I'm trying to make a POST request to our KeyCloak.
I can create a user with no problem but once i provide the post request with the federationLink this isn't picked up. I tried it both with the ID and the string of the Federation Link. I noticed that the added Attributed aren't picked up aswell.
The body i post is:
"username": "xx#local",
"email": "xx#local",
"emailVerified": true,
"enabled": true,
"federationLink": "qa.exn-dir.xxx.com/cn=xxx,cn=xxxx,o=xxx",
"attributes":{
"PHONE_NUMBER": [
"xxxx"
],
"CARD_NUMBER":[
"xxx"
]
},
"credentials": [
{
"type": "password",
"value": "12345"
}
]
And i post this to /auth/admin/realms/REALM/users
When looking at the created user this is still in the default federation and not the one we provided in the body.
Any idea how i could solve this?
User federation in keycloak provide functionality to import user data from your selected LDAP system, source from keycloak documentation
Keycloak can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential information. You can point Keycloak to validate credentials from those external stores and pull in identity information.
That means keycloak does not store the user credential, keycloak only point to those external stores to validate the user credentials.
Quoting from your comment replying to #sventorben
Thanks for the reply. The users that we need to create in case are external users and they need to be added in keycloak using the API. Atleast that is what i'm told.. But they need to be added to a specific federationLink. This is my first time using KeyCloak so i'm still new to the whole thing
In case of your requirement to create external users:
You can create it and store the user data information and credential in keycloak, that means you need to send the appropriate user data and credentials along to the keycloak so that keycloak can use it.
Or if you prefer to load the users data and validate the credential from your LDAP system, then first you need to register the external users to your LDAP system just like #sventorben said, and then let keycloak automatically synchronize these new users (based on your synchronize settings of the user federation) or if you prefer manually, you can do it via keycloak admin console.
Related
We have impersonation roles for a number of admins -- it's working as expected.
A Client application, for audit purposes, would like to be informed when a token issued is via impersonation -- is there a way we can send an attribute/claim to the Client informing that the token is an Admin impersonating a user?
Yes, Keycloak stores that information in user session notes. The information can be mapped via builtin mappers.
Follow these steps:
Navigate to Clients -> <your client> -> Mappers
Click Add Builtin
Choose Impersonator Username and/or Impersonator User ID (depends on whether you want the username or id as a claim in the token)
Click Add selected
That's it. Your tokens contain the information as shown below:
{
...
"sub": "9ab9bfd1-f95d-4aa1-a8b2-0d1fb06b365a",
"preferred_username": "test",
...
"impersonator": {
"id": "2d2f4b4a-716c-4428-97cd-22fa731c0d9a",
"username": "admin"
}
...
}
My organization runs a grafana 7.0 instance that only allows SSO logins. I would like to create an API token for my user account but based on these instruction it seems like doing so is not possible without supplying a password. Is this understanding accurate?
As #Amal.Touzani mentioned, API key is created per organisation, not per user.
Instruction, mentioned by you, needs admin password to authenticate the admin user during API token creation. Later on access level will be defined by role specified in request, in example it is "role": "Admin". Role could be Viewer, Editor or Admin (as mentioned here)
Of course, all these steps could be done from Grafana Administration UI:
I think your user should have the permission to create API token but you don't supply the
password.
Based on the documentation , the Admin API needs (username , password ) to authenticate .
But API Tokens are currently only linked to an organization and an organization role , please see these links :
https://grafana.com/docs/grafana/latest/http_api/admin/
https://grafana.com/docs/grafana/latest/http_api/auth/
https://grafana.com/docs/grafana/latest/tutorials/api_org_token_howto/
Does keycloak provide a way to distinguish between logins by the same user on different devices (a user can be logged in on mobile device/s and also on desktop browser/s).
Does keycloak provide a way to identify when a user entered their credentials (whether through keycloak login or using an identity provider flow)?
Our use case is:
a user can request to reset their pin (from our app).
the user is logged out (a /logout using the 'keycloak-connect'
middleware).
following logout, the user is redirected to login and enters
credentials (keycloak or identity provider).
on login, the user is presented with the 'enter a new pin' page (our app).
To achieve this we want to be able to determine server side when to send the 'enter a new pin' page.
Our situation is that we don't easily know (for various reasons, including active keycloak session or other token expire/active states) when an actual 'credentials entered' login occurs.
Could the session_state from the keycloak access token be used to identify which keycloak session a client request corresponds to?
