How to set custom Attributes in keycloak JWT? - jwt

I am making a storage provider that federates users from my local database. My question: I need to set the attributes of my custom user in the returned JWT.
I need to carry the user from customStorageProvider to JWTMapper to map the attributes to the JWT.

That can be achieved with protocol mappers; they can map user-related attributes into the token. To create them via Admin Console, go to your realm:
then to clients, and select the client that you will be authenticating against
Afterwards:
(For the OLD Keycloak UI)
go to Mappers
click on:
either Create (right side) to create your mapper
or Add Builtin to add a Keycloak's built-in mapper
(For the NEW Keycloak UI)
go to the tab Client Scopes
click on the client scope <the client ID of your client>-dedicated (e.g., test-dedicated in the picture below)
if you have never created a mapper for this client before, click on:
either Configure a new mapper to create your mapper
or click on Add predefined mapper to add a Keycloak's built-in mapper
if you have already created mappers for this client before, click on Add mapper and select:
either From predefined mappers to create your mapper
By configuration to add a Keycloak's built-in mapper
Those mappers can also be created automatically with the Keycloak Admin REST API. To understand how, check this SO answer on "how to create a mapper for each user attribute in Keycloak via REST API".
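To show the REST route mentioned above end to end, here is an added example (not code from the original answer) that creates the built-in "User Attribute" mapper on a client with the Admin REST API using only the standard library. It assumes a Keycloak base URL without the legacy /auth prefix (add it for Keycloak releases before 17), an admin account in the master realm, and the realm, client and attribute names shown, which are placeholders. Note that this mapper reads the attribute from the UserModel, so a custom UserStorageProvider must expose the attribute through its UserModel adapter for the claim to be populated.

```python
"""Create a user-attribute protocol mapper on a Keycloak client (Admin REST API).

Added example; not from the original post. Assumptions (labelled):
  - base URL has no /auth prefix (Keycloak >= 17)
  - the admin token is obtained from the master realm with the admin-cli client
"""
import json
import os
import urllib.parse
import urllib.request


def attribute_mapper(name, user_attribute, claim_name, json_type="String",
                     add_to_id_token=True, add_to_access_token=True,
                     add_to_userinfo=True):
    """Build the ProtocolMapperRepresentation for Keycloak's built-in
    'User Attribute' mapper (oidc-usermodel-attribute-mapper).

    The mapper copies UserModel attribute `user_attribute` into claim
    `claim_name`; if the user has no such attribute, no claim is emitted.
    """
    return {
        "name": name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",
        "config": {
            "user.attribute": user_attribute,
            "claim.name": claim_name,
            "jsonType.label": json_type,
            # Keycloak stores mapper config values as strings, hence "true"/"false"
            "id.token.claim": str(add_to_id_token).lower(),
            "access.token.claim": str(add_to_access_token).lower(),
            "userinfo.token.claim": str(add_to_userinfo).lower(),
        },
    }


def admin_token(base_url, username, password):
    """Password grant against the master realm's admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_api(base_url, token, method, path, payload=None):
    """One JSON call to /admin/...; returns the decoded body or None if empty."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{base_url}/admin{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def client_uuid(base_url, token, realm, client_id):
    """Admin endpoints key on the internal UUID, not the human-readable clientId."""
    query = urllib.parse.urlencode({"clientId": client_id})
    clients = admin_api(base_url, token, "GET", f"/realms/{realm}/clients?{query}")
    if not clients:
        raise LookupError(f"no client with clientId={client_id!r} in realm {realm!r}")
    return clients[0]["id"]


def add_attribute_mapper(base_url, token, realm, client_id, user_attribute, claim_name):
    """Create the mapper on the client; Keycloak answers 201 with an empty body."""
    uuid = client_uuid(base_url, token, realm, client_id)
    mapper = attribute_mapper(f"{user_attribute} -> {claim_name}", user_attribute, claim_name)
    admin_api(base_url, token, "POST",
              f"/realms/{realm}/clients/{uuid}/protocol-mappers/models", mapper)
    return mapper


if __name__ == "__main__":
    # Placeholder values; realm, client and attribute names are assumptions.
    base = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
    tok = admin_token(base, os.environ["KC_ADMIN"], os.environ["KC_ADMIN_PASSWORD"])
    created = add_attribute_mapper(base, tok, "myrealm", "my-client", "department", "department")
    print(json.dumps(created, indent=2))
```

Creating the same mapper name twice on one client yields HTTP 409, which surfaces here as urllib.error.HTTPError; treat that as "already configured" rather than an error if the script is meant to be re-runnable.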

Related

How to include Realm ID in the jwt token - keycloak

I'm using Keycloak as my user management and trying to generate a JWT to be used in other microservices. As I understand it, to add a new field or info to the JWT, I need to create a new client scope then link it to a predefined mapper to be included in the JWT, but I can't find any predefined realm ID mapper. So is there any other way to add the realm ID to the JWT? Or am I missing something from the predefined mappers?
I'm using keycloak version 19.0.1

Keycloak: Retrieving Attributes from JSON API after Authentication

Use case: a client, SAML or OIDC, will authenticate users via an Identity Provider (OIDC, say Google; or SAML). On return of authentication from the Identity Provider, Keycloak will call out to an external JSON API to obtain further attributes on the user (say, look up the telephone number by email).
Is the above possible? Any hints on how to approach it will be greatly appreciated.
I was referencing keycloak-json-remote-claim/README.md at master · groupe-sii/keycloak-json-remote-claim · GitHub as an OIDC example – not sure if I’m in the correct ballpark.
If you want to add additional user attributes from an external service you should:
Create your own auth flow
Create a plugin with an Authenticator and an AuthenticatorFactory
Implement all logic in Authenticator
Add the AuthenticatorFactory to the new flow
Assign the new flow to your main client
After these steps your Authenticator will invoke the external service and put all needed attrs on the user each time a user logs in through your main client

Why are the built-in claims not shown in the JWT from the default client “admin-cli” in Keycloak?

In Keycloak, there is a default client whose client id is “admin-cli”. I try to add a built-in claim to this client.
In the Mappers tab under this client, I add the built-in mapper “realm roles”. But when I get the JWT from this client using the API:
http://{{url}}/auth/realms/{{realm}}/protocol/openid-connect/token
with the proper client_id, the JWT doesn’t include the claim.
I created another client and added the same mapper with the same configuration; the JWT requested from that client includes the claim.
Any idea why the claim is not shown in the JWT from client “admin-cli”?
Yes, you need to:
Go to the Master Realm;
Clients;
Click on Admin-cli;
Switch to Scope;
In admin-cli Scope Mappings: Set Full Scope Allowed to ON.
This will make all the Realm and Client roles show up in the token. If you only need some specific roles then do the following:
Go to the Master Realm;
Clients;
Click on Admin-cli;
Switch to Scope;
In admin-cli Scope Mappings:
Select the Realm Roles (or client roles) and move them to the Assigned Roles column.

Flask-OIDC | How to call a specific function after the user logged in

I built a login system using Flask-OIDC and Keycloak. In my system, there are some endpoints decorated with oidc.require_login() that call the Keycloak login page.
My goal is, after the user has successfully logged in, my system checks whether the username exists in a specific database.
How can I set a function to be called every time someone successfully logs in with Keycloak and do this verification against the database?
According to your needs there are several ways to create the user in the backend.
The easiest way would be to just check the JWT token on every request. OIDC is based on JWT and that token is available on any request (which should already be done to find user roles etc). So your application can check that JWT and extract the username from it (see here for details about the JWT format). With the username you can check your internal database and create the user, if it doesn't exist. But at that time you'll not have access to any user credentials any more. It is just SSO and you need to trust Keycloak and the JWT... Also - you'll never be informed, if the user will be deleted in Keycloak, which could be an issue.
There is a callback API in Keycloak in form of the Admin URL per client. But the documentation is not clear. It says: It’s used by the Keycloak server to send backend requests to the application for various tasks, like logout users or push revocation policies. But I cannot find a complete list of "tasks". I saw only logout events. see Keycloak documentation and the documentation only talks about that. If I add an admin url to a test client, I did not get any requests at login time.
a different but more complicated way would be to create your own UserStorage SPI in Keycloak. It would be Java of course, but only some classes. There is an HTTP example or have a look at the LDAP user storage SPI, which supports registration too. If you choose that for your realm and a user tries to login to Keycloak (Login form), the SPI can call your backend to check the user. It also could be "used" to create the user in the backend by checking the Keycloak local storage and only if there is a local Keycloak user, call the backend. That isn't the reason, why you should implement the UserStorage SPI, but it's possible. If you think, this is a good idea, I would prefer to use your backend storage as the one and only storage or build a different one, that then could call your real backend in case of a new user. I would use this one by not using Keycloak local stored users but, by using your own database.
next (maybe last one). You can write an EventListener SPI to read all events and only filter the login events, see here and here. I think, that would be the easiest one. But be aware. In that case, the HTTP call to your backend coming from the event itself is based on a normal HTTP request (without OIDC at that time).
The last two examples create a JAR (which is explained in the links). That JAR with the SPI must be deployed in keycloaks standalone/deployments folder. The EventListener should be active by default, the UserStorage SPI must be activated per realm.
But - be aware - Keycloak/SSO/JWT - should not be used by creating users in multiple backends. Syncing the users between all backends in a SSO environment is maybe the wrong way. Most information is located in the JWT or can be called by a backend from one central user identity management. Do not store a user more than once. If you need the user reference in your backend - link just to the username or userid (string) instead of a complete entity.
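The first option above ("check the JWT on every request, create the user if it doesn't exist") is easy to get subtly wrong: the username in the token is only trustworthy once the token itself has been checked, and a local record keyed on the username breaks if the user is renamed in Keycloak. The added example below (not code from the original answer) shows the check as a plain function that can be called from a Flask before_request hook with the claims Flask-OIDC exposes. It assumes the token signature was already verified upstream, re-checks the issuer, audience and expiry claims it relies on, and keys the local row on the stable sub claim, storing the username only as a display value. The claims and issuer URL are constructed sample data.

```python
"""Provision a local user record from the claims of a Keycloak-issued JWT.

Added example (not from the original answer). Assumes the token signature has
already been verified by Flask-OIDC; the claims are still re-checked here
because the local user record is created on their authority.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    sub       TEXT PRIMARY KEY,   -- Keycloak user id: stable across renames
    username  TEXT NOT NULL,      -- preferred_username, display only
    email     TEXT,
    last_seen INTEGER NOT NULL
)
"""

# Constructed sample claims as Keycloak would put them in an access/ID token.
CONSTRUCTED_CLAIMS = {
    "iss": "https://keycloak.example/realms/demo",
    "aud": "flask-app",
    "sub": "5d8c0f6e-constructed-sub",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "iat": 1_700_000_300,
    "exp": 1_700_000_600,
}


def open_user_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def check_claims(claims, expected_issuer, expected_audience, now=None):
    """Reject tokens from another realm, for another client, or already expired."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("token issued by an unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a list
    if expected_audience not in audiences:
        raise ValueError("token is not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    if not claims.get("sub"):
        raise ValueError("token carries no subject")
    return claims


def ensure_local_user(conn, claims, expected_issuer, expected_audience, now=None):
    """Create the local row on first sight, refresh it afterwards.

    Returns "created" or "existing" so a caller can trigger first-login work.
    """
    check_claims(claims, expected_issuer, expected_audience, now)
    seen_at = int(time.time() if now is None else now)
    sub = claims["sub"]
    known = conn.execute("SELECT 1 FROM users WHERE sub = ?", (sub,)).fetchone()
    conn.execute(
        "INSERT INTO users (sub, username, email, last_seen) VALUES (?, ?, ?, ?) "
        "ON CONFLICT(sub) DO UPDATE SET username = excluded.username, "
        "email = excluded.email, last_seen = excluded.last_seen",
        (sub, claims.get("preferred_username", sub), claims.get("email"), seen_at),
    )
    conn.commit()
    return "existing" if known else "created"


def local_user(conn, sub):
    row = conn.execute(
        "SELECT sub, username, email FROM users WHERE sub = ?", (sub,)).fetchone()
    return None if row is None else {"sub": row[0], "username": row[1], "email": row[2]}


if __name__ == "__main__":
    db = open_user_db()
    iss = CONSTRUCTED_CLAIMS["iss"]
    print(ensure_local_user(db, CONSTRUCTED_CLAIMS, iss, "flask-app", now=1_700_000_400))
    print(ensure_local_user(db, CONSTRUCTED_CLAIMS, iss, "flask-app", now=1_700_000_401))
    print(local_user(db, CONSTRUCTED_CLAIMS["sub"]))
```

In a Flask application the call goes inside a before_request hook that only runs when Flask-OIDC reports a logged-in user; the expected issuer is the realm URL and the expected audience is the client id configured for the app. Keying on sub also means the record survives a username change in Keycloak, while the missing-deletion problem the answer mentions still needs a separate reconciliation job.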
There is no direct way of doing this; other software like OpenAM and Okta allows you to trigger specific flows in a post-login configuration.
In Keycloak, you can try to create your custom authn flow (using Default Identity Provider, it's the only option that allows a redirect), and then select this flow in your Identity Provider in the post-login flow.
The idea here is that after login, the user will be redirected to a link (an API call that will verify his presence in the external database and send him back to Keycloak once the verification is done).
More info here

Create a new entity, entity alias in Vault and obtain a token for authentication

I would like to create a new entity in Vault and generate a new token to give a user access to the UI using the API.
So, I am generating the entity using /v1/identity/entity/name/:name, then consulting the mount accessor in /v1/sys/auth and creating a new entity alias with /v1/identity/entity-alias
I am not adding any policy, that's something I will do later, first I just want to give access to the UI.
So now I create the token with /v1/auth/token/create, but I can't find a way to associate that token with the previously created entity.
The same example with username/password works as expected.
How do I associate the token with the entity?
It is currently not possible to associate entities directly with tokens. All auth methods are supported except the token auth. The alternative is to use the userpass auth method, or to use the AppRole auth method (but without an entity, only policies).
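The userpass alternative from the answer, as an added example (not code from the original post): the entity is created by name, the alias is bound to the mount accessor of the userpass auth method, and a userpass login then returns a token whose entity_id is the entity created earlier, which is what a raw token from auth/token/create cannot provide. It assumes VAULT_ADDR and VAULT_TOKEN in the environment, a token allowed to manage identity/ and auth/userpass/, and that userpass is enabled at its default path; the username and password are placeholders.

```python
"""Vault: entity-backed login through userpass instead of a raw token.

Added example, not from the original answer. Assumptions (labelled):
  - VAULT_ADDR / VAULT_TOKEN are set and the token may manage identity and userpass
  - the userpass auth method is enabled at the default mount path "userpass/"
"""
import json
import os
import urllib.error
import urllib.request


def vault_call(addr, token, method, path, payload=None):
    """One JSON request against /v1/<path>; returns the decoded body ({} if empty)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"{method} {path}: HTTP {err.code} {err.read().decode()}") from err
    return json.loads(raw) if raw else {}


def userpass_accessor(auth_mounts, mount="userpass/"):
    """Pick the mount accessor an alias must reference from the sys/auth listing."""
    try:
        return auth_mounts[mount]["accessor"]
    except KeyError:
        raise LookupError(f"auth mount {mount!r} is not enabled") from None


def alias_payload(username, entity_id, mount_accessor):
    """Body for POST identity/entity-alias: ties the userpass login name to the entity."""
    return {"name": username, "canonical_id": entity_id, "mount_accessor": mount_accessor}


def provision_user(addr, token, username, password, policies=()):
    """Create entity -> read its id -> create userpass user -> link them with an alias."""
    # identity/entity/name/<name> creates or updates; the id is read back separately
    # because the update case returns no body.
    vault_call(addr, token, "POST", f"identity/entity/name/{username}",
               {"policies": list(policies)})
    entity_id = vault_call(addr, token, "GET", f"identity/entity/name/{username}")["data"]["id"]

    listing = vault_call(addr, token, "GET", "sys/auth")
    accessor = userpass_accessor(listing.get("data", listing))

    vault_call(addr, token, "POST", f"auth/userpass/users/{username}", {"password": password})
    vault_call(addr, token, "POST", "identity/entity-alias",
               alias_payload(username, entity_id, accessor))
    return entity_id


def login(addr, username, password):
    """userpass login; the returned token is already attached to the entity."""
    auth = vault_call(addr, None, "POST", f"auth/userpass/login/{username}",
                      {"password": password})["auth"]
    return auth["client_token"], auth["entity_id"]


if __name__ == "__main__":
    addr = os.environ["VAULT_ADDR"]
    root = os.environ["VAULT_TOKEN"]
    # Placeholder credentials; use a generated password in practice.
    entity = provision_user(addr, root, "alice", os.environ.get("ALICE_PASSWORD", "change-me"))
    client_token, entity_id = login(addr, "alice", os.environ.get("ALICE_PASSWORD", "change-me"))
    print("entity matches login:", entity == entity_id)
```

If an alias for the same userpass name already exists the entity-alias call fails rather than re-pointing it; look the alias up under identity/entity-alias/id first when the script must be idempotent.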