Re: [keycloak-user] CEK key for alg:dir
by Tim Rademacher
...I suddenly had the idea that the auth request returns the auth code, which
is then used to get an access token. So the auth code is just returned to
its origin. So the "shared secret" CEK is not a shared secret, but only known
by the Keycloak server. So it makes sense that I could not find the
information on where to get the CEK, since the Keycloak server is the only one
that needs it.
Could someone please confirm?
Thanks
Tim
From: Tim Rademacher <t.rademacher(a)gmx.de>
Sent: Tuesday, 6 November 2018 13:21
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: CEK key for alg:dir
Hi all,
I am somewhat struggling with Keycloak (version 4.5.0) and I would like to
view the data returned from an authorization request. I retrieve the token and
would like to look into it.
I see, there are 5 parts:
1. Header
2. CEK
3. Init Vector
4. Content (encrypted)
5. Auth Tag
The header says the algorithm is DIR and the encryption algorithm is
A128CBC-HS256.
RFC 7518 says that DIR means "Direct use of a shared symmetric key as
the CEK".
So I wonder, how would the shared key come to the client to decrypt the
content?
How would I be able to decrypt the token (where would I get the token from)?
Thank you very much!
Tim
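An added example, not code from the posts above or from Keycloak, that makes the observation concrete: it builds a compact JWE with alg "dir" and enc "A128CBC-HS256" using a 32-byte key that only the issuer holds, splits the result into the five segments Tim lists, and shows that the second segment (the JWE Encrypted Key of RFC 7516) is empty, so a party without the issuer's key fails at the authentication tag and never reaches the ciphertext. The key is a constructed stand-in for the server-side secret and the header carries only alg and enc.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// JWE is a compact serialization split into its five segments (RFC 7516 s3.1). With
// alg "dir" the Encrypted Key segment is empty: the CEK is the issuer's own secret.
type JWE struct {
	Header                            map[string]interface{}
	RawHeader                         string // base64url header, used verbatim as the AAD
	EncryptedKey, IV, Ciphertext, Tag []byte
}

// ParseJWE decodes the segments without decrypting anything.
func ParseJWE(compact string) (*JWE, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("expected 5 segments, got %d", len(parts))
	}
	var raw [5][]byte
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = d
	}
	j := &JWE{RawHeader: parts[0], EncryptedKey: raw[1], IV: raw[2], Ciphertext: raw[3], Tag: raw[4]}
	if err := json.Unmarshal(raw[0], &j.Header); err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	return j, nil
}

// tagA128CBCHS256 is RFC 7518 s5.2.3: HMAC-SHA256(MAC_KEY, AAD||IV||CT||AL)[:16],
// AL being the bit length of the AAD as a 64-bit big-endian integer.
func tagA128CBCHS256(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	m := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{aad, iv, ct, al} {
		m.Write(part)
	}
	return m.Sum(nil)[:16]
}

// EncryptDir is the issuer's side. key is its 32-byte secret: MAC_KEY = key[:16],
// ENC_KEY = key[16:]. AES-128-CBC with PKCS#7 padding, then the HMAC tag.
func EncryptDir(key, plaintext []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("A128CBC-HS256 needs a 32-byte key")
	}
	hj, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A128CBC-HS256"})
	rawHeader := b64.EncodeToString(hj)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	block, _ := aes.NewCipher(key[16:]) // length already validated
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	tag := tagA128CBCHS256(key[:16], []byte(rawHeader), iv, ct)
	// Second segment deliberately empty: nothing key-related is transmitted.
	return strings.Join([]string{rawHeader, "", b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// DecryptDir verifies the tag before touching the ciphertext (encrypt-then-MAC).
// Anyone without the issuer's key fails here, which is the point of alg "dir".
func DecryptDir(key []byte, compact string) ([]byte, error) {
	j, err := ParseJWE(compact)
	if err != nil {
		return nil, err
	}
	if j.Header["alg"] != "dir" || j.Header["enc"] != "A128CBC-HS256" {
		return nil, fmt.Errorf("unsupported alg/enc %v/%v", j.Header["alg"], j.Header["enc"])
	}
	if len(j.EncryptedKey) != 0 || len(key) != 32 || len(j.IV) != aes.BlockSize ||
		len(j.Ciphertext) == 0 || len(j.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed token for dir/A128CBC-HS256")
	}
	want := tagA128CBCHS256(key[:16], []byte(j.RawHeader), j.IV, j.Ciphertext)
	if !hmac.Equal(want, j.Tag) { // constant-time compare
		return nil, errors.New("tag mismatch: wrong key or tampered token")
	}
	block, _ := aes.NewCipher(key[16:])
	pt := make([]byte, len(j.Ciphertext))
	cipher.NewCBCDecrypter(block, j.IV).CryptBlocks(pt, j.Ciphertext)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	serverKey := bytes.Repeat([]byte{0x5a}, 32) // constructed stand-in for the issuer's secret
	tok, _ := EncryptDir(serverKey, []byte(`{"sid":"constructed"}`))
	j, _ := ParseJWE(tok)
	fmt.Printf("header=%v encrypted-key bytes=%d\n", j.Header, len(j.EncryptedKey))
	_, err := DecryptDir(bytes.Repeat([]byte{1}, 32), tok)
	fmt.Println("client with a guessed key:", err)
}
```

The tag is checked before any decryption, so a wrong key and a modified ciphertext are rejected the same way. That is also why there is nothing for a client to "look into": the only key that opens the token is the one the issuer keeps, and the header tells the reader as much with alg "dir".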
RPT endpoint responds unexpectedly for resources created with an explicit _id
by Geoffrey Cleaves
The token endpoint sends an unexpected response while using grant_type
urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions
to a resource created via the resource UMA endpoint that has an explicit
_id.
When access is denied, the endpoint sends an HTTP 400 with invalid_resource /
"Resource with id [resource2] does not exist." instead of sending 403. The
same test using a resource which has the Keycloak-assigned _id returns
403 as expected.
I believe the key point here is that the resource has been created using
the resource_set endpoint and had the _id set explicitly instead of letting
Keycloak assign the id.
Could the issue be related to the fact that my Keycloak Docker install began
as 4.3.0.Final with the database being Postgres, and then I upgraded
Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any
DB migrations have been missed which could cause this issue?
To reproduce the issue, try the following: create resources rA and rB via
the resource_set endpoint. When creating rB, include an explicit _id. Then,
using an auth_token which does not have access to rB, try getting an RPT
which includes permissions to rB. The token endpoint will respond with 400
resource_not_found. But in fact the resource exists.
I have opened Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729
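The exchange described above, as an added example that is not part of the original report or of Keycloak: a client posting the uma-ticket grant to the token endpoint, and a classifier that keeps a 403 (a policy decision) apart from a 400 invalid_resource (the server does not know the resource), since a caller must not treat the two alike. The server is a constructed stub that replays the two responses from the report; the endpoint path, the audience "my-resource-server", the resource ids "a1b2c3" (standing for a Keycloak-assigned id) and "public-doc", and the token values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const umaTicketGrant = "urn:ietf:params:oauth:grant-type:uma-ticket"

// RPTOutcome is the token endpoint's answer to an RPT request.
type RPTOutcome struct {
	Status int
	Error  string // OAuth "error" member, empty when a token was issued
	Desc   string // "error_description"
	RPT    string // the issued requesting party token
}

// RequestRPT posts the uma-ticket grant: the caller's access token goes in the
// Authorization header, the wanted resource (optionally "id#scope") in "permission".
func RequestRPT(c *http.Client, tokenEndpoint, accessToken, audience, permission string) (*RPTOutcome, error) {
	form := url.Values{}
	form.Set("grant_type", umaTicketGrant)
	form.Set("audience", audience)
	form.Set("permission", permission)
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	var p struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
		Desc        string `json:"error_description"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, fmt.Errorf("HTTP %d with non-JSON body: %s", resp.StatusCode, body)
	}
	return &RPTOutcome{Status: resp.StatusCode, Error: p.Error, Desc: p.Desc, RPT: p.AccessToken}, nil
}

// Classify separates "policy said no" (403, a final answer) from "the server
// cannot find the resource" (400 invalid_resource, a server-side data problem).
func (o *RPTOutcome) Classify() string {
	switch {
	case o.Status == http.StatusOK && o.RPT != "":
		return "granted"
	case o.Status == http.StatusForbidden:
		return "denied"
	case o.Status == http.StatusBadRequest && o.Error == "invalid_resource":
		return "unknown-resource"
	}
	return fmt.Sprintf("unexpected %d %s", o.Status, o.Error)
}

// NewStubTokenEndpoint is a constructed stand-in for Keycloak, not Keycloak code.
// It replays the report: "a1b2c3" (server-assigned id) is denied with 403,
// "resource2" (explicit _id) gets 400 invalid_resource, anything else is granted.
func NewStubTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		reply := func(status int, body map[string]string) {
			w.WriteHeader(status)
			json.NewEncoder(w).Encode(body)
		}
		if r.Method != http.MethodPost || r.FormValue("grant_type") != umaTicketGrant ||
			!strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			reply(http.StatusBadRequest, map[string]string{"error": "invalid_request"})
			return
		}
		resource := strings.SplitN(r.FormValue("permission"), "#", 2)[0]
		switch resource {
		case "a1b2c3":
			reply(http.StatusForbidden, map[string]string{"error": "access_denied", "error_description": "not_authorized"})
		case "resource2":
			reply(http.StatusBadRequest, map[string]string{"error": "invalid_resource",
				"error_description": "Resource with id [resource2] does not exist."})
		default:
			reply(http.StatusOK, map[string]string{"access_token": "constructed.rpt.value", "token_type": "Bearer"})
		}
	}))
}

func main() {
	srv := NewStubTokenEndpoint()
	defer srv.Close()
	for _, perm := range []string{"public-doc", "a1b2c3", "resource2"} {
		o, err := RequestRPT(srv.Client(), srv.URL+"/auth/realms/demo/protocol/openid-connect/token",
			"constructed-access-token", "my-resource-server", perm)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-11s -> %s (%s)\n", perm, o.Classify(), o.Desc)
	}
}
```

Against a real server, point RequestRPT at the realm's token endpoint and pass the user's access token; the classifier then tells you whether to show the user an access-denied message or to open a server-side ticket, as was done here.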
Re: [keycloak-user] Java 11 (Docker container base)
by Sebastian Laskawiec
I believe using the commercial Hotspot JVM provided by Oracle will not be
an option. We will probably stick with OpenJDK.
BTW, all JDK LTS releases will receive much longer updates. Please see this
blog post for the reference:
https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-open...
On Thu, Oct 25, 2018 at 4:37 PM Pavel Micka <Pavel.Micka(a)zoomint.com> wrote:
> It was mainly a question about how the support/updates will be handled -
> if Keycloak will rely on „community only“ updates for Java 8 or if there
> will be a switch to new Java (updated by Oracle in the half-year window).
>
> I am sure that our customers will ask in reviews how the security
> updates are handled throughout our solution, and if all parts of our
> solution rely only on secure resources.
>
> So the question should more be: Will Java under Keycloak be periodically
> updated (without commercial support) after January 2019?
>
> Regards,
>
> Pavel
>
> *From:* Sebastian Laskawiec <slaskawi(a)redhat.com>
> *Sent:* Thursday, October 25, 2018 4:00 PM
> *To:* Pavel Micka <Pavel.Micka(a)zoomint.com>
> *Cc:* Meissa M'baye Sakho <msakho(a)redhat.com>; keycloak-user <keycloak-user(a)lists.jboss.org>
> *Subject:* Re: [keycloak-user] Java 11 (Docker container base)
>
> From the support perspective, Red Hat offers extended support till June
> 2023 [1].
>
> Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess
> we still have plenty of time to do the switch, so I wouldn't rush things
> too much.
>
> BTW, why do you need JDK11, especially in the container?
>
> [1] https://access.redhat.com/articles/1299013
>
> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka(a)zoomint.com>
> wrote:
>
> Sorry, end of January (my fault):
> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java
> and OpenJDK will most probably start to diverge, as OpenJDK will not have
> access to Oracle repos (afaik). So the speed of security fixes will depend
> on the willingness of the community to fix the upcoming issues.
>
> Pavel
>
> From: Meissa M'baye Sakho <msakho(a)redhat.com>
> Sent: Tuesday, October 23, 2018 11:04 AM
> To: Pavel Micka <Pavel.Micka(a)zoomint.com>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>
> Hello,
> Pavel, where did you get the information that the official Java 8 support
> will cease at the end of December?
> https://access.redhat.com/articles/1299013
> https://www.oracle.com/technetwork/java/javase/eol-135779.html
> Meissa
>
> On Mon, Oct 22, 2018 at 16:33, Pavel Micka <Pavel.Micka(a)zoomint.com> wrote:
> Hello everyone,
>
> What is the plan for Java 11 support? The point is that current versions
> of Docker containers are based on OpenJDK 8, but the official Java 8
> support will cease at the end of December. Will Keycloak use Java 11 by
> that time or will it rely on updates provided by the community?
>
> This is important to us, as Keycloak is an important part of our app security.
>
> Thanks,
>
> Pavel
>
> // I have found this ticket in Jira, but it does not provide too many
> // details: https://issues.jboss.org/browse/KEYCLOAK-7811
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
API Create user
by Jannes Vandepitte
Hi,
I'm having trouble with usage of the API. When creating a user via POST on
the /users resource I can add a user no problem. But when I try to create a
user and set its roles/groups at the same time, it just ignores the
provided roles and groups.
Body:
{
  "username": "testerrr",
  "email": "testt(a)aptus.bee",
  "realmRoles": ["0085814a-b946-494b-924d-c8bd20fe077c"],
  "groups": ["098d95a5-9875-4e3c-90ab-cfacdef70fed"]
}
I gave the user that uses the api realm-admin roles just to make sure it
wasn’t a permission problem.
Any ideas on how to fix this (without adding 2 extra calls for adding the
group and the role)
Thanks in advance,
Jannes V
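An added example, not from the post or from Keycloak, showing the explicit admin calls for the two fields that were ignored: create the user, take its id from the Location header of the 201 response, then POST the realm role mapping to /users/{id}/role-mappings/realm and PUT the group membership to /users/{id}/groups/{groupId}. The role-mapping endpoint takes RoleRepresentation objects, so the role name next to the id ("app-user") is an assumption, as are the realm name "demo" and the admin token; the server is a constructed in-memory stub that, like the behaviour reported above, drops realmRoles and groups from the POST /users body.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"sync"
)

// RoleRef is the RoleRepresentation subset sent to the realm role-mapping endpoint.
type RoleRef struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// doJSON sends a bearer-authenticated request with an optional JSON body and
// returns the response with its body already closed (callers need status/headers).
func doJSON(c *http.Client, method, u, token string, body interface{}) (*http.Response, error) {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return nil, err
		}
	}
	req, err := http.NewRequest(method, u, &buf)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return resp, nil
}

func expect2xx(resp *http.Response, err error, what string) error {
	if err != nil {
		return err
	}
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s: HTTP %d", what, resp.StatusCode)
	}
	return nil
}

// CreateUserWithMappings does the three admin calls explicitly and returns the
// new user's id, which the admin API only exposes through the Location header.
func CreateUserWithMappings(c *http.Client, base, realm, token string,
	user map[string]interface{}, roles []RoleRef, groupIDs []string) (string, error) {
	usersURL := fmt.Sprintf("%s/admin/realms/%s/users", base, realm)
	resp, err := doJSON(c, http.MethodPost, usersURL, token, user)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("create user: HTTP %d", resp.StatusCode)
	}
	id := path.Base(resp.Header.Get("Location"))
	if id == "" || id == "." || id == "/" {
		return "", errors.New("create user: no usable Location header")
	}
	if len(roles) > 0 {
		resp, err := doJSON(c, http.MethodPost, usersURL+"/"+id+"/role-mappings/realm", token, roles)
		if err := expect2xx(resp, err, "realm role mapping"); err != nil {
			return id, err
		}
	}
	for _, g := range groupIDs {
		resp, err := doJSON(c, http.MethodPut, usersURL+"/"+id+"/groups/"+g, token, nil)
		if err := expect2xx(resp, err, "group "+g); err != nil {
			return id, err
		}
	}
	return id, nil
}

// StubRealm is a constructed in-memory admin API for realm "demo", not Keycloak
// code. It drops realmRoles/groups from the POST /users body, as observed in the
// post; only the dedicated mapping endpoints change its state.
type StubRealm struct {
	mu     sync.Mutex
	next   int
	Users  map[string]map[string]interface{}
	Roles  map[string][]RoleRef
	Groups map[string][]string
}

func NewStubRealm() (*StubRealm, *httptest.Server) {
	s := &StubRealm{Users: map[string]map[string]interface{}{}, Roles: map[string][]RoleRef{}, Groups: map[string][]string{}}
	const prefix = "/admin/realms/demo/users"
	h := func(w http.ResponseWriter, r *http.Request) {
		s.mu.Lock()
		defer s.mu.Unlock()
		parts := strings.Split(strings.Trim(strings.TrimPrefix(r.URL.Path, prefix), "/"), "/")
		switch {
		case r.Method == http.MethodPost && parts[0] == "" && r.URL.Path == prefix:
			var rep map[string]interface{}
			if json.NewDecoder(r.Body).Decode(&rep) != nil {
				w.WriteHeader(http.StatusBadRequest)
				return
			}
			delete(rep, "realmRoles") // silently ignored, as in the report
			delete(rep, "groups")
			s.next++
			id := fmt.Sprintf("user-%d", s.next)
			s.Users[id] = rep
			w.Header().Set("Location", "http://"+r.Host+prefix+"/"+id)
			w.WriteHeader(http.StatusCreated)
		case r.Method == http.MethodPost && len(parts) == 3 && parts[1] == "role-mappings" && parts[2] == "realm" && s.Users[parts[0]] != nil:
			var roles []RoleRef
			if json.NewDecoder(r.Body).Decode(&roles) != nil {
				w.WriteHeader(http.StatusBadRequest)
				return
			}
			s.Roles[parts[0]] = append(s.Roles[parts[0]], roles...)
			w.WriteHeader(http.StatusNoContent)
		case r.Method == http.MethodPut && len(parts) == 3 && parts[1] == "groups" && s.Users[parts[0]] != nil:
			s.Groups[parts[0]] = append(s.Groups[parts[0]], parts[2])
			w.WriteHeader(http.StatusNoContent)
		default:
			w.WriteHeader(http.StatusNotFound)
		}
	}
	return s, httptest.NewServer(http.HandlerFunc(h))
}

func main() {
	stub, srv := NewStubRealm()
	defer srv.Close()
	id, err := CreateUserWithMappings(srv.Client(), srv.URL, "demo", "constructed-admin-token",
		map[string]interface{}{"username": "testerrr", "enabled": true},
		[]RoleRef{{ID: "0085814a-b946-494b-924d-c8bd20fe077c", Name: "app-user"}},
		[]string{"098d95a5-9875-4e3c-90ab-cfacdef70fed"})
	fmt.Println(id, err, stub.Roles[id], stub.Groups[id])
}
```

The function returns the id even when a later mapping call fails, so a caller can decide whether to retry the mapping or delete the half-configured user rather than leave an account with fewer rights than intended, or creating a duplicate on retry.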
Customize Execute Actions Email Subject
by Nadim Elbaba
Hello,
I would like to customize the subject of the emails sent using
"execute-actions-email" REST endpoint depending on the required actions,
e.g. :
- "Update your password" when the UPDATE_PASSWORD action is present
- "Verify your e-mail" when only the VERIFY_EMAIL action is present
The only solution I could think of was to provide a custom
EmailTemplateProvider implementation by extending the
FreeMarkerEmailTemplateProvider to override the "sendExecuteActions" method
in order to use different properties for the email subject.
Is there any simpler way?
Anyway, thanks for this wonderful IAM solution !
Cheers,
Nadim
Keycloak got into Excited state because of Garbage Collector Issue
by Lahari Guntha
Hi all,
We are using Keycloak to have SSO enabled for different applications. It was working fine. All of a sudden we were unable to access Keycloak.
After checking the logs we came to know that "GC overhead limit exceeded".
May I know how to resolve this issue?
Thanks and Regards,
Lahari G