Apache X509 cert-lookup
by Matthias ANGLADE
Hello,
I'm trying to setup a client cert authentication. Since my Keycloak server
is running behind an SSL reverse proxy I modified the domain.xml file in
order to declare the Apache cert lookup SPI. I checked that the certificate
was properly embedded in the HTTP header still, I can't get to authenticate
using this approach. In the log file I see no line related to this
authentication (I should be able to see log coming from
AbstractClientCertificateFromHttpHeadersLookup.
It behaves just as if the SPI wasn't active.
Note that even if my proxy isn't an Apache server, the certificate it emits
is formatted like for Apache.
Any clue on this ?
Regards,
5 years, 10 months
Implementation of Policy Provider Service Provider Interface
by Leonardo Nunes
The Authorization documentation says that Keycloak supports different access control mechanisms including (Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)).
Which class do I need to extend to implement this SPI.
Currently I’m on version 3.4.3.Final.
Thank you!
--
Leonardo Nunes
________________________________
Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation
5 years, 10 months
Keycloak as an identity provider (either SAML or OpenID Connect)?
by Rafael Weingärtner
Hello, Keycloak community,
I am evaluating Keycloak, and after some reading, I got the impression that
it supports OpenID Connect and SAML (which fits exactly on my requirement).
However, after installing it, and digging a little deeper in the
configuration overview, I got confused.
I have used OpenID Connect before with MITREid implementation. So, when I
install and configure MITREid IdP, it will be working as an IdP for my
federation. I understand that key cloak can do identity brokering, which is
super nice, but what I wonder is the following. Is Keycloak prepared to be
an IdP out of the box with either SAML or OpenID Connect protocols? Or,
Does it depends on IdPs that implement those protocols to work?
--
Rafael Weingärtner
5 years, 10 months
Offline token revocation via API
by Dmitriy Semiushkin
Hello there!
I’m trying to find a way to allow user revoking their offline token via my web app (i.e. using keycloak’s API), not visiting keycloak’s page.
I’ve tried using DELETE /auth/admin/realms/R/users/U/consents/C request, but it requires `manage-users` role which is kinda wide.
I need a way to narrow this role to “allow user only revoke his tokens, not other users’ ones”.
I’ve tried implementing this in JavaScript Policy, but Evalution API have no information about user I’m trying to manage, so I can’t compare user id with identity id to tell if this is the same user.
Is there any way to implement this?
Thanks in advance!
5 years, 10 months
Using two or more access types
by Danilo do Val
Good afternoon sirs
I am implementing the Keycloak Authorization Service and, in addition to
JWT,
we need to use a second type of access, for example, Apikey or Basic
Auth, does anyone have experience or knowledge of how to support different
authentication types of the adapters?
Our case study uses the example app-authz-a-photoz (
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um...
)
Em sex, 22 de jun de 2018 às 08:57, <keycloak-user-request(a)lists.jboss.org>
escreveu:
> Send keycloak-user mailing list submissions to
> keycloak-user(a)lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request(a)lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner(a)lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1. Using two or more access types (Danilo do Val)
> 2. Re: Architectural Blueprint/Recommendations (Dmitry Telegin)
> 3. Re: Add custom roles in realm-management client (Dmitry Telegin)
> 4. Re: Keycloak client (Dmitry Telegin)
> 5. Re: keycloak SAML response - Authentication method
> information (Manisha Nandal)
> 6. Re: Keycloak as SAML IdP - Google sign-out problem (Tiemen Ruiten)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 21 Jun 2018 16:16:29 -0300
> From: Danilo do Val <danilodoval(a)gmail.com>
> Subject: [keycloak-user] Using two or more access types
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
> <
> CAOPhXAm0rQVoE1aL5SnG513T8xKa5mVLDuRXXk+rSBPfPxRH1w(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> `` `
>
> Boa tarde senhores
>
> Estou implementando o Servi?o de Autoriza??o Keycloak e, al?m do JWT,
> precisamos usar um segundo tipo de acesso, por exemplo, o Apikey ou o Basic
> Auth, algu?m tem experi?ncia ou conhecimento de como suportar diferentes
> tipos de autentica??o dos adaptadores?
>
> Nosso estudo de caso usa o exemplo app-authz-a-photoz (
>
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um...
