Client Service Account Roles are not exported
by Fernando Mayoral
While automating the deployment and testing of my solution I found out that
the client service account roles are not being exported.
I've been struggling to find any documentation that allows the client
service account roles to be configured using the CLI or any other automated
way
I came across this bug ticket KEYCLOAK-4923
<https://issues.jboss.org/browse/KEYCLOAK-4923> but it's pretty quiet
there.
Which makes me wonder, is there any obvious workaround for this limitation?
Thanks,
Fernando.
6 years, 3 months
Re: [keycloak-user] Keycloak single Log Out not working
by Triveni Chegireddy
Hi,
I have few applications, i.e. one Spring Boot application using keycloak
specific java starter, another jira and confluence applications protected
using Miniorange plugin from Atlassian and another jenkins application
protected
using keycloak specific plugin from Jenkins available plugins for single
sign on and single Logout out. The SSO works fine on all applications.
However, the problem occurs in case of Logout. Below are my observations:
1. When I perform logout on java application, then jira, confluence and
jenkins application still works as normal rather than asking for login
again on next request.
2. And when I perform logout from Jira, then Confluence is getting
redirected to Login page on next request but the Spring boot application
works as normal.
3. When I see keycloak admin console, on logout of any application all the
sessions of all opened clients in the Realm are killed, but applications
are working normal instead of redirecting to Login page.
4. As per the keycloak documentation,Admin URL shall be set for a
particular client that can be used by Keycloak
server to send backend requests to the application for logout users.
Any idea/help in this regard will be much appreciated. Many thanks.
Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
From: Triveni Chegireddy/LATAM/TCS
To: keycloak-user(a)lists.jboss.org
Date: 09/11/2018 04:30 PM
Subject: Re: Keycloak single Log Out not working
Hi All,
The below issue is blocking in our application. Could anyone help us in
resolving the Single Logout issue.
Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
From: Triveni Chegireddy/LATAM/TCS
To: keycloak-user(a)lists.jboss.org
Date: 09/07/2018 12:42 PM
Subject: Keycloak single Log Out not working
Hi Team,
I am securing many tools using Keycloak for Single sign on and Single
Logout. We are securing tools like Jira, Confluence using Miniorange
plugin. We have few Spring boot applications which are to be secured. They
are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter.
Single Sign on is working fine. The landing application is spring boot web
application, which is accessed by giving LDAP credentials. From that
application, we will be accessing the Jira, Confluence. They are opened
without asking me for credentials. But Single Logout is not working. In
Spring boot application, on click of Logout, I am calling
HttpServletRequest.logout(), which is logging me out of Spring boot
application successfully. But the sessions in Jira and Confluence are not
killed. Similarly once I open the tools from Spring boot application, on
logout of any tools both Jira and confluence are logging out using Single
Logout but session in Spring boot application is not killed.
Could you please help us resolving this issue.
Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
6 years, 3 months
Re: [keycloak-user] Forward Keycloak Events to Kafka
by Gintautas Sulskus
Hi Thomas,
Have you come across such an extension in the end?
Best,
Gintas
Hello,
> just wanted to know if someone on this mailinglist has already built a
> keycloak extension that forwards Keycloak user / admin events to Kafka?
> Cheers,
> Thomas
6 years, 3 months
Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant?
by Brian Brooks (US)
Thanks for providing keycloak as an free open source security solution. It's awesome!
**QUESTIONS**
1. Is there any way to design a keycloak policy for a oauth/uma/bearer token authorization client/resource owner that efficiently expresses the idea that a user is granted access to most items but denied access to a few?
Our system manages devices and for some customer systems we have as many as 0.1 million devices. We'd like the app's keycloak policy to default to granting a user write access to all devices but deny access to maybe a few dozen. Ideally, the Requesting Party Token (RPT) response would contain a list of permissions like
Permission {id=3e633107-2291-4694-9f07-728ea6fa7744, name=All Devices Resource, scopes=[device:grant:write]}
Permission {id=86d95056-7e24-4888-93ed-2afe33199212, name=Device 123 Resource, scopes=[device:deny]}
Permission {id=33333333-3333-3333-3333-333333333333, name=Device 456 Resource, scopes=[device:deny]}
2. Does this make sense; is there a better way to implement this idea?
3. Is this possible with keycloak?
4. Are there any quickstart examples that demonstrate use of denials?
I've been working with the keycloak quickstarts app-authz-uma-photoz and app-authz-jee-servlet for a while but I don't see them using any "denial" permissions. All the permissions seem to be "grants".
