How to pass dynamic values to a TOML file in Burrow - toml

We are using Burrow in our system and we want to configure it to support SASL.
https://github.com/linkedin/Burrow/wiki/Configuration#sasl-profile
Could you suggest how to pass the password at runtime? We don't want to store the token information, as the token expires every 24 hours.
[sasl.saslprofile]
username={{.kafkauser}}
password={{.kafkasecret}}
handshake-first=true
Our services have SASL enabled to communicate with Kafka, which requires a runtime token. We need to add a callback class; is there a way to add a dependency to our project and add the callback class?
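One way to keep the rotating token out of the stored file is to render the `{{.kafkauser}}` / `{{.kafkasecret}}` template from the question at start time and write the result with owner-only permissions. This is an added example, not part of the original question or of Burrow's own code; the environment variable names `KAFKA_USER` / `KAFKA_SECRET` and the output path are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"text/template"
)

// Section from the question; values are rendered as quoted TOML strings so a
// token containing quotes or backslashes cannot break or inject into the file.
const saslProfileTemplate = `[sasl.saslprofile]
username={{quote .kafkauser}}
password={{quote .kafkasecret}}
handshake-first=true
`

// RenderSASLProfile fills the template and refuses an empty or missing value.
func RenderSASLProfile(values map[string]string) (string, error) {
	for _, key := range []string{"kafkauser", "kafkasecret"} {
		if values[key] == "" {
			return "", fmt.Errorf("missing value for %q", key)
		}
	}
	tmpl, err := template.New("sasl").Funcs(template.FuncMap{"quote": strconv.Quote}).
		Option("missingkey=error").Parse(saslProfileTemplate)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, values); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// KAFKA_USER / KAFKA_SECRET are hypothetical names: the rotating token comes
	// from the environment at start time, so it is never stored in the template.
	cfg, err := RenderSASLProfile(map[string]string{
		"kafkauser": os.Getenv("KAFKA_USER"), "kafkasecret": os.Getenv("KAFKA_SECRET")})
	if err == nil { // owner-only permissions keep the secret from other local users
		err = os.WriteFile("burrow-sasl.toml", []byte(cfg), 0o600)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Regenerating the file on every restart (or before each token rotation) means the on-disk copy is only ever as fresh as the current token.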

Related

Is there any way to obtain a custom principal from WildFly Elytron Security?

In my application, I need to obtain my custom principal object when I call request.getUserPrincipal(). The application is deployed on a WildFly 26 server. So far I tried to use a custom login module with a JAAS realm, then I tried to implement a custom security realm. In both cases, when I call request.getUserPrincipal(), an instance of NamedPrincipal is returned.
Is there any possible way to get a custom principal object out of the request in Elytron security?
I think you are running into this unresolved issue: https://issues.redhat.com/browse/WFCORE-5809 . You can upvote it or write a specific comment there.
Depending on why you need a custom principal class, you can maybe utilize attributes of SecurityIdentity if you need to obtain specific information about the principal.

Extend authentication with custom license entities?

I'm using Keycloak as an auth server behind an Nginx reverse proxy.
Leveraging the multi-tenancy and multi-role features suits my needs, but I'd like to extend the authentication flow with some custom user properties that would ideally be stored in an alternative schema/database.
These could be exemplified by:
A global subscription with an expiration date associated with one or more tenants/realms.
A license with expiration date associated with each user inside the same tenant/realm.
...
From what I've understood I could exploit a custom Authenticator SPI that checks these fields based on the user_id and add it to a custom Authentication Flow defined for each separate client inside my pool. Is this the correct use case or is there a better general approach to apply?

No “nbf” property found in access token generated by Keycloak after upgrade to 10.0.2 from 3.4.3-Final

We were using a very old release of Keycloak (3.4.3-Final) in which we had the “nbf” property inside our access tokens.
We have changed to the latest Keycloak 10.0.2, but now the “nbf” is gone, and in the response of “/auth/realms/--our realm--/protocol/openid-connect/token” we have a new property, “not-before-policy”.
We need to put the “nbf” property back into the access token so that our API Gateway can verify the value when processing requests, but we can’t find documentation about it. We understand that it should be there by default, but we can’t find any option to put it back.
We use confidential clients with a default custom Client scope (migrated from a custom client template from the old release).
Other than that we have a custom protocol mapper to add client attributes to the claim.
Thanks for the help.

Quarkus, Keycloak and OIDC token refresh

I’m currently working on a PoC with multiple Quarkus services and Keycloak RBAC. Works like a charm, easy to bootstrap and start implementing features.
But I encountered an issue that I could not solve in my mind. Imagine:
User accesses a protected service
quarkus-oidc extension does fancy token obtaining by HTTP redirecting, JWT in cookie lasts 30 minutes
User is authenticated and gets returned to the web application
User works in application, fills in forms and data
Data is being stored by JWT-enriched REST calls (we do validation by hibernate-validator)
User works again, taking longer than 30 min
Wants to store another entry, but token from step 3 is now expired and API call fails
User won’t be happy, so me neither
Possible ways to solve:
Make the JWT last longer than the current 30 minutes, but that just postpones the issue and opens some security doors
Store users’ input in local storage to restore it later after a token refresh (we would also do that to not lose users’ work)
Refresh the token "silently" in JS without the user knowing. Is there a best practice for that?
I missed something important and the internet now tells me a better architecture for my application.
Thank you internet!
Re step 3: in Quarkus 1.5.0, adding quarkus.oidc.token.refresh-expired=true will get the ID token refreshed and the user session extended if the refresh grant has succeeded.
For such use cases, I tend to prefer the reverse of JWT. I keep the user data in a shared data service (a data grid like Infinispan or Redis). So that this data is keyed by the user and available. I do control the TTL of that data in the shared data service.
It can either be specific to an app, or shared between a small number of apps. It does bring some coupling but so does the JWT property structure.
For Quarkus, there is an Infinispan client integration, a Hazelcast one, mongodb and AWS dynamoDB. And you can bring other libraries.

Custom Authenticator for OpenID Keycloak realm

I am currently evaluating Keycloak as the central Identity Manager for a backend with multiple REST services (RESTEasy/WildFly).
After a lot of trial and error and reading the docs, I have succeeded in making an OpenID Connect login into my custom Keycloak realm (analogous to this post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html).
I can see the access token + id_token coming in the response and am able to make requests to the REST services by passing these tokens.
However, I can only authenticate using the credentials of the users defined in Keycloak itself. In our real-life case, the users reside in SAP and are unknown to Keycloak.
We do, however, have a Java library for authenticating these users over the SAP JCo connector.
Can anyone please tell me how to configure Keycloak to use a "custom authentication" module for the actual authentication?
Is implementing a custom authenticator SPI (https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/auth-spi.html) the way to go? If not, what would be a possible solution?
Hope you guys can help!
Regards,
Kim Zeevaarders
The Netherlands
If you can access the SAP user details via the SAP JCo connector, then you could write a custom Federation Provider. The provided example is rudimentary, but it gives the basic idea and Maven dependencies.
In a nutshell, you will need to extend org.keycloak.models.UserFederationProvider and provide methods for obtaining user details, validating credentials and searching by attributes. In your case you would use your SAP JCo connector to fulfil each of these functions against your existing user base.
Update 30 May 2018
The User Federation SPI was replaced with a new User Storage SPI in release 2.5. Migration Notes are available here