Role required to manage user consents from REST API
by Paul Grebenc
I have been doing some investigation with Keycloak 3.4.3.Final, and have
noticed something that I am wondering about.
It is possible for me to request an offline token for a given user with a
password grant, and that consent will show up for the user under the user's
Consents tab in the admin console.
In terms of managing any granted consents (for the purpose of allowing a
user to revoke a consent that they have granted), I have been able to do
the following:
```
curl -X GET -H "Authorization: Bearer <authToken>" \
  http://localhost:8080/auth/admin/realms/master/users/<userId>/consents
```
This returns all current consents granted by the user. I can then also do
the following:
```
curl -X DELETE -H "Authorization: Bearer <authToken>" \
  http://localhost:8080/auth/admin/realms/master/users/<userId>/consents/<clientId>
```
This revokes the consent granted by the specified user for the specified
client.
This is good so far, but I noticed that I was only authorized to perform
these operations as admin, and not as the user in question who has granted
these consents. Through experimentation, I was able to determine that if I
add the role "admin" to the user, that user is then authorized for these
operations.
Is this intentional? It was originally my expectation that a user who has
granted consents should be able to view or revoke their own consents
without having to have the admin role assigned.
Also, looking through the REST API documentation, I didn't see anything
related to roles and authorization. Are all operations only accessible by
users with the admin role assigned?
Regards,
Paul
6 years, 5 months
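The two admin calls in the post above, driven from a small client, as an added example (not code from the post or from the Keycloak project). Besides listing and revoking consents it shows a self-service wrapper that takes the user id from the caller's own bearer token, so a tool built on these admin endpoints cannot be pointed at another user's consents by mistake. Assumptions: `BASE_URL`, the user id and the consent entries are constructed placeholders; the transport (`send`) is injectable so the whole flow runs offline against constructed responses; the `sub` claim is read without signature verification because the server verifies the token on every request.

```python
# Added example (not code from the post or from the Keycloak project).
# Endpoints are the ones the post quotes:
#   GET    /admin/realms/{realm}/users/{userId}/consents
#   DELETE /admin/realms/{realm}/users/{userId}/consents/{clientId}
import base64
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080/auth"  # placeholder, as in the post


def http_send(method, url, headers, body=None):
    """Real transport (urllib). Returns (status, body_text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def token_subject(token):
    """Read the `sub` claim of a JWT. No signature check here: Keycloak verifies
    the bearer token itself; this only stops the self-service wrapper from
    acting on a user id other than the caller's own."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


class ConsentClient:
    def __init__(self, token, realm, base_url=BASE_URL, send=http_send):
        self.token, self.realm, self.base_url, self.send = token, realm, base_url, send

    def _headers(self):
        return {"Authorization": "Bearer " + self.token, "Accept": "application/json"}

    def _url(self, user_id, client_id=None):
        url = f"{self.base_url}/admin/realms/{self.realm}/users/{user_id}/consents"
        return url if client_id is None else f"{url}/{client_id}"

    def list_consents(self, user_id):
        status, body = self.send("GET", self._url(user_id), self._headers())
        if status == 403:
            raise PermissionError("token lacks the role required for the consents endpoint")
        if status != 200:
            raise RuntimeError(f"GET consents returned HTTP {status}")
        return json.loads(body)

    def revoke(self, user_id, client_id):
        """True if revoked, False if no consent existed for that client."""
        status, _ = self.send("DELETE", self._url(user_id, client_id), self._headers())
        if status in (200, 204):
            return True
        if status == 404:
            return False
        if status == 403:
            raise PermissionError("token lacks the role required for the consents endpoint")
        raise RuntimeError(f"DELETE consent returned HTTP {status}")

    def revoke_own(self, client_id):
        """Self-service revocation: the user id is taken from the caller's token."""
        return self.revoke(token_subject(self.token), client_id)


# ---- offline demonstration with constructed data ----
SAMPLE_USER_ID = "38454015-0000-4000-8000-000000000000"  # constructed, not the post's id
SAMPLE_CONSENTS = [  # constructed entries; only "clientId" is relied upon
    {"clientId": "mobile-app", "grantedRealmRoles": ["offline_access"]},
    {"clientId": "reporting-dashboard", "grantedRealmRoles": []},
]


def unsigned_demo_token(claims):
    """Constructed, unsigned JWT for the offline demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def run_offline_demo():
    token = unsigned_demo_token({"sub": SAMPLE_USER_ID})
    calls = []

    def fake_send(method, url, headers, body=None):  # stands in for the server
        calls.append((method, url))
        if headers.get("Authorization") != "Bearer " + token:
            return 401, ""
        if method == "GET" and url.endswith("/consents"):
            return 200, json.dumps(SAMPLE_CONSENTS)
        if method == "DELETE" and url.endswith("/consents/mobile-app"):
            return 204, ""
        return 404, ""

    client = ConsentClient(token, "master", send=fake_send)
    before = [c["clientId"] for c in client.list_consents(SAMPLE_USER_ID)]
    revoked = client.revoke_own("mobile-app")
    missing = client.revoke_own("does-not-exist")
    try:  # a token without the admin role: the server answers 403
        ConsentClient(token, "master", send=lambda *a, **k: (403, "")).list_consents(SAMPLE_USER_ID)
        forbidden = False
    except PermissionError:
        forbidden = True
    return {"before": before, "revoked": revoked, "missing": missing,
            "forbidden": forbidden, "calls": calls}


if __name__ == "__main__":
    print(json.dumps(run_offline_demo(), indent=2))
```

Against a live server, construct `ConsentClient(token, realm)` with the default transport; the 403 branch is exactly the case the post describes, a token whose user lacks the role the admin endpoint requires.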
SAMLResponse missing InResponseTo
by Chris Byron
Good morning. I'm trying to debug an issue where my Keycloak IdP does not
include an InResponseTo attribute in the SAMLResponse after an SP-initiated
login. Are there certain conditions in the Request that need to be
satisfied before it will be included? Or certain client configurations in
Keycloak?
The SAMLRequest from the SP:
```
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
    AttributeConsumingServiceIndex="0"
    Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
    ID="idda5349fbbbf9483a91ec1531e52933a6"
    IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer>https://checkmarx.corp.net</saml2:Issuer>
</saml2p:AuthnRequest>
```
Keycloak client configuration:
```
{
  "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
  "clientId": "https://checkmarx.corp.net",
  "rootUrl": "",
  "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
  "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": false,
  "authorizationServicesEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "true",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "true",
    "saml_idp_initiated_sso_url_name": "checkmarx",
    "saml.server.signature.keyinfo.ext": "false",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "true",
    "saml_name_id_format": "email",
    "saml.onetimeuse.condition": "false",
    "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
  },
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "useTemplateConfig": false,
  "useTemplateScope": false,
  "useTemplateMappers": false,
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
```
Thank you for any help or advice on this! Cheers,
Chris Byron
6 years, 5 months
User chooses authentication flow on login
by Nikola Malenic
I would like to let the user choose between various alternative authentication
flows on the login page. For example, I have this configuration:
Is there a way to let him choose the flow? What should I
configure/implement?
Thanks,
Nikola
6 years, 5 months
SAML2.0: support for SessionNotOnOrAfter
by Leonid Rozenblyum
Hello.
Does Keycloak support the attribute SessionNotOnOrAfter based on the realm's
session timeout settings? Or is there some other way to inform the Service
Provider about the desired session end time?
6 years, 5 months
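The SP side of both SAML questions above (the missing InResponseTo in Chris Byron's thread, and SessionNotOnOrAfter in Leonid Rozenblyum's), as an added example that is not code from either post or from Keycloak. InResponseTo is what ties a Response to the AuthnRequest the SP issued, so an SP that tracks its outstanding request IDs can reject unsolicited or replayed responses; the check below reports "missing" for exactly the condition the first thread describes. SessionNotOnOrAfter, when the IdP emits it on the AuthnStatement, gives the SP the IdP's session end time to align its own session with. Assumptions: the two responses are constructed (unsigned, minimal), only the request ID and time frame come from the AuthnRequest quoted in the thread; a real SP would verify the XML signature and use a hardened XML parser before looking at any attribute.

```python
# Added example; not code from the posts above nor from Keycloak.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

REQUEST_ID = "idda5349fbbbf9483a91ec1531e52933a6"  # ID of the quoted AuthnRequest
DEMO_NOW = datetime(2018, 7, 20, 23, 39, 40, tzinfo=timezone.utc)  # constructed clock

# Constructed response: carries InResponseTo and a 30-minute SessionNotOnOrAfter.
RESPONSE_WITH_IRT = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="resp-1" InResponseTo="{REQUEST_ID}" IssueInstant="2018-07-20T23:39:38Z" Version="2.0">
  <saml:Assertion ID="a-1" IssueInstant="2018-07-20T23:39:38Z" Version="2.0">
    <saml:Subject><saml:NameID>alice@corp.net</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotOnOrAfter="2018-07-20T23:44:38Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:38Z" SessionIndex="s-1"
      SessionNotOnOrAfter="2018-07-21T00:09:36Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response with neither attribute (what the first thread reports).
RESPONSE_WITHOUT_IRT = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="resp-2" IssueInstant="2018-07-20T23:39:38Z" Version="2.0">
  <saml:Assertion ID="a-2" IssueInstant="2018-07-20T23:39:38Z" Version="2.0">
    <saml:Subject><saml:NameID>alice@corp.net</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2018-07-20T23:39:38Z" SessionIndex="s-2"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML instants are xsd:dateTime in UTC; IdPs may include fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML instant: {value!r}")


def check_in_response_to(root, expected_id):
    """Return (ok, reason). The Response must name the outstanding request; any
    bearer SubjectConfirmationData that carries the attribute must agree."""
    got = root.get("InResponseTo")
    if got is None:
        return False, "missing"
    if got != expected_id:
        return False, "mismatch"
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != expected_id:
            return False, "subject-confirmation-mismatch"
    return True, "ok"


def session_not_on_or_after(root):
    """The IdP's session end time, or None when the AuthnStatement omits it."""
    stmt = root.find(".//saml:AuthnStatement", NS)
    value = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    return parse_instant(value) if value else None


def inspect_response(xml_text, expected_request_id, now):
    # Untrusted input belongs in a hardened parser (e.g. defusedxml) and must
    # be signature-verified first; this inspects an already-verified document.
    root = ET.fromstring(xml_text)
    ok, reason = check_in_response_to(root, expected_request_id)
    expiry = session_not_on_or_after(root)
    left = None if expiry is None else int((expiry - now).total_seconds())
    return {"in_response_to_ok": ok, "reason": reason,
            "session_expiry": expiry, "seconds_left": left}


if __name__ == "__main__":
    print(inspect_response(RESPONSE_WITH_IRT, REQUEST_ID, DEMO_NOW))
    print(inspect_response(RESPONSE_WITHOUT_IRT, REQUEST_ID, DEMO_NOW))
```

When `session_expiry` is None the SP has no signal from the IdP and must fall back to its own session policy, which is the situation the second question is really asking about.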
Re: [keycloak-user] facing issue while having the single sign on flow
by vandana thota
Hello Dmitry,
Have you checked the doc (24 pages) that I attached to my previous email?
The keycloak-user list cannot post it, as it is large.
Can your email address receive a file that big?
Thanks.
On Sun, Jul 22, 2018 at 10:50 PM vandana thota <vandana0242(a)gmail.com>
wrote:
>
>
> as for you, from which transaction depicted in the diagram did the
> error arise?
> PFA ( 23rd and 24th page )
> - there should have been a stack trace after "invalidRequestMessage",
> could you please share it?
>
> We could see keycloak logs as below
> 14:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread
> Pool -- 47) HHH000431: Unable to determine H2 database version, certain
> features m work
>
> 14:11:30,567 WARN [org.keycloak.events] (default task-1)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
>
> 14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> (default task-1) invalidRequestMessage
>
> 14:11:51,668 WARN [org.keycloak.events] (default task-2)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
>
> 14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> (default task-2) invalidRequestMessage
>
>
> - what was the SAML payload of the request that led to an error? You
> can obtain it from F12 -> Network in your browser (but don't forget to
> scrub any sensitive data)
>
> I did not understand what the SAML payload is. We are using the SAML 2.0 standard.
>
> What is F12?
>
> So far we did not configure any load balancer yet
>
> On Sun, Jul 22, 2018 at 11:10 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
>
>> Hi Vandana,
>>
>> Excellent diagram! However I'm afraid we'll need some additional info:
>> - as for you, from which transaction depicted in the diagram did the
>> error arise?
>> - there should have been a stack trace after "invalidRequestMessage",
>> could you please share it?
>> - what was the SAML payload of the request that led to an error? You
>> can obtain it from F12 -> Network in your browser (but don't forget to
>> scrub any sensitive data)
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info(a)acutus.pro
>>
>> On Fri, 2018-07-20 at 15:44 -0500, vandana thota wrote:
>> > ERROR [org.keycloak.services.resources.IdentityBrokerService]
>> > (default
>> > task-25) invalidRequestMessage
>> >
>> > We are configuring single sign-on for the application deployed on the
>> > Wildfly instance by having Keycloak, an external IdP, and SAML 2.0
>> > standards. Below is the flow.
>> >
>> > There was an error in the flow while we were trying it. PFA; it has a
>> > pictorial representation of the flow.
>> > Wildfly app or servlet container -> (SP) SAML request to IdP -> Keycloak ->
>> > (identify Okta IdP... may or may not need a username) -> (SP SAML Request
>> > to Okta) -> Okta IdP (may or may not need the user to log in, depending on
>> > whether they have an active Okta session or not) -> IdP SAML Response ->
>> > Keycloak -> IdP SAML Response -> Wildfly app / servlet container
6 years, 5 months
Keycloak - grant_type when getting a token and token introspection
by Dorit Mari
Hi,
When an access_token is generated for grant_type authorization_code, can the token be introspected by the Keycloak server? When trying to introspect such a token, the Keycloak server constantly replies with { "active": false }. However, when the access_token is generated for grant_type password, introspection works correctly.
Also, if a token generated for grant_type authorization_code can be introspected, does the introspection procedure differ from the usual introspection (a POST request, with an Authorization header that has the Basic scheme whose value fits the Client ID and Client Secret, a Content-Type header whose value is "application/x-www-form-urlencoded", and a body whose value is token="the access_token")? In cURL: curl --user testApp:d7945c1b-7174-4ebb-a481-b3c0bf8991ef -d "token=ey.............NPJW71A" -X POST http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/intr...
Thanks,
Dorit
6 years, 5 months
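The introspection call shaped like the cURL in the post above (POST, HTTP Basic with client id and secret, form-encoded `token=`), followed by a fail-closed authorization decision, as an added example that is not code from the post or from Keycloak. The point for a resource server is that `{ "active": false }` is a deny whatever its cause, and that an active reply is still checked for expiry and the expected client before access is granted. Assumptions: `INTROSPECT_URL` is Keycloak's standard introspection endpoint for the realm named in the post; the client secret and tokens are constructed placeholders; the transport is injectable so the flow runs offline against constructed replies.

```python
# Added example, not code from the post or from Keycloak.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Keycloak's standard introspection endpoint for the post's "demo" realm (assumed).
INTROSPECT_URL = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect"


def http_send(method, url, headers, body=None):
    """Real transport (urllib). Returns (status, body_text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def introspect(token, client_id, client_secret, url=INTROSPECT_URL, send=http_send):
    """RFC 7662 introspection with HTTP Basic client authentication."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urllib.parse.urlencode({"token": token}).encode()
    status, text = send("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"introspection endpoint returned HTTP {status}")
    return json.loads(text)


def decide(info, now, expected_client=None):
    """Fail closed: only active=true, unexpired and (if required) the expected
    client_id is accepted. An {"active": false} reply is a deny, not "unknown"."""
    if info.get("active") is not True:
        return False, "inactive"
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "expired"
    if expected_client is not None and info.get("client_id") != expected_client:
        return False, "unexpected-client"
    return True, "ok"


# ---- offline demonstration with constructed data ----
DEMO_CLIENT = ("testApp", "CLIENT_SECRET_PLACEHOLDER")  # constructed
DEMO_NOW = 1_532_130_000  # constructed epoch seconds


def run_offline_demo():
    expected_auth = "Basic " + base64.b64encode(
        f"{DEMO_CLIENT[0]}:{DEMO_CLIENT[1]}".encode()).decode()

    def fake_send(method, url, headers, body=None):  # stands in for the server
        if headers.get("Authorization") != expected_auth:
            return 401, json.dumps({"error": "invalid_client"})
        form = urllib.parse.parse_qs(body.decode())
        if form.get("token") == ["good-token"]:
            return 200, json.dumps({"active": True, "exp": DEMO_NOW + 300,
                                    "client_id": "testApp", "username": "alice"})
        if form.get("token") == ["expired-token"]:
            return 200, json.dumps({"active": True, "exp": DEMO_NOW - 1,
                                    "client_id": "testApp"})
        return 200, json.dumps({"active": False})  # the reply the post observed

    results = {}
    for name in ("good-token", "expired-token", "unknown-token"):
        info = introspect(name, *DEMO_CLIENT, send=fake_send)
        results[name] = decide(info, DEMO_NOW, expected_client="testApp")
    try:  # wrong client secret: the endpoint refuses the call itself
        introspect("good-token", "testApp", "wrong-secret", send=fake_send)
        results["bad-credentials"] = "accepted"
    except RuntimeError:
        results["bad-credentials"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(run_offline_demo(), indent=2))
```

Whatever causes the inactive reply for the authorization_code token in the post, the resource server's behaviour should be the same as for the unknown token above: deny, and log the reason for the operators to chase.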
Using custom client authenticator for clients created through OpenID Dynamic Client registration
by Peter Flintholm Sørensen
Hi,
I would like to create clients using OpenID dynamic client registration, and I would like these clients to limit the number of wrong 'client_secret' authentication attempts.
For this purpose, I have implemented my own "revoking" ClientAuthenticator that disables the client after 3 wrong client_secret attempts.
Now the problem is how to configure this authenticator correctly in KeyCloak.
First I tried to deploy the authenticator and create a new authentication flow based on the built-in "Clients" flow. In this new flow, I set the authenticator to my own authenticator. I then defined the realm authentication flow binding for clients to this new flow.
This almost works. My authenticator is invoked on newly created clients, but unfortunately the ClientAuthenticationFlow.processFlow() fails since the provider_id of the new clients is still expected to be "client-secret" (and I set the provider_id to "revoking-client-secret").
If I manually change the authenticator for the newly created clients (using the admin UI) to my own authenticator, it works perfectly fine. But I need this client to work without manual configuration.
I have also tried to change my authenticator provider_id to "client-secret". This makes it in effect overwrite the built-in client authenticator *everywhere*, which I don't want.
It seems to me that KeyCloak only partially adopts the client authentication flow defined in the realm authentication binding when creating new clients.
I hope someone can help, or perhaps lead me in another direction. Please ask if more information is needed!
Best regards,
Peter
(A little background information: the reason I would like to create these clients with a limited number of client_secret guesses is to use them as a sort of online PIN code authentication from a mobile app. The flow I would like is:
1. User logs in
2. The app creates a client specifically for this installation of the app (authenticating with the users AT).
3. The user selects a PIN code which is used to derive a key to encrypt the client_secret for this client. The encrypted client_secret is stored in the app.
4. The app reuses the session to log in through the new client, and gets a long-lived RT.
5. When the user wants to start the app again, the user enters the PIN code, derives the key and decrypts the client_secret. The app calls the token endpoint to get AT from the RT.
It is of course important that the number of PIN guesses is limited online. Hence the need to revoke the client after a number of wrong client_secret guesses.)
6 years, 5 months
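The policy the post above describes (disable a client after three wrong client_secret attempts, so that the PIN-derived secret can only be guessed a bounded number of times online), written out as plain Python as an added example. It is not the post's authenticator and not Keycloak's ClientAuthenticator SPI; it only shows the decision logic an authenticator of that kind has to get right: constant-time comparison of stored digests, a counter that resets on success, a disabled state that is checked before the secret is compared and that the correct secret does not reopen. All client ids and secrets are constructed.

```python
# Added example: the lockout policy of the post, not Keycloak's SPI.
import hashlib
import hmac


class RevokingClientSecretGuard:
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self._digests = {}    # client_id -> sha256(secret)
        self._failures = {}   # client_id -> consecutive wrong attempts
        self._disabled = set()

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register(self, client_id, secret):
        """Store only a digest of the secret; the secret lives on the device."""
        self._digests[client_id] = self._digest(secret)
        self._failures[client_id] = 0

    def is_disabled(self, client_id):
        return client_id in self._disabled

    def attempts_left(self, client_id):
        return max(0, self.max_failures - self._failures.get(client_id, 0))

    def authenticate(self, client_id, presented_secret):
        """Returns 'ok', 'invalid-secret', 'disabled' or 'unknown-client'."""
        expected = self._digests.get(client_id)
        if expected is None:
            return "unknown-client"
        if client_id in self._disabled:
            # Decided before any comparison: a disabled client learns nothing
            # about the secret, not even whether this guess would have worked.
            return "disabled"
        if hmac.compare_digest(expected, self._digest(presented_secret)):
            self._failures[client_id] = 0
            return "ok"
        self._failures[client_id] += 1
        if self._failures[client_id] >= self.max_failures:
            self._disabled.add(client_id)
            return "disabled"
        return "invalid-secret"


def run_offline_demo():
    guard = RevokingClientSecretGuard(max_failures=3)
    guard.register("app-install-0001", "constructed-secret")  # one installation
    outcomes = [guard.authenticate("app-install-0001", guess)
                for guess in ("guess-1", "guess-2", "guess-3")]
    # The correct secret arrives too late: the client stays disabled.
    outcomes.append(guard.authenticate("app-install-0001", "constructed-secret"))
    # A second installation is unaffected, and one success resets its counter.
    guard.register("app-install-0002", "other-secret")
    guard.authenticate("app-install-0002", "oops")
    recovered = guard.authenticate("app-install-0002", "other-secret")
    return {"outcomes": outcomes, "recovered": recovered,
            "left_0001": guard.attempts_left("app-install-0001"),
            "left_0002": guard.attempts_left("app-install-0002"),
            "unknown": guard.authenticate("no-such-client", "x")}


if __name__ == "__main__":
    print(run_offline_demo())
```

The counters here are in memory, which is fine for illustrating the rule but not for a clustered or restarted server; in a Keycloak deployment the disabled state belongs on the client record itself, which is what the post's authenticator does by disabling the client.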
Frontend and backend on separate servers
by Nikola Malenic
I would like to host the backend on a secured network, i.e. it would be accessible
only from certain IPs.
The frontend (Angular application) would be served by a different server in the public
zone, which would have access to the secured network because requests from
its IP would be allowed through the firewall.
Is it possible to achieve this in an easy way? I wouldn't like to implement
proxy endpoints for all backend services in the secured zone.
Many thanks,
Nikola
6 years, 5 months