Can I pass Username instead of Firstname + Lastname to ShinyProxy - Keycloak

I am using Shinyproxy with Keycloak and read the username with
userName <- Sys.getenv("SHINYPROXY_USERNAME")
Unfortunately I receive a concatenation of FirstName and LastName, which is not unique.
I would like to have the username in SHINYPROXY_USERNAME. Is this a Keycloak configuration issue?

From the documentation:
proxy.keycloak.name-attribute: name of the attribute to use as the user's name;
one of name (default, current behaviour), preferred_username, nickname or email
In the default Keycloak token mapping, preferred_username is the username of the Keycloak user.
So set in your application.yml:
proxy:
  keycloak:
    ...
    name-attribute: preferred_username
If this does not work, you can always remove the existing token mappers for name (a few token mappers are pre-defined in client_scopes) and create a token mapper with the following config:
type: User Property
property: username
Token Claim Name: name
ID/Access/User-Info: on
Now Keycloak tokens will contain an attribute name with the value of the user's username.
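As an added illustration (not part of the answer above and not ShinyProxy's own code), a Python inspector that decodes a Keycloak token's claims and picks the one proxy.keycloak.name-attribute would use, showing that two accounts sharing a display name collide under the default name but not under preferred_username. The sample tokens are constructed and unsigned; the function names and claim values are assumptions for the demo.

```python
import base64
import json

# The four values proxy.keycloak.name-attribute accepts, per the documentation quoted above.
NAME_ATTRIBUTES = ("name", "preferred_username", "nickname", "email")


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (inspection only;
    anything that grants access on the strength of the token must verify it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_username(claims: dict, name_attribute: str = "name") -> str:
    """Return the claim ShinyProxy would expose as SHINYPROXY_USERNAME."""
    if name_attribute not in NAME_ATTRIBUTES:
        raise ValueError(f"unsupported name-attribute {name_attribute!r}")
    value = claims.get(name_attribute)
    if not value:
        raise KeyError(f"token carries no {name_attribute!r} claim; check the client scope mappers")
    return value


def fixture_token(claims: dict) -> str:
    """Constructed, unsigned token used only to feed the inspector in this demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample: two different Keycloak accounts whose first and last names coincide.
TOKEN_A = fixture_token({"sub": "1", "name": "Jane Doe", "preferred_username": "jdoe",
                         "email": "jdoe@example.org"})
TOKEN_B = fixture_token({"sub": "2", "name": "Jane Doe", "preferred_username": "jane.doe2"})


def collision_demo():
    """(usernames under the default 'name', usernames under 'preferred_username')."""
    a, b = decode_jwt_payload(TOKEN_A), decode_jwt_payload(TOKEN_B)
    return ((resolve_username(a), resolve_username(b)),
            (resolve_username(a, "preferred_username"), resolve_username(b, "preferred_username")))
```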

Related

How to connect to SharePoint in Postman using user id and password instead of client id and client secret?

I want to connect to SharePoint by using username@company.com and password instead of client id and client secret. Do I need to get any authorization for my ID? If yes, how to get? I know the process for fetching authorization for client ID and client secret.
In this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/user.aspx
I add my user id and password with permission levels as "Full control".
But in this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/appprincipals.aspx
I am able to see only client id and client secret. Not my user id.
When I send POST request using Postman it is giving me "error": "unsupported_grant_type".
Postman Inputs:
POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
Headers
Content-Type : application/x-www-form-urlencoded
Body (x-www-form-urlencoded)
grant_type: password
username: username@company.com
password: password
resource: 00000003-0000-0ff1-ce00-000000000000/{tenant}.sharepoint.com@{tenant_id}
The SharePoint REST API does not support the "Password Grant Flow". You can either use the "Client Credentials Flow" or the "Implicit Flow".
If you want to allow users to use their username & password, use the implicit flow.
NOTE: Users will always be required to sign in to get an access token. You cannot simply pass the username and password in a POST request.
Here is the complete guide for configuring an Azure AD app for the implicit flow: https://frankchen2016.medium.com/how-to-access-the-spo-rest-api-using-implicit-authentication-flow-40d65750554f

kubeconfig - oidc based authentication

Below is my kubeconfig file for accessing kubernetes clusters:
kind: ClientConfig
apiVersion: authentication.gke.io/v2alpha1
spec:
  name: dev-corp
  server: https://10.x.x.x:443
  certificateAuthorityData: ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
  authentication:
  - name: oidc
    oidc:
      clientID: aaaaad3-9aa1-33c8-dd0-ddddd6b5bf5
      clientSecret: ccccccccccccccccc-
      issuerURI: https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0
      kubectlRedirectURI: http://localhost:12345/callback
      cloudConsoleRedirectURI: http://console.cloud.google.com/kubernetes/oidc
      scopes: offline_access,profile
      userClaim: upn
      userPrefix: '-'
      groupsClaim: groups
  preferredAuthentication: oidc
There are different OAuth grant types.
My understanding is that the above OAuth grant type is the client credentials grant type, which requires client_id, client_secret, token URL (issuerURI) and scope.
What is the significance of the fields kubectlRedirectURI, cloudConsoleRedirectURI, userClaim and userPrefix?
How is OIDC different from OAuth2?
oauth2.Config does not store the userClaim, userPrefix and groupsClaim information, as shown here: https://github.com/golang/oauth2/blob/master/oauth2.go#L41
How to store kind: ClientConfig with OIDC-based authentication into a cache? For example, api.Config can be stored with an API from client-go to write api.Config, as shown here.
KUBECTL_REDIRECT_URL: the redirect URL that kubectl oidc login uses for authorization. This is typically of the format http://localhost:PORT/callback, where PORT is any port above 1024 that will be available on developer workstations, for example http://localhost:10000/callback. You must register the URL with your OIDC provider as an authorized redirect URL for the client application.
USER_PREFIX: prefix prepended to user claims to prevent conflicts with existing names. By default, an issuer prefix is appended to the userID given to the Kubernetes API server (unless the user claim is email). The resulting user identifier is ISSUER_URI#USER. We recommend using a prefix, but you can disable the prefix by setting USER_PREFIX to -.
userClaim: the user identifier in the token under the claim name configured in spec.authentication.oidc.userClaim in the client configuration file.
cloudConsoleRedirectURI: the name tells the story; it is the cloud console redirect URL for OIDC, for example in the case of Google https://console.cloud.google.com/kubernetes/oidc
OIDC vs OAuth2
What's the difference between OpenID and OAuth?
The file in the question is from OIDC and you are comparing its values with OAuth; both are handled in different ways, so it is better to update the question with an OAuth config file.
api-server-authentication
You can check kubeconfig builder
kubernetes-engine-oidc
How to store kind: ClientConfig with OIDC-based authentication into a cache?
You can write it to a file and then read it back, or store it somewhere in cloud storage as well.
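Added example, not from the answer or the GKE tooling: Python that applies the userClaim/userPrefix rule quoted above to the claims of an ID token and returns the username and groups the API server would see, using a constructed copy of the question's ClientConfig with placeholder identifiers. Function names and sample claim values are assumptions.

```python
# Constructed mirror of the spec block in the question's ClientConfig, with the
# identifiers replaced by placeholders; only the fields the mapping needs are kept.
CLIENT_CONFIG = {
    "preferredAuthentication": "oidc",
    "authentication": [{
        "name": "oidc",
        "oidc": {
            "clientID": "<CLIENT_ID>",
            "issuerURI": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
            "userClaim": "upn",
            "userPrefix": "-",
            "groupsClaim": "groups",
        },
    }],
}


def prefixed_user(claims: dict, user_claim: str, user_prefix, issuer_uri: str) -> str:
    """USER_PREFIX rule quoted above: '-' disables the prefix, an explicit prefix is
    prepended verbatim, and with no prefix at all the API server sees ISSUER_URI#USER
    unless the claim is 'email'."""
    user = str(claims[user_claim])
    if user_prefix == "-":
        return user
    if user_prefix:
        return user_prefix + user
    return user if user_claim == "email" else f"{issuer_uri}#{user}"


def kubernetes_identity(client_config: dict, claims: dict):
    """Return (username, groups) the API server would derive from the claims of an
    ID token whose signature the OIDC plugin has already verified."""
    chosen = client_config["preferredAuthentication"]
    spec = next(a for a in client_config["authentication"] if a["name"] == chosen)["oidc"]
    # Two claims bind a token to this particular client config; check them explicitly.
    if claims.get("iss") != spec["issuerURI"]:
        raise ValueError("token 'iss' does not match issuerURI")
    aud = claims.get("aud")
    if spec["clientID"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token 'aud' does not include clientID")
    if spec["userClaim"] not in claims:
        raise KeyError(f"ID token lacks the configured userClaim {spec['userClaim']!r}")
    username = prefixed_user(claims, spec["userClaim"], spec.get("userPrefix"), spec["issuerURI"])
    groups = list(claims.get(spec.get("groupsClaim", ""), []))
    return username, groups
```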

Keycloak get user password

In my project, I need to get the current user's password from the REST API.
I searched the Keycloak 4.8.3 Final documentation but could not find it. With an admin user I can change a password without knowing the current password. But my logged-in user may or may not be an admin. I found that Keycloak does not give me permission to do that because of security. To wrap up: is there any way to activate that setting, or is there a way to get the password with the REST API?
Thank you.
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
Via the Rest API, one cannot get the password for obvious reasons. Ideally, in a secure setting, even if one is the admin one should not have access to the users' passwords.
From the comments you wrote:
I could use method like boolean isPasswordCorrect(username,password)
An approach is to create a client on your Realm as follows:
Go to your Realm;
Clients;
Create Client;
Set Access Type to public;
Set Direct Access Grants Enabled to ON;
Save;
Now request from the newly created client a token on behalf of the user whose password you want to check:
As you can see, the endpoint is:
<KEYCLOAK_HOST>/auth/realms/<REALM_NAME>/protocol/openid-connect/token
and the body is:
client_id : <The client ID of the newly created client>
username : <The username>
password : <The password to be tested>
grant_type : password
If the password is correct you will get back a token object, otherwise you will get the following response:
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
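Added example (not the answerer's code): a Python helper that sends the Resource Owner Password request described above and turns the reply into a yes/no answer, with the pre-17 /auth prefix from the Update available as an option. Host, realm and client names are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(keycloak_host: str, realm: str, legacy_auth_path: bool = False) -> str:
    """Build the token URL; distributions before Keycloak 17 mount everything under
    /auth (see the Update at the top of the answer)."""
    base = keycloak_host.rstrip("/") + ("/auth" if legacy_auth_path else "")
    return f"{base}/realms/{urllib.parse.quote(realm, safe='')}/protocol/openid-connect/token"


def classify_token_response(status: int, body: str) -> bool:
    """True when a token came back, False on invalid_grant, an exception otherwise
    (an unknown client, a disabled direct grant or a server error must never be
    reported as 'wrong password')."""
    data = json.loads(body) if body else {}
    if status == 200 and "access_token" in data:
        return True
    if status in (400, 401) and data.get("error") == "invalid_grant":
        return False
    raise RuntimeError(f"unexpected token endpoint reply {status}: {data.get('error', body[:200])}")


def is_password_correct(keycloak_host, realm, client_id, username, password,
                        legacy_auth_path=False, timeout=10) -> bool:
    """Resource Owner Password grant against a public client with Direct Access
    Grants enabled, the request shown above. The returned token is discarded."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "grant_type": "password",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint(keycloak_host, realm, legacy_auth_path), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:       # 4xx replies arrive here, with a JSON body
        return classify_token_response(err.code, err.read().decode())
```

Because the checking application receives the raw password, give the check its own client with only Direct Access Grants enabled and keep the realm's brute force detection on.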

Keycloak - Can you add custom claims to client credentials?

I'm using keycloak to get access tokens but I need those jwt tokens to have a 'policy' attribute/claim that MinIO requires.
Now, I can get those by calling the token endpoint with grant_type = password, plus username and pass.
I know that that policy attribute is mapped from the user, but, is there any possibility that I could get client creds (grant_type = client_credentials) including that attribute? or any other type of grant?
You can add a Mapper to the client:
Mapper Type: "hardcoded claim"
Token Claim Name: <token body key>, in your case 'policy'
Claim value: <the value>

How to authenticate LDAP account?

A couple of the Perl applications at my workplace require LDAP authentication. When those applications required the user to log in, the application would anonymously connect to the LDAP server and then search for the user in the LDAP database. But now we are no longer allowed to connect to the LDAP server anonymously; we are given a username and password to connect to it.
Some code would be helpful, but, basically, if you have a username and password, you just need to bind to the LDAP directory.
The Net::LDAP documentation has the following example:
use Net::LDAP;
my $ldap = Net::LDAP->new( 'ldap.umich.edu' ) or die "Cannot connect: $@";
my $mesg = $ldap->bind( 'cn=root,o=University of Michigan,c=us', password => 'secret' );
$mesg->code and die "Bind failed: " . $mesg->error;   # a non-zero result code means the bind was rejected
# your normal code goes here
Alternatively, of course, you could by-pass the username and password you were provided with and simply bind to the directory using the username and password supplied by the user.
Note that if you're binding against Active Directory, it's possible to bind using either 1) the user principal name of the account (e.g., user@umich.edu) or 2) the Kerberos ID (something like UMICH\user) in addition to using the DN of the provided user.
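Added example, not the asker's code or the Net::LDAP example: the search-then-bind flow the answer describes, written in Python against a constructed in-memory directory, including the RFC 4515 filter escaping and the empty-password check a login path needs. Any object with bind() and search() methods can stand in for FakeDirectory, for instance a thin wrapper around a real LDAP client; all names and entries are assumptions.

```python
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter, so that a
    username such as 'jdoe)(uid=*' cannot rewrite the filter (LDAP injection)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server, offering the two operations
    the flow needs: bind(dn, password) -> bool and search(base_dn, filter) -> [dn]."""
    def __init__(self, entries: dict):          # {dn: {"uid": ..., "password": ...}}
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        return dn in self.entries and self.entries[dn]["password"] == password

    def search(self, base_dn: str, ldap_filter: str) -> list:
        m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("the fake only understands (uid=...) filters")
        uid = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [dn for dn, e in self.entries.items() if dn.endswith(base_dn) and e["uid"] == uid]


def authenticate(directory, base_dn, service_dn, service_password, username, password):
    """Search-then-bind: the provided service account only locates the user's DN;
    the user's password is checked by binding as that DN. Returns the DN or None."""
    if not password:
        return None   # an empty password is an unauthenticated bind, which some servers accept as success
    if not directory.bind(service_dn, service_password):
        raise RuntimeError("service account bind failed; check the credentials you were given")
    matches = directory.search(base_dn, f"(uid={escape_filter_value(username)})")
    if len(matches) != 1:
        return None
    return matches[0] if directory.bind(matches[0], password) else None


# Constructed directory with one service account and one user.
BASE_DN = "ou=people,dc=example,dc=org"
SERVICE_DN = "cn=app-reader,ou=services,dc=example,dc=org"
DIRECTORY = FakeDirectory({
    SERVICE_DN: {"uid": "app-reader", "password": "s3cret"},
    f"uid=jdoe,{BASE_DN}": {"uid": "jdoe", "password": "hunter2"},
})
```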