I have been trying to setup my full test system in keycloak using the kcadmin cli, but I have some problems creating protocol mappers:
HTTP error - 400 Bad Request
I have been trying to implement a request using:
http://www.keycloak.org/docs-api/3.3/rest-api/index.html
http://blog.keycloak.org/2017/01/administer-keycloak-server-from-shell.html
Am I missing something in the request:
/opt/jboss/keycloak/bin/kcadm.sh create \
clients/7e8ef93b-0d0f-487d-84a5-5cfaee7ddf13/protocol-mappers/models \
-r $test_realm \
-s config.user.attribute=tenants \
-s config.claim.name=tenants \
-s config.jsonType.label=String \
-s config.id.token.claim=true \
-s config.access.token.claim=true \
-s config.userinfo.token.claim=true \
-s config.multivalued=true \
-s name=tenants \
-s protocolMapper=oidc-usermodel-attribute-mapper
This works:
/opt/jboss/keycloak/bin/kcadm.sh create \
clients/7e8ef93b-0d0f-487d-84a5-5cfaee7ddf13/protocol-mappers/models \
-r $test_realm \
-s name=tenants1 \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-attribute-mapper
You need to specify nested config values like this in Linux:
-s 'config."id.token.claim"=true'
-s 'config."included.client.audience"=theclient'
In the failing example the following value is missing:
-s protocol=openid-connect
Related
For my CI, I know need to launch ZAP from the CLI, this works fine:
docker run --net mynetwork -v $(pwd):/zap/wrk/:rw \
-t owasp/zap2docker-stable zap-full-scan.py -I -j -m 10 -T 60 \
-t http://myapiserver.com:8080/api/docs \
-r report-$(date +%Y%m%d-%H%M%S).html
Now, my REST API server uses OAuth2/OIDC/Keycloak, I know how to get a token, no problem with that.
But I can't see how can I activate a community script, AddBearerTokenHeader.js to include a token in each call. The doc is not clear for me and basically demands installing the app to find the keys using the mouse, which I can't (no right to install apps on my PC).
Where can I find what are the parameters to activate this script?
Update
Although I was able to launch the Swing interface from Docker...
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
# Browse for http://localhost:8080/zap/
... can't make the config.xml differences raise following the doc (yes, I know how to use docker, share directories, RTFM, etc.).
#SimonBennets' answer provides a nice solution, not the best (what if I want to add multiple headers? how to update tokens?), but it works:
TOKEN=$(curl -ks -X POST \
${URL}realms/${REALM}/protocol/openid-connect/token \
-H "Accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "cache-control: no-cache" \
-d "grant_type=password" \
-d "username=${USER_NAME}" \
-d "password=${USER_PASS}" \
-d "client_id=admin-cli"|jq -r .access_token|tr -d "\n"
)
docker run --net net_oia \
--name zap \
-v $(pwd):/zap/wrk/:rw \
-e ZAP_AUTH_HEADER="Authorization" \
-e ZAP_AUTH_HEADER_VALUE="Bearer $TOKEN" \
-t owasp/zap2docker-stable zap-full-scan.py -I -j -m 10 -T 60 \
-t http://apidb:8080/api/ \
-r report-$(date +%Y%m%d-%H%M%S).html
My logs showing how the OWASP Zap HEADER is generated (notice the authorization header... why lowercase? anyway, this is ok):
apidb | Headers({'host': 'apidb:8080', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'authorization': 'Bearer eyJhbGciOiJSUzI1NiIsIn...'})
An easier option it to use the ZAP_AUTH_HEADER_VALUE env var.
Its explained in more detail here https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
I need to enable update password under default actions in keycloak with kcadm, can one help in achieving this !!!
I want to do this as part of my realm creation
I don't know a specific admin cli command to do that.
But, you can achieve this by using the resource uri :
./kcadm.sh update /authentication/required-actions/UPDATE_PASSWORD \
-s alias=UPDATE_PASSWORD \
-s defaultAction=true \
-s enabled=true \
-s name="Update Password" \
-s priority=30 \
-s providerId=UPDATE_PASSWORD \
-r <REPLACE_BY_REALM_IF_NEEDED>
More info here : https://www.keycloak.org/docs/latest/server_admin/index.html#basic-operations-and-resource-uris
From Add protocol-mapper to keycloak using kcadm.sh
Has anyone figured this out yet? I tried it the way Oscar suggested and it still does not work.
The lines that are not commented work perfectly.
