Keycloak logout not working for “bearer-only” application exposing REST services
by Dan Nemes
Hello,
I am unable to log out a user. The logout works for a "confidential" application but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).
I have the following configuration:
- I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)
- I have one "rest_service" client application defined in Keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The workflow described below is implemented in this application using REST web services
I am performing the following steps:
- An HTTP GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
- The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
- Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
- After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
- After the access token is available I proceed to access the "bearer-only" REST web services.
Note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and has the correct "role" assigned.

Problem: As stated at the start of the post, the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again). If I perform the logout of the user, the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: "Some clients have been not been logged out for user adminuser in demo realm: rest_service"

I tried implementing the logout in three ways:
- A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the redirect_uri and client_id parameters
- A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the Authorization Bearer header and the client_id, refresh_token, client_secret and redirect_uri
- A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()
Neither of the above methods is working.

PS: I did not want to go into too many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)
Thank you,
Dan Nemes
6 years, 11 months
Attributes in resources in Keycloak Authorization services
by Thiago Presa
Hi,
We're looking into Keycloak Authorization services, but currently, we can't
get our heads around configuring in Keycloak a policy the following
authorization requirement:
Suppose we have a corporate Google-docs-like app, where every document has
a clearance level (e.g. confidential, internal, public). Every user has its
own permission level, which indicates whether the user is allowed to access
confidential, internal or public documents.
Could you please advise as to how to implement such requirements into
Keycloak Authorization services?
Assuming this isn't currently supported, a simple solution seems to be
implementing the ability to set resource attributes and make them available
to policy construction. Would you be considering implementing such approach
(or any other)?
Best regards,
Thiago Presa
6 years, 11 months
Refreshing Tokens
by Christopher Davies
I am adding Keycloak to a legacy application that uses GWT and Jetty.
I have managed to add Keycloak to the application using Spring Security.
Because this is GWT I am doing the authorisation in the application myself.
Spring just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct? I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to log out to get the new roles, if at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the
authentication of the user is still valid; it is just the roles the user is
in that have changed.
Thanks
Chris
6 years, 11 months
Validate User Credentials Without Creating a Session
by Scott Finlay
Hi,
We're currently using Keycloak 2.5.5.Final, and in this version it's not possible
to validate a user's credentials (username / password combination) without
actually logging the user in, which results in a session (and our sessions are
long-lived). Is there any new functionality introduced in the later versions of Keycloak
to validate the credentials without actually logging the user in?
Our use-case is that we have very long-lived tokens, but we want to require the
user to re-enter his/her password in order to perform certain sensitive tasks
such as changing the password or username.
If such functionality is not available, would it be possible to add this?
Regards,
Scott
6 years, 11 months
Fwd: how to retrieve an access token only with roles for a specific target service (keycloak client)?
by Daniel Charczyński
Hi
I'd like to talk with you about
https://github.com/keycloak/keycloak/pull/4910
and
https://issues.jboss.org/browse/KEYCLOAK-6092
we have a CRITICAL security issue that a target service is able to receive an
access token with roles to other services, so it is able to reuse it.
We need to implement a feature that makes it possible to get an access token
with roles per target service (client in keycloak).
Our idea is to use client roles that require scope.
But in order to get all roles assigned from a specific target service we need
to change the current behaviour.
At the moment there is the possibility to get a specific role using the scope
parameter
<clientId>/<role-name>
but we need
<clientId>/.*
Have you got any idea to make it possible ASAP?
We do not want to make any breaking changes...
maybe we use a wildcard instead of a regexp like <clientId>/* ?
Just let me know how to do it in order to be compatible with your future
plans and make it possible to merge...
Regards
Daniel
6 years, 11 months
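An added example, not code from either thread above or from Keycloak itself, covering both Dan Nemes' logout question and Daniel's per-service roles request: a resource-side validator for a bearer-only service that, besides signature and expiry, checks the token's audience, uses only the roles granted to its own client, and honours a logout only once it has learned of it (a revoked session id or a pushed not-before), which is why purely stateless validation keeps accepting tokens until they expire. The token is HS256-signed with a constructed key so the example runs offline; real Keycloak access tokens are RS256-signed with the realm key, and the claim names (aud, iat, exp, session_state, resource_access) are the ones Keycloak emits.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real Keycloak access tokens are RS256-signed with the
# realm key; HS256 is used here only so the example runs offline.
DEMO_KEY = b"demo-hmac-key-not-a-real-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a constructed token carrying Keycloak-style claims (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def roles_for_service(token, service, now=None, revoked_sessions=(), not_before=0):
    """Return the roles this service may trust from the token, or None if rejected.
    Signature and exp are stateless checks: they never notice a logout, which is
    why a bearer-only service keeps accepting a token until it expires. The
    audience check refuses a token minted for another client; the session and
    not-before checks are the only ones that actually observe a logout.
    """
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    aud = claims.get("aud", [])
    if service not in ([aud] if isinstance(aud, str) else aud):
        return None
    if claims.get("session_state") in revoked_sessions or claims.get("iat", 0) < not_before:
        return None
    # Only roles granted for this client count; other clients' roles are ignored.
    return sorted(claims.get("resource_access", {}).get(service, {}).get("roles", []))
```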
User registration flow - Can UID be mapped into SN and CN?
by Min Han Lee
Hello guys,
Our LDAP environment has a schema which requires sn and cn to be stated
when creating a new user; therefore the User Registration in the KC will
not work as the KC can only use UID as the main attribute to register a new
user.
I'm wondering if anyone is able to work around this by changing the UID to
another attribute?
Kind Regards
6 years, 11 months
Keycloak with NGINX proxy server not authenticating rest api
by karan shah
I have a sample app which correctly secures the REST API locally. Now when I put this in production behind an nginx proxy it does not work. No errors. It allows all requests.
Front end server with SSL is https://frontend.com
Back end server with SSL is https://backend.com
Keycloak proxy forward is true
Front end server(node server on 9000) <-> NGINX <-> Keycloak (running on 8180)
nginx file sample
upstream keycloak_server {
    server localhost:8180;
}
upstream node_server {
    server localhost:9000;
}
location /auth/ {
    proxy_pass http://keycloak_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
    proxy_pass http://node_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
The front end server calls a backend API using Angular. REST API calls look like https://backend.com/callTest
Backend server(running on tomcat) <-> NGINX <-> Spring Boot(with keycloak)
nginx sample
location / {
    proxy_pass http://127.0.0.1:8080/dt-1.0/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
In Angular, keycloak.json looks like
{
    "realm": "demo",
    "auth-server-url": "https://frontend.com/auth",
    "ssl-required": "none",
    "resource": "tutorial-frontend",
    "public-client": true
}
In Spring Boot, the Keycloak properties look like
keycloak.auth-server-url=https://frontend.com/auth
keycloak.realm=demo
keycloak.resource=1040nra-client
keycloak.public-client=true
keycloak.bearer-only = true
keycloak.cors = true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
Please let me know how to correct this. I would really appreciate it.
6 years, 11 months
Keycloak Middleware for node with support for multiple realms
by Cesar Salazar
Hi,
I needed a node middleware to connect my app to keycloak. I was trying
to use the official adapter, but it has the limitation that it works only
for one realm. For my use case I need my app to work with any realm in my
keycloak server.
So, I created a module that allows multiple realms. I shared it on github:
https://github.com/devsu/keycloak-nodejs-multirealm and uploaded it to npm:
keycloak-connect-multirealm.
I'm sharing it on this list for anyone that might need it, and to receive
feedback. Feedback is always appreciated.
Thanks!
--
*Cesar Salazar*
Development Manager
DEVSU | www.devsu.com
skype: cesarsalazar007
P: (213)-291-0752
M: +593 9 2917 160 (Ecuador)
6 years, 11 months