August 2019 - keycloak-user - Jboss List Archives

by Prado, Renann

Hello. I'm currently doing a research to see if keycloak fits our use cases and the impersonation feature is important for the case when we want to do support and see what the users sees for some reason. Of course Impersonation is nice, yet it can be very risky if impersonation permission is given to wrong people. I was doing some tests (locally) and I found out that by having only the client roles of view view-users and impersonation, I was able to impersonate the admin user. I'm using docker to runs my tests, so basically I was able to impersonate the user that is created via the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables. My question is: is it possible to restrict impersonation to certain users based on attributes, roles, or something else? Or is the impersonation always possible to be done on all the users within the realm as long as the user has permission to do impersonation? As I understand the master realm shouldn't be used for anything other than administration, correct? Then what would be the best way to "slice" your realms, per product (e.g. web app)? We also want to use keycloak to provide SSO for us, which I suppose only works in the realm level. So if we create one realm per application, then we cannot really do SSO. Thanks -- Best regards, *Renann Prado*

4 years, 8 months

1
0
0 / 0

Docker X509 Apache Cert Lookup Client Certificate Passthrough

by Johnson, Freddie [USA]

Team -- I'm currently having issues getting Keycloak to read the client certificate forwarded from proxy in HTTP header from Apache using Apache SPI Cert lookup. Instead, it reads the wildcard of the cert provided below in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile. However, if i use that common name of the wildcard and assign it to any user, Keycloak will log that user in even though that is not the user originally making the initial request to the proxy. In short, how do I force Keycloak running in a container to use the apache spi to retrieve cert credentials in header? I tried developer documentation by adding spi per https://www.keycloak.org/docs/latest/server_admin/index.html#client-certi... to both standalone.xml and deployment folder but it's as if Keycloak is not recognizing the configuration change in container after build. If I remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the proxy saying "downstream server expected client cert but none configured" so that option didn't work either. Details below: My apache reverse proxy is: <VirtualHost *:443> SSLEngine on SSLProxyEngine on SSLVerifyClient optional SSLVerifyDepth 4 SSLOptions +ExportCertData SSLProxyCheckPeerName off ProxyPreserveHost On SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt" SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem" SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem" RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT_CHAIN_4 "" ServerName sso.xxx.ninja ProxyPass / https://keycloak:8443/ ProxyPassReverse / https://keycloak:8443/ ProxyRequests Off RequestHeader set X-Forwarded-Port "443" RequestHeader set X-Forwarded-Proto "https" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i" RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i" </VirtualHost> My Keycloak Dockerfile (abbreviated - sanitized): ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem" USER root RUN mkdir -p /etc/x509/https RUN mkdir -p /opt/xxx COPY "./certs/tls.crt" "/etc/x509/https" COPY "./certs/tls.key" "/etc/x509/https" COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <---- originally edited this file to hold apache spi COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved apache spi for x509 here per online instructions COPY "./certs/ca-xxx-ninja.crt" "/opt" COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/" RUN keytool -noprompt -import -trustcacerts -alias root -file /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit RUN keytool -noprompt -import -trustcacerts -alias xxx -file /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit USER 1000 EXPOSE 8080 8443 Any guidance/ideas you can provide would much appreciated as I've been working it for a few days now and can't seem to get over this last hurdle. Respectfully, Freddie Lee Johnson, Jr.

4 years, 8 months

2
3
0 / 0

Docker X509 Apache Cert Lookup Client Certificate Passthrough

by Johnson, Freddie [USA]

Sebastian – Thanks for the awesome feedback. I’ll implement your suggestion. How would you recommend I activate the Apache SPI in the docker image? Should I add it to the standalone.xml and comment out the default provider or add it to the deployment URL as annotated in docker documentation: “To add a custom provider extend the Keycloak image and add the provider to the /opt/jboss/keycloak/standalone/deployments/ directory.” Does that count as a custom provider? Freddie From: Sebastian Laskawiec <slaskawi(a)redhat.com> Date: Thursday, August 8, 2019 at 12:18 AM To: "Johnson, Freddie [USA]" <Johnson_Freddie(a)bah.com> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> Subject: [External] Re: [keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough The only thing I found a bit weird is that you create `/etc/x509/https` directory. Keycloak image has a small script that tries to grab a key and a certificate in that directory and import them [1]. But I see you're already doing that in `RUN keytool ...` commands. Perhaps you should either put tls.crt and tls.key there and rely on our script or do everything by yourself (but in that case, please remember about modifying configuration similarly to [2]). The last advice I can give to you is to append `-Djavax.net.debug=all` argument to ./standalone.sh. This way you can see, what certificates are being picked up and if the TLS handshake looks correct (although, the debugging is really time-consuming). [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jboss-2Dd...> [2] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jboss-2Dd...> On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <Johnson_Freddie(a)bah.com<mailto:Johnson_Freddie@bah.com>> wrote: Team -- I'm currently having issues getting Keycloak to read the client certificate forwarded from proxy in HTTP header from Apache using Apache SPI Cert lookup. Instead, it reads the wildcard of the cert provided below in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile. However, if i use that common name of the wildcard and assign it to any user, Keycloak will log that user in even though that is not the user originally making the initial request to the proxy. In short, how do I force Keycloak running in a container to use the apache spi to retrieve cert credentials in header? I tried developer documentation by adding spi per https://www.keycloak.org/docs/latest/server_admin/index.html#client-certi...<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...> to both standalone.xml and deployment folder but it's as if Keycloak is not recognizing the configuration change in container after build. If I remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the proxy saying "downstream ser! ver expected client cert but none configured" so that option didn't work either. Details below: My apache reverse proxy is: <VirtualHost *:443> SSLEngine on SSLProxyEngine on SSLVerifyClient optional SSLVerifyDepth 4 SSLOptions +ExportCertData SSLProxyCheckPeerName off ProxyPreserveHost On SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt" SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem" SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem" RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT_CHAIN_4 "" ServerName sso.xxx.ninja ProxyPass / https://keycloak:8443/<https://urldefense.proofpoint.com/v2/url?u=https-3A__keycloak-3A8443_&d=D...> ProxyPassReverse / https://keycloak:8443/<https://urldefense.proofpoint.com/v2/url?u=https-3A__keycloak-3A8443_&d=D...> ProxyRequests Off RequestHeader set X-Forwarded-Port "443" RequestHeader set X-Forwarded-Proto "https" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i" RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i" </VirtualHost> My Keycloak Dockerfile (abbreviated - sanitized): ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem" USER root RUN mkdir -p /etc/x509/https RUN mkdir -p /opt/xxx COPY "./certs/tls.crt" "/etc/x509/https" COPY "./certs/tls.key" "/etc/x509/https" COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <---- originally edited this file to hold apache spi COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved apache spi for x509 here per online instructions COPY "./certs/ca-xxx-ninja.crt" "/opt" COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/" RUN keytool -noprompt -import -trustcacerts -alias root -file /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit RUN keytool -noprompt -import -trustcacerts -alias xxx -file /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit USER 1000 EXPOSE 8080 8443 Any guidance/ideas you can provide would much appreciated as I've been working it for a few days now and can't seem to get over this last hurdle. Respectfully, Freddie Lee Johnson, Jr. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...>

4 years, 8 months

1
0
0 / 0

Disable sending the email about invalid login

by Katarzyna Sycz

Hello, I would like to ask if there is a possibility to disable sending the specific email via Keycloak. In this case, I would like to prevent sending the email informing about the invalid login (when users use the incorrect username or password). I didn't find any setting for that in the console and I didn't find the info about it in the docs. I would appreciate any help. Kind regards, Katarzyna Sycz

4 years, 8 months

1
0
0 / 0

Is quorum needed in Keycloak Standalone Clustered Configuration?

by Roman Ok

Sorry, i'm sending this again as my last post was posted without text for some unknown reason: Should an Keycloak deployments configured in Standalone Clustered Configuration have odd number of nodes to ensure quorum? It's stated that Keycloak is built on top of the WildFly application server and its sub-projects like Infinispan (for caching) and Hibernate (for persistence). Keycloak recommends to look in WildFly Documentation and High Availability Guide. If understood correctly Standalone Clustered Configuration allows session replication or transmission of SSO contexts around the cluster. I don't understand though if odd number of Keycloak nodes is required so that there will be quorum. Singleton subsystem states 10.1.3. Quorum Network partitions are particularly problematic for singleton services, since they can trigger multiple singleton providers for the same service to run at the same time. To defend against this scenario, a singleton policy may define a quorum that requires a minimum number of nodes to be present before a singleton provider election can take place. A typical deployment scenario uses a quorum of N/2 + 1, where N is the anticipated cluster size. This value can be updated at runtime, and will immediately affect any active singleton services. e.g. Is it somehow related to Keycloak and its Standalone Clustered Configuration?

