Custom authentication
by Vagelis Savvas
Hello,
I'd like some advice on how to go about implementing the following
custom authentication scenario:
- A user besides the standard username and password optionally
provides one more secret in the login screen.
- The secret is associated with a realm role (one to one) by the realm
admin, and if matched the user is dynamically added to the corresponding
role.
- If the secret isn't provided the user is normally authenticated and
gets whatever roles he is assigned, like the default behavior
Of course I would like to avoid implementing an SPI for that :-) but if
it is not possible to avoid it I'd appreciate any insights and advice.
I admit I haven't carefully read the relevant SPI extension docs yet,
hoping that there is some way of doing it without an SPI extension.
Cheers,
Vagelis
5 years, 6 months
Notify Keycloak Bearer Clients on Admin Actions
by Miguel Haber
Hi,
I'm just wondering about one scenario where I'm running:
- Keycloak server (using it as a user base, and for
authentication/authorization)
- 3 resource servers connected to the Keycloak as bearer-only clients
These resource servers store separate information about users.
One use case I need to investigate:
- Keycloak admin logs in, deletes one user that has data in all 3 resource
servers
Questions:
1) Do the 3 resource servers get notified at the moment in order to purge
the user data from their DBs?
2) What if 1 resource server is offline, does it get notified as soon as it
goes back online?
Thanks
5 years, 6 months
EVENTTYPE for a temporarily disabled user
by Anneke Breust
Hi,
in context with customized Prometheus metrics I am looking for an Event,
which is emitted whenever a user is temporarily disabled (and a
counterpart, which is emitted when the disabled user is enabled again).
The goal is to be able to monitor the number of currently disabled users
as well as how many times in a specific time span a user has been
disabled. I looked through the EventTypes here
https://www.keycloak.org/docs-api/3.2/javadocs/org/keycloak/events/EventT...
but I didn't find anything useful- did I overlook something?
Thanks in advance,
Anneke
5 years, 6 months
Keycloak + Custom AuthenticatorFactory + Spring 5
by Tommaso Tamantini
Hi to all,
I'm trying to develope a custom AuthenticatorFactory with a custom
Authenticator.
I would like to inject my custom Authenticator as Spring Bean into my
custom AuthenticatorFactory (because my authenticator should use an existing
spring library).
My authenticator is like:
@Component
public class MyAuthenticator extends AbstractUsernameFormAuthenticator
implements Authenticator {
[.]
To achieve it, I created an ApplicationContextAware bean
@Service
public class BeanUtil implements ApplicationContextAware {
private static ApplicationContext applicationContext;
public BeanUtil() {
}
@Override
public void setApplicationContext(ApplicationContext
applicationContext) throws BeansException {
this.applicationContext = applicationContext;
}
public static Authenticator getAuthenticatorBean() {
return applicationContext.getBean(MyAuthenticator.class);
}
}
My factory is:
public class MyAuthenticatorFactory implements AuthenticatorFactory,
ConfigurableAuthenticatorFactory {
public static final String PROVIDER_ID = "aruba-alias-authenticator";
public static final String G_RECAPTCHA_RESPONSE =
"g-recaptcha-response";
public static final String RECAPTCHA_REFERENCE_CATEGORY = "recaptcha";
public static final String SITE_KEY = "site.key";
public static final String NUMBER_KEY = "number.key";
public static final String SITE_SECRET = "secret";
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public MyAuthenticator create(KeycloakSession session) {
return BeanUtil.AuthenticatorBean();
}
[.]
Keycloak starts up correctly.
When I try to use myAuthenticator, i get:
16:46:48,484 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http
management interface listening on http://0.0.0.0:9990/management
sia-keycloak | 16:46:48,484 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://0.0.0.0:9990
sia-keycloak | 16:46:48,485 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in
23456ms - Started 943 of 1231 services (653 services are lazy, passive or
on-demand)
sia-keycloak | 16:47:12,357 WARN [org.keycloak.services] (default task-3)
KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
sia-keycloak | at
...authenticator.alias.BeanUtil.getArubaAliasAuthenticatorBean(BeanUtil.java
:22)
sia-keycloak | at
..authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.jav
a:35)
sia-keycloak | at
...authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.ja
va:1)
The reason in that the Spring Context is null.
Any idea about how to fix this issue?
Many thanks,
Tom
5 years, 6 months
File based cache store migration
by Nicolas Ocquidant
Hi
When using a file based cache store for sessions, and assuming that I have
millions of sessions in the file I don't want to loose, could Keycloak
helps me migrate this file when upgrading for a new version of Keycloak?
It is serialized data inside, so migration may be difficult that's why I am
asking.
Thanks
--nick
5 years, 6 months
Persist Keycloak session cache into JDBC store, no data is written into table
by Röck, Cedric
Hi,
we are currently trying to persist the in-memory session cache of our Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC based.
In order to achieve this, we already updated the configuration and ended up with this config for the Infinispan subsystem:
<subsystem xmlns="urn:jboss:domain:infinispan:6.0">
<cache-container name="keycloak">
<transport lock-timeout="60000"/>
<local-cache name="realms">
<object-memory size="10000"/>
</local-cache>
<local-cache name="users">
<object-memory size="10000"/>
</local-cache>
<local-cache name="authorization">
<object-memory size="10000"/>
</local-cache>
<local-cache name="keys">
<object-memory size="1000"/>
<expiration max-idle="3600000"/>
</local-cache>
<replicated-cache name="work"/>
<distributed-cache name="sessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}">
<jdbc-store data-source="KeycloakDS" dialect="SQL_SERVER" fetch-state="true" passivation="false" preload="true" purge="false" shared="true" singleton="false">
<property name="dropTableOnExit">
false
</property>
<property name="createTableOnStart">
true
</property>
<table/>
</jdbc-store>
</distributed-cache>
<distributed-cache name="clientSessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/>
<distributed-cache name="authenticationSessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/>
[...]
</cache-container>
[...]
</subsystem>
Even though the table „ispn_entry_sessions“ gets created once Keycloak starts, no data is being persisted there. Not after 5min and also not once several hours passed. To exclude batch sizes and alike as error cause, our test creates 300 users and performs repeated logins for all of them, so there should also be enough load on the system.
Some more details:
* The statistics already show more than 600 cache-loader-misses for the jdbc store, but no successful load.
* Our deployment consists of three Keycloak instances running in Kubernetes pods / docker containers.
* Target JDBC Database is an Azure managed SQL DB / SQL Server
* We can’t see any errors in the logs and also the cache distribution appears to still work amongst all nodes in the cluster.
If you need more details, log excerpts, the full config, …, just give me a ping.
What are we missing? Any help is very much appreciated.
Thanks and kind regards
Cedric
Cedric Röck
______________________________
Senacor Technologies AG
Äußere Cramer-Klett-Str. 21
90489 Nürnberg
M +49 (170) 2274 878
Cedric.Roeck(a)senacor.com
www.senacor.com
Senacor Technologies Aktiengesellschaft - Sitz: Eschborn - Amtsgericht Frankfurt am Main - Reg.-Nr.: HRB 110482
Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender: Daniel Grözinger
Diese E-Mail inklusive Anlagen enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie
nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten, informieren Sie bitte den Absender
und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail ist
nicht gestattet.
This e-mail including any attachments may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please notify the sender immediately and
destroy this e-mail. Any unauthorized copying, disclosure or distribution of the materials in this e-mail is
strictly forbidden.
5 years, 6 months
4.6.0 Final
by Geoffrey Cleaves
Anybody know when 4.6.0 is expected to roll out? I'm waiting for some nice
bug fixes...
5 years, 6 months
setting up TLS(SSL) through the X509_CA_BUNDLE environment variable
by Meissa M'baye Sakho
hello everyone,
I'm using the jboss/keycloak:4.5.0.Final docker image.
I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment
variable as explained in the Jboss/keycloak docker image documentation.
I've mounted a volume to the image pointing to the cert file and defined
the env variable.
I'm running the image with the following command:
*docker run -d --name opengie -e KEYCLOAK_USER=meissa -e
KEYCLOAK_PASSWORD=meissa \*
* -e PROXY_ADDRESS_FORWARDING=true \*
* -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \*
* -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https
\*
* -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \*
* -e
JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \*
* -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \*
* jboss/keycloak:4.5.0.Final*
When The container starts, I've checked that the cert has been corectly
mounted to the expected folder /var/run/secrets
But I see in the log that the certificat import fails (extract below):
*Creating HTTPS keystore via OpenShift's service serving x509 certificate
secrets..*
*HTTPS keystore successfully created at:
/opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks*
*Creating Keycloak truststore..*
*Keycloak truststore successfully created at:
/opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks*
*Importing certificates from system's Java CA certificate bundle into
Keycloak truststore..*
*Failed to import certificates from system's Java CA certificate bundle
into Keycloak truststore!*
*Setting JGroups discovery to dns.DNS_PING with properties
{dns_query=>bdf-opengie-test.paas.eclair.local}*
I've checked in the script that handle the TLS import [1], but I'm not able
to guess why the import is failing.
