November 2019 - keycloak-user - Jboss List Archives

Re: [keycloak-user] [UMA] Access a protected resource by using a link

by Fernando Mayoral

*What type of application we are talking about? A single monolithic or separated apps for frontend and backend? Asking because you could just resume the workflow after the user authenticate again and is redirected back to your app ...* We are talking separated frontend/backend, in fact, it's microservices and micro-frontend architecture. Correct, authentication & redirect would work and I've just realised I've missed an important aspect of this: Our users don't have a username-password with keycloak, not that they know of at least, there's a third-party authentication provider they can use through OIDC. Alternatively, if they don't have an account with that third-party and can't be bothered with setting one up, we have a custom authenticator that essentially allows "anonymous authentication", i.e. you don't have an account, yet you want to use the application, you get an anonymous session. And we use such user to store protected data (such data expires after some time in the system and it's erased). Now we want to provide a way for such anonymous users to be able to recover their order and be authorised without having them to set a password for the account and so on, as the intention of the anonymous user mechanism is mostly for tracking and authorisation which we erase after some time, and not so much for having a permanent user in the system. AFAIK, there is nothing you could use OOTB but maybe implementing some custom authenticator. Even with a custom authenticator, the fact that you are automatically re-authenticating the user based on some form of code sent to an email may be risky Agreed on the risky side, it's not desirable nor recommended from a security point of view, yet since users in our system are ephemeral, the attack vector is narrow enough that makes it acceptable to sacrifice that in order to get a smoother UX. Probably long-lived cookies can help here too, but we are assuming users can use a different device, so it doesn't work for all scenarios. - Thanks for your comments, I was thinking of a custom authenticator but wanted to confirm if support existed OOTB, I take your points on the risk and discuss it with our team. Regards, - Fernando On Sat, Nov 16, 2019 at 1:44 AM Pedro Igor Silva <psilva(a)redhat.com> wrote: > What type of application we are talking about? A single monolithic or > separated apps for frontend and backend ? Asking because you could just > resume the workflow after the user authenticate again and is redirected > back to your app ... > > AFAIK, there is nothing you could use OOTB but maybe implementing some > custom authenticator. Even with a custom authenticator, the fact that you > are automatically re-authenticating the user based on some form of code > sent to an email may be risky ... > > > On Thu, Nov 14, 2019 at 6:37 PM Fernando Mayoral < > fernando.mayoral(a)practiv.com> wrote: > >> Yes, they leave the application and their keycloak session expires. >> So then we want to send them a link for them to get a new session with >> their user and get redirected to the order they didn't complete. >> For example, a product is a bank account application: >> They start filling the forms and early on they are asked for email. >> But they never finish and submit the form, or maybe they leave the tab >> open and forget so the session expires, so we send them an email to remind >> them with a link to get authenticated and redirected back to an arbitrary >> url. >> >> On Fri, Nov 15, 2019 at 2:47 AM Pedro Igor Silva <psilva(a)redhat.com> >> wrote: >> >>> Hi, >>> >>> When the user "drops" from the system you mean a logout (ending the user >>> session in Keycloak) ? >>> >>> On Thu, Nov 14, 2019 at 1:53 AM Fernando Mayoral < >>> fernando.mayoral(a)practiv.com> wrote: >>> >>>> Hello! >>>> >>>> We have a product on which we create a protected resource (called >>>> orders) >>>> in keycloak and we secure access to it by using a UMA as described by >>>> uma >>>> authorization process >>>> < >>>> https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_au... >>>> > >>>> . >>>> >>>> When the user drops from the system before they submit their order (i.e. >>>> the order is incomplete) we want to be able to send them an email with a >>>> link to the user so they’ll be able to get automatically authenticated >>>> and >>>> authorized so they can continue working on this protected resource. >>>> >>>> Does keycloak provide this kind of functionality out of the box? >>>> (i.e. given a link with some sort of long-lived token, get authenticated >>>> with keycloak and redirected to some arbitrary url) >>>> Is there any recommended way to approach this? >>>> >>>> any hints would be greatly appreciated. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>>

4 years, 5 months

1
0
0 / 0

JBoss_Keycloak_"404 - Not Found"

by Naga Vijay

Hello, Can someone help me with this? ============== Environment - ============== 1. OS - Mac OS X 2. JBoss EAP 7.1 3. Keycloak 7.0.1 ============== Issue - ============== . Getting "404 - Not Found" for a simple hello.war (with KEYCLOAK as the auth-method in its web.xml) when accessing http://localhost:8080/hello ============== Attachments - ============== 1. kc.json - export dump of keycloak database/configuration 2. hello.war - the simple war tested with Let me know if you need any other info. Thanks Naga

4 years, 5 months

2
6
0 / 0

[UMA] Access a protected resource by using a link

by Fernando Mayoral

Hello! We have a product on which we create a protected resource (called orders) in keycloak and we secure access to it by using a UMA as described by uma authorization process <https://www.keycloak.org/docs/7.0/authorization_services/#_service_uma_au...> . When the user drops from the system before they submit their order (i.e. the order is incomplete) we want to be able to send them an email with a link to the user so they’ll be able to get automatically authenticated and authorized so they can continue working on this protected resource. Does keycloak provide this kind of functionality out of the box? (i.e. given a link with some sort of long-lived token, get authenticated with keycloak and redirected to some arbitrary url) Is there any recommended way to approach this? any hints would be greatly appreciated.

