Java client for managing keycloak
by Nhut Thai Le
Hello,
Is there a Java library that corresponds to the Keycloak admin REST API?
I just want to make sure I don't reinvent the wheel by using Apache
HttpClient to call the Keycloak admin API.
Thank you
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
6 years, 9 months
How do I set a field for idToken when implementing custom Provider / Authenticator?
by Dominik Guhr
Hi all,
so I created a custom Provider for my legacy DB and a custom
authenticator due to special requirements.
Now when I debug in validatePassword in
AbstractUsernameFormAuthenticator.java, I get the user entity with all
the fields I need.
Now my concrete question is: how do I map these fields to the ID token
to use them in my application?
I tried adding a User Attribute Mapper to my client directly, but this
gives me a NullPointerException.
Also, in Admin Interface, the Field "Mappers" is missing from my custom
Provider. Perhaps this is the fault? Did I forget to implement one
thing? I used the storage-jpa example.
Any hints would be highly appreciated. If some code is needed, just ask :-)
Best regards,
Dominik
6 years, 9 months
Cannot create users when a Kerberos Federation is configured but the KDC is unreachable
by Jim Groffen
Hello folks,
I am using KeyCloak (3.4.3) with a Kerberos-based User Federation, using a
keytab only, with no communication available between the KDC and the
KeyCloak server. Note that no connection between the KDC and KeyCloak is
possible in my scenario, so I need to rely on the keytab alone for
authentication.
This works well - new users from the network that can perform Kerberos auth
just need to add any missing information on first login. I have noticed the
following problem though:
I also need to add users manually to KeyCloak. I find that I have to
disable the Kerberos-based User Federation to create a non-Kerberos-based
user, or I get an error.
Digging into the logs, I find that KeyCloak is attempting to query the KDC
directly, which fails with:
DEBUG [org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator] (default task-10) Message from kerberos: Cannot locate KDC
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: org.keycloak.models.ModelException: Kerberos unreachable
    at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
    ...
Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
    ...
Caused by: KrbException: Cannot locate KDC
    at sun.security.krb5.Config.getKDCList(Config.java:1084)
    ...
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm XXXXXXX
I have verified that I can successfully create a user in KeyCloak if the
KDC is accessible. In this case KeyCloak logs no error, simply reporting
that the user was not found in the KDC.
Given the above, I have a few questions I'm hoping you can help me with:
1: Am I trying to do something that is unsupported by KeyCloak?
2: If this is currently unsupported, would you like me to raise a feature
request?
3: If it should be supported, is it possible I mis-configured something, or
should I raise a bug report?
KeyCloak is behaving how I want for the most part. With some advice /
direction I could work on a pull request targeting this.
Thanks in advance,
Jim Groffen.
6 years, 9 months
How to communicate access token in microservice architecture
by hmidi slim
HI,
I have a node.js app designed with a microservice architecture and I'm trying
to add some roles for each service to deny access. Suppose that the
app consists of 3 services called service1, service2 and service3.
To access the main page of the app, a user should enter a login and
password to authenticate against the Keycloak server. If the authentication
succeeds it will show the index page. On the index page there are two
choices: resource B and resource C.
If a user checks resource B, a query will be sent to service2 to get all the
data contained in it.
If a user checks resource C, a query will be sent to service3 to get all the
data.
In the Keycloak admin console I created a realm MyApp with some realm roles:
RA_r (resourceA read), RB_r (resourceB read) and RC_r (resourceC read).
Then I created 3 clients called resource A, resource B and resource C.
I also created a User called user and associated RB_r with him.
For each service I installed keycloak-connect, made the configuration
and added a keycloak.json for each of them:
{
  "serverUrl": url_auth_server,
  "realm": "MyApp",
  "clientId": "resource X",
  "bearerOnly": true
}
In service 2 I want to protect the GET route:
app.get('resource', keycloak.protect('realm:RB_r'), handler)
The query starts from the first service (service1) and arrives at service
2. I get a status code of 403. However, when I delete
keycloak.protect('realm:RB_r') I receive the data.
I decoded the access token from the headers using jwt.io and found that
the realm role (RB_r) exists.
So how can I transfer the access token between different services and
protect them using an RBAC mechanism? Did I miss something in the config or
should I add a specific configuration?
6 years, 9 months
Guest account
by Corentin Dupont
Hi all,
I have a JavaScript web app using Keycloak for authentication.
When the user opens the app, he is first redirected to the Keycloak login
screen.
However, it's a bit annoying for the user to have to create an account
before seeing anything.
Personally I close this kind of application :)
I would like the application to use a "guest" account if the user is not
registered.
"guest" is a real Keycloak account that has particular access rights.
How can I do that? My application probably needs to provide the login/password
for guest and store the token.
I use the keycloak-js library. Currently my login code is standard:
var keycloak = Keycloak({
  url: config.keycloakUrl,
  realm: config.realm,
  clientId: config.clientId
});
keycloak.init({ onLoad: 'login-required', checkLoginIframe: false }).success(authenticated => {
  if (authenticated) {
    store.getState().keycloak = keycloak;
    setInterval(() => {
      keycloak.updateToken(3600).success(function (refreshed) {
        getSensors();
        getUsers();
      }).error(function () {
        alert('Your session has expired, please log in again');
        keycloak.logout();
      });
    }, 10000);
    displayPage();
  }
}).error(function (error) {
  console.log("Authentication error. Check Keycloak params and cors issues.");
});
6 years, 9 months
Unable to access a resource with a given realm role
by hmidi slim
Hi,
I'm trying to protect some resources of my node.js app using an RBAC mechanism.
I have created a realm called MyApp and a user called user, then I created
some realm roles such as: res_r (read resource), res_u (update resource),
res_d (delete resource), res_c (create resource).
Then I tried to give the user User the realm role res_r.
After I configured Keycloak using keycloak-connect, I added:
const router = require('express').Router();
router.get('resource', keycloak.protect('realm: res_r'), handler)
However, I'm not able to read the resource. Decoding the authorization token
with jwt, I got in the token:
"realm_access": {
  "roles": [
    "res_r",
    "uma_authorization"
  ]
},
"resource_access": {
  "account": {
    "roles": [
      "manage-account",
      "manage-account-links",
      "view-profile"
    ]
  }
},
How can I fix the problem?
6 years, 9 months
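Added example (not from the posts above and not keycloak-connect's own code): a minimal guard that resolves the "realm:<role>" spec style used with keycloak.protect() in the two node.js RBAC questions above, run against the realm_access/resource_access claims quoted in the last one. It assumes the spec is split on ':' and the role name matched exactly, with no whitespace trimming; the adapter's actual parsing is not shown on this page.

```javascript
// Constructed sample: the realm_access / resource_access claims quoted in
// the "Unable to access a resource with a given realm role" post.
const sampleToken = {
  realm_access: { roles: ['res_r', 'uma_authorization'] },
  resource_access: {
    account: { roles: ['manage-account', 'manage-account-links', 'view-profile'] }
  }
};

// Client roles for one client id, or [] when the token carries none.
function clientRoles(token, clientId) {
  const access = token.resource_access && token.resource_access[clientId];
  return (access && access.roles) || [];
}

// Resolve a role spec written the way the posts write it (assumed parsing):
//   "realm:res_r"           -> realm role res_r
//   "account:view-profile"  -> client role on the client "account"
//   "res_r"                 -> client role on the calling client itself
// Nothing is trimmed, so "realm: res_r" looks up the role " res_r".
function hasRole(token, spec, ownClientId) {
  const parts = spec.split(':');
  if (parts.length === 1) {
    return clientRoles(token, ownClientId).includes(parts[0]);
  }
  if (parts[0] === 'realm') {
    const roles = (token.realm_access && token.realm_access.roles) || [];
    return roles.includes(parts[1]);
  }
  return clientRoles(token, parts[0]).includes(parts[1]);
}

// Status a guard should answer with: 401 when no bearer token was presented
// at all, 403 when a token is present but lacks the role, 200 otherwise.
function guardStatus(token, spec, ownClientId) {
  if (!token) return 401;
  return hasRole(token, spec, ownClientId) ? 200 : 403;
}
```

Running guardStatus(sampleToken, 'realm: res_r') against the quoted claims gives 403 while 'realm:res_r' gives 200, which is the first thing to check before looking at the adapter configuration.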
Question on Node.js adapter - Wrong response code when not logged in, maybe
by Luke Holmquist
Hi,
given this example application
https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
endpoint "/api/greeting"; it is protected with the basic keycloak-connect
setup.
https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/ap...
If we run this locally with "npm start" and just curl that endpoint,
"curl http://localhost:3000/api/greeting", it will return a 403.
There was an issue raised that it should be a 401:
https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
The way this comment makes it sound,
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#...
is that the 403 is correct.
If we look at the complementary vert.x and swarm examples,
https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster and
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-s...
a similar curl will result in a 401 when not logged in.
I'm just wondering if that 403 from the node adapter is correct and, if so, why
it differs from the other runtimes.
-Luke
6 years, 9 months
How to set up CORS for Angular frontend and Spring Boot backend
by Peemöller, Björn
Hi,
I'm struggling to set up our application with Keycloak. First, let me explain our setup:
- We have an Angular 5 application as the frontend.
- We have a Spring Boot application providing a REST api as our backend.
- During build, the frontend is placed into the webapp folder, such that it is delivered as static content by the backend.
- The backend is secured using Keycloak.
- The user is automatically authenticated using Kerberos.
If I build the application and then request the frontend's index.html, then a redirect to /sso/login occurs, which redirects to Keycloak, which redirects back to the application, and authentication is successful. After that, calls to our backend api (for which the user must be authenticated and authorized), are also successful.
During development, however, the frontend is served using webpack (angular-cli), and the backend is served individually. In this setup, the index.html can be loaded without authentication, and the frontend then starts to call the backend API. At first, the backend directly returned a 401 Unauthorized, and I figured out that this was raised at the KeycloakAuthenticationEntryPoint since the request was considered to be an API request. To work around this problem, I replaced the KeycloakAuthenticationEntryPoint with a subclass not checking for API requests. After that, the API request is now redirected to /sso/login, which then redirects to Keycloak. Since the host has now changed, the invoking browser has to perform a CORS request, and thus issues a CORS preflight request using the OPTIONS method, to which Keycloak answers with a 204 No Content without any CORS headers, such that the preflight fails, even though the Keycloak client has been configured to allow CORS requests. In consequence, the backend API cannot be reached.
My questions now are:
- Is there some configuration that we are missing to allow authentication during API requests?
- The behavioral change of the KeycloakAuthenticationEntryPoint seems incorrect to me, as if I'm working against the intended design. Could you provide me with some guidance on how to set up my frontend and backend? I can think of doing authentication directly in the frontend using the Keycloak JS library, but have found no indication that a REST API should not do (Kerberos) authentication itself.
Many thanks in advance,
Björn
Björn Peemöller
IT & IT Operations
BERENBERG
Joh. Berenberg, Gossler & Co. KG
Neuer Jungfernstieg 20
20354 Hamburg
Telefon +49 40 350 60-8548
Telefax +49 40 350 60-900
E-Mail bjoern.peemoeller(a)berenberg.de<mailto:bjoern.peemoeller@berenberg.de>
www.berenberg.de<http://www.berenberg.de/>
6 years, 9 months