Feature Request
by Sushil Singh
Hi,
As of now there is support of only http-method-as-scope when policyEnforcer is enabled inorder to get the mapping between application scopes and keycloak defined scopes. But I want to use keycloak not only for rest api's but for other use cases where I can have application specific custom resources (independent of URI requested) and actions(scopes). i want some API to provide support for custom resources as well as scopes
ex-: I have a pipeline to run and it can have actions like STOP ,RUN , RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding a functionality where user can use custom scopes would be of great help and extend its usability for non rest api's also.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
4 years, 6 months
create custom policy provider
by erik
Hello,
I have created a custom PolicyProvider and custom PolicyProvviderFactory
which have been successfully registered it with keycloak. The provider
shows up under the provider list in server info and is listed under
policies drop down when adding an authorization policy to a client. How
ever when I select the policy provider and to create one the next page says
page not found the page we could not fine the page you are looking fo.
What is necessary to to get a policy provider created? I have been
following the below samples
https://github.com/keycloak/keycloak/tree/master/authz/policy/common/src/...
4 years, 6 months
Keycloak automatic cache invalidation
by Hossein Doutaghy
Hi,
Is there a way to automatically invalidate the users and realms caches?
I know we can clear these caches from the Keycloak admin console under
realm settings, but I am looking for an automated way to do this. One
option we are exploring is to call the API but I was wondering if there is
any setting we can add to the cache settings in standalone xml file to
periodically invalidate the caches.
Would this work for users and realms caches? <expiration
max-idle="3600"/>
Thanks,
Moe
Security Software Developer
4 years, 6 months
Script Based Authenticator - Web Service Call
by Frank Herrmann
Hello all,
I'm attempting to use a script based authenticator to fire as part of the
post login flow of an identity provider. I need to make a web service call
from this script. Is this even possible? I've tried using XMLHttpRequest,
but as this is not executing inside a browser, it does not work. Is there a
way to get access to RestEasy on Wildfly and use REST.request()?
Basically, has anyone had to do anything similar, and what did you do to
accomplish this? Or, if this isn't possible in the limitations of a script
based authenticator, should I just write a small authenticator in Java to
handle this.
Thanks for the help.
-Frank
--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann(a)modmed.com
[image: [ Modernizing Medicine ]] <http://www.modmed.com/>
[image: [ Facebook ]] <http://www.facebook.com/modernizingmedicine> [image:
[ LinkedIn ]] <http://www.linkedin.com/company/modernizing-medicine/> [image:
[ YouTube ]] <http://www.youtube.com/user/modernizingmedicine> [image: [
Twitter ]] <https://twitter.com/modmed> [image: [ Blog ]]
<http://www.modmed.com/BlogBeyondEMR> [image: [ Instagram ]]
<http://instagram.com/modernizing_medicine>
[image: [ MOMENTUM 2019 ]] <https://momentum.modmed.com/>
--
*CONFIDENTIALITY NOTICE:* This e-mail message may contain material
protected by the Health Insurance Portability and Accountability Act of
1996 and its implementing regulations and other state and federal laws and
legal privileges. This message is only for the personal and confidential
use of the individuals or organization to whom the message is addressed. If
you are an unintended recipient, you have received this message in error,
and any reading, distributing, copying or disclosure is unauthorized and
strictly prohibited. All recipients are hereby notified that any
unauthorized receipt does not waive any confidentiality obligations or
privileges. If you have received this message in error, please notify the
sender immediately at the above email address and confirm that you have
deleted or destroyed the message.
4 years, 6 months
[keycloak-dev] scripts-upload feature
by Knüppel, Pascal
Sorry for the late response...
I added the property "keycloak.profile.feature.scripts_upload=enabled"
The other one does not seem to have any effects anymore
Regards
Pascal Knüppel
--------------------------------------------------------------------------------
Moving discussion to keycloak-user mailing list.
Did you enable the `scripts`feature using system property
`-Dkeycloak.profile.feature.scripts=enabled` ?
Regards.
Pedro Igor
****************************************************
Veranstaltungsvorschau: Besuchen Sie
uns...
11.
Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<https://jahrestagung-eakte.de/>
Kongress e-nrw |
07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
OMNISECURE | 20.-22.01.2020
|Berlin<https://www.omnisecure.berlin/de/>
Zukunftskongress
Staat & Verwaltung |15.-17.06.2020 |
Berlin<https://www.zukunftskongress.info/de/zksv/willkommen>
On Mon, Nov 4, 2019 at 7:47 AM Knüppel, Pascal <
Pascal.Knueppel at governikus.de<https://lists.jboss.org/mailman/listinfo/keycloak-user>> wrote:
> Hi,
>
> I got a simple problem with the scripts upload feature. I created a
> jar-file as described here (
> https://www.keycloak.org/docs/7.0/server_development/#_script_providers)
> and put it into the deployments directory of keycloak. But now the simple
> question... how am I supposed to map these defined script-mappers and the
> authenticator-execution into my configuration within the admin-console?
> the deployment was successful and this is my "keycloak-scripts.json" file
>
> {
> "authenticators": [
> {
> "name": "authentication-level",
> "fileName": "authentication-level-script-authenticator.js",
> "description": "This script determines the authentication level,
> i.e. the authentication method used to identify the user"
> }
> ],
> "mappers": [
> {
> "name": "substitute-roles-mapper",
> "fileName": "substitute-roles-script-mapper.js",
> "description": "maps substitute roles into the access token"
> },
> {
> "name": "authentication-level-mapper",
> "fileName": "authentication-level-script-mapper.js",
> "description": "maps the authentication level into the access token"
> }
> ]
> }
>
> my jar file has the following structure:
>
> /
> |_ META-INF
> | |_keycloak-scripts.json
> | |_MANIFEST.MF
> |_authentication-level-script-authenticator.js
> |_authentication-level-script-mapper.js
> |_substitute-roles-script-mapper.js
>
> I can neither find the authenticator nor the mappers in the admin-console
> and I have no idea how to map them...
> any ideas?
>
> Best regards
> Pascal Knüppel
>
> ****************************************************
> Veranstaltungsvorschau: Besuchen Sie uns...
> 11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<
> https://jahrestagung-eakte.de/>
> Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
> OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
> Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin<
> https://www.zukunftskongress.info/de/zksv/willkommen>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org<https://lists.jboss.org/mailman/listinfo/keycloak-user>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
________________________________
4 years, 6 months
Gatekeeper access via custom field in token
by Popov, Viktor
Hello!
I added users AD groups into my token.
Is it possible to make gatekeeper allow/deny access based on this field and not by roles field?
So, I want to do something like:
--resources='uri=/*|methods=GET,PUT|ad_group=group1,group2'
Thanks!
Victor
4 years, 6 months
Keycloak Gatekeeper - Forward ID token
by Moritz Kammerer
Hi,
I'm using the newest Keycloak and Keycloak Gatekeeper. I got it set up so
that my upstream receives the access token as Authorization header. Is
there a way to also get the ID token in the upstream application?
Thanks,
Moritz
4 years, 6 months
