Multiple direct access flows within a realm
by Shailesh Kochhar
Hi everyone,
I am trying to understand if keycloak can support an authentication
scenario. I have a realm which has multiple trusted clients authenticating.
Some are mobile clients and some are web based clients. These clients use
direct access token flow to exchange user credentials for a token.
We'd like to support different credentials based on the client. I'd like one
client (web) to be able to use username/password for a token while another
(mobile) client uses username and a secure token like an OTP or an RSA
SecurID.
I have been able to create custom flows in my realm from the admin console
and I can set up a flow which requires OTPs. However, I am unable to
configure the flow per client. The only option I have been able to find is
to change the flow for an entire realm.
So my question is, is it possible to configure the OAuth flow in keycloak
at the client level? If not, are there extension possibilities which could
make this feasible?
Thanks,
Shailesh
7 years, 4 months
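One concrete extension point for the per-client requirement asked about above, as an added example that is not from the original thread and not part of the Keycloak project: a direct-grant authenticator that subclasses Keycloak's built-in `ValidateOTP` and only enforces the OTP check when the requesting client's `client_id` is on a configurable list. It assumes the Keycloak 3.2-era Authenticator SPI (`org.keycloak.authentication.authenticators.directgrant.ValidateOTP`, `AuthenticationFlowContext.getAuthenticationSession()`); the provider id `direct-grant-client-scoped-otp`, the config key `otp.clients` and the package name are this example's own choices.

```java
package com.example.keycloak.auth; // example package, not part of Keycloak

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.directgrant.ValidateOTP;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Direct-grant OTP authenticator that is only enforced for selected clients.
 *
 * Put it into a copy of the realm's "Direct Grant" flow, after "Username
 * Validation" and "Password", as REQUIRED, bind that copy as the realm's direct
 * grant flow, and configure the execution with the comma-separated client ids
 * that must present an OTP (the "totp" form parameter of the token request).
 * Every other client passes straight through, so the web client keeps
 * username/password while the mobile client needs username/password/OTP.
 */
public class ClientScopedOtpAuthenticator extends ValidateOTP {

    public static final String PROVIDER_ID = "direct-grant-client-scoped-otp"; // example id
    static final String CLIENTS_CONFIG = "otp.clients";                          // example config key

    private static final List<ProviderConfigProperty> CONFIG = Collections.singletonList(
            new ProviderConfigProperty(CLIENTS_CONFIG, "Clients requiring OTP",
                    "Comma-separated client ids that must send an OTP with the direct grant request",
                    ProviderConfigProperty.STRING_TYPE, ""));

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        if (!requiresOtp(clientId, context.getAuthenticatorConfig())) {
            // Client not on the list: the password was already validated earlier in the flow.
            context.success();
            return;
        }
        // Client on the list: delegate to Keycloak's own OTP validation. With the execution
        // set to REQUIRED, ValidateOTP answers invalid_grant when the user has no OTP
        // configured or the "totp" parameter is missing or wrong, so there is no silent
        // downgrade to password-only for this client.
        super.authenticate(context);
    }

    static boolean requiresOtp(String clientId, AuthenticatorConfigModel config) {
        if (config == null || config.getConfig() == null) {
            return true; // fail closed: an unconfigured execution requires OTP for everyone
        }
        return parseClients(config.getConfig().get(CLIENTS_CONFIG)).contains(clientId);
    }

    static Set<String> parseClients(String csv) {
        Set<String> clients = new HashSet<>();
        if (csv == null) return clients;
        for (String id : csv.split(",")) {
            String trimmed = id.trim();
            if (!trimmed.isEmpty()) clients.add(trimmed);
        }
        return clients;
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Client-scoped OTP"; }
    @Override public String getHelpText() { return "Validates an OTP only for the configured clients."; }
    @Override public boolean isConfigurable() { return true; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
}
```

Register the class name in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the provider jar and deploy it; the mobile client's token request then carries `grant_type=password&username=...&password=...&totp=123456` alongside its client credentials. The decision is keyed on `client_id`, which a caller can choose freely unless the client is confidential: if the password-only (web) client is a public client, anyone who learns a user's password can send `client_id=<web client>` and skip the OTP. The lenient client must therefore authenticate with a client secret, or the lenient path should not exist at all.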
Re: [keycloak-user] [keycloak-dev] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter
by Bruno Oliveira
btw, that class was removed a long time ago. See:
https://github.com/keycloak/keycloak/tree/1.2.0.Final/services/src/main/j...
On Sun, Aug 6, 2017 at 3:30 AM Burghard Britzke <bubi(a)charmides.in-berlin.de>
wrote:
> I posted it already on the [keycloak-user] mailing list without a reply.
> I want to run the keycloak server on a tomcat 8/9 instance. For that, I
> found an article
> https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/
> which describes, how to deploy keycloak on tomcat. Unfortunately it
> describes the version 1.1.0-Beta2, which is very old. In his web.xml a
> filter with the name
> org.keycloak.services.filters.ClientConnectionFilter is referenced. When
> starting the context on tomcat8/9, a ClassNotFoundException is thrown.
> I have been unable to resolve the dependency in 1.1.0-Beta2 and
> 3.2.0-Final, too.
>
> The name of the class suggests that it is from the keycloak project. Can
> anybody give me a hint where to find this class? I also asked the author
> of the above article, but until now he did not answer.
>
> --
> Regards
> burghard.britzke
> https://britzke.berlin/
>
> > Begin forwarded message:
> >
> > To: keycloak-user(a)lists.jboss.org
> >
> > in order to run a keycloak-server on tomcat, I am searching for a class
> named org.keycloak.services.filters.ClientConnectionFilter. Could anybody
> send me a hint where to find it? Could anybody share a link to a
> documentation of this filter?
> > --
> > Regards
> > burghard.britzke
> > https://britzke.berlin/
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
7 years, 4 months
Re: [keycloak-user] [keycloak-dev] Searching for a class named org.keycloak.services.filters.ClientConnectionFilter
by Bruno Oliveira
I don't think this is supported. Also, like Bill and Stian stated in 2015 (
http://lists.jboss.org/pipermail/keycloak-dev/2015-November/006018.html) in
theory it would be possible, but new issues may happen as we update.
7 years, 4 months
Delegated User Self-Administration
by Michael Poettgen
Hello Everyone,
I've got questions on how to properly do delegated user self-administration with Keycloak.
Some background information:
* We are working with hundreds or even thousands of organizations for which we want to manage access to our applications.
* Some of these organizations are our internal divisions for which we have Active Directories. Users from these organizations can be integrated through "User Storage Federation" and they will continue to be maintained in the respective directories.
* Some of these organizations are part of larger organizations which have proper identity providers. Users from these organizations can be integrated through "Identity Brokering" and they will continue to be maintained in the respective identity providers.
* For the remaining external organizations (and there are a lot of them) we would have to maintain user accounts ourselves and we would like to delegate that maintenance work to a designated user self-administrator within the external organization.
* A user self-administrator should be able to view, create, lock and unlock user accounts within the same organization.
* Optionally a user self-administrator should be able to grant or revoke access to particular (sets of) applications for the users he is allowed to administer.
I do understand that this could probably be achieved through separate realms and "Dedicated Realm Admin Consoles", but as far as I understand these realms would be entirely separate. This would mean that we would have to set up clients hundreds of times for each of the organizations. We would have to figure out how to direct each user to the proper realm for authentication and each organization would have its own login page.
* Does Keycloak have something like the notion of "sub-realms" where a user can authenticate against a realm, if there is a corresponding user account in the realm itself or in one of the sub-realms?
* It is probably possible to use the "User Storage SPI" to write a custom User Storage Federation Provider, but does that make sense? Would it perform well?
* Another option would probably be to write a custom User Self-Administration application using the "Admin REST API". (Unfortunately there is not even an API to retrieve users filtered by anything other than base properties, so the application could end up retrieving thousands of user accounts to find five accounts belonging to a particular organization.)
* The third option would be to customize Keycloak itself, but we are no Java experts, so is this advisable?
* Has anyone implemented a scenario like this with Keycloak?
* Does anyone know whether there are any plans to extend Keycloak to better support a scenario like this?
Thanks,
Michael
7 years, 4 months
Re: [keycloak-user] Migration from Picketlink IDM
by Thomas DELHOMENIE
Funny, the application I am talking about is Gatein/eXo actually :)
Thanks for your answers Marek.
Looks like replacing Picketlink by Keycloak will not be as straight forward
as I initially thought. It will require architecture changes, will impact
configuration, custom developments and will require data migration if we
want to use it.
On 7 Aug 2017 12:53, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Glad that someone is still using picketlink 1.4. It reminds me of the old
days when I was working on GateIn Portal, which was using Picketlink 1.4
:) But I agree that it is good to migrate :) Answers inline.
On 07/08/17 11:07, Thomas DELHOMENIE wrote:
> Hello,
>
> We currently use PicketLink (in a quite old version : 1.4), especially the
> IDM part. As Picketlink is a dead project, we are evaluating alternative
> solutions, which naturally led us to Keycloak. I have some questions :
> * I understand that Keycloak must be run as a server, but isn't there a way
> to embed only the User Federation capability in an application (so not in
> server mode) ? We basically need to be able to manage users/groups,
> aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
> expose them in our API. That's what we did with Picketlink IDM, but I am
> not sure it is feasible with Keycloak.
>
Not directly. Keycloak is meant to be used as a server and do it for you.
Once a user successfully authenticates, the details are available in his
access token. The application doesn't know from which source (LDAP server)
this info came; it's not the responsibility of the application. Also
Keycloak has an admin REST API, which allows you to search for users and
return corresponding JSON objects with user details. We have a nice admin
client, which allows you to easily execute this REST API from a Java
application.
> * we provide the capability for the administrators of our application to
> configure their users and groups storages, by configuration. Is it still
> possible with Keycloak or can this only be done via the admin console ?
>
We have an admin REST API, and everything which is doable in the Keycloak
admin console can also be done through the admin REST API. In the latest
3.2.1 version there is a more fine-grained admin permissions model, which
should allow you to specify permissions for admins in a more fine-grained
way if needed.
Marek
>
> Regards,
> Thomas
>
7 years, 4 months
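To make Marek's pointer to the admin client concrete, and to show the client-side filtering that Michael's "Delegated User Self-Administration" post says the Admin REST API forces on him, here is an added example that is not from this thread and not part of the Keycloak project. It uses `org.keycloak:keycloak-admin-client` as it existed around Keycloak 3.x and assumes a realm in which every externally managed user carries an `organization` attribute and an admin account with `manage-users` on that realm; the server URL, realm name, credentials, attribute name and package are placeholders.

```java
package com.example.selfadmin; // example package

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Minimal delegated-administration helper. Every operation is scoped to one
 * organization, and that scope is enforced HERE, because the Keycloak account
 * this code runs as has realm-wide manage-users rights. Keycloak only filters
 * users by username/name/email, so organization membership is checked on the
 * user attribute after paging through the realm.
 */
public class OrgUserAdmin {
    static final String ORG_ATTR = "organization"; // example attribute name
    private static final int PAGE = 100;

    private final UsersResource users;

    public OrgUserAdmin(Keycloak keycloak, String realm) {
        this.users = keycloak.realm(realm).users();
    }

    /** Organization stored on the user, or null if none. */
    static String orgOf(UserRepresentation user) {
        Map<String, List<String>> attrs = user.getAttributes();
        if (attrs == null) return null;
        List<String> values = attrs.get(ORG_ATTR);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    /** All users of one organization: paged through the realm, filtered client-side. */
    public List<UserRepresentation> listOrgUsers(String org) {
        List<UserRepresentation> result = new ArrayList<>();
        for (int first = 0; ; first += PAGE) {
            List<UserRepresentation> page = users.list(first, PAGE);
            if (page.isEmpty()) break;
            for (UserRepresentation u : page) {
                if (org.equals(orgOf(u))) result.add(u);
            }
        }
        return result;
    }

    /** Lock or unlock a user, refusing to touch accounts outside the caller's organization. */
    public void setEnabled(String org, String userId, boolean enabled) {
        UserRepresentation rep = users.get(userId).toRepresentation();
        if (!org.equals(orgOf(rep))) {
            throw new SecurityException("user " + userId + " is not in organization " + org);
        }
        rep.setEnabled(enabled);
        users.get(userId).update(rep);
    }

    /** Create a user pinned to the organization; the delegated admin cannot choose another. */
    public String createOrgUser(String org, String username, String email) {
        UserRepresentation rep = new UserRepresentation();
        rep.setUsername(username);
        rep.setEmail(email);
        rep.setEnabled(true);
        rep.setAttributes(Collections.singletonMap(ORG_ATTR, Collections.singletonList(org)));
        Response response = users.create(rep);
        if (response.getStatus() != 201) {
            throw new IllegalStateException("create failed: HTTP " + response.getStatus());
        }
        String path = response.getLocation().getPath();
        return path.substring(path.lastIndexOf('/') + 1); // new user id from the Location header
    }

    public static void main(String[] args) {
        // Placeholder server, realm and credentials; the admin account needs manage-users.
        Keycloak keycloak = Keycloak.getInstance("https://sso.example.com/auth", "master",
                "admin", "admin-password", "admin-cli");
        OrgUserAdmin admin = new OrgUserAdmin(keycloak, "customers");
        for (UserRepresentation u : admin.listOrgUsers("acme")) {
            System.out.println(u.getUsername() + " enabled=" + u.isEnabled());
        }
    }
}
```

The organization value the delegated admin is allowed to act on must come from that admin's own authenticated session (for example a claim in the token the self-administration app receives), never from a request parameter, and the `organization` attribute must only ever be written by this code path, since it is the sole thing separating one organization's users from another's. The full page-through in `listOrgUsers` is exactly the cost Michael's post describes; `setEnabled` avoids it by looking the target up by id and checking the attribute before acting.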
Password Reset Issue for Outlook Users
by N. C. Deepak Ramesh
Hi All,
We have deployed Keycloak 3.1.0.Final and everything works fine. However,
password reset fails for all users using Outlook (Webmail/Client). When
clicking on the password reset link the user gets the following message:
*We're sorry, An error occurred, please login through your application
again*
I suspect this is the same issue as what is described on
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010586.html
Is this fixed in later versions of Keycloak? Or, if it is deemed not to be a
Keycloak bug, are there any recommended workarounds for this user base
that is primarily on Outlook? How do other installations get around this
problem? Any help would be greatly appreciated.
Thanks in advance.
Deepak
7 years, 4 months
Migration from Picketlink IDM
by Thomas DELHOMENIE
Hello,
We currently use PicketLink (in a quite old version : 1.4), especially the
IDM part. As Picketlink is a dead project, we are evaluating alternative
solutions, which naturally led us to Keycloak. I have some questions :
* I understand that Keycloak must be run as a server, but isn't there a way
to embed only the User Federation capability in an application (so not in
server mode) ? We basically need to be able to manage users/groups,
aggregate them from multiple sources (LDAP, AD, custom data store, ...) and
expose them in our API. That's what we did with Picketlink IDM, but I am
not sure it is feasible with Keycloak.
* we provide the capability for the administrators of our application to
configure their users and groups storages, by configuration. Is it still
possible with Keycloak or can this only be done via the admin console ?
Regards,
Thomas
7 years, 4 months
Issue with impersonate functionality in Keycloak 3.2.0
by van der Vliet, Rody
Hi Keycloak Community,
We have recently upgraded our application landscape to use Keycloak 3.2.0.
Within this version we have noticed some unstable behavior regarding the impersonate function in the admin console of keycloak.
Regards,
Rody van der Vliet
Technology Consultant - Financial Services
+31622484548
rody.van.der.vliet(a)accenture.com
7 years, 4 months