I would like to call Keycloak Rest APIs using basic auth. To do so I've tried following what is answered here but there are missing links.
I've set the clients access type to confidential and set Direct Access Grants Enabled.
Apparently enable-basic-auth needs to be specified in the Java Adapter Configuration but I can't see how this is done. The documentation mentions it's a JSON file which makes it sound like I add it in my Keycloak directory as a configuration.
Lastly I've seen mentions of using a generated secret. I can generate a secret in the Credentials tab however I can't find references in the documentation about how I use this.
What do I need to do to enable basic authentication correctly?
You have to add two parameters enable-basic-auth and credentials in the keycloak.json file which you have to place in the WEB-INF folder.
{
"realm": "<REALM_NAME>",
"auth-server-url": "<KEYCLOAK_HOST>/auth",
"ssl-required": "external",
"resource": "<CLIENT_ID>",
"public-client": false,
"credentials": "<CLIENT_CREDENTIAL_FROM_CREDENTIALS_TAB>",
"enable-basic-auth": true
}
Related
Is there a built in way in .net core 3.1 to Verify that the JWT token present in the request has a Required Scope.
A sample of jwt data I already have from our Identity Server:
{
"user_id": "12345",
"scope": "test1"
}
I have already seen the article:
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore
But this is specific for azure-ad and it requires that the Scope claim is named "scp" instead of "scope".
Yes, you configure the authorization handler by defining various policies to control the access to your API based on the data provided in the access token.
See https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0 for more details.
I am trying to update my password via keycloak account management using postman and I get this error:
"error": "RESTEASY003650: No resource method found for POST, return 405 with Allow header"
My endpoint: http://keycloak_url/auth/realms/{realm name}/account//credentials/password/
I have done a post request
Password reset functionality via API is removed from keycloak(12+) as it was unsafe. You can refer this thread from github. You won't find /credentials/password/ api if you are using keycloak 12 or above.
Alternative that I can suggest is that use Application Initiated Action (AIA) or use Admin Rest API
You can see further these got removed from keycloak here.
References : https://github.com/keycloak/keycloak/pull/7393#issuecomment-773502862
I am under keycloak 17+, I also had troubles to make it work,
The correct url to use should be like:
https://myHost.com/auth/admin/realms/myRealm/users/99999999-9999-9999-9999-999999999999/reset-password
You absolutely need the /auth/admin/realms keywords (some other endpoints only use /auth/realms) !
You will also need an access token from either a keycloak user or a keycloak client in the Authorization header. Check somewhere else to see how to generate and use an access token.
The body should be like:
{
"type": "password",
"temporary": true,
"value": "myNew-password1"
}
Check documentation:
https://www.keycloak.org/docs-api/17.0/rest-api/index.html#:~:text=Set%20up%20a%20new%20password%20for%20the%20user.
I'm creating Java appliation, where I will need users to log in. Currently I'm verifying if I can configure Keycloak safe enough. I'd like to make sure my application is really authenticating users against my Keycloak server - eg I know there is something like DNS Poisining or other attacks, where my application could get to attackers server with duplicated/attackers Keycloak instance. What surprised me, I have currently configuration with follwing keys:
keycloak.auth-server-url=...
keycloak.realm=...
keycloak.resource=...
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=..
keycloak.security-constraints[0].securityCollections[0].patterns[0]=...
keycloak.principal-attribute=preferred_username
and no public key is needed. Even worse here: https://stackoverflow.com/a/40516696/520521 I see upvoted comment telling, my application may download key from (malicious) server.
Are there any extra steps I need to follow, to authenticate Keycloak server before starting to authenticate users against it?
Based on your configuration, it seems that you've defined your client in Keycloak as public. This allows your client to be able to call Keycloak without any authentication. This type of client is used for example when you're going to authenticate via js in webpage in which nothing can be hidden from attacker as they have access to the source of the page.
If you set the "Access Type" of your client to "confidential" (in Client Settings on Keycloak Admin UI) and save the settings, there will appear another tab (next to "Setting" tab of the client) titled "Credentials". There you can see the default secret that is created for your client. You should then put this secret as below in your keycloak.json file inside your application:
"credentials": {
"secret": "paste-the-secret-value-here"
}
You can also re-generate the value by selecting the "Regenerate Secret" button.
You can also change the "Client Authenticator" there and set it to "X509 Certificate". Then you would be asked to define a regular expression to validate the "Subject DN" of the certificate that client will be using for authentication. Any certificate matching that regex would be considered as valid and authenticated. Then you have to setup your client to use such certificate instead of defining the "secret" value in the keycloak.json file.
There is of course another option which uses "Signed JWT" which is also secure and you can find the details about how to set it up in Keycloak documentation at Client Authentication section.
I can't see a word that this is the aim, but seeing where public and private key is placed I understand that answer is, that in realm settings -> keys -> active there is list of keys. You may download public key or certificate with button on right side. In my case of Spring boot, enter application.properties file a public key under keycloak.realm-key.
I'm using a the same destination on a number of apps, which are connecting fine.
Created a new app (using the same SAP WEB IDE template).
The Service is retrieved fine when selecting New/OData service from the project menu, proving my Destination credentials are fine.
Now, when I run the app. I'm getting a basic authentication window. Cancelling this means I can't connect to the metadata of the service and therefore can't retrieve any data.
https://webidetesting0837185-s0015641139trial.dispatcher.hanatrial.ondemand.com/SAPUI5-ABAP-SFI/sap/opu/odata/sap/ZSV_SURVEY_SRV/$metadata?sap-language=EN 401 (Unauthorized)
My username and password is not being accepted even though it's correct.
Any ideas?
If you User/Password is not accepted I think you missing some configuration in the backend, check the logs like ST22 or SLG1 for authorization issues. Also check if your destinations in Cloud Connector work properly.
To solve this in generell not using basic authentication, you need to work with SAP CP's destination service. Retrieving from onPremise or via AppToAppSSO as Type/Mode of the destination OR work with API Service on SAP CP. For first way change (destination service) reference in your SAPUI5 instead of relative paths in neo-app.json like this:
{
"routes": [
{
"path": "/destinations/SFSF_ODATA_PROXY",
"target": {
"type": "destination",
"name": "sap_hcmcloud_core_odata"
},
"description": "SFSF Proxy OData"
}
],
"cacheControl": [
{
"directive": "public",
"maxAge": 0
}
]
}
Make sure you enter the credentials for your backend (and not for your CP account for example). You can also try and maintain the credentials in the destination itself by setting AuthenticationType as BasicAuthentication.
I have already solved this issue with change Authentication as Basic Authentication
I would like to know if it is possible to use passport-http to secure the REST API of Hyperledger Composer generated with the composer-rest-server and what would be the export COMPOSER_PROVIDERS='{}' configuration.
The idea is to use the identities previously generated and assigned to participants with the composer to authenticate the GET and POST requests on the API.
If it were possible, how would the userID and userSecret be passed, as a special http header, in the body or as a simple basic auth header?
I've not tried, but it should be able to. The Composer REST server uses the open source Passport authentication middleware, its a matter of configuration. Multiple Passport strategies can be selected, allowing clients of the REST server to select a preferred authentication mechanism.
The strategy for passport-http is here -> https://github.com/jaredhanson/passport-http
You can try something like:
export COMPOSER_PROVIDERS='{
"basic": {
"provider": "basic",
"module": "passport-http",
"clientID": "REPLACE_WITH_CLIENT_ID",
"clientSecret": "REPLACE_WITH_CLIENT_SECRET",
"authPath": "/auth/local",
"callbackURL": "/auth/local/callback",
"successRedirect": "/",
"failureRedirect": "/login"
}
}'
I assume you know how to configure your passport-http strategy.
and check out RESTful Node.js Application with passport-http - and see an example (right near the end) of an app consuming REST Endpoints right near the end.