User registration
by John Norris
Hello,
This is not really a problem, but some feedback on the user registration feature in Keycloak.
This should be a really useful feature. It is simple to turn on in the admin console, and suddenly there is a new link on the login page. But I am not sure how useful it is from a practical viewpoint.
The user can register and, from a Keycloak perspective, is then logged in to the application. But because the app will be set up to use roles, the app does not see the user as authenticated and so they are prevented from seeing the protected URL. The solution would be to have a default role set up in the client, perhaps with low permissions until further verification takes place.
But there may be other things that need to take place, such as adding the user to the app's database.
So would it be useful, in addition to the user registration yes/no switch, to have a URL that a newly registered user is sent to for other actions to take place?
I know that events should be able to deal with this, but I had real trouble trying to get custom events to work (in fact I never did; Keycloak would crash when changes were made to the standalone.xml file).
So not a complaint, not a bug, just some feedback and very much my opinion based on limited Keycloak experience and knowledge.
5 years, 1 month
Change resource Ids
by Corentin Dupont
Hi guys,
I would like to change the IDs of all my Authorization resources (in order to match the IDs in my main database).
What is the recommended way?
I could write a script that goes through them all with the REST API, deleting and re-creating...
Or run some commands directly in the MySQL database? I'm not sure about its structure, though, and I would be afraid to break something.
Thanks
Corentin
5 years, 1 month
Back channel logout request is not sent when Keycloak session expires
by Nagendra Darla
Hi all,
I am facing a challenge in my Keycloak implementation.
I integrated multiple applications running on JBoss with Keycloak. When I kill a Keycloak session from the Keycloak console, it sends a back channel logout request to all the connected apps through their admin URLs. But when the Keycloak session expires, it does not send a back channel logout request to the applications. Why is there a difference in behaviour between these two cases?
I would also like to know if there is any SPI or hook that can be used to send a back channel logout request when a session expires in Keycloak.
5 years, 1 month
Brute Force Detection issue: login failure count not resetting after successful login
by Vishnu Prakash
Hi Keycloak team,
I have enabled Brute Force Detection in Keycloak. But the login failure count is not resetting after successful login. As per the Permanent Lockout Algorithm described in the Keycloak documentation, the failure count should reset on successful login. It is described as follows in the documentation:
1. On successful login
   1. Reset count
2. On failed login
   1. Increment count
   2. If count greater than Max Login Failures
      1. Permanently disable user
   3. Else if time between this failure and the last failure is less than Quick Login Check Milli Seconds
      1. Temporarily disable user for Minimum Quick Login Wait
When a user is disabled they can not login until an administrator enables the user; enabling an account resets count.
Can someone comment on this? Is it a bug or expected behaviour? Any help will be appreciated.
Thanks & Regards,
Vishnu Prakash
5 years, 1 month
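The documented algorithm quoted in the post, modelled in Python as an added example (it is not part of the original post and not Keycloak's own code). It only shows what the documented steps imply, so the "count resets on success" behaviour can be checked against the specification; whether the server actually does this is exactly the question asked above. Setting names follow the documentation; the user names and timestamps are constructed for the demonstration.

```python
"""Added example, not Keycloak source code: an in-memory model of the
permanent lockout algorithm quoted from the documentation above, so the
"reset count on successful login" step can be exercised directly. Setting
names mirror the documented ones; users and timestamps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UserLoginState:
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    permanently_disabled: bool = False
    temp_disabled_until_ms: Optional[int] = None


@dataclass
class PermanentLockoutDetector:
    max_login_failures: int = 3             # "Max Login Failures"
    quick_login_check_ms: int = 1_000       # "Quick Login Check Milli Seconds"
    min_quick_login_wait_ms: int = 60_000   # "Minimum Quick Login Wait"
    users: Dict[str, UserLoginState] = field(default_factory=dict)

    def _state(self, user: str) -> UserLoginState:
        return self.users.setdefault(user, UserLoginState())

    def is_disabled(self, user: str, now_ms: int) -> bool:
        s = self._state(user)
        if s.permanently_disabled:
            return True
        return s.temp_disabled_until_ms is not None and now_ms < s.temp_disabled_until_ms

    def login_success(self, user: str, now_ms: int) -> bool:
        """Step 1: a successful login resets the count. A disabled user cannot
        log in, so the reset applies only to an enabled account."""
        if self.is_disabled(user, now_ms):
            return False
        s = self._state(user)
        s.failure_count = 0
        s.last_failure_ms = None
        return True

    def login_failure(self, user: str, now_ms: int) -> str:
        """Step 2: increment, then apply the permanent and quick-login checks in order."""
        s = self._state(user)
        if s.permanently_disabled:
            return "permanently disabled"
        s.failure_count += 1
        if s.failure_count > self.max_login_failures:
            s.permanently_disabled = True
            outcome = "permanently disabled"
        elif (s.last_failure_ms is not None
              and now_ms - s.last_failure_ms < self.quick_login_check_ms):
            s.temp_disabled_until_ms = now_ms + self.min_quick_login_wait_ms
            outcome = "temporarily disabled"
        else:
            outcome = "counted"
        s.last_failure_ms = now_ms
        return outcome

    def admin_enable(self, user: str) -> None:
        """An administrator re-enabling the account resets the count."""
        self.users[user] = UserLoginState()


def run_scenario() -> dict:
    """Replays the sequences a tester would try and returns what was observed."""
    d = PermanentLockoutDetector()
    # alice: two well-spaced failures, then a success -> count must be 0 again
    d.login_failure("alice", 0)
    d.login_failure("alice", 5_000)
    alice_ok = d.login_success("alice", 10_000)
    count_after_success = d.users["alice"].failure_count
    # alice: four spaced failures with no success in between -> 4 > 3 -> permanent
    outcomes = [d.login_failure("alice", t) for t in (20_000, 25_000, 30_000, 35_000)]
    # bob: two failures 500 ms apart -> temporary lock for min_quick_login_wait_ms
    d.login_failure("bob", 0)
    bob_second = d.login_failure("bob", 500)
    bob_locked_1s, bob_locked_61s = d.is_disabled("bob", 1_000), d.is_disabled("bob", 61_000)
    d.admin_enable("alice")
    return {
        "alice_success": alice_ok,
        "alice_count_after_success": count_after_success,
        "alice_outcomes": outcomes,
        "bob_second_failure": bob_second,
        "bob_locked_at_1s": bob_locked_1s,
        "bob_locked_at_61s": bob_locked_61s,
        "alice_after_admin_enable": (d.users["alice"].failure_count,
                                     d.users["alice"].permanently_disabled),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario against a real server (two failures, one success, then counting further failures until lockout) tells you whether the deployed server matches the model: if the account locks one attempt earlier than the model predicts, the count was not reset by the success.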
External User Storage Provider Works Only One Time
by Yasiru Tittagalla
Hi,
I have created a custom SPI to get the users from my existing Oracle database and then create them in Keycloak's own database; the user sync is done via a federation link.
When I'm logging into the system for the first time with an existing user, it works fine and registers the user. But when I change the enabled state or delete a user from my existing Oracle database, according to the logic I have written it should be reflected in the Keycloak database, but it doesn't go through my SPI, simply giving me the following error:
[org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator]
(default task-2) Provider not found or not enabled for realm
migration-provider.
I have implemented the ImportedUserValidation's validate method correctly as well.
It would be of great help if you can help me on this matter.
Thank you,
Regards,
Yasiru.
5 years, 1 month
Allocating Role Assignment Responsibilities with OIDC / Keycloak
by Steve Ramage
Hello,
I'm building an application that will use OIDC to authenticate (and potentially make some simple authorization decisions) and I have some questions about the best way to do that. Keycloak is our reference implementation, but we would like to do this in a completely generic way.
The context is that our application has three classes of users, teachers, students and parents for example, and they undergo completely different life cycles and have different responsibilities in our application. In some deployments of our software the teachers may be part of a school district with SSO functionality, and they have a different set of capabilities in our application (and our application knows that they are teachers). We also have students who may be centrally registered, and we may have parents who are publicly registered or signed up manually. We would like Keycloak, or whatever IdP is chosen, to manage all of this complexity for us; essentially we just need to know the class of user. There is zero possible need for users to switch classes, students don't become teachers, etc...
There are two broad ways I can see our application handling this within the context of OIDC.
1) My first thought from going over the OpenID Connect protocol was that we could use scopes/claims for this. When we redirect the user to the IdP, we ask for specific additional scopes (i.e., "openid teacher" or "openid student" or "openid parent"). If the user doesn't have these roles in Keycloak, then we don't get the actual claims and we can reject the request. The issue that I have is I can't seem to get this workflow to work with Keycloak, where there is a scope type based on the role, and only users with that role can successfully give us that claim. I can get the claim to appear in the claims returned, but not conditionally in this sense. I can also get the information in other claims returned by Keycloak, but this seems Keycloak specific, and it seems like other identity providers would have different structures, and we would have to support different introspection of the various tokens, or make that configurable, which is less than ideal.
2) We could just wire our application up to use three different configurations for IdPs, one for teachers, students and parents. This could be managed in different realms in Keycloak. The drawback of this approach is that in some cases we need to ask the user who they are (teacher / student / parent) before we can authenticate them.
Anyway, I'm not even sure if the above two are the right approach at all, and maybe I'm looking at the problem backwards. In particular, the role and scope/claims are specific to our application; our application really isn't asking for authorization to protected resources that the end users own, we are just piggybacking on it to determine the role in a simple RBAC system. Maybe that is simply a mistake, and we should leave the role assignment in the application (although that vastly increases scope, and seems weird since Keycloak has a whole bunch of complex role management functionality that we couldn't leverage or coordinate between services). Alternatively, maybe we can impose some constraints on IdPs and say that they have to support, say, a role claim that has one of three possible values in the tokens, either teacher / student / parent. Maybe that is a very reasonable imposition to make on a dedicated Identity Management System.
I'd appreciate any advice anyone had on this problem.
Cheers,
Steve Ramage
5 years, 1 month
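One way to keep the application IdP-agnostic along the lines of the last paragraph, as an added example (not part of the post and not Keycloak's code): treat the location of the role claim as the only per-provider setting and require exactly one of the three classes to be asserted. The tokens are minted in-process and signed with HS256 under a shared secret so the example runs offline; a real deployment verifies RS256 signatures against the provider's JWKS. The issuer, audience and secret values and the two claim paths are assumptions for the demonstration; "realm_access.roles" is where Keycloak places realm roles in its tokens by default.

```python
"""Added example (not from the post, not Keycloak code): derive the user class
(teacher / student / parent) from an OIDC ID token in an IdP-agnostic way.
Only the role claim path differs per provider. HS256 with a shared secret
stands in for the IdP's RS256 signature so this runs offline; issuer, audience,
secrets and claim paths are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json

USER_CLASSES = frozenset({"teacher", "student", "parent"})
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (test-only stand-in for the identity provider)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Signature, iss, aud and exp checks; the algorithm is pinned, not read from the token."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def lookup_path(claims: dict, path: str):
    """Walk a dotted claim path such as 'realm_access.roles'; None if absent."""
    cur = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def user_class(claims: dict, role_claim_path: str) -> str:
    """Exactly one of the three classes must be asserted; zero or several is rejected."""
    raw = lookup_path(claims, role_claim_path)
    roles = raw if isinstance(raw, list) else ([raw] if isinstance(raw, str) else [])
    matched = USER_CLASSES.intersection(roles)
    if len(matched) != 1:
        raise PermissionError(f"expected exactly one user class, got {sorted(matched)}")
    return next(iter(matched))


def classify(token: str, idp: dict, now: int = NOW) -> str:
    claims = verify_token(token, idp["secret"], idp["issuer"], idp["audience"], now)
    return user_class(claims, idp["role_claim_path"])


# Two hypothetical provider configurations; only the claim path differs.
KEYCLOAK_IDP = {"issuer": "https://sso.example.edu/auth/realms/school", "audience": "classroom-app",
                "secret": b"kc-demo-secret", "role_claim_path": "realm_access.roles"}
GENERIC_IDP = {"issuer": "https://login.district.example", "audience": "classroom-app",
               "secret": b"district-demo-secret", "role_claim_path": "role"}


def demo() -> dict:
    base = {"aud": "classroom-app", "exp": NOW + 300, "sub": "u1"}
    kc_teacher = make_token({**base, "iss": KEYCLOAK_IDP["issuer"],
                             "realm_access": {"roles": ["offline_access", "teacher"]}}, KEYCLOAK_IDP["secret"])
    generic_parent = make_token({**base, "iss": GENERIC_IDP["issuer"], "role": "parent"}, GENERIC_IDP["secret"])
    two_classes = make_token({**base, "iss": GENERIC_IDP["issuer"], "role": ["teacher", "student"]},
                             GENERIC_IDP["secret"])
    wrong_key = make_token({**base, "iss": KEYCLOAK_IDP["issuer"],
                            "realm_access": {"roles": ["teacher"]}}, b"attacker-key")
    results = {"kc_teacher": classify(kc_teacher, KEYCLOAK_IDP),
               "generic_parent": classify(generic_parent, GENERIC_IDP)}
    for name, tok, idp in (("two_classes", two_classes, GENERIC_IDP), ("wrong_key", wrong_key, KEYCLOAK_IDP)):
        try:
            classify(tok, idp)
            results[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

The "exactly one class" rule is deliberate: a token carrying both teacher and student is a misconfiguration on the IdP side, and refusing it is safer than silently picking the more privileged class.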
@Inject KeycloakPrincipal in EJB container
by Vagelis Savvas
Dear community,
As the subject says, how can the org.keycloak.KeycloakPrincipal be @Inject-ed in, say, a @Stateless bean?
I tried injecting a java.security.Principal but I couldn't get a KeycloakPrincipal out of it.
I also tried creating a CDI @Producer (annotated with @RequestScoped) producing the KeycloakPrincipal, but that didn't work either because KeycloakPrincipal can't be proxied.
(That's mostly for convenience, since @Resource SessionContext ctx and then ctx.getCallerPrincipal() answers the KeycloakPrincipal, but I wouldn't want to do that explicitly in every business method.)
This is on WildFly 17.0.1 with the Elytron Keycloak adapter.
Cheers,
Vagelis
5 years, 1 month
Fwd: Fine grain access to User Federation management
by Leonardo Casanova
Hello,
I have been trying to fine-grain user federation out of the "manage-realm" role in order to allow a user to add a user storage (LDAP or Kerberos) without giving all the capabilities that manage-realm provides.
My use case is that I would like to have admins that are capable of configuring their own user storage, but unable to change how the clients' authorization flows work.
"manage-realm" will give capabilities like renaming the whole realm, which would also change the authorization endpoints in that realm.
After several attempts, trying to add a custom resource with the Keycloak URI that returned HTTP status 403 Forbidden (/auth/admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider), I realized that this might not be an available feature; reading the full list of permissions in the link below confirmed my doubts.
https://www.keycloak.org/docs/7.0/server_admin/#_fine_grain_permissions
Is what I am trying to accomplish somehow possible already? If not, I would like to understand why user federation is tied to the "manage-realm" role. Perhaps my scenario does not make sense in the context of the Keycloak architecture.
So far the only option I believe I have left is to build a client with a service account that has the "manage-realm" role; then I can use the Keycloak REST API to manage the user storages, and create custom permissions towards my client endpoints to authorize the users. The downside of this approach is that the events produced will be registered as coming from the service account in my client instead of from the user himself.
Best Regards
Leonardo
5 years, 1 month
Keycloak Gatekeeper: Support Relative/Internal URLs for Airgapped Environments
by Yannis Zarkadas
Hi all,
I am a contributor to the Kubeflow project, which is a machine learning platform built on top of Kubernetes.
Recently, we (Arrikto) implemented a reference architecture for OIDC Authentication in Kubeflow.
More details can be found in this article:
https://journal.arrikto.com/kubeflow-authentication-with-istio-dex-5eafdf...
After 3 months of testing this setup with users, we gathered feedback from users operating in on-prem, airgapped environments, which led to the following use case:
We want to use an OIDC authenticating proxy for securing an on-prem, airgapped Kubernetes cluster.
For an OIDC Provider, we use Dex, which lives in the same cluster and connects with LDAP.
Keycloak Gatekeeper is a great project that has caught our attention and we would love to use it to cover our use case.
We have the following user requirements:
- Don't make any requests that exit and reenter the cluster. This means that the OIDC Client should talk to the OIDC Provider using its internal address.
- Work behind any origin URL. This lets users use kubernetes port-forward to debug issues and work behind a proxy.
To solve these requirements we came up with the following:
- Use the OIDC Provider's internal address for the {discovery, jwks, token, userinfo}_endpoint. This means the OIDC Client won't make a request to a public address that would exit and reenter the cluster.
- Use relative URLs for the authorization_endpoint and redirect_uri. We know that our OIDC Client and OIDC Provider live behind the same origin, so we can redirect from one to the other using relative URLs.
We haven't found a way to set up Gatekeeper to support this use case.
I would greatly appreciate it if you could help me understand if this is a valid use case for Gatekeeper to support.
If yes, I'd love to contribute to it, and if not, I'd like to understand why.
Thanks in advance,
Yannis Zarkadas
5 years, 1 month
Database connection spurious failure when adding a new client via admin-cli
by Nicolò Di Domenico
Hello everyone,
I’m currently struggling with an issue that appears with no regular pattern whatsoever. I’m deploying Keycloak to a server via Ansible, and later in the playbook I create a new client using its dedicated module. The problem is that the first time everything’s fine, but when I call the playbook again to make some modifications, it sometimes gets stuck when using admin-cli to add the client: if that happens, the server returns a 500 error and everything stops. By looking at the logs, it looks like Keycloak for some reason loses the connection to the MariaDB server, and it won’t make it again until I restart Keycloak manually, because every subsequent database connection will fail.
I’ll leave down here the link to a gist with the server logs, the standalone.xml configuration file, and MariaDB and its JDBC version.
https://gist.github.com/ndido98/971e19ba2b071f34d37055d973234e7e
Thank you in advance for your help.
Greetings,
Nicolò
5 years, 1 month