We Keep Coding

Keycloak - restrict the access to the admin console

Is there any way to restrict the access to the keycloak admin console at the level of groups or user roles? The way of restriction by ip (and undertow filter to block external access), unfortunately, does not quite suit me. I will be very grateful for any advice!
I tried to create roles for security-admin-console and realm-management clients, but it didn't work, all the users still have access to admin console.

It turned out, that the problem was because of realms' default groups. I checked them out and there was admin role by default in all the realms' default groups. For this reason, all imported from a third-party idp users had the admin role by default and had access to the admin console.

Nodemailer: response: '535-5.7.8 Username and Password not accepted

With the shut down of Less secure apps by Google on May 30, 2022, using Gmail with nodemailer now throws an error that says response: '535-5.7.8 Username and Password not accepted. Learn more at\n' + '535 5.7.8 https://support.google.com/mail/?p=BadCredentials. The Nodemailer docs appears to not be updated yet regarding this issue of Less secure apps but suggest to use another delivery provider. I used to just turn on LSA, store the credentials in an environment variable and let nodemailer do its thing, with this change, how can one still use gmail with nodemailer? There are no youtube tutorials to fix this yet and looking at the google documentation, it doesn't show nodemailer

Solved it by creating App password inside Google account. You must have 2-step verification actived.

Open Mail > Settings > See all Settings > Forwarding and POP/IMAP.
Enable POP download: & Enable IMAP access: (then save the settings). Mail Settings Image
Open Your Gmail Account > security > 2-step verification(enable it).
Go to App Passwords > select device > select app(you can create any custom app).
Copy App Password and use it in your application.

You should look into xoauth Nodemailer appears to support serval oauth options
let transporter = nodemailer.createTransport({
host: "smtp.gmail.com",
port: 465,
secure: true,
auth: {
type: "OAuth2",
user: "user#example.com",
clientId: "000000000000-xxx0.apps.googleusercontent.com",
clientSecret: "XxxxxXXxX0xxxxxxxx0XXxX0",
refreshToken: "1/XXxXxsss-xxxXXXXXxXxx0XXXxxXXx0x00xxx",
accessToken: "ya29.Xx_XX0xxxxx-xX0X0XxXXxXxXXXxX0x",
expires: 1484314697598,
},
});

Grafana OAuth with Keycloak

I am using helm charts. During the deploy process, I override values as below:
auth.generic_oauth: # for SSO
groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
enabled: true
name: Keycloak
allow_sign_up: false
client_id: grafana
client_secret: CLIENT_SECRET
scopes: openid,email,profile,groups
team_ids:
allowed_organizations:
auth_url: AUTH_URL
token_url: TOKEN_URL
api_url: API_URL
tls_skip_verify_insecure: true
In the Keycloke, I create a client, a client scope, a group mapper in the client scope, a group and assign GrafanaAdmins group to a user.
What I want to achieve is to be able to login to Grafana with a user defined in Keycloak that is also assigned the GrafanaAdmins group.
What I have is this error:
t=2021-12-27T13:32:18+0000 lvl=warn msg="Not allowing oauth_generic_oauth login, user not found in internal user database and allow signup = false"
t=2021-12-27T13:32:18+0000 lvl=eror msg="invalid username or password" logger=context userId=0 orgId=0 uname=
I don't want to sign up new users nor I want to use additional database. It should use Keycloak.
Grafana documentation is not very descriptive and it is hard to get around it.

You have a few problems:
Grafana documentation is clear:
Groups mapping: Available in Grafana Enterprise v8.1 and later versions.
You are using Grafana 7.1.5 and I guess also free OSS Grafana (not a paid enterprise version, where license is required), so group mapping (config groups_attribute_path) is not possible in your case.
You are mixing also Grafana role mapping (role_attribute_path) with Grafana group mapping (groups_attribute_path) Please note role != group. So I guess you wanted:
role_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
instead of:
groups_attribute_path: contains(groups[*], 'GrafanaAdmins') && 'Admin' || 'Viewer'
Grafana creates internal users, based on the OIDC response, so you want to sign up new users in auth.generic_oauth section:
allow_sign_up: true
I bet your scopes config has wrong syntax and it should be:
scopes: openid email profile groups
Generally, you are using groups in the Keycloak to map roles in the Grafana. It is possible, but better logic will be to use roles in the Keycloak to map roles in the Grafana. Keycloak/Grafana have concept roles/groups and it is up to you how will you use them for your users. I would start with basic roles concept first.

keycloak-js How to authenticate AND authorize users

I'm having a bit of trouble understanding how to link together authenticating and authorizing users in my frontend using Keycloak and the keycloak-js adapter.
To preface this: I know that the keycloak-js adapter requires the client to have public as the Access Type.
My main question is how can I use Keycloak authentication AND authorization via the same client. If the Access Type MUST be set to public for the keycloak-js adapter to work, then how can I restrict access to my API depending on the users permissions?
Will I need two clients for this? One for authentication and one for authorization? If so, how can I use the access token from the authentication client in the authorization client?
My current setup in Keycloak is as follows:
Realm: admin-service
Client: admin-service-api
Access Type: confidential (because I want to use authorization to restrict api requests according to permission levels)
Root URL: http://localhost:8080/
Valid Redirect URIs: http://localhost:8080/*
Roles:
admin
Users:
test-user
My authorization setup for admin-service-api is as follows:
Resources: Books Resource
Uri (these are my API endpoints):
/v1/books
/v1/books/{id}
Scopes:
books:delete
books:create
books:update
books:read
Policies:
Default Policy
Books Policy:
Realm roles:
admin (the required checkbox is not checked)
Permissions:
Default Permission
Books Resource Permission:
Resources: Books Resource
Apply Policy: Books Policy
So with this setup, I have restricted my API (which is written in GoLang) to only allow requests if the requesting user has the appropriate permissions by making a request to the Keycloak API via https://my.auth.server/auth/realms/{{realm_name}}/protocol/openid-connect/token to retrieve the users access token and a list of the users permissions.
From there I can use this access token to make requests to my API to create/read/update/delete books so long as my test-user has the admin role. If my user does not have the admin role, the user is presented with an unauthorized message (401).

JBPM_7.XX: How to change role name "admin" to other name?

Currently, I am integrating JBPM with LDAP with following guide: https://www.youtube.com/watch?v=0UpT92-GIxc.
I have done successfully. But, Our LDAP server already have role "admin" and I cannot add this role to my OU. So, How can i change configuration admin role to other name in jbpm?
Thank all!

In the jbpm.usergroup.callback.properties file, you should configure the "binding" user:
ldap.bind.user=cn\=admin,dc\=jbpm,dc\=org
ldap.bind.pwd=admin
You could try any other one, different than admin.
Notice that if the LDAP server doesn’t allow anonymous binding, then ldap.bind.user and ldap.bind.pwd parameters are mandatory in this file.
In this blog post, you can find a sample for a basic LDAP configuration ("LDAP structure" chapter):
https://blog.kie.org/2021/02/migrating-jbpm-images-secured-by-ldap-to-elytron.html
Take into account to update jboss LdapExtLoginModule with the bindDN and password accordingly.