slow role search
by Gideon Caranzo
Hi,
I'm running Keycloak with 1700 realms and API calls like getting a realm
now takes a lot of time. I profiled it and found that role checking is
causing the issue particularly *KeycloakModelUtils.searchFor(RoleModel
role, RoleModel composite, Set<String> visited)*.
I'm using a user with "admin" role to call get realm API. And since i have
1700 realms, "admin" role now have about 30K composite roles under it. The
line below from KeycloakModelUtils.searchFor() will load all 30K composite
roles causing the slow down.
*Set<RoleModel> compositeRoles = composite.getComposites();*
Is there a way to avoid this issue? Or is it possible to fix the code such
that it will do a database query instead of searching in memory to check if
the role exist?
Thank you,
Gideon
6 years, 2 months
Column Sorting
by KevinO
Hi everyone,
Is there any opposition to me adding column sorting? This is the ticket for
it:
https://issues.jboss.org/browse/KEYCLOAK-4676
I've tested a solution that uses standard angular ordering. I don't want to
update all the tables if this is a feature that is not wanted.
Thanks,
Kevin
6 years, 2 months
Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
by Niko Köbler
Hi all,
I just updated my Spring Boot w/ Spring Security demo installation to KC 4.5.0.Final.
To be able to use the Spring Boot configuration with Spring Security Adapter, I have this bean configuration:
@Bean
public KeycloakConfigResolver keycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
This worked well until 4.4.0.Final.
After upgrading to 4.5.0.Final, I get an error when Spring is trying to create the bean registry. Here is the relevant part of the stack trace:
Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'keycloakConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:339) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:215) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:583) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
... 69 common frames omitted
I see, that there was a change in KeycloakSpringBootConfigResolver a few days ago, but I don't really get it... Perhaps it's me, perhaps it's an error?
Do I have to define my KeycloakConfigResolver bean in another way?
Can anybody help me?
Regards,
- Niko
6 years, 3 months
Problem understanding authorization grants
by Ulrik Sjölin
Hello,
My name is Ulrik Sjölin and where I work we are currently looking into
Keycloak (4.4). I have a question regarding permissions and policy
evaluation.
My very simple setup is like this:
User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read,
Write, Delete)
User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource
via the Keycloak web UI.
There a 5 scope-based permissions, one for each scope, that allows the
owner & admin each scope (Only Owner and Administrators Policy). My idea
here is that the owner of a resource
should not have to add the permissions on himself to be able to access the
resource.
I now run evaluate and I get a surprising result:
Input:
User JDoe
Resource: JDoe
Scope: Any
Output:
Result
PERMIT
Scopes
Delete
Admin
Policies
Resource owner (jdoe(a)keycloak.org) grants access to alice(a)keycloak.org
decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Read.
Only Owner and Administrators Policy voted to PERMIT .
Write Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Write.
Only Owner and Administrators Policy voted to PERMIT .
Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS
decision. Granted Scopes: Delete.
Only Owner and Administrators Policy voted to PERMIT .
Admin Entity Resource Permission decision was PERMIT by UNANIMOUS decision.
Granted Scopes: Admin.
Only Owner and Administrators Policy voted to PERMIT .
Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE
decision. Granted Scopes: Peek.
Peek resource role policy voted to PERMIT .
Only Owner and Administrators Policy voted to PERMIT .
I would expect JDoe to have full access to his resource since he is the
owner and all the policies are reporting PERMIT. It is the top DENY that I
can’t wrap my head around.
The grants JDoe has given to Alice are removed from his own grants list, is
this expected behavior? Why do grants to user Alice affect the grants of
user JDoe?
Best Regards,
Ulrik
6 years, 3 months
keycloak js adapter - authorization code vs implicit flow
by petr40@wp.pl
Hello ! I dont understand why authorization code is default mode in keycloak.js adapter ? (for SPA javascript application) Should it be implicit flow instead ? Is it safe to use this flow for public clients ? I know that 'sending access token in the url fragment can be security vulnerability', but - authorizaiton code is also returned in query params - CORS needs to be enable on server side (to exchange code for token via POST) - we have an extra step - we can use refresh tokens, but we can also make this work in implicit flow (hidden iframe) If my arguments are wrong: why do we need implicit flow if it is authorization code ? how does it relate to openidconnect , oauth specification ? Thanks !
6 years, 3 months
Re: [keycloak-user] Custom Identity Brokering and First login flow: prevent username edition?
by Rémy Grünblatt
Hi,
nope, it's at "off":
Le 27/09/2018 à 15:25, Henning Waack a écrit :
> Hi Remy.
