IBM DB2 not supported anymore?
by Manfred Duchrow
Hi,
In issue https://issues.jboss.org/browse/KEYCLOAK-7519 Stian added a comment saying "Rejecting this as we removed support for DB2 in 4.x. DB2 had very few users and was by far the most time consuming to maintain."
Is it true that DB2 will not be supported anymore? Where has it been announced? I cannot find anything in the documentation, release notes, blogs or the user list mentioning it.
I think you shouldn't drop support for DB2. It is a major enterprise database and many companies are using it.
Cheers,
Manfred
5 years, 9 months
SAML Advice assertion with signature
by Arjan Lamers
Hi,
We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the dutch eHerkenning) that is using SAML Advice tags.
We were running an older version of KeyCloak and recently that identity provider started to use <saml:Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag and that made us upgrade to 3.4.3. However, this patch does not seem to be complete.
The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails.
We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?
However, if we do want to go down this road, we would probably patch this in org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator) by skipping over nodes that have an 'Advice' parent.
Would that be an appropriate approach? Would you be interested in such a patch?
Kind regards,
Arjan Lamers
Software Architect
+31 (0)6 23 82 24 05
a.lamers(a)first8.nl
https://www.first8.nl
LinkedIn https://www.linkedin.com/in/arjanl
Kerkenbos 1059b
6546 BB Nijmegen
View Conclusion's general terms and conditions here: https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden
5 years, 9 months
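As an added illustration of the classification the patch proposed above would have to make (example code, not Keycloak's own), using only Python's standard library on a constructed response: signatures nested under saml:Advice are separated from the assertion's own signature, which must still be verified. SAML Core 2.0 §2.6.1 allows a relying party to ignore Advice content, but not the enclosing assertion's signature, so the helper refuses an assertion that has no signature left outside Advice.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not a real eHerkenning response): the outer Assertion is
# signed by the IdP; the Advice element carries two further signed Assertions
# whose signing keys the relying party does not hold.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}">
  <saml:Assertion ID="_outer">
    <saml:Issuer>idp.example</saml:Issuer>
    <ds:Signature Id="sig-outer"><ds:SignedInfo/></ds:Signature>
    <saml:Advice>
      <saml:Assertion ID="_adv1"><ds:Signature Id="sig-adv1"/></saml:Assertion>
      <saml:Assertion ID="_adv2"><ds:Signature Id="sig-adv2"/></saml:Assertion>
    </saml:Advice>
  </saml:Assertion>
</samlp:Response>"""


def partition_signatures(xml_text):
    """Split ds:Signature Ids into (verify, skip): skip = nested under saml:Advice."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    verify, skip = [], []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        node, under_advice = sig, False
        while node in parent:  # walk up to the root looking for an Advice ancestor
            node = parent[node]
            if node.tag == f"{{{SAML_NS}}}Advice":
                under_advice = True
                break
        (skip if under_advice else verify).append(sig.get("Id"))
    return verify, skip


def signatures_to_verify(xml_text):
    """Like partition_signatures, but ignoring Advice must never leave nothing to verify."""
    verify, skip = partition_signatures(xml_text)
    if not verify:
        raise ValueError("no signature outside saml:Advice; assertion is unsigned")
    return verify, skip
```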
Add consent programmatically
by Henning Waack
Hi.
Using KC 4.0, I am a little confused about consents. Using the KC Admin Client, when retrieving a UserResource I can get an (untyped) list of consents, which represents the consents visible on the KC Admin Homepage for a given user. Also I can revoke a consent on the UserResource object.
On the UserRepresentation object I have a method getClientConsents which returns a list of UserConsentRepresentations. These I do not know where to find on the Admin UI for a user. And these consents are not the same as the ones from the UserResource.
Can someone please explain the difference between these two? And my real question is: can I programmatically set the consent for a user for a client which requires consent?
Hope you can help, thanks in advance,
greetings
Henning
5 years, 9 months
Is that possible to custom token claims? Especially, I don't want "sub" in the token claims.
by hugh shangguan
Hi there,
I am learning the Keycloak system. I wonder if I can change the token claims.
In the endpoint http://localhost:8080/auth/realms/demo/.well-known/openid-configuration I can see there is a claims_supported. Can I set it without "sub"?
"claims_supported": [
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported": [
"normal"
],
When I log in to Keycloak, I receive a token; the claims in the token look like this.
{
"jti": "ea8ea454-6af2-4343-a51f-14092d7566bb",
"exp": 1531316875,
"nbf": 0,
"iat": 1531280875,
"iss": "http://localhost:8080/auth/realms/demo",
"sub": "a9ce424d-019b-4222-859d-eba851c875ff",
"auth_time": 0,
"session_state": "20dc46d8-029b-4b27-af37-e4b896789e96",
"resource_access": {},
"state_checker": "GYcbcAp8yFc0YCmBdKN9jJ1lqXT_oMp9Hoa1WW93uxw"
}
Can I change some config to turn "sub" off? Is it safe that the browser can get the user information?
My understanding of how Keycloak works is the steps below. Please point out if I am wrong.
1. The client (browser) goes to the application server to ask for a protected URL, and it will be redirected to the Keycloak login page.
2. After the user finishes their login in the browser, the user will get a code from Keycloak (it seems it actually is a token).
3. Then the browser will send the code to the application server.
4. The application server will ask the Keycloak server whether the code is valid and get an access token. Then the application server decides whether or not to allow the user.
But I see my browser just gets the access token with user information. I wonder, is that secure?
Thanks
--
Hugh
Zhaohui Shangguan
5 years, 9 months
How to keep users from updating their account details in admin client?
by Torsten Juergeleit
Hi everyone,
we have the requirement that users are not able to change their account details (email, first name, last name) in Keycloak's account client. We need read-only access to the admin client, so removing the admin client from the realm is not an option.
Is there any way to achieve this other than blocking any POST to "/auth/realms/<realm>/account/" in our reverse proxy?
Cheers,
Torsten
5 years, 9 months
Retrieve all permissions
by Corentin Dupont
Hi guys,
I noticed a couple of strange things when retrieving all the permissions.
I tried:
$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
"permissions": [
...
But it seems that this command returns only the permissions for the resources belonging to the client, excluding resources belonging to other users?
To get an assessment of all resources, I tried adding a scope:
$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
"permissions": [
{
"rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
"rsname": "foo"
This instead returns a list of resources belonging to all users. But the list seems to be wrong: it returns sensors to which I *don't* have access!
If I try the request on the specific resource, it returns (rightfully) access_denied:
$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
{"error":"access_denied","error_description":"not_authorized"}
Another strange thing: if I try with a non-existent resource ID, there is no error message and it returns a list of permissions:
$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" \
    | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
"authorization": {
"permissions": [
{
"rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
"rsname": "foo"
...
5 years, 9 months
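The observations in the post above argue for a resource server checking the exact resource id and scope inside the RPT rather than treating a non-empty permissions list as a grant. The following added example (not Keycloak's or the poster's code) decodes the RPT payload the way the shell pipeline does, but restores the base64url padding JWT segments omit, and checks one resource/scope pair; the token, ids and the "scopes" list in the claims are constructed here.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token):
    """Return the claims of a compact JWT. No signature check: inspection only."""
    return json.loads(b64url_decode(token.split(".")[1]))


def rpt_permissions(token):
    """Map resource id -> set of granted scopes from the RPT's authorization claim."""
    perms = jwt_payload(token).get("authorization", {}).get("permissions", [])
    return {p["rsid"]: set(p.get("scopes", [])) for p in perms}


def has_permission(token, rsid, scope):
    """True only if the RPT grants `scope` on exactly this resource id."""
    return scope in rpt_permissions(token).get(rsid, set())


# Constructed RPT: header, claims and a dummy signature segment. The claims
# mirror the shape in the post; the resource id is made up.
_HEADER = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_CLAIMS = b64url_encode(json.dumps({
    "iss": "http://localhost:8080/auth/realms/waziup",
    "aud": "api-server",
    "authorization": {"permissions": [
        {"rsid": "11111111-0000-0000-0000-000000000001", "rsname": "foo",
         "scopes": ["sensors:view"]},
    ]},
}).encode())
SAMPLE_RPT = f"{_HEADER}.{_CLAIMS}.{b64url_encode(b'not-a-real-signature')}"
```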
SAML Identity Provider Name ID format(s), which one to choose?
by Daniel Teixeira
Dear community,
I am trying to configure SAML Identity Providers (for Universities) but I don't know which NameID Policy Format to choose. In my scenario, the University users must be linked to LDAP User Federation, and users should be able to log in to applications in both ways (either with LDAP or University credentials).
I have tried the following configurations for the SAML Identity Provider: Persistent, email and unspecified. Here are the problems I get:
*Persistent*: Works "Ok" but I have 2 issues with it:
1) Logout does not work well, because apparently Keycloak does not send NameQualifier and SPNameQualifier in the LogoutRequest; more information here: https://issues.shibboleth.net/jira/browse/IDP-1297
2) The persistent NameID may not be "so persistent" in my case, because the IdP takes the domain where Keycloak runs to make the persistent NameID, and therefore if I change the hostname of my Keycloak instance, things may break in the future. Moreover it does not help with test / dev environments where the hostname is different (but this is not a problem of Keycloak I assume)...
*unspecified*: I tried unspecified (which, correct me if I am wrong, maybe corresponds to the transient NameID?). In this case, the problem is that it works the first time, but the second time, since it generates a new ID, Keycloak sees a user with the same email already, or if the user is not there, it creates a new user every time....
I have tried to create a mapper in the IdP mappers (Preprocessor Username Template Importer), but this didn't fix the problem. (In the Provider User ID and Provider Username) it always takes the random/transient? NameID, and for my use case, Provider User ID and Provider Username should not change.
*email*: I have tried to use email, but I get a non-informative error: "An error occurred." and if I look at the logs in DEBUG mode I don't see very much valuable information:
15:32:34,996 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-31) Authorization code is valid.
15:32:34,997 WARN [org.keycloak.events] (default task-31) type=FEDERATED_IDENTITY_LINK_ERROR, realmId=******, clientId=account, userId=******, ipAddress=******, error=An error occurred., code_id=bc92ef2d-5a0c-458c-a3a8-40c91ec13140, username=*****
15:32:34,998 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-31) An error occurred.
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
Can someone point me in the light side of the force :) ?
Thank you very much in advance,
Daniel Teixeira
5 years, 9 months
Keycloak authorization based on business attributes
by Nikola Malenic
Here is how my application should work:
Users can use some functionalities of my application if they have enough chips (tokens), which they can buy from another application, or they can be granted to them upon some event, whatever.
Users have an attribute associated with them called 'chip', which represents some number. This information should be represented as a claim, probably.
I want Keycloak to do this authorization for me - to check whether the user can use the functionality or not. I've come across JavaScript-based policies. It seems they are able to operate on information in tokens - like user email etc., but this is not my case, where the token can contain obsolete information, i.e. when the token was generated the user had enough chips but since then he spent them.
Maybe the token should be refreshed upon spending chips, but in that case, would it be updated with the current information bound to the user? Or maybe the authorization service can somehow access the database during evaluation of a policy? Could this work or are there any elegant solutions to this use case?
5 years, 9 months