March 2019 - keycloak-user - Jboss List Archives

OpenID Connect: Is storing access token in browser sercure?

by Timurhan Sungur

<https://security.stackexchange.com/questions/205837/openid-connect-is-sto...> Hi, I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services. In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect <https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak <https://www.keycloak.org/> and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a a client-side integration or server-side integration with the REST API. Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage <https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access to the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability. I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far. I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service. My questions: Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them? Is there a way to mitigate the security threat and still store it in browser? Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to? What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service? Thank you for your assistance in advance! Regards, Timur

5 years, 1 month

3
5
0 / 0

node adapter

by Greet Robijns

Hi all, I followed the instructions on https://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_ada... to add a keycloak to my express server. my routes are handled by react on the client side. However I only get "access denied" and no redirection to the authentication page? My configuration: var session = require("express-session"); var Keycloak = require("keycloak-connect"); connectWithRetry(); var memoryStore = new session.MemoryStore(); let kcConfig = { realm: "Marketing Console", url: "http://localhost:8080/auth", clientId: "marketing_console", "bearer-only": true, "ssl-required": "none", "enable-cors": true, "public-client": true }; app.use( session({ secret: "mySecret", resave: false, saveUninitialized: true, store: memoryStore }) ); let keycloak = new Keycloak({ store: memoryStore }, kcConfig); app.get("/", keycloak.protect()); Kind Regards Greet Robijns

5 years, 1 month

2
4
0 / 0

Document how to generate a custom signed JWT when user is authenticated

by HILEM Youcef

Hi, I do not find documentation that provides instructions on how to implement a custom JWT for Keycloack. My need is to create Custom Tokens for Google Firestore ( https://firebase.google.com/docs/auth/admin/create-custom-tokens). Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method. To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS <https://firebase.google.com/docs/auth/ios/custom-auth/>, Android <https://firebase.google.com/docs/auth/android/custom-auth/>, web <https://firebase.google.com/docs/auth/web/custom-auth/>). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in yourFirebase Realtime Database Security Rules <https://firebase.google.com/docs/database/security/> and the request.auth object in your Cloud Storage Security Rules <https://firebase.google.com/docs/storage/security/>. You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support. Thanks Youcef HILEM

5 years, 1 month

2
1
0 / 0

X509 Client Authentication regex replacement possible?

by Page, Raymond (Techical Solutions )

To those that assisted me, thanks for the assistance yesterday, I finally got the logging that I needed enabled. When using auth-x509-client-username-form, is it possible to specify a regex *replacement* instead of simply a regex sub-string match for the identity? I'm mapping a numeric unique identifier in the client certificates to the UPN attribute in AD of the form '1234@domain'. Since the numeric unique identifier (i.e. '1234') is not in a dedicated attribute in AD, I cannot simply extract the identifier from the certificate, I need to append the '@domain' portion for the UPN lookup. If regex replacements aren't supported, where can I recommend this as a feature request? Should I reopen this feature request with an enhancement request: https://issues.jboss.org/browse/KEYCLOAK-4335 -- Raymond Page, CTR (US) Automation Engineer, UoT TIS CTR to Booz | Allen | Hamilton page_raymond(a)ne.bah.com raymond.c.page15.ctr(a)mail.mil C: (321) 549-7243<tel:(321)+549-7243> W: (703) 679-8618<tel:(703)+679-8618>

5 years, 1 month

1
0
0 / 0

Javascript Adapter vs Node Adapter

by Adnan Khan

Hi folks, I'm a junior javascript developer and am looking into ways to implement SSO using keycloak. My applications are javascript with backend rest node and front-end vue. Before I go deeper into implementation I wanted to understand why is there a javascript adapter and a node adapter as well. I understand that the javascript adapter is client side and the node adapter is server side. How do you authenticate a resource(end-point) from a client-side adapter? Another thing that's confusing me is keycloak.js, what is it? how is it used and its pros and cons? Thank you in anticipation and for bearing with the relatively noob questions. Regards, Adnan A. Khan

5 years, 1 month

2
2
0 / 0

Retrieving user information through the admin client on springboot

by Vikram

Hi all, Versions in use: Springboot version : 2.1.3 FINAL Keycloak version : 4.8.2 Springboot adapter version: 4.8.3 FINAL Keycloak admin client 4.8.2 FINAL So I am trying to get all the users that have a role "customer" and belong to a group "group1". I am using the following code. RoleResource roleResource = realmResource.roles().get("customer"); Set<UserRepresentation> customers= roleResource.getRoleUserMembers(); ArrayList<UserRepresentation> groupCustomers = new ArrayList<UserRepresentation>(); for (UserRepresentation user: customers) { if (user.getGroups().contains("group1") { //error System.out.println("group customer: " + user.getUsername()); groupCustomers.add(user); } } However, I get an error when I loop through the user representations to read the group names. I do not get the group and roles information. I get the username, first name and last name though.. Is it a permission issue ? How can I get around it ? Regards, Vikram

5 years, 1 month

2
1
0 / 0

jaxrs integration

by mhd wrk

The project I'm working on uses JAXRS/Jersey for REST and Spring Boot for wiring (DI). As of now we have our own Authentication/Authorization components based on JAXRS filters. What's the best way to replace the in-house components with KeyCloak? BTW, looking at the adapters under oidc adapters <https://github.com/keycloak/keycloak/tree/master/adapters/oidc>, seems to me the *jaxrs-outh-client* and *spring-boot2* might be the right candidates. However the first one is deprecated and the second one relies on spring-web which we are not using. Thanks, Mohammad

5 years, 1 month

2
1
0 / 0

Restrict max number of users in a realm

by Bruce Wings

Is it possible to restrict number of users creation in a realm to say 500 , 1000 etc? Where can I find the config for the same?

5 years, 1 month

2
1
0 / 0

keycloak-gatekeeper test with example-usage-and-configuration, but fail

by 毕务刚

PNG

5 years, 1 month

2
1
0 / 0

Keycloak Gatekeeper + API Key + Service Account

by Sylvain Malnuit

Hi, Using Keycloak , it's possible to declare client like a service account . Client secret becomes API key. In my case, I'm going to generate 10 clients (10 API keys). I have tried to use Keycloak-gatekeeper to cover this use case but GK support only one client. In my case, I 'm understanding that I must create 10 instances of GT :(. Is there a way to associate various client to one instance of GT (different paths .) ? Thxs for your help. Regards, Sylvain

5 years, 1 month

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user March 2019