Is it possible to use RSA-512 instead of RSA-256 at Keycloak? - keycloak

I guess Keycloak has predefined algorithms/Active Keys such as RSA256, AES and HS256?
Is it possible to use RSA512 instead of RSA256?
Thank you for your kind help.

You're right. It has some predefined algorithms and keys. But you can change their settings and force Keycloak to use RSA512. In order to do so, in your realm settings, go to the "Keys" tab and select "Providers" sub-tab. There you can click on the "Edit" button of the rsa-generated provider (that exists by default) and change its algorithm or key size to another value. In short:
Realm Settings > Keys > Providers > Edit (of rsa-generated row)
In the providers list, you also have the option to upload your own keystore with a proper private key that uses the algorithm you prefer.

In addition to the rsa-generated provider settings, you may need to go to "Client details" -> "Advanced" -> "Fine grain OpenID Connect configuration" and specify RS512 in "Access token signature algorithm" and "ID token signature algorithm". Otherwise, Keycloak creates a fallback-RS256 provider and keeps using the RS256 protocol.
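A check to run after making the changes above, as an added example that is not part of either answer: it decodes a token's header and compares its alg and kid against the realm's JWKS, flagging a token still signed with RS256 (the fallback provider) or a key below the expected size. The token headers, kid values and JWKS contents are constructed sample data; in practice the JWKS comes from the realm's certs endpoint and the token from the token endpoint shown below.

```python
import base64
import json

# Constructed sample data, not output of a real realm: a JWT header as Keycloak
# emits it once rsa-generated and the client's token signature algorithm are on
# RS512, plus a minimal JWKS with one RS512 key and one 1024-bit RS256 key.
EXPECTED_ALG = "RS512"
MIN_RSA_BITS = 2048

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def header_only_token(header: dict) -> str:
    # Payload is "{}" and the signature is empty: only the header is inspected.
    return b64url_encode(json.dumps(header).encode()) + ".e30."

# Moduli are byte patterns with the top bit set so bit lengths are exact.
SAMPLE_JWKS = {"keys": [
    {"kid": "rs512-key", "kty": "RSA", "alg": "RS512", "use": "sig",
     "n": b64url_encode(b"\x80" + b"\x5a" * 255), "e": "AQAB"},
    {"kid": "fallback-key", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": b64url_encode(b"\x80" + b"\x5a" * 127), "e": "AQAB"},
]}
GOOD_TOKEN = header_only_token({"alg": "RS512", "typ": "JWT", "kid": "rs512-key"})
BAD_TOKEN = header_only_token({"alg": "RS256", "typ": "JWT", "kid": "fallback-key"})

def rsa_modulus_bits(jwk: dict) -> int:
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()

def check_token_against_jwks(token: str, jwks: dict,
                             expected_alg: str = EXPECTED_ALG,
                             min_bits: int = MIN_RSA_BITS) -> list:
    # Returns a list of findings; an empty list means the token is as expected.
    header = json.loads(b64url_decode(token.split(".")[0]))
    findings = []
    if header.get("alg") != expected_alg:
        findings.append(f"token alg is {header.get('alg')}, expected {expected_alg}"
                        " (client still using the fallback-RS256 provider?)")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        findings.append(f"kid {header.get('kid')!r} is not published in the realm JWKS")
        return findings
    bits = rsa_modulus_bits(key)
    if bits < min_bits:
        findings.append(f"key {key['kid']} is only {bits} bits, want >= {min_bits}")
    return findings
```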

Related

What is the workflow for a basic Auth OIDC with Keycloak

I have Keycloak on Docker (v20.0.2) and, as you know, some versions change some or a good part of the UI, so it is hard to follow tutorials around the web...
I am trying to follow this particular tutorial
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the most updated. My Keycloak is actually behind Traefik and thomseddon/traefik-forward-auth with a docker-compose file (but the connection through Traefik is good and I have access to the admin UI).
So at step 10 of the tutorial things change for me; I have to look for that particular view here:
Click on the lateral menu Client Scope
Click on the button Create client scope
Give a name to the scope, and click on the Tab Mapper
All mappers are predefined... so there is no "New mapper"; I don't understand this bit
then just follow the tutorial
With that series of steps I get an error when retrieving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
(these are fake local data from the realm I created for testing)
that responds with this or something similar. I have also tried to change the grant_type to password, and the same happens; I cannot query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with a scope/role as the tutorial suggests, then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who cannot.
Is there any step that I'm missing from this update? Do you have the same error?
Thank you in advance.
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token,
also with different types of grant_type.
I will build an API in Python (I don't know Java and prefer JSON instead of XML) that connects to this Keycloak to allow users or not based on their scope/role/permission or something.
I need to be able to block users, so if user Student tries to access a URL from another Student, he gets blocked from that URL. So it is based on the role or scope, or I don't know which is preferred or easier to accomplish; the mission is to block users or not based on a factor in Keycloak that could be used for this.

Where is the custom protocol mapper in Keycloak 20.0.2?

I'm upgrading my Keycloak from 16 to 20.
In 16 I could use this screen to add a custom mapper.
In 20.0.2 I can't find this form in the admin panel. There is a Client scopes tab for each client, and it has an add button. But it does not allow me to define my custom mapper. It just adds predefined mappers.
Where is that form?
How can I add a custom mapper to a client in Keycloak 20.0.2?
IMO the old UI was a bit more intuitive in this regard. With the new one you need to:
Go to your Realm
Go to Clients and click on your client
Switch to 'Client Scopes'
In the 'Assigned client scope' list click on your client-id-dedicated:
then you go to the following menu:
Click on 'Configure a new Mapper' and then select 'User Attribute' and you get something as follows:

How to chain requests using Insomnia (get token from login api to use as header for other api)

I'm trying to update the header for my APIs with a SIF token that is retrieved from another login call. I know how to do this in Postman. There I go to the Tests tab and add something like this for the login API, which would set my global variable.
var data = JSON.parse(responseBody);
postman.setGlobalVariable("SIF_TEACHER", data.sifToken);
I've read this tutorial from the Insomnia official support page but can't really understand it and couldn't find any other doc on chaining requests there.
Thank you.
In your workspace press CTRL+E to open "Manage Environments" window
Add a variable like "token" to the environment
Put a response function (teal f) as the value of this variable by pressing CTRL+SPACE.
Select one to your liking from the dropdown, in your case "Response => Body Attribute" should work well.
This will open a "Tag" form, like this one:
Select your login request and filter the response JSON or XML for the value containing your token, e.g. $.access_token. Probably set trigger behaviour to "When Expired" too.
You can now access this variable anywhere in your workspace for other requests by pressing CTRL+SPACE in any form field and selecting the variable (purple x).
If you only need this for one request, you can skip setting up the environment variable for this and directly put the function where you need it, same way as described before.
You can check the link; in the comments there is a mini clip with the instructions:
https://github.com/Kong/insomnia/issues/2744
There is a plugin that allows you to have variables whose value you can set from different requests and use in others. This is great for when you want to chain requests but you have multiple possible parents and don't want to duplicate the child request; for example you could have "Login with A" and "Login with B" and both save to id, then you can have a "Get info" with the id.
Setting a variable is done using a special tag in the header of the request ("Save variable") and then using its value wherever you want with the "Variable" tag.
You can see more about the plugin in https://insomnia.rest/plugins/insomnia-plugin-save-variables .

Preventing user from modifying their name in Keycloak

In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and, after reading this SO post, came to know that although you can disable/hide fields in ftl, you cannot disable form validation.
E.g. I hid the firstname field, but still cannot submit. The result was the same with disable as well:
I am not aware of any other way to disable a particular field. However, there is a workaround in which you can disable the entire account modification flow (the password can still be changed by the Forgot Password option).
By default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be that the account page is inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last name in the account manager page. Is it possible to disable this behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the corresponding Realm;
Go to the tab General;
Set User Profile enabled to ON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official Keycloak documentation (link).
You can use the readonly property to disable email; you can just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>

Generating Certificate Signing Request using Management Console

I am following
https://godaddy.com/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282
guide to generate a CSR to request a code signing/software publishing certificate.
In the management console, when I right-click Certificates, go to All Tasks > Advanced Operations > Create Custom Request and click Next, I don't find "Active Directory Enrollment Policy" to select.
I don't know whether I need to download any template or generate some custom policy, and how.
I am using Windows 8 and my user account is not under any Active Directory domain, nor do I administer any Active Directory.
I am not sure if it is the right forum to ask this question. Pardon me, and direct me to the right forum, if it is not.
I ran into the same problem today and found the solution on MSDN. Try the following:
1. Instead of selecting Active Directory Enrollment Policy select Proceed without enrollment policy.
2. Click Next.
3. Select (No template) CNG key from the Template list.
4. Select PKCS #10 as the Request format.
5. Click Next.
6. Click the Details arrow and then the Properties button.
7. Enter a name for your certificate in the Friendly name box on the General tab.
8. Click the Subject tab.
9. Under Subject name, select Common name from the Type list. Enter a common name in the Value box and click the Add button.
10. Repeat step 9 for Organizational unit, Locality, State and Country.
11. Click the Extensions tab.
12. Under Key usage select Digital signature and click the Add button.
13. Under Extended key usage select Code signing and click the Add button.
14. Under Basic constraints click the Enable this extension checkbox.
15. Click the Private key tab.
16. Under Key options select 2048 as the Key size.
17. Click the Make private key exportable checkbox.
18. Under Select hash algorithm select sha256 from the Hash Algorithm list.
19. Click OK.
So far it appears to be working. I was able to use my new code signing certificate to export a PFX file and successfully sign an executable.
Note: I chose sha256 instead of sha1 in step 18 because SHA-1 is deprecated.