REST identity propagation
by Jef Verelst
Hello,
I would like to present a use case to you where we struggle a bit to see how
to implement it properly using Keycloak... We are creating a solution where
we have some legacy components using X.509 and SAML to identify users in
our front-end applications. These applications now need to call some REST
services, and pass on the identity. Our front-end system would call the
REST service by presenting a token obtained via client credentials grant,
based on a signed JWT. This way, we can establish a circle of trust between
the front-end applications and the REST service. The REST service is
prepared to accept that the user is the one that our front-end applications
vow that he is.
The question now is: how do we transport this claim from the front-end to the
backend REST service? We have found an RFC in Internet-Draft status that
addresses this problem:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-08. But since
this is not yet approved, I assume you do not support this yet.
One way of solving this problem is sending the identity of the user
out-of-band, in an HTTP header. This is however a bit of a pain, since then
we need to make the REST service aware that for certain users (our
front-ends), the header needs to be interpreted. However, for other callers
(both machine and user), this HTTP header must not be interpreted (we do
not want a normal user adding this header and impersonating who he wants).
So we are moving the configuration of who may impersonate/delegate to the
business service... which is not great. Also, when we want to pass on the
token, we need to repeat/set the header as well, which means we could
potentially change the content... and the idea is that our front-end is
stating that this is the user, not that any intermediate service can alter
that.
So it would be nice to have this in the token, taking over a value set in
the initial signed JWT that we present to Keycloak. Is this possible (I
cannot seem to find if you pass any of the token information on the user
session so that we could map this)? Furthermore, we would like to get some
control on that value... because we would like to be able to place
restrictions on who is impersonated (not every front-end has the same
audience, so we should be able to limit for which persons they are making
claims). Is this possible with the current extension points? If so, could
you give us a hint on which one(s) to use?
Thanks in advance.
Jef
7 years, 3 months
Infinispan JMX Cache Stats return zero?
by Dan Corbett
We have a Keycloak 3.1.0 standalone cluster of 3 instances in docker.
I’m trying to get Infinispan distributed cache stats out (via JMX) for operational monitoring.
We are getting 0’s for all values on the cache metrics when we review.
We've set <cache-container statistics-enabled="true" ... /> on all cache-managers in standalone xml.
Via JMX we set statisticsEnabled == true for "jboss.infinispan:type=Cache,name="loginFailures(dist_sync)",manager="keycloak",component=ClusterCacheStats".
(We do that programmatically after startup ...)
Any tips or good info/docs on getting stats out for all the Keycloak distributed caches?
Any other options for getting cache metrics out?
Thanks!
Dan
7 years, 3 months
Error when keycloak.js is bundled with application but not otherwise
by Karthik Jayaraman
Hi all,
I am having the following issue:
Scenario 1:
In my application index.html (bundled in a JAR file and deployed in Jetty),
I have the following code:
<script src="keycloak.js"></script>
<script>
  var keycloak = Keycloak({
    "realm": "master",
    "clientId": "client1",
    "auth-server-url": "http://<<keycloak-server-ip>>:<<keycloak-server-port>>/auth",
    "public-client": true
  });
  keycloak.init({
    onLoad: 'login-required'
  }).success(function () {
    alert("login success");
  });
</script>
And I have the following client configuration in Keycloak server
Client Protocol - openid-connect
Access Type - public
Standard Flow Enabled - ON
Implicit Flow Enabled - OFF
Direct Access Grants Enabled - ON
Authorization Enabled - OFF
Root URL -
Valid Redirect URIs - http://<<myapplicationIP>>:<<myapplicationPort>>/admin/*
Base URL - http://<<myapplicationIP>>:<<myapplicationPort>>/admin
Admin URL -
Web Origins -
With this configuration, the first time I hit
http://<<myapplicationIP>>:<<myapplicationPort>>/admin/, I am redirected to
http://<<myapplicationIP>>:<<myapplicationPort>>/realms/master/protocol/openid-connect/auth?client_id=client1&redirect_uri=http%3A%2F%2F<<myapplicationIP>>%3A<<myapplicationPort>>%2Fadmin%2F&state=c524eb6c-9245-4f82-87e9-e767dd733b0d&nonce=760809b5-b2d5-4c3e-9d76-40cd43bdef0d&response_mode=fragment&response_type=code&scope=openid
and I get a 404, which is expected since Keycloak is trying to redirect to
http://<<myapplicationIP>>:<<myapplicationPort>>/realms/..., which does not
exist in our application.
Scenario 2:
When I do the same thing as scenario 1 except the way keycloak.js is
loaded, everything works as expected.
<script src="http://<<keycloakServerIP>>:<<keycloakServerPort>>/auth/js/keycloak.js"></script>
So, what is operationally different between bundling keycloak.js and
loading it at run time ?
- Karthik
7 years, 3 months
ProviderFactory::postInit not called with hot deployment
by Dmitry Telegin
Hi,
Seems like o.k.provider.ProviderFactory::postInit() is called only upon
server startup, no matter which way the provider has been deployed, as
a module or via the deployments dir. However, if the provider is hot
(re)deployed on the running server, the method is not called.
(ProviderFactory::init() is called always, but it's insufficient for
most init phase tasks since normally a KeycloakSessionFactory instance
is required.)
Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() doesn't
contain mentions of postInit, contrary to
DefaultKeycloakSessionFactory::init(). Seems like a bug to me; OK to
file a JIRA issue and a PR?
Regards,
Dmitry
7 years, 3 months
Sign out on account page
by Marc Tempelmeier
Hi,
Just a short question about the Sign out on the account page: should that terminate the client sessions too, or just log out of the account page?
Best regards
Marc
7 years, 3 months