Entitlement request with additional parameters
by Corentin Dupont
Hi guys,
I use the entitlement API to check access control on my resources. Here I
check if a user can update a sensor:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer
$TOKEN" -d '{
"permissions" : [
{
"resource_set_name" : "Sensors",
"scopes" : [
"sensors:update"
]
}
]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But I would like to make complex policies that check additional parameters,
such as sensor status etc.
How can I pass along the additional parameters to the request, and use them
in my policies? I use javascript policies mainly.
Thanks
Corentin
5 years, 10 months
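As an added illustration (not from this thread and not Keycloak's own code): a JavaScript policy of the kind the post mentions, written as a function so it can be exercised offline against a constructed stand-in for the server's `$evaluation` object. The `status` user attribute is a hypothetical name; the `getContext()`, `getIdentity()`, `getAttributes()`, `getPermission()`, `grant()` and `deny()` calls and the `kc.client.network.ip_address` context attribute follow the Keycloak JavaScript policy API.

```javascript
// Keycloak runs the body of evaluatePolicy as the policy script, supplying
// $evaluation itself. 'status' is a hypothetical custom user attribute;
// 'kc.client.network.ip_address' is a context attribute Keycloak populates.
function evaluatePolicy($evaluation) {
  var context = $evaluation.getContext();
  var userAttrs = context.getIdentity().getAttributes();
  var resource = $evaluation.getPermission().getResource().getName();
  var status = userAttrs.exists('status') ? userAttrs.getValue('status').asString(0) : '';
  var ipEntry = context.getAttributes().getValue('kc.client.network.ip_address');
  var ip = ipEntry !== null && !ipEntry.isEmpty() ? ipEntry.asString(0) : '';
  // Only active users calling from the internal network may act on Sensors.
  if (resource === 'Sensors' && status === 'active' && ip.indexOf('10.') === 0) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in for the server's $evaluation object (test data only),
// mirroring just the calls the policy uses, so it can be exercised offline.
function makeEvaluation(userAttrs, contextAttrs, resourceName) {
  var decision = null;
  function attributes(map) {
    return {
      exists: function (name) { return Object.prototype.hasOwnProperty.call(map, name); },
      getValue: function (name) {
        if (!Object.prototype.hasOwnProperty.call(map, name)) { return null; }
        var values = map[name];
        return { isEmpty: function () { return values.length === 0; },
                 asString: function (i) { return values[i]; } };
      }
    };
  }
  return {
    getContext: function () {
      return {
        getIdentity: function () { return { getAttributes: function () { return attributes(userAttrs); } }; },
        getAttributes: function () { return attributes(contextAttrs); }
      };
    },
    getPermission: function () {
      return { getResource: function () { return { getName: function () { return resourceName; } }; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}
```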
KeyCloak and Azure Active Directory / response_type
by Robin Diederen
Hello all,
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I’m presented with an error.
Upon further investigation I’ve noticed that KeyCloak reports this error in its logs: “Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being “response_type=token_id”. KeyCloak however does include “response_type=code”, yet Microsoft doesn’t seem to like this.
So here’s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I’ve tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.
Any help is greatly appreciated.
Best, Robin
5 years, 11 months
Additional attributes for an authorization request
by Scott Elliott
Would there be any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
in a Javascript or rules based policy? I see that what is available in the
Evaluation API currently is pretty limited.
5 years, 11 months
UTF-8 character set support for user name and other fields / attributes
by Upananda Singha
Hi,
I am working with the Keycloak OIDC feature, and needed some clarification
regarding the character set it supports:
1. I have a requirement to use utf-8 characters (multi byte) in the
Username field
which seems to work fine while setting the user name and I can login to
Keycloak.
But it seems there are other related issues while generating / encoding the
tokens.
Sometimes (some characters) it works fine but for some multibyte characters
it throws
{
"error": "invalid_grant",
"error_description": "Code not valid"
}
while trying to get the Tokens using the authorization code.
Can someone tell me if Keycloak actually supports utf-8 character set in
Username and other fields and also in Custom user attributes?
It would be of great help if anybody can share some information.
Thanks,
Upananda,
Motorola Solutions
5 years, 11 months
User Attributes security and organization
by Eric B
I just started working with KeyCloak (3.4.3) and have been looking at the
user attributes and trying to determine how I can leverage some custom
attributes for my different clients. Two things in particular stand out
when I look at the user attributes:
1) there is no mapping/assignment of attributes per client
2) there is no security assignment on the attributes (ex: what can be
self-administered, what is read-only, what is visible to the client, etc)
This becomes an issue when a user logs into the admin panel. Once he is
logged in, he can essentially post a form with any attributes defined and
these will automatically be persisted in the KeyCloak DB. While I'm not
concerned about CSRF, I am concerned about a malicious user trying to
explode my DB by submitting an extraneous number of attributes that KC will
persist.
Additionally, if I want to use a user attribute to specify some read-only
information about a user, if the user knows the attribute name, he can
override it via a form post. So essentially, I have no way to secure the
attributes.
In a similar vein, I am a bit taken aback that all attributes are
associated to the user only and cannot be assigned to a client. I would
like to be able to specify some client-specific attributes, and have KC
automatically filter the attributes available to a client token
accordingly. Is this not feasible?
Are either of these functionalities implementable through some form of
customization, or are they on the roadmap for a future version?
Thanks,
Eric
5 years, 11 months
keycloak reset issue.
by Sheng Hong Pan
We are having an issue with the Keycloak (3.0.0) reset feature. The user is getting an error of "WE'RE SORRY ... An error occurred, please login again through your application". We looked at the log and there are many errors (see below) related to invalid_code.
2018-04-30 13:13:09,188 WARN [org.keycloak.events] (default task-60) type=RESET_PASSWORD_ERROR, realmId=<realm name>, clientId=null, userId=null, ipAddress=<ip>, error=invalid_code
After further investigation, we found that multiple requests with the same active code are hitting the server and it looks like the reset password url becomes invalid after the first access. There is a similar complaint ( http://lists.jboss.org/pipermail/keycloak-user/2016-February/004828.html ) on an older version of keycloak. Is the issue addressed in 3.0.0?
Thanks.
-Sheng
5 years, 12 months
Re: [keycloak-user] Access Token Timeout behaviour - Changes between Keycloak 2.5.5 and Keycloak 3.4.1
by Online User
Looks like there was a change!
FYI ... There was a +2 Mins wait time added to sessionIdle timeout in
AuthenticationManager for cross-DC support.
On Thu, Apr 12, 2018 at 4:52 PM, Online User <onlineuser21k(a)gmail.com>
wrote:
> How do I know what changed between these versions in subject?
>
> An internal client of mine reports that there is a change in the behaviour
> between these versions.
>
> He is observing in 3.4.1 that keycloak redirects the user to the service
> after access token expiry and before the session timeout, wherein he
> expected to be redirected to the login page.
>
>
5 years, 12 months