I've also have been searching the keycloak mailing list for similar questions. I have not seen an answer to this question in these policy related threads:
1. [keycloak-user] Additional attributes for an authorization request
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009451.html
2. [keycloak-user] How to implement this using Keycloak
http://lists.jboss.org/pipermail/keycloak-user/2016-July/007069.html
3. [keycloak-user] Keycloak authorization protected resource with user attributes
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008821.html
4. [keycloak-user] understanding the photoz example
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008917.html
**DETAILS ABOUT APPLICATION**
We're upgrading our device management application with keycloak authentication and authorization. We sell our device management application to customers that install and operate the device management application to run the customer's systems. Our device management application consists of:
1. Single Page Application that runs in a web browser.
2. Google Dart-based server-side application from which the SPA gets its data (we wish it was Tomcat-based but don't own the source code).
3. OSGi container running many bundles from which the Dart application get its data.
4. Several other parts e.g. Reporting, Device Data Collectors, database
For this generation of the application and due to our atypical architecture, we'll probably be manually walking the claims in the RPT in JavaScript to govern our SPA's user interface authorization.
The most important data in our system are devices. Devices consist of commands, alarms, values, grids. Devices are typed similar to the relation between Java objects (device) and Java classes (device_type). Devices and parts of devices can be logically grouped into one or more "circuits". A device is attached to a computer (Device Data Collector).
A typical system has:
1,000 devices; a very large system may have 0.1 million devices.
100 circuits
Each device has <100 commands, <300 fields, <50 grids, <100values
Each circuit has 5-20 devices
<15 computers
<100 users; a very large system may have 500 users
Here are some of our application's use cases. Write for our use cases means send commands, change values, etc.
Administrators can write to all devices and circuits.
Operator A can only read all devices.
Operator B can write to all devices except device123, device456, and device678.
Operator C can only write circuit1.
Operation D can only write computer1.
Thanks for reading this far!
5. Any advice on how to implement these use cases with a keycloak policy? Is it too ambitious to model this hiearchical permission scheme? What do you recommend? We're a very small development team trying to implement finish this in 2018.
Brian
6 years, 3 months
OAuth Tokens and IoT Devices
by Federico Michele Facca
Hi,
what is the current best solution in Keycloak to support a scenario where
devices needs to authenticate using OAuth against an API?
At the time being, to simplify we use offline-refresh tokens and every
time, it the token is expired, generated out of that a new token.
In term of performance the trick we use is to cache the access token and
refresh it when needed with a background process.
This process, unfortunately, for some tiny computational devices can be
quite demanding and slow down the most important
goal of sending data to the API at given intervarls.
A better solution could be having a way to create never expiring access
tokens (or with a manually defined expired date), we understand
that may introduce security issues, but it would be only for specific
scenarios (and I doubt it will introduce more issues that the offline
token).
Feelings? Suggestions?
Cheers,
Federico
--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* <https://www.martel-innovate.com/> - Professional
support for innovation projects
Click to download our innovators' insights!
<https://www.martel-innovate.com/premium-content/>
Follow Us on Twitter <https://twitter.com/Martel_Innovate>
6 years, 3 months
Unable to perform Keycloak single logout
by Amjad
I am using keycloak to authenticate users of two applications. One
application is Django based protected using mod_auth_openidc over apache,
where is the 2nd application is Java based hosted on wildfly and protected
using keycloak specific java adapter. The SSO works fine on both
applications. However, the problem occurs in case of Logout. When I perform
logout from Django application, then both applications are redirected to
login on next request. However, when I perform logout on java application,
then Django application still works as normal rather than asking for login
again on next request.
