I am trying to configure my Keycloak hostname. I have a frontend URL for the public requests and an admin URL not publicly exposed :
Frontend URL : http://localhost:8080/auth
Admin URL : http://localhost:8081/auth
I have the following hostname configuration in my standalone-ha.xml file :
<spi name="hostname">
<default-provider>${keycloak.hostname.provider:default}</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${env.FRONTEND_URL}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="adminUrl" value="${env.ADMIN_URL}"/>
</properties>
</provider>
...
Now I can't access the Keycloak admin console (localhost:8081/auth/admin). It only loads a white page with the following error in the console :
GET http://localhost:8080/auth/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=6rmi9 404 (Not Found) check3pCookiesSupported #keycloak.js?version=6rmi9:1314 Promise.then (async) (anonymous) #keycloak.js?version=6rmi9:350
I cannot update the "keycloak.js" file as seen in some answers because it is not an adapter but the builtin file from Keycloak. I also have updated the Content Security Policy of the master realm with the following :
frame-src 'self' http://localhost:8000 http://localhost:8080 http://localhost:8081; frame-ancestors 'self' http://localhost:8000
Have I overlooked anything ?
Related
I'm trying to setup a (dockerized) keycloak instance but, after successful login, its' Security-admin-console keeps redirecting me to an internal URL instead of the URL I have setup in dns. Looking into the settings, its Root URL is set to ${authAdminUrl}. I could override this value with an actual URL but I'd much rather change the value of the variable. So where does ${authAdminUrl} come from, and more importantly, how do I manipulate it?
Actually the whole admin base URL (including scheme and port) can be configured in the standalone.xml file,
section <spi name="hostname">.
There you can add a property "adminUrl".
It's briefly mentioned in the Installation Guide, Hostname/Default provider.
Example:
<spi name="hostname">
<default-provider>default</default-provider>
<provider name="default" enabled="true">
<properties>
<property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
<property name="forceBackendUrlToFrontendUrl" value="false"/>
<property name="adminUrl" value="https://myhost:10443/auth"/>
</properties>
</provider>
</spi>
TLDR: environment variable KEYCLOAK_HOSTNAME
A little more nuanced:
The value for the placeholder ${authAdminUrl} is a complete URL, whereas the environment variable KEYCLOAK_HOSTNAME is only the hostname; so without protocol, port number, or path. In my case, this doesn't matter because I'm not doing anything special with these so the default url formed with the custom hostname is good for me.
I am new to keycloak, I am using keycloak for both frontend and backend application but I am getting the different issuer in the token generated by keycloak when decoded in jwt.io.
Front end:
the issuer is the same as the base URL of the frontend application
For example:
If the front-end URL is https://example.org/portal then the issuer is the same as https://example.org/auth
Request via postman:
the issuer is the internal DNS name
I have tried below ways,
Proxy redirection(With preserve host) - Which generates the issuer with frontend base url.
Proxy redirection without preserving host - Which expects the private DNS to be resolved at front end application
Played around the keycloak configuration - updated frontendUrl to https://example.org/auth and forceBackendUrlToFrontendUrl to true which resulted in the same issuer both the backend and frontend but no hostname like https:/auth/relam/external(Refer #2 in reference).
Expected outcome:
I need the private DNS to be issuer it both the request from frontend and backend(for now it works direct backend request)
Thanks in advance.
Reference
https://github.com/keycloak/keycloak-community/blob/master/design/hostname-default-provider.md
Code block
<spi name="hostname">
<default-provider>fixed</default-provider>
<provider name="fixed" enabled="true">
<properties>
<property name="frontendUrl" value="https://example.org/auth"/>
<property name="forceBackendUrlToFrontendUrl" value="true"/>
</properties>
</provider>
</spi>
currently We have CAS SSO to our existing .net application, but now client is asking for Shibboleth SSO instead CAS. I'm totally new to Shibboleth.
Client has given the below details:
entityid= urn:mace:incommon:xxx.edu
metadata URL for test environment is:
https://shibboleth-test.xxx.edu/idp/shibboleth
By using guidelines from Shibboleth site, below are the steps i followed.
Installed Shibbolth Service provider (shibboleth-sp-2.6.1.4-win64.msi)
Installed Java with JCE
Installed Shibboleth Idp (in which jetty also checked)(shibboleth-identity-provider-3.3.3-x64.msi)
Web Application with self signed certificate
attached my Shibboleth2.xml file
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <InProcess logger="native.logger"> <ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="2" name="shibboleth-test.xxx.edu" scheme="https" port="443" />
</ISAPI> </InProcess> <RequestMapper type="Native"> <RequestMap> <Host name="shibboleth-test.xxx.edu" scheme="https" port="443">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap></RequestMapper><ApplicationDefaults entityID="urn:mace:incommon:xxx.edu" REMOTE_USER="eppn persistent-id targeted-id" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2"> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> <SSO entityID=""urn:mace:incommon:xxx.edu" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF"> SAML2 SAML1 </SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 <my system IP">/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root#localhost"
helpLocation="/about.html" styleSheet="/shibboleth-sp/main.css"/> <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
Problems I'm facing......
When i try to access https://shibboleth-test.xxx.edu/Shibboleth.sso/Status
getting error no metadataprovider available.
Noticed Problems:
1.when i try to add Metadataprovider Shibboleth daemon 2 service is getting
stopped and unable to start.if i remove it's is running.
2.Shibboleth Idp 3 deamon is getting stopped very frequently
When i run 'SC interrogate shibd_idp' in command prompt, results are
control service failed 1062
the service has not been started.
I donno what is wrong with my work.
Can any one please tell me what are the steps to be followed to accomplish this integration.
Thanks in advance,
Hema
There will be a tag in shibboleth2.xml called metadata provider, you will need to open that.
If you have done this but shill service is not getting started then you can check the log and give additional info in question.
Another reason I can think of is connection problem. Try downloading idP's metadata and store it physically in the SP configuration folder. Manually map the file, using following tag
<MetadataProvider type="XML" file="partner-metadata.xml"/>
All the issues has been resolved after we upgraded from Shibboleth 2.6 to 3.0.2. we are getting the Shibboleth Identity provider login page.We are able to see the attributes in Session.Now we are working on how to retrieve the attributes in our application and how to redirect to our application home page.Currently we created 1 sample html page under secure folder in our application. once we logged in we are able to this html page.But when i tried to redirect to our application home page, it's giving 500 error. Can any one knows like how to redirect to our app home page and retrieve the attributes in the application.
I have a backend server (Java / Spring / Spring Security).
Currently when users from mobile app login, they simply submit their username/password and Spring Security creates a Session and assign it to the request with a JSESSIONID.
We would now also have a button on the mobile app "Login with Facebook". Here is my understanding of how it will work.
mobile app uses facebook SDK to get an "access_token"
mobile app retrive USer Profile from facebook (name,surname,email etc..)
mobile checks (against MY server) if the username is unique
If username unique, call MY REST api, with something like this /login/facebook POST over SSL and passing the access_token, email, username etc...)
my server then checks if the access_token is valid
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
If yes, if the UID returned by facebook is already present in my local database, I signin the user as follow:
SecurityContextHolder.getContext().setAuthentication(
new UsernamePasswordAuthenticationToken(username, null, ROLE_USER));
If i don't find the UID, I just create a new user and login the user.
and from now on every request made to the server by the mobile will have the SESSION (created and attached by spring security) and the mobile app is authenticated
Could someone tell me if this is a good way of doing things ?
Should I stop using sessions and switch to Spring-Security-OAUTH2 ?
EDIT 1
Based on Dave advices here is the updated spring-security config:
<!- handle login by providing a token-->
<security:http pattern="/login/facebook" auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<security:custom-filter ref="facebookLoginFilter" position="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/login/facebook"></constructor-arg>
</bean>
<!-- handle basic username + password logins-->
<security:http auto-config="true" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<security:form-login login-processing-url="/security_check" authentication-failure-handler-ref="authFailureHandler"
default-target-url="/" always-use-default-target="true" authentication-success-handler-ref="authSuccessHandler" />
...
my others patterns..
...
</security:http>
<bean id="forbiddenEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="authSuccessHandler" class="my.package.AuthenticationSuccessHandlerImpl"/>
<bean id="authFailureHandler" class="my.package.AuthenticationFailureHandlerImpl"/>
<bean id="facebookLoginFilter" class="pl.jcommerce.ocean.web.ws.controller.FacebookLoginFilter">
<property name="requiresAuthenticationRequestMatcher" ref="loginRequestUrlHandler"></property>
<property name="authenticationManager" ref="authManager"></property>
</bean>
<security:authentication-manager id="authManager">
<security:authentication-provider ref="facebookAuthenticationProvider" />
</security:authentication-manager>
<security:authentication-manager>
<security:authentication-provider ref="webServiceUserAuthenticationProvider" />
</security:authentication-manager>
<bean id="loginRequestUrlHandler" class="org.springframework.security.web.util.matcher.RegexRequestMatcher">
<constructor-arg index="0" value="/login/facebook" />
<constructor-arg index="1" value="POST" />
<constructor-arg index="2" value="false" />
</bean>
Facebook is already using OAuth2 server side, and provides its own native SDK for clients, so I don't see any advantage in your case of using OAuth2 in your server as well, unless your use case extends beyond what you outline above. Spring OAuth2 also has client side support, but not in a native app, so I don't really see anything at all wrong in principle with your proposal. You didn't say in any detail where you would set the security context up in your server, and I think that might be an important detail -- it has to happen in the security filter chain in the right place to get the session to be updated.
I took a crack at implementing something like this based on Dave Syer's answer here along with the Spring Security Angular materials he put together. To see an example see my forked github repo, specifically the classes in the security package.
I am consuming an secured service hosted over basicHttpBinding
I have to pass credentials to the service for authenticatioon
Here’s the config setting for the client
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
While calling the service, I am getting following exception message
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Message = "An invalid security token was provided (Bad UsernameToken Values)”
I not sure how to get it working I am curious if somebody can help me out or provide me any url where I could find the solution
When you create your MyServiceClient object you can set the username and password on the clientInstance.Credentials.UserName object.