Delegating sharing responsibilities for UMA resources?
by Ulrik Sjölin
Hello,
I find the request-response mechanism of UMA very interesting and
think it would
be very useful where I work. But I have not found a way to scale it…
Is it possible for a resource owner to delegate the responsibilities
for sharing
resources to other users? Consider a large organisation that owns a
large set or
resources and has a large number of users. The organisation wants to
have a group
of admins to handle answering the requests that comes in from the users asking
for access to different resources.
What is the best-practice way for handling a use case like this?
Is it possible to assign a group as resource owner?
Best Regards,
Ulrik Sjölin
5 years, 5 months
Active Directory LDAP Server Signing required
by Graham Nixon
Hi. I'm new to Keycloak. A quick question on Keycloak version 4.3.0. I've searched the online documentation and forums but can't find an answer.
Does Keycloak support Simple LDAP BIND over tcp 389 (no LDAPS/TLS) to Active Directory if the Active Directory Domain Controllers (the LDAP server) have LDAP server signing set to Require Signature?
Cheers
Graham Nixon
Senior Systems Architect
MAXIMUS Canada
DeltaWare Division
176 Great George Street, Suite 300
Charlottetown, PE, Canada C1A 4K9
Office: 902.628.4598
graham.nixon(a)maximuscanada.ca
Confidentiality Notice:
This electronic transmission, and any documents attached to it, may contain confidential information belonging to the sender. This information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance upon the contents of this information is prohibited. If you have received this transmission in error, please notify the sender immediately and delete the message and all documents.
5 years, 5 months
WFLYRS0015: No Servlet declaration found for JAX-RS application
by Ulrik Lejon
Hi,
I'm currently investigating upgrading from version 3.3.0 to 3.4.2 (as a
part of in the end upgrading to the latest 4.5 version).
When I boot up version 3.4.2 on out test server I see the following warning
in the log:
WARN [org.jboss.as.jaxrs] (MSC service thread 1-7) WFLYRS0015: No Servlet
declaration found for JAX-RS application. In custom-rest-endpoing-1.7.war
either provide a class that extends javax.ws.rs.core.Application or declare
a servlet class in web.xml.
The custom-rest-endpoing.war is a realm-restapi-extension that we deploy to
our Keycloak instance. Indeed we haven't subclassed
javax.ws.rs.core.Application
nor have we any web.xml. However, looking at the rest provider example (
https://github.com/keycloak/keycloak/tree/master/examples/providers/rest) I
can't find anything about that there either. Is this warning anything I
need to pay attention to?
Cheers,
Ulrik
5 years, 5 months
Keycloak realm certificates be passed to Knox?
by Jamie McDowell
Hi,
I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates.
Knox is used to decrypt singed JWT's.
Is this something that can be achieved?
Thanks
Jamie
5 years, 5 months
Organization Based Accounts and Permissions
by Charles Henck
Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin
5 years, 5 months
Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
by Andreas Lau
Hey,
I forgot to bounce back to the list. Sorry
________________________________
Von: Andreas Lau <andreas.lau(a)outlook.com>
Gesendet: 30. Oktober 2018 23:08:06 MEZ
An: Dmitry Telegin <dt(a)acutus.pro>
Betreff: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
Hello Dmitry,
thanks for your response and informations. My problem with that many calls of the resolve methode was not a performance concern in first place. I was surprised for sure and I did indeed thought that I mad a mistake somewhere following the instructions.
As you pointed out the behavior is not wrong. The resolver should be called that many times. That's OK I'm fine with this.
The first call to the jsf page is not a problem at all, because in the URL we have set the parameter who determines which keycloak.json file has to be used. But I have a problem at the time where the jsf loading process starts to load the resources.
It fires get request with the URL to the resources the jsf needs. But now I have lost my scope because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take?
Cheers,
Andreas
Am 30. Oktober 2018 06:29:56 MEZ schrieb Dmitry Telegin <dt(a)acutus.pro>:
Hello Andreas,
I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints.
But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation).
Even if there had been the code to determine whether the resolver should or should not kick in, according to web.xml rules, - this code would have been more expensive, let alone it would have broken programmatic security. If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly.
[1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm
[2] https://gatling.io/
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote:
Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible.
So we desparatly ask for your help.
Am 24. Oktober 2018 17:16:23 MESZ schrieb Andreas Lau <andreas.lau(a)outlook.com>:
Hello,
we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support multiple clients using multi tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver.
We configured the web.xml like this:
[web.xml]
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>portal</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>public</web-resource-name>
<url-pattern>/portal/pages/willkommen.jsf</url-pattern>
<url-pattern>/portal/pages/logout.jsf</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
...
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...
</web-app>
As you can see everything under portal is restricted with two exceptions. The code of MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code [2]. In our example we consider that the url has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for every resource that is loaded through get requests to display the site. I did not expect that many invocation, since the resources are not protected.
Can you please tell me if this behaviour is correct? What is my error in adopting the mulity tenancy sample? How can we prevent/workaround that many calls?
While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use keycloak to secure a spring boot application and have troubles when a sso redirection occurs.
Regards,
Andreas
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[2] public KeycloakDeployment resolve(HttpFacade.Request request) {
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
final String mandantId = request.getFirstParam("kId");
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
if (mandantId == null || mandantId.isEmpty()) {
// throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
return null;
}
KeycloakDeployment deployment = cache.get(mandantId);
if (deployment == null) {
String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
if (is == null) {
// throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
return null;
}
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
deployment = KeycloakDeploymentBuilder.build(is);
cache.put(mandantId, deployment);
}
return deployment;
}
[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years, 5 months
Backup strategies for Keycloak + Docker?
by Rémy Grünblatt
Hello,
I'm wondering: what are your backup strategies for keycloak?
I plan to use docker and keycloak, and of course I'll be backuping the data.
The backup for the database side is ok: just launching psql in the
container will do it.
But for the keycloak side: do I need any backup? In there,
https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html,
a method for backuping the « entire database » is mentioned, and I was
wondering if this would be useful in addition of the database
(container) backup.
I thought about modifying the entry point to include this backup (what I
have done), but saving it to a volume is tricky as it seems keycloak is
running with 1000/1000 uid/gid (which is the first non-root user on many
linux distribution…).
Any hints? How do you do it, in your production?
Rémy
5 years, 5 months