Secure logins from different devices
by valsaraj pv
Hi,
We need to determine “typical” usage for a user and then flag sign-ins from
lesser-known locations. Is there any feature option in Keycloak, or can we
expect one in future versions?
Also, is it possible to set a custom browser workflow for a client in KC?
We are using 3.4 version.
Thanks!
5 years, 8 months
How to implement access to resources based on resource roles
by Alfonso Alba García
Hi guys,
We have a rails app with a very simple Role-Based access control model.
The thing is that this very simple model needs to become something much
more fine grained and I think that keycloak is the right tool for that.
We need a permission system to do the following:
* "Organisations" have users with different roles: Owner, Admins,
Collaborators and Members. These roles are what we call "Resource Roles"
* "Organisations" have modules or packages (for example "Events package"
or "Email package") that the owner can buy. Only the users with resource
role "Owner" can buy these items
* Owners and Admins of an organisation can edit the organization profile
or any resource of the organization (Event, Meeting, Contact, etc)
* Owners and Admins of an organisation can add users to packages. For
example, user XXXX will have permission to edit,create,destroy and view
any resource created in module YYYY in organisation ZZZZ.
* Owners and Admins can add Collaborators: a collaborator will have
permission to access certain organisation resources, for example,
collaborator XXX will have permission to edit Event YYYYY
* Owners and Admins can add Members: a member will have permission to
see all the resources from all the active packages that are marked as
"visible by members only"
* Members can edit the organization resources they create inside the
packages they have access to
* Packages have limits: if the organisation is free, you can only
create 2 events, for example.
* etc, etc, etc...
These are just a few of the permissions we need. At the moment, the
product owner is changing the roles and permissions regularly trying to
find the best way to monetise and test the business model. We need a way
to deploy those changes as soon as possible and I think keycloak can
help us with this task!
I've done some research about this use case and I found these two
threads [1], [2] in which a similar (simplified) model is discussed.
I've installed keycloak locally and now I'm trying to implement these
requirements. I've started with the ones I think are the easiest: the
organisation Owner and Administrator. Following what's suggested in the
threads mentioned above, I implemented these resource roles as follows:
* Create three scopes: organisation:edit, organisation:view,
organisation:billing
* Create a resource "Organisation 1" with scopes organisation:edit,
organisation:view and organisation:billing
* Create two client roles "Organisation 1 Owner" and "Organisation 1
Administrator"
* Create two policies: "Organisation 1 Owner Policy" and "Organisation 1
Administrator Policy"
* Create one scope-permission "Organisation 1 Managers Permissions" that
allows users with roles "Organisation 1 Owner" or "Organisation 1
Administrator" to get permission for the scopes organisation:edit and
organisation:view
* Create one scope-permission "Organisation 1 Owners Permissions" that
allows users with role "Organisation 1 Owner" to access the scope
organisation:billing
I created these for three organisations, as well as several users.
I've been playing around with them using the Evaluate functionality of
the keycloak client and apparently everything is working fine. Now I'm
thinking about how I could implement the access to the packages I
mentioned above, the members, etc, but before I continue I have several
questions:
* Since users can have different roles in different organisations, I'm
creating only one realm. I guess that's ok since different realms do not
share users.
* For every organisation that we create in our application we will need
to create all the policies, roles and permissions described above. Is
this supposed to be like that or am I missing something?
* If this is the way to do it, I was wondering if it's a good idea to
create a Resource Server (i.e. a new client inside the realm) for each
organisation. This way I can create a client organisation-1-client with
all the resources, policies and permissions for "Organisation 1". I
think that this will make deleting an organisation quite easy after the
user deletes the organisation, I just need to delete the client
organisation-1-client. I don't know if this is a good idea or not. Does it
have any negative impact on performance? Will this make the application
code more difficult? Or maybe this is not a good practice for some reason?
Thanks for your time. Regards,
Alfonso
-------
[1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
[2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html
5 years, 8 months
Tie admin console login to external LDAP user store
by ghuey@southalabama.edu
I can't seem to find this information explicitly documented although it
seems there is a test case on github but I am not having any luck with it.
I have successfully created a connection to our LDAP server under User
Federation, but I am not clear on where you tell Keycloak that the admin
console should authenticate against that defined LDAP instead of the
internal user store it uses by default. It may not be that simple. Again, I
want to be clear, this is simply leveraging my LDAP to actually log into
the Admin console of Keycloak, NOT using LDAP credentials for an IDP for
SSO, which I will be working on eventually.
Thank you for everyone's time.
5 years, 8 months
Cannot update the user realmRoles using the Admin API
by Alfonso Alba García
Hi,
I'm using the keycloak Admin API to create a new user with the
"subscriptor" role from my application.
I've found issue KEYCLOAK-6080 [1] in Jira which says that you first
have to create the user and then set the roles. That's what I'm trying
to do.
1- First, get a token for the Admin API using the admin user from the
master realm:
curl -d "client_id=admin-cli" \
-d "username=MYUSERNAME" \
-d "password=MYPASSWORD" \
-d "grant_type=password" \
"https://mykeycloakserver/auth/realms/master/protocol/openid-connect/token"
2- set shell variable "access_token" with the provided access_token
3- Change the user firstName and realmRoles of the "demo-rails-app" realm
curl -X PUT \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${access_token}" \
-d '{"realmRoles":["subscriptor"], "firstName":"NEW FIRST NAME"}' \
https://mykeycloakserver/auth/admin/realms/demo-rails-app/users/80ef4038-...
The firstName field of the user is properly updated, however the user
realm roles are not modified. Am I doing something wrong? I've tried to
pass a string instead of an array or use the role ID instead of the role
name but neither of them worked.
Regards,
Alfonso
------
1 - https://issues.jboss.org/browse/KEYCLOAK-6080
5 years, 8 months
converting OIDC token to SAML
by Bruce Wings
I have successfully integrated a few of my apps with keycloak (with OIDC
tokens). However, there is a 3rd party app which works on SAML tokens. I am
wondering whether it is possible to use my existing keycloak system to send SAML
tokens to this third party app?
i.e. I want to use keycloak as IDP and SP and generate SAML tokens and send
it to this 3rd party app. Is this scenario even possible?
5 years, 8 months
Duplicate email not supported
by valsaraj pv
Hi,
I have checked in the latest KC version and there is still an issue with importing
users with duplicate emails from LDAP using KC user federation. Is there any
option to disable the duplicate email check/constraint?
Thanks,
Valsaraj Viswanathan
5 years, 8 months
Regarding Keycloak custom 'UserNamePasswordFormFactory'
by Kiran Kumar Gubbi Veerajinendra
Hi,
We have a requirement where the browser Keycloak user login authentication will be performed by an external REST API in the backend. Please suggest how I can achieve this.
Kind Regards,
Kiran
5 years, 8 months
Re: [keycloak-user] How to implement access to resources based on resource roles
by Alfonso Alba García
As you mentioned, at the moment our "organisations" are more similar to
groups than to real organisational units. We have one realm that holds
all our users and a simple client to login users and implement the
authorisation.
However, you made an important remark about SaaS and realms... I have to
think again about your "random thought", I knew about user federation
but I was not aware that I can delegate authentication to other realms.
I guess it's similar to when you activate "login with facebook", right?
But instead of that I will have a "login with Eden". I have to dig
deeper into Identity Brokering and user federation. Thanks again, you have
been super-helpful!! :-)
Pedro Igor Silva wrote:
> It really depends on how different the organization settings are.
>
> Without knowing your use case in details, I assume that an organization
> may have different client applications. A SaaS solution would have
> organizations mapping to realms and not clients. In this case, each
> organization has its own user database and security settings.
>
> It seems that your use case is more likely related with groups as
> organizations given that you have a shared user database.
>
> FYI, the identity broker feature set in Keycloak can help to solve the
> "shared user database" across realms problem if you want to keep a
> single realm as them the main repository of users and still have these
> users "federated" to other dependent realms. Suppose you have an "Eden"
> realm where you manage all your users. Then you have "Organization Foo"
> realm and "Organization Bar" realm. Each of these realms would be
> configured to delegate authentication to "Eden" realm and thus have
> users federated across all of them. Just a random thought :)
>
> On Thu, Apr 18, 2019 at 8:09 AM Alfonso Alba García
> <alfonso(a)alfonsoalba.com> wrote:
>
> Hi Pedro,
>
> Thanks a lot for your answer. I will have a look at the three things
> you
> are suggesting: groups, resource types and pushing claims.
>
> At the moment I'm having a deeper look at the Policy Enforcer
> documentation. I consider that I read that part of the documentation
> and
> did not get it right. As you suggest, pushing claims can simplify my
> policies. I had a look at the app-authz-rest-employee[1] and
> app-authz-rest-springboot[2] examples. I already have some ideas about
> it after going through them. I will post an update after trying a
> little
> more.
>
> Just one last question: in the first post I asked if using one client
> per organisation would be a good idea or not. Has anybody some advice
> about this? I don't know if I'm using the client to do something it's
> not supposed to do.
>
> Thanks again,
>
> Alfonso
>
> --------
> [1]
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-re...
> [2]
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-re...
>
> Pedro Igor Silva wrote:
> > Hi,
> >
> > Some comments inline ...
> >
> > On Wed, Apr 17, 2019 at 2:16 PM Alfonso Alba García
> > <alfonso(a)alfonsoalba.com> wrote:
> >
> > I've installed keycloak locally and now I'm trying to implement these
> > requirements. I've started with the ones I think are the easiest: the
> > organisation Owner and Administrator. Following what's suggested in the
> > threads mentioned above, I implemented these resource roles as follows:
> >
> > * Create three scopes: organisation:edit, organisation:view,
> > organisation:billing
> >
> > * Create a resource "Organisation 1" with scopes organisation:edit,
> > organisation:view and organisation:billing
> >
> > * Create two client roles "Organisation 1 Owner" and "Organisation 1
> > Administrator"
> >
> > * Create two policies: "Organisation 1 Owner Policy" and "Organisation 1
> > Administrator Policy"
> >
> > * Create one scope-permission "Organisation 1 Managers Permissions" that
> > allows users with roles "Organisation 1 Owner" or "Organisation 1
> > Administrator" to get permission for the scopes organisation:edit and
> > organisation:view
> >
> > * Create one scope-permission "Organisation 1 Owners Permissions" that
> > allows users with role "Organisation 1 Owner" to access the scope
> > organisation:billing
> >
> >
> > Your policy model is fine but I think you can make it simpler if you
> > just use groups to represent organization membership.
> >
> > By using groups, you can have a single "Organization Resource",
> > "Organization Managers Permissions" and "Organization Owner Permission".
> > Your policies could benefit from claims pushed by your application [1]
> > in order to make decisions based on whether or not the user is a member
> > of an organization plus the RBAC.
> >
> > For instance, if you have in Keycloak a group "organization-foo" and
> > your application provides a REST endpoint like "/api/organizations/foo",
> > you could send the request URI to your policies, extract the "foo" part
> > of it and check if the user is member of organization-foo. I think the
> > same logic could be applied to other resource types.
> >
> > You could check this example [2].
> >
> > [1]
> > https://www.keycloak.org/docs/latest/authorization_services/index.html#_e...
> > [2]
> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-re...
> >
> > I created these for three organisations, as well as several users.
> > I've been playing around with them using the Evaluate functionality of
> > the keycloak client and apparently everything is working fine. Now I'm
> > thinking about how I could implement the access to the packages I
> > mentioned above, the members, etc, but before I continue I have several
> > questions:
> >
> > * Since users can have different roles in different organisations, I'm
> > creating only one realm. I guess that's ok since different realms do
> > not share users.
> >
> > * For every organisation that we create in our application we will need
> > to create all the policies, roles and permissions described above. Is
> > this supposed to be like that or am I missing something?
> >
> > * If this is the way to do it, I was wondering if it's a good idea to
> > create a Resource Server (i.e. a new client inside the realm) for each
> > organisation. This way I can create a client organisation-1-client with
> > all the resources, policies and permissions for "Organisation 1". I
> > think that this will make deleting an organisation quite easy after the
> > user deletes the organisation, I just need to delete the client
> > organisation-1-client. I don't know if this is a good idea or not. Does
> > it have any negative impact on performance? Will this make the
> > application code more difficult? Or maybe this is not a good practice
> > for some reason?
> >
> >
> > I would recommend you to try other approaches like that one I
> > suggested. I can think about another one using resource types.
> >
> > Considering your current design, I think the addition of a new
> > organization is pretty much related to a provisioning logic backed by
> > our REST APIs, so you can automatize this process. But I hope you can
> > find an alternative ...
> >
> >
> > Thanks for your time. Regards,
> >
> > Alfonso
> >
> >
> > -------
> > [1]
> > http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
> > [2]
> > http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html
5 years, 8 months
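Pedro's suggestion in the thread above (push the request URI to the policy as a claim, extract the organisation name, check group membership) as an added JavaScript policy example; it is not code from the thread or from the Keycloak quickstarts. It assumes the policy enforcer pushes the request path as a claim named `http.uri` and that a group membership mapper exposes the user's full group paths as the `groups` token attribute (both are assumed configuration choices). In Keycloak the policy body runs with `$evaluation` as a global; here it is wrapped in a function and paired with a constructed stand-in for `$evaluation` so the decision logic runs offline in Node.

```javascript
// Policy body: in Keycloak this is the policy's Code field, with $evaluation global.
function policy($evaluation) {
  var context = $evaluation.getContext();
  var claims = context.getAttributes();             // claims pushed by the enforcer
  var identity = context.getIdentity();
  // Fail closed when either the pushed URI or the groups attribute is missing.
  if (!claims.exists('http.uri') || !identity.getAttributes().exists('groups')) {
    $evaluation.deny(); return;
  }
  var uri = claims.getValue('http.uri').asString(0);
  var match = /^\/api\/organizations\/([A-Za-z0-9_-]+)(?:\/|$)/.exec(uri);
  if (match === null) { $evaluation.deny(); return; }
  var wanted = '/organization-' + match[1];          // full group path in Keycloak
  var groups = identity.getAttributes().getValue('groups');
  for (var i = 0; i < groups.size(); i++) {
    if (groups.asString(i) === wanted) { $evaluation.grant(); return; }
  }
  $evaluation.deny();
}

// Constructed stand-in for the Attributes / Identity / Evaluation objects,
// shaped after the calls the policy makes (exists, getValue, size, asString).
function makeEvaluation(claims, groupPaths) {
  function entry(values) {
    return { size: function () { return values.length; },
             asString: function (i) { return values[i]; } };
  }
  function attrs(map) {
    return { exists: function (n) { return map.hasOwnProperty(n); },
             getValue: function (n) { return map.hasOwnProperty(n) ? entry(map[n]) : null; } };
  }
  var result = { granted: false };
  return {
    result: result,
    getContext: function () {
      return { getAttributes: function () { return attrs(claims); },
               getIdentity: function () { return { getAttributes: function () { return attrs({ groups: groupPaths }); } }; } };
    },
    grant: function () { result.granted = true; },
    deny: function () { result.granted = false; }
  };
}

// Decide one request offline: path is the pushed http.uri, groupPaths the user's group paths.
function decide(path, groupPaths) {
  var ev = makeEvaluation({ 'http.uri': [path] }, groupPaths);
  policy(ev);
  return ev.result.granted;
}
```

The role part of Pedro's "membership plus RBAC" can be added inside the loop with `identity.hasRealmRole(...)` or `identity.hasClientRole(...)` before granting.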