Re: [keycloak-user] keycloak does not send backchannel logout requests to Admin URL
by mn@fstrk.io
Anyway, if you've made this work, please specify the versions of the
libraries you used; I will find a Java friend to put them together, and
then I'll look at HTTP requests issued and implement them in Python :)
11.11.19 23:06, Leonid Rozenblyum writes:
> Well since Spring Security adapter is used inside Java client software
> to secure communication with Keycloak, and you're developing your
> software in Python - it seems to be another problem...
>
> According to the docs:
>
>
> *Admin URL*
> For _Keycloak specific_ client adapters, this is the callback endpoint
> for the client. The Keycloak server will use this URI to make
> callbacks like pushing revocation policies, performing backchannel
> logout, and other administrative operations. For Keycloak servlet
> adapters, this can be the root URL of the servlet application. For
> more information see Securing Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so Admin
> URL is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn(a)fstrk.io <mailto:mn@fstrk.io>
> <mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
>
> I would love to try it, but I am a Python guy and I am not sure
> how to figure out Keycloak internals :) Is there any way you can
> point me to the instructions on how to do it?
>
>
>
> 11.11.19 22:27, Leonid Rozenblyum writes:
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
>> before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn(a)fstrk.io <mailto:mn@fstrk.io>
>> <mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
>>
>> I am using the Docker version, and 8.0.0 has not been
>> released in Docker yet:
>> https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is to wait for the 8.0.0
>> Docker release then.
>>
>>
>> 11.11.19 17:56, Leonid Rozenblyum writes:
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently fixed
>>> and the fix should be part of 8.0.0
>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn(a)fstrk.io
>>> <mailto:mn@fstrk.io> <mn(a)fstrk.io <mailto:mn@fstrk.io>> wrote:
>>>
>>> I created a client in Keycloak and set up a test admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>> (this is a
>>> webhook testing site).
>>>
>>> After that, I performed an OpenID login via this client,
>>> and then sent a
>>> logout request to Keycloak.
>>>
>>>
>>> I did this a couple of times, and tried two ways of
>>> logging a user out:
>>>
>>> - redirecting to
>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>>
>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>
>>> - force logging out of the user via Keycloak admin
>>> interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both of
>>> these cases I don't
>>> see any requests coming out from Keycloak. The testing
>>> website shows
>>> zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> <mailto:keycloak-user@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Mikhail Novikov
>> Lead Developer
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Mikhail Novikov
> Lead Developer
> fstrk.io <http://fstrk.io>
>
--
Mikhail Novikov
Lead Developer
fstrk.io
5 years, 1 month
Multi-tenant system: Using single /certs endpoint for all realms (spring-security-oauth2)
by Ori Doolman
Hi,
I'm using spring-security-oauth2-autoconfigure package in my Spring boot Java service for securing my REST endpoints. I'm not using any Keycloak adapters. It's basically working, but there is a problem with multi-tenancy (multi realms).
I'm getting the Keycloak token in the Authorization header, and then the spring code is using a class named JwkTokenStore (and other related ones) to verify the token signature.
For that, it is getting the public key from Keycloak by interrogating the /certs endpoint.
In keycloak, each realm has its own public key (represented by different KID) and also its own /certs endpoint.
For example, if I have 2 tenants on my system, then my service will have to interrogate 2 endpoints:
/auth/realms/{tenant1}/protocol/openid-connect/certs
/auth/realms/{tenant2}/protocol/openid-connect/certs
This poses an issue, since it means I will have to interrogate another endpoint each time I add another tenant to my system.
And unfortunately, spring-security-oauth2 does not support dynamic discovery of new public key endpoints. It can only use the ones provided upon startup.
It means I have no way to support dynamic on-boarding of new tenants.
My questions:
1) Is there any way to configure Keycloak to use a single /certs endpoint for all the realms (and return the KIDs of all realms)?
Or maybe have all realms share the same keys between them and then I will always use the master realm endpoint.
2) Why must different realms use different keys in Keycloak? I suppose the answer would involve the term "security" : )
But still, when using Google APIs, all customers are using the same public key from this URL: https://www.googleapis.com/oauth2/v3/certs .
Thanks,
Ori.
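An added example, not from the thread and not spring-security-oauth2's own code, of the pattern that sidesteps a startup-only key list: derive the realm from the token's `iss` claim, but only after checking that the issuer is a realm path on the one trusted Keycloak host, then fetch and cache that realm's `/certs` the first time an unknown `kid` appears. Written in Python so it runs stand-alone; the host name, the JWKS content and the `fetch` callback are constructed.

```python
import base64
import json
import re
from urllib.parse import urlparse

KEYCLOAK_BASE = "https://sso.example.com/auth"   # constructed: the only host we trust
FAKE_CERTS = {  # constructed stand-in for what each realm's /certs endpoint returns
    f"{KEYCLOAK_BASE}/realms/tenant1/protocol/openid-connect/certs":
        {"keys": [{"kid": "kid-t1", "kty": "RSA", "use": "sig", "n": "...", "e": "AQAB"}]},
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _segment(token, index):
    seg = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_unsigned_token(header, payload):
    # Demo helper: header.payload with an empty signature part (never accept such tokens).
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."

def realm_for_issuer(iss):
    """Map an unverified iss claim to a realm name, or None unless the issuer is a realm
    path on our trusted host; this stops a forged iss from steering us to a foreign JWKS."""
    base, u = urlparse(KEYCLOAK_BASE), urlparse(iss)
    if (u.scheme, u.netloc) != (base.scheme, base.netloc):
        return None
    m = re.fullmatch(re.escape(base.path) + r"/realms/([A-Za-z0-9_.-]+)", u.path)
    return m.group(1) if m else None

class JwksResolver:
    """Per-realm JWKS cache keyed by kid; refreshes once when a kid is unknown.
    Rate-limit that refresh in production, or random kids become a DoS lever."""
    def __init__(self, fetch):
        self._fetch = fetch   # fetch(url) -> dict; plug urllib/requests in here
        self._cache = {}      # realm -> {kid: jwk}

    def key_for(self, token):
        try:
            iss, kid = _segment(token, 1).get("iss", ""), _segment(token, 0).get("kid")
        except (ValueError, IndexError, AttributeError):
            return None   # malformed token: no issuer to trust, nothing to fetch
        realm = realm_for_issuer(iss)
        if realm is None or kid is None:
            return None
        if kid not in self._cache.get(realm, {}):
            doc = self._fetch(f"{KEYCLOAK_BASE}/realms/{realm}/protocol/openid-connect/certs")
            self._cache[realm] = {k["kid"]: k for k in doc.get("keys", []) if k.get("use") == "sig"}
        return self._cache[realm].get(kid)  # hand this JWK to your JWT library to verify
```

The returned JWK only selects the key; signature, `exp` and `aud` checks still belong to the JWT library that consumes it.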
5 years, 1 month
Link for password reset sent via email
by Serhiy Senyush
Hello,
I have Keycloak running in a Kubernetes cluster, and my application sends a
request to Keycloak via the REST API to reset a user's password (send action
email). The application and Keycloak are running in different containers. The
problem is that the link sent by Keycloak contains the internal address and is
not accessible to external users. Hence I have some questions:
1. Is there a way to configure the link sent in emails?
2. Is there any configuration needed in the docker container?
3. Is the link generated based on where the password request comes from?
4. Is the link generated based on the token that is included in the request
from the application?
I am looking forward to your reply.
Sincerely yours
Serhiy Senyush
e-mail: serhiysenyush(a)gmail.com
5 years, 1 month
Keycloak Istio RBAC returns 403 Forbidden
by Kannan K R
Hi All
I’m trying to authorize my users using their roles. Here is my JWT from
Keycloak
{
  "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
  "exp": 1573594538,
  "nbf": 0,
  "iat": 1573558569,
  "iss": "https://kc.krk.wtf/auth/realms/K2",
  "aud": "account",
  "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
  "typ": "Bearer",
  "azp": "ufinity",
  "auth_time": 1573558538,
  "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
  "acr": "1",
  "realm_access": {
    "roles": [
      "provider",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "ufinity": {
      "roles": [
        "provider1"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "name": "Kannan2 Provider",
  "preferred_username": "kannan2",
  "given_name": "Kannan2",
  "family_name": "Provider",
  "email": "kannan2(a)yopmail.com"
}
My Authorization yaml files are as follows:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    services:
    - "record.default.svc.cluster.local"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services:
    - "record"
    paths: ["/users/*"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: provider-role
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: provider-role-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[roles]: "provider1"
  roleRef:
    kind: ServiceRole
    name: "provider-role"
I’m always getting 403 forbidden response.
Please let me know what am I doing wrong here. Or please point me to a
documentation
Thanks in advance
-Kannan
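An added check, not from the thread: flatten the token payload shown above and ask where each role value actually lives. The binding's selector `request.auth.claims[roles]` names a claim by its top-level key, and this token has no top-level `roles` claim; `provider1` sits under `resource_access.ufinity.roles`. That the v1alpha1 RBAC selector cannot reach nested claims is my reading of it and is stated here as an assumption; the trimmed payload below is copied from the message.

```python
import json

# The token payload from the message above, trimmed to the claims that matter here.
TOKEN_PAYLOAD = json.loads("""{
  "iss": "https://kc.krk.wtf/auth/realms/K2",
  "azp": "ufinity",
  "realm_access": {"roles": ["provider", "offline_access", "uma_authorization"]},
  "resource_access": {"ufinity": {"roles": ["provider1"]},
                      "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
  "scope": "openid email profile"
}""")

def flatten_claims(obj, prefix=""):
    """Return {dotted.path: value} for every leaf claim; lists are kept whole."""
    out = {}
    for key, val in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            out.update(flatten_claims(val, path))
        else:
            out[path] = val
    return out

def paths_holding_role(payload, role):
    """All claim paths whose value is, or contains, the given role name."""
    return sorted(p for p, v in flatten_claims(payload).items()
                  if (isinstance(v, list) and role in v) or v == role)

def top_level_roles_claim(payload):
    """What a selector keyed on the top-level claim 'roles' would see: the claim,
    or None when the token carries none (the case in the message above)."""
    return payload.get("roles")
```

Keycloak's User Realm Role and User Client Role protocol mappers can write the roles into a top-level claim with a name of your choosing, which is the shape a top-level selector can match.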
5 years, 1 month
KEYCLOAK SSO QUERIES
by CHARLES BABU
Hello Sir,
My name is Charles and I am working in an organization called Maybank. We are planning to integrate Keycloak into one of our newly developed application suites. I am supposed to do a POC for this project on Keycloak integration. I got your mail id from one of the git projects which you created to integrate Keycloak with Spring Boot web. Can you help me answer the questions below?
* I want to dynamically draw menus in my application. What is the best way to do this using Keycloak? (Any policies/permissions?)
* I want to enable/disable HTML elements (textbox, dropdown etc.) based on user role. Is this possible?
* Can I maintain a user hierarchy like manager/reportees etc. using Keycloak?
* Can you suggest any documentation to learn the product?
Regards,
Charles
5 years, 1 month
log file for login and admin events
by Yang Yang
Hi,
Could you help to tell how to get the log file for login and admin events?
I have enabled event logging and can check login and admin events on the web portal, but I could not get logs for those events in server.log or audit.log. Is there some other file or configuration I missed?
I am using the official docker image.
Thanks,
Yang
5 years, 1 month
Failed to get log files with docker installation
by Yang Yang
Hi,
I wanted to access the Keycloak logs on the host machine, so I started the docker container with "-v /path/on/my/host:/opt/jboss/keycloak/standalone/log", and then ran into a permission issue: "java.io.FileNotFoundException: /opt/jboss/keycloak/standalone/log/server.log (Permission denied)".
Could you help me with what I should do? Some posts on the internet suggest deactivating SELinux or running the container in privileged mode, which I believe is not good for security reasons.
Thanks,
Yang
5 years, 1 month
User and organization connect
by Tumenjargal B
How do I connect a user to an organization in Keycloak? Please describe it to me. Example: User 1 is a worker of company A, but User 1 is also a part-time worker of company B.
5 years, 1 month
export/import realms - illegal json format?
by Ori Doolman
Hi,
I'm using Keycloak docker 7.0.1 to export all my realms into a json file realms.json.
Then, I take the json file and try to import in another container.
The json looks like:
[ {
    "id" : "tenant1",
    "realm" : "tenant1",
    ....
  },
  {
    "id" : "tenant2",
    "realm" : "tenant2",
    ....
} ]
However, after I run the import, I get an error about the json format. I checked the json with an online validator, and it seems to be valid.
Is that a bug? Is there any way to reformat the json so it will work?
When I export/import a single tenant, I don't get the error.
Here is my export command:
docker exec keycloak /opt/jboss/keycloak/bin/standalone.sh \
-Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.usersExportStrategy=REALM_FILE \
-Dkeycloak.migration.file=/tmp/vol/realms.json
Here is my import command:
sudo docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_IMPORT=/tmp/vol/realms.json -v /home/caadmin/keycloak:/tmp/vol --name keycloak jboss/keycloak
This is the error I get:
... 8 more
Caused by: java.lang.RuntimeException: Failed to parse json
at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication.loadJson(KeycloakApplication.java:476)
at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication.importRealms(KeycloakApplication.java:368)
at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:233)
at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:146)
at org.keycloak.keycloak-server-spi-private@7.0.1//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.keycloak-services@7.0.1//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:137)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at org.jboss.resteasy.resteasy-jaxrs@3.7.0.Final//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
... 31 more
Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `org.keycloak.representations.idm.RealmRepresentation` out of START_ARRAY token
at [Source: (FileInputStream); line: 1, column: 1]
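An added example, not from the thread: the trace ends in `KeycloakApplication.importRealms` calling `loadJson` to read one `RealmRepresentation` from a file whose first token is `[`, so the `KEYCLOAK_IMPORT` path expects one realm object per file while the singleFile export writes an array of realms. This script splits the array into per-realm files and builds the `KEYCLOAK_IMPORT` value as a comma-separated list of container paths (the Docker image passes `KEYCLOAK_IMPORT` through as the `keycloak.import` property, which accepts such a list). The sample export is constructed; the `/tmp/vol` container path is the one used in the message.

```python
import json
import re
from pathlib import Path

# Constructed stand-in for the exported realms.json in the message (not a real export).
SAMPLE_EXPORT = json.dumps([
    {"id": "tenant1", "realm": "tenant1", "enabled": True},
    {"id": "tenant2", "realm": "tenant2", "enabled": True},
])

def is_safe_realm_name(name):
    """Realm names become filenames here, so allow only plain, path-free names."""
    return (isinstance(name, str) and name not in (".", "..")
            and re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None)

def split_realms(export_text):
    """Turn a singleFile export (a JSON array of realms, the START_ARRAY the trace
    chokes on) into {filename: realm-dict}, one realm per file."""
    data = json.loads(export_text)
    if isinstance(data, dict):          # a single realm object: nothing to split
        data = [data]
    if not isinstance(data, list):
        raise ValueError("expected a realm object or an array of realm objects")
    out = {}
    for realm in data:
        name = realm.get("realm") if isinstance(realm, dict) else None
        if not is_safe_realm_name(name):
            raise ValueError(f"refusing realm name {name!r}")
        fname = f"{name}-realm.json"
        if fname in out:
            raise ValueError(f"duplicate realm {name!r} in export")
        out[fname] = realm
    return out

def write_split(export_path, out_dir, container_dir="/tmp/vol"):
    """Write one file per realm under out_dir (the host side of the -v mount) and
    return the KEYCLOAK_IMPORT value: a comma-separated list of container paths."""
    files = split_realms(Path(export_path).read_text())
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for fname, realm in files.items():
        (out / fname).write_text(json.dumps(realm, indent=2))
    return ",".join(f"{container_dir}/{fname}" for fname in files)
```

The other route that keeps the array form is to import with the same mechanism that produced the file, `-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=...`, which reads a list of realms.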
5 years, 1 month