Problem with custom login using Keycloak + Spring Security Adapter in Multi Tenancy mode
by mattia.bello
Hello,
I am using Keycloak with the Keycloak Spring Security adapter and the multi-tenancy
configuration.
I need to manage the following use case:
I want to use only a single login page where the user must enter the realm,
username and password.
I cannot use the standard Keycloak login page because Keycloak needs to
know the realm before showing the corresponding login page.
How can I do that?
I thought of the following solution:
I would like to log in to Keycloak using the remember-me mechanism,
creating the necessary cookies after my own login with the realm, username
and password information.
Is it possible? How do I do that?
Thanks to all.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
6 years, 2 months
Direct Access grant vs SPA theme
by Wyns Dean
Hi
We're developing an application that has a more extensive login flow than Keycloak offers by default.
Our first thought was to develop the login flow ourselves in our web application, using the Direct Access grant. In this case, we'd need to maintain the login session ourselves. We'd need to proxy the requests and inject the access token in the headers, and renew the access token using the refresh token if necessary.
So we're instead looking to implement a theme that implements this login flow using a small SPA. Is this something that the theme system is capable of? Is this recommended over the previously mentioned approach (direct grant)?
Thanks in advance for any feedback
Dean
6 years, 2 months
authz-rest-employee quickstart: fails to query Protection API for employee resource (/api/alice doesn't match /api/{employee}/*)
by Milan Simonovic
All right, found a solution.
matchingUri in the source code (https://github.com/keycloak/keycloak/blob/f99299ee3956d138c001769b0fe4bcf...) looks like a flag that triggers an extra search if no resource is found, calling PathMatcher on each client resource. PathMatcher (https://github.com/keycloak/keycloak/blob/b478472b3578b8980d7b5f1642e91e7...) seems capable of matching /api/alice to /api/{employee}/*; this test passes:
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;

import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.junit.Test;
import org.keycloak.common.util.PathMatcher; // keycloak-common module

@Test
public void matches() throws Exception {
    // Minimal PathMatcher over one "resource": URI template -> resource name
    PathMatcher<Map.Entry<String, String>> pathMatcher = new PathMatcher<Map.Entry<String, String>>() {
        @Override
        protected String getPath(Map.Entry<String, String> entry) {
            return entry.getKey();
        }

        @Override
        protected Collection<Map.Entry<String, String>> getPaths() {
            Map<String, String> result = new HashMap<>();
            result.put("/api/{employee}/*", "employee resource");
            return result.entrySet();
        }
    };

    Map.Entry<String, String> matches = pathMatcher.matches("/api/alice");
    assertNotNull(matches);
    assertEquals("employee resource", matches.getValue());
}
so the matchingUri param should be set to true and then the resource is found:
curl -H "Authorization: Bearer $access_token" \
  "$SRV/authz/protection/resource_set?matchingUri=true&uri=%2Fapi%2Falice"
["deed8ae3-41a9-4781-b6c7-cb297516c2c6"]
regards,
Milan
6 years, 2 months
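An illustrative URI-template matcher, added here as an example and not Keycloak's own PathMatcher (whose precedence rules may differ): it shows how a template like /api/{employee}/* can accept /api/alice, and why a literal template should win over a parameterised one so that a broad template does not swallow more specific resources. The resource table is constructed for the example.

```javascript
// Added example, not Keycloak code. Rules: "{name}" matches exactly one path
// segment; a trailing "/*" matches the base path itself and any sub-path,
// so "/api/{employee}/*" accepts "/api/alice" and "/api/alice/payslips".
// Constructed resource table modelled on the quickstart's employee resource.
const RESOURCES = {
  "/api/{employee}/*": "employee resource",
  "/api/admin/*": "admin resource",
  "/healthz": "health resource",
};

function compileTemplate(template) {
  const wildcard = template.endsWith("/*");
  const base = wildcard ? template.slice(0, -2) : template;
  const names = [];
  const parts = base.replace(/^\/+|\/+$/g, "").split("/").map((seg) => {
    const m = /^\{(\w+)\}$/.exec(seg);
    if (m) { names.push(m[1]); return "([^/]+)"; }
    return seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape literal segment
  });
  const tail = wildcard ? "(?:/.*)?" : "";
  return { regex: new RegExp("^/" + parts.join("/") + tail + "$"), names };
}

// Literal segments make a template more specific; "/api/admin/*" therefore
// beats "/api/{employee}/*" for "/api/admin/users".
function specificity(template) {
  return template.split("/").filter((s) => s && s !== "*" && !s.startsWith("{")).length;
}

// Returns { name, params } for the most specific matching template, or null.
function matchResource(uri, resources = RESOURCES) {
  let best = null;
  for (const [template, name] of Object.entries(resources)) {
    const { regex, names } = compileTemplate(template);
    const m = regex.exec(uri);
    if (!m) continue;
    const score = specificity(template);
    if (best === null || score > best.score) {
      const params = {};
      names.forEach((n, i) => { params[n] = m[i + 1]; });
      best = { score, name, params };
    }
  }
  return best === null ? null : { name: best.name, params: best.params };
}
```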
How to implement PasswordHashProvider for the Bcrypt password using existing library
by Deepa Gaddigoudar
Hello there!
I need to migrate my existing application's user credentials to the Keycloak
database (I set up an RDBMS, i.e. MySQL). I have used the simpleloginsecure
library to hash the password when creating the application user account.
This library uses the md5 Bcrypt method to hash the password. I know I need
to implement PasswordHashProvider.
My questions:
1. Is it possible to use the simpleloginsecure library in Keycloak?
2. How do I implement PasswordHashProvider?
3. Later, how do I move user credentials from the existing database to the
Keycloak MySQL schema?
Regards,
Deepa M G
--
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli – 580029. India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag(a)aissel.com
6 years, 2 months
org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update user roles
by Philippe Gauthier
Hi
I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot find any answer to his question.
http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html
This post was about the ClaimToRoleMapper class of the OIDC broker component. This class searches for a claim, checks its value and grants a role if the value equals the value specified in the configuration.
If the user from the IdP is not known by Keycloak, it will be created by the First Broker Login flow and the role will be granted.
If the user is already known by Keycloak, has the role specified by the mapper and no longer has the claim, the role will be revoked.
But: if the user is known by Keycloak, does not have the role specified by the mapper and does have the claim, Keycloak does not grant him the role.
It is clear from the code why it does this, but it is not clear why it has been done that way.
Here is the code:
@Override
public void importNewUser(KeycloakSession session, RealmModel realm,
                          UserModel user, IdentityProviderMapperModel mapperModel,
                          BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    if (hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.grantRole(role);
    }
}

@Override
public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
                               UserModel user, IdentityProviderMapperModel mapperModel,
                               BrokeredIdentityContext context) {
    String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE);
    if (!hasClaimValue(mapperModel, context)) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
        if (role == null) throw new IdentityBrokerException("Unable to find role: " + roleName);
        user.deleteRoleMapping(role);
    }
    // Maybe we should add an else here that does what importNewUser does.
}
Thankyou
Philippe Gauthier.
6 years, 2 months
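A model of the two update strategies discussed in this post, added as an example and not Keycloak's code: the revoke-only update from the posted updateBrokeredUser is run side by side with a symmetric reconciliation (the suggested else branch) over a constructed sequence of brokered logins, so the role drift the post describes is visible as a return value. Role and login objects are constructed for the example.

```javascript
// Added example, not Keycloak code. A login is a constructed { claimPresent }
// object; the mapped role is a constant named here for illustration.
const ROLE = "employee";

function hasClaimValue(login) { return login.claimPresent; }

// Mirrors the posted updateBrokeredUser: revokes when the claim is gone,
// but never grants, so a claim that appears later is silently ignored.
function updateRevokeOnly(roles, login) {
  const next = new Set(roles);
  if (!hasClaimValue(login)) next.delete(ROLE);
  return next;
}

// Symmetric reconciliation (the "else" the post suggests): the mapped role
// always reflects the claim's current value, so role state cannot drift.
function updateReconcile(roles, login) {
  const next = new Set(roles);
  if (hasClaimValue(login)) next.add(ROLE); else next.delete(ROLE);
  return next;
}

// First login models importNewUser (grant if the claim is present); later
// logins run the chosen update strategy. Returns the final sorted role list.
function simulate(logins, update) {
  let roles = new Set();
  logins.forEach((login, i) => {
    if (i === 0) { if (hasClaimValue(login)) roles.add(ROLE); }
    else roles = update(roles, login);
  });
  return [...roles].sort();
}

// Constructed scenario: the user is created without the claim and is
// granted it at the IdP before the second login.
const CLAIM_ADDED_LATER = [{ claimPresent: false }, { claimPresent: true }];
```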
User Storage SPI with Mongo
by Meikle, Anthony
As Keycloak no longer supports Mongo does this extend to User Storage SPI as well? Meaning, is it possible to write a SPI to interact with MongoDB based on the structure of the current Provider Interfaces?
6 years, 2 months
SAML Token contains carriage returns (&#13;)
by Dean Peterson
Is there a way to remove the carriage returns Keycloak uses in the SAML
assertion token? This is incompatible with WebSphere idAssertion using
Keycloak as the identity provider. For example, notice the &#13;
characters in the content:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_a42073de-3815-4951-8db4-5d07d46dbf75"
IssueInstant="2018-09-17T05:35:29.198Z" Version="2.0"><saml:Issuer>
http://localhost:8080/auth/realms/unemployment-insurance</saml:Issuer><dsig:Signature
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:CanonicalizationMethod><dsig:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></dsig:SignatureMethod><dsig:Reference
URI="#ID_a42073de-3815-4951-8db4-5d07d46dbf75"><dsig:Transforms><dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></dsig:Transform><dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></dsig:Transform></dsig:Transforms><dsig:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256
"></dsig:DigestMethod><dsig:DigestValue>8aoA9CDfFV8PXBnuafSS3JU/MXuGX3to93E+go9DJrk=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>UpQPIpNTXMuds8BP5a/N08sXeVMV9Bo6/gxb+rZo38tJwu9GGdrX2SeUlQUWVKRcH0qQRlWzVLfO
nvb9gbIs/qGrIRQf2nvb40ywN0V8QqCaQr8VU++2rOJGSUfByGjazopvp2WrOM0JdlD6WjeqCs27
L+fpbVKC8GGZQB+KblqQ08xJ17yN0VDxwDAk+QDwkGpioe9p6/nSZZYCIimPF8BR0TxgwCm9KZl7
ASNv+d7m6Zaarj/CnqjLG0zDWPfAdW6R5sWuRmUzHiDG3AwpOaxxLP2d5HGPCRCfmiCHMVN3EVx4
FoQg/ej8QQ1Z0fCOg/N9qRJnFxYbnjMdc1w4rw==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>Ayvm2xqFD1Xb_CeLG0LbFdh2PuBAflqKnI7kCiTwqjw</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>MIICuzCCAaMCBgFlsHW+ezANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZVbmVtcGxveW1lbnQg
SW5zdXJhbmNlMB4XDTE4MDkwNjE5NTUzMVoXDTI4MDkwNjE5NTcxMVowITEfMB0GA1UEAwwWVW5l
.....
6 years, 2 months
Re: [keycloak-user] Dynamically branded login?
by Craig Setera
Following up on this conversation. I was unable to find a way to do this
via the FreeMarker templates, unfortunately. The templates are not
receiving anything useful for determining the full path and query
parameters. The only approach that I've found to do what I need is to add
a small JavaScript snippet to my theme that is able to look at the query
parameters and insert a new stylesheet reference into the code based on a
query parameter. Ugly, but it seems effective, assuming I can get my query
parameter set in all of the URLs that matter.
=================================
*Craig Setera*
*Chief Technology Officer*
On Wed, Aug 29, 2018 at 9:36 AM Craig Setera <craig(a)baseventure.com> wrote:
> Dmitry,
>
> I've put Keycloak on the back burner for the moment. I do intend to pick
> it back up toward the end of the year and I expect I will be digging into
> this heavily. If I figure anything out, I will be sure to report back.
>
> Craig
>
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*
>
> *415-324-5861**craig(a)baseventure.com <craig(a)baseventure.com>*
>
>
>
>
> On Wed, Aug 1, 2018 at 7:50 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
>
>> Craig, Will,
>>
>> Sorry for having fooled you :-\ turns out that the ${url} object is
>> actually not what it seems.
>>
>> I'd suggest the following trick. Could someone please try dumping all the
>> available FTL variables using the below approach?
>>
>> https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-d...
>>
>> This is for Liferay, but I hope it works with Keycloak FTLs without any
>> major modifications. So hopefully we can fish something useful out of there.
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info(a)acutus.pro
>>
>> On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
>> > Hi Dmitry,
>> >
>> > I have a use case for this same need: conditionally rendering a block
>> > of HTML in the login.ftl based on the value of a query string param.
>> >
>> > I have a question with more details here:
>> > https://stackoverflow.com/questions/51619158/keycloak-make-query-string-p...
>> >
>> > I attempted to use ${url} as you suggested, however it does not have a
>> > public method that provides the request url :(
>> >
>> >
>> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
>> >
>> > Am I missing something? Or is there any other way to access the login
>> > request url in login.ftl?
>> >
>> > Thanks, Will
>> >
>> > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin <dt(a)acutus.pro> wrote:
>> > >
>> > > Hi Craig, sorry for late response,
>> > >
>> > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
>> > > > We build and host a multitenant application that is currently using
>> > > > homegrown authentication and authorization (using Picketlink). We are
>> > > > considering a move to Keycloak. My preference would be to use the login
>> > > > flows that are built in to Keycloak rather than building our own, however
>> > > > that is dependent on whether we can properly brand those login flows on a
>> > > > per-customer basis in some dynamic way.
>> > >
>> > > In Keycloak parlance, the term "login flow" has a very particular
>> > > meaning. Basically, it's what you see in the Authentication section in
>> > > the Admin Console. It defines how authentication *works* rather than
>> > > what it *looks like* (i.e. logic rather than appearance).
>> > >
>> > > Do you really mean "login flows"? From the second part of your message
>> > > I can deduce you're mainly interested in customizing the GUI.
>> > >
>> > > > In looking at the theme SPI support, it appears to be mostly targeted to
>> > > > supporting multiple "static" themes. Is it possible to make a theme that
>> > > > is dynamic based on, for example, a query parameter?
>> > >
>> > > By default, Keycloak uses FreeMarker templates for login screens. In
>> > > the templates, the URL object is exposed as ${url}, so you can analyze
>> > > it and add conditional statements. If you're ok with that, probably you
>> > > won't need to implement any SPIs.
>> > >
>> > > Otherwise, you can either implement custom theme selection logic based
>> > > on request parameters (Theme Selector SPI), or completely redefine
>> > > theming mechanism (Theme SPI).
>> > >
>> > > > Are there any
>> > > > examples anywhere on how that might be possible?
>> > >
>> > > Well, builtin Keycloak themes are the best example IMO :) you can find
>> > > the default login theme under
>> > > themes/src/main/resources/theme/base/login in the source tree.
>> > >
>> > > > Would Keycloak carry
>> > > > through query parameters if they were provided when launching the login
>> > > > flow?
>> > >
>> > > It's best to create a custom theme and see :)
>> > >
>> > > Good luck!
>> > > Dmitry Telegin
>> > > CTO, Acutus s.r.o.
>> > > Keycloak Consulting and Training
>> > >
>> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> > > +42 (022) 888-30-71
>> > > E-mail: info(a)acutus.pro
>> > >
>> > > > Thanks,
>> > > > Craig
>> > > > _______________________________________________
>> > > > keycloak-user mailing list
>> > > > keycloak-user(a)lists.jboss.org
>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 2 months
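The query-parameter-driven stylesheet approach Craig describes is worth showing in a hardened form, because a login page that turns a raw query value into a stylesheet URL lets anyone who can craft a link restyle the login screen. This is an added example, not Craig's snippet or Keycloak theme code; the parameter name "brand", the allow-list and the paths are assumptions constructed for it.

```javascript
// Added example, not Keycloak or theme code. The query value is used only as a
// lookup key into a fixed allow-list; it is never concatenated into the href,
// so "?brand=//other.example/x.css" or "?brand=__proto__" fall back to default.
const BRAND_STYLESHEETS = {            // constructed allow-list
  acme: "/resources/themes/brands/acme.css",
  globex: "/resources/themes/brands/globex.css",
};
const DEFAULT_STYLESHEET = "/resources/themes/brands/default.css";

// Returns the stylesheet path for the requested brand, or the default when the
// parameter is absent, not a plain identifier, or not in the allow-list.
function resolveBrandStylesheet(queryString, table = BRAND_STYLESHEETS) {
  const params = new URLSearchParams(queryString);
  const brand = (params.get("brand") || "").toLowerCase();
  if (!/^[a-z0-9_-]{1,32}$/.test(brand)) return DEFAULT_STYLESHEET;
  // hasOwnProperty guards against inherited keys such as "constructor"
  return Object.prototype.hasOwnProperty.call(table, brand) ? table[brand] : DEFAULT_STYLESHEET;
}

// Inserts the <link> via DOM properties (no innerHTML). Touches the DOM only
// when a document is supplied, so the logic is testable outside a browser;
// returns the href it selected either way.
function injectBrandStylesheet(doc, queryString) {
  const href = resolveBrandStylesheet(queryString);
  if (doc && typeof doc.createElement === "function") {
    const link = doc.createElement("link");
    link.rel = "stylesheet";
    link.href = href;
    doc.head.appendChild(link);
  }
  return href;
}

// In the theme template this would be called as:
// injectBrandStylesheet(document, window.location.search);
```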
Managing Mysql relational database setup
by Deepa Gaddigoudar
Hello All,
I have configured the Keycloak DB from H2 to MySQL. My applications are
working fine too. What I want is:
1. Can I manage the user credentials? (Because I want to import
existing users' credentials generated before integrating the application
with Keycloak, as we don't want to create new user credentials and
make it difficult for end users.)
2. If I could import existing credentials (username and password) into
Keycloak MySQL, then into which table? (Because I am not finding the
passwords anywhere in the tables.)
Thank you
6 years, 2 months