How to verify a JWT token with jwt.io or a JavaScript program
by Christophe Lehingue
Hello,
How can I check the signature of a token (with https://jwt.io/ or an
external JavaScript program)?
The configuration of my client is of "public" access type:
The keys I use are those defined in the "keys" area of the "realm" created:
But that does not work: do you have any idea how I could do this check?
Thanks and good day.
Regards,
Christophe
6 years, 8 months
Re: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
by José Luis Colomer Martorell
Hello, just to clarify the last question written by Francisco,
I'm also having problems when upgrading the RPT when the requested resource
is not authorized to the user.
This is my current setup:
Users:
Just one user: foouser
Resources:
- foo-resource
- bar-resource
Policies:
- foouser-policy: this policy grants access for only foouser.
Permissions:
- fooresource-foouser-permission: this permission associates the
resource "foo-resource" with the policy "foouser-policy"
I obtained the following valid RPT
{
  "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
  "exp": 1531411894,
  "nbf": 0,
  "iat": 1531375932,
  "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
  "aud": "demo-upgrade-rpt",
  "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
  "typ": "Bearer",
  "azp": "auth-demo-webapp",
  "auth_time": 0,
  "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
        "rsname": "foouser-resource"
      }
    ]
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [],
  "preferred_username": "foouser"
}
And I tried to upgrade it using a ticket for an unauthorized resource
(bar-resource)
{
  "resources": [
    {
      "id": "c73c3133-b987-4d1f-8195-544735d75433",
      "scopes": []
    }
  ],
  "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
  "exp": 1531411717,
  "nbf": 0,
  "iat": 1531375717,
  "aud": "demo-upgrade-rpt",
  "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
  "azp": "demo-upgrade-rpt"
}
Keycloak returns a 200 OK response including "upgraded": true in the body.
I was expecting a 403 Forbidden response; it seems Keycloak just assesses the
RPT's permissions, ignoring the ticket's. Is this correct?
6 years, 8 months
Re: [keycloak-user] Kerberos Authentication
by "Matthias Müller"
Hello Jochen,
Here is the trace information. I do not have much experience with Kerberos; maybe you can see a reason?
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/servername@domain.local
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391993.36009: Looked up etypes in keytab: aes256-cts
[8639] 1531391993.36071: Sending request (196 bytes) to domain.local
[8639] 1531391993.36099: Resolving hostname kerberos.domain.local
[8639] 1531391993.36411: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391994.37505: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.47972: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391994.59194: Received answer (209 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391994.59365: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.123891: Response was not from master KDC
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124163: Processing preauth types: 16, 15, 19, 2
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername@domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124420: AS key obtained for encrypted timestamp: aes256-cts/3C17
[8639] 1531391994.124492: Encrypted timestamp (for 1531391993.432619): plain 301AA011180F32303138303731323130333935335AA10502030699EB, encrypted 1AB1CF23868718D3F7DCCB375E7B5C09655FE360088E5877846A9E84E7CCFD424496D15486173B0A8DE54FB12C394A9481BC9DFDCD5A032E
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391994.124572: Produced preauth for next request: 2
[8639] 1531391994.124622: Sending request (276 bytes) to domain.local
[8639] 1531391994.124690: Resolving hostname kerberos.domain.local
[8639] 1531391994.124813: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391995.125972: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.136487: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391995.147521: Received answer (176 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391995.147682: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.178245: Response was not from master KDC
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
[8639] 1531391995.178507: Preauth tryagain input types: 16, 15, 19, 2
[8639] 1531391995.178569: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391995.178667: Looked up etypes in keytab: aes256-cts
[8639] 1531391995.178731: Sending request (196 bytes) to domain.local (master)
kinit: Preauthentication failed while getting initial credentials
domain.local is the name of the domain.
kerberos.domain.local is an Active Directory server with Kerberos enabled.
servername is the server on which the application is installed.
Thanks
"Matthias Müller" <matthiasmueller07 at web.de> writes:
> I added the necessary fields in the ldap configuration before.
>
> Realm: local.domain
> Principal: HTTP/server.name@local.domain
> Keytab: /etc/keytab/servername.keytab
Ok.
> local.domain and server.name are placeholders for the original settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name
That's bad. My system has:
[root@saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root@saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org@EXAMPLE.ORG
Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Until that works you don't need to look at anything else.
Please try:
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name@local.domain
> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name@local.domain (aes256-cts-hmac-sha1-96)
That date looks fishy.
[root@saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
Can you please move the discussion back to the keycloak list? Thanks.
Jochen
--
This space is intentionally left blank.
6 years, 8 months
View-users permissions only view some users
by Nicolas Gillet
Hello,
Is it possible to grant a user the permission to view only some (not all) users of the realm?
Same question about being allowed to impersonate only the users he is allowed to see?
Thanks for any help :-)
Nicolas GILLET
6 years, 8 months
lock user after being inactive for certain period
by Sachin Rastogi
Hi all,
We need to disable / lock a user if the user doesn't log into the system for a
certain period (such as after 10 days or so). I couldn't find an option to
enable this. Please guide me.
Regards,
SR
6 years, 8 months
"Secret" realm landing page
by Stan Silvert
Many of you may not know this, but each realm in Keycloak has a
public-facing page that allows you to retrieve the public key and some
other realm info as JSON.
http://localhost:8080/auth/realms/master
{"realm":"master","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUuJC65uwY1u0wX5zDOmDI/hez0AgMWBTQ+FZ1P3IiqawxkAR35dh8PvfsdM0/3TLCEH195J3BMZL6fxPVKwaFN+s7JLYtSSQ/j7w9D+MP7j7OQbpo7ucvwAch2aG96sgqSXlr5ZWgksOXJwPTloFCjvNcnBwbg+sOyIJjxpQ4/augphUgXglOsXRrXuNUQOLmURlPFv//AyN4Iea0kyfWxGn0m4iRl+Mff/Lz5vPtv/m3sFJ/D5iL9WD2uxkmq88a5EgqiW9/U/stj7VDwd3DDTAzqPsicGWDiNdFSpI1AqaNcWGTMeXl0TU29/vW4yqzMgeDxV8ig9uU2DBkTzRwIDAQAB","token-service":"http://localhost:8080/auth/realms/master/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/master/account","tokens-not-before":0}
First, is anyone using this JSON?
Second, would you like to see something else in its place? A dashboard
of available apps perhaps?
Stan
6 years, 8 months
Master realm or any other realm
by vandana thota
Hello
Which is the better option for configurations in Keycloak: using
the master realm or creating a new realm?
Thanks,
Vandana
6 years, 8 months