Is it possible to use root user of the system as admin user for keycloak - keycloak

We are using Keycloak in our product. I am trying to find a way to integrate the root user of the machine hosting Keycloak as the Keycloak admin. The main criterion is that, on the machine on which Keycloak is installed, root should be able to access Keycloak functions as the Keycloak admin without providing a password. Is it possible now? If it is possible, how do I do this?
Let me know if you need more information.
Thanks,
Naga

You can use the admin CLI on the server: https://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli
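As an added example (not from the original answer), a small POSIX shell wrapper around kcadm.sh that logs in once on the Keycloak host and then guards the file in which the CLI caches its tokens; the install path, server URL and config path are assumptions:

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes Keycloak's admin CLI is
# at $KEYCLOAK_HOME/bin/kcadm.sh and that an admin account exists in the master
# realm. kcadm.sh caches the tokens it obtains in a config file (default
# ~/.keycloak/kcadm.config), so anyone who can read that file can act as the
# admin: keep it owned by the invoking user (root here) with mode 0600.

KEYCLOAK_HOME="${KEYCLOAK_HOME:-/opt/keycloak}"        # assumed install path
KC_URL="${KC_URL:-http://localhost:8080/auth}"           # assumed server URL
KC_CONFIG="${KC_CONFIG:-/root/.keycloak/kcadm.config}"   # root's token store

# Return 0 only if the token store is a regular file owned by the current user
# and readable by nobody else (mode 600 or 400). Works with GNU and BSD stat.
check_config_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time interactive login. --password is omitted on purpose so kcadm.sh
# prompts for it instead of exposing it in the process list or shell history;
# umask 077 makes the newly created config file private.
kcadm_login() {
    umask 077
    "$KEYCLOAK_HOME/bin/kcadm.sh" config credentials \
        --server "$KC_URL" --realm master --user "${1:-admin}" \
        --config "$KC_CONFIG"
}

# Every later call reuses the cached token; refuse to run if the token store
# has become readable by other local users.
kcadm_get() {
    check_config_perms "$KC_CONFIG" || {
        echo "refusing: $KC_CONFIG must be owned by $(id -un) with mode 0600" >&2
        return 1
    }
    "$KEYCLOAK_HOME/bin/kcadm.sh" get "$@" --config "$KC_CONFIG"
}

# Usage (as root, on the Keycloak host):
#   kcadm_login admin          # prompts once for the admin password
#   kcadm_get users -r master  # no password needed until the cached session expires
```

The initial login still needs the admin password; what the wrapper removes is the need to type it again for every command, while making sure the cached token cannot be picked up by other local accounts.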

Related

LDAP user login successful without role membership

My Rundeck details:
Rundeck version: 4.10.0
install type: DEB
OS name/version: Debian 11
DB type/version: h2
An LDAP user without a role membership can properly log in but cannot see any projects - so far fine.
How can I block such a user from logging in at all?
We have one "userBaseDn" group (userBaseDn="cn=Users,ou=PROD,dc=company,dc=com") in which all users are stored. But of course, only users in the following roleBaseDn group (roleBaseDn="cn=Rundeck_Admins,cn=Applications,ou=PROD,dc=company,dc=com") should have access to the Rundeck Web UI.
I expect that only users in the group "Rundeck_Admins" can log in to Rundeck at all.
Currently, you can only restrict that using an ACL policy (the user can log in but cannot view/edit/run any project/job, as you say); please take a look at this.
Alternatively, you can create a specific branch in your LDAP server only for Rundeck users.
"Currently" means there will be a change in this behavior?
As far as I understand LDAP, for a specific LDAP branch in which I place users, I have to manage users twice: first in the user directory and second in the specific Rundeck group. For me, quite unhandy...

Keycloak - restrict the access to the admin console

Is there any way to restrict access to the Keycloak admin console at the level of groups or user roles? The way of restricting by IP (and an Undertow filter to block external access), unfortunately, does not quite suit me. I will be very grateful for any advice!
I tried to create roles for the security-admin-console and realm-management clients, but it didn't work; all the users still have access to the admin console.
It turned out that the problem was because of the realms' default groups. I checked them, and there was an admin role by default in all the realms' default groups. For this reason, all users imported from a third-party IdP had the admin role by default and had access to the admin console.

Keycloak users security

I am using Keycloak 18.0 for an Angular 13 + Spring Boot app. The solution uses the microservices architecture pattern, so basically Keycloak already guards access to the other solution resources. I am using only the Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict the Keycloak client token to user creation only.
Any user has to be able to:
1. Fully access and manage ONLY his own profile.
2. Have restricted access to the profiles of other users.
3. Any other operation, such as viewing other users, adjusting roles etc., should be enabled only if the authenticated user has some kind of permission to do it.
For example:
Anybody can create a user (signup).
After the user is verified, some role is assigned to that user.
The user logs in and acquires a token that has permissions to fully manage only his own resources, including the user itself, and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as the resource security manager (I am considering that option, but for now only the Spring Boot adapter was implemented to control the corresponding resources' security), but at least I would like to prevent e.g. reading the full list of users using the Keycloak client token.
I have a basic understanding of the Keycloak Resource/Policy/Permission feature, but I am not sure I understand how I can apply it to Keycloak users themselves.
Thanks a lot in advance for your help.

SSO with keycloak

We are considering using Keycloak as our SSO framework.
According to the Keycloak documentation, for multi-tenancy support the application server should hold all the keycloak.json authentication files, and the way to acquire those files is from the Keycloak admin. Is there a way to get them dynamically via API, or at least to get the realm public key? We would like to avoid manually adding this file for each realm to the application server (to avoid downtime, etc.).
Another multi-tenancy related question: according to the documentation, the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times? Is there an alternative?
One of our flows is a backend micro-service that should be authenticated against an application (defined as a Keycloak client). We would like to avoid keeping a user/password on the server for security reasons. Is there a way that an admin can acquire a token and place it manually on the server file system for that micro-service? Is there an option to generate this token in the Keycloak UI?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go - 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro-service should appear as one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality for an admin to retrieve an offline token for a user; you'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.

WSO2IS with Kerberos/IWA/SPNEGO authentication

According to https://docs.wso2.org/display/IS460/Enabling+IWA+in+WSO2+Identity+Server, IS seems to be configured to use WAFFLE, which can be used only on Windows.
Did anyone have a chance to successfully install it using the http://spnego.sourceforge.net/ framework?
It would be appreciated not to limit the environment to Windows only.
If you use Tomcat, you can simply use my library: http://tomcatspnegoad.sourceforge.net/
We have managed to create a custom authenticator where:
1. The authenticator redirects the user to a page hosted in Tomcat (a custom logon page).
2. The logon page doesn't display any logon form; instead, using Tomcat SPNEGO, the user is authenticated with SPNEGO / Kerberos and a JWT ticket is posted back to the authenticator (commonAuthId) instead of a username and password.
3. The authenticator assumes the identity of the user (sets the username in the authentication context).
This is de facto a custom claim authentication; do not forget to sign / validate the posted ticket.