Is that right? Or should I add it into the Keycloak project and
then re-generate the war project?
Would it be possible to extend the RegistrationProfile class?
I'm sorry for that bunch of questions :)
Thanks a lot!
Best regards
--
---
*Celso Agra*
7 years, 7 months
Policy Evaluation Tool - "No scopes available"
by Hübner, Bettina
Hi,
It seems the representation of the evaluation result has been changed in version 3.1.0.Final (Policy evaluation tool, admin console) (compared to 2.5.0.Final and also 3.0.0.Final).
Before, it showed <Resource Name> with scopes [list of all scopes of the resource] and the details for the resource listed all allowed scopes.
Now, in version 3.1.0.Final, it shows <Resource Name> with scopes [apparently allowed scopes] and the details for the resource always show “no scopes available” as scopes, even if the user has the permission for some or all scopes of the resource (tooltip still shows “The list of allowed scopes.”).
I find this new representation a little bit confusing. At least I would expect that “scopes” lists the allowed scopes for a resource as it was before.
Kind regards
Bettina
7 years, 7 months
LDAP Password as Environment Variable
by Denny Israel
Hi,
I am running Keycloak as a Docker container and have configured an LDAP
server for user federation. Keycloak needs a username and a password to
access the LDAP server (Bind DN, Bind Credential). When the password
changes I have to manually change it in the Keycloak admin console. Is there a
way to tell Keycloak to read the password from an environment variable?
This way I could specify the password when starting my Docker container and
maintain the password within my Docker environment.
Best regards
Denny
7 years, 7 months