No “nbf” property found in access token generated by Keycloak after upgrade to 10.0.2 from 3.4.3-Final - keycloak

We were using a very old release of Keycloak (3.4.3-Final) in which we had the “nbf” property inside our access tokens.
We have changed to the latest Keycloak 10.0.2, but now the “nbf” is gone, and in the response of “/auth/realms/--our realm--/protocol/openid-connect/token” we have a new property “not-before-policy”.
We need to put the “nbf” property back into the access token so that our API Gateway can verify the value when processing requests, but we can’t find documentation about it. We understand that it should be there by default, but we can’t find any option to put it back.
We use confidential clients with a default custom Client scope (migrated from a custom client template from the old release).
Other than that we have a custom protocol mapper to add client attributes to the claim.
Thanks for the help.

Related

How to add a custom header to a Keycloak POST request?

I am running Keycloak (v.12) in a container. I need to send a header rquid to the identity provider while trying to get a token. The header must be a guid without dashes.
I know that you can write a plugin/extension to customize requests. However, I don't have any experience in Java.
Is it possible to adjust a request via some environment variables, properties in standalone-ha.xml file or anything else?
Any tip would be appreciated.

Capture IDP User attributes in SAP cloud foundry app via SDK UserAccesor API

I wanted to capture user attributes coming from the SAP IDP (Identity & Authentication tenant service), like department, salutation, company etc., via the UserAccessor SDK API. Although those attributes are set and have values in the IDP user, and all the integration between the IDP and the sub-account is in place, post-authentication the user attributes object is empty. I am only able to retrieve specific attributes like first name, last name, email address, user groups etc. via the JWT and the UserAccessor API, but no luck with the other attributes. In the IDP I have listed these attributes as well under assertion attributes in the SAP Identity Authentication tenant.
Please guide and help in this matter.
Thanks, Siddharth
Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:
Okay so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:
1. You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
2. You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service. This documentation looks like a good place to start looking).
3. You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.
Let me know if this works for you!
Original Answer:
As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.
Please also check out this discussion for more information.
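An illustration of step 1 from the answer above, added here as an example rather than taken from the answer or from SAP's documentation: an xs-security.json that declares two attributes and a role template that references them, so that roles built from the template can carry values mapped from the IdP. The app, scope, attribute and role names are made up.

```json
{
  "xsappname": "myapp",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.Read", "description": "Read access to the application" }
  ],
  "attributes": [
    { "name": "department", "description": "Department, mapped from the IdP", "valueType": "string" },
    { "name": "company", "description": "Company, mapped from the IdP", "valueType": "string" }
  ],
  "role-templates": [
    {
      "name": "Employee",
      "description": "Employee with department and company attributes",
      "scope-references": ["$XSAPPNAME.Read"],
      "attribute-references": ["department", "company"]
    }
  ]
}
```

After rebinding the XSUAA instance with this file, the attributes appear in the Cockpit's role editor for step 3, where each one is mapped to the IdP assertion attribute of the same meaning.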

How to call RESTful Store APIs of WSO2 APIM 2.1 which have scope after importing the swagger file?

I have created a RESTful API for all the WSO2 store APIs by using the swagger definition. (https://raw.githubusercontent.com/wso2/carbon-apimgt/v6.1.66/components/apimgt/org.wso2.carbon.apimgt.rest.api.store/src/main/resources/store-api.yaml)
The GET calls which do not require any scope can be called easily from the Store's API console, but when trying to call the APIs which have the (apim:subscribe) scope I get "Unauthenticated Request".
NOTE: I am able to use the curl commands to access the STORE APIs by creating tokens but here I am trying to use the swagger file to publish the Store APIs. I have noticed that in the store under the Application-> Production Keys -> Scope there is the apim:subscribe scope available after I've created this API via the swagger file but even when I try to access the APIs using this scope, I still get the "Unauthenticated Request" error.
Can someone tell me what I am missing or doing wrong?
The Swagger specification has a Security Definitions Object:
https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-definitions-object
Once you configure it correctly you will have some new elements in the UI: you should see the Authorize button on the top left, and to the right of each action that requires authentication you should see a lock.
See the petstore demo:
http://petstore.swagger.io/
Here are a few more examples:
http://turoapi.azurewebsites.net/swagger/ui/index
This one has API Key authentication
http://swagger-net-test.azurewebsites.net/swagger/ui/index
This one has an OAuth2 Implicit Grant

Credentials in Streamsets

In my current project I'm working with StreamSets and I would like to use Hashicorp Vault as my credentials store, however I'm not able to use credential:get() function wherever I want to. E.g. in Shared Access Key in Azure IoT Hub Producer block. I know that I could use Runtime Properties but I don't think it solves my problem.
Am I missing something, or can I use credential:get() only in fields marked with a key icon?
You can only use credential:get() in fields marked with a key icon. This is by design, to minimize the chance of leaking credentials. For example, if credential:get() was allowed in URL parameters, a pipeline designer could send a request to a web server under their control to discover the credential. It may make sense to allow Shared Access Key to receive credentials. Please file an issue at https://issues.streamsets.com with your enhancement request.

Keycloak add extra claims from database / external source

I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:
After successful authentication have keycloak pull extra claims from the application database somehow. This app database is postgres, for example.
Have the application update the jwt with extra claims using a shared key.
I would like some feedback on both paths. I feel that the first option may be safer. However, I am not sure where to begin that implementation journey.
Answering my own question here. I cross-posted this question to the Keycloak users mailing list here (http://lists.jboss.org/pipermail/keycloak-user/2017-April/010315.html) and got an answer that seems reasonable.
This is pasted from the answer I received there.
I use the first option. I do it with a protocol mapper, which is a convenient place to do it because there the token is already built by Keycloak but hasn't been signed yet. This is the procedure:
1. User logs in.
2. My custom protocol mapper gets called, where I overwrite the transformAccessToken method.
3. Here I log the client that the protocol mapper is in into Keycloak, as a service. Don't forget to use another client ID instead of the one you're building the protocol mapper for; you'll enter an endless recursion otherwise.
4. I get the access token into the protocol mapper and call the REST endpoint of my application, which is secured, to grab the extra claims.
5. Get the info returned by the endpoint and add it as extra claims.
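The procedure above as a Keycloak 10 protocol mapper, added here as an example; it is not the answerer's code or part of Keycloak. The class name, the "claims-fetcher" service client, the CLAIMS_FETCHER_SECRET environment variable and the application's claims endpoint URL are assumptions, and the separate-client rule from step 3 is enforced by using a client id that is not the one the mapper is attached to.

```java
import java.io.OutputStream; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLEncoder;
import java.nio.charset.StandardCharsets; import java.util.Collections; import java.util.List; import java.util.Map;
import org.keycloak.models.ClientSessionContext; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty; import org.keycloak.representations.AccessToken;
import org.keycloak.util.JsonSerialization;

/** Fetches extra claims from the application's REST API and adds them before Keycloak signs the token. */
public class ExternalClaimsMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    // Hypothetical values; SERVICE_CLIENT must be a SEPARATE service-account client, or the login below re-enters this mapper.
    static final String TOKEN_URL = "http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token";
    static final String SERVICE_CLIENT = "claims-fetcher", SERVICE_SECRET = System.getenv("CLAIMS_FETCHER_SECRET");
    static final String CLAIMS_URL = "http://app.internal/api/claims/"; // hypothetical secured app endpoint
    @Override public String getId() { return "external-claims-mapper"; }
    @Override public String getDisplayType() { return "External claims"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds claims fetched from the application database"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel model, KeycloakSession session,
            UserSessionModel userSession, ClientSessionContext ctx) {
        try {
            // Step 3: client-credentials login as the separate service client.
            Map<?, ?> svc = http(TOKEN_URL, "grant_type=client_credentials&client_id=" + SERVICE_CLIENT
                    + "&client_secret=" + URLEncoder.encode(SERVICE_SECRET, "UTF-8"), null);
            // Step 4: call the application's secured endpoint with that service token, keyed by Keycloak user id.
            Map<?, ?> extra = http(CLAIMS_URL + userSession.getUser().getId(), null, (String) svc.get("access_token"));
            // Step 5: add the result as prefixed claims so standard claims stay intact; the token is not yet signed.
            extra.forEach((k, v) -> token.getOtherClaims().put("app_" + k, v));
        } catch (Exception e) {
            // Deny the token rather than issue one that silently lacks authorization data.
            throw new RuntimeException("external claims lookup failed", e);
        }
        return token;
    }
    /** POSTs a form body when one is given, otherwise GETs; optional bearer token; expects a JSON object back. */
    static Map<?, ?> http(String url, String form, String bearer) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        if (bearer != null) c.setRequestProperty("Authorization", "Bearer " + bearer);
        if (form != null) {
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = c.getOutputStream()) { out.write(form.getBytes(StandardCharsets.UTF_8)); }
        }
        if (c.getResponseCode() != 200) throw new IllegalStateException(url + " returned " + c.getResponseCode());
        return JsonSerialization.readValue(c.getInputStream(), Map.class);
    }
}
```

Package the class in a JAR with a META-INF/services/org.keycloak.protocol.ProtocolMapper file naming it, deploy it, and attach the mapper to the client scope; the service client needs service accounts enabled and must not itself carry this mapper.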