Access permission as member of a specific group
by Julien Deruere
I would like to know how my resource-server can know which resource I can
access as a member of a specific group.
For now I'm doing this:
request.post(`${kcConfig['auth-server-url']}/realms/${kcConfig.realm}/protocol/openid-connect/token`)
  .send({
    grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
    audience: 'nimbee-gateway',
    response_mode: 'permissions'
  })
  .set('Authorization', request.headers.authorization)
  .set('Content-Type', 'application/x-www-form-urlencoded')
  .set('X-Client', 'keycloak-nodejs-connect');
This gives me a list of all the resources I have permissions on, since I'm in
multiple groups. But how can I get only the resources I can access as a member
of a specific group?
Thanks
use JBoss/Javaadapter to verify both realm and client roles
by Adrian Matei
Hi everyone,
Is there a possibility to *declaratively* verify in the JBoss/JavaAdapter
that the user (service account) has both REALM and Client roles?
In the documentation I found the following:
use-resource-role-mappings: If set to true, the adapter will look inside the
token for application level role mappings for the user. If false, it will
look at the realm level for user role mappings. This is *OPTIONAL*. The
default value is *false*.
It sounds like it is one or the other, which is kind of limited....
Thanks and regards,
Adrian
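Added example, not from the thread or the Keycloak adapter: a check that a decoded Keycloak access-token payload carries both a realm role and a client role, the two claim locations that `use-resource-role-mappings` switches between (`realm_access.roles` versus `resource_access.<client>.roles`). The payload, the client id `my-service` and the role names are constructed, and the JWT signature, issuer, expiry and audience are assumed to have been verified before the payload reaches this code.

```python
# Added example, not from the thread or the Keycloak adapter: check that a
# decoded Keycloak access-token payload carries BOTH a realm role and a client
# role. The adapter's use-resource-role-mappings flag reads one of these two
# claim locations; this check reads both. It assumes the JWT signature, issuer,
# expiry and audience were verified before the payload reached this code.
from typing import Iterable


def realm_roles(claims: dict) -> set:
    """Roles under realm_access.roles (what use-resource-role-mappings=false reads)."""
    return set((claims.get("realm_access") or {}).get("roles") or [])


def client_roles(claims: dict, client_id: str) -> set:
    """Roles under resource_access.<client_id>.roles (use-resource-role-mappings=true)."""
    per_client = (claims.get("resource_access") or {}).get(client_id) or {}
    return set(per_client.get("roles") or [])


def has_realm_and_client_roles(claims: dict, client_id: str,
                               required_realm: Iterable[str],
                               required_client: Iterable[str]) -> bool:
    """True only when every required realm role AND every required client role is present.

    A missing or null claim section yields an empty set, so the check fails
    closed instead of raising on a token that lacks one of the sections.
    """
    return (set(required_realm) <= realm_roles(claims)
            and set(required_client) <= client_roles(claims, client_id))


# Constructed payload in the shape Keycloak emits (all values are made up).
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "azp": "service-account-caller",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "reporter"]},
    "resource_access": {
        "my-service": {"roles": ["read-reports"]},
        "account": {"roles": ["manage-account"]},
    },
}

if __name__ == "__main__":
    print(has_realm_and_client_roles(SAMPLE_CLAIMS, "my-service", ["reporter"], ["read-reports"]))
    print(has_realm_and_client_roles(SAMPLE_CLAIMS, "my-service", ["reporter"], ["write-reports"]))
```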
NullPointerExeception when trying to obtain Requesting Party Token
by Julien Deruere
I need to access the resources that the user is allowed to:
In my client I'm starting by obtaining a PAT:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \
  "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/t..."
And then using the access_token in the body to get my RPT:
curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}"
But I got this exception in Keycloak (I'm not sure what I'm doing wrong):
21:15:19,307 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-10) Unexpected error while evaluating permissions:
java.lang.RuntimeException: Failed to evaluate permissions
    at org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onError(DecisionPermissionCollector.java:141)
    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:69)
    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:81)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluateAllPermissions(AuthorizationTokenService.java:239)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:166)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1148)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:192)
    at sun.reflect.GeneratedMethodAccessor796.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
    at org.keycloak.authorization.policy.evaluation.DefaultEvaluation$1.getUserGroups(DefaultEvaluation.java:255)
    at org.keycloak.authorization.policy.provider.group.GroupPolicyProvider.evaluate(GroupPolicyProvider.java:53)
    at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51)
    at java.lang.Iterable.forEach(Iterable.java:75)
    at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
    at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43)
    at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52)
    at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107)
    at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:981)
    at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:879)
    at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:400)
    at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:68)
    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:64)
    ... 75 more
How to get "current" AuthenticatorConfigModel without access to AuthenticationFlowContext
by Luis Cardozo
Hello,
I am doing an Authenticator provider based on
the SecretQuestionAuthenticator example. (Let's call it MyAuthenticator)
In the SecretQuestionAuthenticator example, in
*setCookie(AuthenticationFlowContext context)* we can get the "actual"
AuthenticatorConfigModel directly: context.getAuthenticatorConfig()
I want to use a new entry (added by the Factory, as in the example) in
which I have an URL of an external service (the key is called
"url.externalservice").
I can get the config entry in
MyAuthenticator#action(AuthenticationFlowContext context) without problem:
AuthenticatorConfigModel config = context.getAuthenticatorConfig();
if (config != null) {
    externalServiceURL = config.getConfig().get("url.externalservice");
}
But I also need to get the entry from another place. In this case in
configuredFor(KeycloakSession session, RealmModel realm, UserModel user)
Searching a lot, reading code and trying things, I got it from the realm:
realm.getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice");
I also need to use it in MyAuthenticator*RequiredAction*, in
processAction(RequiredActionContext context).
But I don't have a context.getAuthenticatorConfig() in
RequiredActionContext, so I also use it as:
context.getAuthenticationSession().getRealm().getAuthenticatorConfigs().get(0).getConfig().get("url.externalservice");
But I am not sure that my "current configuration" will be always the
position 0 of the array.
We have realm.getAuthenticatorConfigByAlias()
and getAuthenticatorConfigById(), but how do I know which is the alias or
ID of the "current" context?
So, how can I know the "current" AuthenticatorConfig Alias or ID, or how
can I get the current AuthenticatorConfig from these places?
Thanks,
Luis Cardozo
Ciudad del Este, Paraguay
OIDC Identity Provider userinfo parsing problem
by Simon Buch Vogensen
Hi
We are using keycloak 2.5.5 (redhat sso 7.1) as an identity broker with Signicat.com as oidc identity provider.
When keycloak requests userinfo from signicat the response does not parse correctly.
Here is an example response.
{"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen","signicat.national_id":"123412341234","given_name":"Simon","locale":"SV","family_name":"Vogensen"}
The problem is that the dot in the parameter name "signicat.national_id" conflicts with the JSON_PATH_DELIMITER in AbstractJsonUserAttributeMapper, resulting in the value not getting parsed at all.
The fix I have come up with would be a
currentNode = baseNode.get(fieldPath);
call after no node has been found. See line 206.
I guess this little problem does not qualify for a fix of 2.5.5 - and I don't want to patch our installation - so I guess my best option is to create a specific Signicat Identity Provider - and fix the response in there before sending it into keycloak?
Is this problem fixed in newer versions of keycloak?
Thanks in advance
Regards
Simon Buch Vogensen
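Added example, not Keycloak's own mapper code: a lookup that mirrors the dotted JSON-path walk the thread describes for AbstractJsonUserAttributeMapper, with the fallback Simon proposes bolted on, so that when walking the split path finds no node the whole path is tried as one literal key. The userinfo JSON is a copy of the response quoted above (dummy values); the nested `NESTED` document and the `fallback_to_literal_key` switch are constructed here, with `False` reproducing the behaviour he reports.

```python
# Added example, not Keycloak's own code: a lookup that mirrors the dotted
# JSON-path walk the thread describes for AbstractJsonUserAttributeMapper, plus
# the fallback Simon proposes: when walking the split path finds no node, try
# the whole path as one literal key. fallback_to_literal_key=False reproduces
# the behaviour he reports, where "signicat.national_id" is never found.
import json

JSON_PATH_DELIMITER = "."  # the delimiter the thread attributes to the mapper


def get_attribute(base: dict, field_path: str, fallback_to_literal_key: bool = True):
    """Walk `base` segment by segment along `field_path`; return None if nothing matches.

    Real nesting ("address.country") is resolved by the walk first, so the
    literal-key fallback only changes the outcome when the walk found nothing.
    """
    current = base
    for segment in field_path.split(JSON_PATH_DELIMITER):
        if not isinstance(current, dict) or segment not in current:
            current = None
            break
        current = current[segment]
    if current is None and fallback_to_literal_key:
        # The proposed fix: the key itself contains the delimiter.
        current = base.get(field_path)
    return current


# Copy of the userinfo response quoted in the thread (constructed, dummy values).
USERINFO = json.loads(
    '{"sub":"xxxxxxxxxxxxxx","name":"Simon Vogensen",'
    '"signicat.national_id":"123412341234","given_name":"Simon",'
    '"locale":"SV","family_name":"Vogensen"}'
)

# Constructed nested document: the walk wins over a same-named literal key.
NESTED = {"address": {"country": "SE"}, "address.country": "literal-key"}

if __name__ == "__main__":
    print(get_attribute(USERINFO, "signicat.national_id"))
    print(get_attribute(USERINFO, "signicat.national_id", fallback_to_literal_key=False))
    print(get_attribute(NESTED, "address.country"))
```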
Public client token to Bearer Token
by Hariprasad N
Hi All,
How can I use a JWT token created with a public client to access a REST API in a
bearer-only client?
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer