FYI I just gave this a spin...
It seems that the ScriptAuthenticator currently has no binding for
clientSession in order to access the client id for authentication,
e.g. this is missing in ScriptBasedAuthenticator
bindings.put("clientSession", context.getClientSession());
I'll send a PR which adds that binding. This will then enable to provide
client specific authentication behaviour.
Chreers,
Thomas
2017-02-24 11:33 GMT+01:00 Shane Boulden <shane.boulden(a)gmail.com>:
I got this working today with a custom auth flow, thanks heaps!
Just one thing - I've copied the 'Direct Grant Flow', and added a JS
script at the end to only allow certain groups to authenticate using the
OpenShift 'oc login' command from a prompt.
This works allowing/denying access based on a group, however when a user
does not belong to the correct group, the oc login prompt displays the
following error:
"Error from server: Internal error: unexpected error: 500"
Here's the code I used for my JS script:
function authenticate(context){
var groups = user.getGroups();
var group_array = groups.toArray();
for (var i in group_array) {
var gn = group_array[i].getName();
if (gn === "openshift-access") {
context.success();
return;
}
}
context.failure(authenticationflowerror.INVALID_USER)
return;
}
I thought this may be because the OpenShift CLI tool can't interpret the
error message back from Keycloak. I've also tried the following, but I get
a "ClassNotFound" exception when I try to import the OAuth2 error
representation:
Authenticationflowerror = Java.type("org.keycloak.authen
tication.AuthenticationFlowError");
// Throws 'ClassNotFoundException
Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepre
sentation");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.Type("javax.ws.rs.core.MediaType");
function authenticate(context) {
var groups = user.getGroups();
var group_array = groups.toArray();
for (var i in group_array) {
var gn = group_array[i].getName();
if (gn === "openshift-access") {
context.success();
return;
}
}
var errorRep = new
Oauth2("invalid_grant","invalid_user_credentials");
response = Response.status(401).type(MediaType.APPLICATION_JSON_TYPE).
build();
context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response);
return;
}
Any ideas or assistance is appreciated.
Shane
On Fri, Feb 24, 2017 at 5:16 AM, Shane Boulden <shane.boulden(a)gmail.com>
wrote:
> Thanks very much Marek and Thomas for taking the time to get back to me.
>
> I've found an example of a JS authenticator here:
>
http://www.lookatsrc.com/source/scripts/authenticator-templ
> ate.js?a=org.keycloak:keycloak-services
>
> Is this how I would build the custom authenticator, and extend it to
> check the user roles and clientID?
>
> Thanks
>
> Shane
>
> On 24 Feb. 2017 01:25, "Thomas Darimont"
<thomas.darimont(a)googlemail.com>
> wrote:
>
>> Hello Shane,
>>
>> you could try to do that with the Javascript based Authenticator.
>>
>> Cheers,
>> Thomas
>>
>> 2017-02-23 14:07 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
>>
>>> I can think of some workarounds. Like for example, create an
>>> Authenticator, which will be added to the bottom of the authentication
>>> flow. Authenticator will throw an exception in case that unpermitted
>>> user is trying to authenticate to the client corresponding to your
>>> openshift application. You have the user available (he is already
>>> authenticated) and you have also the client (can be determined based on
>>> clientId).
>>>
>>> Maybe even easier is to do that in custom RequiredActionProvider and do
>>> this check in "evaluateTriggers".
>>>
>>> This is workaround as it mixes authentication and authorization (among
>>> other issues). But hopefully it can suit your needs.
>>>
>>> Marek
>>>
>>> On 23/02/17 07:19, Shane Boulden wrote:
>>> > Hi everyone,
>>> >
>>> > I'm trying to figure out a fairly straight-forward problem set -
>>> >
>>> > - I have a number of users in a Keycloak database, federated from
>>> an
>>> > LDAP provider with a READ_ONLY policy (ie; I can't
"disable" the
>>> users)
>>> > - I want to limit access to a client to only certain Keycloak
>>> users
>>> >
>>> > I thought this would be possible with a role that is shared by the
>>> client
>>> > and the user. However, it looks like Keycloak lets the application
>>> itself
>>> > determine access via a role:
http://lists.jboss.org/
>>> > pipermail/keycloak-user/2014-November/001205.html
>>> >
>>> > But what if I can't update the application's behaviour? Eg; if I
want
>>> to
>>> > integrate Keycloak with OpenShift, and OpenShift doesn't consume
any
>>> > information from the OIDC provider?
>>> >
>>> > In this particular example, I don't want to limit the users in the
>>> Keycloak
>>> > database - I want to sync all users from LDAP, but limit application
>>> access
>>> > to only a subset.
>>> >
>>> > Any assistance is greatly appreciated.
>>> >
>>> > Shane
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user(a)lists.jboss.org
>>> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>