Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have the challenges below in our project, where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When an Offline token is used from two
different machines, only one Session is created, and that session has the
IP address of the machine from which the User Session was first created.
Because of this we cannot suspect any suspicious activity by hackers.
Shouldn't we create different sessions even though the same offline token is
used from different machines?
2. *Why is there no separate REST endpoint to get only Online User
Sessions?* The REST endpoint below returns all the User Sessions, i.e., both
Offline and Online User Sessions.
GET /{realm}/clients/{id}/user-sessions
Your help is much appreciated!
Thank you,
Nagendra Darla
5 years, 1 month
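As an added example (not code from the thread or from the Keycloak project): the post's endpoint returns online and offline sessions together, so the split has to be done client-side by subtracting the offline list. The code assumes the admin API also exposes `/{realm}/clients/{id}/offline-sessions` next to `/user-sessions` (check this against your Keycloak version), and it reuses the `UserSessionRepresentation` field names (`id`, `username`, `userId`, `ipAddress`, `start`, `lastAccess`, `clients`). The session records, the realm name and the client UUID are constructed; nothing here was captured from a real server.

```python
# Added example: split a client's sessions into online-only ones, and list users whose
# sessions arrive from more than one IP address (a cheap per-user sanity check).
# The two lists below are constructed to mirror UserSessionRepresentation; they are not
# real server output.
import json
import urllib.request
from collections import defaultdict

ALL_SESSIONS = [  # constructed: shape of GET /{realm}/clients/{id}/user-sessions
    {"id": "s1", "username": "alice", "userId": "u1", "ipAddress": "10.0.0.5",
     "start": 1567061809000, "lastAccess": 1567062109000, "clients": {"c1": "app"}},
    {"id": "s2", "username": "alice", "userId": "u1", "ipAddress": "203.0.113.7",
     "start": 1567061900000, "lastAccess": 1567062300000, "clients": {"c1": "app"}},
    {"id": "s3", "username": "bob", "userId": "u2", "ipAddress": "10.0.0.9",
     "start": 1567061000000, "lastAccess": 1567062000000, "clients": {"c1": "app"}},
]
OFFLINE_SESSIONS = [  # constructed: shape of GET /{realm}/clients/{id}/offline-sessions (assumed endpoint)
    {"id": "s3", "username": "bob", "userId": "u2", "ipAddress": "10.0.0.9",
     "start": 1567061000000, "lastAccess": 1567062000000, "clients": {"c1": "app"}},
]


def client_session_urls(base_url, realm, client_uuid):
    """Build the two admin endpoints; base_url includes the '/auth' prefix if your
    deployment uses it, e.g. http://localhost:8080/auth."""
    base = f"{base_url}/admin/realms/{realm}/clients/{client_uuid}"
    return base + "/user-sessions", base + "/offline-sessions"


def fetch_json(url, token):
    """GET an admin endpoint with an admin bearer token (not exercised offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def online_only(all_sessions, offline_sessions):
    """Sessions from the combined list that do not appear in the offline list (by id)."""
    offline_ids = {s["id"] for s in offline_sessions}
    return [s for s in all_sessions if s["id"] not in offline_ids]


def users_with_multiple_ips(sessions):
    """userId -> sorted distinct IPs, only for users seen from more than one address.
    Note the limitation raised in the post: a single offline session keeps the IP of
    its first use, so reuse of one offline token elsewhere is invisible here."""
    ips = defaultdict(set)
    for s in sessions:
        ips[s["userId"]].add(s["ipAddress"])
    return {uid: sorted(v) for uid, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    print([s["id"] for s in online_only(ALL_SESSIONS, OFFLINE_SESSIONS)])
    print(users_with_multiple_ips(ALL_SESSIONS))
```

With real data, replace the two constructed lists by `fetch_json(url, admin_token)` for each URL from `client_session_urls`; the admin token needs the `view-users`/`view-clients` permissions of the target realm.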
resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
  -H "Authorization: Bearer $CLIENTTOKEN" \
  -H "Content-Type: application/json" \
  -d '{"_id": "123-456", "type": "test", "name": "test",
       "scopes": ["sensors:create","sensors:view","sensors:update","sensors:delete"],
       "owner": "cdupont", "ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not used in the unicity.
In my application database, resources with different types are stored in
different collections, so two resources with different types *can* have the
same ID.
How do you suggest solving this in Keycloak? Providing a Keycloak ID of
the form <type>-<ID>, for example? E.g. sensor-123 and project-123 would not
collide.
Cheers
5 years, 1 month
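One way to implement the `<type>-<ID>` scheme from the post, as an added example (not code from the thread or from Keycloak): the composite `_id` keeps resources from different collections apart, and because the post also found that the resource *name* must be unique, the name gets the same type prefix, otherwise a sensor and a project both named "test" would still clash. The payload mirrors the body of the `resource_set` request above; the `ResourceRegistry` class and the sample rows are constructed for the example, and the local id may itself contain dashes (like the `123-456` in the post) as long as the type does not.

```python
# Added example: composite Keycloak resource ids and a local uniqueness check
# that mirrors the two constraints found in the thread (_id unique, name unique).


def keycloak_resource_id(rtype, local_id):
    """Composite id of the form <type>-<id>, e.g. sensor-123.
    The type must not contain '-' so the id can be split back unambiguously;
    the local id may contain dashes (e.g. 123-456)."""
    if not rtype or "-" in rtype:
        raise ValueError("type must be non-empty and must not contain '-'")
    return f"{rtype}-{local_id}"


def split_resource_id(rid):
    """Inverse of keycloak_resource_id: ('sensor', '123-456') for 'sensor-123-456'."""
    rtype, _, local_id = rid.partition("-")
    return rtype, local_id


def resource_payload(rtype, local_id, name, scopes, owner):
    """Body for POST .../authz/protection/resource_set, same fields as in the post.
    The name is prefixed with the type because names must be unique per realm too."""
    return {
        "_id": keycloak_resource_id(rtype, local_id),
        "type": rtype,
        "name": f"{rtype}:{name}",
        "scopes": list(scopes),
        "owner": owner,
        "ownerManagedAccess": True,
    }


class ResourceRegistry:
    """Constructed local mirror of what was registered in Keycloak; refuses a
    duplicate _id or name before the request is ever sent."""

    def __init__(self):
        self.by_id = {}
        self.names = set()

    def register(self, payload):
        if payload["_id"] in self.by_id:
            raise ValueError(f"duplicate _id {payload['_id']}")
        if payload["name"] in self.names:
            raise ValueError(f"duplicate name {payload['name']}")
        self.by_id[payload["_id"]] = payload
        self.names.add(payload["name"])
        return payload["_id"]


if __name__ == "__main__":
    reg = ResourceRegistry()
    for rtype, lid in (("sensor", "123"), ("project", "123")):
        print(reg.register(resource_payload(rtype, lid, "test", ["sensors:view"], "cdupont")))
```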
multiple reset credentials flows
by Arnault BESNARD
Hi,
We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credential following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.
What is the best way to solve our issue?
Thanks in advance,
Arnault
5 years, 2 months
Keycloak Gatekeeper configuration with SPA
by Yumna Ghazi
Hello everyone,
I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.
 ---------      -----------      -----------      ------------
|   UI    | ---> |  Proxy  | ---> |  GateK  | ---> |  Service |
 ---------      -----------      -----------      ------------
     |                               |
     |                               v
     -----------------------------> Keycloak
Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.
a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?
Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.
Thanks.
Yumna
5 years, 3 months
Evaluation of RPT in admin console does not match Rest request result...
by Axel
Hello.
Keycloak 6.0.1 and 7
Can anyone help me with understanding of evaluating RPT?
Scenario:
2 Realm Roles - RoleA and RoleB
1 user with both realm roles
2 clients:
clientA public (or confidential) with Scope=RoleA
clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB
When I go to clientB -> Authorization -> Evaluate, set Client = clientA,
set User = user, choose "Any resource" with scope(s) "Any scope",
and see:
{
"jti": "7692f97f-3907-4e1b-a784-663c52f33bc7",
"exp": 1567062109,
"nbf": 0,
"iat": 1567061809,
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "ff2e581c-0663-4b8c-9332-629b02c02729",
"acr": "1",
"realm_access": {
"roles": [
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
Here I see that I have only RoleA (that is correct - I'm going through
clientA).
But when I make requests:
curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' -d 'grant_type=password' \
  'http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token'
grab access-token and
curl -X POST \
http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \
-H "Authorization: Bearer access-token-from-first-curl" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=clientB"
I get different jwt:
{
"jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2",
"exp": 1567062641,
"nbf": 0,
"iat": 1567062341,
"iss": "http://localhost:8280/auth/realms/TestRPT",
"aud": "clientB",
"sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607",
"typ": "Bearer",
"azp": "clientA",
"auth_time": 0,
"session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e",
"acr": "1",
"realm_access": {
"roles": [
"RoleB",
"RoleA"
]
},
"authorization": {
"permissions": [
{
"rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139",
"rsname": "Default Resource"
}
]
},
"scope": "email profile",
"email_verified": false,
"preferred_username": "user"
}
Why is "RoleB" in the RPT? Do I understand the documentation wrong? Is the
RPT request wrong?
Our main target is: when user goes through clientA to clientB, clientB
should receive only those roles that the user has in clientA. We have many
applications-clients and we want to limit some of them. How can we achieve
this?
Thanks in advance.
Alexey Makarevich.
5 years, 3 months
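As an added example (not code from the thread or from Keycloak), here is the check a resource server behind clientB could run on an incoming RPT: decode the claims and report every realm role that falls outside the role scope of the client named in `azp`. The two claim sets are trimmed copies of the tokens quoted above, and the per-client scope map (`clientA` -> `RoleA`, `clientB` -> `RoleA`, `RoleB`) is constructed from the scenario in the post. The decoder reads the payload only; signature verification against the realm keys is assumed to happen before any claim is trusted.

```python
# Added example: inspect RPT claims and flag realm roles outside the requesting
# client's role scope. Claim dicts are constructed from the post's two tokens.
import base64
import json

# Constructed from the scenario: clientA has Scope=RoleA, clientB has Scope=RoleA,RoleB.
CLIENT_ROLE_SCOPE = {"clientA": {"RoleA"}, "clientB": {"RoleA", "RoleB"}}

EVALUATE_CLAIMS = {  # from the admin-console Evaluate output in the post
    "aud": "clientB", "azp": "clientA",
    "realm_access": {"roles": ["RoleA"]},
    "authorization": {"permissions": [{"rsname": "Default Resource"}]},
}
UMA_TICKET_CLAIMS = {  # from the uma-ticket grant response in the post
    "aud": "clientB", "azp": "clientA",
    "realm_access": {"roles": ["RoleB", "RoleA"]},
    "authorization": {"permissions": [{"rsname": "Default Resource"}]},
}


def decode_jwt_claims(token):
    """Decode the payload segment of a compact JWT for inspection.
    No signature check happens here; verify the JWS first before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_outside_client_scope(claims, client_role_scope=CLIENT_ROLE_SCOPE):
    """Realm roles carried by the token that the requesting client (azp) is not
    scoped to. An empty list means the token matches what Evaluate predicted."""
    allowed = client_role_scope.get(claims.get("azp"), set())
    roles = claims.get("realm_access", {}).get("roles", [])
    return sorted(r for r in roles if r not in allowed)


def granted_resources(claims):
    """Resource names granted by the RPT's authorization.permissions claim."""
    perms = claims.get("authorization", {}).get("permissions", [])
    return sorted(p.get("rsname", "") for p in perms)


if __name__ == "__main__":
    for label, claims in (("evaluate", EVALUATE_CLAIMS), ("uma-ticket", UMA_TICKET_CLAIMS)):
        print(label, "out-of-scope roles:", roles_outside_client_scope(claims),
              "resources:", granted_resources(claims))
```

Run against the post's two tokens, the Evaluate result reports no out-of-scope role while the uma-ticket RPT reports `RoleB`, which is exactly the mismatch the question describes; the check does not explain the cause, but it gives clientB a place to refuse tokens whose roles exceed the `azp` client's scope.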
Not able to extend User Storage SPI without changing Keycloak configuration files
by David VS
Goal:
Set up a custom federation which extends the ldap provider.
Question: What is the proper way to extend the ldap federation while adding
one more configuration input? (without changing internal keycloak files)
I followed the steps in
https://www.keycloak.org/docs/latest/server_development/index.html#_user-...
and specified my own provider and providerFactory.
In the admin console, when trying to create the federation "custom-ldap", most
of the input fields do not have a label and some buttons like "Test
connection" are missing. The configuration property that I added and
customized has label/default value/tooltip.
If it is not possible to extend the form, is there an easy way to
inherit the same UI form from the ldap federation page in my extension?
(I'm new to Keycloak, and do not have experience with Freemarker.)
Thank you so much for your support,
David
5 years, 3 months
Identity provider mapper - Attribute to role
by Matteo Restelli
Hi all,
We're trying to set up an Attribute to role mapper inside our SAML 2.0
identity provider. The problem is that our attribute contains whitespaces.
How can we map an attribute with whitespaces to a role? Currently
surrounding it with double quotes or single quotes doesn't work.
Any thoughts on that?
Thank you,
Matteo
5 years, 3 months
Unable to get SAML ForceAuthn to work
by Neil Russell
Hey,
I'm trying to get ForceAuthn to work with a third party who is using Shibboleth, but I have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request. One issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true", and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working, but even though I can now see that the parser is returning true when the ForceAuthn attribute is read, I'm still not getting the expected behaviour and I'm not sure where to look next.
Any suggestions would be appreciated; am I looking in completely the wrong place?
Thanks,
Neil Russell
5 years, 3 months
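The `ForceAuthn="1"` versus `ForceAuthn="true"` point above comes down to how the attribute is typed: in the SAML 2.0 protocol schema `ForceAuthn` and `IsPassive` are `xs:boolean`, whose lexical space is `true`, `false`, `1` and `0`, so both spellings are valid and a parser that only accepts `"true"` is the bug. As an added example (not code from the thread or from Keycloak's StaxParserUtil), this reads the two flags from an AuthnRequest the schema-conformant way. The request XML is constructed for the example; for real requests use a hardened XML parser and verify the request signature before acting on the flags.

```python
# Added example: parse ForceAuthn/IsPassive from a SAML 2.0 AuthnRequest as xs:boolean,
# so "1"/"0" are accepted alongside "true"/"false". The request below is constructed.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-08-29T07:00:00Z"
    ForceAuthn="1" IsPassive="false"
    AssertionConsumerServiceURL="https://sp.example.invalid/acs">
</samlp:AuthnRequest>"""


def parse_xsd_boolean(value, default=False):
    """xs:boolean lexical space is true/false/1/0; surrounding whitespace is allowed.
    A missing attribute returns the default (SAML defines both flags as false)."""
    if value is None:
        return default
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")


def authn_request_flags(xml_text):
    """Return the ForceAuthn and IsPassive flags of a samlp:AuthnRequest document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    return {
        "force_authn": parse_xsd_boolean(root.get("ForceAuthn")),
        "is_passive": parse_xsd_boolean(root.get("IsPassive")),
    }


if __name__ == "__main__":
    print(authn_request_flags(SAMPLE_AUTHN_REQUEST))
```

Even with the flag parsed correctly, forcing re-authentication is the IdP's decision once it sees `force_authn` true; if the parsed value is right and the session is still reused, the place to look is the IdP's handling of an existing session when the request carries that flag, not the parser.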