Restrict access to clients based on Group membership
by Prashant Bapat
Hi,
In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great.
Is there a way to restrict access to an OIDC client based on group membership? I've been reading the docs and trying to get this working without success.
For example, let's say we have 2 clients:
client-dev-api
client-prod-api
Can I configure Keycloak to issue a JWT token for client-dev-api only to members of the AD group "Developers" and for client-prod-api only to members of the AD group "Production"?
Any guidance on getting this to work would be appreciated.
Thanks.
--Prashant
How can I use Keycloak to support my architecture?
by ola rob
Hi,
I need some help in securing my applications with Keycloak:
I have a couple of Grails applications (App1 and App2) using Spring Security. However, currently I am using the Keycloak REST API to authenticate users by passing username and password and receiving a token, without registering these applications as clients in Keycloak. But this approach seems to be inefficient when we want to support SSO, Kerberos and the lot of other powerful features that Keycloak offers.
So I came up with the approach below to support SSO/Kerberos but wanted to know if Keycloak can solve our problem.
"Create a new Spring Boot master application (App3), register it with Keycloak and redirect the login page to Keycloak. Once login is successful, use the token that Keycloak provides, pass it on to App1 and App2 and tweak my existing code flow to handle this. Is this possible, given that I am not registering/creating any clients for App1 and App2 in Keycloak here but only creating one for App3, which is the master application, and using its access token? Is it mandatory to register/create all clients in Keycloak to support SSO?"
Any help would be highly appreciated.
Thanks in advance!
OpenID Java Adapter: configuring Keycloak to use an IdP different than the Keycloak Server
by Usai, Fabrizio
Dear,
We are using Keycloak Java adapter 4.5.0 in combination with EAP 7.1. When we configure our keycloak.json we have for auth-server-url the URL https://authentication.country.com/op/v1/auth (the original URL is changed for privacy reasons). So far so good.
When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/pr....
This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the URL forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as the identity provider. Before, we were using SAML and didn't have this issue.
How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/?
We don't understand why with SAML we didn't have this issue at all, and now with OpenID it seems very difficult to solve. Our current guess at a solution is to override some Keycloak Java class and make sure the URL is built the correct way. Although it is a bit dirty, we could accept this as a solution (if it is possible), but we prefer to do this via configuration.
Kind regards,
Fabrizio Usai
TLS configuration issues with 4.5.0
by Balazs Kovacs
Hi,
I run a test instance of Keycloak from the public Docker Hub.
I'm able to set up the server with TLS on the default port 8443 with my own certificates up until KC 4.3.0. I did not try with 4.4.0, but 4.5.0 never succeeds and ends up with an auto-generated self-signed certificate in any case.
I attached the standalone.xml configuration I use. When I turn on DEBUG log level, I get the suspicious error below that I thought was related:
10:07:51,880 DEBUG [org.jboss.as.domain.management] (MSC service thread 1-2) Starting 'ApplicationRealm' Security Realm Service
10:07:52,028 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000005: Received add context event for default-host:/wildfly-services
10:07:52,032 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000007: Received start context event for default-host:/wildfly-services
10:07:52,124 DEBUG [io.undertow] (MSC service thread 1-1) JDK9 ALPN not supported: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
    at java.lang.Class.getMethod(Class.java:1786)
    at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
    at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9AlpnProvider.java:43)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at java.lang.Class.newInstance(Class.java:442)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
    at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
    at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:68)
    at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:94)
    at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:123)
    at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:108)
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:177)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
    at java.lang.Thread.run(Thread.java:748)
Any idea what's going wrong with this version of the Keycloak Docker image and the TLS setup?
Thanks,
Balazs
How to enable Keycloak for an embedded Jetty 9.3 server
by ola rob
Hi,
I wanted to use the Jetty 9.3 adapter to secure my applications using Keycloak. But I see that the Keycloak docs talk about configuration on standalone Jetty servers but not on embedded Jetty servers:
java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
My application uses an embedded Jetty server. Can you please provide steps to enable the Keycloak module for an embedded Jetty server?
Thanks in advance!
Verification of Access Token failed
by Tim Rademacher
Hi all,
I am struggling with access token verification.
So here is what I am doing (using Keycloak 4.5):
1. Generate an offline auth code from Client A.
2. Generate a refresh token from Client A.
3. Generate an access token from Client A. This token has an *ES256* signature.
When using this token, I get an error from my Spring Boot application that the used public key was not available: "Didn't find publicKey for specified kid".
I set the public-key-cache-ttl to 1 sec and the log level to debug and could see that only one public key was retrieved for my configured client: "Realm public keys successfully retrieved for client xxxxxxxxxx. New kids: [xxxxx]".
As I could see in the realm settings, the key was created using *RS256*.
When I force Client A to just use the RS256 signature by setting the "Access Token Signature Algorithm", then it works fine. But I wonder how I could also use other signature algorithms!? The release notes state that both (and more) algorithms are supported.
Thanks for your help!
Regards
Tim
/authz/protection/permission/ticket usage?
by Ulrik Sjölin
Hello,
I have a question on how to use the API: /authz/protection/permission/ticket
I can call the endpoint successfully if I do the call with only IDs:
curl --silent -X POST \
  "http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket" \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
    \"resource\":\"${resource_id}\",
    \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
    \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
    \"granted\":\"true\"
  }"
It would however be a lot more workable for me if I could use names like:
curl --silent -X POST \
  "http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket" \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
    \"resource\":\"${resource_id}\",
    \"scope\":\"Read\",
    \"requester\":\"alice\",
    \"granted\":\"true\"
  }"
But when I do this I get:
{"error":"invalid_scope","error_description":"Scope [Read] is invalid"}
{"error":"invalid_permission","error_description":"Requester does not exists in this server as user."}
Looking at the code there seem to be lookups from names to IDs, but for some reason it fails. What am I doing wrong? Any help is greatly appreciated.
Best Regards,
Ulrik Sjölin
Set sessions lifespan by realm?
by Nicolas Ocquidant
Hello
Would it be possible to have several "sessions" caches with different configurations associated with different realms?
I mean, I need to configure different lifespans for sessions for different realms. How could I do that?
Does the "SSO Session Max" entry from the GUI override, for each realm, the definition from the file standalone-ha.xml:
<distributed-cache name="sessions" owners="2" statistics-enabled="true">
<binary-memory eviction-type="COUNT" size="10000"/>
<expiration lifespan="1800000"/>
...
If yes, does it mean I need to set the expiration lifespan in standalone-ha.xml to the maximum of all "SSO Session Max" GUI entries?
Thanks a lot for clarification
--nick