July 2019 - keycloak-user - Jboss List Archives

How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'

by Christophe Lehingue

Hello, how to configure a client so that the user can use the user removal API? [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sd... Whenever I try to call this request REST => I get the following error message: "resulted in a 401/403 Unauthorized`" Can you help me ? Thank you

5 years, 11 months

4
4
0 / 0

Keycloak Offline User Sessions and Online User Sessions

by Nagendra Darla

Hello Keycloak experts, We have below challenges in out project where we are building User Access Management using Keycloak. 1. *Offline User Sessions:* When a Offline token is used from two different machines, There is only one Session that will be created and session will have the IP address of the machine from where the User Session is first created. Because of this we cannot suspect any suspicious activity by hackers. Should n't we create different sessions even though same offline token is used from different machines. 2. *Why there is no separate REST end point to get only Online User Sessions: *Below REST end point returns all the User Sessions ie., both Offline and Online User Sessions. GET /{realm}/clients/{id}/user-sessions You help is much appreciated ! Thank you, Nagendra Darla

6 years

1
1
0 / 0

resource ids

by Corentin Dupont

Hi guys, I discovered that you can provide your own id when creating resources: curl -X POST " http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{*"_id": "123-456"*, "type": "test", "name":"test", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}' This is very practical for synchronizing the resources with my own database. After some investigation, I found: - the ID should be unique - the name should be unique Is that correct? The resource type is not used in the unicity. In my application database, resources with different types are stored in different collections, so two resources with different types *can* have the same ID. How do you suggest to solve this in Keycloak? Providing a keycloak ID of the form <type>-<ID> for example? e.g. sensor-123 and project-123 would not collide. Cheers

6 years

3
10
0 / 0

multiple reset credentials flows

by Arnault BESNARD

Hi, We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario. Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case. What is the best way to solve our issue? Thanks in advance, Arnault

6 years

1
2
0 / 0

Prevent users from changing email address when email is used as username

by Ales Fuchs

Hello, We are using Keycloak version 4.8.3 and in our setting we have the option "Email as username" switched on and "Edit username" switched off. At the same time we need to let users to log in and change their name in the account console. Once the name and surname is editable, email can be changed too, which changes also the username. The input with email can be hidden, but whoever knows how Keycloak works can simply add this input and update the username. Does anyone have any idea how updating of username can be prevented? Best regards, Ales Fuchs

6 years, 2 months

3
7
0 / 0

Implementing Multi-tenancy through Keycloak

by Dhara Basida

Hi Team, We are currently planning to integrate our application with keycloak in order to achieve multi-tenancy. We have hierarchy like : 1) Super Admin : Who have access to eveything and will create tenant. 2) Tenant Admin : This admin can create their Members and one tenant admin cannot see the data of another tenant admin or Tenant. Also he could not able to see any details of Super Admin. 3) Members : Member are specific to Tenant. Member have rights to create their employees and roles which are applicable for their employees. But Member cannot see details of other Members or their Tenant Admin. 4) Employees : Employees are users who can only have view permissions for role applicable to them and manage their profile. He could not able to see any details of Member or Tenant. QUestions : I have created admin and tenant. I have link admin with Super Admin and Tenant Admin with Realm admin. For Member I linked it with Client but somehow I don't find the way to manage it. As I am not able to create Employees from member (Not able to get Add options for users and If I enable manage users or view users role from tenant admin than I can also see data of tenant which is wrong). Kindly provide the way to achieve these hierarchy. Thank you, Dhara Basida --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

6 years, 2 months

2
1
0 / 0

OIDC protocol extension

by Karipineni, Neelima,M.D.

We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

6 years, 3 months

3
4
0 / 0

Custom Social Login, cache access_token, Enterprise Wechat

by kkzxak47

Hi, I'm building a SSO service for my company (~1000 employee). After investigation I decided to adopt Keycloak as the core component. We are using Wechat Work as IM tool (https://work.weixin.qq.com/), employee DB is based on its Contacts. So it's natural to integrate it as a social login into Keycloak SSO service. In the process of implementing the 'WechatIdentityProvider' and 'WechatIdentityProviderFactory' classes I encountered some trouble. Just like Twitter / Google and other providers, some of Wechat Work's OAuth2 flow is not aligned with standards. For example, the processing of retrieving the access_token is relatively independent of other OAuth2 code flow, the access_token is valid for 7200 seconds, its API is limited to be called 2000 times per day for a single client. We are forced to cache a global access_token for each client. I noticed that Keycloak is heavily using Infinispan. My question is can I use it for caching access_token too? Is it safe to do so? What is your recommendation? And I'm working based on version 6.0.1 in standalone mode, is it appropriate? My main programming language is not Java by the way. I learned it ~10 years ago and Spring is new to me. So I'm still learning. It's of great help to give relevant document links or code snippets, thanks! Victor

