Organization data save
by Tumenjargal B
Hello, I want to integrate an old system with Keycloak. A user has many organizations. In my case, users have an account and a general account position. An account position has working many organizations. How to save organization data of user on Keycloak?
5 years, 1 month
Re: [keycloak-user] CORS error in Keycloak Admin REST API - Unable to create realms from React JS app
by Vinay Matam
Team,
Can someone please reply to my question?
I am stuck with this issue for more than a week now.
Please help me with this.
Thank you!
On Fri, 15 Nov 2019, 7:12 pm , <keycloak-user-request(a)lists.jboss.org>
wrote:
> Today's Topics:
>
> 1. Re: JBoss_Keycloak_"404 - Not Found" (Sushil Singh)
> 2. Re: Fw: Associating a REST api end point to multiple
> resources in Keycloak in Policy Enforcer (Vishnu Prakash)
> 3. CORS error in Keycloak Admin REST API - Unable to create
> realms from React JS app (Vinay Matam)
> 4. Re: [UMA] Access a protected resource by using a link
> (Pedro Igor Silva)
> 5. Re: JBoss_Keycloak_"404 - Not Found" (Naga Vijay)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 15 Nov 2019 10:08:37 +0000
> From: Sushil Singh <sushil.singh(a)guavus.com>
> Subject: Re: [keycloak-user] JBoss_Keycloak_"404 - Not Found"
> To: Naga Vijay <nagausb2(a)gmail.com>, "keycloak-user(a)lists.jboss.org"
> <keycloak-user(a)lists.jboss.org>, "keycloak-dev(a)lists.jboss.org"
> <keycloak-dev(a)lists.jboss.org>
> Message-ID:
> <
> HK2PR04MB38253C1ED2860727D495BEC8FB700(a)HK2PR04MB3825.apcprd04.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
> I think you might be encountering an error while the war is deployed, that
> is why it is giving 404
>
> You should identify the server logs first to identify what is failing
>
> Thanks
>
> Sushil
>
> ________________________________
> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> on behalf of Naga Vijay <
> nagausb2(a)gmail.com>
> Sent: 13 November 2019 20:22
> To: keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>;
> keycloak-dev(a)lists.jboss.org <keycloak-dev(a)lists.jboss.org>
> Subject: Re: [keycloak-user] JBoss_Keycloak_"404 - Not Found"
>
> As I haven't heard back from anyone, I have logged this -
> https://issues.jboss.org/browse/KEYCLOAK-12036
>
> Thanks
> Naga
>
> On Wed, Nov 13, 2019 at 5:43 AM Naga Vijay <nagausb2(a)gmail.com> wrote:
>
> >
> > Hello,
> >
> > Did anyone get a chance to look into this? I am wondering whether I am
> > facing a bug. Keycloak realm, user, client definition are all in place. And
> > the adapter has been installed into JBoss EAP instance. Here's web.xml in
> > the hello.war ...
> >
> > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> >                              http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> >          version="3.0">
> >
> >   <module-name>basicauth</module-name>
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>*</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
> >   <login-config>
> >     <auth-method>KEYCLOAK</auth-method>
> >     <realm-name>MyRealm</realm-name>
> >   </login-config>
> >
> >   <security-role>
> >     <role-name>*</role-name>
> >   </security-role>
> > </web-app>
> >
> > And here's keycloak.json alongside web.xml ...
> >
> > {
> >   "realm": "MyRealm",
> >   "auth-server-url": "http://localhost:8180/auth",
> >   "ssl-required": "external",
> >   "resource": "dkc",
> >   "public-client": true,
> >   "confidential-port": 0,
> >   "enable-cors": true
> > }
> >
> > http://localhost:8080/hello gives "404 - Not Found" instead of showing
> > keycloak login page.
> >
> > What am I missing?
> >
> > Thanks
> > Naga
> >
> > On Tue, Nov 12, 2019 at 9:24 PM Naga Vijay <nagausb2(a)gmail.com> wrote:
> >
> >>
> >> (+) keycloak-dev
> >>
> >> On Tue, Nov 12, 2019 at 7:56 PM Naga Vijay <nagausb2(a)gmail.com> wrote:
> >>
> >>>
> >>> Hello,
> >>>
> >>> Can someone help me with this?
> >>>
> >>> ==============
> >>> Environment -
> >>> ==============
> >>>
> >>> 1. OS - Mac OS X
> >>> 2. JBoss EAP 7.1
> >>>
> >>> 3. Keycloak 7.0.1
> >>>
> >>> ==============
> >>> Issue -
> >>> ==============
> >>>
> >>> . Getting "404 - Not Found" for a simple hello.war (with KEYCLOAK as the
> >>> auth-method in its web.xml) when accessing http://localhost:8080/hello
> >>>
> >>> ==============
> >>> Attachments -
> >>> ==============
> >>>
> >>> 1. kc.json - export dump of keycloak database/configuration
> >>> 2. hello.war - the simple war tested with
> >>>
> >>> Let me know if you need any other info.
> >>>
> >>> Thanks
> >>>
> >>> Naga
> >>>
> >>>
> >>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 15 Nov 2019 16:01:14 +0530
> From: Vishnu Prakash <vishnuprakash323(a)gmail.com>
> Subject: Re: [keycloak-user] Fw: Associating a REST api end point to
> multiple resources in Keycloak in Policy Enforcer
> To: Sushil Singh <sushil.singh(a)guavus.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <
> CAPLmjegvQ2h1FdKDBtj1bP_TiH17cjPXxvVozMsZw9Q9WxnDgw(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Dear Sushil,
>
> Thank you for your valuable response.
>
> Vishnu Prakash
>
> On Fri, Nov 15, 2019 at 3:19 PM Sushil Singh <sushil.singh(a)guavus.com>
> wrote:
>
> >
> >
> > ________________________________
> > From: Sushil Singh <sushil.singh(a)guavus.com>
> > Sent: 15 November 2019 15:14
> > To: Vishnu Prakash <vishnuprakash323(a)gmail.com>; Pedro Igor Silva <
> > psilva(a)redhat.com>; Stian Thorgersen <sthorger(a)redhat.com>
> > Subject: Re: [keycloak-user] Associating a REST api end point to multiple
> > resources in Keycloak in Policy Enforcer
> >
> > Hi,
> >
> > I think the use case is similar to what I am proposing
> >
> > @Vishnu Prakash<mailto:vishnuprakash323@gmail.com>
> >
> > I have also proposed to impose custom policy-enforcement on a set of
> > resources.
> >
> > https://github.com/keycloak/keycloak/pull/6448
> > KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters
> > https://issues.jboss.org/browse/KEYCLOAK-11300
> >
> >
> > Where user can specify a Map<Resource, Set<scopes>> and it will evaluate
> > to a positive result only if it satisfies permission for all resources in
> > the Map
> >
> > Currently I don't think this functionality is available in keycloak
> >
> > Thanks,
> >
> > Sushil
> > ________________________________
> > From: keycloak-user-bounces(a)lists.jboss.org <
> > keycloak-user-bounces(a)lists.jboss.org> on behalf of Vishnu Prakash <
> > vishnuprakash323(a)gmail.com>
> > Sent: 15 November 2019 10:01
> > To: keycloak-user <keycloak-user(a)lists.jboss.org>
> > Subject: [keycloak-user] Associating a REST api end point to multiple
> > resources in Keycloak in Policy Enforcer
> >
> > Hi,
> > I want to protect my REST api's using Keycloak. I am deploying my
> > application in Wildfly application server and using keycloak wildfly
> > adapters.
> > Is it possible to associate a REST api end point to multiple resources in
> > keycloak using the Policy Enforcer? If the user is having permission to
> > access all the associated resources, then only access should be granted to
> > the api.
> >
> > Any input will be a great help to me.
> >
> > Thanks & Regards,
> > Vishnu Prakash
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 15 Nov 2019 18:12:11 +0530
> From: Vinay Matam <vinay(a)dailykit.org>
> Subject: [keycloak-user] CORS error in Keycloak Admin REST API -
> Unable to create realms from React JS app
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
> <CADNoEv8cyfuaHMg=RLqSvzm=9_HGPUg=
> mNCwpHBD_sRDFN2sHQ(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
> I need help with a situation.
> We are trying to create new realms in Keycloak dynamically from a ReactJS
> based application with the help of the Keycloak Admin Rest API. Here's what
> we have done so far:
>
> Created a client in the master realm, "realm-creator", type = confidential,
> Service Accounts Enabled = true, Scope = admin & create-realm selected,
> Service Account Roles = create-realm.
>
> I then fetch an access token of the above client using the grant_type =
> client_credentials, Authorization = BASIC and using the client id and
> client secret as username and password. I am successfully getting the
> access token.
>
> Now, as a next step, I am using this access token to create new realms by
> calling the Admin REST API endpoint to create new realm,
> https://<keycloakserver>/auth/admin/realms
> Authorization: Bearer <accesstoken> // Access token generated from the
> above step using "realm-creator" client
> and sending the JSON body representation of the realm representation.
>
> Now, everything is working fine as expected when I test this from postman.
> Realm is getting created successfully.
>
> But when I try to implement this from a ReactJS app, I am getting a CORS
> error.
> For clients, we have an option of "Web Origins" and we can configure a "*"
> or the URL we want, to solve the CORS issue. But here the client
> "realm-creator" does not have "Standard Flow" Enabled and I am not seeing
> the option of "WebOrigins".
>
> Where should I configure the CORS setting for the Keycloak Admin REST API
> to avoid CORS error ?
> Please help.
>
> Thank you!
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 15 Nov 2019 09:44:03 -0300
> From: Pedro Igor Silva <psilva(a)redhat.com>
> Subject: Re: [keycloak-user] [UMA] Access a protected resource by
> using a link
> To: Fernando Mayoral <fernando.mayoral(a)practiv.com>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <CAJrcDBdLQeqP=
> r7-PgpJ06DQB5Y4xwk1y1qmxyUq-nn4jnbVXA(a)mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> What type of application we are talking about? A single monolithic or
> separated apps for frontend and backend ? Asking because you could just
> resume the workflow after the user authenticate again and is redirected
> back to your app ...
>
> AFAIK, there is nothing you could use OOTB but maybe implementing some
> custom authenticator. Even with a custom authenticator, the fact that you
> are automatically re-authenticating the user based on some form of code
> sent to an email may be risky ...
>
>
> On Thu, Nov 14, 2019 at 6:37 PM Fernando Mayoral <
> fernando.mayoral(a)practiv.com> wrote:
>
> > Yes, they leave the application and their keycloak session expires.
> > So then we want to send them a link for them to get a new session with
> > their user and get redirected to the order they didn't complete.
> > For example, a product is a bank account application:
> > They start filling the forms and early on they are asked for email.
> > But they never finish and submit the form, or maybe they leave the tab
> > open and forget so the session expires, so we send them an email to remind
> > them with a link to get authenticated and redirected back to an arbitrary
> > url.
> >
> > On Fri, Nov 15, 2019 at 2:47 AM Pedro Igor Silva <psilva(a)redhat.com>
> > wrote:
> >
> >> Hi,
> >>
> >> When the user "drops" from the system you mean a logout (ending the user
> >> session in Keycloak) ?
> >>
> >> On Thu, Nov 14, 2019 at 1:53 AM Fernando Mayoral <
> >> fernando.mayoral(a)practiv.com> wrote:
> >>
> >>> Hello!
> >>>
> >>> We have a product on which we create a protected resource (called orders)
> >>> in keycloak and we secure access to it by using a UMA as described by uma
> >>> authorization process
> >>> <https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_au...>.
> >>>
> >>> When the user drops from the system before they submit their order (i.e.
> >>> the order is incomplete) we want to be able to send them an email with a
> >>> link to the user so they'll be able to get automatically authenticated and
> >>> authorized so they can continue working on this protected resource.
> >>>
> >>> Does keycloak provide this kind of functionality out of the box?
> >>> (i.e. given a link with some sort of long-lived token, get authenticated
> >>> with keycloak and redirected to some arbitrary url)
> >>> Is there any recommended way to approach this?
> >>>
> >>> any hints would be greatly appreciated.
> >>
> >>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 15 Nov 2019 05:40:13 -0800
> From: Naga Vijay <nagausb2(a)gmail.com>
> Subject: Re: [keycloak-user] JBoss_Keycloak_"404 - Not Found"
> To: Sushil Singh <sushil.singh(a)guavus.com>
> Cc: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>,
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <
> CAGdFQvwHpHjaUYb-bneHx1gW7LJA3MTQTNg6QLm1tKERfdNKDw(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> The hello.war is properly deployed. I see the hello.war.deployed file in
> standalone/deployments.
>
> Thanks
> Naga
> End of keycloak-user Digest, Vol 71, Issue 24
> *********************************************
>
5 years, 1 month
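The two calls described in the CORS message above (the client_credentials token request, then the POST to the admin realms endpoint), as an added example that is not part of the original thread: they are made from a Node.js backend instead of the browser, so the "realm-creator" client secret never ships in the React bundle and the requests are server-to-server like the Postman test. The host name, the `createRealm` helper, the realm-name check and the sample values are assumptions of this example.

```javascript
// Added example (not from the thread). Needs Node.js 18+ for the global fetch.
// KEYCLOAK_BASE is a placeholder; the client name comes from the message above.
const KEYCLOAK_BASE = "https://keycloak.example.test/auth";

// Step 1: client_credentials grant against the master realm. The client id
// and secret go in an HTTP Basic Authorization header, as in the message.
function buildTokenRequest(base, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: `${base}/realms/master/protocol/openid-connect/token`,
    options: {
      method: "POST",
      headers: {
        Authorization: `Basic ${basic}`,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body: new URLSearchParams({ grant_type: "client_credentials" }).toString(),
    },
  };
}

// Step 2: POST a realm representation to /admin/realms with the bearer token.
// The realm name arrives from the front end, so it is checked before use
// (the allowed pattern is this example's own policy, not a Keycloak rule).
function buildCreateRealmRequest(base, accessToken, realmName) {
  if (typeof realmName !== "string" || !/^[A-Za-z0-9_-]{1,36}$/.test(realmName)) {
    throw new Error("realm name rejected");
  }
  return {
    url: `${base}/admin/realms`,
    options: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ realm: realmName, enabled: true }),
    },
  };
}

// Runs both steps. The React app calls an endpoint on this backend (which
// applies its own authentication and CORS policy) instead of calling the
// Keycloak Admin REST API directly.
async function createRealm(realmName, cfg) {
  const { base = KEYCLOAK_BASE, clientId, clientSecret, fetchImpl = fetch } = cfg;

  const tokenReq = buildTokenRequest(base, clientId, clientSecret);
  const tokenRes = await fetchImpl(tokenReq.url, tokenReq.options);
  if (!tokenRes.ok) {
    throw new Error(`token request failed: ${tokenRes.status}`);
  }
  const { access_token: accessToken } = await tokenRes.json();

  const realmReq = buildCreateRealmRequest(base, accessToken, realmName);
  const realmRes = await fetchImpl(realmReq.url, realmReq.options);
  if (realmRes.status !== 201) {
    throw new Error(`realm creation failed: ${realmRes.status}`);
  }
  return realmRes.status;
}
```

A backend route would call `createRealm("tenant-1", { clientId: "realm-creator", clientSecret: process.env.KC_SECRET })`, where the environment variable name is likewise an assumption.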
Changing "/auth/admin" route
by Jose Riguera
Hello,
I have a requirement to move admin route '/auth/admin' to something
like '/internal/admin', because we have a reverse generic HTTP proxy
load balancer which blocks all '/internal/*' paths from outside
(public). Our company does not want to have "admin" publicly available
and it is not possible to change the HTTP proxy LB to block additional
routes.
I have some concerns, I think it can break the Web admin interface
because of JS,
am I right with my concern? Do you see it feasible?
Thanks,
Jose Riguera
5 years, 1 month
Keycloak 8: CredentialRepresentation algorithm
by Leonid Rozenblyum
Hello!
Before Keycloak 8.0.0 it was possible to
use org.keycloak.representations.idm.CredentialRepresentation methods
setAlgorithm
setHashedSaltedValue
in order to support import from a legacy storage with some custom algorithm
not supported by Keycloak.
During https://github.com/keycloak/keycloak/pull/6459 those methods were
removed, fields were deprecated.
What's the correct way to provide Credentials for a user with some custom
algorithm right now?
Thanks for explanation.
5 years, 1 month
Keycloak 8 and WebAuthn
by Chris Boot
Hi all,
I'm *so* glad to see WebAuthn and multiple authenticator support, but
I'm having trouble making use of it.
I'm following the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_webauthn
The scenario I would like to achieve is:
- No user registration. We use LDAP federated accounts.
- Login *requires* either OTP *or* WebAuthn.
- Users must be able to manage their WebAuthn and OTP tokens themselves.
I can achieve most of this by having a custom browser flow with a
required sub-flow of the Browser Forms that has WebAuthn and OTP as
alternatives. It's a bit unfriendly that a user has to select WebAuthn
from the popup and then click again to make it happen, but I expect we
can live with that.
What I cannot achieve is user self-management. The WebAuthn stuff
doesn't appear anywhere in the User Account Service screens despite the
documentation suggesting it should:
https://www.keycloak.org/docs/latest/server_admin/index.html#view-registe...
Is the documentation incorrect? How do I make this show up?
I really need for users to not have to take any action to replace their
OTP tokens if they don't want to, but they should be able to add
multiple WebAuthn tokens without admin intervention.
Thanks,
Chris
--
Chris Boot
bootc(a)boo.tc
5 years, 1 month
Setting web context path and adding providers in Dockerfile
by Sebastian Rus
I'm struggling with extending keycloak's docker image, so that I could
change the default web-context "/auth" path
in /opt/jboss/keycloak/standalone/configuration/standalone.xml
and /opt/jboss/keycloak/domain/configuration/domain.xml files. I tried to
use jboss-cli.sh to accomplish it, but the following Dockerfile:

FROM jboss/keycloak:7.0.0
COPY startup-config.cli /opt/jboss/tools/cli/startup-config.cli
RUN /opt/jboss/keycloak/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/startup-config.cli"
ENV KEYCLOAK_USER=admin
ENV KEYCLOAK_PASSWORD=admin

startup-config.cli:

/subsystem=keycloak-server:write-attribute(name=web-context,value=keycloak/auth)

build command ends with "No connection to the controller."
I also would like to add some custom providers to the <providers> section
of standalone.xml file:

<providers>
    ...
    <provider>module:x.y.z.some-custom-provider</provider>
</providers>

Is it possible to edit those XML files using a custom Dockerfile and
extending the default keycloak image?
I will be extremely grateful for help.
Best regards,
Sebastian
5 years, 1 month
Policy enforcer without roles in token
by Matteo Restelli
Hi guys,
we’re experiencing issues about JWT access_token size and we were planning
to remove the “roles” claim as a default, so to remove the claim from the
access_token. Once we do that, the KC adapter / policy enforcer returns a
403. So at this point, must the access_token have the roles inside it?
Or is it another problem which is giving us the 403?
Thank you!
Matteo
5 years, 1 month
Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
by Sushil Singh
Hi ,
I would suggest to play with keycloak standalone by following https://medium.com/@bcarunmail/securing-rest-api-using-keycloak-and-sprin...
And if you want to integrate your application using keycloak adapters please follow quick-start example of your requirement from https://github.com/keycloak/keycloak-quickstarts.
Also you can follow keycloak official documentation https://www.keycloak.org/docs/7.0/authorization_services/
From: Tumenjargal B <b.tume(a)yahoo.com>
Sent: 16 November 2019 10:15
To: Sushil Singh <sushil.singh(a)guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Thank you very much Sushil,
You're helped much time. One question: I can't find any example or production case. How to search example or config files?
On Friday, November 15, 2019, 06:42:48 PM GMT+8, Sushil Singh <sushil.singh(a)guavus.com> wrote:
Based on my understanding,
In keycloak whatever you want to protect is a Resource
In your case Resources will be created based on Organizations
Organization (Resources)
Example
/org/O1
/org/O2
/org/O3
/org/O4
So create two roles and associate policies with them
1. Account-role [ assign Account-role to the users / groups whom you want to give multiple access]
2. General-role [ assign General-role to users / groups whom you don’t want to give organization]
So you can create Role based policy and attach that policy to the permission
You can Associate the Resource with a Permission and Associate the permission with the above Policies
Check out these links to get an overview of how to manage resources, policies and permissions
https://www.keycloak.org/docs/latest/authorization_services/index.html#_r...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
Thanks
Sushil
________________________________
From: Tumenjargal B <b.tume(a)yahoo.com>
Sent: 15 November 2019 15:39
To: Stian Thorgersen <sthorger(a)redhat.com>; Pedro Igor Silva <psilva(a)redhat.com>; Sushil Singh <sushil.singh(a)guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hello dears,
I want to integrate old system to keycloak. A user has many organization.
In my case, users have an account and a general account position. An account position has working many organizations. How to integrate Keycloak? How to save organization data of user on Keycloak?
Thank you
On Friday, November 15, 2019, 05:52:03 PM GMT+8, Sushil Singh <sushil.singh(a)guavus.com> wrote:
________________________________
From: Tumenjargal B <b.tume(a)yahoo.com>
Sent: 16 November 2019 10:15
To: Sushil Singh <sushil.singh(a)guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Thank you very much Sushil,
You're helped much time. One question I cant find any example or production case How to search example or config files?
On Friday, November 15, 2019, 06:42:48 PM GMT+8, Sushil Singh <sushil.singh(a)guavus.com> wrote:
Based on my understanding ,
In keycloak what ever you want to protect is a Resource
In your case Resources will be created based on Organizations
Organization (Resources)
Example
/org/O1
/org/O2
/org/O3
/org/O4
So create two roles and associate policies with them
1. Account-role [ assign Account-role to the users / groups whom you want to give multiple access]
2. General-role [ assign General-role to users / groups whom you don’t want to give organization]
So you can create Role based policy and attach that policy to the permission
You can Associate the Resource with a Permission and Associate the permission with the above Policies
Checkout these links to get an overview of how to manage resources, policies and permissions
https://www.keycloak.org/docs/latest/authorization_services/index.html#_r...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
Authorization Services Guide - Keycloak<https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...>
For instance, you might have a Bank Account resource that represents all banking accounts and use it to define the authorization policies that are common to all banking accounts. However, you might want to define specific policies for Alice Account (a resource instance that belongs to a customer), where only the owner is allowed to access some information or perform an operation.
www.keycloak.org
Thanks
Sushil
Authorization Services Guide - Keycloak<https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...>
For instance, you might have a Bank Account resource that represents all banking accounts and use it to define the authorization policies that are common to all banking accounts. However, you might want to define specific policies for Alice Account (a resource instance that belongs to a customer), where only the owner is allowed to access some information or perform an operation.
www.keycloak.org
________________________________
From: Tumenjargal B <b.tume(a)yahoo.com>
Sent: 15 November 2019 15:39
To: Stian Thorgersen <sthorger(a)redhat.com>; Pedro Igor Silva <psilva(a)redhat.com>; Sushil Singh <sushil.singh(a)guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hello dears,
I want to integrate old system to Keycloak. A user has many organizations.
My case: users have account and general account position. An account position has working many organizations. How to integrate Keycloak? How to save organization data of user on Keycloak?
Thank you
On Friday, November 15, 2019, 05:52:03 PM GMT+8, Sushil Singh <sushil.singh(a)guavus.com> wrote:
________________________________
From: Sushil Singh <sushil.singh(a)guavus.com>
Sent: 15 November 2019 15:14
To: Vishnu Prakash <vishnuprakash323(a)gmail.com>; Pedro Igor Silva <psilva(a)redhat.com>; Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I think the use case is similar to what I am proposing
@Vishnu Prakash
I have also proposed to impose custom policy-enforcement on a set of resources.
https://github.com/keycloak/keycloak/pull/6448
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300
Where user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if it satisfies permission for all resources in the Map
Currently I don't think this functionality is available in keycloak
Thanks,
Sushil
________________________________
From: keycloak-user-bounces(a)lists.jboss.org on behalf of Vishnu Prakash <vishnuprakash323(a)gmail.com>
Sent: 15 November 2019 10:01
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in WildFly application server and using Keycloak WildFly
adapters.
Is it possible to associate a REST API end point to multiple resources in
Keycloak using the Policy Enforcer? If the user is having permission to
access all the associated resources, then only access should be granted to
the API.
Any input will be a great help to me.
Thanks & Regards,
Vishnu Prakash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years, 1 month
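The all-of evaluation described in the thread above (a map of resource to scopes that passes only if every entry is satisfied), as an added example that is not code from the thread or from the linked pull request. The class name, method name and the map-of-strings model of granted permissions are hypothetical, and denying when no requirements are configured is an assumption of this example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AllResourcesCheck {
    // Returns the unmet requirements; an empty list means every required
    // resource and scope was granted. Both maps go from resource name to
    // scope names (hypothetical model, not Keycloak's own types).
    static List<String> unmet(Map<String, Set<String>> required,
                              Map<String, Set<String>> granted) {
        List<String> missing = new ArrayList<>();
        if (required == null || required.isEmpty()) {
            // Fail closed: no declared requirements is a config error, not "allow".
            missing.add("no requirements configured");
            return missing;
        }
        for (Map.Entry<String, Set<String>> req : required.entrySet()) {
            Set<String> have = (granted == null) ? null : granted.get(req.getKey());
            if (have == null) {
                missing.add(req.getKey()); // resource not granted at all
                continue;
            }
            for (String scope : req.getValue()) {
                if (!have.contains(scope)) {
                    missing.add(req.getKey() + "#" + scope); // scope not granted
                }
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample: one REST endpoint tied to two resources.
        Map<String, Set<String>> required = new LinkedHashMap<>();
        required.put("account", Set.of("view"));
        required.put("organization", Set.of("view", "edit"));
        // Caller holds every required permission.
        Map<String, Set<String>> full = Map.of(
                "account", Set.of("view"), "organization", Set.of("view", "edit"));
        // Caller lacks the "edit" scope on "organization".
        Map<String, Set<String>> partial = Map.of(
                "account", Set.of("view"), "organization", Set.of("view"));
        for (Map<String, Set<String>> granted : List.of(full, partial)) {
            List<String> missing = unmet(required, granted);
            System.out.println(missing.isEmpty() ? "GRANT" : "DENY, unmet: " + missing);
        }
    }
}
```

Returning the list of unmet requirements rather than a bare boolean lets the denial be logged with the exact resource or scope that was missing.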
Red Hat SSO
by Yeo Wee Tat (NCS)
Hi all
I have an issue retrieving KeycloakSecurityContext using the Keycloak Servlet Filter adapter. The SSO server is Red Hat SSO 7.2.
The Keycloak Servlet Filter adapter version is 6.0.1. Is this a version issue with Red Hat SSO 7.2?
The KeycloakSecurityContext is null. I have tested the code below against a standalone Keycloak SSO server with no issue. Does anyone have suggestions? Thanks
this.keycloakSecurityContext = (KeycloakSecurityContext) request.getSession().getAttribute(KeycloakSecurityContext.class.getName());
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-servlet-filter-adapter</artifactId>
    <version>6.0.1</version>
</dependency>
Best Regards and Thanks
Wee Tat , Yeo (NCS)
Consultant, NCS Pte Ltd
5 years, 1 month
Organization and user data save
by Tumenjargal B
I want to integrate old system to Keycloak. A user has many organizations.
My case: users have account and general account position. An account position has working many organizations. How to save organization data of user on Keycloak?
5 years, 1 month