Display app name on keycloak login page
by Pulkit Srivastava
Hi,
I have multiple applications that authenticate users using keycloak. Is
there a way to show the application name on the keycloak login page according
to the application from which the user arrived? How can this be achieved?
Thanks,
Pulkit
7 years, 10 months
Can I omit keycloak.securityConstraints and HttpSecurity configuration?
by Gintautas Sulskus
Hi,
Is it necessary to manually map Spring app endpoints to Keycloak roles,
e.g. by configuring keycloak.securityConstraints in app.properties or
HttpSecurity in a Java class?
At the moment I configure Keycloak by extending
KeycloakWebSecurityConfigurerAdapter.
The app works only if I override the 'configure(HttpSecurity http)' method
and add endpoint-role mappings manually, e.g.:
http.authorizeRequests().antMatchers("/test").hasRole("someRole").
If I omit this step, the app fails to start and throws the following
exception:
> Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
> at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
> at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:579)
> ... 26 more
> Caused by: java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests()
> at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:49)
> at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:36)
> at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:275)
> at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:66)
Please find my Keycloak configuration below. Note, I did not set
keycloak.securityConstraints[] in my app.
keycloak:
  realm: master
  auth-server-url: http://localhost/auth
  ssl-required: external
  resource: some-service
  credentials:
    secret: 6f02848a-0fd1-40fc-96cf-50035110240b
  use-resource-role-mappings: true
  confidential-port: 0
  principal-attribute: preferred_username
  policy-enforcer-config:
    enforcement-mode: ENFORCING
Regards,
Gin
7 years, 10 months
Using a User Session Note in an IDP Post Login Flow Authentication SPI
by Trotman, Jake M
Hello,
I’m running in to an issue with an Authentication SPI I’m creating.
My use case boils down to this: I want to grab a User Session Note I have configured for a specific client in an Authentication SPI during its IDP Post Login flow and do something with it.
I have the following configuration set up:
A client with a custom mapper for identity_provider_identity to be used as a User Session Note type.
A 3rd party IDP used for identity brokering using the OpenID Connect v1.0 configuration.
A single custom Authentication SPI configured as the Post Login Flow authentication Flow for this IDP.
I’ll omit the beef of the SPI code for brevity, but this code snippet demonstrates the issue I’m running in to:
@Override
void authenticate(AuthenticationFlowContext context) {
    context.getAuthenticationSession().getUserSessionNotes().each {
        println "key: ${it.key}, value: ${it.value}"
    }
}
Here context.getAuthenticationSession().getUserSessionNotes() is empty.
I’ve tried adding IDP mappers (Hardcoded User Session Attributes), and can see these populate in getUserSessionNotes(),
but what I really want is the identity_provider_identity which is only configurable for the client: https://www.keycloak.org/docs/latest/server_admin/index.html#available-us... and available as User Session Data.
I’ve tried context.getAuthenticationSession().getClientNotes(), but that does not contain the user session notes.
Can anyone help with figuring out a way to pull this user session data into my SPI configured as an IDP post login authentication flow?
Thanks for any response,
Jake Trotman
7 years, 10 months
Keycloak always creates a user when using the exchange_token grant_type
by Florian Bernard
Hello,
We try to implement the following use case.
We have a Realm and a Client that allow users to login with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application).
Users should be able to log in with a Facebook token by using the same rest api but with the token-exchange grant_type, only if a keycloak user already exists and is linked with the Facebook identity provider.
Problem: if a user that does not exist in Keycloak exchanges a Facebook token, it'll be automatically created by keycloak and an access_token is returned.
We tried to modify the First Login Flow in the Identity provider configuration, but it does not work.
How can we prevent keycloak from creating the user and return an error if there is no keycloak user linked to the facebook token?
Thanks in advance,
Florian
7 years, 10 months
keycloak | Service Provider | Wildfly | SAML 2.0 | SSO | Identity Provider |
by vandana thota
Hello,
We have the below environment set up:
1) Wildfly -11-final.0.0.0
2) JDK8
3) Linux 7 version
4) Built the wildfly Non-prod as a standalone server. Configured 3
standalone instances on this wildfly server.
5) Deployed the application on all 3 instances
6) Enabled SSL
7) Installed keycloak and configured it, and could log in to its
Administration console
8) SAML 2.0 protocol
We need to configure the Service Provider related things on keycloak
by using the External Identity Provider information. We already have the IDP
information.
What is the next step?
1) What do I have to do on keycloak in order to get the service provider information?
2) Before having the information about the SP, what needs to be on keycloak
as pre-requisites?
3) How can I configure anything related to IDP or SDP on the wildfly server's
(3 instances) deployed application or the standalone.xml file of the 3
instances?
4) Any other configurations that need to be done related to Single sign on
etc.
Let me know anything I'm missing to provide as information for the
above configuration. If anyone knows the information, please provide us
with detailed steps, as this is the first time we have installed
keycloak and are searching about Service Provider configurations etc.
The whole above task is the first time we are going to do it.
If possible, can anyone share screenshots step by step? Thanks in
advance.
7 years, 10 months
Developing with keycloak-adapter without an OAuth Server
by Jordan Conner
Hi all,
I've been developing a J2EE application utilizing the keycloak-wildfly
adapter to connect to a 3rd party OAuth server.
Now the customer who I'm developing this application for also has another
vendor creating an OAuth server. After almost 2 years of developing they
have now restricted access to the OAuth server and I can no longer access
it from my local environment.
They expect me to push my code up to their remote development server to
test changes.
What is the best way I can go from here? I have tons of code utilizing the
attributes in a token, and I don't understand fully how to customize the
keycloak-adapter to skip certain functions in a development environment.
I was told my local environment shouldn't need to access the OAuth server
yet I don't understand how to bypass/fake certain functions.
For example, all of my .xhtml pages are secured in the .WAR's web.xml
using
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
From my understanding, if a page is secured in <security-constraints> then
that is what triggers the redirect to OAuth (if a token isn't
active/valid.) How can I basically "skip" this authentication check in a
local environment?
I have stood up my own keycloak server which I can authenticate with, but
the customer's OAuth server vendor has done custom modifications to their
keycloak server. For example, they have added extra fields where first/last
name are, where on regular keycloak that would be a user-attribute map.
TLDR;
Is there anything in the keycloak-adapter that would skip authentication in
a development environment? Is there a way to create a fake base64 token? Or
during login of my application (where I extract user attributes and their
custom attributes) should I make it so it works for either OAuth server?
Thank you for any help.
7 years, 10 months
UMA PAT clarification
by Balazs Kovacs
Hi,
I'd like some help on clarifying the process of obtaining a PAT token.
I've collected some relevant text from the UMA2 specifications:
...
"protection API access token (PAT)An [RFC6749]
<https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...>
access token with the scope uma_protection, used by the resource server as
a client of the authorization server's protection API. The resource owner
involved in the UMA grant is the same entity taking on the role of the
resource owner authorizing issuance of the PAT."
...
"As defined in [UMAGrant]
<https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...>,
the resource owner -- the entity here authorizing PAT issuance -- MAY be an
end-user (natural person) or a non-human entity treated as a person for
limited legal purposes (legal person), such as a corporation. A PAT is
unique to a resource owner, resource server used for resource management,
and authorization server used for protection of those resources. The
issuance of the PAT represents the authorization of the resource owner for
the resource server to use the authorization server for protecting those
resources."
...
"Different grant types for PAT issuance might be appropriate for different
types of resource owners; for example, the client credentials grant is
useful in the case of an organization acting as a resource owner, whereas
an interactive grant type is typically more appropriate for capturing the
approval of an end-user resource owner. "
...
"Use of these endpoints assumes that the resource server has acquired OAuth
client credentials from the authorization server by static or dynamic
means, and has a valid PAT. Note: Although the resource identifiers that
appear in permission and token introspection request messages could
sufficiently identify the resource owner, the PAT is still required because
it represents the resource owner's authorization to use the protection API,
as noted in Section 1.3
<https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...>."
Apparently, the PAT must represent the identity and consent of the user to
be used by the resource server at the authorization server, and this is the
_key_ for the authorization server to know whose resource it is handling.
In the keycloak documentation, I see an example on how a resource server
can act on its own to grab a PAT token, but I don't see or really know a
straightforward solution how a resource server could get a PAT on behalf of
a user.
https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...
In case the resource owner is acting, an authorization code flow conducted
by the user-agent facing client will use the token at the resource server,
which could be in turn also used by the resource server, if that token has
'uma_protection' scope and AS indicated as token audience.
But how can the RS acquire a valid PAT for the correct resource owner, when
the requesting party is trying to access the RS for one of the resource
owner's registered resources? The resource owner is not even in the flow in
this case.
Can someone clarify how, in all circumstances, a resource server can
acquire a valid PAT to use on the Protection API so that the AS can always
conclude the requested owner?
Br,
Balazs
7 years, 10 months
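An added example, not from the original post or the Keycloak project, showing the one PAT path the Keycloak docs linked above do describe (client credentials grant, the "organization acting as resource owner" case from the quoted spec text) and the Protection API call that then needs the PAT, with Keycloak's resource registration naming the end-user owner at that point rather than requiring the owner to be in the PAT flow. Realm URL, client id, secret and the owner "alice" are placeholders; the code uses the Java 11 HttpClient and a regex instead of a JSON library.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PatClient {
    // Placeholders (assumed, not from the post): realm URL and the RS's own client credentials.
    static final String REALM_URL = "http://localhost/auth/realms/REALM_PLACEHOLDER";
    static final String CLIENT_ID = "resource-server-placeholder";
    static final String CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER";
    static final HttpClient HTTP = HttpClient.newHttpClient();

    // PAT issuance via the client credentials grant: the RS authenticates as an OAuth client
    // of the AS, so the resulting PAT represents the RS itself, not an end user.
    static String obtainPat() throws Exception {
        String form = "grant_type=client_credentials&client_id=" + enc(CLIENT_ID)
                + "&client_secret=" + enc(CLIENT_SECRET);
        HttpRequest req = HttpRequest.newBuilder(URI.create(REALM_URL + "/protocol/openid-connect/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token endpoint: " + resp.body());
        return field(resp.body(), "access_token");
    }

    // Protection API call that requires the PAT: register a resource. Keycloak accepts an
    // "owner" (username or user id) here, which is how the RS ties the resource to its end user.
    static String registerResource(String pat, String name, String ownerUsername) throws Exception {
        String body = "{\"name\":\"" + name + "\",\"owner\":\"" + ownerUsername + "\",\"ownerManagedAccess\":true}";
        HttpRequest req = HttpRequest.newBuilder(URI.create(REALM_URL + "/authz/protection/resource_set"))
                .header("Authorization", "Bearer " + pat)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 201) throw new IllegalStateException("resource_set: " + resp.body());
        return field(resp.body(), "_id"); // Keycloak returns the new resource id as "_id"
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Minimal single-field extraction; a real resource server would use a JSON library.
    static String field(String json, String key) {
        Matcher m = Pattern.compile("\"" + key + "\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("missing " + key + " in response");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("registered resource id: " + registerResource(obtainPat(), "Alice Photo Album", "alice"));
    }
}
```

Because the PAT is bound to the RS client rather than to a user, it should be held only by the resource server and never handed to the requesting party's client.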