Could something like the following work:
the server receives the keycloak access token (containing the
session_state) from the keycloak login,
the server passes the session_state to the client (browser/mobile
app),
the client passes this session_state back to the server along with
the user requesting the action,
the server requests the session information from keycloak (something along the lines of making the following request to the admin REST API localhost:8080/auth/admin/realms/demo/users/{{user_id}}/sessions - then checking against session_state somehow?)
if the 'start' value of the session returned by the REST API is
recent, then maybe we have 'actual' login information?
We're still using Keycloak 6.0.1
Any help is greatly appreciated.
I wanted to update with how I'm proceeding, which I believe gives me all I want in terms of solving/answering my original question.
The keycloak access token includes: "sub", "auth_time" and "session_state".
{
"sub": "ae384e77-7588-444b-9c4f-3dc920750e1f",
"auth_time": 1590555910,
"session_state": "2d735372-1a5a-43de-8a6c-1a45deebf20b",
}
I can use the sub to query the Keycloak Admin REST API with https://my-domain.com/auth/admin/realms/demo/users/{{sub}}/sessions which gives a list like:
[
{
"id": "2d735372-1a5a-43de-8a6c-1a45deebf20b",
"username": "20000",
"userId": "ae384e77-7588-444b-9c4f-3dc920750e1f",
"ipAddress": "52.62.57.52",
"start": 1590555910000,
"lastAccess": 1590555910000,
"clients": {
"4eb676c2-94c3-4bac-a423-94a7bf57ece0": "demo"
}
}
]
I can then choose from the returned sessions list matching the id to the session_state from the access token (n.b., that start from the sessions list matches auth_time from the access token.
This gives me what I need. I can pass the original session_state to the client and request from keycloak matching that session_state :)
I'll update if I encounter issues.
I am building a SPA with a spring on the backend. I am working on signing in with Google, most of it is working already: got the id_token with the implicit flow in the frontend and I sent it and verified it on the backend.
I want to have users with roles and manage that locally (so, no adding info in the oidc provider). What are the options to go from the id_token to having an authenticated user in spring? I did not find any example doing that link manually (id_token-spring_sec_user).
I have checked several sources like the Spring Security 5 presentation at SpringOne https://www.youtube.com/watch?v=WhrOCurxFWU, several SO questions and posts on okta's and auth0's blogs but I am still missing the link.
You will have to create your own (application) specific roles.
Use these steps :
Get authenticated from Google
Access the profile section from google (username, name etc )
Use your own user table to store this info
Create admin APIs in your own system and assign your app-specific roles to the user.
When you login again you will authenticate against google login/password and roles specific to your application .
Create an account or session with the id_token
Check if the user is already in your user database. If so, establish an authenticated session for the user. If the user isn't yet in your user database, create a new user record with default role from the information in the ID token payload, and establish a session for the user. You can prompt the user for any additional profile information you require when you detect a newly created user in your app.
I have a question regarding Keycloak and obtaining an Access Token.
Our setup is as follows:
· users are created and maintained in Keycloak
· resources, policies and permissions are also maintained in Keycloak
Our use case is:
As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.
To be more specific:
In our application the need to validate each request to other services based on the access token.But we have only the user name with us.
The question is now:
> How can we obtain an access token for the user by only knowing the username ?
>
Is there a solution to obtain an access token for such a user?
You don't specify in your question if the current user is logged in. Are you validating user specific actions, or you want to retrieve user roles for the application instead?
The user is logged in and he is performing some action
I suppose you're using some keycloak adapter. Then just retrieve the session object and you should have the extra info somewhere in there.
If not, you can just parse the request yourself. When using OpenId Connect, the access token is always sent for each of the requests, in the Authorization header. The token is base64 encoded, you can decode the token yourself.
The application is performing some action for some registered user, without him logged in
User access tokens are meant to provide permissions for users. As you say in your question: As a third party application, I want... so here you are not acting as a logged user, but as an application, so you need to go with client credentials instead. Just give the client permissions to list all the users and their roles (probably it's enough with the view-users role, see the link below) and log in with client credentials grant. Then you can handle fine grained permissions in your application business logic.
See also:
Keycloak Client Credentials Flow Clarification
Keycloak spring security client credential grant
How to get Keycloak users via REST without admin account
For those who really needs to impersonate a user from a client, there is a new RFC for this : token-echange.
Keycloak loosely implement it at the time of this answer
See particularly https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation