Simulate / call check-sso with curl
by Christophe Lehingue
Hello,
Is it possible to perform the equivalent of the call to the javascript
function 'check-sso' in CURL ?
Est il possible de réaliser l'équivalent de l'appel à la fonction
javascript 'check-sso' en CURL ?
thank you for your help,
Merci à vous,
6 years, 9 months
Multi-country domain
by Raúl Medeiros
Hello,
We need to develop a domain with multiple countries and one admin per
country. Those admin users can only see, edit and create users that belong
to its country. I don't know if the best approach to set a country to a
user is as an attribute or creating one group per country.
I would like to know what would be the best approach to solve this and if
it's possible to restrict one admin user to manage only it's country users.
Thank you,
Raul
6 years, 9 months
Obtaining permissions for resources which are not registered as Keycloak Resources
by Marcel Német
Hi,
We have an application with a large number of documents which are being
sent between companies. A company can have multiple users. We have many
companies and users can (on behalf of their company) send documents to
other company. Then the document can be accessed either by the users of the
sending company or the users of the receiving company. All documents can be
also accessed by our customer-care operators (but this is a simple case
which can be easily covered by the role-based access control). Our data and
users are in SQL Server DB, so we would like to use user federation
interfaces to get the users.
I would like to solve the problem in following way:
1. Using the user federation "company ID" custom attribute to the identity
token of each user.
2. Write a rule-based Policy in Java or JavaScript named "Only users which
belong to a sender or receiver company"
3. When somebody wants to access a document with ID "abc-123" which was
sent by company "bbb" and received by company "ccc" the Java or JavaScript
policy could - based on the resource ID "abc-123" and based on the "company
ID" custom attribute - query our database to see whether the "company ID"
of the logged-in user is a sender company or a receiver company of a given
document
3*. Optionally the sender and receiver company of the document could be
sent along as additional attributes in the permission ticket by the policy
enforcer, then the resource server would do the reading from the database
and Keycloak Policy can decide without DB connection. But I am not sure
this is secure, the permission ticket from policy enforcer could be
manipulated and the company ID of a hacker's company could be added as a
sending company, then the hacker could access all documents. But I guess
permissions tickets are protected against manipulation.
The problems which I am facing:
Regarding the step 3., the only way to get "document ID" to the
$evaluation.permission variable of the Java/JavaScript Policy is to create
a Keycloak resource for every single document with a matching name and a
matching URI (e.g. name= "abc-123" and URI= "/document/ abc-123").
It seems complicated for me to create a resource for every document which
we have and then delete those resources when we delete the documents since
the same policy applies to all documents anyway. We have huge numbers of
documents being sent every day between companies. At the same time, if we
do not create a Keycloak resource for every document, then I believe we can
not configure the policy enforcer to use the "/document/{id}" wildcard. The
Authorisation server will not receive the document ID unless there is a
Keycloak resource with the same name. Ideally, the Keycloak server should
be able to grant permissions even if it does not have a resource registered
and apply policies registered with URI /document/*. The
$evaluation.permission variable should hold the also the full URI not the
one with a wildcard. I understand that currently, the URI in
$evaluation.permission will be "document/*" even when a user is accessing
"/document/abc-123" (unless we create a Keycloak resource for every
document with a matching URI).
To summarize:
It would be great if the policy enforcer could obtain permissions to access
document "abc-123" even without creating resource "abc-123" in Keycloak.
The idea is that the policy enforcer asks "Can this user access
document abc-123?"
and the Java policy in the Keycloak can decide based on the ID of the
resource and additional data inside the identity token or based on queries
to our DB.
Is there a workaround or recommended solution?
I have read through the previous mail-list topics below, and I saw that
some user "hacked" the policy enforcer to send the precise URI from the
policy enforcer. Or is there another way to pass the document ID to
Keycloak Policy (i.e. inside $evaluation.permission) without creating a
Keycloak resource for every document? Is there a feature request in Jira
which would cover such use cases? Allowing Keycloak to grant permissions
for resources without having to register all resources in Keycloak would
make it a more general solution.
Related topics from the mailing list:
"Performance with a large number of resources":
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010583.html
and
"Additional attributes for an authorization request":
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Additional-attribu...
Kind regards,
Marcel
6 years, 9 months
2FA protection for a specific resource
by Malys
Hi,
I want to protect a high-level risk feature with 2FA. Historically, we use
2FA SMS. I want to propose the same feature but ideally, I wish to be able
to integrate also native Keycloak OTP authenticator (more secure).
