I want to use keycloak as openId Connect implementation via docker with a postgres db.
I could not find a resource where it is documented whether keycloak stores user data encrypted. Only passwords seem to be hashed.
Postgres provides pgcrypto as a way to execute encryption and decryption at runtime.
Is there a way to enable crypto for user data with keycloak?
Keycloak provides an option called User Storage SPI https://www.keycloak.org/docs/latest/server_development/#_user-storage-spi
With this, you can build a bridge between keycloak and your DB.
You will have the freedom to store your data in DB as per your convenience and when keycloak invokes the User storage SPI method you will have to return as per keycloak's specifications.
Related
I have setup Keycloak as a SAML broker, and authentication is done by an external IdP provided by the authorities. Users logging in using this IdP are all accepted and all we need from Keycloak is an OAuth token to access our system.
I have tried both the default setup using H2 and running with an external MariaDB.
The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.
The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.
Do I need a database, and if not how do I run Keycloak without it?
Do I need a database, and if not how do I run Keycloak without it?
Yes, however, out-of-the-box Keycloak runs without having to deploy any external DB. From the Keycloak official documentation section Relational Database Setup one can read:
Keycloak comes with its own embedded Java-based relational database
called H2. This is the default database that Keycloak will use to
persist data and really only exists so that you can run the
authentication server out of the box.
So out-of-the-box you cannot run Keycloak without a DB.
That being said from the same documentation on can read:
We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.
So regarding this:
The benefit running without a database is that I have a simpler DMZ
setup as I really do not need to store anything about the users but
on the backend.
You would still be better offer deploying another DB, because Keycloak stores more than just the users information in DB (e.g., realm information, groups, roles and so on).
The external IdP provides us with a full name of the user and a
personal ID. Both data are covered by GDPR and I really do not like
the sound of storing that data in a database running in the DMZ.
Opening up for Keycloak to access a database in the backend is also
not a good solution, especially when I do not need users to be stored.
You can configured that IDP and Keycloak in a manner that the users are not imported to the Keycloak whenever those user authenticate.
I am using EC2 Instance profile credentials for allowing the AWS EC2 instance to access other AWS services.
Recently, I implemented MongoDB Client-Side Field-Level Encryption for which the AWS KMS has been used as KMS Providers. The MongoDB Documentation for CSFLE mentions that the KMS Provider should have secret key and access key that maps to an IAM User.
This way I will have to create another IAM User and then maintain those credentials separately. A simpler way (and more secure) would have been to use the DefaultCredentialsProvider from software.amazon.awssdk:auth and that could have used the credentials from the instance profile that could have given access to the KMS. But this does not work for me and MongoClient fails as KMS rejects the security token used.
Is there any reason behind not allowing this way of accessing KMS?
As all projects, initial implementation of CSFLE had a scope. This scope did not include the ability to use instance roles for credential identification.
I suggest you submit your request to https://feedback.mongodb.com/ for consideration.
We have an application that is deployed into CloudFoundry/Bluemix. The application reads its database connections from the VCAP_SERVICES environment variable. The db password stored in the environment variable is encrypted and we decrypt it when the application boots up.
We are looking at Spring Cloud Service Connectors. Do the cloud connectors provide any hook, so that we can decrypt the password from VCAP_SERVICES before the DataSource instance is created?
Why do you want to do this? Where does the app get its decryption key from? If it's hard-coded in the app, that's an antipattern that will make it hard to rotate the key. If it's through an environment variable, then it's no more secure than storing the database credentials unencrypted as services in Cloud Foundry - services in CF are nothing more than domain-specific groups of environment variables. I can't see that encrypting them adds any security.
To answer the question: Not out-of-the-box, but you could probably intercept the flow of Spring components that act on the environment variables that Cloud Foundry provides to your app.
The abstract class that creates ServiceInfo instances is CloudFoundryServiceInfoCreator. You could look at maybe providing a custom implementation of this? There is a blog post describing how Spring Cloud Connectors works. You might be able to extend CloudFoundryConnector too.
We are considering to use the keycloak as our SSO framework.
According to the keycloak documentation for multi-tenancy support the application server should hold all the keycloak.json authentication files, the way to acquire those files is from the keycloak admin, is there a way to get them dynamically via API ? or at least to get the realm public key ? we would like to avoid to manually add this file for each realm to the application server (to avoid downtime, etc).
Another multi-tenancy related question - according to the documentation the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times ? is there an alternative ?
One of our flows is backend micro-service that should be authenticated against an application (defined as keycloak client), we would like to avoid keeping user/psw on the server for security reasons, is there a way that an admin can acquire a token and place it manually on the server file system for that micro service ? is there a option to generate this token in the keycloak UI ?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro service should appear like one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.
I have a requirement that, I need to authenticate the User Credentials via WSO2 Identity Server. The user credentials are stored in the separate Database. Can anyone explain how to achieve this?
All of the WSO2 products are based on WSO2 Carbon framework (an award-winning, light-weight, service-oriented platform for all WSO2 products), and can be configured to use a existing centralized user management systems as the user store.
In WSO2 Carbon-based products, there are four user store manager classes that implement the AbstractUserStoreManager class. You can select one of those classes according to the user store that you have in your environment.
org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager
org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager
org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager
org.wso2.carbon.user.core.ldap.ActiveDirectoryLDAPUserStoreManager
You can write a custom JDBC user store manager, if your data in RDBM system. Have a look on Writing a Custom User Store Manager, specially check on Implementing a custom JDBC user store manager
When a JDBC user store is used as a primary or secondary user store, the user details will be stored in “UM_USER” table upon user creation. Following are the columns of the table.
UM_ID
UM_USER_NAME
UM_USER_PASSWORD
UM_SALT_VALUE
UM_REQUIRE_CHANGE
UM_CHANGED_TIME
UM_TENANT_ID
All WSO2 products are defult shipped with H2 database internally. H2 database stores registry and user management data.
This H2 data can easily achived by enabling the H2DatabaseConfiguration in carbon.xml that located /repository/conf.
Follow the following configuration steps to achive H2 database in browser.
Open the carbon.xml file and paste the H2DatabaseConfiguration as follows.
Note: Don't uncomment the H2DatabaseConfiguration which already there.
<H2DatabaseConfiguration>
<property name="web"/>
<property name="webPort">8082</property>
<property name="webAllowOthers"/>
</H2DatabaseConfiguration>
Start the server.
Direct your browser to http://localhost:8082
Fill the JDBC url, username and password as follows.
JDBC url: jdbc:h2:/repository/database/WSO2CARBON_DB
username: wso2carbon
password: wso2carbon
If anyone want replace H2 database with different kind of databases like MySQL you can do it as follows. Refer[1].
[1] https://docs.wso2.com/display/IS500/Setting+up+MySQL