> )
>
>
> --
> __________________
> http://br.linkedin.com/in/daniloval
> 19 9227.9082
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 22 Jun 2018 01:26:08 +0300
> From: Dmitry Telegin <dt(a)acutus.pro>
> Subject: Re: [keycloak-user] Architectural Blueprint/Recommendations
> To: "Everson, David (MNIT)" <david.everson(a)state.mn.us>,
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID: <1529619968.6161.1.camel(a)acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi David,
>
> Please see the answers and remarks inline.
>
> On Mon, 2018-06-18 at 14:40 +0000, Everson, David (MNIT) wrote:
> (skipped)
> > 15. Keycloak should be clustered for high availability.
> > 16. Keycloak environment would be hosted on AWS, more than likely EC2
> > instances.
> > 17. Client applications also hosted in AWS.
> > 18. Keycloak's database would be PostgreSQL hosted in AWS RDS.
>
> Speaking of Keycloak on AWS, this is absolutely doable, but not that
> trivial. Please be sure to have read the document [1], especially the
> "Troubleshooting AWS specifics" part, and relevant ML postings [2].
> Long story short, AWS doesn't allow for IP multicast between the nodes,
> which is the default node discovery mode in JGroups (the backbone of
> Keycloak clustering). You should use S3_PING or JDBC_PING instead.
>
> >
> > A few questions/concerns of the working group:
> >
> > A. Is there any information available on the maximum size of an
> > Keycloak installation? Will Keycloak be scalable and performant given
> > the above assumptions and constraints.
>
> AFAIK, nobody has performed actual Keycloak benchmarking yet
> (publicly). There's however a Keycloak benchmarking suite based on
> Gatling [3]. It hasn't been updated for about two years, so first we'll
> need to make sure it works with recent Keycloak versions.
>
> >
> > B. What's the best recommendation for distributing the Keycloak
> > instances and realms.??Right now the group has three options on the
> > table:??1) A single Keycloak install per application (i.e.
> > client);??2) A single Keycloak install per organizational unit (i.e.
> > realm); or 3) A single Keycloak install per organization (i.e.
> > serving all realms and clients).
>
> The pros for A and B is obviously that you get some degree of
> separation/isolation, which might be good from the security and
> availability POV. However, this comes at a price of complexity; you'll
> have to deploy, monitor & maintain each separate instance / group of
> instances, each having different configs and dedicated database.
>
> Another big issue is load distribution. I doubt that your
> clients/realms all have equal, uniform load patterns. Given that each
> Keycloak instance will have its hardware limitations (CPU, RAM), you
> potentially end up with some nodes overloaded and others idle. The C
> scenario is obviously free from this issue.
>
> >
> > C. A major concern the group has with a single Keycloak install (#3
> > in previous bullet) is the high-availability in terms of performance
> > and concerns of a rouge client affecting other applications
> > negatively.??What is the community's recommendation for addressing
> > this concern?
>
> As you will necessarily have a load balancer / reverse proxy in front
> of your Keycloak cluster, you can enforce rate limiting / throttling on
> your load balancer. For example, haproxy implements rate limiting based
> on IP addresses, URLs and HTTP headers [4].
>
> >
> > D. Another major concern the group has with a single Keycloak install
> > is the restarts that are necessary when an organization unit deploys
> > a new or updated template.??The concern is that all applications
> > would be unavailable during the restart.???We would be operating in a
> > clustered environment, is the best solution to this concern
> > restarting individual members of the cluster rather than the entire
> > cluster?
>
> Could you please elaborate on template deployment? In Keycloak
> parlance, "templates" can be understood either as "client templates" or
> "HTML templates" (within custom GUI themes).
>
> Client templates surely can be created/updated via GUI or REST API,
> without the need for restart. For GUI themes, they can be deployed a)
> as Wildfly modules, b) via "themes" directory. While the former option
> indeed requires restart, the latter does not. Keycloak 4.x also adds c)
> hot deployment of themes by dropping theme JARs into the "deployments"
> directory.
>
> >
> > E. For reporting and governance processes, the Keycloak API performs
> > quite poorly when we execute use cases such as "Report all Users of
> > an Application".??Given the version we are currently on, to
> > accomplish this we need to query all users in the realm and then
> > filter the users if they have the client/role combination.??We
> > understand that a future release addresses this use case, but in the
> > meantime the concern is such a query will negatively affect all other
> > clients using Keycloak.??Any recommendations on handling this use
> > case prior to Keycloak 4.x?
>
> Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't
> find any info)
>
> Keycloak admin REST API has an endpoint called "Return List of Users
> that have the specified role name", see [5] (identical for KC 3.x and
> 4.x). You could use this endpoint, however you will have to iterate
> over client roles and then merge and de-duplicate the results. Anyway,
> this should be much more efficient than your current approach.