That' s why based on keycloak-sms-authenticator-sns <http://
https://github.com/nickpack/keycloak-sms-authenticator-sns> , I have
improved this authenticator ( here
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>
).
I have searched in Keycloak 3.4.3 documentation but using the same realm, I
haven't seen any feature to ask 2FA when the final user want to access to a
specific resource.
Role mechanism allows managing access (403 - 200) but it seems that it isn't
cover my use case.
I 'm not sure that UMA 2.0 could be offering this feature. Moreover, It
isn't yet implemented.
Level of assurance seems very well but it isn't yet implemented and it would
be difficult to do it.
I could include a servlet filter on the business application (JBoss adapter)
to route user to 2FA authenticator when he wants to access the resource.
But in this case, I have to propagate a state between Keycloak and Java
adapter to not ask 2FA code for each access.
It could be a little bit tricky in cluster mode (stateless service).
Below, I describe the use case.
<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_ma...>
Have you any idea to cover this use case easily based on native keycloak
features?
If that isn't the case, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technic agnostic)
Thank you for sharing your experience.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
6 years, 9 months
Keycloak 3.4.3: Login With Kerberos and Active Directory with multiple Domains. seem not to work.
by Kraenzlein, Ralph
Hi,
we try out to use Keycloak 3.4.3 as Federation Service With Kerberos and Active Directory with multiple Domains. (like ADFS)
First we only test authentication with Keycloak, Kerberos Ticket and Active Directory with multiple domains.
Problem:
Keycloak only seem to read the sAMAccountName from Kerberos Ticket. Not the realm/domain. If the sAMAccountName is in top level (or highest prio) Federation provider authentication is successful. If not it fails.
It is crucial that Keycloak knows in which AD Domain the user from Kerberos ticket is located. Unless Keycloak is not able to get the correct claims for the user.
Test environment:
Keycloak 3.4.3 standalone on Centos 7 with a Keycloak REALM EMP_AD.
We configured 3 LDAP Federation Providers (with Kerberos Integration) for 3 AD Domains: DE.MIT.NET, FR.MIT.NET and BE.MIT.NET.
Each Federation Provider has been configured with the following parameters: vendor:Active Directory, UserName LDAP attribute: sAMAccountName, Kerberos REALM: "Name of AD/Kerberos Domain", ...
sAMAccountName ist unique in each ad domain, but not in forest. In forest only userPrincipalName is unique.
We made the Kerberos Configuration as described in Keycloak-Doc. Also included a keytab file. Our productive company AD and KDCs are used.
2 Test user: john.smith(a)de.mit.net (upn in Domain DE.MIT.NET), john.smith(a)fr.mit.net (upn in Domain FR.MIT.NET). sAMAccountName for both user is john.smith .
Testing:
Since we just test how can handle Keycloak Kerberos, AD and multiple domains we just call the admin realm url for login tests: https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console
First scenario:
User john.smith is already authenticated in his Windows 7 Client (AD Domain DE.MIT.NET). In Keycloak only Federation Provider for AD Domain DE.MIT.NET is enabled.
When calling https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console user john.smith gets a Kerberos Ticket for Keycloak. In the Ticket the user is identified with his sAMAccountName and its Kerberos REALM (AD Domain):
klist:
Client: john.smith @ DE.MIT.NET
Server: HTTP/DUS212kcsrv.wert.net @ DAS.MIT.NET
KerbTicket (Verschlüsselungstyp): RSADSI RC4-HMAC(NT)
Ticketkennzeichen 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
...
Result: User john.smith from AD Domain DE.MIT.NET is automatically successfully authenticated in Keycloak. --> Successful
Second scenario:
Same as first scenario, but this time only Federation Provider for AD Domain FR.MIT.NET is enabled. (user john.smith is also available in domain FR.MIT.NET)
Even though Kerberos ticket from user john smith in AD Domain DE.MIT.NET is used, in Keycloak john.smith from AD domain FR.MIT.NET is authenticated.
--> NOT successful
Third scenario:
Same as first scenario, but this time all FPs are enabled in Keycloak. The FP for Domain BE.MADM.NET is on top of the list (or has the highest prio) In BE.MADM.NET user john.smith does not exist.
