Getting a realm public key without credentials
by Jean-Baptiste Fouet
Hi, we are trying to integrate Keycloak in our system, and in order to
check the generated access token, we need a realm public key. We would like
to avoid configuring credentials on all endpoints needing to check a JWT
token, so it would be great to be able to get the Keycloak key without any
credentials.
I did find the endpoint
http://localhost:8080/auth/realms/{realm}
which gives the following JSON, without auth:
{"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0}
Unfortunately, here there is no key id, so I can't handle several JWT
providers or even a single Keycloak with key rotation.
Now, I found a more detailed key interface under
http://localhost:8080/auth/admin/realms/{realms}/keys, returning for
each key the status, type (algorithm), and the key id.
But I need credentials to access this interface, even though it's only
public data (HMAC & AES keys are NOT provided).
I accessed it with the Keycloak master admin; I do not want to spread
his credentials everywhere, but I would be OK if I could create a
user with limited rights to access only that.
Any suggestions on how to proceed? Is there another endpoint to get
this full info?
The doc doesn't clearly state the roles needed to access
auth/admin/realms/{realms}/keys
Thank you
JB
5 years, 9 months
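An added example, not from the post above and not Keycloak's own code, of why the missing key id matters to a token verifier. The JWK Set (RFC 7517) is the format OpenID Connect providers publish at their unauthenticated jwks_uri, and Keycloak's realm JWKS sits at /auth/realms/{realm}/protocol/openid-connect/certs; each entry carries a "kid", which is what lets one verifier serve several issuers and survive rotation. The Go below indexes such a document by kid, picks the key a token's header names, pins the algorithm to RS256, checks issuer and expiry, and reports an unknown kid as a distinct error so the caller can refresh the key set once and retry. The key pair, the kid values, the issuer URL and the newSigner/sign helpers are constructed fixtures standing in for the Keycloak side; only parseJWKS and verify are the verifier's side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the RSA subset of a JSON Web Key (RFC 7517); "kid" is exactly what the
// bare "public_key" field of /auth/realms/{realm} lacks. encoding/json matches
// the lowercase JWK member names onto these fields case-insensitively.
type jwk struct{ Kid, Kty, Use, N, E string }

// ErrUnknownKid: refresh the key set once (a rotation may just have happened)
// and retry; if the kid is still unknown, reject the token.
var ErrUnknownKid = errors.New("no key for kid; refresh the key set and retry once")

// parseJWKS indexes the RSA signing keys of a JWK Set document by kid.
func parseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	ks := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Use != "sig" || k.Kid == "" {
			continue // skip non-RSA, encryption-only and unnamed keys
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed JWK")
		}
		ks[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return ks, nil
}

type claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// verify checks an RS256 JWT with the key its kid names, then issuer and expiry.
// The algorithm is pinned, so a header claiming "none" or HS256 is rejected.
func verify(token, issuer string, ks map[string]*rsa.PublicKey, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, errH := b64.DecodeString(parts[0])
	rawBody, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected header alg %q", hdr.Alg)
	}
	pub := ks[hdr.Kid]
	if pub == nil {
		return nil, ErrUnknownKid
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer { // exact string match, as OIDC requires
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, issuer)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// newSigner is a constructed fixture for the Keycloak side: a fresh 2048-bit
// key pair and its public JWK published under kid.
func newSigner(kid string) (*rsa.PrivateKey, jwk) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // error is unreachable with rand.Reader
	return priv, jwk{Kid: kid, Kty: "RSA", Use: "sig", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

// sign issues an RS256 JWT carrying kid in its header, as the issuer would.
func sign(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	const iss = "http://localhost:8080/auth/realms/ISEP" // constructed; must equal the realm's "iss"
	priv, key := newSigner("kid-2018-06")                  // constructed kid
	doc := fmt.Sprintf(`{"keys":[{"kid":%q,"kty":"RSA","use":"sig","alg":"RS256","n":%q,"e":%q}]}`, key.Kid, key.N, key.E)
	ks, _ := parseJWKS([]byte(doc))
	tok := sign(priv, key.Kid, claims{Iss: iss, Exp: time.Now().Add(time.Minute).Unix()})
	_, err := verify(tok, iss, ks, time.Now())
	fmt.Println("verified under kid", key.Kid, "err =", err)
}
```

Two design points a resource server should keep: treat ErrUnknownKid as "refresh the key set once, then retry once", never as "refresh on every request", or an attacker sending random kids turns your verifier into a load generator against Keycloak; and keep a cached copy of keys that have disappeared from the document for as long as tokens signed with them can still be valid, otherwise every rotation invalidates every outstanding token at once.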
Keycloak Rest API - sessions
by Eivind Larsen
Hi Keycloak Users!
I am integrating the session data from Keycloak into our existing
account settings page.
I see Keycloak has an API call for listing user sessions.
GET /admin/realms/{realm}/clients/{id}/user-sessions
a) I was wondering why this does not include offline sessions?
So to list all sessions I need to:
1. List user sessions (call above).
2. List consents.
3. Grab client ids from consents.
4. List offlineSessions for each client in 3.
5. Merge all the sessions from 1 and 4.
b) Am I missing something? Is there a simpler way to list all sessions
for a user?
Best regards,
Eivind Larsen
5 years, 9 months
Release plan RH-SSO
by Lösch, Sebastian
Hello,
the new Keycloak release 4.0.0.Final is out now and I wonder what's the
next RH-SSO release. Is there any release plan regarding RH-SSO? (And
is this mailing list the right place to ask?)
Best regards,
Sebastian
5 years, 9 months
Identity Provider Mappers are not being deleted when Identity Provider is deleted
by Matt Evans
I'm using kcadm to add and remove identity providers, and identity provider mappers.
I've noticed that I can delete an identity provider that has a mapper assigned to it, and then when I read the whole realm, the identityProviderMappers element contains all the mappers, including ones for the identity providers that I have deleted.
I don't seem to be able to delete them then, I can't use the documented api url because it is a sub route of the identity-provider, which doesn't exist now, so it returns 404.
Is there an admin URL that can manipulate the provider mappers collection itself? Or is this an issue, and deleting the provider should also delete its mappers?
Matt
5 years, 9 months
"Mapper-spanning" LDAP federation and mapping "Composite Roles"
by Marco Hünseler
Hello there,
I am trying to import a rather large and complex AD structure into
Keycloak and I am facing some rather substantial problems with that.
First of all, I have some user groups whose members span over multiple
subtrees.
Example:
Group OU 1
|- Group1
|- Group1.1
Group OU 2
|- Group2
|- Group2.2
Where Group1.1 is a member of Group1, Group2.2 is a member of Group2 and
Group2 is a member of Group1. In reality it is a little bit more complex of
course and makes much more sense ;-)
Unfortunately, this doesn't seem to work as every group mapper only sees
its own groups, which leads to (1) that the resulting group-order does not
remotely match the one that's in AD and worse (2) when telling a group
mapper to watch out for groups that do not exist in upstream anymore, it
cleans up everything else.
Second, there are (fortunately separate) OUs containing groups that
represent a set of rights granted to the user. Obviously, I want to map
them as roles. What I cannot achieve is to map these roles, once I import
them, to the groups they point to. Loading the roles recursively would
probably be possible as well, but I would like to stick to the AD structure as
close as possible (I'm planning to connect Keycloak to different data
sources as well and it would be pretty awesome to have some reporting
against the keycloak db at a later stage).
Third, there are quite a lot of groups with multiple "member"s in AD. When
listing them, most of them have something in common: They are logically
used to pool similar roles, so no one needs to manage them one by one.
Which leads me to think that it would be quite accurate to map them as
"composite roles". Unfortunately, this does not seem to be supported by the
role mappers at all and if it was, it would probably also not work over
mapper boundaries.
TLDR; Keycloak is able to map groups and roles from AD but is completely
missing functionality to do this cooperatively between mappers. I would
love to know whether anyone can think of another
as-good-as-possible-structure-preserving way of mapping this directory
beast inside Keycloak. Also, I would love to hear about your thoughts
regarding implementing some "cross-mapper" functionality for the LDAP
connector and how far it can or should go to get this upstreamed later
eventually so we can proceed with this on -dev :-)
Thanks for reading!
Marco
5 years, 9 months
keycloak without token
by rdg77390
Hi, I created an application using Tomcat 8 and Keycloak.
The application has some REST APIs that will be called from the browser. So the
application is both server and application. I believe with a JSESSIONID in a
cookie, I do not need to pass an authentication token if I'm talking to the
same server in the same session, isn't it? Could someone clear this up for me?
Or do I have to pass an access token even if I'm talking to the same
server?
Also, I want to use Orbeon in the same Tomcat; I set crossContext to
true.
I want it to be secure, but without setting up a security-constraint, it seems like
Keycloak does not protect the Orbeon path. But it should be protected and should
be accessible without passing an access token. Does this make sense? I do not
know if I'm on the right track or not.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
5 years, 9 months
About issue 6073
by Nicolas Gillet
Hello,
Implementing KC as the authentication server for our web application, I stumbled upon what tastes like the JIRA issue 6073.
All our application servers are in the same network and an HAProxy routes requests based on the path (the Keycloak server answers all paths starting with /auth, for instance). From what I got of the auth mechanism, the other applications hosted in our network (aka "clients") need to query Keycloak when they receive a token from the browser, therefore they need to have the KC URL, and there comes the glitch: in order to make it work, the URL must be strictly equal to the token's issuer, and when querying over the internal network, it's not the case.
Worse for me, our company has several domain names for the very same application, these domains being our customers' domains for whom we "style" the application, so using the "external" domain name to query KC is not an option as it's dynamic, depending on the domain name the token was issued on.
Anyway, that's yet another reason to take an interest in the feature request 6073.
I had a look in the code to see if I could do the pull request myself, but it's very daunting and does not look like an easy one for a first contribution.
So I'd like to know if the team is planning on implementing this feature one day, or if someone is willing to give me more detail about the way to do it (my background in OAuth and security being very light).
Many thanks,
Nicolas GILLET
5 years, 9 months