I have managed to set up a Keycloak server embedded in a Spring Boot Application successfully, following this tutorial:
Keycloak Embedded in a Spring Boot Application
in order to avoid setting it up manually.
Since I am dealing with an old implementation that already has it's own DB, I decided to use Keycloak's User Storage SPI to connect to an external postgresql DB and use this for authentication instead of Keycloak DB.
To do this, I followed the tutorial on Keycloak documentation, but it envolves a standalone Keycloak server, creating a .jar with the custom provider and injecting it to <pathToKeycloak>/standalone/deployments/.
I have created an implementation that works with a standalone Keycloak server, but now I want to include it to the embedded one. Is it possible to use a Keycloak server Embedded in a Spring Boot Application and also have an embedded custom User Storage Provider, to avoid setting up manually?
If you have already implemented the provider and the provider factory, you only need to declare the provider factory class in the resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory file.
Then you can log in to the administration console and enable user storage provider on the User Federation page.
Related
I want to use keycloak in my Spring boot application, but I need user data in my business logic. I want to keep keycloak and business logic in different databases. I found a tutorial in here https://www.baeldung.com/java-keycloak-custom-user-providers
I use bitnami/keycloak in docker environment but in this image doesn't contains custom-user-provider option. It contains ldap and kerberos only. How can I add this option to bitnami/keycloak or is there a docker image of keycloak which contains this option?
thx
Zamek
I tried the project from here. It works for me.
And my custom-user-provider here.
I have setup Keycloak as a SAML broker, and authentication is done by an external IdP provided by the authorities. Users logging in using this IdP are all accepted and all we need from Keycloak is an OAuth token to access our system.
I have tried both the default setup using H2 and running with an external MariaDB.
The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.
The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.
Do I need a database, and if not how do I run Keycloak without it?
Do I need a database, and if not how do I run Keycloak without it?
Yes, however, out-of-the-box Keycloak runs without having to deploy any external DB. From the Keycloak official documentation section Relational Database Setup one can read:
Keycloak comes with its own embedded Java-based relational database
called H2. This is the default database that Keycloak will use to
persist data and really only exists so that you can run the
authentication server out of the box.
So out-of-the-box you cannot run Keycloak without a DB.
That being said from the same documentation on can read:
We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.
So regarding this:
The benefit running without a database is that I have a simpler DMZ
setup as I really do not need to store anything about the users but
on the backend.
You would still be better offer deploying another DB, because Keycloak stores more than just the users information in DB (e.g., realm information, groups, roles and so on).
The external IdP provides us with a full name of the user and a
personal ID. Both data are covered by GDPR and I really do not like
the sound of storing that data in a database running in the DMZ.
Opening up for Keycloak to access a database in the backend is also
not a good solution, especially when I do not need users to be stored.
You can configured that IDP and Keycloak in a manner that the users are not imported to the Keycloak whenever those user authenticate.
We have an application that is deployed into CloudFoundry/Bluemix. The application reads its database connections from the VCAP_SERVICES environment variable. The db password stored in the environment variable is encrypted and we decrypt it when the application boots up.
We are looking at Spring Cloud Service Connectors. Do the cloud connectors provide any hook, so that we can decrypt the password from VCAP_SERVICES before the DataSource instance is created?
Why do you want to do this? Where does the app get its decryption key from? If it's hard-coded in the app, that's an antipattern that will make it hard to rotate the key. If it's through an environment variable, then it's no more secure than storing the database credentials unencrypted as services in Cloud Foundry - services in CF are nothing more than domain-specific groups of environment variables. I can't see that encrypting them adds any security.
To answer the question: Not out-of-the-box, but you could probably intercept the flow of Spring components that act on the environment variables that Cloud Foundry provides to your app.
The abstract class that creates ServiceInfo instances is CloudFoundryServiceInfoCreator. You could look at maybe providing a custom implementation of this? There is a blog post describing how Spring Cloud Connectors works. You might be able to extend CloudFoundryConnector too.
I am current using spring security oauth2 and configured the oauth2 as using the clients from inMemory, how to get the client id/client secret from mongodb and use mongodb as the store for the client details and how to configure spring oauth2 using that.
One approach I was thinking was to use mongo template to read the client details and configure the inMemory client details using those values. Will this be a way to go about this?
Is there another way to get client details from mongodb and configure the clients for spring security oauth2?
Try
this link. You will have to create custom client details storage along with custom access and refresh token implementation.
I am using Bluemix SSO service for user authentication and configured the Cloud Directory identity source as my identity provider. The SSO implementation is working perfectly fine for the Bluemix applications.
However, I have a need to add few custom user attributes and retrieve them as part of the user profile details once the authentication is successful. The Cloud Directory identity source only supports name & email as the user attributes and doesn't provide any feature to add additional custom attributes.
Is it possible to add any custom user attributes to Cloud Directory identity source? If not, what is the best way to configure the custom user attributes when using Bluemix SSO service?
It is not possible to add additional custom attributes using the Cloud Directory of Bluemix SSO (example: roles). There is not a best way to configure the custom user attributes, but you could develop your own login system. For example if you are using Bluemix nodejs runtime you could use the passport module and store all user information in a specific table of your DB. In this way you can manage the login and other custom fields. An alternative is to use SSO Cloud Directory, retrieve the username information from the SSO service in the session and use it as a key to retrieve other DB fields (roles, numbers, address).