As per the keycloak documentation, Admin URL shall be set for a particular
client that can be used by Keycloak server to send backend requests to the
application for various tasks, like logout users or push revocation
policies. This doesn't seem to work as I can not see any back-end request
generated by keycloak against the logout perform by Java-based application.
If I generate the logout from keycloak admin utility then apache logs show a
post action for k_logout.
I think, I am missing some configuration, but don't know what? Any idea/help
in this regard will be much appreciated. Many thanks.
I am using the following versions of different components,
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1
and my mod_auth_openidc configurations are:
WSGIDaemonProcess myproject python-home=path_to_v_env
python-path=path_to_python
WSGIProcessGroup myproject
WSGIScriptAlias / path_to_wsgi.py
OIDCProviderMetadataURL
http://keycloak_domain/auth/realms/demo/.well-known/openid-configuration
OIDCRedirectURI http://domain_name/testapp
OIDCCryptoPassphrase random4321
OIDCClientID testapp
OIDCClientSecret client_secret
OIDCDefaultLoggedOutURL http://domain_name/
OIDCScope "openid email profile"
<Location /testapp/>
AuthType openid-connect
Require valid-user
</Location>
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
6 years, 3 months
Get token returns new refresh token before expiry of refresh token
by Arun Velayudhan
Hello All,
Whenever we renew an access token keycloak returns a new refresh token.
Suppose the access token expiry is 30min and refresh token is 24hrs, for
every new access token request (i.e intervals of 30min) a new refresh token
(same expiry) gets created by keycloak. I am suspecting if this might be a
cause for memory growth in keycloak under traffic conditions. Any specific
configuration that can be enabled in keycloak so that keycloak can reuse
the same refresh token till it expires.
Arun
6 years, 3 months
Issuer mismatch when using fixed url provider and using different schema
by Fernando Mayoral
Hello everyone!
I'm trying to develop a very simple filter for an application to exchange
the user token with keycloak for another one with different scopes and I'm
in trouble with the issuer not matching.
Both the filter and keycloak are deployed in docker containers and connect
directly to each other.
The user authenticating into this application does it through a public
website, e.g. https://sample.com so the issuer in the token will look
something like https://sample.com/auth/realm or similar given the current
implementation.
The filter exchanging the token connects to keycloak through http, e.g.
http://my-keycloak the issuer would normally look like
http://my-keycloak/auth/realm, but because we are configuring the fixed
hostname provider to be sample.com it actually looks like
http://sample.com/auth/realm <https://sample.com/auth/realm>, so it's
pretty close but it's http instead of https because the hostname SPI
introduced in KEYCLOAK-7967
<https://issues.jboss.org/browse/KEYCLOAK-7967> doesn't
support a fixed schema (as far as I could tell at least by looking at the
PR and configs). And because that's being used to validate the token, and
there's no way I'm aware of setting the schema I haven't been able to get
it running properly.
Is there any known solution to this limitation?
My take is that schema should be supported by the fixed hostname provider,
otherwise I think it misses the point of supporting a "backchannel URL back
to the adapters to allow adapters to use internal IP address when
communicating with Keycloak"
On top of that, I believe there's a confusion on what the issuer is;
As per RFC-7519:4.1.1 <https://tools.ietf.org/html/rfc7519#section-4>
The "iss" (issuer) claim identifies the principal that issued the
JWT. The processing of this claim is generally application specific.
The "iss" value is a case-sensitive string containing a StringOrURI
value. Use of this claim is OPTIONAL.
i.e. not a URL and certainly not necessarily linked to the URL of the
issuing system, it's just a URI value defined arbitrarily. I believe
that this concept is more closely related to realm application clients
rather than to the entire keycloak server; i.e. issuer/accepted
issuers could be defined per client.
Because of this I've taken the liberty to raise KEYCLOAK-8310
<https://issues.jboss.org/browse/KEYCLOAK-8310>
Still, is there any known/recommended way to workaround this issue?
Thanks for your time,
Fernando.
6 years, 3 months
