I'm using a client "admin-cli" in order to create users in my application.
Recently, I've deployed to the production environnement.
I've recreated my keycloak configuration from scratch. Bur the admin-cli can't add users in the environnement.
In order to understand this issue, I've create in my developpemnt environnment a new client myClientAdmin and assign the same rigth as the admin-cli.
And I reproduce the same issue as in my production environnement.
Then I try with kcadm to solve or have a better understanding of this issue.
kcadm.sh config credentials --server http://localhost:8080/auth --realm mira --client admin-cli --secret secret1
kcadm.sh get-roles -r mira --uusername service-account-admin-cli --cclientid realm-management
---> "name" : "realm-admin"
kcadm.sh get users -r mira -q role=XXX --fields "username" --> works fine
kcadm.sh config credentials --server http://localhost:8080/auth --realm mira --client myClientAdmin --secret secret2
kcadm.sh get-roles -r mira --uusername service-account-myClientAdmin --cclientid realm-management
---> "name" : "realm-admin"
kcadm.sh get users -r mira -q role=XXX --fields "username" --> doesn't works
---> Logs of keycloak
13:07:46,001 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (default task-45) Error response 403: org.keycloak.services.ForbiddenException
at org.keycloak.keycloak-services#16.0.0//org.keycloak.services.resources.admin.permissions.UserPermissions.requireQuery(UserPermissions.java:283)
at org.keycloak.keycloak-services#16.0.0//org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:275)
at jdk.internal.reflect.GeneratedMethodAccessor551.invoke(Unknown Source)
I don't undestand this issue the two clients seems to have the same client roles : real-admin
Can anyone help me ?
Keycloak 16.0.0
best regards
Related
I set up my mongoDB cluster with TLS authentication.
I can successfully connect on a mongos instance using :
/opt/cluster/stacks/mongoDB/bin/mongosh --tls --host $(hostname).domain.name -tlsCAFile /opt/cluster/security/ssl/cert.pem --port 27017
I have a Kafka connect mongoDB sink that has the following configuration :
{
"name": "client-order-request-mongodb-sink",
"config": {
"connector.class": "com.mongodb.kafka.connect.MongoSinkConnector",
"database":"Trading",
"collection":"ClientOrderRequest",
"topics":"ClientOrderRequest",
"connection.uri":"mongodb://hostname1.domain.name:27017,pre-hostname2.domain.name:27017",
"mongo.errors.tolerance": "all",
"mongo.errors.log.enable": "true",
"errors.log.include.messages": "true",
"writemodel.strategy":"com.mongodb.kafka.connect.sink.writemodel.strategy.ReplaceOneBusinessKeyStrategy",
"document.id.strategy": "com.mongodb.kafka.connect.sink.processor.id.strategy.PartialValueStrategy",
"document.id.strategy.overwrite.existing": "true",
"document.id.strategy.partial.value.projection.type": "allowlist",
"document.id.strategy.partial.value.projection.list": "localReceiveTime,clientId,orderId"
}
}
It is working fine if I redeploy mongoDB without authentication, but now when I try to instantiate it with the following curl command :
curl -X POST -H "Content-Type: application/json" --data '#connect-task-sink-mongodb-client-order-request.json' $KAFKA_CONNECT_LEADER_NODE/connectors/
I have the following error:
{"error_code":400,"message":"Connector configuration is invalid and contains the following 1 error(s):\nUnable to connect to the server.\nYou can also find the above list of errors at the endpoint /connector-plugins/{connectorType}/config/validate"}
From the mongoDB kafka connect sink documentation I found that I needed to set up global variable of the KAFKA_OPTS so before starting the distributed connect server I do:
export KAFKA_OPTS="\
-Djavax.net.ssl.trustStore=/opt/cluster/security/ssl/keystore.jks \
-Djavax.net.ssl.trustStorePassword=\"\" \
-Djavax.net.ssl.keyStore=/opt/cluster/security/ssl/keystore.jks \
-Djavax.net.ssl.keyStorePassword=\"\""
Notice that I put an empty password because when I list the entry of my keystore with:
keytool -v -list -keystore key.jks
Then I just press enter when the password is prompted.
So the issue was that the ssl connection wasn't enabled on the client side.
If you want to do so with the mongoDB kafka connect plugin you need to state it in the connection.uri config parameter such as:
"connection.uri":"mongodb://hostname1.domain.name:27017,pre-hostname2.domain.name:27017/?ssl=true"
mongorestore -h ds121312.mlab.com:21312 -d heroku_jzxndzbk -u heroku_jzxndzbk -p xxxxxxxxxxxxxxx dump/Loc8r
Error:
2019-12-20T11:36:55.931-0500 error connecting to host: could not connect to server: connection() : auth error: sasl conversation error: unable to authenticate using mechanism "SCRA
M-SHA-1": (AuthenticationFailed) Authentication failed.
I am following along "Getting MEAN" text by Holmes/Harber - pg 152.
Any suggestions? Thank you
You must also specify which database you are using for authentication, e.g., --authenticationDatabase admin.
Reference: https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-authenticationdatabase
I am trying to set up the JHipster Registry with a local git config server.
--spring.cloud.config.server.composite.0.type=git
--spring.cloud.config.server.composite.0.uri=http://mygit/abc.git
those 2 config works but my git need permission to login.
now I got the error: Authentication is required but no CredentialsProvider has been registered
Does anyone know where can I set up the username and password?
I tried:
--spring.cloud.config.server.git.uri=
--spring.cloud.config.server.git.password=
--spring.cloud.config.server.git.username=
not working
Try
--spring.cloud.config.server.composite.0.username=
--spring.cloud.config.server.composite.0.password=
Add the following in the bootstrap-*.yml
cloud:
config:
server:
bootstrap: true
composite:
- type: git
uri: https://github.com/awnali/configuration
username: ${spring.cloud.config.server.git.username}
password: ${spring.cloud.config.server.git.password}
default-label: main
and then run the application with the following command:
java -jar target/jhipster-registry-6.8.0.jar --spring.profiles.active=prod --spring.cloud.config.server.git.username=***** --spring.cloud.config.server.git.password=*****
What is the correct way to set the aud claim to avoid the error below?
unable to verify the id token {"error": "oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=account, client_id=webapp"}
I kinda worked around this error message by hardcoding aud claim to be the same as my client_id. Is there any better way?
Here is my docker-compose.yml:
version: '3'
services:
keycloak-proxy:
image: "keycloak/keycloak-gatekeeper"
environment:
- PROXY_LISTEN=0.0.0.0:3000
- PROXY_DISCOVERY_URL=http://keycloak.example.com:8181/auth/realms/realmcom
- PROXY_CLIENT_ID=webapp
- PROXY_CLIENT_SECRET=0b57186c-e939-48ff-aa17-cfd3e361f65e
- PROXY_UPSTREAM_URL=http://test-server:8000
ports:
- "8282:3000"
command:
- "--verbose"
- "--enable-refresh-tokens=true"
- "--enable-default-deny=true"
- "--resources=uri=/*"
- "--enable-session-cookies=true"
- "--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j"
test-server:
image: "test-server"
With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field 'aud' of the access token.
Therefore even though the login succeeds the client rejects the user.
To fix this you need to configure the audience for your clients (compare doc [2]).
Configure audience in Keycloak
Add realm or configure existing
Add client my-app or use existing
Goto to the newly added "Client Scopes" menu [1]
Add Client scope 'good-service'
Within the settings of the 'good-service' goto Mappers tab
Create Protocol Mapper 'my-app-audience'
Name: my-app-audience
Choose Mapper type: Audience
Included Client Audience: my-app
Add to access token: on
Configure client my-app in the "Clients" menu
Client Scopes tab in my-app settings
Add available client scopes "good-service" to assigned default client scopes
If you have more than one client repeat the steps for the other clients as well and add the good-service scope.
The intention behind this is to isolate client access. The issued access token will only be valid for the intended audience.
This is thoroughly described in Keycloak's documentation [1,2].
Links to recent master version of keycloak documentation:
[1] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/client-scopes.adoc
[2] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/oidc/audience.adoc
Links with git tag:
[1] https://github.com/keycloak/keycloak-documentation/blob/f490e1fba7445542c2db0b4202647330ddcdae53/server_admin/topics/clients/oidc/audience.adoc
[2] https://github.com/keycloak/keycloak-documentation/blob/5e340356e76a8ef917ef3bfc2e548915f527d093/server_admin/topics/clients/client-scopes.adoc
This is due to a bug: https://issues.jboss.org/browse/KEYCLOAK-8954
There are two workarounds described in the bug report, both of which appear to do basically the same thing as the accepted answer here but can be applied to the Client Scope role, so you don't have to apply them to every client individually.
If, like me, you want to automate the keycloak config, you can use kcadm
/opt/jboss/keycloak/bin/kcadm.sh \
create clients/d3170ee6-7778-413b-8f41-31479bdb2166/protocol-mappers/models -r your-realm \
-s name=audience-mapping \
-s protocol=openid-connect \
-s protocolMapper=oidc-audience-mapper \
-s config.\"included.client.audience\"="your-audience" \
-s config.\"access.token.claim\"="true" \
-s config.\"id.token.claim\"="false"
Its works to me:
In my SecurityConfiguration class:
#Bean
public CorsConfigurationSource corsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
config.setAllowedMethods(Arrays.asList(CorsConfiguration.ALL));
config.setAllowedHeaders(Arrays.asList(CorsConfiguration.ALL));
config.setAllowCredentials(true);
source.registerCorsConfiguration("/**", config);
return source;
}
In our keycloak we have written admin-cli command to make things smooth after keycloak bought up .We will create some basic Realm/user/group and other details from the help of admin-cli .
Now we want to add the SMTP server details through admin-cli . How can be achieve this ?
Ok at last too many hit and try i found the solution . Here is the details how to add the SMTP server details via admin-cli
First Step Enable HTTPS(As in our case keycloak running on HTTPS)
/opt/keycloak/bin/kcadm.sh config truststore --trustpass keycloak /opt/keycloak/security/ssl/keycloak.jks
Second Step Login with client admin-cli
/opt/keycloak/bin/kcadm.sh config credentials --server https://{{keycloak_server_IP}}:{{keycloak_port}}/auth --realm master --user admin --password admin --client admin-cli
If realm not created create it via this
/opt/keycloak/bin/kcadm.sh create realms -s realm=SURE -s enabled=true
and then run below command
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -x -s 'smtpServer.host=Your Host Name' -s 'smtpServer.from=email#somemail.com' -s 'smtpServer.fromDisplayName=Mail Support' -s 'smtpServer.auth=false' -s 'smtpServer.ssl=false'
You can also use this command
/opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm -f - << EOF
{"smtpServer" : {
"replyToDisplayName" : "...",
"starttls" : "",
"auth" : "true",
"envelopeFrom" : "...",
"ssl" : "true",
"password" : "...",
"port" : "...",
"host" : "...",
"replyTo" : "...",
"from" : "...",
"fromDisplayName" : "...",
"user" : "..."
}
}
EOF