>
> In general, this looks like a classical use case for Realm Resource
> Provider [6]. The query you described easily maps to a single SQL/JPQL
> statement, so you could implement a custom REST resource that would
> execute exactly that query and return results.
>
> Unfortunately, custom REST resources in Keycloak are public by default
> (protected resources should become a part of the hypothetical Admin
> Resource SPI somewhere in the future). However, you can implement that
> (relatively) easily with the techniques demonstrated in Beercloak [7].
>
> >
> > F. Upgrading Versions of Keycloak.??We have experienced some
> > difficulty of upgrading versions on server-side (we need to export,
> > import vs a simple DB backup and deployment).??What is the
> > recommendations for handling the upgrade of Keycloak from one version
> > to the next given the size of our user base?
>
> Could you please elaborate a bit on the problems that you're facing?
> The export/import scenario is relevant for database upgrades (e.g.
> PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that
> should upgrade the data+metadata automatically. Why doesn't that work
> in your case? Let us know, probably this could be fixed.
>
> >
> > I'm sorry for the long post, hopefully folks get to this point.??Any
> > insight that we could receive would be greatly appreciated. We are at
> > a critical cross-roads in our Keycloak adoption and want to ensure we
> > do this correctly.
>
> Sorry it took so long to reply. Keycloak is a great product, I hope it
> fulfills your needs. Good luck!
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> [1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-
> in-aws.html
> <https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws...>
> [2] https://www.keycloak.org/search.html?q=aws
> [3] https://github.com/rvansa/keycloak-benchmark
> [4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-lim
> iting/
> <https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/>
> [5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html
> [6] https://www.keycloak.org/docs/latest/server_development/index.html#
> _extensions_rest
> [7] https://github.com/dteleguin/beercloak
>
> >
> > Thanks!
> > Dave
> >
> >
> > Dave Everson
> > Application Development Team Lead | Environmental Health
> > Minnesota IT Services | Partners in Minnesota Department of Health
> > 625 Robert Street North
> > St. Paul, MN 55155
> > O: 651-201-5146
> > Information Technology for Minnesota Government?|
> > ?mn.gov/mnit<http://mn.gov/mnit>
> > [Minnesota IT Services Logo]
> > [Facebook logo]<https://www.facebook.com/MN.ITServices>[LinkedIn
> > logo]<https://www.linkedin.com/company/mn-it-services>[Twitter
> > logo]<https://twitter.com/mnit_services>
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------
>
> Message: 3
> Date: Fri, 22 Jun 2018 03:38:30 +0300
> From: Dmitry Telegin <dt(a)acutus.pro>
> Subject: Re: [keycloak-user] Add custom roles in realm-management
> client
> To: Waldemar Schmalz <waldemar.schmalz(a)codecentric.de>,
> keycloak-user(a)lists.jboss.org
> Message-ID: <1529627910.9620.1.camel(a)acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Waldemar,
> What version of Keycloak are you on? Things are different for pre-3.2.0
> and post-3.2.0.
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic+ 42 (022)
> 888-30-71
> E-mail:?info@acutus.pro
> > Hello,
> >
> > I have created a new client-role in client "realm-management". It's
> > called
> > "manage-roles" and its purpose is (or should be) to grant users
> > access to
> > create, edit and delete roles in their realms. In the base theme this
> > is
> > only possible when users have access to the role "manage-realm" in
> > client
> > "realm-management". But with this client-role the user is able to
> > manage
> > the whole realm, not only the roles. My user is only allowed to
> > manage
> > roles, users and groups in this case.
> >
> > I changed the html-files so that the keycloak sidebar menu is
> > working: Menu
> > item "Roles" is visible for user with my custom client-role "manage-
> > role".
> > I also extented the getAccessObject() method in my themes
> > controller/realm.js with the needed new role "manageRoles".
> >
> > Accessing the roles-list page is working, but accessing the role-
> > details
> > page (when clicking on a specific role) fails. I get a 403 Forbidden.
> > My
> > question is: Is there something I forgot?, where is the check for
> > returning
> > a 200 OK or a Forbidden for this case? It seems it is not in the
> > templates
> > files, like for the side-menu?
> >
> > If I forgot any information or something, please contact me.
> >
> > Thank you, your help is much appreciated!
