Keycloak logout not working for “bearer-only” application exposing REST services
by Dan Nemes
Hello,
I am unable to logout an user. The logout works for a "confidential" applications but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).
I have the following configuration:
- I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)
- I have one "rest_service" client application defined in keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The below described workflow is implemented in this application using REST web services
I am performing the following steps:
- An http GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
- The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
- Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
- After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
- After the access token is available I proceed to access the "bearer-only" REST web services.
note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and it has the correct "role" assigned to it.Problem: As stated at the start of the post the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again).If I perform the logout of the user then the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: " Some clients have been not been logged out for user adminuser in demo realm: rest_service"I tried implementing the logout in three ways:
- A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the redirect_uri and client_id parameters
- A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logoutpassing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri
- A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()
Neither of the above methods is working.PS: I did not want to go in to many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)
Thank you,Dan Nemes
| | Virus-free. www.avg.com |
6 years, 2 months
Updated release cadence
by Stian Thorgersen
As we've started working in 3 week sprints we are considering a new release
model for Keycloak.
What we are considering is doing a Beta release for every sprint, then for
every 4th sprint (each quarter) we plan to do a Final release.
For a beta release existing features will be considered stable, while new
features may not be ready for prime time. The recommendation will still be
to upgrade to always update to the latest release to receive the latest
security fixes and other fixes.
However, care should be taken before using new features in production until
a Final release is available.
Thoughts?
6 years, 2 months
Atrributes in resources into Keycloak Authorization services
by Thiago Presa
Hi,
We're looking into Keycloak Authorization services, but currently, we can't
get our heads around configuring in Keycloak a policy the following
authorization requirement:
Suppose we have a corporate Google-docs-like app, where every document has
a clearance level (e.g. confidential, internal, public). Every user has its
own permission level, which indicates whether the user is allowed to access
confidential, internal or public documents.
Could you please advise as to how to implement such requirements into
Keycloak Authorization services?
Assuming this isn't currently supported, a simple solution seems to be
implementing the ability to set resource attributes and make them available
to policy construction. Would you be considering implementing such approach
(or any other)?
Best regards,
Thiago Presa
6 years, 2 months
kcadm CLI for kerberos user storage API needs updating?
by Ryan Slominski
I'm following the latest CLI documentation (http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli), but the section about managing Kerberos user storage providers seems to be out-of-date. The related REST API documentation (http://www.keycloak.org/docs/latest/server_development/index.html#rest-ma...) points out major changes occurred after version 2.4.0. In particular the following command no longer works:
kcadm.sh create user-federation/instances -r demorealm ...
Instead it seems it should be something like the following:
kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]
However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:
-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]
Including any one of them results in the server throwing the following exception:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
Further, even if I leave these attributes out and attempt to finish the job using the web console I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:
kcadm.sh get components -r demorealm
But oddly doesn't show up if you filter as the web does with:
kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider
Any help is appreciated. Thanks,
Ryan
6 years, 2 months
SAML doesn't work when logging in through Identity Providers
by Kristi Nikolla
Hi,
I’ve recently setup Keycloak for SSO in our organization. I’m using two docker containers in standalone-ha with Apache as a proxy. I’ve allowed GitHub, and an external SAML provider for logging in, and everything works fine. Users are able to login to the account page, and login to our OpenID Connect and OAuth2 clients.
The issue is when using a SAML client.
Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.
It doesn’t work however when login is first initiated through the SAML client with Shibboleth. User is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with a "An error occurred, please login again through your application.” The error is the same regardless if Github (OAuth) or University Login (SAML) is used, but works perfectly when using username and password directly in Keycloak.
The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
Even turning on debug logging doesn’t provide anything useful.
Thank you,
Kristi Nikolla
6 years, 2 months
sessions when using prompt=login
by Sud Ramasamy
When using the OIDC prompt=login URL parameter I’m able to successfully get Keycloak to force the user to authenticate even if he/she had previously authenticated. But I noticed that when the user re-authenticates the session associated with the previous authentication in Keycloak is being replaced with a new session. This would break the first client no?
For example, user authenticates in Keycloak via client1 which established session1 (and associated RefreshToken1). The user then attempts to access client2 which also redirects to Keycloak with prompt=login by design. The user as expected is forced to re-authenticate in Keycloak. Upon successful authentication Keycloak zaps session1 and creates a new user session (session2 with new associated RefreshToken2) associated with client2.
Now the RefreshToken1 in client1 that is associated to session1 in Keycloak is no longer valid and attempts by client1 to get a new access token based on RefreshToken1 will fail requiring authentication. Is this expected when using prompt=login. It seems like when using prompt=login we can not be using the access token as a bearer token to pass to downstream resource servers for authentication purposes. This is our primary use case - ie. to have the user required to authenticate when they access each client and use the access token in each client as a bearer token for backend service authentication. Doesn’t seem like this use case is supported.
Is this a right assessment. Does feel like I’m missing something. Shouldn’t it be possible to have Keycloak track a user session per client that the user authenticates for?
-sud
6 years, 2 months
Client specific enumerated roles
by Ravi Kiran
Currently in our application we use LDAP and each LDAP role is mapped to
multiple CRUD permissions roles with in the application. For example
HUMAN_RESOURCE_DIRECTOR
role in LDAP is mapped to CREATE_Employee, Update_Employee, Read_Department
and etc. We are adding these enumerated roles by extending
LdapExtLoginModule.
Now we are planning to switch to Keycloak (rh-sso), what is the best
approach to achieve this?
According to the issue, https://issues.jboss.org/browse/KEYCLOAK-1382,
looks like extending LoginModule is not an option.
Thank you and appreciate it.
6 years, 2 months
Keycloak as an identity provider to Tableau
by Boctor, Joseph
I'm trying to use Keycloak as an OpenID Connect Identity provider to a data analysis software called Tableau. I tried with two different instances of Keycloak.. one is locally hosted, and the other is from the master Realm in a remotely hosted development instance.
I tried creating a Realm for the client, and tried also using the master Realm.. both came with the same result. Each time I get a message telling me that my Identity provider is not reachable.
I tried editing Keycloak authentication request URL by adding the realm name, since it's not on Tableau's OpenID Connect setup (see screenshot), with no use.
[cid:image001.png@01D39F54.7BE7E2A0]
Am I missing something? Or doing something wrong?
6 years, 2 months