6 years, 3 months

1
3
0 / 0

Question about CBAC + Pushing Claims + Authorization Scopes

by Álvaro Gómez

Hi, We are applying RBAC and CBAC models to evaluate permissions in a multi-tenant UMA application. We are using Pushing Claims to let custom policies determine if an user has an specific role in a provided context (tenant) via Pushing Claims. Everything works fine if we use non-scoped resources but things get a bit confusing when we use scoped ones since the pushing-claims (representing the tenants) end up mixed in the RPT permission claim without leaving any trace of the scopes with which they were pushed along. Consider the following example: We have an application which manages products (represented by resources). There are profiles (represented by roles) which allow users to sell, modify or delete products (represented by scopes). A certain user may interact with one product in the context of a tenant (Determined by the Pushing claim) with an specific role and with some different role from other tenant. - Resource: * product (With scopes sell and update) - Roles: * Seller * Product-Manager - Policies: * Is-Seller (In the Tenant specified in the Pushing Claim "tenant") * Is-Product-Manager (In the Tenant specified in the Pushing Claim "tenant") - Permissions: * product:sell -> Provides the "sell" scope of the resource "product" if the "Is-Seller" policy evaluates to grant. * product:update -> Provides the "update" scope of the resource "product" if the "Is-Product-Manager" policy evaluates to grant. - Users: * Alice -> Alice is "Seller" in the tenant "Organization-1" and is "Product-Manager" in the tenant "Organization 2" so she should be able to sell products in the context of the tenant "Organization-1" and update products in the context of "Organization-2" but neither "update" products in the context of "Organization-1" or sell products in the context of "Organization-2". 1.- Alice requests an RPT using the following ticket: { "resource": "product", "resource_scopes": ["sell"], "claims": { "tenant": ["Organization-1"] } } Since Alice is "Seller" in the "Organization-1" (meaning the Policy "Is-Seller" will evaluate to "grant" if the provided claim value is "Organization-1" and the evaluated Identity is Alice) an RPT is emitted with the following "permission" claim: [{ "resource": "product", "resource_scopes": ["sell"], "claims": { "tenant": ["Organization-1"] } }] 2.- Alice upgrades the previous RPT with the following ticket: { "resource": "product", "resource_scopes": ["update"], "claims": { "tenant": ["Organization-2"] } } Here is were things get confusing to us. We'd expect Alice to be granted when requesting the scope "update" in the context of "Organization-2" since Alice has the role "Product-Manager" in that tenant. That would be what happened if Alice was requesting the RPT for the first time instead of upgrading a previous one. However, since we are upgrading the RPT obtained in Step 1, when the policy "Is-Product-Manager" is evaluated, the claim "tenant" is mixed with the one in Step 1 (Since they are not grouped by scope) resulting in the following permission: { "resource": "product", "resource_scopes": ["sell", "update"], "claims": { "tenant": ["Organization-1", "Organization-2"] } } The policy can't evaluate to grant since Alice is not "Product-Manager" in both tenants "Organization-1" and "Organization-2" (Obtained through $evaluation.getPermission().getClaims()). When evaluating this policy we would only be interested in the pushing-claim `{ "tenant": ["Organization-2"] }` which was pushed along with the scope "update" (which is the one being evaluated by the permission "product:update" associated with this Policy). Shouldn't the claims be grouped by the scopes which with they were pushed along? (See example at the end of this text), Are we missing something? Example: { "resource": "product", "resource_scopes": [ { "name": "sell", "claims": { "tenant": ["Organization-1"] } }, { "name": "update", "claims": { "tenant": ["Organization-2"] } }, ] Thanks in advance, Álvaro.

6 years, 3 months

2
7
0 / 0

CDI Support in keycloak

by Christian Froehlich

Hi, CDI (Weld subsystem) is deactivated inside the keycloak server if I understood it right in the documentation. Is there a specific reason why you explicitly deactivate CDI? Regards Christian

6 years, 3 months

2
1
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user July 2019