Keycloak only lookup in Federation Provider from Domain BE.MADM.NET for john.smith. Since there is no one, access to keycloak failed :
server.log:
2018-03-08 16:37:03,121 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) Kerberos/SPNEGO authentication succeeded with username [john.smith], but couldn't find or create user with federation provider [BE.MADM.NET]
2018-03-08 16:37:03,122 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=EMP_AD, clientId=security-admin-console, userId=null, ipAddress=10.12.45.34, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console/, code_id=27a1da71-b5f2-4416-a0dd-6005b409a60a, response_mode=fragment
Best regards
Ralph
Geschäftsanschrift/Business address: METRO SYSTEMS GmbH, Metro-Straße 12, 40235 Düsseldorf, Germany
Aufsichtsrat/Supervisory Board: Heiko Hutmacher (Vorsitzender/ Chairman)
Geschäftsführung/Management Board: Dr. Dirk Toepfer (Vorsitzender/CEO), Wim van Herwijnen
Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232
Betreffend Mails von *(a)metrosystems.net
Die in dieser E-Mail enthaltenen Nachrichten und Anhänge sind ausschließlich für den bezeichneten Adressaten bestimmt. Sie können rechtlich geschützte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfänger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfältigung oder Weitergabe der Nachrichten und Anhänge untersagt. Falls Sie diese E-Mail irrtümlich erhalten haben, informieren Sie bitte unverzüglich den Absender und vernichten Sie die E-Mail.
Regarding mails from *(a)metrosystems.net
This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail.
6 years, 9 months
Re: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Meissa M'baye Sakho
Stephen, the postgress-ha docker image is deprecated. It's clearly stated
in the following:
https://hub.docker.com/r/jboss/keycloak-postgres/
@Marco, I undestand your point.
Maybe do you need to extend the keyclaok image.
Meissa
On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie <stephen(a)chassi.com> wrote:
> Actually, the postgres-ha docker image that is tagged for 3.4.3.Final
> installs version 3.4.2. I had to rebuild that image myself and replace the
> "latest" tag with a "3.4.3.Final" tag in order to have the correct version.
>
> Regards,
> Stephen
>
> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Marco,
>> which docker image are you using?
>> The latest docker image the rely on Keycloak 3.4.3 has been updated to
>> handle either postgresql or mysql.
>> You'll find information you're looking for in the following link at the
>> PostgreSQL section.
>> https://hub.docker.com/r/jboss/keycloak/
>> thanks,
>> Meissa
>>
>>
>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas <marco.pasopas(a)gmail.com>
>> wrote:
>>
>> > Hi there,
>> >
>> > i am trying to use the Docker Image for Keycloak but I seem to be
>> unable to
>> > set a schema for the tables that are created in PostgreSQL. Currently
>> all
>> > tables end up in the public schema.
>> > Is there a way that i can instruct Keycloak to create the tables inside
>> a
>> > schema?
>> >
>> > Kind regards,
>> > Marco Pas
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
6 years, 9 months
How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Marco Pas
Hi there,
i am trying to use the Docker Image for Keycloak but I seem to be unable to
set a schema for the tables that are created in PostgreSQL. Currently all
tables end up in the public schema.
Is there a way that i can instruct Keycloak to create the tables inside a
schema?
Kind regards,
Marco Pas
6 years, 9 months
Keycloak with XA Datasource and Timeout Errors
by Niels Bertram
Hi there,
we have a user federation provider that requires us to run Keycloak JPA
datasource with XA. Things do appear to work but when a user times out on
the login page or like, I get below error in the logs.
I don't want to mute the logger in case of real errors but I also don't
want to get errors for normal use cases. Can this be silenced otherwise?
Cheers,
Niels
15:35:12,425 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
(default task-12) Uncaught server error: java.lang.RuntimeException:
javax.transaction.RollbackException: ARJUNA016102: The transaction is not
active! Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228
at
org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:77)
at
org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94)
at
org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at
org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at
org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
at
org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.transaction.RollbackException: ARJUNA016102: The
transaction is not active! Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228
at
com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1279)
at
com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at
com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at
org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
at
org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
at
org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
... 54 more
6 years, 9 months
Run commands with jboss-cli when server is off.
by hmidi slim
Hi,
I want to add some system properties with jboss-cli:
jboss-cli.sh --connect
--commands="/system-property=keycloak.migration.action/:add(value=export)","/system-property=keycloak.migration.provider/:add(value=dir)","/system-property=keycloak.migration.dir/:add(value=export_dir)".
this instruction will be executed only if the server is launched. Can I
execute this instruction when the server is off?
6 years, 9 months
