How to add a custom header to a Keycloak POST request? - jboss

I am running Keycloak (v.12) in a container. I need to send a header rquid to the identity provider while trying to get a token. The header must be a guid without dashes.
I know that you can write a plugin/extension to customize requests. However, I don't have any experience in Java.
Is it possible to adjust a request via some environment variables, properties in standalone-ha.xml file or anything else?
Any tip would be appreciated.

Related

No “nbf” property found in access token generated by Keycloak after upgrade to 10.0.2 from 3.4.3-Final

We were using a very old release of Keycloak (3.4.3-Final) in which we had the “nbf” property inside our access tokens.
We have changed to the latest Keycloak 10.0.2, but now the “nbf” is gone, and in the response of “/auth/realms/--our realm--/protocol/openid-connect/token” we have a new property “not-before-policy”.
We need to put the “nbf” property back into the access token, so that our API Gateway can verify the value when processing requests, but we can’t find documentation about it. We understand that it should be there by default, but we can’t find any option for putting it back.
We use confidential clients with a default custom Client scope (migrated from a custom client template from the old release).
Other than that we have a custom protocol mapper to add client attributes to the claims.
Thanks for the help.

WOPI Host implementation issues

We’re trying to implement a WOPI host following the protocol to integrate with OWA, as documented here, and we’re having some issues with a few points:
We have implemented a simple host that is only capable of viewing files, that is, it implements the CheckFileInfo and GetFile views. In a test environment, the flow is working and we’re able to view the files in OWA. The point is, when executing the WOPI Validator (the web and the docker version), we’re getting an error in the GetFile operation because the validator is trying to access the endpoint with two // at the end:
host/wopi/files/file_id//contents
Is this a known issue that happens only in the validator? Why are the two ‘/’ being appended to the end of the WopiSrc? How can we address this issue?
We have read some posts here stating that editing is required in order to officially validate our OWA integration with Microsoft. Is this true? Aren’t the CheckFileInfo and GetFile views the only ones necessary to implement a simple WOPI host capable only of viewing files? We’re just passing the required information in the response of the CheckFileInfo operation. We’re not using FileUrl or any other parameter but the required ones. As far as I can see, these two views are the only ones required for viewing files with OWA, as stated here.
Additionally, we’re having an issue in the first part of the flow, when the browser sends a request to OWA and passes the token and the WopiSrc. We were only able to make the flow work by passing the token in the query string via the GET method. If we put it in a JSON body with a POST method, OWA simply ignores it and does not make an attempt to call the WOPI host at all via the WopiSrc. Could someone enlighten us a bit on this matter to figure out what may be happening?
Furthermore, we’re stuck at some point of token validation. The docs are crystal clear when they say that the token is generated by the host, and that it should be unique for a single user/file combination. We have done that. The problem is, how are we supposed to know which user is trying to access a resource when the request comes from OWA? For example, when OWA calls the host in the CheckFileInfo and GetFile views, it passes us the token. But how could we know the user information as well? Since the token is for a single file (which we have in the address of the endpoint being accessed) and for a single user, how can we validate the user at this point? We have not found any header or placeholder value that could be used to extract this information when receiving a request from OWA, and we’re a bit lost here. We’ve thought about appending the user information to the token and then extracting it back, but from what I could see, doing that only ensures that the token has not been modified between requests. Does anyone have any idea?
Regarding the validation with Microsoft: it demands the edit functionality.
For the POST situation, the submission must be made as a "form" not as JSON.
The token validation is completely open, you must choose the way you think would be the best approach. JWT is a good alternative in this case.

How can I use Fiddler to supply authentication information for logging into Crucible?

My manager and the company I work for currently use a program called Crucible and Fish Eye to generate graphs and show data for code commits, code coverage, repository data etc.
My manager would like me to come up with some way of querying the database (the database that I only have access to through crucible). He suggested that I use a program called Fiddler to generate an HTTP Request in order to GET, POST, and PUT data.
I have attempted to do this but I am not able to get data, because I do not know how to log in to Crucible FROM Fiddler.
Do you know if there's an authentication that I can set from Fiddler to supply the username and password to my Crucible account, or is there a different way around this?
The easy way is to use Postman instead of Fiddler. It helps you with different types of authentication schemes.
If your webservice supports basic authentication then you can add the authentication header manually or automatically as follows. Assume your username is "foo" and your password is "bar". Combine them as in "foo:bar" and encode them base64 to "Zm9vOmJhcg==" (https://www.base64encode.org/).
Now go to the Composer in Fiddler and add the following header:
Authorization: Basic Zm9vOmJhcg==
That should do it. You can also do this automatically with FiddlerScript.

Dropwizard - how to achieve custom authorization scheme?

I am trying to use Dropwizard as a full web server, combining serving public pages, protected pages and data through REST API. So, I am validating the ability to protect some routes by applying a custom authorization scheme based on a computed token and a realm to manage different security areas.
I have difficulty understanding how to achieve this. The sequence I was expecting is the following:
display an HTML login page with a user form
user enters their credentials
call an authenticate route to validate credentials and create a token for the user. Send back a welcome page with an Authorization header like: MyScheme token="TYGDF655HD88D098D0970CUCHD987D897", realm="SUPER SECRET STUFF"
user clicks a link to list their invoices: /html/invoices
this route is protected by the Dropwizard @Auth annotation
no header is sent by the browser, so the server answers with a 401 response carrying the header WWW-Authenticate: MyScheme realm="SUPER SECRET STUFF", challenging the browser to give it an authorization header matching the challenge
Unfortunately, the browser didn't send this header. According to many articles, I thought browsers managed an authorization cache for all received credentials, their scheme and parameters (such as realm).
It seems browsers have this behavior for well-known schemes such as Basic authentication, but not for custom schemes (by the way, this is usually an issue for basic auth, since the browser can't "log out" a user unless they erase the web history or close the browser).
How do you think it's possible to tell a browser to cache authorization credentials and to add them each time a server response challenges it with the right scheme / realm?
I could post here all the example code I use to make this example run.
A reference (good to read) : RFC1945 at https://www.rfc-editor.org/rfc/rfc1945#section-11
Thank you for your help.
Running dropWizard 0.9.2 on Jdk Oracle 1.8 / Debian 8.
Browser doesn't manage authorization. It never does, or at least never should.
Server should always keep its cache, and verify input from the browser.
At a basic level, all of the fields you need, are part of the HTTP Header. If you inject the request, you'll have access to them.
If dropwizard doesn't have things you need, you can always ignore everything, and simply read the request headers and do the custom processing you need.
For instance, add a Filter which sets the realm, something like WWW-Authenticate: Basic realm="myrealm:"
Authorization: MyScheme Caesar-cipher-password. You'll need to parse it and process it yourself, perhaps set up an incoming Filter on all requests, or selective requests.
Is it a good idea, I'll let you be the judge. Perhaps, in your use case it makes sense.
If you have a look at the source code and how the BasicCredentials are used, perhaps it can provide insight into a potential solution you may adapt yourself.
Hope it helps.
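An added example (not code from the answer, the asker, or the Dropwizard project) of the incoming Filter the answer describes, written as a JAX-RS 2 ContainerRequestFilter such as Dropwizard 0.9.2's Jersey runs: it parses the asker's MyScheme header, checks the token against a server-side session cache, and re-issues the WWW-Authenticate challenge otherwise. The class name, the in-memory token store, the register() method and the "html/" path prefix are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Hypothetical filter: validates 'Authorization: MyScheme token="..", realm=".."' on html/* routes. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class MySchemeAuthFilter implements ContainerRequestFilter {
    static final String REALM = "SUPER SECRET STUFF";
    // Accepts: MyScheme token="<alphanumeric>" optionally followed by , realm="<text>"
    private static final Pattern HEADER = Pattern.compile(
        "MyScheme\\s+token=\"([A-Za-z0-9]+)\"(?:\\s*,\\s*realm=\"([^\"]*)\")?");

    // The answer's point: the server keeps the cache. The /authenticate route stores a
    // freshly generated random token -> user here; the client only echoes the token back.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    public void register(String token, String user) { sessions.put(token, user); }

    /** Returns the user owning the header's token, or null if the header is unusable. */
    String userFor(String authorization) {
        if (authorization == null) return null;
        Matcher m = HEADER.matcher(authorization.trim());
        if (!m.matches()) return null;                                   // wrong scheme/shape
        if (m.group(2) != null && !REALM.equals(m.group(2))) return null; // other realm
        return sessions.get(m.group(1));                                 // unknown token -> null
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        if (!ctx.getUriInfo().getPath().startsWith("html/")) return;     // public routes pass
        String user = userFor(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) {
            // Challenge again; a browser will not answer a custom scheme on its own.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "MyScheme realm=\"" + REALM + "\"")
                .build());
            return;
        }
        ctx.setProperty("user", user); // resources read it via @Context ContainerRequestContext
    }
}
```

Register it in the application's run() with environment.jersey().register(filter); tokens must be unguessable random values, since the map lookup is the only check.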

What is the best way of passing user info/profile/context via web API service

I am a newbie who is writing an ASP.NET Web API service for the very first time. The issue I am having is how to pass user information or different contexts via the service request. For example, I want to pass user context (i.e. username, user preferences etc.) and, let's say, security context (i.e. API key, secret etc.) through each service call. The options I found:
1. using the query string
2. custom HTTP headers
3. overloading the Authorization header to pass a JSON object
4. cookie
I ditched the idea of using the query string as it has a 2k limitation, custom headers could be stripped by proxy services, I don't want to use cookies, and creating a JSON object of all the context and sending it via the auth header can work but seems like not a smart way. Any idea? What is the best way of passing this extra information?
I would really appreciate it if someone could help me with some examples.