OIDC Provider Flask. Password Credentials Grant - authlib

Does anybody know whether the authlib Python library supports the Resource Owner Password Credentials Grant flow for the Flask OIDC Provider?
Only the Code, Implicit and Hybrid flows appear in the documentation.
https://docs.authlib.org/en/latest/flask/2/openid-connect.html
If so, could you please tell me how to implement the functionality?

There is no Password Credentials Grant in OpenID Connect. The Password Credentials Grant is a normal OAuth 2.0 grant type; please check https://docs.authlib.org/en/latest/flask/2/grants.html
Here is the OpenID Connect documentation; you can see that it has only the code, implicit and hybrid grants: https://openid.net/specs/openid-connect-core-1_0.html

Related

Keycloak - get accessToken via Password grantType - requires client_secret

As a newbie to Keycloak, I am trying to configure a client with a "Password" grant type. I know that this is not the preferred solution in most cases.
I created a realm 'realm2' with a client 'myclient2' and a user.
When trying to get the token with Postman, I get this error:
{
"error": "unauthorized_client",
"error_description": "Client secret not provided in request"
}
When I add the client_secret, I get the token. I tried to provide a username and password and no secret.
Via the Keycloak user interface I can also login as 'johan' in the 'realm2'.
This is my request in Postman:
In Keycloak I configured the 'realm2' with no special properties set:
The client 'myclient2' is:
I can see on the Credentials tab of the client:
I configured 1 user in the realm2 with just 'password' as a password:
How can I configure my Keycloak settings so that I don't need the 'secret', just the username and password?
You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the settings tab of your client.
EDIT: I just realized your Keycloak version seems different from mine. This configuration is likely under the Access Type selector in your settings tab; change it from confidential to public.
#Haf's answer is right to the point; TL;DR: in the client Access Type dropdown menu select public instead of confidential.
Nonetheless, I want to add a bit more information about what happens behind the scenes, since you stated that:
As a newbie to Keycloak I try to configure a client with a "Password" grant type.
First, you should know that Keycloak implements OpenID Connect, which is a simple identity layer on top of the OAuth 2.0 protocol.
According to the OAuth 2.0 protocol, clients can be either confidential or public.
The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely.
Regarding the confidential clients:
Because they use a trusted backend server, confidential applications can use grant types that require them to authenticate by specifying their client ID and client secret when calling the Token endpoint.
Armed with this knowledge you can easily figure out how to create a client that will not have a client secret.
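The two token requests discussed above (confidential client sending client_secret, public client sending none) against a Keycloak realm, as an added example that is not part of the original question or answers. The host, realm, client and user names are constructed sample values, and the endpoint path assumes Keycloak 17 or later (older versions prefix the path with /auth).

```python
"""Resource Owner Password Credentials requests to a Keycloak realm, for a
confidential client (client_secret sent) and a public client (no secret).
Added example; host, realm, client and user names are assumptions."""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def token_endpoint(base_url: str, realm: str) -> str:
    # Keycloak's OIDC token endpoint lives under the realm path (Keycloak >= 17).
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id, username, password, client_secret=None):
    """Form fields for grant_type=password.  A public client (Access Type
    'public', or 'Client authentication' switched off) sends no client_secret;
    a confidential client must include it, otherwise Keycloak answers
    unauthorized_client / 'Client secret not provided in request'."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form


def request_token(base_url, realm, client_id, username, password, client_secret=None):
    """POST the grant to Keycloak and return the decoded JSON (token or error)."""
    body = urlencode(password_grant_form(client_id, username, password,
                                         client_secret)).encode()
    req = Request(token_endpoint(base_url, realm), data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)  # Keycloak sends the OAuth error JSON with a 4xx status


def classify_response(payload: dict) -> str:
    """Map a token-endpoint reply to a short outcome label."""
    if "access_token" in payload:
        return "token"
    if payload.get("error") == "unauthorized_client":
        return "client-auth-failed"  # e.g. secret missing for a confidential client
    if payload.get("error") == "invalid_grant":
        return "user-auth-failed"    # wrong username or password
    return "other:" + payload.get("error", "?")


if __name__ == "__main__":
    # Public client (no secret) against the constructed sample realm.
    print(classify_response(request_token("https://kc.example.test", "realm2",
                                          "myclient2", "johan", "password")))
```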

Azure B2C SAML Policy Access URL For Password Reset

I am configuring Azure B2C with Tableau using SAML protocol. How do I expose the password reset user journey? I can't do it from the portal and the policy URL doesn't load in the browser either.
When using a SAML SaaS app where the forgot-password error cannot be handled, you can use this sample, which embeds the password reset steps into the sign-in journey.
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset

Authorization on Keycloak

I would like to configure Authorization within Keycloak.
Right now I have Keycloak working with Kong and OIDC plugin.
It works well without authorization, i.e., my page is accessible only to logged users. But I could not configure authorization to control who can access the web page.
In order to test with the least configuration possible, I enabled authorization for my client in Keycloak, set the policy enforcement mode to "Enforcing" and deleted every authorization resource, policy and permission.
As stated in the documentation, it should not allow anything.
I also tried to evaluate my test user, and he does not have the right to access anything.
However, after login I'm redirected to my 'protected' page.
Am I missing something?
Kong's OIDC plugin implements the OpenID Connect spec only; it does not work with UMA authorization. Actually it is a huge topic and I suggest you read the Authorization Services article of the Keycloak documentation first.

Does GitHub support the OAuth 2.0 resource owner password credentials grant type?

Does GitHub support the OAuth 2.0 resource owner password credentials grant type? I know you can use basic authentication in the CLI to log in with a GitHub account. Basic authentication can be used to directly request all sorts of user data (like emails, teams, etc.). I am curious to know if the CLI can request an OAuth access_token using ROPC, then use the access_token (similar to the authorization code grant type) to request user data.
GitHub's OAuth implementation only supports the authorization code grant type. As an alternative (and similar to the CLI), you can retrieve a personal access token via basic auth, then use the token for subsequent resource access.

Using auth0 with keycloak

I would like to be able to use Auth0 as the identity provider, so that all of the login part is done through Auth0, and Keycloak as the authorization manager, so that all user permission management is done through Keycloak. Is there any way to do this?
Yes, there is.
Keycloak allows you to create mappers for custom identity providers, so that you can extract roles and attributes from your provider into Keycloak. That way you will be able to use ABAC or RBAC in Keycloak, with user permission management still done through Auth0.
First you can add Auth0 as an identity provider through OpenID Connect or SAML2. Go to your Auth0 app config > advanced settings > endpoints to get all the required information to create a new identity provider.
Then you need to create mappers in your identity provider, so you can import attributes or roles from the Auth0 token. Documentation is available at https://www.keycloak.org/docs/4.8/server_admin/index.html#_mappers
Now your user in Keycloak will have attributes and roles you mapped from Auth0.
Next enable Authorization on your client. You can now define your resources, scopes, policies and permissions in it. See https://www.keycloak.org/docs/4.8/authorization_services/index.html