4 years, 5 months

2
3
0 / 0

CORS error in Keycloak Admin REST API - Unable to create realms from React JS app

by Vinay Matam

Hi, I need help with a situation. We are trying to create new realms in Keycloak dynamically from a ReactJS based application with the help of the Keycloak Admin Rest API. Here's what we have done so far: Created a client in the master realm, "realm-creator", type = confidential, Service Accounts Enabled = true, Scope = admin & create-realm selected, Service Account Roles = create-realm. I then fetch an access token of the above client using the grant_type = client_credentials, Authorization = BASIC and using the client id and client secret as username and password. I am successfully getting the access token. Now, as a next step, I am using this access token to create new realms by calling the Admin REST API endpoint to create new realm, https://<keycloakserver>/auth/admin/realms Authorization: Bearer <accesstoken> // Access token generated from the above step using "realm-creator" client and sending the JSON body representation of the realm representation. Now, everything is working fine as expected when I test this from postman. Realm is getting created successfully. But when I try to implement this from a ReactJS app, I am getting a CORS error. For clients, we have an option of "Web Origins" and we can configure a "*" or the URL we want, to solve the CORS issue. But here the client "realm-creator" does not have "Standard Flow" Enabled and I am not seeing the option of "WebOrigins". Where should I configure the CORS setting for the Keycloak Admin REST API to avoid CORS error ? Please help. Thank you!

4 years, 5 months

1
0
0 / 0

Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

by Sushil Singh

________________________________ From: Sushil Singh <sushil.singh(a)guavus.com> Sent: 15 November 2019 15:14 To: Vishnu Prakash <vishnuprakash323(a)gmail.com>; Pedro Igor Silva <psilva(a)redhat.com>; Stian Thorgersen <sthorger(a)redhat.com> Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer Hi, I think the use case is similar to what I am proposing @Vishnu Prakash<mailto:vishnuprakash323@gmail.com> I have also proposed to impose custom policy-enforcement on a set of resources. https://github.com/keycloak/keycloak/pull/6448 [https://repository-images.githubusercontent.com/11125589/bd31cf00-70f4-11...]<https://github.com/keycloak/keycloak/pull/6448> KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters by sushil-singh-guavus · Pull Request #6448 · keycloak/keycloak<https://github.com/keycloak/keycloak/pull/6448> KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300 github.com Where user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if it satisfies permission for all resources in the Map Currently I don't think this functionality is available in keycloak Thanks, Sushil ________________________________ From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Vishnu Prakash <vishnuprakash323(a)gmail.com> Sent: 15 November 2019 10:01 To: keycloak-user <keycloak-user(a)lists.jboss.org> Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer Hi, I want to protect my REST api's using Keycloak. I am deploying my application in Wildfly application server and using keyclaok wildfly adapters. Is it possible to associate a REST api end point to multiple resources in keycloak using the Policy Enforcer. If the user is having permission to access all the associated resources, then only access should be granted to the api. Any input will be a great help to me. Thanks & Regards, Vishnu Prakash _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

4 years, 5 months

2
1
0 / 0

Keycloak redirects localhost and not redirect remote url

by Alfonso Vidal García

I have my Keycloak server and my web app connected with to Keycloak to do the login into the app. If I run in local, its redirects perfectly, but if I deploy the server and the web app in the same server, when the web app redirects to keycloak it redirects to localhost not to the remote url. Any idea how to avoid redirects to localhost? P Please consider the environment before printing this e-mail.

4 years, 5 months

1
0
0 / 0

Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer

by Vishnu Prakash

Hi, I want to protect my REST api's using Keycloak. I am deploying my application in Wildfly application server and using keyclaok wildfly adapters. Is it possible to associate a REST api end point to multiple resources in keycloak using the Policy Enforcer. If the user is having permission to access all the associated resources, then only access should be granted to the api. Any input will be a great help to me. Thanks & Regards, Vishnu Prakash

4 years, 5 months

1
0
0 / 0

keycloak is accessed over HTTPS, but loads AJAX resources over HTTP

by mn＠fstrk.io

I deployed a Keycloak instance in a docker container on Heroku. The app is being served by Heroku load balancer over https. The JBoss server options I provide are as follows: -Djboss.bind.address=0.0.0.0 -Djboss.http.port=$PORT However when I access the admin console I have this error in the browser: === The page at 'https://xxx.com/auth/realms/fasttrack/protocol/openid-connect/auth... was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://xxx.com/auth/realms/fasttrack/login-actions/authenticate?.... This endpoint should be made available over a secure connection. === why is that? How does Keycloak make a decision to request content over HTTP when it was served over HTTPS? Maybe there are some server settings I am missing? As for setting "Require SSL=None" in the Keycloak admin panel - I already did that. That didn't help. -- Михаил Новиков Ведущий разработчик fstrk.io

