Implementing a global admin role
by Stefan Hesse
Hello,
I am trying to implement some kind of global admin role that grants
access rights to all scopes within a resource.
What I did is the following:
- Defined a permission with a group policy on the resource (Admin)
- Defined a permission with a user policy on one specific scope e.g.
view. (normal user)
The problem that arises is, while evaluating the policies, the global
group policy always overwrites the decision from the group policy.
Therefore the user will always be denied access, even though one
permission grants access.
Can I change this behavior to make the accumulated result "PERMIT"
instead of "DENY"?
Best Regards
Stefan
5 years, 9 months
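The situation described in the post, as an added example that is not from the post or from Keycloak's code base: a simplified model of how per-permission decisions are combined under the three decision strategies Keycloak names (Unanimous, Affirmative, Consensus). The permissions, policies and identities are constructed to mirror the post: an "Admin" permission backed by a group policy, and a "view" scope permission backed by a user policy.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"


# Constructed policies: a group policy for the Admin permission and a
# user policy for the "view" scope permission (names are assumptions).
def admin_group_policy(identity):
    return Decision.PERMIT if "admin" in identity["groups"] else Decision.DENY


def alice_user_policy(identity):
    return Decision.PERMIT if identity["user"] == "alice" else Decision.DENY


# Both permissions apply to a request for the "view" scope on the resource.
PERMISSIONS = {
    "Admin (all scopes, group policy)": [admin_group_policy],
    "view scope (user policy)": [alice_user_policy],
}


def evaluate_permission(policies, identity):
    # Within one permission every policy must grant (unanimous per permission).
    results = [policy(identity) for policy in policies]
    return Decision.PERMIT if all(r is Decision.PERMIT for r in results) else Decision.DENY


def combine(decisions, strategy):
    """Combine the per-permission decisions with a resource-server decision strategy."""
    permits = sum(1 for d in decisions if d is Decision.PERMIT)
    denies = len(decisions) - permits
    if strategy == "UNANIMOUS":    # a single DENY is enough to deny
        return Decision.PERMIT if denies == 0 else Decision.DENY
    if strategy == "AFFIRMATIVE":  # a single PERMIT is enough to grant
        return Decision.PERMIT if permits > 0 else Decision.DENY
    if strategy == "CONSENSUS":    # majority of permissions wins
        return Decision.PERMIT if permits > denies else Decision.DENY
    raise ValueError(f"unknown strategy {strategy}")


def access_for(identity, strategy):
    """Final decision for the identity's request on the 'view' scope."""
    decisions = [evaluate_permission(p, identity) for p in PERMISSIONS.values()]
    return combine(decisions, strategy).value
```

Under Unanimous the normal user is denied because the Admin permission denies, and the admin is denied because the user policy denies; only Affirmative lets either grant on its own.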
Resource attributes with API
by Corentin Dupont
Hello,
I'm trying to experiment with resource attributes...
However I don't find it in the doc (yet).
Creating attributes like this seems to work:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
  -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" \
  -d '{"name":"Sensortest3", "attributes":{"isPrivate": ["true"]}}'
However, I'm not sure about the Javascript policy:
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (permission.getResource().getAttributes().containsValue('isPrivate', 'false')) {
    $evaluation.grant();
}
Thanks!!
5 years, 9 months
Keycloak persistence - PostgreSQL schema?
by Leonid Rozenblyum
Hello.
I would like to integrate keycloak with db storage in an existing
PostgreSQL database (however in a separate keycloak-specific schema).
I tried to:
1) importing the keycloak db creation SQL script into the db and modifying
public. -> keycloak. (so all schema references point there), plus adding the
schema prefix in the places where unqualified access was used
2) providing the 'current_schema' jdbc driver option
However this didn't work and keycloak still complained that the db should
be properly created.
Does keycloak support PostgreSQL schemas? Maybe something more should be
configured?
Thanks in advance for advice.
5 years, 9 months
how to clone a realm?
by Madhu
Hi,
I am using keycloak for a multi tenant/multi realm scenario.
In all my realms the clients/roles/password policies/groups/authentication/token settings etc. are the same.
So my idea is to create a template realm and clone it to a new realm every time I want to provision a new tenant.
I tried using the import/export option, but was not successful. I even tried removing all the ids / container id fields from the exported json and changed the realm names, and was unsuccessful again.
Any idea how to clone a realm?
Looks like import/export was built for replicating/duplicating the data in another keycloak/database instance, and not suitable for cloning /creating a new realm.
Any idea how i can create a new realm with defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
Regards, Madhu
5 years, 9 months
Launch Keycloak SPI as module with external dependencies
by Lamine Léo Keita
Hi,
I've built an authentication SPI which I deploy with a jar file with no
problem by copying it to the $KEYCLOAK_HOME/providers/ directory.
I needed external dependencies so I made some change to my application and
external dependencies are not found ...
The documentation does not really explain this case.
Can someone help me on how to build a jar with all external dependencies to
deploy it, please?
I tried to use the jar-with-dependencies plugin but this does not work either,
because the file below is not included in the jar:
services > org.keycloak.authentication.AuthenticatorFactory
Here are the plugin references:
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-assembly-plugin</artifactId>
      <version>2.4.1</version>
      <configuration>
        <descriptorRefs>
          <descriptorRef>jar-with-dependencies</descriptorRef>
        </descriptorRefs>
      </configuration>
      <executions>
        <execution>
          <id>make-assembly</id>
          <phase>package</phase>
          <goals>
            <goal>single</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
BR,
Lamine
5 years, 9 months
Adding a new admin API as a Rest resource SPI
by Yegui Cai
Hi.
Would it be possible to add an admin rest API via building a SPI? If so,
any doc/resource I should check? I played with the REST resource SPI under
example directory. However, it is not protected yet. What mechanism can I
take to protect the newly added API?
Thanks!
Yegui
5 years, 9 months
Fwd: Trying to create a user in a realm I get 405 response
by Jorge Morales Pou
Hi,
I'm deploying Che on OpenShift and I was trying to pre-create some users in
Keycloak.
This Che and Keycloak are deployed using Ansible, and so far so good. I'm
using the templates from github.com/eclipse/che.
This deployment comes preconfigured with a che realm as well as the ability
to change the master realm admin's username and password, which I do, for
security reasons, but the che realm doesn't allow me to change the
username/password for the admin, so those default to admin/admin (as of
now).
The problem comes when I try to create a user via rest.
I have the following 2 ansible tasks (they are easily understood):
- name: get auth token from keycloak
  uri:
    url: http://keycloak-{{ project_name }}.{{ apps_hostname_suffix }}/auth/realms/che/protocol/openid-connect/token
    method: POST
    body: "username=admin&password=admin&grant_type=password&client_id=admin-cli"
    status_code: 200
    headers:
      Content-Type: "application/x-www-form-urlencoded"
  register: access_token_result
- set_fact:
    access_token_bearer: "{{ access_token_result.json | json_query('access_token') }}"
- name: Pre-create {{ che_generate_user_count }} users in che realm with format ({{ che_generate_user_format }})
  uri:
    url: http://che-{{ project_name }}.{{ apps_hostname_suffix }}/admin/realms/che/users
    method: POST
    body: "{{ lookup('template','che-user.json.j2') }}"
    body_format: json
    status_code: 204
    headers:
      Authorization: "Bearer {{ access_token_bearer }}"
  vars:
    username: "{{ item }}"
    first_name: "User"
    last_name: "{{ item }}"
    email: "{{ item }}@none.com"
    password: "{{ che_generate_user_password }}"
  with_sequence: start={{ che_generate_user_count|int if che_generate_user_count|int < 1 else 1 }} end={{ che_generate_user_count }} format={{ che_generate_user_format }}
  when: che_generate_user_count|int > 0
And the che-user.json that I use for the request is this:
{
  "username": "{{ username }}",
  "enabled": "true",
  "firstName": "{{ first_name }}",
  "lastName": "{{ last_name }}",
  "email": "{{ email }}",
  "credentials": [
    {
      "type": "password",
      "value": "{{ password }}"
    }
  ]
}
Everything looks perfectly configured on my end, and I've tried using curl
as shown in various documentation to troubleshoot, but with the same error.
I get a 405, POST method not allowed.
This is the verbose stack of the request, which has all the valuable info
(host-name is changed):
------------------------------------------------
failed: [localhost] (item=user1) => {
"changed": false,
"connection": "close",
"content": "<!doctype html><html lang=\"en\"><head><title>HTTP Status
405 – Method Not Allowed</title><style type=\"text/css\">h1
{font-family:Tahoma,Arial,sans-serif;color:white;
background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,
sans-serif;color:white;background-color:#525D76;font-size:16px;} h3
{font-family:Tahoma,Arial,sans-serif;color:white;
background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,
sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,
sans-serif;color:white;background-color:#525D76;} p
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
a {color:black;} a.name {color:black;} .line {height:1px;background-color:#
525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not
Allowed</h1><hr class=\"line\" /><p><b>Type</b> Status
Report</p><p><b>Message</b> HTTP method POST is not supported by this
URL</p><p><b>Description</b> The method received in the request-line is
known by the origin server but not supported by the target resource.</p><hr
class=\"line\" /><h3>Apache Tomcat/8.5.23</h3></body></html>",
"content_language": "en",
"content_length": "1117",
"content_type": "text/html;charset=utf-8",
"date": "Thu, 05 Jul 2018 17:12:32 GMT",
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": {
"credentials": [
{
"type": "password",
"value": "password"
}
],
"email": "user1@none.com",
"enabled": "true",
"firstName": "User",
"lastName": "user1",
"username": "user1"
},
"body_format": "json",
"client_cert": null,
"client_key": null,
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "safe",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {
"Authorization": "Bearer <bearer token removed>",
"Content-Type": "application/json"
},
"http_agent": "ansible-httpget",
"method": "POST",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": false,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
"204"
],
"timeout": 30,
"unsafe_writes": null,
"url": "http://che-starter-workshop-apb-test.apps.mydomain.com/
auth/realms/che/users",
"url_password": null,
"url_username": null,
"use_proxy": true,
"validate_certs": true
}
},
"item": "user1",
"msg": "Status code was 405 and not [204]: HTTP Error 405: ",
"redirected": false,
"set_cookie": "688655d95dc9dee6e6f6057ef3239223=
5aac40b93e1fbe870f8d213baa7a4c7a; path=/; HttpOnly",
"status": 405,
"url": "http://che-starter-workshop-apb-test.apps.osevg.
openshiftworkshop.com/auth/realms/che/users"
}
------------------------------------------------
Can anyone provide some insight into what I'm doing wrong? Is it the
request, or is it the che realm configuration
<https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycl...>
or the client in the realm
<https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycl...>
used to get the token?
Cheers,
*Jorge Morales*
Red Hat <https://www.openshift.com/>
<https://www.openshift.com/>
OpenShift <https://www.openshift.com> Developer Advocate
http://jorgemoral.es/
| @jorgemoralespou <https://twitter.com/jorgemoralespou>
5 years, 9 months
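The two-step procedure above (password grant for a token, then a user-creation POST), as an added example that is not from the post or from the Che templates. It builds the requests as data so they can be inspected, sends them with the standard library, and targets the admin REST API under /auth/admin/realms/<realm>/users, which is a different path from the one the failing request above reached; the host name, realm and environment variable names are assumptions, and the account used is assumed to hold the realm-management manage-users role.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed values for illustration; replace with your own deployment's.
KEYCLOAK_BASE = "http://keycloak.example.test/auth"   # keep the /auth prefix
REALM = "che"


def token_request(base, realm, username, password, client_id="admin-cli"):
    """Direct-grant token request to the realm's OpenID Connect token endpoint."""
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def create_user_request(base, realm, token, username, password, email):
    """User creation belongs to the admin API: /admin/realms/<realm>/users."""
    url = f"{base}/admin/realms/{realm}/users"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    rep = {
        "username": username, "enabled": True,   # JSON boolean, not the string "true"
        "firstName": "User", "lastName": username, "email": email,
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }
    return url, headers, json.dumps(rep).encode()


def send(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:   # raises HTTPError on non-2xx
        return resp.status, dict(resp.headers), resp.read()


def precreate_user(username):
    """Run both steps; secrets come from the environment rather than the playbook."""
    admin_pw = os.environ["KEYCLOAK_ADMIN_PASSWORD"]
    _, _, raw = send(*token_request(KEYCLOAK_BASE, REALM, "admin", admin_pw))
    token = json.loads(raw)["access_token"]
    status, hdrs, _ = send(*create_user_request(
        KEYCLOAK_BASE, REALM, token, username,
        os.environ["CHE_USER_PASSWORD"], f"{username}@none.com"))
    # Keycloak answers 201 Created, with the new user's URL in the Location header.
    return status, hdrs.get("Location")
```

A task that expects 204 will report a failure even on success, since the admin API returns 201 for a created user.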
Backchannel logout on session-timeout?
by Eric B
I'm using Keycloak 3.4.3 and have my java client configured for backchannel
logout. It works fine if I logout from within the Keycloak user
interface. But I was also expecting it to work if the KC user session died
due to idle timeout or max session life. But in both session expiration
cases, the backchannel logout is not triggered.
Is this a bug in KC, or simply not a use-case that is supported? Or is
this a configuration issue with my KC install?
Thanks,
Eric
5 years, 9 months
admin-client binary and dependencies
by Nhut Thai Le
Hello,
Where can I get the binaries of the admin-client and its dependencies for KC
4.0.0.Final? I added the following jars from mavencentral to my package:
javax.ws.rs-api,\
org.jboss.resteasy:resteasy-jackson2-provider,\
org.jboss.resteasy:resteasy-jaxrs,\
org.apache.commons.lang3,\
org.keycloak:keycloak-admin-client,\
org.keycloak.keycloak-core,\
org.jboss.resteasy:resteasy-client,\
org.jboss.resteasy:resteasy-multipart-provider,\
org.jboss.resteasy:resteasy-jaxb-provider,\
org.eclipse.equinox.supplement,\
com.castortech.iris.security;version=latest,\
org.keycloak:keycloak-server-spi-private,\
org.keycloak:keycloak-server-spi,\
org.keycloak.keycloak-common,\
org.eclipse.emf.common,\
javax.annotation-api,\
com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
5 years, 9 months