Can't create user when user federation is enabled in Keycloak - keycloak

On Keycloak, I want to add some users from external storage but not others.
For those who use the external database, the SPI works fine, but when I want to add users that the external database does not know about directly to Keycloak's local database, I get stuck on the SPI and get an error.
Adding the user succeeds if I disable the SPI, but I need a more effective solution.
Can you help, please?
Thank you

In Keycloak you can have both users coming from the User SPI (external data source) and users directly managed by Keycloak, in parallel.
You don't have to disable the User SPI to add Keycloak-managed users.
Of course this depends on how you have implemented your SPI, but it's possible and I have tried it.
If you share more details on your user SPI implementation and error logs, it would help in suggesting a solution.

Related

Is there any possibility to secure access to the dashboard of JobRunr?

Do you know of any way to secure access to the JobRunr dashboard? Since many critical operations can be done inside the dashboard, it needs to be protected with a username and password. At the moment it seems open to anyone who can access the dashboard's URL.
Thanks in advance
I don't recommend a setup where the dashboard can be accessed via the internet; I would only allow access via internal IPs.
If you also want to protect it for internal IPs, there is a way to do so. Search the issues and the discussions for it (I'm not writing the answer here as I don't like to promote that solution).
Update regarding JobRunr 6
JobRunr Pro 6 will support OpenID Authentication.

Keycloak - Add roles to the user profile

I am using Keycloak on one of my projects. On the backend I am using Spring Boot and calling the Keycloak REST API.
I would love to have info about the roles (better would be client roles, but realm roles will be sufficient) of each user when fetching their profile.
URL where I am trying to fetch user: <host>/admin/realms/<realm>/users/<id>
At this moment, I have to programmatically loop over each user and fetch his roles, which means many, many additional requests. Imagine having 500 users... And yes, I know I could paginate them etc.
I have been trying to find something on the internet for a very long time, but nothing works. I am able to add them to the access token, but I can't add them to the user info.
If there is anyone who knows how to enrich user info, just point me in the right direction. I have been messing with client scopes for so long and I still don't understand them at all. I could not even find a good tutorial on this topic.
You should develop your own Keycloak extension:
https://www.keycloak.org/docs/latest/server_development/#_extensions_rest
You need Java and NHibernate skills.

Custom Authenticator for OpenID Keycloak realm

I am currently evaluating Keycloak as the central Identity Manager for a backend with multiple REST services (RESTEasy/WildFly).
After a lot of trial and error and reading the docs, I have succeeded in making an OpenID Connect login into my custom Keycloak realm (analogous to this post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html).
I can see the access token + id_token coming in the response and am able to make requests to the REST services by passing these tokens.
However, I can only authenticate using the credentials of the users defined in Keycloak itself. In our real-life case, the users reside in SAP and are unknown to Keycloak.
We do, however, have a Java library for authenticating these users over the SAPJCO connector.
Can anyone please tell me how to configure keycloak to use a "custom authentication" module for the actual authentication?
Is implementing a custom authenticator SPI (https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/auth-spi.html) the way to go? If not, what would be a possible solution?
Hope you guys can help!
Regards,
Kim Zeevaarders
The Netherlands
If you can access the SAP user details via the SAPJCO connector then you could write a custom Federation Provider. The provided example is rudimentary but it gives the basic idea and the Maven dependencies.
In a nutshell, you will need to extend org.keycloak.models.UserFederationProvider and provide methods for obtaining user details, validating credentials and searching by attributes. In your case you would use your SAPJCO connector to fulfil each of these functions against your existing user base.
Update 30 May 2018
The User Federation SPI was replaced with a new User Storage SPI in release 2.5. Migration notes are available here.
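The two Keycloak threads above (the first question's mixed local and external users, and this question's validation of credentials against an external connector) come down to the same User Storage SPI decisions, shown here as an added example that is not code from either answer or from Keycloak itself. It assumes a recent Keycloak release (RealmModel-first UserLookupProvider signatures); the package, class name and the in-memory map standing in for the external database are constructed for illustration.

```java
package example.storage; // constructed example package, not project code

import java.util.Map;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.*;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserRegistrationProvider;

public class ExternalDbStorageProvider implements UserStorageProvider,
        UserLookupProvider, UserRegistrationProvider, CredentialInputValidator {
    private final KeycloakSession session;
    private final ComponentModel model;
    // Constructed stand-in for the external store (username -> password); a real provider
    // would query its database or, in the SAP case, the SAPJCO connector here instead.
    private final Map<String, String> external = Map.of("alice", "s3cret");

    public ExternalDbStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }
    // Lookup: null for unknown names, so Keycloak keeps searching, ending with its local storage.
    @Override public UserModel getUserByUsername(RealmModel realm, String username) {
        if (!external.containsKey(username)) return null;
        return new AbstractUserAdapter(session, realm, model) {
            @Override public String getUsername() { return username; }
        };
    }
    @Override public UserModel getUserById(RealmModel realm, String id) {
        return getUserByUsername(realm, StorageId.externalId(id)); // strip the "f:<component>:" prefix
    }
    @Override public UserModel getUserByEmail(RealmModel realm, String email) { return null; }
    // Registration: null means "not mine", so admin-created users land in local storage, not in the external DB.
    @Override public UserModel addUser(RealmModel realm, String username) { return null; }
    @Override public boolean removeUser(RealmModel realm, UserModel user) { return false; }
    // Password check against the external store; Keycloak only calls this for users this provider returned.
    @Override public boolean supportsCredentialType(String t) { return PasswordCredentialModel.TYPE.equals(t); }
    @Override public boolean isConfiguredFor(RealmModel r, UserModel u, String t) {
        return supportsCredentialType(t) && external.containsKey(u.getUsername());
    }
    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        String expected = external.get(user.getUsername());
        return supportsCredentialType(input.getType()) && expected != null
                && expected.equals(input.getChallengeResponse());
    }
    @Override public void close() { }
}
```

The provider still needs a UserStorageProviderFactory registered via META-INF/services (not shown), and the plaintext map is only a placeholder: a real provider delegates the password check to the external system rather than comparing secrets itself.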

liferay authentication from soap

I need to integrate Liferay (version 6.2) with another service which stores information about users. Communication with the service occurs through SOAP.
Is it possible to use users from the service to authenticate to Liferay?
Liferay integrates with external systems through LDAP already. If you use that interface, you're set. If you need a proprietary API to access user information, you will have some work in front of you.
It might be worth examining the SSO implementation and intercepting newly authenticated users on this level: with the user's identity, create or update a Liferay user account on the fly through Liferay's API. To me this looks like the most promising approach from an effort/maintenance point of view, with the little information I have about your situation.
Alternatively you could batch-update all (Liferay-) user accounts from time to time, based on updates in your external system.
Let me see if I understand what you need:
1. The user is prompted with a login page.
2. The credentials entered by the user are checked against a web service (could be any service).
3. The user is either logged in or an auth error is displayed to the user.
If that's what you need, then create an autologin hook. The code that calls the web service shall live in the autologin hook.
It may seem intimidating, but it is trivial: Liferay comes with a bunch of them (take one of them as a template):
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.FacebookAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.SiteMinderAutoLogin
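An autologin hook along the lines of the three steps above, as an added example (not code from the answer or from Liferay). It assumes the Liferay 6.2 portal-service API; the class name, the login/password request parameters and the SoapUserService client (wired to a constructed in-memory check in place of a real SOAP stub) are assumptions.

```java
package example.auth; // constructed example package, not project code

import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.auth.AutoLoginException;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SoapAutoLogin implements AutoLogin {
    // Hypothetical client for the external SOAP user service. A real hook would call the
    // generated SOAP stub; this constructed lambda stands in for it so the class is complete.
    interface SoapUserService { boolean checkCredentials(String login, String password); }
    private final SoapUserService soap =
            (login, password) -> "alice".equals(login) && "s3cret".equals(password);

    // Steps 1-2: read the submitted credentials and verify them against the web service.
    // Returning null hands the request back to Liferay's normal login chain, which then
    // shows the usual authentication error (step 3); the password is never stored or logged.
    @Override
    public String[] login(HttpServletRequest request, HttpServletResponse response)
            throws AutoLoginException {
        String login = ParamUtil.getString(request, "login");
        String password = ParamUtil.getString(request, "password");
        if (login.isEmpty() || password.isEmpty() || !soap.checkCredentials(login, password)) {
            return null;
        }
        try {
            long companyId = PortalUtil.getCompanyId(request);
            // Only a pre-provisioned Liferay account is logged in here; the create-on-the-fly
            // or batch-sync variants from the other answer would add the user at this point.
            User user = UserLocalServiceUtil.fetchUserByScreenName(companyId, login);
            if (user == null) return null;
            // {userId, stored password, "true"}: the third element tells Liferay the
            // password is already in its hashed form, so the external secret is not reused.
            return new String[] {
                String.valueOf(user.getUserId()), user.getPassword(), Boolean.TRUE.toString()
            };
        } catch (Exception e) {
            throw new AutoLoginException(e);
        }
    }

    @Override
    public String[] handleException(HttpServletRequest request, HttpServletResponse response,
            Exception e) throws AutoLoginException {
        throw new AutoLoginException(e); // let the portal report the failure
    }
}
```

Register the class by appending it to auto.login.hooks in portal-ext.properties; the hook only asserts identity, so everything else (permissions, roles) still comes from the Liferay account it resolves.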

How can I create an XMPP account?

I have a web application using XMPP for chatting. The only real problem is that users have to create their own XMPP account on the right server. I'd like to automate this process.
How do I automatically create a new XMPP account for a new user? How do I know what address can or cannot be used for the account?
There are a few different approaches:
Have the client register in-band. They can then choose their username themselves.
Connect to an existing user database, or interface with it directly.
The server might have some CLI or Web-based management tool that can be used.
As ggozad wrote, use the Add user command defined by Service Administration.
You need to implement (and your server needs to support) XEP-0133 Service Administration, in particular the add-user command. You can create random user IDs or generate them with some logic and store them somewhere to check for uniqueness. The get-registered-users command might also be of help.