In my application, I would need to obtain my custom principal object when I call request.getUserPrincipal(). Application is deployed in wildfly 26 server. So far I tried to use custom login module with JAAS-realm, than I tried to implement custom security realm. In both ways, when I call request.getUserPrincipal(), instance of NamedPrincipal is returned back.
Is there any possible way to get custom principal object out of request in elytron security?
I think you are running into this unresolved issue https://issues.redhat.com/browse/WFCORE-5809 . You can upvote it or write a specific comment there.
Depending on why you need a custom principal class, you can maybe utilize attributes of SecurityIdentity if you need to obtain a specific information about the principal.
Related
I have an application where right now a user could work in different context : in the same client application he could switch his context and work either for a company1 as "Administrator" or if he switch to the second context , he could work as "Editor" for the company2…
This was done by using a custom homemade authorization module, but we are trying to use openid-connect now so we are trying to find some solutions with KeyCloack.
Is it possible to assure the same kind of thing in Keycloack ?
It's possible. BUT it's not something that anyone who doesn't know the internal of your custom implementation could give you a solution.
Authorization services provided by Keycloak is quite flexible and of course complex. I suggest you to take a look at the following link and see which of of authorization solution can answer your requirements and would also be possible to adopt your system to use it (e.g. RBAC, ABAC, CBAC, etc.).
As an example, one solution could be to consider each company a resource and then each user of the application, can have different roles/permissions on each resource. So in Keycloak you define who has what roles on which resources (companies) and then in your app, you check those to see if user is authorized or not. But I'm pretty sure when you get a better overview of the Authorization Services in Keycloak, you would come up with a much better idea.
Keycloak Authorization Services
I wanted to capture user attributes coming from SAP IDP(Identity & Authentication tenant service like department,salutation ,company etc ,via UserAccessor SDK api,but although those attributes are set and has value in IDP user and all the integration with IDP and sub account is in place post authentication ,user attributes object is empty ,i am only able to retrieve specific attributes like first names ,last name,email address ,user groups etc via JWT and UserAccessor api ,but no luck with other attributes ,in IDP i have mentioned these attributes as well under assertion attributes in SAP Identity authentication tenant .
Please guide and help in this matter .
Thanks Siddharth
Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:
Okay so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:
You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service. This documentation looks like a good place to start looking).
You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.
Let me know if this works for you!
Original Answer:
As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.
Please also check out this discussion for more information.
I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:
After successful authentication have keycloak pull extra claims from the application database somehow. This app database is postgres, for example.
Have the application update the jwt with extra claims using a shared key.
I would like some feedback both paths. I feel that the fist option may be safer. However I am not sure where to begin that implementation journey.
Answering my own question here. I cross-posted this question to the Keycloak users mailing list here (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.
This is pasted from the answer I received there.
I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by keycloak but hasn't been signed yet. This is the procedure :
User logs in
My custom protocol mapper gets called, where I overwrite the transformAccessToken method
Here I log in the client where the protocol mapper is in into keycloak, as a service. Here don't forget to use another client ID instead the one you're building the protocol mapper for, you'll enter an endless recursion otherwise.
I get the access token into the protocol mapper and I call the rest endpoint of my application to grab the extra claims, which is secured
Get the info returned by the endpoint and add it as extra claims
I want to use IdentityServer3 in my solution, but one of my requirements is to connect to multiple databases for users, clients and scopes.
So, I want to customize the Login page and add a database selector. I’m doing this with a custom view service.
Then, when the user click on login button, my custom user service is called, but I don’t know how to send the database selector value to my AuthenticateLocal implementation on custom user service.
I need to know the database selector value in custom client and scope services as well.
I saw this post: http://forums.asp.net/t/2032044.aspx?Custom+User+Service+for+Thinktecture+Identity+Server+V3 where Brock said it isn’t possible.
Does the latest version of IdentityServer3 have any way to archive what I need?
Thanks!
Best regards.
You can add custom form elements to the submit on the login page. In your custom IUserService add the OwinEnvironmentService as a ctor dependency to get access to the incoming OWIN environment. You can then wrap that with an OwinContext for convenience. Then in your AuthenticateLocal you can read the posted custom form elements to do whatever you need in your logic.
I have a scenario where I am trying to combine spring security with jersey for my REST API.
My need is rather complicated (I think) and it is as follows:
Spring security is being used to intercept urls and forcing basic authentication in order to access a REST resource. This seems to be ok as I am using http client to test this.
However what I want to do is somehow access the User object that is loaded to check some additional permissions that hang off the user (a map object with boolean flags to indicate if object properties are visible or not). The code that does the loading works, but after spring authenticates how do I then access the User object in the actual REST Resource method itself?? Is this possible?
So the steps are:
1) Client makes a REST API call
2) Spring intercepts URL checks username and password supplied in the http header
3) The rest resource method is then accessed if valid credentials are present
But before step 3, I want to somehow pass on the loaded User object to the actual Resource method itself so I can further apply some logic to restrict what the user can see based on the permissions that I have loaded??? Is this possible? I think I have seen some code somewhere that checks for User Roles before a method is accessed using Spring and REST but if anyone has any links or ideas that would be excellent.
Please help if you can. thank you so much.
I solved this by using a request-scoped proxy which was constructed by a bean factory.
This allows you to simply inject your currently authenticated user into any spring managed bean, and in my case my Jersey Resources fell into that category. I injected my user into the tier below the resources, but it's all the same.
Someone else elegantly blogged the full solution here.