The lines that are commented do not work. I get an error that says "./clientmapper.sh: 59 (or whatever line number that I have uncommented): -s: not found"
sudo docker exec $keycontainer /opt/jboss/keycloak/bin/kcadm.sh create \
clients/$cid/protocol-mappers/models \
-r myrealm \
-s name=roles \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-attribute-mapper
#-s 'config."id.token.claim"=true' \
#-s claim.name=roles \
#-s jsonType.label=String \
#-s multivalued=true \
#-s userinfo.token.claim=true \
#-s access.token.claim=true
I made this work by formatting as Oscar suggested and using -i after the docker exec command. It works perfectly now.
sudo docker exec -i $keycontainer /opt/jboss/keycloak/bin/kcadm.sh create \
clients/$cid/protocol-mappers/models \
-r testrealm \
-s name=testmap \
-s protocol=openid-connect \
-s protocolMapper=oidc-usermodel-realm-role-mapper \
-s 'config."id.token.claim"=true' \
-s 'config."claim.name"=testmap' \
-s 'config."jsonType.label"=String' \
-s 'config."multivalued"=true' \
-s 'config."userinfo.token.claim"=true' \
-s 'config."access.token.claim"=true'
I'm trying to automate the configuration setup for a Realm in Keycloak using the kcadm.sh CLI tool. When I add our LDAP configuration for user federation using a command like the following
kcadm.sh create components -r API \
-s name="Active Directory" \
-s parentId=f19b715d-272d-4b29-8474-dc538fb5e5c8 \
-s providerId=ldap \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s 'config.priority=["1"]' \
-s 'config.fullSyncPeriod=["-1"]' \
-s 'config.changedSyncPeriod=["-1"]' \
-s 'config.cachePolicy=["DEFAULT"]' \
-s config.evictionDay=[] \
-s config.evictionHour=[] \
-s config.evictionMinute=[] \
-s config.maxLifespan=[] \
-s 'config.batchSizeForSync=["1000"]' \
-s 'config.editMode=["READ_ONLY"]' \
-s 'config.syncRegistrations=["false"]' \
-s 'config.vendor=["ad"]' \
-s 'config.usernameLDAPAttribute=["sAMAccountName"]' \
-s 'config.rdnLDAPAttribute=["sAMAccountName"]' \
-s 'config.uuidLDAPAttribute=["objectGUID"]' \
-s 'config.userObjectClasses=["person, organizationalPerson, user"]' \
-s 'config.connectionUrl=["LDAP://192.168.110.50"]' \
-s 'config.usersDn=["OU=ST Users,DC=something,DC=com,DC=au"]' \
-s 'config.authType=["simple"]' \
-s 'config.bindDn=["CN=Webauth LDAP,OU=System Accounts,OU=AIH Users,DC=something,DC=com,DC=au"]' \
-s 'config.bindCredential=["secret"]' \
-s 'config.searchScope=["2"]' \
-s 'config.useTruststoreSpi=["ldapsOnly"]' \
-s 'config.connectionPooling=["true"]' \
-s 'config.pagination=["true"]' \
-s 'config.allowKerberosAuthentication=["true"]' \
-s 'config.serverPrincipal=["HTTP/alb-keycloak-shared.int.something.cloud.local#SOMETHING.COM.AU"]' \
-s 'config.keyTab=["/opt/keycloak/standalone/configuration/int-keycloak.keytab"]' \
-s 'config.kerberosRealm=["SOMETHING.COM.AU"]' \
-s 'config.debug=["true"]' \
-s 'config.useKerberosForPasswordAuthentication=["true"]'
it is successfully added to the realm (as verified by inspecting the database component and component_config tables). BUT, when I sign-in to the Keycloak Admin console to inspect that setup for the realm I do not see any User Federation setup. It is not until I made some benign change to the realm (change the realm display name) or flush the realm caches does the configuration for the LDAP user federation becomes visible in the Admin console UI.
Is there something I should be doing to automate adding user federation with LDAP?
Note: I'm using Keycloak v8.0.1.
This might happen because you haven't passed the -s parentId correctly
PARENT_ID=$(/opt/jboss/keycloak/bin/kcadm.sh get /auth/admin/realms/$REALM_NAME --fields id --format csv --noquotes)
/opt/jboss/keycloak/bin/kcadm.sh create components -r $REALM_NAME -s name="migration-provider" -s providerId="migration-provider" -s providerType="org.keycloak.storage.UserStorageProvider" -s parentId="$PARENT_ID" -s 'config.priority=["0"]' -s 'config.enabled=["true"]' -s 'config.cachePolicy=["NO_CACHE"]'
Try something like this it worked for me :)
I have custom provider created and deployed.
Now I goto user federation select the drop down and add my provider using UI and fine. Image using UI
Can some one please let me know how to add the same using CLI as I want to automate the manual process.
This worked for me:
kcadm.bat create user-federation/instances -r Test1 \
-s providerName=tatts-asg-authentication \
-s priority=0 \
-s config.debug=false
This is what works for Keycloak 3.4.3:
kcadm.bat create components -x -r MyRealm \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s name=my-provider \
-s parentId=MyRealm \
-s providerId=my-provider \
-s 'config.path=["C:\\path\\to\\properties"]' \
-s 'config.priority=["0"]'
user-federation/instances has been replaced with components: issues.jboss.org/browse/KEYCLOAK-6583
The -x option is to output the stacktrace on error.