Re: [keycloak-user] Spring Boot Multi-tenancy
by Pedro Igor Silva
Based on other adapters, requests to unprotected resources should not be
processed by Keycloak mechanisms. I need to check why spring is behaving
differently.
Let me look at that and I'll update that JIRA.
Thanks.
On Thu, Oct 18, 2018 at 12:31 PM jeff victor <jeffvictor(a)gmail.com> wrote:
> Hi Pedro. I have created KEYCLOAK-8616
> <https://issues.jboss.org/browse/KEYCLOAK-8616>.
>
> Could you tell me what the expected behavior for a custom
> KeycloakConfigResolver should be when it is invoked when being redirected
> to /sso/login? Or for any other path that doesn't contain information to
> determine the deployment? I've noticed, for instance, that the resolver
> also gets invoked for other unprotected resources in the project such as /
> or /some-unprotected-path.
>
> Should the resolver return null? Or is the issue that the resolver
> shouldn't be getting invoked at all if the path isn't protected by spring
> security?
>
>
> Thanks,
>
> Jeff
>
> On Thu, Oct 18, 2018 at 3:17 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> We recently added support for node registration, but I missed the fact
>> that it should only run when a deployment could be resolved. Could you open
>> a JIRA, please ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Wed, Oct 17, 2018 at 8:39 PM Jeff Victor <jeff(a)sweetjacket.com> wrote:
>>
>>> I'm trying to get multi-tenancy working in a spring boot project. I've
>>> built the latest 4.6.0 snapshot and as a result am able to register my
>>> own
>>> MultiTenantConfigResolver - as per
>>> https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified
>>> that my
>>> custom resolver is being called.
>>>
>>> My application requires security to kick in at /admin/** and /customer/**
>>> which correspond to two realms - admin and customer.
>>>
>>> However, anything else should be open. Here is the configuration:
>>>
>>> http.authorizeRequests()
>>>     // /admin/** and /customer/** require authentication; everything else stays open
>>>     .antMatchers("/admin/**").authenticated()
>>>     .antMatchers("/customer/**").authenticated()
>>>     .anyRequest().permitAll();
>>>
>>> The issue I'm having is that I don't know what KeycloakDeployment to
>>> return
>>> if someone accesses an unprotected resource like / or even /sso/login.
>>>
>>> In both of those cases my config resolver gets invoked and I return null
>>> which then results in the following exception:
>>>
>>> java.lang.NullPointerException: null
>>>
>>> at
>>> org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43)
>>>
>>> at
>>> org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81)
>>>
>>> at
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
>>>
>>> at
>>> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>>>
>>> at
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
>>>
>>> I've seen other examples of a multi-tenant config resolver that always
>>> return a KeycloakDeployment or, if one can't be determined, throw
>>> an exception, such as here:
>>> https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/sr...
>>>
>>> As an example, when debugging it seems that if I return the appropriate
>>> KeycloakDeployment for /admin everything goes well but straight away the
>>> resolver gets invoked again as there has been a redirect to /sso/login.
>>> In
>>> this case how am I to determine which KeycloakDeployment / realm to use?
>>>
>>> Thanks,
>>> Jeff
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
6 years, 2 months
No ID token in headers OpenID connect, apache OIDC
by Dereck Jacobsen
Hi all,
Sorry for the newbie question. I have keycloak set up and the apache OIDC
adapter protecting a php website. However, when I look at the headers after
login (using the OIDCResponseType code), I am only seeing the access token
and no ID token. Is there a setting I am missing in the keycloak
configuration?
Thanks!
6 years, 2 months
Re: [keycloak-user] Admin rest api / admin console to export users
by Bruce Wings
Thanks for the reply. But I am looking for a non command line way to
import/export users. Is there an admin rest API or admin web console option
for the same?
On Thursday, October 18, 2018, Deepa Gaddigoudar <deepag(a)aissel.com> wrote:
> https://github.com/Codingpedia/codingmarks.org/wiki/Move-keycloak-database-from-H2-to-MySql
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_database
>
>
> Use the command below to export users:
>
> $KEYCLOAK_HOME/bin/standalone.sh -Dkeycloak.migration.action=export \
>   -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=exported_realms \
>   -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
>
>
>
>
> On Thursday 18 October 2018 04:58 PM, Bruce Wings wrote:
>
> Is the only way to export users via *kcadm.sh/.bat* or
> is there a way to export users via admin console / admin rest API?
>
>
> --
> ------------------------------
> *Deepa M Gaddigoudar | Software Developer*
> Aissel Technologies Pvt. Ltd.
> A Block, Floor 2, IT Park, Hubli – 580029. India
> Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
> Cell: +91 8951519616
> E-Mail: deepag(a)aissel.com
>
6 years, 2 months
Spring Boot Multi-tenancy
by Jeff Victor
I'm trying to get multi-tenancy working in a spring boot project. I've
built the latest 4.6.0 snapshot and as a result am able to register my own
MultiTenantConfigResolver - as per
https://issues.jboss.org/browse/KEYCLOAK-8444. I have also verified that my
custom resolver is being called.
My application requires security to kick in at /admin/** and /customer/**
which correspond to two realms - admin and customer.
However, anything else should be open. Here is the configuration:
http.authorizeRequests()
    // /admin/** and /customer/** require authentication; everything else stays open
    .antMatchers("/admin/**").authenticated()
    .antMatchers("/customer/**").authenticated()
    .anyRequest().permitAll();
The issue I'm having is that I don't know what KeycloakDeployment to return
if someone accesses an unprotected resource like / or even /sso/login.
In both of those cases my config resolver gets invoked and I return null
which then results in the following exception:
java.lang.NullPointerException: null
at org.keycloak.adapters.NodesRegistrationManagement.tryRegister(NodesRegistrationManagement.java:43)
at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
I've seen other examples of a multi-tenant config resolver that always
return a KeycloakDeployment or, if one can't be determined, throw
an exception, such as here:
https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/sr...
As an example, when debugging it seems that if I return the appropriate
KeycloakDeployment for /admin everything goes well but straight away the
resolver gets invoked again as there has been a redirect to /sso/login. In
this case how am I to determine which KeycloakDeployment / realm to use?
Thanks,
Jeff
6 years, 2 months
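A path-prefix KeycloakConfigResolver for the two-realm setup described above, added here as an example (it is neither Jeff's code nor the Keycloak multi-tenant example he links). It assumes the auth server URL, client ids and secret shown are placeholders, that deployments are built from AdapterConfig, and that, like the bundled example, an unresolvable path throws rather than returning null:

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

/** Chooses the Keycloak realm from the request path prefix (/admin/** or /customer/**). */
public class PathPrefixConfigResolver implements KeycloakConfigResolver {

    // Placeholder values: put your own auth server URL and per-realm client secrets here.
    private static final String AUTH_SERVER_URL = "https://keycloak.example.test/auth";
    private static final Map<String, String> PREFIX_TO_REALM = new LinkedHashMap<>();
    static {
        PREFIX_TO_REALM.put("/admin", "admin");
        PREFIX_TO_REALM.put("/customer", "customer");
    }

    // One KeycloakDeployment per realm, built lazily and reused across requests.
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String path = request.getRelativePath();
        for (Map.Entry<String, String> entry : PREFIX_TO_REALM.entrySet()) {
            String prefix = entry.getKey();
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return deployments.computeIfAbsent(entry.getValue(), this::buildDeployment);
            }
        }
        // Never return null: the adapter dereferences the result (NodesRegistrationManagement)
        // before it knows whether the path is protected. Throwing, as the bundled multi-tenant
        // example does, fails loudly instead. The adapter's own /sso/login redirect carries no
        // prefix, so purely path-based tenancy needs a second tenant signal for that request.
        throw new IllegalStateException("No Keycloak realm mapped for path " + path);
    }

    private KeycloakDeployment buildDeployment(String realm) {
        AdapterConfig config = new AdapterConfig();
        config.setRealm(realm);
        config.setAuthServerUrl(AUTH_SERVER_URL);
        config.setResource(realm + "-app");            // client id in that realm (placeholder)
        config.setSslRequired("external");
        Map<String, Object> credentials = new HashMap<>();
        credentials.put("secret", "<client-secret-placeholder>");
        config.setCredentials(credentials);
        return KeycloakDeploymentBuilder.build(config);
    }
}
```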
Error 'secure-deployment' isn't an allowed element here when change wildfly config for keycloak
by Erik Haugen
I'm trying to secure a war file in Wildfly 14.0.1.Final with keycloak.
I followed the documentation given here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter
I installed the keycloak wildfly adapter 4.5.0. I'm trying to secure a war via the Adapter Subsystem, so I followed the documentation and modified the standalone.xml of wildfly with the Keycloak subsystem definition:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
<secure-deployment name="simple-rest-0.0.1-SNAPSHOT.war">
<realm>master</realm>
<auth-server-url>https://keycloak.test.online/auth</auth-server-url>
<ssl-required>none</ssl-required>
<resource>account</resource>
<credential name="secret">46a3091a-abc-9f9a-8895949d4cdf</credential>
</secure-deployment>
</subsystem>
After adding this information to the standalone.xml, I try to start wildfly and get the following error message:
09:19:13,164 ERROR [stderr] (Controller Boot Thread) [Fatal Error] :422:11: The element type "profile" must be terminated by the matching end-tag "". 09:19:13,193 ERROR [org.jboss.as.controller] (Controller Boot Thread)
OPVDX001: Validation error in standalone.xml ----------------------------------- | | 413: | 414: | 415: | ^^^^ 'secure-deployment' isn't an allowed element here | | 416: master | 417: https://keycloak.test.online/auth <https://keycloak.test.online/auth> | 418: none | | The primary underlying error message was: | > ParseError at [row,col]:[415,13] | > Message: WFLYCTL0198: Unexpected element | > '{urn:jboss:domain:8.0}secure-deployment' encountered | |-------------------------------------------------------------------------------
09:19:13,195 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143) at org.jboss.as.server.ServerService.boot(ServerService.java:377) at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372) at java.lang.Thread.run(Thread.java:748)
09:19:13,198 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
Any ideas what could be wrong?
6 years, 2 months
Configure existing hashing library with keycloak
by Deepa Gaddigoudar
Hello Keycloak Team!
My existing user passwords are hashed using the SimpleLoginSecure
<https://dialect.ca/code/ci-simple-login-secure/> library. As I am not
sure about the *salt* they have used, can I integrate this same library
with keycloak as a PasswordHashProvider?
If yes, how? Which piece of code do I need to alter? I am not familiar with
java.
Regards,
Deepa M G
6 years, 2 months
Forbidden on Post Method
by Fabio Ebner
I'm trying to use Spring Boot with Keycloak, so I created 2 clients in Keycloak:
1 - "central-front" is public, where my user will get a token
2 - "central-api" is "bearer-only", where my API will validate the token
In my "central-api" I created 2 roles, CLIENTE and CARTORIO, then I created one
user with the CLIENTE role and another with CARTORIO.
In my backend I configured it like this:
package br.com.lumera.centralback.config;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfigurer extends KeycloakWebSecurityConfigurerAdapter {

    @Bean
    public GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
        // Spring Security expects every role to start with "ROLE_"; this mapper
        // adds the ROLE_ prefix to the roles arriving from Keycloak
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        return mapper;
    }

    @Override
    protected KeycloakAuthenticationProvider keycloakAuthenticationProvider() {
        final KeycloakAuthenticationProvider provider = super.keycloakAuthenticationProvider();
        provider.setGrantedAuthoritiesMapper(grantedAuthoritiesMapper());
        return provider;
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers("/estado/*").hasRole("CLIENTE")
            .antMatchers("/natureza/*").hasRole("CLIENTE")
            .antMatchers("/cartorio/*").hasRole("CLIENTE")
            .antMatchers("/mensagem/*").hasRole("CLIENTE")
            .anyRequest().permitAll();
    }

    // Spring Boot would otherwise register the Keycloak filters a second time, outside the
    // Spring Security chain; these beans keep the adapter from doing that.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            final KeycloakAuthenticationProcessingFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            final KeycloakPreAuthActionsFilter filter) {
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
and my keycloak.json
{
"realm" : "Lumera",
"bearer-only" : true,
"auth-server-url" : "http://localhost:9090/auth",
"ssl-required" : "external",
"resource" : "central-api",
"use-resource-role-mappings" : true,
"principal-attribute" : "preferred_username"
}
So when I try to access a GET URI the roles work fine: if I log in as CARTORIO
I can't access any of the URLs listed above, and if I log in as CLIENTE I
can access them normally. But in /mensagem/ I have one POST endpoint, and
when I try to POST something I always get a Forbidden. I already tried to put
.antMatchers(HttpMethod.POST, "/mensagem/**")
and I already tried to remove the
.antMatchers("/mensagem/*").hasRole("CLIENTE")
line, with no success either.
6 years, 2 months
Best practices for permission-based resource lookup
by Lamina, Marco
Hi folks,
I have a project with several resources that are created and owned by users. Access to these resources can be shared with groups or other users via Keycloak permissions. My API needs to implement endpoints for accessing these resources in a permission-based manner, meaning that for example GET /my-resource should return all resources that the provided access token has permission to view (e.g. via “view” scope).
Right now, this is my implementation:
1. POST /my-resource creates an object in my DB and a corresponding Keycloak resource via the Protection API. Resources in Keycloak are named using a schema (<resource-prefix>.<database-id>)
2. Send POST token endpoint with response_mode=permissions. This gives me a list of all resources the token can access, including the scopes. See [1]
3. Filter the list by name and scope using the resource prefix
4. Extract object IDs from resource names and load DB objects using the extracted IDs
While this works, I still see some issues with this approach:
* The resulting list of resources in 2) could potentially become quite big and increase response time
* The “naming schema solution” for mapping Keycloak resources to database objects seems more like a workaround
Are there best practices for doing this kind of thing with Keycloak? If not, I’d be grateful for any tips on how to turn this into a more robust / efficient solution.
Thanks,
Marco
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
6 years, 2 months
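Steps 1 to 4 above written against the Keycloak AuthzClient, as an added example (not Marco's code). It assumes a keycloak.json for the resource server on the classpath, the placeholder prefix "my-resource.", and the 4.x AuthzClient API in which getPermissions() issues the token-endpoint request with response_mode=permissions; the returned resource id is handed back so the caller can store it next to the row instead of relying on the name schema alone.

```java
import java.util.ArrayList;
import java.util.List;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;

/** Registers DB-backed resources in Keycloak and lists the ones a token may "view". */
public class PermissionLookup {

    private static final String PREFIX = "my-resource.";       // <resource-prefix> (placeholder)
    private final AuthzClient authz = AuthzClient.create();    // reads keycloak.json from the classpath

    /** Step 1: create the Keycloak resource that mirrors a freshly inserted DB row. */
    public String registerResource(long databaseId, String ownerUserId) {
        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(PREFIX + databaseId);                 // <resource-prefix>.<database-id>
        resource.setOwner(ownerUserId);                        // the creating user owns it
        resource.setOwnerManagedAccess(true);                  // owner may share it with others
        resource.addScope("view", "edit");
        // Persist the returned id with the row: matching on Permission.getResourceId() later
        // avoids parsing names at all.
        return authz.protection().resource().create(resource).getId();
    }

    /** Steps 2-4: evaluate all permissions for the token and map names back to DB ids. */
    public List<Long> viewableIds(String accessToken) {
        AuthorizationRequest request = new AuthorizationRequest();
        // No explicit permission in the request: every resource the subject can reach is
        // evaluated, which is why the list can grow with the number of shared resources.
        List<Permission> granted = authz.authorization(accessToken).getPermissions(request);
        List<Long> ids = new ArrayList<>();
        for (Permission permission : granted) {
            String name = permission.getResourceName();
            if (name == null || !name.startsWith(PREFIX)) {
                continue;                                      // some other resource type
            }
            if (permission.getScopes() == null || !permission.getScopes().contains("view")) {
                continue;                                      // granted, but not for viewing
            }
            try {
                ids.add(Long.parseLong(name.substring(PREFIX.length())));
            } catch (NumberFormatException e) {
                // Name not produced by registerResource(); ignore rather than fail the request.
            }
        }
        return ids;
    }
}
```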