keycloak | add authentication to applications and secure services | Identity Management library

by imagov | Ruby | Version: v3.2.2 | License: MIT

kandi X-RAY | keycloak Summary

keycloak is a Ruby library typically used in Security and Identity Management applications. keycloak has no bugs, it has a Permissive License and it has low support. However, keycloak has 11 vulnerabilities. You can download it from GitHub.

Keycloak gem was developed to integrate applications and services into Red Hat's Keycloak system for user control, authentication, authorization, and session management.
            Support

              keycloak has a low active ecosystem.
              It has 86 star(s) with 47 fork(s). There are 8 watchers for this library.
              It had no major release in the last 12 months.
              There are 15 open issues and 8 have been closed. On average issues are closed in 108 days. There are 8 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of keycloak is v3.2.2

            Quality

              keycloak has 0 bugs and 0 code smells.

            Security

              keycloak has 11 vulnerability issues reported (0 critical, 5 high, 6 medium, 0 low).
              keycloak code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              keycloak is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            Reuse

              keycloak releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.

            keycloak Examples and Code Snippets

            Keycloak, Use, Keycloak::Admin (Ruby, 43 lines of code, License: Permissive (MIT))
            # GET /admin/realms/{realm}/users
            Keycloak::Admin.get_users(query_parameters = nil, access_token = nil)
            
            # POST /admin/realms/{realm}/users
            Keycloak::Admin.create_user(user_representation, access_token = nil)
            
            # GET /admin/realms/{realm}/users/count
              
            Keycloak, Use, Module Keycloak (Ruby, 21 lines of code, License: Permissive (MIT))
            Keycloak.installation_file = 'path/to/file.json'
            
            Keycloak.realm
            
            Keycloak.auth_server_url
            
            Keycloak.proxy
            
            Keycloak.generate_request_exception
            
            Keycloak.keycloak_controller
            
            Keycloak.proc_cookie_token
            
            cookies.permanent[:keycloak_token] = Keycloak::  
            Keycloak, Use, Keycloak::Client (Ruby, 16 lines of code, License: Permissive (MIT))
            Keycloak::Client.get_token(user, password, client_id = '', secret = '')
            
            Keycloak::Client.url_login_redirect(redirect_uri, response_type = 'code')
            
            Keycloak::Client.get_token_by_code(code, redirect_uri, client_id = '', secret = '')
            
            Keycloak::Client.  
            The keycloak config resolver bean (Java, 4 lines of code, License: Permissive (MIT License))
            @Bean
            public KeycloakConfigResolver configResolver() {
                return new KeycloakSpringBootConfigResolver();
            }

            Community Discussions

            QUESTION

            Confidential Rest-Api w/ Permissions - Always 403s - What Am I Doing Wrong?
            Asked 2022-Apr-11 at 18:17

            I've tried for many hours now and seem to have hit a wall. Any advice/help would be appreciated.

            Goal: I want to authorize the express rest-api (ex client-id: "my-rest-api") routes (example resource: "WeatherForecast") across various HTTP methods mapped to client scopes (examples: "create"/"read"/"update"/"delete"). I want to control those permissions through policies (for example, "Read - WeatherForecast - Permission" will be granted if policy "Admin Group Only" (user belongs to admin group) is satisfied).

            Rest-api will not log users in (will be done from front end talking directly to keycloak and then they will use that token to talk with rest-api).

            Environment:

            What Happens: I can login from keycloak login page through postman and get an access token. However when I hit any endpoint that uses keycloak.protect() or keycloak.enforce() (with or without specifying resource permissions) I can't get through. In the following code the delete endpoint returns back 200 + the HTML of the keycloak login page in postman and the Get returns back 403 + "Access Denied".

            Current State of Realm

            • Test User (who I login with in Postman) has group "Admin".
            • Client "my-rest-api" with access-type: Confidential with Authorization enabled.
            • Authorization set up:
              • Policy Enforcement Mode: Enforcing, Decision Strategy: Unanimous
              • "WeatherForecast" resource with uri "/api/WeatherForecast" and create/read/update/delete client scopes applied.
              • "Only Admins Policy" for anyone in group admin. Logic positive.
              • Permission for each of the client scopes for "WeatherForecast" resource with "Only Admins Policy" selected, Decision Strategy: "Affirmative".

            Current State of Nodejs Code:

            ...

            ANSWER

            Answered 2022-Apr-11 at 18:17

            So my team finally figured it out - the resolution was a two part process:

            1. Followed the instructions on similar issue stackoverflow question answers such as: https://stackoverflow.com/a/51878212/5117487 Rough steps in case that link is ever broken somehow:
               • Add hosts entry for 127.0.0.1 keycloak (if 'keycloak' is the name of your docker container for keycloak, I changed my docker-compose to specify container name to make it a little more fool-proof)
               • Change keycloak-connect config authServerUrl setting to be: 'http://keycloak:8080/auth/' instead of 'http://localhost:8080/auth/'
            2. Postman OAuth 2.0 token request Auth URL and Access Token URL changed to use the now updated hosts entry:
               • "http://localhost:8080/auth/realms/abra/protocol/openid-connect/auth" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/auth"
               • "http://localhost:8080/auth/realms/abra/protocol/openid-connect/token" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/token"

            Source https://stackoverflow.com/questions/71802757

            QUESTION

            How to access the original case sensitive username input in custom user storage provider of keycloak?
            Asked 2022-Mar-24 at 07:18

            I need to integrate keycloak with an existing application. Users log in with username and password. Unfortunately, the application supports case-sensitive usernames and must continue to do so.

            When creating the Custom User Storage Provider, at the entry point public UserModel getUserByUsername(String username, RealmModel realm) I get the username, but it has already been converted to a case insensitive String.

            Here is an example which illustrates the situation.

            username input | received username | users in database
            John Doe       | john doe          | john doe, John Doe

            I am aware that keycloak does not support case sensitive users, but for retrieving the users from the database I need to be able to distinguish the users. Is it possible to access the original input of the username?

            ...

            ANSWER

            Answered 2022-Mar-24 at 07:18

            Like you noticed correctly, usernames (and also email) are converted to lowercase in Keycloak. This behaviour is introduced by the UserCacheSession class. The only way I found to get around this is to disable user caching globally in the Keycloak instance. This can be done by setting the appropriate configuration values inside standalone.xml, standalone-ha.xml or domain.xml (depending on your setup like described here).

            The config block should be changed from

            Source https://stackoverflow.com/questions/69553369

            QUESTION

            Keycloak 17: Unsatisfied dependency for type org.keycloak.models.KeycloakSession and qualifiers [@Default]
            Asked 2022-Mar-23 at 09:03

            We are using keycloak as IDP and have some custom plugins/SPIs. We are in the process of updating our keycloak instance to the version 17 Quarkus distribution and the SPIs began to break (error below) during the keycloak build process. I've made sure that there are no keycloak libraries packed as part of the jar.

            The SPI looks like below and have corresponding entries in Manifest file under Manifest/services/org.keycloak.services.resource.RealmResourceProviderFactory

            Custom SPI/plugin

            ...

            ANSWER

            Answered 2022-Mar-23 at 09:03

            Remove @Path annotation from class.

            Source https://stackoverflow.com/questions/71427463

            QUESTION

            Quarkus GraphQL Client with Keycloak
            Asked 2022-Mar-18 at 10:34

            I've been trying this for days now and I'm not sure if I missed something.

            I have a Quarkus GraphQL Service , like here : https://quarkus.io/guides/smallrye-graphql

            And I have setup Keycloak to secure it.

            Now I wanted to create a client with Qute and GraphQL Smallrye client like here : https://quarkus.io/guides/smallrye-graphql-client

            The client can connect to the service, but I always get an "Data Fetching Error: io.quarkus.security.UnauthorizedException".

            It seems like the GraphQL client is not sending the headers correctly or it doesn't send any ...

            Does anyone know how I can tell the client to send the Authorization header from keycloak with every call?

            PS: I tested it with a short React frontend and there it's working, so it seems to be a GraphQL client issue with the headers... Some ideas?

            ...

            ANSWER

            Answered 2022-Mar-17 at 08:35

            Not sure if you're using a dynamic or typesafe client, so I'll describe both.

            For both types, if you have a key that doesn't change during the life of the application, you can configure that by adding a configuration property like this: quarkus.smallrye-graphql-client.CLIENT_NAME.header.HEADER_NAME=HEADER_VALUE (see https://quarkus.io/guides/all-config#quarkus-smallrye-graphql-client_quarkus-smallrye-graphql-client-smallrye-graphql-client)

            If the value can change over time, I would probably recommend using the programmatic builder instead of using a statically configured client, like this:

            Source https://stackoverflow.com/questions/71500950

            QUESTION

            Using Keycloak adapter with Wildfly 26 does not provide "KEYCLOAK" as mechanism
            Asked 2022-Mar-16 at 19:01

            I have a JAX-RS application deployed in WildFly. The application's endpoints shall be protected by Keycloak with Access Type: bearer-only. This works perfectly fine for WildFly versions up to 24.

            Starting from WildFly 25 the Keycloak adapter is deprecated and one should migrate to the new Elytron subsystem. According to this WildFly issue https://issues.redhat.com/browse/WFLY-15485 however the OIDC adapter is not ready yet to work with bearer-only. But it is mentioned that it should still be possible using the Keycloak Wildfly adapter.

            Also the latest Keycloak documentation and this thread in Google Groups state this.

            So I installed the adapter from this location and ran the installation script:

            https://github.com/keycloak/keycloak/releases/download/16.1.1/keycloak-oidc-wildfly-adapter-16.1.1.zip

            ./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml

            When deploying the application I get the following error message:

            java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory

            Setup

            • WildFly 26 (Jakarta EE 8)
            • Keycloak 16.1.1

            web.xml

            ...

            ANSWER

            Answered 2022-Feb-01 at 07:31

            I finally got it working without the Keycloak adapter, i.e. using the new built-in Elytron subsystem.

            oidc.json (located in the WEB-INF directory)

            Source https://stackoverflow.com/questions/70922622

            QUESTION

            React navigate after login with keycloak
            Asked 2022-Mar-01 at 22:58

            Using expo-keycloak-auth

            https://www.npmjs.com/package/expo-keycloak-auth

            I am trying to add the login to an existing screen. I am able to log in successfully. I want the user to be able to click a button to navigate to the new screen. This is the code (almost identical to the example on GitHub):

            ...

            ANSWER

            Answered 2022-Mar-01 at 22:58

            You have to pass navigation from LoginScreen as prop to Auth component:

            Source https://stackoverflow.com/questions/71315102

            QUESTION

            Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
            Asked 2022-Feb-09 at 15:42

            My Webapp is deployed in Wildfly 25.0.1.Final and is secured using OpenID Connect (OIDC). WildFly 25 enables you to secure deployments using OpenID Connect (OIDC) without installing a Keycloak client adapter.

            It is configured like this:

            web.xml

            ...

            ANSWER

            Answered 2022-Feb-09 at 15:42

            This is a known issue and documented here: https://issues.redhat.com/browse/ELY-2284

            If you upgrade to wildfly 26.0.1 it should be resolved.

            Source https://stackoverflow.com/questions/70020441

            QUESTION

            How to modify existing claims in JWT from Keycloak for OIDC flow?
            Asked 2022-Feb-07 at 23:01

            I'm generating JWTs for a service for authentication and we're using Keycloak as the OAuth server.

            I've set up a realm R, a client C, and a user U. I set up a protocol mapper to include "C" in the "aud". I generated the JWT token for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".

            How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it. I've been googling around a lot and trying out different stuff in Keycloak but I can't get this to work somehow.

            ...

            ANSWER

            Answered 2022-Feb-07 at 22:59

            I generated the JWT token for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".

            Instead of an audience Mapper you can use a Hardcoded claim Mapper with:

            • Token Claim Name set to aud
            • Claim value set to C
            • Add to access token set to ON

            This mapper will override the original claim "aud": "account" with "aud": "C".

            Like so:

            How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it.

            For this you need to go to:

            • The realm where the client is
            • Go to clients and select the client
            • Click on the tab "Client Scopes"
            • Remove the scopes email and profile from "Assigned Default Client Scopes"

            like so:

            Source https://stackoverflow.com/questions/71025013

            QUESTION

            Deploying a Keycloak HA cluster to kubernetes | Pods are not discovering each other
            Asked 2022-Feb-05 at 13:58

            I'm trying to deploy a HA Keycloak cluster (2 nodes) on Kubernetes (GKE). So far the cluster nodes (pods) are failing to discover each other in all the cases as of what I deduced from the logs. Where the pods initiate and the service is up but they fail to see other nodes.

            Components

            • PostgreSQL DB deployment with a clusterIP service on the default port.
            • Keycloak Deployment of 2 nodes with the needed ports container ports 8080, 8443, a relevant clusterIP, and a service of type LoadBalancer to expose the service to the internet

            Logs Snippet:

            ...

            ANSWER

            Answered 2022-Feb-05 at 13:58

            The way KUBE_PING works is similar to running kubectl get pods inside one Keycloak pod to find the other Keycloak pods' IPs and then trying to connect to them one by one. Except Keycloak does that by querying the Kubernetes API directly instead of running kubectl.

            To do that, it needs credentials to query the API, basically an access token.

            You can pass your token directly, if you have it, but it's not very secure and not very convenient (you can check other options and behavior here).

            Kubernetes has a very convenient way to inject a token to be used by a pod (or a software running inside that pod) to query the API. Check the documentation for a deeper look.

            The mechanism is to create a service account, give it permissions to call the API using a RoleBinding and set that account in the pod configuration.

            That works by mounting the token as a file at a known location, hardcoded and expected by all Kubernetes clients. When the client wants to call the API it looks for a token at that location.

            Although not very convenient, you may be in the even more inconvenient situation of lacking permissions to create RoleBindings (somewhat common in more strict environments).

            You can then ask an admin to create the service account and RoleBinding for you or just (very insecurely) pass your own user's token (if you are capable of doing a kubectl get pod on Keycloak's namespace you have the permissions) via the SA_TOKEN_FILE environment variable.

            Create the file using a secret or configmap, mount it to the pod and set SA_TOKEN_FILE to that file location. Note that this method is specific to Keycloak.

            If you do have permissions to create service accounts and RoleBindings in the cluster:

            An example (not tested):

            Source https://stackoverflow.com/questions/70286956
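
The service-account mechanism described in the answer above, written out as an added example; it is not the answer author's own example, which did not survive on this page. The namespace `identity`, the object names and the image placeholder are assumptions, while the replica count and container ports come from the question. The Role is namespaced and grants only `get` and `list` on pods, the equivalent of the `kubectl get pods` lookup the answer describes.

```yaml
# Added example: names, namespace and image are placeholders, not values from the page.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-kube-ping
  namespace: identity
---
# Namespaced Role (not a ClusterRole): discovery only needs to read pods
# in Keycloak's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-pod-reader
  namespace: identity
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keycloak-pod-reader
  namespace: identity
subjects:
  - kind: ServiceAccount
    name: keycloak-kube-ping
    namespace: identity
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: keycloak-pod-reader
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: identity
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      # Kubernetes mounts this account's token at
      # /var/run/secrets/kubernetes.io/serviceaccount/token, the known
      # location the answer refers to, so no user token has to be passed in.
      serviceAccountName: keycloak-kube-ping
      containers:
        - name: keycloak
          image: KEYCLOAK_IMAGE_PLACEHOLDER
          ports:
            - containerPort: 8080
            - containerPort: 8443
```

To confirm the binding grants what discovery needs and nothing broader, run `kubectl auth can-i list pods -n identity --as=system:serviceaccount:identity:keycloak-kube-ping` (expected `yes`) and the same check for `secrets` (expected `no`).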

            QUESTION

            keycloak + Kong API Gateway
            Asked 2022-Jan-27 at 22:33

            We are using keycloak to handle authentication (client/secret) in our API Gateway.

            The Kong api service uses konnect-managed-plugin to refer to keycloak to authenticate client credentials and return a bearer token.

            Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection.

            I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.

            If I auth straight to keycloak, the bearer token works for introspection.

            eg

            Token from: http://kongapigateway.domain/getOAuthToken

            • NOTE: We have not yet set up ssl on the kong api gateway

            Returns:

            ...

            ANSWER

            Answered 2022-Jan-27 at 22:33

            You can fix this by setting Keycloak's frontend URL to your public URL. For details please refer to my answer to another but similar question.

            Source https://stackoverflow.com/questions/70872675

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install keycloak

            Add this line to your application's Gemfile:

            Support

            For any new features, suggestions and bugs, create an issue on GitHub. If you have any questions, check and ask on the Stack Overflow community page.
            Find more information at:
