How should my application users get a token to directly access my API?
by Geoffrey Cleaves
Let's say that in addition to letting my end users access my REST API via
the single page web app, I also want to let the end users access the REST
API in a machine-to-machine fashion. So that, for example, the end user
could run a report every night automatically via cron/curl instead of
generating the report via the front end SPA.
My SPA gets tokens using keycloak.js and the Authorization Code Flow. But I
don't think this is appropriate for the scenario above. Curl can't be
entering a username/password into Keycloak's login page when a session
expires. Are my end users to use the Resource Owner Password Credentials
Grant? If so, which clientid/secret should be used?
Thanks for shedding light on this.
Geoff
7 years, 5 months
keycloak-gatekeeper bearer-only
by Eric Boyd Ramirez
Dear All,
I am trying to test Keycloak-gatekeeper, have read the docs I could find (keycloak-proxy as well) but I still have a few questions:
1- I am trying to secure a number of REST APIs, configured behind bearer-only clients. I think I need to first get an access token through a confidential client using a 'grant-type=password' request and then do a second request to the REST client resource. Is this the right approach, how would I implement this using Keycloak-Gatekeeper?
2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. Is there a way to use Keycloak's authorization settings to manage access to a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
3- How do I set up multiple clients, do I have to run and configure separate instances of Keycloak-Gatekeeper?
Thanks in advance for your time and help.
Regards,
7 years, 5 months
Bug? Shared UMA resource not accessible
by Ulrik Sjölin
Hello there,
I wonder if anyone is experiencing this problem and if anyone out
there has a workaround (I am running 4.5.0).
The problem I have comes up in a really simple situation:
JDoe has 1 resource (JDoeResource) that he shares with Alice (scope:
JDoeScope).
Alice tries to access that resource with
permission=JDoeResource#JDoeScope. This fails with a “400 bad request” when
it should return the resource in question. I wonder if this is
[KEYCLOAK-8448] that I am seeing.
When alice tries to access the resource with
permission=<JDoeResource-ID>#JDoeScope or by just specifying
permission=#JDoeScope
everything works fine.
Below there is a small script that recreates and demonstrates the problem.
Any help in this matter would be greatly appreciated.
Best Regards,
Ulrik Sjölin
In order to run the script below you need to have the tools ‘jwt-cli’
and ‘jq’ installed.
#!/bin/bash
# Reproduction script; needs 'jwt-cli' and 'jq' on the PATH.
export host=keycloak
export port=8080
export realm=myrealm
export resource_server_client_id=my-service
export resource_server_client_secret=88888888-8888-8888-8888-888888888888
export username=alice
export password=alice
export resource_owner=jdoe
export resource_name=JDoeResource
export scope=JDoeScope

# Access token for alice, obtained through the resource server client with the
# password grant, so it can be used against both the protection API and the
# token endpoint below.
export access_token=\
`curl --silent \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-d client_id=${resource_server_client_id} \
-d client_secret=${resource_server_client_secret} \
-d username=${username} \
-d password=${password} \
-d grant_type=password \
| jq -r ".access_token"`

# Look the resource up by name. The URL is quoted so the shell does not treat
# the '?' in the query string as a glob character.
export result=\
`curl --silent -X GET \
"http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set?name=${resource_name}" \
-H "Authorization: Bearer ${access_token}" \
| jq -r ".[0]"`

if [ "$result" = "null" ]; then
# Create the resource on behalf of jdoe, with owner-managed access so that
# jdoe can share it with alice from the account console.
export new_id=`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set \
-H "content-type: application/json" \
-H "Authorization: Bearer ${access_token}" \
--data @<(cat <<EOF
{
"name":"${resource_name}",
"type":"Entities",
"owner":"${resource_owner}",
"ownerManagedAccess":"true",
"resource_scopes":["${scope}"]
}
EOF
) | jq -r "._id"`
echo "Created resource with id: ${new_id}"
echo "Log in with user ${resource_owner} into keycloak"
echo "and share ${resource_name} with ${username}"
echo "When that is done, run this script again"
# Nothing has been shared yet, so the permission requests below would not
# be meaningful on this run.
exit 0
else
echo "Found resource with id: ${result}"
resource_id=$result
fi

# 1) scope only: works
export result=\
`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=${resource_server_client_id}" \
--data "permission=#${scope}" \
| jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=#${scope}: ${result}"

# 2) resource id + scope: works
export result=\
`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=${resource_server_client_id}" \
--data "permission=${resource_id}#${scope}" \
| jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=${resource_id}#${scope}: $result"

# 3) resource name + scope: fails with 400 bad request
export result=\
`curl --silent -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=${resource_server_client_id}" \
--data "permission=${resource_name}#${scope}" \
| jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=${resource_name}#${scope}: ${result}"
7 years, 5 months
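The script above decides whether a permission was granted by piping the RPT through jwt-cli and grepping for the resource name. The following is an added example, not part of the post or of Keycloak, that does the same check programmatically: it decodes the RPT payload (the signature is not verified, which is acceptable when inspecting a token you just received from the token endpoint over TLS, but not for a resource server deciding access) and looks for the resource and scope in the `authorization.permissions` claim, after checking that the token is for the expected audience. The token below is constructed for illustration and its rsid is a made-up UUID.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """base64url without padding, as used in compact JWS."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample RPT (not a real Keycloak token). The signature segment is
# a placeholder, so this token is only good for decode-and-inspect.
SAMPLE_RPT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "example"}),
    _b64url({
        "aud": "my-service",
        "sub": "alice",
        "authorization": {
            "permissions": [
                {"rsid": "1c9c0fde-0000-4000-8000-000000000001",
                 "rsname": "JDoeResource",
                 "scopes": ["JDoeScope"]}
            ]
        },
    }),
    "placeholder-signature",
])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(rpt: str, resource_name: str, audience: str) -> set:
    """Scopes the RPT grants on resource_name, empty if aud does not match."""
    claims = decode_jwt_payload(rpt)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        return set()
    scopes = set()
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource_name:
            scopes.update(perm.get("scopes", []))
    return scopes


def has_permission(rpt: str, resource_name: str, scope: str,
                   audience: str = "my-service") -> bool:
    return scope in granted_scopes(rpt, resource_name, audience)


if __name__ == "__main__":
    print(has_permission(SAMPLE_RPT, "JDoeResource", "JDoeScope"))
```

The audience check matters because an RPT issued for one resource server must not be accepted by another; a grep on the resource name alone would not catch that.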
Keycloak Gatekeeper CORS problem
by Geoffrey Cleaves
I'm having a problem accessing a REST service protected by Gatekeeper via
AJAX. I have tried many different combinations of settings in the config
file to no avail. I suspect the Gatekeeper has a bug.
I can access the protected endpoint directly (via Gatekeeper) with no issue
as there is no CORS. I can use the AJAX method successfully when I use a
Chrome plugin to enable CORS for these endpoints.
The message from Chrome is:
Access to XMLHttpRequest at 'http://domain.com:3001/endpoint.php' from
origin 'http://domain2.com:8888' has been blocked by CORS policy: Response
to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested resource.
I see that Chrome only sends an OPTIONS request to Gatekeeper, which does
not respond with a Access-Control-Allow-Origin header at all, despite my
config settings below.
My config.yml file looks like this:
client-id: {id}
client-secret: {secret}
discovery-url: {keycloak end point}
enable-default-deny: true
encryption_key: {32characters}
listen: 0.0.0.0:3000
redirection-url: http://domain2.com:3001
upstream-url: http://localhost:8888
secure-cookie: false
verbose: true
#preserve-host: true
resources:
- uri: /admin*
  methods:
  - GET
  roles:
  - test-php-api:test1
  - client:test2
  require-any-role: true
  groups:
  - admins
  - users
- uri: /endpoint.php
  roles:
  - test-php-api:test1
- uri: /backend*
  roles:
  - test-php-api:test1
- uri: /public/*
  white-listed: true
- uri: /favicon
  white-listed: true
- uri: /css/*
  white-listed: true
- uri: /img/*
  white-listed: true
cors-origins:
- '*'
cors-methods:
- GET
- POST
Any ideas?
Geoff
7 years, 5 months
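When a proxy sits in front of the API, it helps to replay the browser's preflight by hand (curl with an Origin and Access-Control-Request-Method header, -X OPTIONS) and judge the answer by the same rules the browser applies. The following is an added example, not from the post or from the Gatekeeper project: an evaluator that applies the Fetch CORS preflight checks to a set of response headers. The two sample responses are constructed; the first mirrors what the poster describes (no Access-Control-Allow-Origin at all), the second is one that would let a bearer-token GET through.

```python
# Evaluate a CORS preflight (OPTIONS) response the way a browser does.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
# Simplification: content-type is treated as safelisted regardless of value;
# browsers only safelist a few media types for it.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def _csv(value: str) -> list:
    return [v.strip() for v in value.split(",") if v.strip()]


def preflight_allowed(origin, method, request_headers, response_headers,
                      with_credentials=False):
    """Return (ok, reason) for a preflight.

    origin:           the page's origin, e.g. 'http://domain2.com:8888'
    method:           value of Access-Control-Request-Method
    request_headers:  Access-Control-Request-Headers as a list of names
    response_headers: headers of the OPTIONS response (any letter case)
    """
    h = {k.lower(): v for k, v in response_headers.items()}

    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    if allow_origin == "*":
        if with_credentials:
            return False, "wildcard Allow-Origin is rejected for credentialed requests"
    elif allow_origin != origin:
        return False, f"origin {origin} does not match Allow-Origin {allow_origin}"
    if with_credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request needs Access-Control-Allow-Credentials: true"

    methods = {m.upper() for m in _csv(h.get("access-control-allow-methods", ""))}
    method = method.upper()
    wildcard_methods = "*" in methods and not with_credentials
    if method not in methods and method not in SAFELISTED_METHODS and not wildcard_methods:
        return False, f"method {method} is not in Allow-Methods"

    headers = {x.lower() for x in _csv(h.get("access-control-allow-headers", ""))}
    wildcard_headers = "*" in headers and not with_credentials
    for name in (x.lower() for x in request_headers):
        if name in headers or name in SAFELISTED_HEADERS:
            continue
        # The '*' wildcard never covers Authorization.
        if wildcard_headers and name != "authorization":
            continue
        return False, f"request header {name} is not in Allow-Headers"

    return True, "preflight passes"


# Constructed samples.
MISSING_CORS = {"Content-Type": "text/html; charset=UTF-8", "Server": "example"}
GOOD_CORS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Authorization",
}

if __name__ == "__main__":
    for resp in (MISSING_CORS, GOOD_CORS):
        print(preflight_allowed("http://domain2.com:8888", "GET", ["Authorization"], resp))
```

Note that a request carrying an Authorization header always triggers a preflight, and that allowing `*` as origin is only acceptable for an endpoint that does not rely on cookies; a bearer token in a header is not a credential in the CORS sense, so `*` works for it, but the Authorization header itself must be listed explicitly in Allow-Headers.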
Multitenant KeycloakConfigResolver
by Vagelis Savvas
Hello,
in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to
protect I would like some URLs
to not be secured. So I would like my custom KeycloakConfigResolver
implementation
to not be called when those URLs are hit but it is. The reason I don't
want my KeycloakConfigResolver to be called is simply because
I have no clue as to what to return in that case: its a non-secured REST
endpoint so a Keycloak realm doesn't make sense in my understanding.
My setup follows the docs: I've installed the adapter for Wildfly and
the web.xml has the necessary setup for not securing some URLs (no
auth-constraint for those URLs)
Also in jboss-web.xml the security-domain element isn't defined,
although I don't know if that plays any role.
My final goal is to have some URLs secured by using the JBoss specific
@SecurityDomain and the standard @RolesAllowed etc annotations.
Can you please shed some light on this matter? I'd greatly appreciate
any detailed explanation of the mechanisms involved in this area.
Cheers,
Vagelis
7 years, 5 months
Cannot Migrate Database from 3.2.0 to 4.5.0
by Mandy Fung
Hello Keycloakers,
We are currently running into an issue when upgrading Keycloak from 3.2.0
to 4.5.0 directly. The issue appears to be related to the database
migration specifically and from a change introduced in August 2018 which
references a previously dropped column.
Here is the Jira issue containing some more details with the error and some
more analysis: https://issues.jboss.org/browse/KEYCLOAK-8702
Is there anything we can do to help expedite the resolution of this issue
aside from the details we have provided on the ticket?
Best regards,
Mandy
--
Mandy Fung | Software Engineer 1 | Tasktop
email: mandy.fung(a)tasktop.com
7 years, 5 months
Integration keycloak with application UI
by K Chandra Sekar
Hey,
I want to integrate an application with the Keycloak IAM system. I am trying to use
Keycloak to protect my application using OpenID Connect. But I want to use the
application's login UI and don't want to direct the user to the Keycloak login UI
page to authenticate. Keycloak has a Spring Boot adapter which does the job, but it
still directs to the Keycloak UI for login. I searched for any API to use
from my app UI but I am not getting anything and I am stuck here. Kindly
suggest me a workaround or solution so that I can move
forward. Anticipating a positive reply.
Thanks and regards,
K.Chandra Sekar
7 years, 5 months
PKCE and Keycloak
by Bojan Milosavljević
Hello,
Is PKCE (if my adapter supports PKCE of course) automatically supported by
default by Keycloak or do I have to implement it myself?
Thank you.
Kind regards,
Bojan Milosavljevic.
7 years, 5 months
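For reference, this is what PKCE (RFC 7636) actually requires of each side, as an added example that is not from the post, from Keycloak or from any of its adapters: the client generates a random code_verifier, sends its S256 challenge with the authorization request, and reveals the verifier only at the token endpoint; the authorization server recomputes the challenge from the presented verifier and compares it with the one stored against the code. The client_id, redirect_uri and state values in the usage are placeholders; the test vector in the comments is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 bytes -> 43 base64url chars (RFC 7636: 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    RFC 7636 Appendix B: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
    maps to 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def authorization_request_params(client_id, redirect_uri, state, verifier, scope="openid"):
    """Query parameters the client adds to the authorization endpoint URL."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(client_id, redirect_uri, code, verifier):
    """Form body for the token endpoint; the verifier is disclosed only here."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_check(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the authorization server does when the code is redeemed."""
    if not (43 <= len(presented_verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    auth = authorization_request_params("my-spa", "http://localhost/cb", "xyz", v)
    print(server_check(auth["code_challenge"], auth["code_challenge_method"], v))
```

The verifier has to be kept by the client between the two requests (for a browser app, in session storage keyed by state); an attacker who intercepts the code alone cannot redeem it without it.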
How to increase logging
by Saranya Mahalingam
Hello,
Authentication component is not coming up. I don't see any errors in logs.
So thought of improving the logs using JAVA_OPTS like:
name: JAVA_OPTS
value: -Dkeycloak.logging.level=debug
But I don't see any changes in the logs even after setting the above value.
Tried few other options too without success. Do you have any suggestions
here? Let me know if you need any other information.
Thanks,
Saranya
7 years, 5 months