I am using keycloak, and I have created a dropwizard service that I want to start enforcing roles in.
I have tried using the #RolesAllowd("user") annotation, but it always returns 403.
I have also tried #PermitAll, and that works fine.
I know I am connected correctly to the server, as the user has the correct information in it (email, name, etc), but where do the roles come from?
Is there a way to see the roles that a user has?
(answering my own question)
The issue that I was having #RolesAllowd("user") always returns a 403, is because of a checkbox in the Keycloak UI called "Scope Param Required". and the tooltip reads:
This role will be granted just if scope parameter with role name is used during authorization/token request.
It turns out, if you are trying to use that role, and the checkbox is on, it will not be sent to the client, so it will seem to the client that the user does not have that role. That checkbox was clicked ON for me, so that is why the annotation was showing the user was not authenticated.
So, if that checkbox is checked, you need to explicitly ask for the role, here is how you do that with user:
"scope" : {
"realm" : [ "user" ]
}
And here is more information from Keyclaok: https://issues.jboss.org/browse/KEYCLOAK-231
In your application realm on the keycloak admin console, you have a section called roles. There you must add the roles that will be checked by java security.
If you want that a user after a registration automatically receive a role, you need to add this role into default roles (roles -> default roles). You can also add manually roles to existent users in users -(select a user)->role mapping->assigned roles
Related
I entered the following data, but after applying these settings, the input is not carried out, several questions arise. during authorization, the user returns to the page with minio and so on indefinitely
MINIO_IDENTITY_OPENID_CONFIG_URL=https://test.local.ru/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_CLIENT_ID="292085223830"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="12344556"
MINIO_IDENTITY_OPENID_SCOPES=openid
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC==https://minio.local.ru/*
how do I even understand why it brings me back to the page? are
there any logs, I don't understand how to debug
do I still need to have policies and users that are in sso? if you start, then you need to specify the access key. It is unclear why authorization is needed then. if you still get the keys to enter.
is it possible to enable both OpenID and standard authorization at the same time?
I finally figured out this problem
you need
to go to the rules section in your keycloak sso client to create a role with a name equal to the policy from the minio:
for example role name
consoleAdmin or readonly
in addition to the name, you do not need to fill in any attributes in the role, do not put it as a composite
after adding the role, we need to perform two steps
create a claim name (the name can be any), for example, minio-roles
mapper type - user client role
claim json - string
client id - the name of your sso client
token claim name - minio-roles
then it remains to assign this role to users in the users section
user - role mapping - client roles ( select client name SSO) - select the right role for this user
We're using Keycloak 12 for authentication in our portal and there are two different types of users:
Internal users (read from our internal LDAP)
External users (stored in Keycloak but without being synced with the LDAP)
We'd now like to use the "Forget Password" feature provided by Keycloak. After having configured the feature and the mail server, this works fine out-of-the-box.
However we'd like to restrict the "Forget Password" feature to all users which belong to (2), i.e. the internal users. These users are not allowed updating their password via Keycloak as this is done by another mechanism.
I couldn't find any information in the documentation so far if this is possible at all?
The Keycloak Forgot Password feature is applied at the Realm level, hence applied to all the users belonging to the Realm. For Keycloak, the LDAP is just an external storage with users to authenticate against. Consequently, out of the box, there is no way (as far as I know) for the Forgot Password to only be enabled to certain users within the Realm.
Even if it would be possible IMO it would not be a very user-friendly feature, since when one activates such a feature a new link will be shown to the users on the login page in case they have forgotten their passwords. So if a user from the LDAP would click on it, it would display an error or something?!
Alternatively, you can configure the LDAP of the so-called internal users in another Realm than the one with the Forgot Password enabled. And then configure the newly created realm to be an external Identity Provider, which the users could explicitly authenticate against it. So in practice, the users would lend in the normal login page, the external users could login normally, and would have the Forgot Password option enabled. The internal users would explicitly click on the external IDP to authenticate themselves. Log in using the external IDP would be a similar user-experience as log in to the normal login page, however, the Forgot Password option would not be shown.
You can see an example such configuration here.
My organization runs a grafana 7.0 instance that only allows SSO logins. I would like to create an API token for my user account but based on these instruction it seems like doing so is not possible without supplying a password. Is this understanding accurate?
As #Amal.Touzani mentioned, API key is created per organisation, not per user.
Instruction, mentioned by you, needs admin password to authenticate the admin user during API token creation. Later on access level will be defined by role specified in request, in example it is "role": "Admin". Role could be Viewer, Editor or Admin (as mentioned here)
Of course, all these steps could be done from Grafana Administration UI:
I think your user should have the permission to create API token but you don't supply the
password.
Based on the documentation , the Admin API needs (username , password ) to authenticate .
But API Tokens are currently only linked to an organization and an organization role , please see these links :
https://grafana.com/docs/grafana/latest/http_api/admin/
https://grafana.com/docs/grafana/latest/http_api/auth/
https://grafana.com/docs/grafana/latest/tutorials/api_org_token_howto/
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
I came across similar scenario and the way I solved it was by enabling a default role to the newly added user.
This role can be changed later on but with a default role in place, your flow will complete.
There are 2 ways to assign a default role in keycloak. With both these configs, whenever a new user is registered even from external service providers, they will be assigned this default role:
Assign a default role directly to user:
Assign a default group to user & map a role to that default group
Please note that Default Group & Role names in above are my own and they are not predefined in keycloak.
After logging in to Keycloak admin console --> roles -> go to 'Default Roles' tab and add the role from available section to default realm roles section and save...Now when a user is registered, it will have the role assigned .
I want to secure my user registration page with keycloak but couldn't think of any approaches while reading the docs. The best option for me:
New user register, but his account is unavailable.
When ADMIN accept this new account, user can log in.
Is it possible do it in keycloak ? Or any similar solution ?
Sure you can do it. The easiest way is to give a default role to newly registred users. The default role would give only minimal privileges. Then ADMIN can promote the user to the more appropriate group or role.
Probably to "automate" or smoothen the second part of this flow you might need some flow customization. Cf. https://www.keycloak.org/docs/latest/server_development/#required-action-walkthrough and related.
Another solution is to give to the default minimal role the possibility to request acceptation, or make the request automatically at first logging (eg. mail sent to ADMIN).
EDIT
Programmatically it is also possible to make calls to the Keycloak Admin API (through native Admin Client). For example, you can write some logic (and associated UI or whatever) that will assign or remove groups from a user.
See. Admin REST API