After some efforts, I still unable to reproduce the feature of direct naked impersonation with OIDC.
refs: https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation
I got same errors.
curl -X POST http://localhost:8080/auth/realms/iot/protocol/openid-connect/token \
-d "client_id=backend-service" \
-d "client_secret=f0ead74d-c3eb-47c5-82fd-d8fccc5e5096" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_subject=1c04c634-a64a-4905-b87f-e654ca01b889"
{"error":"access_denied","error_description":"Client not allowed to exchange"}
below is my development configuration.
$ cat docker-compose.yaml
version: '2.4'
volumes:
postgres_data:
driver: local
services:
postgres:
image: postgres:12-alpine
volumes:
- postgres_data:/var/lib/postgresql/data
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
ports:
- 5432:5432
keycloak:
image: jboss/keycloak:10.0.1
environment:
DB_VENDOR: POSTGRES
DB_ADDR: postgres
DB_DATABASE: keycloak
DB_USER: postgres
DB_SCHEMA: public
DB_PASSWORD: postgres
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: admin
#JDBC_PARAMS: "ssl=true"
ports:
- 8080:8080
volumes:
- /etc/localtime:/etc/localtime:ro
command: -Dkeycloak.profile=preview
depends_on:
- postgres
realm-export.json
https://gist.github.com/whisper-bye/20c86de26459efe641008ba5f448f3f1
In your expert there is no Policy that permits a specific Client to use the Impersonation feature.
Example from my Realm:
{
"id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
"name": "admin-impersonating.permission.users",
"description": "Client foo may impersonate any user",
"type": "scope",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"resources": "[\"Users\"]",
"scopes": "[\"impersonate\"]",
"applyPolicies": "[\"foo client-policy\"]"
}
}
You can configure this hat Manage/User on the left and then "Permissions" on the right. This menu item only appears when starting Keycloak with -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled!
Then click on "impersonate" and make sure "Apply Policy" has something set.
Related
I want to run Keycloak and to play with it. So I run a container in Docker with quay.io/keycloak/keycloak:20.0.1 image.
version: '3.8'
networks:
default-dev-network:
external: true
services:
keycloak:
container_name: keycloak
image: quay.io/keycloak/keycloak:20.0.1
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://postgresdb:5432/keycloak
KC_DB_USERNAME: postgres
KC_DB_PASSWORD: pass
KC_DB_SCHEMA: public
KC_HOSTNAME: localhost
KC_HTTPS_PORT: 8443
KC_HTTPS_PROTOCOLS: TLSv1.3,TLSv1.2
KC_HTTP_ENABLED: "true"
KC_HTTP_PORT: 8080
KC_METRICS_ENABLED: "true"
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: password
ports:
- 18080:8080
- 8443:8443
command: start-dev
networks:
- default-dev-network
Then I created a realm test-realm, a client test-client. So I want to request a bearer token for it. I run
curl \
-d 'client_id=test-client' \
-d 'client_secret=xajewuZlBHL75rpiPttHday8t34aOnYa' \
-d 'grant_type=client_credentials' \
'http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token'
and I get
{"error":"RESTEASY003210: Could not find resource for full path: http://localhost:18080/auth/realms/test-realm/protocol/openid-connect/token"}
I'm reading a documentation on https://www.keycloak.org but there're so many details there that I'm afraid it will take weeks to figure everything out. Maybe there's a shorter guide?
New versions of Keycloak (after the rewrite in Quarkus) removed the /auth context path.
You can either remove it from the url or set the property KC_HTTP_RELATIVE_PATH=/auth.
I need to setup the Keycloak docker server with the External postgres Database connection URL.
Here's my current yaml file content which is working with POstgres docker container image as mentioned
version: '3'
volumes:
postgres_data:
driver: local
services:
postgres:
image: postgres:11
volumes:
- postgres_data:/var/lib/postgresql/data
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: password
ports:
- 5433:5432
keycloak:
image:jboss/keycloak:latest
environment:
DB_VENDOR: POSTGRES
DB_ADDR: postgres
DB_DATABASE: keycloak
DB_USER: keycloak
DB_SCHEMA: public
DB_PASSWORD: password
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: password
KEYCLOAK_LOGLEVEL: DEBUG
ROOT_LOGLEVEL: DEBUG
ports:
- 8080:8080
- 8443:8443
depends_on:
- postgres
I checked the official documentation for passing external DB connection URL.