4 years, 5 months

1
0
0 / 0

keycloak login page toggle

by Kannan, Vidhya (CMS)

Hello: I have a requirement for a toggle in the login page, between 2 categories If user chooses category 1, ldap should be used for auth, If user chooses category 2, AD should be used for auth. Finally to be redirected to the same client application. Is it possible with keycloak? Does it require development? Any directions will help. I don't find info in keycloak documentation. Thanks in advance. Vidhya

4 years, 5 months

2
3
0 / 0

Infinispan clustered sessions not being cleaned up after they expire.

by Marc Wijma

Hi, We see user sessions not expiring/cleaned up after the session max is expired (we see sessions being present of 2-3 days old in the session overview in the admin area). Since we are using a session limit per user (custom authenticator) this is a problem, since users experience blocked access due to false assumed # active sessions (expired sessions count as active ones). The used code in our authenticator 4 checking how many active users sessions there are, is checking the .size() function on the cache object. According to infinispan documentation (https://infinispan.org/docs/9.4.x/user_guide/user_guide.html#expiration_d...), on such a call lazy configured sessions should be invalidated and not counted in. NOTE this in in a higher infinispan version in the docs of version 7, nothing of this is mentioned. Alse this is valid in a local cache setup. I am under the impression that in a clustered setup this is not the case? You need to actively cleanup those sessions yourself (configure the reaper??). Out of the box config in keycloak is not giving any insight how this works and if a reaper is configured. Is my assumption correct that configuring a reaper would solve my problems and how would that configuration look like??? Background: We use keycloak 4.8.3 in a load balanced environment (A10, ssl offloading) 2 vps machines with infinispan 7 as a replicated caching mechanism between the machines. Session settings (adminarea: realm settings > tokens) - SSO Session Idle: 30 min - SSO Session Max 10 Hours - SSO Session Idle Remember Me 0 minutes - SSO Session Max Remember Me 30 days Code snippet in custom authenticator checking amount of active sessions: // Get the session count in this realm for this specific user List<UserSessionModel> userSessionsForRealm = session.sessions().getUserSessions(context.getRealm(), context.getUser()); int userSessionCountForRealm = userSessionsForRealm.size(); // Get the session count related to the current client for this user ClientModel currentClient = context.getAuthenticationSession().getClient(); logger.debugf("Client: %s", currentClient.getClientId()); List<UserSessionModel> userSessionsForClient = userSessionsForRealm.stream().filter(session -> session.getAuthenticatedClientSessionByClient(currentClient.getId()) != null).collect(Collectors.toList()); int userSessionCountForClient = userSessionsForClient.size(); We have configured infinispan as followed in standalone-ha.xml (basically as is out of the box): <subsystem xmlns="urn:jboss:domain:ejb3:5.0"> … <caches> <cache name="simple"/> <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/> </caches> <passivation-stores> <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/> </passivation-stores> … </subsystem> …… <subsystem xmlns="urn:jboss:domain:infinispan:7.0"> <cache-container name="keycloak"> <transport lock-timeout="60000"/> <local-cache name="realms"> <object-memory size="10000"/> </local-cache> <local-cache name="users"> <object-memory size="10000"/> </local-cache> <local-cache name="authorization"> <object-memory size="10000"/> </local-cache> <local-cache name="keys"> <object-memory size="1000"/> <expiration max-idle="3600000"/> </local-cache> <replicated-cache name="work"/> <distributed-cache name="sessions" owners="1"/> <distributed-cache name="authenticationSessions" owners="1"/> <distributed-cache name="offlineSessions" owners="1"/> <distributed-cache name="clientSessions" owners="1"/> <distributed-cache name="offlineClientSessions" owners="1"/> <distributed-cache name="loginFailures" owners="1"/> <distributed-cache name="actionTokens" owners="2"> <object-memory size="-1"/> <expiration interval="300000" max-idle="-1"/> </distributed-cache> </cache-container> …… Marc Wijma senior ontwikkelaar T 0522 235 235 M.Wijma(a)edu-actief.nl www.edu-actief.nl Meppel (Stationsweg 66) Edu'Actief Boom beroepsonderwijs Stationsweg 66 7941 HG Meppel Postbus 1056 7940 KB Meppel -------------------------------------------------------------------- De inhoud van dit bericht is uitsluitend bestemd voor geadresseerde. Gebruik van dit bericht door anderen zonder toestemming van Edu'Actief is onrechtmatig. Is dit bericht niet voor u bestemd? Meld dit a.u.b. aan de afzender en verwijder dit bericht. Aan de inhoud van dit bericht kunnen geen rechten worden ontleend. --------------------------------------------------------------------

4 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2019