> >
> > Best regards
> > Waldemar
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------
>
> Message: 4
> Date: Fri, 22 Jun 2018 04:34:35 +0300
> From: Dmitry Telegin <dt(a)acutus.pro>
> Subject: Re: [keycloak-user] Keycloak client
> To: Vinay <vinayatoz(a)gmail.com>, keycloak-user(a)lists.jboss.org
> Message-ID: <1529631275.9620.4.camel(a)acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Vinay,
> In Keycloak, client is (simply speaking) a combination of base URL,
> protocol (OIDC/SAML), roles and authorization rules. So, if your
> application lives under a single base URL, it's simply impossible to
> have many clients per application. Moreover, an adapter (that you use
> to secure your application) is configured for a particular client.
> Hence, there is a 1-to-1 relationship between an application and a
> client.
> However, if your application is heterogeneous, i.e. consists of
> separate components living under different base URLs (and created with
> different technologies), you will have to define individual clients for
> them.
> Resource is an URI under client's base URL, and is used to define fine-
> grained authorization rules within that client.
> Cheers,Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info(a)acutus.pro
> ? Thu, 21/06/2018 ? 12:50 -0400, Vinay ?????:
> > Hi there,
> > In what scenario an application should have multiple clients defined
> > in the
> > keycloak server ? How keycloak client defers from a resource ? I
> > understand
> > it is an application that asks for an authentication, but I am not
> > sure
> > when do we need multiple clients in an application. What is the basis
> > for
> > defining clients ?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 22 Jun 2018 10:05:51 +0530
> From: Manisha Nandal <manisha04.nandal(a)gmail.com>
> Subject: Re: [keycloak-user] keycloak SAML response - Authentication
> method information
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
> <
> CAP63w5Ti+nKSk2FF4n_urmEkNPBY5HYKq-5MvBS88Jnbnss2Xg(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Any update ?
>
> On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal <
> manisha04.nandal(a)gmail.com>
> wrote:
>
> > Hi,
> >
> > I authenticated my client application using google IDP. i want to
> retrieve
> > the information of IDP used for authentication from keycloak SAML
> > response. I have checked in keycloak documentation that
> > "AuthnStatement" give us the authentication method used (password, etc.)
> > as well as a timestamp of the login.
> >
> > But, my SAML response does not provide any such information. SAML
> contains
> > user name used for authentication under "NameID" but i want the identity
> > provider information, say in my case google is IDP
> >
> > <saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z"
> > SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::
> > 7f6d3293-8370-413f-b958-1763df3bb078">
> > <saml:AuthnContext>
> > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:
> > ac:classes:unspecified</saml:AuthnContextClassRef>
> > </saml:AuthnContext>
> > </saml:AuthnStatement>
> >
> > Can you please guide me on the same
> >
> >
> > Thanks,
> > Manisha
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 22 Jun 2018 10:00:53 +0200
> From: Tiemen Ruiten <t.ruiten(a)rdmedia.com>
> Subject: Re: [keycloak-user] Keycloak as SAML IdP - Google sign-out
> problem
> To: Rodolfo De Nadai <rdenadai(a)gmail.com>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <
> CAAegNz0QKWJn0zdOZst36GsOujrsXuyhvwYAHnSvnZ8xxGpn_g(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Signout is working for us, I initially used the same guide but had to make
> some changes. My setup differs in the following places:
>
> Include OneTimeUse Condition - off
> Optimize REDIRECT signing key lookup - off
> SAML Signature Key Name - NONE
> Bse URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note
> the lack of &RelayState=true)
>
> I set the signout URL in the Google Apps dashboard to
> https://ourdomain.tld/auth/realms/{realmname}/account/
>
> On 19 June 2018 at 22:12, Rodolfo De Nadai <rdenadai(a)gmail.com> wrote:
>
> > Hi,
> >
> > i'm configuring my keycloak installation as an IdP and Google apps as an
> > SSO.
> >
> > I'm able to login but when trying to logout i got no success...
> >
> > My configuration follows the described here:
> > https://stories.scandiweb.com/sign-in-to-google-apps-using-
> > saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
> >
> > There were a thread in the mailing list which was able to login also, but
> > didn't mention logout process. As i thought it should be almost as
> > transparent, since no documentation say anything, is begging to transform
> > in a problem.
> >
> > If someone could help or point in some direction i appreciate.
