Set which user can authenticate at which client
by Remko Lodder
Hi,
I am new to Keycloak and first of all I would like to thank you and all contributors for all your hard work.
I have little experience with Keycloak and it’s usage so please put me on the correct track in case I am off :-)
So: For a customer and my own environment I am implementing Keycloak. I am consolidating our users in one
Realm and have added a multitude of clients (both saml as oidc). I would like to be able to place selectors on users
when importing them or setting it manually, that someone has access to for example gitlab. I found that Okta has
probably want I am looking for described here:
https://help.okta.com/en/prod/Content/Topics/Directory/group-assign-app.htm <https://help.okta.com/en/prod/Content/Topics/Directory/group-assign-app.htm>
Now, is there something like that also in Keycloak? I would like users to be part of a group, or role, or whatever
and that way control who has access where, without needing to fiddle with the application on the back (I can do
that for targetting specific roles, like admin, manager, read-write, read-only, etc).
I was not able to find something similar .. so probably I overlooked it or didn’t understand the documentation :-)
Any pointers/suggestions/this is not an option right now?
Thanks & Again, thank you all,
Remko
4 years, 9 months
RPT tokens can still be used after approval revokation
by Rivat Olivier
Hi,
I have the following use case
1) alice is creating some resouces (a5 for example)
2) jdoe is asking to access a5
3) alice approves request for Jdoe to access a5
4) Jdoe is getting an rpt token and now can access to a5 (so far so good)
5) Alice is revoking Jdoe access right for a5
6) RPT token of Jdoe is still valid (it has no yet expired)
---> Joe can access to alice a5 resource without any problem
For me it sounds like a bug. I was expecting Jdoe no longer being able
to access alice A5 resource (after revokation from alice).
Regards,
Olivier
4 years, 9 months
(UMA) How is it possible to approve pending request via REST API calls
by Rivat Olivier
Hi,
I am playing with auth_uma_photoz example.
1. I have created some album resources for alice (album a5).
2. Jdoe has made a request to access to alice album
3. Through Rest API calls, I can see that there is a pending request on
a5 resource owned by alice
access_token_alice=$(curl -d "client_id=photoz-restful-api" -d
"client_secret=secret" -d "username=alice" -d "password=alice" -d
"grant_type=password"
http://localhost:8180/auth/realms/photoz/protocol/openid-connect/token |
jq -r .access_token)
curl
http://localhost:8180/auth/realms/photoz/authz/protection/permission/tick...
-H 'Authorization: Bearer '$access_token_alice | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 258 100 258 0 0 86000 0 --:--:-- --:--:-- --:--:--
86000
[
{
"id": "29505d42-da8d-46f5-afe2-f90e35845192",
"owner": "11f3314e-f1c6-40a9-912b-d6f9d0c5a177",
"resource": "dee953ef-1df8-4787-9d32-ce4e407da010",
"scope": "0dc735d5-1ecc-466d-ba9e-e59f8ad563e4",
"granted": false,
"requester": "dceb398e-9f68-4077-8073-ca53137cccb3"
}
]
So my question:
What should be the command syntax to approve this request from Jdoe (I.e
set "granted":true) using teh REST API.
I have made several trials, quite unsuccessful, and haven't found any
hint in the keycloak doc.
Regards,
Olivier
4 years, 9 months
Support for totp in REST client (org.keycloak.admin.client.Keycloak)
by Lukasz Lech
Hello,
I was under impression, that activating TOTP will makes the account unable to use with REST api, but then I've found that people describe how to do that and that is actually supported through 'totp' parameter to the API call.
The parameter would have to be added to org.keycloak.admin.client.token.TokenManager:grantToken() method. Rather through some interface for TOTP generator than the one-time code.
Were there already any plans to extend the library (keycloak-admin-client) to support TOTP?
To my understanding the code like that should work:
if (PASSWORD.equals(accessTokenGrantType)) {
form.param("username", config.getUsername())
.param("password", config.getPassword());
if (config.getTotpGenerator() != null) {
form.param("totp", config.getTotpGenerator().getToken());
}
}
The caller would have to provide the implementation of TotpGenerator compliant with Keycloak settings and set the secret from otp configuration QR code...
Best regards,
Lukasz Lech
4 years, 9 months
Disable logging in via REST API
by Lukasz Lech
Hello,
How to disable logging into Keycloak via REST API, without affecting logging in via browser?
Which URLs I need to block?
I have problem finding out that information...
Best regards,
Lukasz Lech
4 years, 9 months
Permission Handling After Keycloak 4.5.0
by Jahn, Lasse
Hey everyone,
I'm running Keycloak Server Version 4.5.0.Final according to the dockerfile from jboss shown in the dockerhub [1] with only changed keycloak version. (Took the tools from [2])
During developing I noticed that there is an Endpoint missing that I wanted to use (request a group list which have specific client role, for users this enpoint exists
GET /{realm}/clients/{id}/roles/{role-name}/users
In Keycloak 6.0 this also exists for groups.
GET /{realm}/clients/{id}/roles/{role-name}/groups
So I thought why not migrating to 6.0. After successful upgrade I realized that there is no permission tab?!
I wanted to handle the permissions of a user to be a client admin as explained in the documentation [3] but this was not possible.
