I'm using Keycloak to get access tokens, but I need those JWT tokens to have a 'policy' attribute/claim that MinIO requires.
Now, I can get those by calling the token endpoint with grant_type = password, plus username and password.
I know that that policy attribute is mapped from the user, but is there any possibility that I could get client credentials (grant_type = client_credentials) including that attribute? Or any other type of grant?
You can add a mapper to the client:
Mapper Type: "Hardcoded claim"
Token Claim Name: <token body key>, in your case 'policy'
Claim value: <the value>
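As an added example (not code from the thread or from Keycloak itself): the JSON body that the "Hardcoded claim" mapper above corresponds to in the Admin REST API, plus an unverified payload decoder to check that the 'policy' claim actually lands in a token obtained with grant_type=client_credentials. The realm URL, client ID and policy value are assumptions; the sample token is constructed locally with a dummy signature so the script runs offline.

```python
import base64
import json

# Constructed for this example: the payload of an access token Keycloak would
# issue for a client_credentials grant once the hardcoded-claim mapper exists.
# A real token carries an RS256 signature that MinIO verifies against the realm's
# JWKS; the signature here is a placeholder because only the payload is inspected.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/realms/minio",   # assumed realm URL
    "azp": "minio-batch-client",                          # assumed client ID
    "preferred_username": "service-account-minio-batch-client",
    "policy": "readwrite",                                # assumed MinIO policy
    "exp": 1700000000,
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (test input only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"dummy-signature"),
    ])


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying the signature.

    Good enough for checking what a mapper put into the token while debugging;
    a relying party (MinIO included) must verify the signature before trusting
    any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def hardcoded_claim_mapper(claim_name: str, claim_value: str) -> dict:
    """Body for POST /admin/realms/{realm}/clients/{client-uuid}/protocol-mappers/models.

    This is what the admin console creates for Mapper Type "Hardcoded claim":
    provider id oidc-hardcoded-claim-mapper with the claim.name / claim.value
    config keys. The mapper name is an arbitrary label chosen here.
    """
    return {
        "name": f"{claim_name}-hardcoded",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-hardcoded-claim-mapper",
        "consentRequired": False,
        "config": {
            "claim.name": claim_name,
            "claim.value": claim_value,
            "jsonType.label": "String",
            "access.token.claim": "true",
            "id.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def token_has_policy(token: str, expected: str) -> bool:
    """True if the (unverified) token carries policy == expected."""
    return decode_payload(token).get("policy") == expected


if __name__ == "__main__":
    print(json.dumps(hardcoded_claim_mapper("policy", "readwrite"), indent=2))
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    print("policy claim present:", token_has_policy(tok, "readwrite"))
```

A client-level mapper is applied to every token issued for that client, so it also covers the service-account token a client_credentials grant returns, which is why it works where a user-attribute mapper does not. The flip side is that every token for that client carries the same policy, so use one client per policy and treat its secret accordingly.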
As a Keycloak newbie, I am trying to configure a client with the "Password" grant type. I know that this is not the preferred solution in most cases.
I created a realm 'realm2' with a client 'myclient2' and a user.
When trying to get the token with Postman, I get this error:
{
    "error": "unauthorized_client",
    "error_description": "Client secret not provided in request"
}
When I add the client_secret, I get the token. I tried to provide a username and password and no secret.
Via the Keycloak user interface I can also log in as 'johan' in 'realm2'.
This is my request in Postman:
In Keycloak I configured the 'realm2' with no special properties set:
The client 'myclient2' is:
I can see on the Credentials tab of the client:
I configured 1 user in the realm2 with just 'password' as a password:
How can I configure my Keycloak settings so that I don't need the 'secret' but only the username and password?
You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the settings tab of your client.
EDIT: I just realized your Keycloak version seems different from mine. This configuration is likely under the Access Type selector in your settings tab; change it from confidential to public.
#Haf's answer is right to the point; TL;DR: in the client's Access Type dropdown menu select public instead of confidential.
Nonetheless, I want to add a bit more information behind the scenes since you stated that:
As a newbie for Keycloak I try to configure a client with a
"Password" grant type.
First, you should know that Keycloak implements OpenID Connect, which
is a simple identity layer on top of the OAuth 2.0 protocol.
According to the OAuth 2.0 protocol clients can be either confidential or public.
The main difference relates to whether or not the application is able
to hold credentials (such as a client ID and secret) securely.
Regarding the confidential clients:
Because they use a trusted backend server, confidential applications
can use grant types that require them to authenticate by specifying
their client ID and client secret when calling the Token endpoint.
Armed with this knowledge you can easily figure out how to create a client that will not have a client secret.
I added a custom claim in the WSO2 IS 5.11 console by navigating to Claims -> Add -> Add Local Claim, as shown below.
I created a new user in WSO2 and updated the profile with the custom claims, as shown below.
I invoked the published endpoint from a Java client to get the JWT token from the request headers, as shown below.
jWTToken = httpRequest.getHeader("X-JWT-Assertion");
The JWT token is retrieved successfully from the request headers.
After decoding the token we see only the default claims, not the custom claims.
We expect the JWT token to return the custom claims along with the default claims.
Is there any configuration required in WSO2 IS 5.11.0 to get the custom claims in the JWT token?
Environment
WSO2 IS 5.11.0
WSO2 API Manager 4.1.0
Expectation
The JWT token should return the custom claims.
If you want to add the custom claims to your generated JWT tokens, you need to mark the claims as mandatory in the service provider configuration of the particular application you are using to generate the token.
Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
Then you need to add the openid scope when invoking the token endpoint (each header needs its own -H flag):
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>" -H "Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
Refer https://apim.docs.wso2.com/en/latest/design/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
Then the custom claim will be added to the token and passed on to the generated backend JWT token as well.
I've successfully configured Keycloak as the identity server for WSO2 API Manager; I am able to log in to Keycloak and, with the bearer token, call a REST API defined in WSO2.
Now I need WSO2 to also send to the backend claims based on the Keycloak user's information, like role, group or property.
WSO2 apim 4.1.0 and Keycloak 19
You can't get group information from the access token's claims, but you can get the client role, realm role, user name, username and client name.
User groups or group members can be obtained with a separate API call.
You need to follow this order:
create realm -> create client -> add realm role -> add client role -> add user (with credential) -> assign realm role to user -> assign client role to user
Then
get an access token for the user with grant_type "password"
decode the access token at jwt.io
Finally you can map between the Keycloak settings and the token's claims.
You need to understand how to access resources with Role Based Access Control in Keycloak.
Here is a good explanation of resources, scopes, permissions and policies in Keycloak
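As an added example (not code from the thread or from Keycloak/WSO2): the mapping step the answer ends with, applied to a decoded password-grant access token. Realm roles live under realm_access.roles, client roles under resource_access.<client>.roles, the username under preferred_username and the client under azp; a groups claim is only present when a Group Membership mapper has been added to the client, which is why it is reported as "mapped or not" rather than read blindly. The realm, client, user and role names in the sample payload are constructed for this example.

```python
from typing import Optional

# Constructed for this example: the decoded payload of a Keycloak access token
# obtained with grant_type=password after the setup order described above
# (realm -> client -> realm role -> client role -> user -> role assignments).
SAMPLE_ACCESS_TOKEN_CLAIMS = {
    "iss": "https://keycloak.example.com/realms/demo",   # assumed realm
    "azp": "wso2-apim",                                  # assumed client ID
    "preferred_username": "alice",
    "name": "Alice Example",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "api-user"]},
    "resource_access": {
        "wso2-apim": {"roles": ["invoice-reader"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def extract_identity(claims: dict) -> dict:
    """Pull the fields the answer lists out of a Keycloak access token payload.

    Client roles are taken for the client the token was issued to (azp);
    roles of other clients (e.g. the built-in 'account' client) are ignored.
    """
    client = claims.get("azp")
    return {
        "username": claims.get("preferred_username"),
        "name": claims.get("name"),
        "client": client,
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": sorted(
            claims.get("resource_access", {}).get(client, {}).get("roles", [])
        ),
        # Absent key means "no Group Membership mapper configured", not "no groups".
        "groups_mapped": "groups" in claims,
    }


def has_role(claims: dict, role: str, client: Optional[str] = None) -> bool:
    """RBAC check: a realm role when client is None, else a role of that client."""
    if client is None:
        roles = claims.get("realm_access", {}).get("roles", [])
    else:
        roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


if __name__ == "__main__":
    ident = extract_identity(SAMPLE_ACCESS_TOKEN_CLAIMS)
    for key, value in ident.items():
        print(f"{key}: {value}")
    print("invoice-reader on wso2-apim:",
          has_role(SAMPLE_ACCESS_TOKEN_CLAIMS, "invoice-reader", client="wso2-apim"))
```

Run this over the payload you get from jwt.io to confirm which role assignments actually reached the token before wiring the claims into the WSO2 backend JWT; a client role that is assigned but not in the token usually means the user was given the role on a different client than the one in azp.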
Below is my kubeconfig file for accessing kubernetes clusters:
kind: ClientConfig
apiVersion: authentication.gke.io/v2alpha1
spec:
  name: dev-corp
  server: https://10.x.x.x:443
  certificateAuthorityData: ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
  authentication:
  - name: oidc
    oidc:
      clientID: aaaaad3-9aa1-33c8-dd0-ddddd6b5bf5
      clientSecret: ccccccccccccccccc-
      issuerURI: https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0
      kubectlRedirectURI: http://localhost:12345/callback
      cloudConsoleRedirectURI: http://console.cloud.google.com/kubernetes/oidc
      scopes: offline_access,profile
      userClaim: upn
      userPrefix: '-'
      groupsClaim: groups
  preferredAuthentication: oidc
There are different OAuth grant types.
My understanding is that the above OAuth grant type is the client credentials grant type, which requires client_id, client_secret, token URL (issuerURI) and scope.
What is the significance of fields kubectlRedirectURI, cloudConsoleRedirectURI, userClaim, userPrefix?
How is OIDC different from OAuth2?
oauth2.Config does not store the userClaim, userPrefix and groupsClaim information, as shown here: https://github.com/golang/oauth2/blob/master/oauth2.go#L41
How to store kind:ClientConfig with oidc based authentication into cache? for example api.Config can be stored with an API from client-go to write api.Config as shown here.
KUBECTL_REDIRECT_URL: the redirect URL that kubectl oidc login uses for authorization. This is typically of the format http://localhost:PORT/callback, where PORT is any port above 1024 that will be available on developer workstations, for example http://localhost:10000/callback. You must register the URL with your OIDC provider as an authorized redirect URL for the client application.
USER_PREFIX: prefix prepended to user claims to prevent conflicts with existing names. By default, an issuer prefix is appended to the userID given to the Kubernetes API server (unless the user claim is email). The resulting user identifier is ISSUER_URI#USER. We recommend using a prefix, but you can disable the prefix by setting USER_PREFIX to -.
userClaim: the user identifier in the token under the claim name configured in spec.authentication.oidc.userClaim in the client configuration file.
cloudConsoleRedirectURI: the name tells the story, it is the cloud console's redirect URL for OIDC, for example in the case of Google https://console.cloud.google.com/kubernetes/oidc
OIDC vs OAuth2
What's the difference between OpenID and OAuth?
The file in the question is an OIDC configuration and you are comparing its values with OAuth; the two are handled in different ways. Better to update the question with the OAuth config file.
api-server-authentication
you can check kubeconfig builder
kubernetes-engine-oidc
How to store kind: ClientConfig with OIDC-based authentication in a cache?
You can write it to a file and read it back, or keep it somewhere in cloud storage as well.
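As an added example (not code from the thread, from GKE or from client-go): the userClaim / userPrefix / groupsClaim rules described above, applied to the ClientConfig from the question, plus the "write it to a file" cache suggestion done with a 0600 file mode since the ClientConfig carries the clientSecret. The rules are modelled on the documented behaviour quoted above; the issuer is the question's own value, and the token claims and group names are constructed for this example.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

# The oidc block of the question's ClientConfig, reduced to the fields that
# decide how a token is turned into a Kubernetes identity.
CLIENT_CONFIG_OIDC = {
    "issuerURI": "https://login.microsoftonline.com/aaaa92-aab7-bbfa-cccf-ddaaaaaaaa/v2.0",
    "kubectlRedirectURI": "http://localhost:12345/callback",
    "userClaim": "upn",
    "userPrefix": "-",
    "groupsClaim": "groups",
}

# Constructed for this example: claims of an ID token issued by that issuer.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": CLIENT_CONFIG_OIDC["issuerURI"],
    "upn": "dev1@corp.example",
    "email": "dev1@corp.example",
    "groups": ["k8s-developers", "k8s-readonly"],
}


def kube_username(oidc: dict, claims: dict) -> str:
    """Apply the documented prefix rules to the configured user claim.

    userPrefix "-"   -> no prefix, the raw claim value is the Kubernetes user
    userPrefix unset -> ISSUER_URI#USER, unless the user claim is "email"
    anything else    -> PREFIX + USER
    """
    claim_name = oidc.get("userClaim", "sub")
    if claim_name not in claims:
        raise KeyError(f"token has no {claim_name!r} claim; check userClaim")
    user = str(claims[claim_name])
    prefix = oidc.get("userPrefix", "")
    if prefix == "-":
        return user
    if prefix == "":
        return user if claim_name == "email" else f"{oidc['issuerURI']}#{user}"
    return f"{prefix}{user}"


def kube_groups(oidc: dict, claims: dict) -> list:
    """Read the groups claim; a missing or malformed claim yields no groups."""
    groups = claims.get(oidc.get("groupsClaim", ""), [])
    if isinstance(groups, str):
        groups = [groups]
    return [str(g) for g in groups] if isinstance(groups, list) else []


def valid_kubectl_redirect(uri: str) -> bool:
    """kubectlRedirectURI must be an http://localhost:PORT URL with PORT > 1024."""
    p = urlparse(uri)
    return p.scheme == "http" and p.hostname == "localhost" and (p.port or 0) > 1024


def save_client_config(cfg: dict, path: str) -> None:
    """Cache the ClientConfig as a 0600 file (JSON is valid YAML for kubectl).

    The document contains clientSecret, so never leave it world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)


def load_client_config(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def cache_roundtrip(cfg: dict):
    """Write cfg to a temp file and read it back; returns (loaded, file mode bits)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "clientconfig.json")
        save_client_config(cfg, path)
        return load_client_config(path), os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print("user:  ", kube_username(CLIENT_CONFIG_OIDC, SAMPLE_ID_TOKEN_CLAIMS))
    print("groups:", kube_groups(CLIENT_CONFIG_OIDC, SAMPLE_ID_TOKEN_CLAIMS))
    print("redirect ok:", valid_kubectl_redirect(CLIENT_CONFIG_OIDC["kubectlRedirectURI"]))
```

With userPrefix '-' the RBAC subject is the bare upn value, so a RoleBinding must name dev1@corp.example; had the prefix been left at its default, the same user would have to be bound as https://login.microsoftonline.com/…/v2.0#dev1@corp.example, which is the usual reason an apparently correct binding does not match.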
In Keycloak 12, this call returned the client secret inside the 'credentials' object:
keycloak.realm(tenantId)
.clients()
.get(applicationId)
.getInstallationProvider("keycloak-oidc-keycloak-json");
As of Keycloak 13, the same call no longer includes the 'secret' property in the 'credentials' object:
https://issues.redhat.com/browse/KEYCLOAK-18257
Is there an alternative API call that will return the secret?
You can use the "Get the client secret" request from the Keycloak Admin API (of course with the correct permissions properly configured):
GET /{realm}/clients/{id}/client-secret
https://www.keycloak.org/docs-api/14.0/rest-api/index.html
I guess you can define the secret directly in the registration payload, so you won't need to retrieve the secret afterwards.