> >
> > thanks
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 54, Issue 32
> *********************************************
>
--
__________________
http://br.linkedin.com/in/daniloval
19 9227.9082
5 years, 10 months
realm JSON download without authorization check
by Neujahr, Jana
Dear keycloak users,
we found a little security gap which we do not know how to fix:
When you type and open the URL https://<domain>/auth/realms/<realmname<https://%3cdomain%3e/auth/realms/%3crealmname>>, then a download of the keycloak JSON starts without checking for authorization! The JSON contains the realm name, public key, account-service and the parameter tokens-not-before.
How can we prohibid this URL/JSON for others than a specific role?
Thank you in advance for your help.
Kind regards
Jana
Treffen Sie GISA auf folgenden Veranstaltungen!
15.06.2018 WEBINAR: GISA 365 – Wie sieht Ihr Weg in die Cloud aus?
19.06.2018 Energieforen: Fachtag SAP HANA, Leipzig
19.-20.06.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig
23.-24.10.2018 metering days 2018, Fulda
Aufsichtsratsvorsitzender: Norbert Rotter
Geschäftsführung: Michael Krüger
Sitz der Gesellschaft: Halle/Saale
Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414
UST-ID-Nr. DE 158253683
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.
5 years, 10 months
Client scopes not checked?
by Matthias Kesternich
Hello,
I am trying to setup a keycloak configuration for my use case which goes like this:
- I have an api called test-api, written in python and using oauth2/oicd.
- Simple endpoints can be accessed if the access token's scope contains "test-api-read-write". This scope is granted to admin and api users.
- Admin endpoints can be accessed if the access token's scope contains "test-api-admin". This scope is granted only to admin users.
- All other users requesting an access token should not be granted any of the scopes.
Now I've set it up like this in keycloak:
1. Create new realm "test"
2. Create user "norights".
3. Create new client scopes "test-api-read-write" and "test-api-admin" (display consent = off).
4. Create new client "test-api" (confidential, openid-connect).
5. Add "test-api-read-write" to default client scopes of "test-api", add "test-api-admin" to optional client scopes.
6. Under "Scope" set "Full scope allowed" = off.
To test the setup I go to the test-api client scopes page and click "Evaluate" with
- optional client scopes: test-api-admin
- user: norights
This returns a generated access token like shown at the bottom of this mail. Especially, it contains the line
"scope": "openid profile test-api-admin email test-api-read-write"
This is really suprising to me, I expected "scopes" to *not* contain any of the "test-api-*" scopes. After all the user norights does not have any roles or permissions setup yet. Quoting from a previous mail on this list:
"If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration"
Here, the intersection with the users own roles/scopes seems to be missing.
I've looked at the code here: https://github.com/keycloak/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1... .
It seems initToken does "token.setScope(clientSessionCtx.getScopeString());" which seems to merely copy the scopes from the request. There's also this applyScope() method that sees to do the intersection thing, but doesn't seem to be called in this case.
Is my understanding of client scope just plain wrong? I could get it to work if I use the "Authorize" tab and setup all this complicated policies stuff, but client scopes just seem so much easier.
Thanks for creating such an impressive open source SSO solution!
-Matthias
Generated access token:
{
"jti": "14f8a8e5-b39f-4092-aaa8-25ce62ceac2e",
"exp": 1529408429,
"nbf": 0,
"iat": 1529408129,
"iss": "http://localhost:8080/auth/realms/test",
"aud": "test-api",
"sub": "f4ecc77a-45ad-4dbf-9295-87d2fa4518c9",
"typ": "Bearer",
"azp": "test-api",
"auth_time": 0,
"session_state": "35140ca3-6107-4a79-8f46-b1b298d4bb58",
"acr": "1",
"allowed-origins": [],
"resource_access": {},
"scope": "openid profile test-api-admin email test-api-read-write",
"email_verified": true,
"preferred_username": "norights"
}
5 years, 10 months
keycloak SAML response - Authentication method information
by Manisha Nandal
Hi,
I authenticated my client application using google IDP. i want to retrieve
the information of IDP used for authentication from keycloak SAML
response. I have checked in keycloak documentation that
"AuthnStatement" give us the authentication method used (password, etc.) as
well as a timestamp of the login.
But, my SAML response does not provide any such information. SAML contains
user name used for authentication under "NameID" but i want the identity
provider information, say in my case google is IDP
<saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z"
SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
Can you please guide me on the same
Thanks,
Manisha
5 years, 10 months
Keycloak client
by Vinay
Hi there,
In what scenario an application should have multiple clients defined in the
keycloak server ? How keycloak client defers from a resource ? I understand
it is an application that asks for an authentication, but I am not sure
when do we need multiple clients in an application. What is the basis for
defining clients ?
5 years, 10 months
