Good afternoon sirs
I am implementing the Keycloak Authorization Service and, in addition to
JWT, we need to use a second type of access, for example, API key or
Basic Auth. Does anyone have experience or knowledge of how to support
different authentication types in the adapters?
Our case study uses the example app-authz-a-photoz (
)
On Fri, 22 Jun 2018 at 08:57, <keycloak-user-request(a)lists.jboss.org>
wrote:
Send keycloak-user mailing list submissions to
keycloak-user(a)lists.jboss.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
keycloak-user-request(a)lists.jboss.org
You can reach the person managing the list at
keycloak-user-owner(a)lists.jboss.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."
Today's Topics:
1. Using two or more access types (Danilo do Val)
2. Re: Architectural Blueprint/Recommendations (Dmitry Telegin)
3. Re: Add custom roles in realm-management client (Dmitry Telegin)
4. Re: Keycloak client (Dmitry Telegin)
5. Re: keycloak SAML response - Authentication method
information (Manisha Nandal)
6. Re: Keycloak as SAML IdP - Google sign-out problem (Tiemen Ruiten)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Jun 2018 16:16:29 -0300
From: Danilo do Val <danilodoval(a)gmail.com>
Subject: [keycloak-user] Using two or more access types
To: keycloak-user(a)lists.jboss.org
Message-ID: <CAOPhXAm0rQVoE1aL5SnG513T8xKa5mVLDuRXXk+rSBPfPxRH1w(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Good afternoon sirs
I am implementing the Keycloak Authorization Service and, in addition to
JWT, we need to use a second type of access, for example, API key or
Basic Auth. Does anyone have experience or knowledge of how to support
different authentication types in the adapters?
Our case study uses the example app-authz-a-photoz (
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um...
)
--
__________________
http://br.linkedin.com/in/daniloval
19 9227.9082
------------------------------
Message: 2
Date: Fri, 22 Jun 2018 01:26:08 +0300
From: Dmitry Telegin <dt(a)acutus.pro>
Subject: Re: [keycloak-user] Architectural Blueprint/Recommendations
To: "Everson, David (MNIT)" <david.everson(a)state.mn.us>,
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID: <1529619968.6161.1.camel(a)acutus.pro>
Content-Type: text/plain; charset="UTF-8"
Hi David,
Please see the answers and remarks inline.
On Mon, 2018-06-18 at 14:40 +0000, Everson, David (MNIT) wrote:
(skipped)
> 15. Keycloak should be clustered for high availability.
> 16. Keycloak environment would be hosted on AWS, more than likely EC2
> instances.
> 17. Client applications also hosted in AWS.
> 18. Keycloak's database would be PostgreSQL hosted in AWS RDS.
Speaking of Keycloak on AWS, this is absolutely doable, but not that
trivial. Please be sure to have read the document [1], especially the
"Troubleshooting AWS specifics" part, and relevant ML postings [2].
Long story short, AWS doesn't allow for IP multicast between the nodes,
which is the default node discovery mode in JGroups (the backbone of
Keycloak clustering). You should use S3_PING or JDBC_PING instead.
>
> A few questions/concerns of the working group:
>
> A. Is there any information available on the maximum size of an
> Keycloak installation? Will Keycloak be scalable and performant given
> the above assumptions and constraints.
AFAIK, nobody has performed actual Keycloak benchmarking yet
(publicly). There's however a Keycloak benchmarking suite based on
Gatling [3]. It hasn't been updated for about two years, so first we'll
need to make sure it works with recent Keycloak versions.
>
> B. What's the best recommendation for distributing the Keycloak
> instances and realms. Right now the group has three options on the
> table: 1) A single Keycloak install per application (i.e. client);
> 2) A single Keycloak install per organizational unit (i.e. realm); or
> 3) A single Keycloak install per organization (i.e. serving all realms
> and clients).
The pros for A and B is obviously that you get some degree of
separation/isolation, which might be good from the security and
availability POV. However, this comes at a price of complexity; you'll
have to deploy, monitor & maintain each separate instance / group of
instances, each having different configs and dedicated database.
Another big issue is load distribution. I doubt that your
clients/realms all have equal, uniform load patterns. Given that each
Keycloak instance will have its hardware limitations (CPU, RAM), you
potentially end up with some nodes overloaded and others idle. The C
scenario is obviously free from this issue.
>
> C. A major concern the group has with a single Keycloak install (#3
> in previous bullet) is the high-availability in terms of performance
> and concerns of a rogue client affecting other applications
> negatively. What is the community's recommendation for addressing
> this concern?
As you will necessarily have a load balancer / reverse proxy in front
of your Keycloak cluster, you can enforce rate limiting / throttling on
your load balancer. For example, haproxy implements rate limiting based
on IP addresses, URLs and HTTP headers [4].
>
> D. Another major concern the group has with a single Keycloak install
> is the restarts that are necessary when an organization unit deploys
> a new or updated template. The concern is that all applications
> would be unavailable during the restart. We would be operating in a
> clustered environment, is the best solution to this concern
> restarting individual members of the cluster rather than the entire
> cluster?
Could you please elaborate on template deployment? In Keycloak
parlance, "templates" can be understood either as "client templates"
or "HTML templates" (within custom GUI themes).
Client templates surely can be created/updated via GUI or REST API,
without the need for restart. For GUI themes, they can be deployed a)
as Wildfly modules, b) via "themes" directory. While the former option
indeed requires restart, the latter does not. Keycloak 4.x also adds c)
hot deployment of themes by dropping theme JARs into the "deployments"
directory.
>
> E. For reporting and governance processes, the Keycloak API performs
> quite poorly when we execute use cases such as "Report all Users of
> an Application". Given the version we are currently on, to
> accomplish this we need to query all users in the realm and then
> filter the users if they have the client/role combination. We
> understand that a future release addresses this use case, but in the
> meantime the concern is such a query will negatively affect all other
> clients using Keycloak. Any recommendations on handling this use
> case prior to Keycloak 4.x?
Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't
find any info)
Keycloak admin REST API has an endpoint called "Return List of Users
that have the specified role name", see [5] (identical for KC 3.x and
4.x). You could use this endpoint, however you will have to iterate
over client roles and then merge and de-duplicate the results. Anyway,
this should be much more efficient than your current approach.
In general, this looks like a classical use case for Realm Resource
Provider [6]. The query you described easily maps to a single SQL/JPQL
statement, so you could implement a custom REST resource that would
execute exactly that query and return results.
Unfortunately, custom REST resources in Keycloak are public by default
(protected resources should become a part of the hypothetical Admin
Resource SPI somewhere in the future). However, you can implement that
(relatively) easily with the techniques demonstrated in Beercloak [7].
>
> F. Upgrading Versions of Keycloak. We have experienced some
> difficulty of upgrading versions on server-side (we need to export,
> import vs a simple DB backup and deployment). What is the
> recommendations for handling the upgrade of Keycloak from one version
> to the next given the size of our user base?
Could you please elaborate a bit on the problems that you're facing?
The export/import scenario is relevant for database upgrades (e.g.
PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that
should upgrade the data+metadata automatically. Why doesn't that work
in your case? Let us know, probably this could be fixed.
>
> I'm sorry for the long post, hopefully folks get to this point. Any
> insight that we could receive would be greatly appreciated. We are at
> a critical cross-roads in our Keycloak adoption and want to ensure we
> do this correctly.
Sorry it took so long to reply. Keycloak is a great product, I hope it
fulfills your needs. Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
[1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
[2] https://www.keycloak.org/search.html?q=aws
[3] https://github.com/rvansa/keycloak-benchmark
[4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/
[5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html
[6] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[7] https://github.com/dteleguin/beercloak
>
> Thanks!
> Dave
>
>
> Dave Everson
> Application Development Team Lead | Environmental Health
> Minnesota IT Services | Partners in Minnesota Department of Health
> 625 Robert Street North
> St. Paul, MN 55155
> O: 651-201-5146
> Information Technology for Minnesota Government | mn.gov/mnit
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
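A script for the "Report all Users of an Application" case discussed above, added here as an example that is not part of the original thread or of Keycloak's own code: it lists the client's roles through the admin REST API, calls the per-role users endpoint Dmitry points at in [5] for each role, and merges and de-duplicates the results by user id. Host, realm, client id and token are assumed placeholders; the `first`/`max` paging parameters are the admin API's standard ones.

```python
"""Report all users of one Keycloak client via the admin REST API.

Added example, not code from the thread or from Keycloak itself. It
follows the suggestion in the reply above: list the client's roles, call
"Return List of Users that have the specified role name" for each role,
then merge and de-duplicate by user id. Admin endpoints used:
  GET /admin/realms/{realm}/clients/{id}/roles
  GET /admin/realms/{realm}/clients/{id}/roles/{role-name}/users
Host, realm, client id and token below are placeholders.
"""
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # the users endpoint pages with ?first=&max=; walk every page


def http_get_json(base_url, token, path, **params):
    """GET an admin endpoint as JSON using a bearer token (live call)."""
    url = base_url + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def users_of_client(realm, client_uuid, get):
    """Map user id -> {username, roles} for every holder of any client role."""
    # `get(path, **params)` is injected so the merge logic can run offline.
    roles = get(f"/admin/realms/{realm}/clients/{client_uuid}/roles")
    report = {}
    for role in roles:
        encoded = urllib.parse.quote(role["name"], safe="")
        first = 0
        while True:  # a short page signals the last page for this role
            page = get(f"/admin/realms/{realm}/clients/{client_uuid}/roles/{encoded}/users",
                       first=first, max=PAGE_SIZE)
            for user in page:
                # One entry per user id; a user holding several roles is merged, not repeated.
                entry = report.setdefault(user["id"], {"username": user["username"], "roles": []})
                entry["roles"].append(role["name"])
            if len(page) < PAGE_SIZE:
                break
            first += PAGE_SIZE
    return report


if __name__ == "__main__":
    base, token = "https://keycloak.example.test", "REPLACE_WITH_ADMIN_TOKEN"  # placeholders
    result = users_of_client("myrealm", "CLIENT-UUID-PLACEHOLDER",
                             lambda path, **p: http_get_json(base, token, path, **p))
    print(json.dumps(result, indent=2))
```

The token must belong to an account with the realm-management view-users and view-clients roles, and the per-role calls stay cheap compared with scanning every user in the realm.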
------------------------------
Message: 3
Date: Fri, 22 Jun 2018 03:38:30 +0300
From: Dmitry Telegin <dt(a)acutus.pro>
Subject: Re: [keycloak-user] Add custom roles in realm-management client
To: Waldemar Schmalz <waldemar.schmalz(a)codecentric.de>,
keycloak-user(a)lists.jboss.org
Message-ID: <1529627910.9620.1.camel(a)acutus.pro>
Content-Type: text/plain; charset="UTF-8"
Hi Waldemar,
What version of Keycloak are you on? Things are different for pre-3.2.0
and post-3.2.0.
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info@acutus.pro
> Hello,
>
> I have created a new client-role in client "realm-management". It's
> called "manage-roles" and its purpose is (or should be) to grant users
> access to create, edit and delete roles in their realms. In the base
> theme this is only possible when users have access to the role
> "manage-realm" in client "realm-management". But with this client-role
> the user is able to manage the whole realm, not only the roles. My user
> is only allowed to manage roles, users and groups in this case.
>
> I changed the html-files so that the keycloak sidebar menu is working:
> Menu item "Roles" is visible for users with my custom client-role
> "manage-role". I also extended the getAccessObject() method in my
> theme's controller/realm.js with the needed new role "manageRoles".
>
> Accessing the roles-list page is working, but accessing the role-details
> page (when clicking on a specific role) fails. I get a 403 Forbidden. My
> question is: Is there something I forgot? Where is the check for
> returning a 200 OK or a Forbidden for this case? It seems it is not in
> the template files, like for the side-menu?
>
> If I forgot any information or something, please contact me.
>
> Thank you, your help is much appreciated!
>
> Best regards
> Waldemar
------------------------------
Message: 4
Date: Fri, 22 Jun 2018 04:34:35 +0300
From: Dmitry Telegin <dt(a)acutus.pro>
Subject: Re: [keycloak-user] Keycloak client
To: Vinay <vinayatoz(a)gmail.com>, keycloak-user(a)lists.jboss.org
Message-ID: <1529631275.9620.4.camel(a)acutus.pro>
Content-Type: text/plain; charset="UTF-8"
Hi Vinay,
In Keycloak, client is (simply speaking) a combination of base URL,
protocol (OIDC/SAML), roles and authorization rules. So, if your
application lives under a single base URL, it's simply impossible to
have many clients per application. Moreover, an adapter (that you use
to secure your application) is configured for a particular client.
Hence, there is a 1-to-1 relationship between an application and a
client.
However, if your application is heterogeneous, i.e. consists of
separate components living under different base URLs (and created with
different technologies), you will have to define individual clients for
them.
A resource is a URI under the client's base URL, and is used to define
fine-grained authorization rules within that client.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 21/06/2018 at 12:50 -0400, Vinay wrote:
> Hi there,
> In what scenario should an application have multiple clients defined
> in the keycloak server? How does a keycloak client differ from a
> resource? I understand it is an application that asks for an
> authentication, but I am not sure when we need multiple clients in an
> application. What is the basis for defining clients?
------------------------------
Message: 5
Date: Fri, 22 Jun 2018 10:05:51 +0530
From: Manisha Nandal <manisha04.nandal(a)gmail.com>
Subject: Re: [keycloak-user] keycloak SAML response - Authentication
method information
To: keycloak-user(a)lists.jboss.org
Message-ID: <CAP63w5Ti+nKSk2FF4n_urmEkNPBY5HYKq-5MvBS88Jnbnss2Xg(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Any update ?
On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal <manisha04.nandal(a)gmail.com> wrote:
> Hi,
>
> I authenticated my client application using google IDP. I want to
> retrieve the information of the IDP used for authentication from the
> keycloak SAML response. I have checked in the keycloak documentation
> that "AuthnStatement" gives us the authentication method used
> (password, etc.) as well as a timestamp of the login.
>
> But, my SAML response does not provide any such information. The SAML
> contains the user name used for authentication under "NameID", but I
> want the identity provider information; say in my case google is the IDP.
>
> <saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z"
>   SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078">
>   <saml:AuthnContext>
>     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>   </saml:AuthnContext>
> </saml:AuthnStatement>
>
> Can you please guide me on the same
>
>
> Thanks,
> Manisha
>
------------------------------
Message: 6
Date: Fri, 22 Jun 2018 10:00:53 +0200
From: Tiemen Ruiten <t.ruiten(a)rdmedia.com>
Subject: Re: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem
To: Rodolfo De Nadai <rdenadai(a)gmail.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CAAegNz0QKWJn0zdOZst36GsOujrsXuyhvwYAHnSvnZ8xxGpn_g(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Signout is working for us, I initially used the same guide but had to make
some changes. My setup differs in the following places:
Include OneTimeUse Condition - off
Optimize REDIRECT signing key lookup - off
SAML Signature Key Name - NONE
Base URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note
the lack of &RelayState=true)
I set the signout URL in the Google Apps dashboard to
https://ourdomain.tld/auth/realms/{realmname}/account/
On 19 June 2018 at 22:12, Rodolfo De Nadai <rdenadai(a)gmail.com> wrote:
> Hi,
>
> I'm configuring my keycloak installation as an IdP and Google apps as
> an SSO.
>
> I'm able to login but when trying to logout I got no success...
>
> My configuration follows the one described here:
> https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
>
> There was a thread in the mailing list which was able to login also,
> but didn't mention the logout process. As I thought it should be almost
> transparent, since no documentation says anything, it is beginning to
> turn into a problem.
>
> If someone could help or point me in some direction I'd appreciate it.
>
> thanks
--
Tiemen Ruiten
Systems Engineer
R&D Media
------------------------------
End of keycloak-user Digest, Vol 54, Issue 32
*********************************************