Feature Request
by Sushil Singh
Hi,
As of now there is support of only http-method-as-scope when policyEnforcer is enabled inorder to get the mapping between application scopes and keycloak defined scopes. But I want to use keycloak not only for rest api's but for other use cases where I can have application specific custom resources (independent of URI requested) and actions(scopes). i want some API to provide support for custom resources as well as scopes
ex-: I have a pipeline to run and it can have actions like STOP ,RUN , RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding a functionality where user can use custom scopes would be of great help and extend its usability for non rest api's also.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
4 years, 11 months
Authorisation and public clients
by Pete Chown
Hello,
I have a public client and I can issue tokens for it. I would like to
be able to use Keycloak for access control as well, so for example I
might give a user the "admin" role and that would cause additional
scopes to be added to their tokens.
Unfortunately it looks as though the authorisation aspect of Keycloak is
only available to confidential clients. First of all, is that correct?
If my understanding is correct, is there some specific security issue
that arises if authorisation is applied to public clients? I can't
think of one, but perhaps I just haven't thought hard enough. :)
Suppose I have a confidential client, but I don't take any steps to keep
the "secret" secure. Is it then equivalent to a public client? In
other words could I work around this issue by making my client nominally
confidential, but not taking steps to conceal the secret? (There are
actually no steps I could take, because my client is just Javascript
running in a web page.)
Thank you for any help you can give, and many thanks to the developers
for this excellent software.
Pete
4 years, 11 months
Cross-Datacenter Replication Mode Question
by Townsley, Eric L
Hi,
We are looking into implementing cross datacenter replication. In looking at the doc's I see mention of using JBoss Data Grid. Will we need to purchase/license from Red Hat before we can proceed? Is there an alternate option, ie. community Data Grid solution?
Thanks
Eric
Please consider the environment before printing this email and any attachments.
This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
4 years, 11 months
Refresh token in client_credentials grant type
by Sebastian Rus
Hi,
I have created a client with 'confidential' Access Type for a microservice
which has to connect to other keycloak secured microservice. I enabled
"Service Accounts Enabled" option, which "[...] in terms of OAuth2
specification, enables support of Client Credentials Grant for client".
Everything seemed to be OK, until I saw a huge number of sessions for that
client. It turned out that that the token endpoint returns a refresh token.
A request interceptor I use in my microservice application just ignores the
refresh token and uses client credentials to obtain the new one - which
creates a new session every time new access token is issued.
Oauth2 specification (https://tools.ietf.org/html/rfc6749#section-4.4.2)
says that "A refresh token SHOULD NOT be included" for client_credentials
grant type. So why is it included? Is the presence of refresh token
configurable for 'confidential' Access Type and client_credentials grant?
Best regards,
Sebastian
4 years, 11 months
Max number of Realms supported each keycloak instance/node
by Nagendra Darla
Hello All,
I wondering if we have any documentation or suggestion on maximum number of
realms that can be created on a keycloak instance. If it is bases on
hardware configuration then is there any reference configuration
mentioned anywhere in keycloak documentation ?
Your help is much appreciated.
Thank You,
Nagendra Darla
4 years, 11 months
SSL connection to MySQL with self signed certificate
by Alexandre Filgueira
Hi
We are trying to test keycloak connecting to a MySQL database using TLS with self signed certificates.
The container where this keycloak is running already has a truststore and a keystore file to be used, but I can’t find documentation on how to proceed.
I saw that you can add the truststore with a block like:
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="${env.APP_CONFIG_SSL_DATABASE_DIR}/truststore"/>
<property name="password" value="${env.APP_STORE_PASS}"/>
<property name="hostname-verification-policy" value="ANY"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
But what about the keystore?
In a regular JAVA application I would need to run my java jar file with something like these for example:
java -Djavax.net.ssl.trustStore=${APP_TRUSTED_SERVERS} -Djavax.net.ssl.trustStorePassword=${APP_STORE_PASS} -Djavax.net.ssl.keyStore=${APP_KEYSTORE_CLIENT} -Djavax.net.ssl.keyStorePassword=${APP_STORE_PASS} -jar target/myjarfile.jar
In my truststore I would need to store the CA certificate from MySQL, and in my keystore the client certificate to connect.
Then in my connection-url block I just define some booleans like useSSL, requireSSL and verifyServerCertificate.
Thanks
4 years, 11 months
Re: [keycloak-user] Mappers with token exchange
by Andrew B Goldberg
I'm trying to set up token-exchange for an external token to internal token, and I ran into the same issue as below (using version 7.0.0) and wondering if this is a known issue, or if it is supposed to be working. If so, any particular setting or policy to look into changing to allow attribute mappers to work?
It may also be the case that my access token doesn’t contain all the claims being mapped, and usually the mappers apply to the id token. But it doesn’t seem like token-exchange supports exchanging an external id token.
For context, my identity provider here is Microsoft azure oidc (not the built-in social one, but a custom one added using all the standard microsoftonline.com OAuth endpoints). And the main claim I’m looking for is “groups” (which does show up when logging into this provider directly).
Thanks!
Andrew
---- older message:
Hello, We're using token exchange to enable logins for social media providerusers, using their respective native apps. So the tokens are obtained viaofficial SDKs/apps, then sent our backend to be exchanged for a keycloaktoken, which is then used throughout. The problem is, attribute importers don't seem to be running for tokensthat are exchanged with this method. We have a mapper to export the user'sfacebook id ("Social Profile JSON Field Path" set to "id") to custom userattribute, but it doesn't seem to be working. (except of course when Ilogin "properly" and not use the token exchange process at all) Are there any settings that I'm missing? Recommendations? (Keycloak 5.0. Same with 4.1) Thanks
Kemal
4 years, 11 months
Restrict who can login a client app
by Paul Luk
hi,
in keycloak, i have defined an active directory for 'user federation'.
i have also define a client application (OpenID connect). by default, all
user (in the AD) can login the client.
now i want to restrict only certain user (e.g. by AD group, by AD attribute
value) can login the client ( i have tried the 'authorization' feature, but
it seems still allowing non-valid user to login the client [a JWT token
issued]).
i have a search and find this post:
https://stackoverflow.com/questions/54305880/how-can-i-restrict-client-ac...
Which mention 2 methods:
- by coding a custom AD authenticator .
- by 'authorization' (failed for me...user still able to login and JWT
token issued)
can you please share your way to achieve this?
4 years, 11 months
Cross-site DB Replication Question
by Hossein Doutaghy
Hi,
We have 2 GEO redundant sites having Keycloak installed in standalone-ha
mode. Each site has its own Galera cluster and mariadb replication is
happening between the two sites.
Keycloak uses few URLs which are specific to a single site, for
example the *Base
URL* which the keycloak redirects the user to, once the authentication is
successful. The syntax of *Base URL* is :
https://<SITE_VIP>:8443/servicemanager
What we have noticed is since the entire mariadb data gets replicated from
Site A to Site B so does the above Base URL and because of which when we
access the service manager client on site B that is protected by Keycloak
B, then it redirects us to the service manager client in Site A in case of
successful authentication. In other words, in both the service manager
clients in Keycloak server A and B i.e. 10.88.9.74 and 10.88.9.64, the base
URL is same and when we change the base URL on any one of the sites, it
gets replicated to the other one. (Can be seen upon clearing realm cache)
How can we prevent this data to be replicated as they are more site
specific? Is it safe to just exclude the CLIENT table in database from the
replication by using mariadb selective replication technique?
Thanks,
Moe
4 years, 11 months