We use Grafana with the built-in authentication. We have multiple users so they can have their own preferences but it would be convenient if they didn't need to set passwords.
I know Grafana supports anonymous login but I want distinct users... who don't need passwords. Is it possible to do this?
Configure Grafana with Auth Proxy to let a HTTP reverse proxy handle authentication. And it is up to you how do you create "authentication" on the proxy - e.g. initial login screen (without password), which will save username into cookie and then proxy will use that value for the Grafana user definition in the request header (only your imagination is your limit and this only an idea - proxy implementation is not in the scope of this question here).
But for user convenience are Single Sign-On (SSO) protocols used usually. Grafana supports Open ID Connect and paid version also SAML. That's should be used in the serious nd secure implementation. One user login, which can be used then in many apps, which support SSO.
Related
I have an application that includes Keycloak as the identity component. I want to redirect to the Keycloak security admin console for a particular realm from my application, which I am able to do, however I also want to specify a particular IdP to sign in.
For my OIDC apps that are protected by the same Keycloak realm, I am able to do this using the kc_idp_hint query param. However the built-in clients don't seem to respect this, so the following URL does not result in the IdP hint being propagated to the authorization URL:
https://<keycloak>/admin/<realm>/console?kc_idp_hint=<idp>
I built a login system using Flask OIDC and Keycloak. In my system, there is some endpoints decorated with oidc.require_login() that calls the Keycloak login page.
My goal is, after the user successfully logged in, my system checks if the user name exists in a specific database.
How can I set a function to be called every time someone successfully logged in with Keycloak and do this verification at the database?
According to your needs there are several ways to create the user in the backend.
The easiest way would be to just check the JWT token on every request. OIDC is based on JWT and that token is available on any request (which should already be done to find user roles etc). So your application can check that JWT and extract the username from it (see here for details about the JWT format). With the username you can check your internal database and create the user, if it doesnt exist. But at that time you'll not have access to any user credentials any more. It is just SSO and you need to trust Keycloak and the JWT... Also - you'll never be informed, if the user will be deleted in Keycloak, which could be an issue.
There is a callback API in Keycloak in form of the Admin URL per client. But the documentation is not clear. It says: It’s used by the Keycloak server to send backend requests to the application for various tasks, like logout users or push revocation policies. But I cannot find a complete list of "tasks". I saw only logout events. see Keycloak documentation and the documentation only talks about that. If I add an admin url to a test client, I did not get any requests at login time.
a different but more complicated way would be to create your own UserStorage SPI in Keycloak. It would be Java of course, but only some classes. There is an HTTP example or have a look at the LDAP user storage SPI, which supports registration too. If you choose that for your realm and a user tries to login to Keycloak (Login form), the SPI can call your backend to check the user. It also could be "used" to create the user in the backend by checking the Keycloak local storage and only if there is a local Keycloak user, call the backend. That isn't the reason, why you should implement the UserStorage SPI, but it's possible. If you think, this is a good idea, I would prefer to use your backend storage as the one and only storage or build a different one, that then could call your real backend in case of a new user. I would use this one by not using Keycloak local stored users but, by using your own database.
next (maybe last one). You can write an EventListener SPI to read all events and only filter the login events, see here and here. I think, that would be the easiest one. But be aware. In that case, the HTTP call to your backend coming from the event itself is based on a normal HTTP request (without OIDC at that time).
The last two examples create a JAR (which is explained in the links). That JAR with the SPI must be deployed in keycloaks standalone/deployments folder. The EventListener should be active by default, the UserStorage SPI must be activated per realm.
But - be aware - Keycloak/SSO/JWT - should not be used by creating users in multiple backends. Syncing the users between all backends in a SSO environment is maybe the wrong way. Most information is located in the JWT or can be called by a backend from one central user identity management. Do not store a user more then once. If you need the user reference in your backend - link just to the username or userid (string) instead of a complete entity.
There is no direct way of doing this, other sotfware like Openam, Okta allow you to trigger specific flows in a post-login configuration.
In keycloak, you can try to create your custom authn flow(using Default Identity Provider, its the only option that allow a redirect), and then select this flow in your Identity provider in post login flow.
The idea here is that after login, the user will be redirected to a link ( an api call that will verify his presence on the external database, and sent him back to keycloak once the verification is done.
More info here
We are running some tests on Keycloak to implement it on our company and I am are wondering what is the best approach to make Keycloak interact with our legacy system.
In our scenario, we have a native login interface and we are going to use direct grant - we are not going to authorization code flow / redirect flow using a browser and we don't have any kind of social login.
The other point is: we must to keep our native interface.
Based on that, what is the best/right approach to implement this flow? I have set my client on Keycloak with direct grant but the problem is that every user must exists in Keycloak. Isn't possible to use Keycloak as a "token emissor" instead of IDP?
In case of Keycloak must be an IDP, what is the right approach to allow Keycloak log in legacy system? Should I implement a custom Identity Provider? Will mobile make a login request to Keycloak or to legacy system?
Keycloak must somehow be able to either authenticate the user or delegate the authentication of the user to a federated identity provider. A few options:
If you want to use Keycloak as an identity provider, you could do
this by migrating your user base to Keycloak, or by making use of
User Storage Federation, which means Keycloak will use your existing
user database as a source. In this case, the login interface will be
a Keycloak interface (which you can customize to your wishes). See:
https://www.keycloak.org/docs/latest/server_admin/#_user-storage-federation
Another option is to convert your legacy system into an identity
provider that complies with either the OIDC or SAML protocol, and
set it up as an identity provider for Keycloak. In this case you can
keep your existing login interface, but it will probably require
quite some changes to your legacy system. See:
https://www.keycloak.org/docs/latest/server_admin/#_identity_broker
Currently, I have a social media project that already has the existing users, I want to enable the chat function. I had config Ejabberd with JWT and Mysql. I tested and I realized that I don't have to register the users in order to chat, I just need to make sure my token has "JID". Is it a good approach? Or do you have any other suggestions?
You don't need to register the users to ejabberd server explicitly while using external authentication mechanism.
However, chances are that you might not be able to see the list of registered users on the admin panel when not using the default authentication mechanism.
As per documentation, there are several Authentication Providers which are available via SDK to authenticate a user.
Regardless of that, I have a few queries to implement Token Based Authentication via configuring External Services.
Is there a way to create a Service to Authenticate instead of using SDK with clients. Basically, I want to create/configure a Service in Stitch which in-turn authenticate a user against the provided credential and needs to issue a JWT (similar to Custom Authentication Provider in SDK)?
All other subsequent Service requests are requested with this token which needs to be validated by the service before responding.
The reason is, I want to have all implementations in Single Place (Stitch Services) instead of using several SDK for different clients e.g. Web, Mobile etc.
Is there a way to create a Service to Authenticate instead of using SDK with clients
Currently, no. This is because an application needs to be authenticated first before being able to utilise Stitch Services.
Depending on the application requirements, the application could try to use Anonymous Authentication to access an External Service for your custom authentication. Although this means:
You need to handle the service actions returns as authentication
Other aspects of applications (functions, services, etc) are also available with anonymous authentication. Adjust rules appropriately.
Depending on the application use case, it's likely safer to write Custom Authentication for multiple clients.