But exactly didn't get what changes will be needed in YAML file
ref: https://hub.docker.com/r/jboss/keycloak/
I tried removing the Postgres and depends_on section from services and passed the Database connection details in Kecyloak environment section in yaml but it did not worked for me
Can anyone suggest the correct YAML file changes to use PostgresDB connection URL
Thank You.
Docker containers can see each other by their service name, so here service name postgres is actually the connection url for keycloak container.
version: '3'
volumes:
postgres_data:
driver: local
services:
postgres: # Service name
image: postgres:11
volumes:
- postgres_data:/var/lib/postgresql/data
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: password
ports:
- 5433:5432
keycloak:
image: jboss/keycloak:latest
environment:
DB_VENDOR: POSTGRES
DB_ADDR: postgres # <<< This is the address, change it to your external db ip/domain
DB_DATABASE: keycloak
DB_USER: keycloak
DB_SCHEMA: public
DB_PASSWORD: password
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: password
KEYCLOAK_LOGLEVEL: DEBUG
ROOT_LOGLEVEL: DEBUG
ports:
- 8080:8080
- 8443:8443
depends_on:
- postgres
I am trying to use GitLab CI PostgreSQL for my integration tests but it doesn´t work.
Here's the code of the stage:
integration_test:
stage: test
tags:
- custom_tag
services:
- postgres
variables:
POSTGRES_DB: test
POSTGRES_HOST: postgres
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_HOST_AUTH_METHOD: trust
script:
- docker login -u ${DOCKER_USER} -p ${DOCKER_PASSWORD} ${DOCKER_REGISTRY}
- docker pull ${DOCKER_IMAGE_CI}
- export PGPASSWORD=${POSTGRES_PASSWORD}
- docker run --rm postgres psql -h ${POSTGRES_HOST} -U ${POSTGRES_USER} -d ${POSTGRES_DB} -c "SELECT 'OK' AS status;"
It returns an error like this:
psql: error: could not connect to server: could not translate host name "postgres" to address: Name or service not known
Anybody can help me?
Perhaps it's better to look at dockerizing test functions. This approach also provides better control over networking by means of docker bridge.
In this way your config could looks like this:
.gitlab-ci.yml:
stages:
- test
before_script:
- docker login -u ${DOCKER_USER} -p ${DOCKER_PASSWORD} ${DOCKER_REGISTRY}
integration_test:
stage: test
script:
- docker-compose build
- docker-compose up
docker-compose.yml:
version: '3'
networks:
database:
services:
postgres-db:
image: ${DOCKER_IMAGE_CI}
networks:
- database
container_name: postgres
test-container:
build:
context: .
dockerfile: Dockerfile
networks:
- database
container_name: testcon
Dockerfile:
FROM postgres
ENV POSTGRES_DB=test \
POSTGRES_HOST=postgres \
POSTGRES_USER=postgres \
POSTGRES_PASSWORD=postgres \
POSTGRES_HOST_AUTH_METHOD=trust
CMD psql -h ${POSTGRES_HOST} -U ${POSTGRES_USER} -d ${POSTGRES_DB} -c "SELECT 'OK' AS status;"
Your pipeline looks like it uses shell executor with gitlab services.
Command docker run --rm postgres <docker command> does not automatically connect to postgres network. You could try running your docker image with --link postgres, more details here. Note that link is legacy feature and may be removed in the future.