The following extract is a part of the scripts that is used by the image to
import the cert.
# Import existing system CA certificates into the newly generated truststore
local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which
keytool)))"/../lib/security/cacerts")
if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" >
/dev/null; then
echo "Importing certificates from system's Java CA certificate bundle into
Keycloak truststore.."
keytool -importkeystore -noprompt \
-srckeystore "${SYSTEM_CACERTS}" \
-destkeystore "${JKS_TRUSTSTORE_PATH}" \
-srcstoretype jks -deststoretype jks \
-storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
if [ "$?" -ne "0" ]; then
echo "Successfully imported certificates from system's Java CA certificate
bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
else
echo "Failed to import certificates from system's Java CA certificate
bundle into Keycloak truststore!"
fi
Any advice?
[1]=
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...
Meissa
5 years, 6 months
Re: [keycloak-user] [keycloak-dev] There is already a httpSessionManager
by Thomas Darimont
Hello Calixto,
this is more a question for keycloak-user instead of keycloak-dev.
There are some issues with Spring Security and the latest version of the
keycloak spring-boot / spring-security adapter 4.5.0.Final.
You can have a look at the following two examples for a working
configuration.
see:
https://github.com/thomasdarimont/wjax2018-spring-keycloak/tree/master/demos
- spring-boot-2-frontend
- spring-boot-2-backend
The examples are currently using
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
but the configuration works as well with
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.0.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
in combination with the following setting in application.yml /
application.properties:
spring:
main:
allow-bean-definition-overriding: true
which seems to be required since Spring Boot 2.1
Cheers,
Thomas
Am Di., 13. Nov. 2018 um 01:18 Uhr schrieb Calixto Meleán <cmelean(a)gmail.com
>:
> I’m doing a simple tutorial with SpringBoot 2.1.0 and KeyCloack 4.5.0.
> When I start my app, I am getting the error below. It’s like the session
> manager bean is being registered more than once.
>
> org.springframework.beans.factory.support.BeanDefinitionOverrideException:
> Invalid bean definition with name 'httpSessionManager' defined in class
> path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot
> register bean definition [Root bean: class [null]; scope=; abstract=false;
> lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true;
> primary=false; factoryBeanName=securityConfig;
> factoryMethodName=httpSessionManager; initMethodName=null;
> destroyMethodName=(inferred); defined in class path resource
> [com/example/demo/configuration/SecurityConfig.class]] for bean
> 'httpSessionManager': There is already [Generic bean: class
> [org.keycloak.adapters.springsecurity.management.HttpSessionManager];
> scope=singleton; abstract=false; lazyInit=false; autowireMode=0;
> dependencyCheck=0; autowireCandidate=true; primary=false;
> factoryBeanName=null; factoryMethodName=null; initMethodName=null;
> destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m!
> 2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]]
> bound.
>
> Relevant maven dependencies I have are:
>
> <dependency>
> <groupId>org.keycloak</groupId>
> <artifactId>keycloak-spring-boot-starter</artifactId>
> <version>${keycloak.version}</version>
> </dependency>
>
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-security</artifactId>
> </dependency>
>
> SecurityConfig.class is:
>
> @KeycloakConfiguration
> public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
> @Bean
> public KeycloakConfigResolver KeycloakConfigResolver() {
> return new KeycloakSpringBootConfigResolver();
> }
>
> /**
> * Registers the KeycloakAuthenticationProvider with the authentication
> manager.
> */
> @Autowired
> public void configureGlobal(AuthenticationManagerBuilder auth) throws
> Exception {
> auth.authenticationProvider(keycloakAuthenticationProvider());
> }
>
> /**
> * Defines the session authentication strategy.
> */
> @Bean
> @Override
> protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
> return new RegisterSessionAuthenticationStrategy(new
> SessionRegistryImpl());
> }
>
> @Override
> protected void configure(HttpSecurity http) throws Exception
> {
> super.configure(http);
> http
> .authorizeRequests()
> .antMatchers("/customers*").hasRole("pharmacist")
> .anyRequest().permitAll();
> }
> }
>
>
> Appreciate any help. Thanks
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
5 years, 6 months
Login via SAML RESPONSE from an IdP
by Karsten Honsack
Hello everybody,
I am trying to figure out if Keycloak is capable to fulfil the following requirement. I read through the documentation but was not able to figure it out.
Scenario:
A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding:
Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.
Is this possible? How has it to be configured? Do you need any more information to help me? Thank you in advance!
Best regards
Karsten Honsack
**************************************
5 years, 6 months