>
> In your realm settings in the tab "Login" you have the option "Edit
> username", which is most probably set to "true" in your case.
>
> Hth, greetings
>
> Henning
>
> Am Do., 27. Sep. 2018 um 11:17 Uhr schrieb Rémy Grünblatt
> <remy(a)grunblatt.org <mailto:remy@grunblatt.org>>:
>
> Hi,
>
> I'm using a custom IDP and I have some trouble during the first login
> flow, it redirects to a "Update Account Information" page (this is
> fine), but you can edit the username in this. How to prevent this
> behaviour? As the usernames are provided by the third party, I don't
> want people to be able to change them.
>
>
> Thanks,
>
> Rémy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
>
> -----------
>
> Henning Waack | IT Consultant
>
>
> codecentric AG | Hochstraße 11
> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>|
> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>
> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>42697
> Solingen
> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> |Deutschland
> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>
>
> tel: +49 (0)151 108 515 29
>
> www.codecentric.de <http://www.codecentric.de/> | blog.codecentric.de
> <http://blog.codecentric.de/> | www.meettheexperts.de
> <http://www.meettheexperts.de/>
>
> Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal
>
> Vorstand: Michael Hochgürtel . Ulrich Kühn* *. Rainer Vehns
> Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen
> Schütz
>
> Diese E-Mail einschließlich evtl. beigefügter Dateien enthält
> vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie
> nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten
> haben, informieren Sie bitte sofort den Absender und löschen Sie diese
> E-Mail und evtl. beigefügter Dateien umgehend. Das unerlaubte
> Kopieren, Nutzen oder Öffnen evtl. beigefügter Dateien sowie die
> unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
>
6 years, 3 months
Authorization Policy evaluation for specific REST method (verb)
by Ori Doolman
Hello,
We're using authorization services and Keycloak 2.5.X.
We want to have different policies for a REST endpoint with different verbs (GET, PUT).
We have everything configured at the Keycloak server side (PDP), through the web admin UI. We don't use the Policy Enforcer JSON configuration.
We have configured:
* Permission P1 for Resource X (URL X) and scope 'GET' mapped to Policy 'POLICY-1'.
* Permission P2 for Resource X (URL X) and scope 'PUT' mapped to Policy 'POLICY-2'.
What we see is that both policies are BEING evaluated, while we expected only one of them to be, according to the actual HTTP verb provided at runtime.
By reading the source code, we understand that because we don't use the policy enforcer adapter configuration (JSON file at client side), then the list of required scopes sent with the permission request is empty and therefore all the scopes associated to the resource and permission are being evaluated.
We could workaround this by utilizing the policy enforcer configuration file, but we really like to do the configuration in a single place at the server side (we have many clients and microservices).
My questions are the following:
1. Is there any way to enforce evaluation of only one of the permissions above (the one according to the relevant scope/verb)?
Or maybe it was changed in a later version?
I see that code of getRequiredScopes is different (adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java)
1. Why are there different configuration capabilities in the Admin UI (server side) and the Policy Enforcer adapter JSON file (client side)?
In the latter, we can configure the "method" like PUT/GET/POST/DELETE for the match. While if we use the server side configuration, we lack the ability to match the method per URL.
Again, is that something that was changed in later version?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
[cid:image001.png@01D2C8DE.BFF33E10]
“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
6 years, 3 months
Re: [keycloak-user] Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode
by Mattia Bello
Please, can you describe your solution with more details?
I solved my issue by:
1.
Creating a custom KeycloakAuthenticationEntryPoint to redirect to /RootContext/{realmName}/sso/login.
How do i do that?
I can create a custom KeycloakAuthenticationEntryPoint (NewKeycloakAuthenticationEntryPoint) and set it in the keycloak xml config file:
<bean id="keycloakAuthenticationEntryPoint" class="org.myApp.NewKeycloakAuthenticationEntryPoint">
<constructor-arg name="adapterDeploymentContext" ref="adapterDeploymentContext" />
</bean>
Then? How do i do to redirect to /RootContext/{realmName}/sso/login ?
2.
Overrode the keycloakAuthenticationProcessingFilter method in the KeycloakWebSecurityConfigurerAdapter implementation to change the AntPathRequestMatcher to match.
How do you do to specified that?
I can create a new class NewKeycloakWebSecurityConfigurerAdapter and override the method keycloakAuthenticationProcessingFilter as you describe, but i don't understand how i set that class for use it when the app is running.
Do i have to set it in the keycloak config xml file ?
------------------------------
Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it
6 years, 3 months