Personally I would try running my pipeline job using docker image. If your image is not publicly visible then you can bypass it with DOCKER_AUTH_CONFIG
If you used docker runner with password protected image then yaml would look like:
integration_test:
image: ${DOCKER_IMAGE_CI}
stage: test
tags:
- custom_tag
services:
- postgres
variables:
POSTGRES_DB: test
POSTGRES_HOST: postgres
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_HOST_AUTH_METHOD: trust
script:
- PGPASSWORD=${POSTGRES_PASSWORD} psql -h ${POSTGRES_HOST} -U ${POSTGRES_USER} -d ${POSTGRES_DB} -c "SELECT 'OK' AS status;"
DOCKER_AUTH_CONFIG environment variable would be as follows(gitlab docs):
{
"auths": {
"${DOCKER_REGISTRY}": {
"auth": "(Base64 content from ${DOCKER_USER}:${DOCKER_PASSWORD})"
}
}
}
and to generate base64 auth you can use echo -n "${DOCKER_USER}:${DOCKER_PASSWORD}" | base64
I'm following http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html and when trying to run the first keycloak instance:
docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=password -d postgres
docker run -p 8080:8080 --name keycloak --link postgres:postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d jboss/keycloak-ha-postgres
I am getting the error:
javax.resource.ResourceException: IJ031083: Wrong driver class [org.postgresql.Driver] for this connection URL [jdbc:postgresql://postgres:tcp://172.17.0.2:5432/keycloak]
Has anyone got experience using this Keycloak Docker image? Or is there an easier way to deploy a Keycloak cluster to Docker?
an example for deploy keycloak in HA mode with postgres
version: '3'
volumes:
postgres_data:
driver: local
services:
postgres:
image: 'postgres:alpine'
volumes:
- ./postgres:/var/lib/postgresql/data
restart: 'always'
# ports:
# - 5432:5432
environment:
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: password
POSTGRES_DB: keycloak
POSTGRES_HOST: postgres
traefik:
image: library/traefik:alpine
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: >
--logLevel=ERROR
--api.dashboard
--docker
--entrypoints="Name:http Address::80"
--defaultentrypoints="http"
ports:
- 80:80
- 3000:8080
keycloak:
image: jboss/keycloak
environment:
DB_VENDOR: postgres
DB_ADDR: postgres
DB_PORT: 5432
DB_DATABASE: keycloak
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: Pa55w0rd
# KEYCLOAK_LOGLEVEL: DEBUG
JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING
JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
depends_on:
- postgres
labels:
traefik.enable: true
traefik.port: 8080
traefik.protocol: http
traefik.frontend.rule: Host:localhost
traefik.frontend.passHostHeader: true
# traefik.backend.loadbalancer.stickiness: true
https://gist.github.com/ERRECabrera/a4fb1ebdba300521b46587881b66aaf4
You should try using this more updated docker-compose file provided by the people behind the image wich might contain updated var names and versions. I ran it and it created the containers correctly. Just download the file and run docker-compose up and you'll have the stack running.
In the example you mentioned they just start another docker container, which in docker compose would only mean adding a new entry. Checkout this gist: https://gist.github.com/pacuna/e7427d8fef752992ff1df944223ad0ab
Now, that's not the ideal way of running a cluster of docker containers, you may want to checkout docker swarm or Kubernetes if it's a serious project. The docker compose template would be easy to translate to Kubernetes files.
Given this docker-compose.yml, am experiencing difficulties connecting the docker stack to my pgAdmin.
version: '3.1'
services:
database:
image: postgres
restart: always
environment:
POSTGRES_USER: db-user
POSTGRES_PASSWORD: db-user
POSTGRES_DB: db
ports:
- 5432:5432
For the pgAdmin Connection properties, here's what I've used (others, default values):
Host: 127.0.0.1
Username & Password: db-user
And for the error message when saving:
Error saving properties: UNAUTHORIZED
Unable to connect to server
The docker postgresql page suggest the stack.yml:
# Use postgres/example user/password credentials
version: '3.1'
services:
db:
image: postgres
restart: always
environment:
POSTGRES_PASSWORD: example
adminer:
image: adminer
restart: always
ports:
- 8080:8080
And then visit http://localhost:8080.
Or:
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" ...
In your case, adding port to the database itself suggests your queries should use that port.