I thougth that maybe that the docker image does not include everything, so I downloaded all at the keycloak.org available server distributions and run them via standalone.sh (4.8, 5.0, 6.0) all with the same result, there is no permission Tab ?!
Is the documentation not updated and there is a way to enable the permission tab or how can I fullfill the mentioned scenario (client admin which is allowed to map roles) ?
Regards
Lasse
[1] https://hub.docker.com/r/jboss/keycloak/dockerfile
[2] https://github.com/jboss-dockerfiles/keycloak/tree/4.5.0.Final/server
[3] https://www.keycloak.org/docs/latest/server_admin/index.html#managing-one...
Viele Grüße
Lasse Jahn
4 years, 9 months
Identity First authentication flow and trick for extension specific theme resources
by Thomas Darimont
Hello Keycloak-Users,
I made some progress with a Google-like Identity First authentication flow
and found some interesting tricks that I wanted to share.
In my keycloak-extension-playground repository, I added an example
extension which supports a multi-step Identity first authentication
mechanism as Google and others provide.
See:
https://github.com/thomasdarimont/keycloak-extension-playground/tree/mast...
The authentication flow works as follows:
Instead of asking for username AND password on the login screen I only ask
for the username. A password is then asked in a consecutive step.
This enables additional user-specific authentication steps.
You can find a short demo-gif in this tweet:
https://twitter.com/thomasdarimont/status/1146552622943559682
- The example features two authenticators 'SelectUserAuthenticatorForm' and
'PasswordAuthenticatorForm'.
SelectUserAuthenticatorForm: Shows a form to enter the username (or
email) and provides a mechanism for resolving a user based on the given
username.
PasswordAuthenticatorForm: Based on the selected user, a password form is
shown
- The forms are sent asynchronously via AJAX without reloading the login
page
- The authentication process can be aborted/restarted via by clicking
'cancel' on the password form
Now comes a nice trick, I learned while I was looking for a way to ship
custom extension specific js/css/img resources with an authenticator
without(!) having to customize a realm login theme.
As you might now, one can have authenticator/extension specific templates
that are shipped in the extension jar within the 'theme-resources/template'
folder.
This works fine if you can do everything in an .ftl template, but falls
short, when you need extension specific css/js/img.
However, if you also ship a CUSTOM extension specific theme within the
extension, then one can access resources provided by this theme!
In my case:
I created a theme folder with a login theme, named like the extension:
extension: auth-identity-first-extension
theme-name: auth-identity-first-extension-theme
The resulting folder structure looks like this:
auth-identity-first-extension/src/main/resources/theme/auth-identity-first-extension-theme/login/resources
The 'resources' folder contains sub-folders for 'js' and 'css' resources
combined with a META-INF/keycloak-themes.json descriptor.
See:
https://github.com/thomasdarimont/keycloak-extension-playground/tree/mast...
auth-identity-first-extension/src/main/resources/META-INF/keycloak-themes.json:
{ "themes": [
{
"name": "auth-identity-first-extension-theme",
"types": [ "login"]
}
]}
This allows to refer to the extension specific theme resources from within
a template, e.g. in the 'select-user-form.ftl' template this looks like:
<link rel="stylesheet"
href="${url.resourcesPath}/../auth-identity-first-extension-theme/css/identity-first.css">
<script
src="${url.resourcesPath}/../auth-identity-first-extension-theme/js/identity-first.js"
defer></script>
We effectively define a custom theme within the extension jar just for the
sake of exposing extension specific resources.
I know that this feels a bit like a hack (because it is), but seems to work
quite well ;-)
Note that the extension specific theme also shows up within the realm theme
selection, but you can ignore this.
I hope that's useful for you too :)
Cheers,
Thomas
4 years, 9 months
add my email to the list
by Mohammad Haj Hussein (Student)
Dear Keycloak,
Please add my email to the list.
Regards,
Mohammad Haj Hussein
4 years, 9 months
User Storage SPI/LDAP Provider and groups
by Błażej Adamczyk
Hi all,
I want to extend user AND GROUP scheme with my own custom attributes
and data model to fit it to the use case.
I see several options here:
1) Extend the existing Keycloak entities with custom attributes (very
simple, but the attribute bag pattern seems to generic here?)
2) Use the User Storage API to map my own user/group entities to
Keycloak (similarily like the quickstart "user-storage-jpa")
2.1) Use import strategy - this probably would work well but it
seems it is overcomplicating the architecutre (two schemas,
synchronization etc.)
2.2) Use non-import strategy - this seems more relevant for my need
but I have a need to override not only users but also groups.
And finally the question: 2.2 seems fine but after looking through the
interfaces and looking through the ldap code I'm not sure how groups
are working in federated example when import is off.
The code seems to relate everywhere to existing keycloak groups, the
only place which I could find the groups are created is in
GroupLDAPStorageMapper (updateKeycloakGroupTree.., and syncDataFrom..
methods). These are called by specific REST sync URL or by the import
strategy (which in 2.2 is off).
Are the groups somehow automatically created when a group mapper is on
and import off? If so, how is the groups view in console working - is
it showing all LDAP groups? Or just those which were automatically
imported when user groups were accessed?
Also, can you please generally suggest which of the above options (1,
2.1 or 2.2) is better in my scenario and why?
--
Best regards,
Blazej Adamczyk
4 years, 9 months