4 years, 8 months

2
1
0 / 0

Latest version download link?

by Uumas

Is there a direct link to downlaod the latest version of keycloak? I'm trying to write a script for updating.

4 years, 8 months

1
0
0 / 0

UserStorageProvider.updateCredential to receive current password

by Steve Thomas

Hi there, I have a custom UserStorageProvider with updateCredential method being implemented. Everything works fine but for security reason, I need the current password to be passed to that method as well. What is the suggested way if I want to change the behavior of the processPasswordUpdate method of the AccountFormService? Or is there a SPI I can use? Is there an example somewhere online? Thank you in advance [http://images.logibec.com/Logibec121x57.png] Steve Thomas Analyste-programmeur Infrastructure de d?veloppement Programmer Analyst T +1-800-361-9659 | T +1 800 361-9659 Steve.Thomas(a)logibec.com www.logibec.com AVIS DE CONFIDENTIALIT? Le pr?sent courriel et les informations qu'il contient sont confidentiels et demeurent la propri?t? exclusive de Logibec. Ils ne peuvent ?tre diffus?s ? quiconque hormis les membres du personnel devant en prendre connaissance, et ce, sous condition de leur avoir inform? qu'ils sont la propri?t? de Logibec, sont confidentiels et ne peuvent ?tre partag?s ? un tiers sans une autorisation pr?alable ?crite de Logibec. Si vous n'?tes pas le destinataire vis?, veuillez en aviser imm?diatement l'?metteur et d?truire le contenu du courriel sans le communiquer ou le reproduire. CONFIDENTIALITY NOTICE This email and the information it contains contained herein are confidential and remain the exclusive property of Logibec. They may not be disseminated to anyone except the staff members who must be aware of it, provided that they have been informed that the documents are the property of Logibec, are confidential and can not be shared with a third party without the prior written authorization of Logibec. If you are not the intended recipient, please indicate it immediately and destroy the contents of the email without disclosing or reproducing it.

4 years, 8 months

2
1
0 / 0

Logout from identity provider is not propagated to Keycload clients

by SauliK

Hi, I have set up Keycloak with a SAML2 Identity Provider and I have a client application configured to authenticate against Keycloak using SAML2. If I logout from the application, the logout happens correctly using browser redirects and the user is logged out from the application, from Keycloak, and from the identity provider. But if I logout from the Identity provider, the provider sends a logout request to Keycloak but Keycloak does not send the logouts to the clients. I have checked the source code regarding this and in the second scenario Keycloak uses only the backchannel logout and does not even attempt to do the browser / frontchannel logout. In my case backchannel logout is not supported. In the source code I can see that in SamlService class (which is being invoked when I do the logout from the application) it uses either browser logout or backchannel logout https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4... But in the SamlEndpoint class (which is used when the identity provider sends the logout request to Keycloak) it only attempts the backchannel logout: https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e2... Is this the way it's supposed to work or is Keycloak just missing this feature? Br, Sauli -- Sent from: http://keycloak-user.88327.x6.nabble.com/

4 years, 8 months

1
0
0 / 0

Logout from identity provider is not propagated to Keycload clients

by SauliK

Hi, I have set up Keycloak with a SAML2 Identity Provider and I have a client application configured to authenticate against Keycloak using SAML2. If I logout from the application, the logout happens correctly using browser redirects and the user is logged out from the application, from Keycloak, and from the identity provider. But if I logout from the Identity provider, the provider sends a logout request to Keycloak but Keycloak does not send the logouts to the clients. I have checked the source code regarding this and in the second scenario Keycloak uses only the backchannel logout and does not even attempt to do the browser / frontchannel logout. In my case backchannel logout is not supported. In the source code I can see that in SamlService class (which is being invoked when I do the logout from the application) it uses either browser logout or backchannel logout https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4... But in the SamlEndpoint class (which is used when the identity provider sends the logout request to Keycloak) it only attempts the backchannel logout: https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e2... Is this the way it's supposed to work or is Keycloak just missing this feature? Br, Sauli -- Sent from: http://keycloak-user.88327.x6.nabble.com/

4 years, 8 months

1
0
0 / 0

Is quorum needed in Keycloak Standalone Clustered Configuration?

by Roman Ok

4 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user August 2019