I entered the following data, but after applying these settings, the input is not carried out, several questions arise. during authorization, the user returns to the page with minio and so on indefinitely
MINIO_IDENTITY_OPENID_CONFIG_URL=https://test.local.ru/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_CLIENT_ID="292085223830"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="12344556"
MINIO_IDENTITY_OPENID_SCOPES=openid
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC==https://minio.local.ru/*
how do I even understand why it brings me back to the page? are
there any logs, I don't understand how to debug
do I still need to have policies and users that are in sso? if you start, then you need to specify the access key. It is unclear why authorization is needed then. if you still get the keys to enter.
is it possible to enable both OpenID and standard authorization at the same time?
I finally figured out this problem
you need
to go to the rules section in your keycloak sso client to create a role with a name equal to the policy from the minio:
for example role name
consoleAdmin or readonly
in addition to the name, you do not need to fill in any attributes in the role, do not put it as a composite
after adding the role, we need to perform two steps
create a claim name (the name can be any), for example, minio-roles
mapper type - user client role
claim json - string
client id - the name of your sso client
token claim name - minio-roles
then it remains to assign this role to users in the users section
user - role mapping - client roles ( select client name SSO) - select the right role for this user
Related
I have keycloak instance (version 16) with one realm and two different clients.
The first client works with Open ID Connect Identity provider. It also works with public Access Type and with SSO and 2FA.
The second client works with a Custom module added from User Federation where 2FA is not possible to be used because the calls for authentication are mainly programmatically. Also, this client works with confidential Access Type.
The problem is that each client has a different external database with users, but the usernames in these databases are not unique.
And if I try to log in with the second client it works but after that, if I try to log in with the first client I can't, and vice versa. (in both clients username "notUniqueUser#email.com" is used)
The error message in this case is:
User with username notUniqueUser#email.com already exists. How do you want to continue?
“Review profile”
“Add to existing account”
Is it possible for these two clients to work both properly at the same time, when I do not have unique usernames and how should I configure it? (I find that is possible to have same email addresses but I can't find anything for usernames)
Maybe some kind of force authentication will be OK, and when the user "notUniqueUser#email.com" is already logged with the first client and I try to log in with the second, the session from the first one to be deleted and vice versa.
Depending on how your IDPs are configured you can try the following:
go to your realm
then to the IDP configuration in question
switch to Mappers
Click on Create
As a mapper type select Username teamplate Importer
in the template field and something that will make the username unique for example ${CLAIM.preferred_username}_<The Name of the IDP>
For example, if a username named 'user' logins from both 'IDP1' and 'IDP2' it will be imported into the Keycloak DB as 'user_IDP1' and 'user_IDP2', respectively.
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
I came across similar scenario and the way I solved it was by enabling a default role to the newly added user.
This role can be changed later on but with a default role in place, your flow will complete.
There are 2 ways to assign a default role in keycloak. With both these configs, whenever a new user is registered even from external service providers, they will be assigned this default role:
Assign a default role directly to user:
Assign a default group to user & map a role to that default group
Please note that Default Group & Role names in above are my own and they are not predefined in keycloak.
After logging in to Keycloak admin console --> roles -> go to 'Default Roles' tab and add the role from available section to default realm roles section and save...Now when a user is registered, it will have the role assigned .
I've just setup my first Keycloak server to offer SSO between two applications. These are not Java applications, and one is connected with SAML-2 and the other with OpenID Connect.
So in Keycloak I have Realm-1, and then Client-1(application1) and Client-2(application2) and user-1 and user-2.
Now I want user-1 to only be allowed access to Client-1, and user-2 to be allowed access to both Client-1 and Client-2. Should be simple enough.
I have tried to read up on Roles and Authorization, but I find the documentation(or maybe just the topic) very confusing. I have been playing around with it with no success. I was expecting an interface to just map a group to a Client, and restrict access to the Clients by adding/removing users from groups.
If you are using SAML:
Create a new role in Keycloak.
Assign this role to the group.
Create new authentication script in Keycloak. Configure which role is allowed upon login (e.g. user.hasRole(realm.getRole("yourRoleName")) ).
In client setting, under "Authentication Flow overrides" choose the created authentication(from step 3).
If you are using openid, look at the comment in this thread
Making first steps with Dreamfactory and followed the tutorial I am not finding, how could I apply role to the user, when I want user to access some service (and not app).
Here
http://wiki.dreamfactory.com/DreamFactory/Tutorials/Accessing_SQL_tables
is described, how to create such role, but on User-tab there is no place to apply roles for services, there is only list of apps.
How could I achieve it?
I'll do my best to explain
Access to services is always controlled by Roles. You can have as many or as few Roles as you like.
Apps (API Keys) can have a default Role, but it is not required.
If the app has a default Role, then no JWT is needed to access. The call is made with API Key only, and the default Role is used to allow or deny access to services.
If the app does NOT have a default Role, then a user session (JWT) needs to be included in the call, in which case the User and App are correlated to a Role, and that Role is used to allow or deny access to services. A User may have a different Role for each App.
Assigning the user to app to role relationship is done via the User management tab.
So with that in mind, you need to create a role that defines access to your desired services. Then you need to assign that role to the user for a particular app (api key.) Then when you make your api calls you will make them with the user's session and the api key included, and the role will allow or deny access to services as you defined it.
I am using keycloak, and I have created a dropwizard service that I want to start enforcing roles in.
I have tried using the #RolesAllowd("user") annotation, but it always returns 403.
I have also tried #PermitAll, and that works fine.
I know I am connected correctly to the server, as the user has the correct information in it (email, name, etc), but where do the roles come from?
Is there a way to see the roles that a user has?
(answering my own question)
The issue that I was having #RolesAllowd("user") always returns a 403, is because of a checkbox in the Keycloak UI called "Scope Param Required". and the tooltip reads:
This role will be granted just if scope parameter with role name is used during authorization/token request.
It turns out, if you are trying to use that role, and the checkbox is on, it will not be sent to the client, so it will seem to the client that the user does not have that role. That checkbox was clicked ON for me, so that is why the annotation was showing the user was not authenticated.
So, if that checkbox is checked, you need to explicitly ask for the role, here is how you do that with user:
"scope" : {
"realm" : [ "user" ]
}
And here is more information from Keyclaok: https://issues.jboss.org/browse/KEYCLOAK-231
In your application realm on the keycloak admin console, you have a section called roles. There you must add the roles that will be checked by java security.
If you want that a user after a registration automatically receive a role, you need to add this role into default roles (roles -> default roles). You can also add manually roles to existent users in users -(select a user)->role mapping->assigned roles