Can I use keycloak to support PAT like github in addition to the OIDC JWT authentication?
Say, for some specific users, we should be able to support PAT or API key.
The expectation is that any SAML users who has to write a script to use our API's can use a PAT for authentication.
Related
When an user account is disabled on a connected IdP, how do I ensure the account is blocked as soon as possible on Keycloak? At the moment, the “disabled” user is able to continue using my SPA because Keycloak continues to refresh the access token without speaking to the external IdP.
One of the critical features required by my partners when using SSO is that they have control over their users’ access to my application. At the moment if the user was logged into my SPA, they can continue using it for about 24 hours. I would hope to cut that time down to 5 minutes, the lifetime of the access token.
The external IdP is Google. I have tried using both Keycloak’s builtin Social provider for Google as well as setting up a SAML app in Google and user-defind SAML provider in Keycloak. I’m using Keycloak v9 but can upgrade if necessary.
Is there a recipe to achieve my goal? What options do I need to set in the Keycloak client and SAML provider?
Many thanks!
The approach could be as follows. The resource server will need to do the checking with the IDP, not Keycloak.
Enable the option to Store Tokens and Read Stored Tokens in the IDP settings.
Assign users the broker/read-tokens role.
On the resource server, decide on a frequency to check whether the user has been disabled on the IDP. Be aware of each IDP's token introspection's endpoint. Each time the API is consumed:
First of course verify the access token as usual.
If it's time to verify against the IDP, call the Keycloak API with the access token to retrieve the IDP's access token.
The Keycloak endpoint is: https://{domain}/realms/{realm}/broker/{idpid}/token
Call the IDP's token introspection endpoint to validate the IDP access token.
Act accordingly if the IDP responds that the token is not valid. Respond with 401 and ensure that the Keycloak access token can't be used again. Maybe the end_session_endpoint or revocation_endpoint, not sure.
Token validation endpoints:
Google: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={access_token}
AuthO: https://{tenant}.eu.auth0.com/userinfo
MS Azure: doesn't exist, good luck with that!
I have a SPA (angular) application that connects users with Azure AD B2C. The application then obtains a JWT. The application (SPA) must then consume APIs behind WSO2 APIM. I want to have the JWT validated by Wso2 APIM.
SPA --> AZUREADB2C
SPA <-- AZUREADB2C (JWT)
SPA --> APIM (Validate JWT) --> Backend API
Should I create a custom key manager in APIM? or is there another setting?
You should be able to use the JWT Bearer Grant[1] for this purpose.
Basically, you will have to add Azure AD as an IdP in APIM and configure a service provider. Then you can obtain a token from APIM after validating your JWT and use that to access the APIs.
[1] - https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/jwt-grant/#jwt-grant
WSO2 API Manager provides two ways to cater this requirement.
If you want to validate the token directly generated from Azure AD
It needs to be configured as key manager from Admin portal. WSO2 API Manager does not have out of the box support to configure Azure AD as key manager. (It supports WSO2 IS, KeyCloak, PingFederate, Okta and Auth0 OOTB).
You can write custom key manager implementation and deploy it in API Manager to cater this requirement. The steps to write custom key manager is explained here.
User authentication with token exchange approach
WSO2 API Manager supports OAuth 2.0 Token Exchange grant type (From APIM 4.1.0 onwards) to exchange JWT tokens generated by external Authorization servers for APIM token.
For this, you need to add Azure AD as a Key Manager as mentioned in this doc and exchange the JWT token generated from Azure AD for APIM token. This method requires some modification in the SPA.
i am quite new to kubernetes and I am looking towards certificate based authentication and token based authentication for calling K8 apis. To my understanding, I feel token based approach (openID + OAuth2) is better since id_token will get refreshed by refresh_token at a certain interval and it also works well with the login point(web browser) which is not the case with Certificate based approach . Any more thoughts to this ? I am working using minikube with kubernetes . Can anyone share their thoughts here ?
Prefer OpenID Connect or X509 Client Certificate-based authentication strategies over the others when authenticating users
X509 client certs: decent authentication strategy, but you'd have to address renewing and redistributing client certs on a regular basis
Static Tokens: avoid them due to their non-ephemeral nature
Bootstrap Tokens: same as static tokens above
Basic Authentication: avoid them due to credentials being transmitted over the network in cleartext
Service Account Tokens: should not be used for end-users trying to interact with Kubernetes clusters, but they are the preferred authentication strategy for applications & workloads running on Kubernetes
OpenID Connect (OIDC) Tokens: best authentication strategy for end users as OIDC integrates with your identity provider (e.g. AD, AWS IAM, GCP IAM ...etc)
I advice you to use OpenID Connect. OpenID Connect is based on OAuth 2.0. It is designed with more of an authentication focus in mind however. The explicit purpose of OIDC is to generate what is known as an id-token. The normal process of generating these tokens is much the same as it is in OAuth 2.0.
OIDC brings a step closer to providing with a user-friendly login experience and also to allow us to start restricting their access using RBAC.
Take also look on Dex which acts as a middleman in the authentication chain. It becomes the Identify Provider and issuer of ID tokens for Kubernetes but does not itself have any sense of identity. Instead, it allows you to configure an upstream Identity Provider to provide the users’ identity.
As well as any OIDC provider, Dex supports sourcing user information from GitHub, GitLab, SAML, LDAP and Microsoft. Its provider plugins greatly increase the potential for integrating with your existing user management system.
Another advantage that Dex brings is the ability to control the issuance of ID tokens, specifying the lifetime for example. It also makes it possible force your organization to re-authenticate. With Dex, you can easily revoke all tokens but there is no way to revoke a single token.
Dex also handles refresh tokens for users. When a user logs in to Dex they may be granted an id-token and a refresh token. Programs such as kubectl can use these refresh tokens to re-authenticate the user when the id-token expires. Since these tokens are issued by Dex, this allows you to stop a particular user refreshing by revoking their refresh token. This is really useful in the case of a lost laptop or phone.
Furthermore, by having a central authentication system such as Dex, you need only configure the upstream provider once.
An advantage of this setup is that if any user wants to add a new service to the SSO system, they only need to open a PR to Dex configuration. This setup also provides users with a one-button “revoke access” in the upstream identity provider to revoke their access from all of our internal services. Again this comes in very useful in the event of a security breach or lost laptop.
More information you can find here: kubernetes-single-sign-one-less-identity/, kubernetes-security-best-practices.
Does Github support OAuth 20 resource owner password credential grant type? I know you can use basic authentication for CLI to login with Github account. The basic authentication can be used to directly request all sorts of user data (like emails, teams, etc). I am curiously to know if CL can request an OAuth access_token by using ROPC, then uses access_token (similar to authorization code grant type) to request user data.
Github's oAuth implementation only supports authorization code grant type. As an alternative (and similar to CLI), you can retrieve a personal access token via basic auth, then use the token for subsequent resource access.
I'm trying to post an issue on GitHub with the GitHub API.
I looked at the API documentation,
https://developer.github.com/v3/issues/#create-an-issue
but I can't figure out where the account information should go in the request body.
How should I authenticate this request?
You can see example of scripts posting issues in:
"'mapserver-trac-importer" (authentication github_post, with user/password)
"simple basic-auth node github api" (authentication here, with user/password)
".bashrc" (authentication in curl, with oauth)
As described in API V3 authentication, you can either user username/password, or an oauth token.
Note that if you have activated the 2FA (2 Form Authentication), you will need an oauth token.
I prefer oauth anyway, because you can revoke the token at any time (token that you can create just for this script), without having the hassle to change your password (which you could use in multiple other instances).