[keycloak-user] Using two or more access types

Danilo do Val danilodoval at gmail.com
Fri Jun 22 10:04:26 EDT 2018


Good afternoon sirs,

I am implementing the Keycloak Authorization Service and, in addition to JWT,
we need to use a second type of access, for example, API key or Basic Auth.
Does anyone have experience or knowledge of how to support different
authentication types in the adapters?

Our case study uses the example app-authz-uma-photoz
(https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz).

On Fri, 22 Jun 2018 at 08:57, <keycloak-user-request at lists.jboss.org>
wrote:

> Today's Topics:
>
>    1. Using two or more access types (Danilo do Val)
>    2. Re: Architectural Blueprint/Recommendations (Dmitry Telegin)
>    3. Re: Add custom roles in realm-management client (Dmitry Telegin)
>    4. Re: Keycloak client (Dmitry Telegin)
>    5. Re: keycloak SAML response - Authentication method
>       information (Manisha Nandal)
>    6. Re: Keycloak as SAML IdP - Google sign-out problem (Tiemen Ruiten)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 21 Jun 2018 16:16:29 -0300
> From: Danilo do Val <danilodoval at gmail.com>
> Subject: [keycloak-user] Using two or more access types
> To: keycloak-user at lists.jboss.org
> Message-ID: <CAOPhXAm0rQVoE1aL5SnG513T8xKa5mVLDuRXXk+rSBPfPxRH1w at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
>
> Good afternoon sirs,
>
> I am implementing the Keycloak Authorization Service and, in addition to JWT,
> we need to use a second type of access, for example, API key or Basic Auth.
> Does anyone have experience or knowledge of how to support different
> authentication types in the adapters?
>
> Our case study uses the example app-authz-uma-photoz
> (https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz).
>
>
> --
> __________________
> http://br.linkedin.com/in/daniloval
> 19 9227.9082
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 22 Jun 2018 01:26:08 +0300
> From: Dmitry Telegin <dt at acutus.pro>
> Subject: Re: [keycloak-user] Architectural Blueprint/Recommendations
> To: "Everson, David (MNIT)" <david.everson at state.mn.us>,
>         "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Message-ID: <1529619968.6161.1.camel at acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi David,
>
> Please see the answers and remarks inline.
>
> On Mon, 2018-06-18 at 14:40 +0000, Everson, David (MNIT) wrote:
> (skipped)
> > 15. Keycloak should be clustered for high availability.
> > 16. Keycloak environment would be hosted on AWS, more than likely EC2
> > instances.
> > 17. Client applications also hosted in AWS.
> > 18. Keycloak's database would be PostgreSQL hosted in AWS RDS.
>
> Speaking of Keycloak on AWS, this is absolutely doable, but not that
> trivial. Please be sure to have read the document [1], especially the
> "Troubleshooting AWS specifics" part, and relevant ML postings [2].
> Long story short, AWS doesn't allow for IP multicast between the nodes,
> which is the default node discovery mode in JGroups (the backbone of
> Keycloak clustering). You should use S3_PING or JDBC_PING instead.
>
> >
> > A few questions/concerns of the working group:
> >
> > A. Is there any information available on the maximum size of an
> > Keycloak installation? Will Keycloak be scalable and performant given
> > the above assumptions and constraints.
>
> AFAIK, nobody has performed actual Keycloak benchmarking yet
> (publicly). There's however a Keycloak benchmarking suite based on
> Gatling [3]. It hasn't been updated for about two years, so first we'll
> need to make sure it works with recent Keycloak versions.
>
> >
> > B. What's the best recommendation for distributing the Keycloak
> > instances and realms. Right now the group has three options on the
> > table: 1) A single Keycloak install per application (i.e.
> > client); 2) A single Keycloak install per organizational unit (i.e.
> > realm); or 3) A single Keycloak install per organization (i.e.
> > serving all realms and clients).
>
> The pros for A and B is obviously that you get some degree of
> separation/isolation, which might be good from the security and
> availability POV. However, this comes at a price of complexity; you'll
> have to deploy, monitor & maintain each separate instance / group of
> instances, each having different configs and dedicated database.
>
> Another big issue is load distribution. I doubt that your
> clients/realms all have equal, uniform load patterns. Given that each
> Keycloak instance will have its hardware limitations (CPU, RAM), you
> potentially end up with some nodes overloaded and others idle. The C
> scenario is obviously free from this issue.
>
> >
> > C. A major concern the group has with a single Keycloak install (#3
> > in previous bullet) is the high-availability in terms of performance
> > and concerns of a rogue client affecting other applications
> > negatively. What is the community's recommendation for addressing
> > this concern?
>
> As you will necessarily have a load balancer / reverse proxy in front
> of your Keycloak cluster, you can enforce rate limiting / throttling on
> your load balancer. For example, haproxy implements rate limiting based
> on IP addresses, URLs and HTTP headers [4].
>
> >
> > D. Another major concern the group has with a single Keycloak install
> > is the restarts that are necessary when an organization unit deploys
> > a new or updated template. The concern is that all applications
> > would be unavailable during the restart. We would be operating in a
> > clustered environment, is the best solution to this concern
> > restarting individual members of the cluster rather than the entire
> > cluster?
>
> Could you please elaborate on template deployment? In Keycloak
> parlance, "templates" can be understood either as "client templates" or
> "HTML templates" (within custom GUI themes).
>
> Client templates surely can be created/updated via GUI or REST API,
> without the need for restart. For GUI themes, they can be deployed a)
> as Wildfly modules, b) via "themes" directory. While the former option
> indeed requires restart, the latter does not. Keycloak 4.x also adds c)
> hot deployment of themes by dropping theme JARs into the "deployments"
> directory.
>
> >
> > E. For reporting and governance processes, the Keycloak API performs
> > quite poorly when we execute use cases such as "Report all Users of
> > an Application". Given the version we are currently on, to
> > accomplish this we need to query all users in the realm and then
> > filter the users if they have the client/role combination. We
> > understand that a future release addresses this use case, but in the
> > meantime the concern is such a query will negatively affect all other
> > clients using Keycloak. Any recommendations on handling this use
> > case prior to Keycloak 4.x?
>
> Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't
> find any info)
>
> Keycloak admin REST API has an endpoint called "Return List of Users
> that have the specified role name", see [5] (identical for KC 3.x and
> 4.x). You could use this endpoint, however you will have to iterate
> over client roles and then merge and de-duplicate the results. Anyway,
> this should be much more efficient than your current approach.
>
> In general, this looks like a classical use case for Realm Resource
> Provider [6]. The query you described easily maps to a single SQL/JPQL
> statement, so you could implement a custom REST resource that would
> execute exactly that query and return results.
>
> Unfortunately, custom REST resources in Keycloak are public by default
> (protected resources should become a part of the hypothetical Admin
> Resource SPI somewhere in the future). However, you can implement that
> (relatively) easily with the techniques demonstrated in Beercloak [7].
>
> >
> > F. Upgrading Versions of Keycloak. We have experienced some
> > difficulty of upgrading versions on server-side (we need to export,
> > import vs a simple DB backup and deployment). What is the
> > recommendations for handling the upgrade of Keycloak from one version
> > to the next given the size of our user base?
>
> Could you please elaborate a bit on the problems that you're facing?
> The export/import scenario is relevant for database upgrades (e.g.
> PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that
> should upgrade the data+metadata automatically. Why doesn't that work
> in your case? Let us know, probably this could be fixed.
>
> >
> > I'm sorry for the long post, hopefully folks get to this point. Any
> > insight that we could receive would be greatly appreciated. We are at
> > a critical cross-roads in our Keycloak adoption and want to ensure we
> > do this correctly.
>
> Sorry it took so long to reply. Keycloak is a great product, I hope it
> fulfills your needs. Good luck!
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> [1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
> [2] https://www.keycloak.org/search.html?q=aws
> [3] https://github.com/rvansa/keycloak-benchmark
> [4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/
> [5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html
> [6] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [7] https://github.com/dteleguin/beercloak
>
> >
> > Thanks!
> > Dave
> >
> >
> > Dave Everson
> > Application Development Team Lead | Environmental Health
> > Minnesota IT Services | Partners in Minnesota Department of Health
> > 625 Robert Street North
> > St. Paul, MN 55155
> > O: 651-201-5146
> > Information Technology for Minnesota Government | mn.gov/mnit
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------
>
> Message: 3
> Date: Fri, 22 Jun 2018 03:38:30 +0300
> From: Dmitry Telegin <dt at acutus.pro>
> Subject: Re: [keycloak-user] Add custom roles in realm-management
>         client
> To: Waldemar Schmalz <waldemar.schmalz at codecentric.de>,
>         keycloak-user at lists.jboss.org
> Message-ID: <1529627910.9620.1.camel at acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Waldemar,
> What version of Keycloak are you on? Things are different for pre-3.2.0
> and post-3.2.0.
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
> > Hello,
> >
> > I have created a new client-role in client "realm-management". It's called
> > "manage-roles" and its purpose is (or should be) to grant users access to
> > create, edit and delete roles in their realms. In the base theme this is
> > only possible when users have access to the role "manage-realm" in client
> > "realm-management". But with this client-role the user is able to manage
> > the whole realm, not only the roles. My user is only allowed to manage
> > roles, users and groups in this case.
> >
> > I changed the html-files so that the keycloak sidebar menu is working: Menu
> > item "Roles" is visible for user with my custom client-role "manage-role".
> > I also extended the getAccessObject() method in my themes
> > controller/realm.js with the needed new role "manageRoles".
> >
> > Accessing the roles-list page is working, but accessing the role-details
> > page (when clicking on a specific role) fails. I get a 403 Forbidden. My
> > question is: Is there something I forgot? Where is the check for returning
> > a 200 OK or a Forbidden for this case? It seems it is not in the templates
> > files, like for the side-menu?
> >
> > If I forgot any information or something, please contact me.
> >
> > Thank you, your help is much appreciated!
> >
> > Best regards
> > Waldemar
>
> ------------------------------
>
> Message: 4
> Date: Fri, 22 Jun 2018 04:34:35 +0300
> From: Dmitry Telegin <dt at acutus.pro>
> Subject: Re: [keycloak-user] Keycloak client
> To: Vinay <vinayatoz at gmail.com>, keycloak-user at lists.jboss.org
> Message-ID: <1529631275.9620.4.camel at acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Vinay,
> In Keycloak, client is (simply speaking) a combination of base URL,
> protocol (OIDC/SAML), roles and authorization rules. So, if your
> application lives under a single base URL, it's simply impossible to
> have many clients per application. Moreover, an adapter (that you use
> to secure your application) is configured for a particular client.
> Hence, there is a 1-to-1 relationship between an application and a
> client.
> However, if your application is heterogeneous, i.e. consists of
> separate components living under different base URLs (and created with
> different technologies), you will have to define individual clients for
> them.
> Resource is an URI under client's base URL, and is used to define fine-
> grained authorization rules within that client.
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
> On Thu, 21/06/2018 at 12:50 -0400, Vinay wrote:
> > Hi there,
> > In what scenario should an application have multiple clients defined in the
> > keycloak server? How does a keycloak client differ from a resource? I
> > understand it is an application that asks for an authentication, but I am
> > not sure when we need multiple clients in an application. What is the basis
> > for defining clients?
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 22 Jun 2018 10:05:51 +0530
> From: Manisha Nandal <manisha04.nandal at gmail.com>
> Subject: Re: [keycloak-user] keycloak SAML response - Authentication method information
> To: keycloak-user at lists.jboss.org
> Message-ID: <CAP63w5Ti+nKSk2FF4n_urmEkNPBY5HYKq-5MvBS88Jnbnss2Xg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Any update ?
>
> On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal <manisha04.nandal at gmail.com> wrote:
>
> > Hi,
> >
> > I authenticated my client application using google IDP. I want to retrieve
> > the information of the IDP used for authentication from the keycloak SAML
> > response. I have checked in the keycloak documentation that
> > "AuthnStatement" gives us the authentication method used (password, etc.)
> > as well as a timestamp of the login.
> >
> > But, my SAML response does not provide any such information. SAML contains
> > the user name used for authentication under "NameID" but I want the identity
> > provider information, say in my case google is the IDP:
> >
> > <saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z"
> >     SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078">
> >   <saml:AuthnContext>
> >     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
> >   </saml:AuthnContext>
> > </saml:AuthnStatement>
> >
> > Can you please guide me on the same
> >
> >
> > Thanks,
> > Manisha
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 22 Jun 2018 10:00:53 +0200
> From: Tiemen Ruiten <t.ruiten at rdmedia.com>
> Subject: Re: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem
> To: Rodolfo De Nadai <rdenadai at gmail.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <CAAegNz0QKWJn0zdOZst36GsOujrsXuyhvwYAHnSvnZ8xxGpn_g at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Signout is working for us, I initially used the same guide but had to make
> some changes. My setup differs in the following places:
>
> Include OneTimeUse Condition - off
> Optimize REDIRECT signing key lookup - off
> SAML Signature Key Name - NONE
> Base URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note
> the lack of &RelayState=true)
>
> I set the signout URL in the Google Apps dashboard to
> https://ourdomain.tld/auth/realms/{realmname}/account/
>
> On 19 June 2018 at 22:12, Rodolfo De Nadai <rdenadai at gmail.com> wrote:
>
> > Hi,
> >
> > I'm configuring my keycloak installation as an IdP and Google apps as an
> > SSO.
> >
> > I'm able to login but when trying to logout I got no success...
> >
> > My configuration follows the one described here:
> > https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
> >
> > There was a thread in the mailing list which was able to login also, but
> > didn't mention the logout process. As I thought it should be almost
> > transparent, since no documentation says anything, it is beginning to turn
> > into a problem.
> >
> > If someone could help or point me in some direction I'd appreciate it.
> >
> > thanks
> >
>
>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
>
> ------------------------------
>
>
> End of keycloak-user Digest, Vol 54, Issue 32
> *********************************************
>


-- 
__________________
http://br.linkedin.com/in/daniloval
19 9227.9082
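Dmitry Telegin's suggestion in message 2 of the quoted digest (call the admin REST endpoint that lists the users holding a given role once per client role, then merge and de-duplicate) worked out as an added Python example; this is not code from the thread or from the Keycloak project, and the base URL, realm name, client id, bearer token and sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

def bearer_getter(token: str) -> Callable[[str], List[dict]]:
    """GET JSON from the admin REST API with an admin bearer token (real HTTP)."""
    def get(url: str) -> List[dict]:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get

def users_of_client(get, base: str, realm: str, client_id: str, page: int = 100) -> Dict[str, dict]:
    """Map user id -> {"username", "roles"} for every user holding a role of the client.

    Walks GET .../clients/{id}/roles, pages through GET .../roles/{name}/users for
    each role and merges by user id, so a user with several roles is listed once.
    Caveat: that endpoint returns direct role mappings only; users who hold the
    role solely through a group or a composite role are not included.
    """
    admin = f"{base}/admin/realms/{urllib.parse.quote(realm)}"
    clients = get(f"{admin}/clients?clientId={urllib.parse.quote(client_id)}")
    if not clients:
        raise LookupError(f"client {client_id!r} not found in realm {realm!r}")
    cid = clients[0]["id"]  # internal UUID, distinct from the human-readable clientId
    merged: Dict[str, dict] = {}
    for role in get(f"{admin}/clients/{cid}/roles"):
        name = role["name"]
        first = 0
        while True:  # page until a short batch signals the end
            batch = get(f"{admin}/clients/{cid}/roles/{urllib.parse.quote(name)}"
                        f"/users?first={first}&max={page}")
            for user in batch:
                entry = merged.setdefault(user["id"], {"username": user["username"], "roles": set()})
                entry["roles"].add(name)
            if len(batch) < page:
                break
            first += page
    return merged

# Constructed sample responses (not real Keycloak data) so the logic runs offline;
# page=2 in demo() forces the "user" role to span two pages.
_BASE = "https://kc.example.test/auth"
_ADM = f"{_BASE}/admin/realms/demo"
FAKE_RESPONSES = {
    f"{_ADM}/clients?clientId=my-app": [{"id": "c1", "clientId": "my-app"}],
    f"{_ADM}/clients/c1/roles": [{"name": "admin"}, {"name": "user"}],
    f"{_ADM}/clients/c1/roles/admin/users?first=0&max=2": [{"id": "u1", "username": "alice"}],
    f"{_ADM}/clients/c1/roles/user/users?first=0&max=2": [
        {"id": "u1", "username": "alice"}, {"id": "u2", "username": "bob"}],
    f"{_ADM}/clients/c1/roles/user/users?first=2&max=2": [{"id": "u3", "username": "carol"}],
}

def demo() -> Dict[str, dict]:
    """Run the merge over the constructed responses; swap in bearer_getter(token) for a live server."""
    return users_of_client(FAKE_RESPONSES.__getitem__, _BASE, "demo", "my-app", page=2)
```

The token for `bearer_getter` must belong to a user with the realm-management `view-users` (or `query-users`) client role; keep it scoped to that rather than reusing a full admin token for a reporting job.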

