Has anyone made import functionality to Keycloak? - keycloak

We need to import hundreds of users to Keycloak from csv-file. I haven't found any ready-made import functionality to do this.
Has anyone made any import routine or at least some skeleton to build on? REST API is probably the only way to do it - or is there another way?

I've recently built something like that in Java. You can use the REST API, but there is also the admin-client. See Programmatically adding users in Keycloak for some pointers. It should be trivial to add CSV support for that using e.g. Apache Commons CSV.
Basically you can add a Maven dependency:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>1.4.0.Final</version>
    </dependency>

And use it like this:
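
    import java.util.Arrays;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    // Log in to the admin realm with an admin account
    Keycloak kc = Keycloak.getInstance(
            "http://localhost:8080/auth",
            "master",              // the realm to log in to
            "admin", "password",   // the user
            "security-admin-console");

    // Password credential for the new user
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    // The user to create
    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));

    kc.realm("master").users().create(user);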
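
An added example (not from the original answer or the Keycloak project) of the CSV import the answer describes, built on the same admin client plus Apache Commons CSV. The CSV column names, the KC_* environment variables and the class name are assumptions; withFirstRecordAsHeader() needs Commons CSV 1.3 or later.

```java
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import javax.ws.rs.core.Response; // jakarta.ws.rs.core.Response with recent admin-client releases
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVRecord;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CsvUserImport { // hypothetical class name
    // Usage: java CsvUserImport users.csv <realm>
    // Assumed CSV header: username,firstName,lastName,email,initialPassword
    public static void main(String[] args) throws Exception {
        // Admin credentials come from the environment (assumed variable names), not from source code.
        Keycloak kc = Keycloak.getInstance(
                System.getenv("KC_URL"), "master",
                System.getenv("KC_ADMIN_USER"), System.getenv("KC_ADMIN_PASSWORD"),
                "security-admin-console");
        int created = 0, failed = 0;
        try (Reader in = Files.newBufferedReader(Paths.get(args[0]))) {
            for (CSVRecord row : CSVFormat.DEFAULT.withFirstRecordAsHeader().parse(in)) {
                CredentialRepresentation cred = new CredentialRepresentation();
                cred.setType(CredentialRepresentation.PASSWORD);
                cred.setValue(row.get("initialPassword"));
                cred.setTemporary(true); // force a password change at first login
                UserRepresentation user = new UserRepresentation();
                user.setUsername(row.get("username"));
                user.setFirstName(row.get("firstName"));
                user.setLastName(row.get("lastName"));
                user.setEmail(row.get("email"));
                user.setEnabled(true);
                user.setCredentials(Arrays.asList(cred));
                Response resp = kc.realm(args[1]).users().create(user);
                int status = resp.getStatus();
                resp.close();
                if (status == 201) {
                    created++;
                } else { // e.g. 409 when the username or e-mail already exists
                    failed++; // log the row and status only, never the password
                    System.err.println("row " + row.getRecordNumber() + " ("
                            + row.get("username") + "): HTTP " + status);
                }
            }
        } finally { kc.close(); }
        System.out.println("created=" + created + " failed=" + failed);
    }
}
```

Rows that fail are reported by record number and username so the file can be corrected and re-run; rows that already exist are simply counted as failed on the second pass.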

Related

NextAuth Documentation refers to a version that doesn't exist?

I am trying to implement the following:
https://next-auth.js.org/tutorials/securing-pages-and-api-routes#nextjs-middleware
I want to list all my secure pages in the const config object. However, on that page it references that "since NextAuth 4.2...". Well, the npmjs page only shows up to v4.17 - Is this why I can't get it to work? Why is it documenting something that we cannot even use yet?

How to include an axios interceptor in Quasar

I am currently working on a Quasar app that uses axios library. User is authenticated as usual by a token that, when expired, has to be renewed using a renewal token. I need an axios interceptor to filter status 401 so that I can ask for a new token and send the request again.
The interceptor is already coded, now the problem is that I don't know how to make Quasar use the plugin. The app that is currently in production, which is done with Vue 2, does it like this:

    const _axios = axios.create(*config*);
    axios.interceptors.request.use(.....);
    Plugin.install = function(Vue, options) { .... }
    Vue.use(Plugin)
    export default Plugin;

Currently Quasar is based on Vue 3, and Plugin is deprecated. I know that in Vue 3 the plugin should be included in the /src/main.js file like this:

    import { createApp } from 'vue'
    const app = createApp({})
    app.use(myPlugin, {
      /* optional options */
    })

But in Quasar there is no main.js file, I can't see an app.use anywhere, and I don't know how to tell Quasar to use the plugin with the axios interceptor. I know there's a quasar.conf.js file that you can set to use Quasar plugins, such as Dialog for example, but I don't know if this file would be the place to make Quasar use the plugin I coded or how it should be done. I have not been able to find info on this subject. Could someone please tell me how to make Quasar insert my plugin, or point me to where I could find info about it? Thanks.

Using manually created Cognito User Pool with an amplify project

I'm trying to use my existing Cognito User Pool when adding AWS Amplify to a react project.
As a result, I want to use Amplify Datastore functionality for existing users in my manually created Cognito User Pool. Also, I like the Amplify CLI functionality for managing the GraphQL schema for the API, so this means that I need to initialize an Amplify project inside my React project.
I started with this chapter: https://docs.amplify.aws/lib/datastore/getting-started/q/platform/js. But this chapter uses API Key authentication.
I know that I can add authentication to the Amplify project with amplify auth add, but it has no option for using an existing User Pool.
I can use my User Pool without initializing an Amplify project with amplify init, by using a manually composed aws-exports.json. But, as I pointed out, I also need to add an Amplify project for the API.
I would combine the configs, something like Amplify.configure({...aws_config_by_amplify, ...my_aws_config}), but it is still unclear how to manage Amplify API authentication with my user pool then.
Ideally, it would be great to use some command for configuring the Amplify project with an existing user pool, but I have not found one.
Also, I suppose that it's possible to make some manual changes in the Amplify project's CloudFormation template/params, and to update the stack with that, but, unfortunately, I am not so good at using CloudFormation.
How to solve this?
The solution was found here: https://github.com/aws-amplify/amplify-cli/issues/779
Init the Amplify project: amplify init
Add the API: amplify add api, choosing GraphQL
Update amplify/backend/api/backend-config.json, changing defaultAuthentication to

    "defaultAuthentication": {
        "authenticationType": "AMAZON_COGNITO_USER_POOLS"
    }

Update amplify/backend/api/amplifyDatasource/parameters.json:

    {
        "AppSyncApiName": "amplifyDatasource",
        "DynamoDBBillingMode": "PAY_PER_REQUEST",
        "DynamoDBEnableServerSideEncryption": "false",
        "authRoleName": {
            "Ref": "AuthRoleName"
        },
        "unauthRoleName": {
            "Ref": "UnauthRoleName"
        },
        "AuthCognitoUserPoolId": "<USERPOOL ID>"
    }

(I am unsure that authRoleName and unauthRoleName are needed)
amplify push, and voila, the Appsync will have the user pool as the default authentication.
One solution, assuming you want to use the Amplify UI Authenticator component in your React project:
(Note this does not require any Amplify add/pull/push, config file generation, or any of that. It's 100% client side, you just drop in a component, configure it, and use it).

    npm install @aws-amplify/ui-react aws-amplify

In your top-level style file, import the theme:

    import '@aws-amplify/ui-react/styles.css';

Note: if you are in a Next.js project or get some complaints about pure selectors, import this in your top level app file, like _app.tsx
Add your config object to _app.tsx:

    Amplify.configure({
      Auth: {
        region: 'us-west-2', // whatever region
        userPoolId: 'your-userpool-id',
        userPoolWebClientId: 'your-web-client-id', // found in App Integrations
      },
    });

Note that you can get your region from the userPoolId (at least, at this time); it's the part to the left of the underscore.
Add the Authenticator to your markup:

    <div className="authenticator">
      <Authenticator>
        {({ signOut, user }) => (
          // Next.js
          <Component {...pageProps} signOut={signOut} user={user} />
          // or, with react-router-dom, render this instead:
          // <Routes>[Your Routes]</Routes>
        )}
      </Authenticator>
    </div>

Important note: to use this component, make sure in your user pool Advanced app client settings -> Authentication Flows, "ALLOW_USER_SRP_AUTH" is in the list. The Authenticator component sends data a certain way and needs this protocol.
That's pretty much it. It assumes the userpool has things like verification and an app integration configured correctly, but as for the client side the above is all there is to it, I've used it a number of times recently.

BuildBot close public access

By default, the web interface of BuildBot is publicly readable, so anyone can view my builds, etc. I want to close it to guests, so that only registered developers will be able to view my BuildBot page.
How can I do it?
I use BuildBot 0.8.9.
I am using Buildbot 0.8.8 and have not tried to do this, but in the Buildbot 0.8.9 documentation there seems to be a "view" option for authorization; probably this is what you want.
A basic implementation could be like this:

    from buildbot.status.html import WebStatus
    from buildbot.status.web.authz import Authz
    from buildbot.status.web.auth import BasicAuth

    users = [('bob', 'secret-pass'), ('jill', 'super-pass')]
    authz = Authz(auth=BasicAuth(users),
                  view='auth',  # only authenticated users
                  # ... other permissions go here
                  )
    c['status'].append(WebStatus(http_port=8080, authz=authz))

You can also move your Buildbot machine behind a VPN and give access to the developers. This way you can hide the BuildBot UI completely from the outside. This is how it is done in the company where I work.

"Remember me" and Servlet 3.0 request.login()

I am using HttpServletRequest.login() method provided by servlet 3.0 in a Java EE-container (jdbc-realm) and all works fine.
According to this question, "Java EE 6: How to implement "Stay Logged In" when user login in to the web application", I have implemented a remember-me method.
However, I am stuck with the following in the filter class:

    if (user != null) {
        request.login(user.getUsername(), user.getPassword());
        request.getSession().setAttribute("user", user); // Login.
        addCookie(response, COOKIE_NAME, uuid, COOKIE_AGE); // Extends age.
    }

I have a jdbc-realm with encrypted pw, how can I make the container-managed-authentication via rememberMe? user.getPassword() needs the clear (unhashed) pw which I cannot know! I do not want to store clear passwords in the db.
If the ready-to-use login module that you use only accepts the clear (unhashed) password, then you probably would need to modify it, and then install that modified version.
Your existing JDBC-realm most likely has a vendor-specific login module, but Java EE 6 does have a standardized dedicated API for building login modules (auth modules), which is called JASPIC. See this article for some background.
Incidentally, for an OmniFaces sub-project called OmniSecurity we have been prototyping a JASPIC auth module which also supports remember me. It's open source, so you could use it for inspiration.