May 2019 - keycloak-user - Jboss List Archives

Custom REST endpoint not associated with a specific REALM

by Michael Dailous

Hi, We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication. Is it possible to create a custom REST endpoint that's not associated with a specific REALM? Thanks, Michael

7 years

2
1
0 / 0

X509 Direct Grant with client certificate

by Chirag Unnadkat

Hi, Is it possible to pass the same client certificate in a token request with different login credentials? My current setup doesn't seem to allow this and I can't find any documentation saying this is not possible I have configured an X509 Direct grant flow using X509/Validate Username(X.509 Config) This is configured to take the Subjects Common Name, with the attribute "NAME" I have configured a trust store with 1 certificate (want to share this across users) When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token, however once I share the same attribute details to user 2, both user 1 and 2 stop working. Maybe I am missing some configuration that will allow my users to share the same certificate I ideally do not want to have one certificate per user as this will get out of hand to manage, as the population of the realm increases Kind Regards, Chirag Unnadkat Business Analyst Cerillion plc E. chirag.unnadkat(a)cerillion.com<mailto:chirag.unnadkat@cerillion.com> T. 0207 9276029 W. www.cerillion.com<http://www.cerillion.com/> Addr. 25 Bedford Street, London, WC2E 9ES, UK ________________________________ Cerillion Technologies Limited is a limited liability company registered in England No. 3849601 with Registered Office at 25 Bedford Street, London WC2E 9ES. VAT registration No. 743 8054 29. Website www.cerillion.com<http://www.cerillion.com> This email and any attachments with it are intended for the addressee only. It is confidential and may be the subject of legal and/or professional privilege. If you have received this email in error please notify the sender, destroy any copies and delete from your computer systems as any use, disclosure, dissemination, forwarding, printing or copying is strictly prohibited. The content may be personal or contain personal opinions and cannot be taken as an expression of Cerillion's position. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. Cerillion reserves the right to monitor all incoming and outgoing mail. Whilst every care has been taken to check this outgoing email for viruses, it is your responsibility to carry out any checks upon receipt. ________________________________

7 years

2
2
0 / 0

How to get the role -> permissions for an authenticated user

by Ori Doolman

Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have a "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 1. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.

7 years

2
15
0 / 0

[Keycloak-admin-client] An error message when changing password.

by Алексей Виноградов

Hello everyone. I have a question about REST API of the Keycloak. When I attempt to change password via REST API of user to that password that not meets security constraints of Keycloak, I recieve BadRequestError without additional information of what goes wrong. But when I change password in Administration console I see an exact error. So, how can I get a exact problem what wrong with my password? My usecase is that: I have a frontend (html/css) that communicates with a backend that communicates with the Keycloak. An user wants to change password of his/her account so he/she click on button on some form, and makes a request to backend to change password. A backend processes that request and ask Keycloak to change user password. In case that password doesn't meet security constraint I want to provide to user exact error. Thanks to all. -- -- Best regards, Vinogradov Alexey vinogradov.a.i.93(a)gmail.com +7 983 311 38 40

7 years

2
3
0 / 0

Help for using Keycloak in Spring Boot

by Ali Ahmadzadeh Asl

Hi First of all, excuse me for poor English. I am trying to use Keycloak in Spring Boot 2, I read many articles about this matter, such as follow link: https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-b... There was an issue that i can't resolve it. Resource and policy and permissions defined in admin panel for client, does not any effect on my server. For example I defined a resource for URL pattern /rest/* and a policy for having ROLE_REST, also I defined a permission for mapping this resource and policy. But after running the server, I can use rest services without any limitation and authentication. Now the question is: How can I manage Spring Boot application security and permissions from Keycloak admin panel? Thank you

7 years

4
8
0 / 0

Keycloak, SpringBoot, and Swagger-UI

by Ali Ahmadzadeh Asl

Hi Dears I have a Spring Boot project which uses Swagger-UI library for describing and testing REST services. Everything was ok until I added Keycloak library and settings to my project. The Keycloak settings are: keycloak.realm=my-realm keycloak.resource=my-app keycloak.ssl-required=external keycloak.enable-basic-auth=true keycloak.autodetect-bearer-only=true keycloak.use-resource-role-mappings=true keycloak.principal-attribute=preferred_username keycloak.auth-server-url=http://localhost:8080/auth keycloak.credentials.secret=f3776b88-2600-44fa-83ec-67cb72fa0000 keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied keycloak.securityConstraints[0].authRoles[0] = USER keycloak.securityConstraints[0].securityCollections[0].name = default keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /* Now, when a logged in user wants to see Swagger-UI page using a URL like http://127.0.0.1:6060/swagger-ui.html, a message containing bellow text and a text box shown: "Unable to infer base url. This is common when using dynamic servlet registration or when the API is behind an API Gateway. The base url is the root of where all the swagger resources are served. For e.g. if the api is available at http://example.org/api/v2/api-docs then the base url is http://example.org/api/. Please enter the location manually: " But the JSON of services' definitions is accessible from http://127.0.0.1:6060/v2/api-docs address. Can anybody help me to solve this problem? What is the reason for this matter? How can I resolve? Thanks

7 years

1
1
0 / 0

UserRepresentation enabled Boolean

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

7 years

2
3
0 / 0

Client Admin

by Fabio Ebner

there is one sample to how create and update users in a java application? all sample I have found are older and don`t works in java 1.8 and that dependency <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-admin-client</artifactId> <version>6.0.1</version> </dependency>

7 years

1
0
0 / 0

Question about how to extend or know more about keycloak

by Paul Luk

Hi all, i am now checking keycloak to see whether i can adopt it and extend it to fulfill my project's requirement. However, when i try to check the source code in github, i found there is almost no comment on the source code of keycloak!!! The javadocs are empty: https://www.keycloak.org/docs-api/6.0/javadocs/index.html i am quite surprise that how you guys can develop and maintenance keycloak! Without the code comment or javadocs, it will difficult for me to study and extend keycloak (not even enough for creating SPI) Thanks.

7 years

2
1
0 / 0

Re: [keycloak-user] Custom REST endpoint not associated with a REALM

by Michael Dailous

Is there anyone that can provide some guidance on this? Michael -----Original Message----- Date: Thu, 30 May 2019 17:45:12 +0000 From: Michael Dailous <mdailous(a)forensiclogic.com> Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> Message-ID: <BYAPR09MB2549F8DA4ED6A39523363562D6180(a)BYAPR09MB2549.namprd09.prod.outlook.com> Content-Type: text/plain; charset="us-ascii" Hi, We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication. Is it possible to create a custom REST endpoint that's not associated with a specific REALM? Thanks, Michael ------------------------------

7 years

2
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2019