i have a requirement to implement basic authentication at dispatcher side
I have below basic auth configuration in my virtual host(www.abc.com) configuration file.
<Location /content/abc/jp-JP >
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /opt/cq/www/htdocs/password(this is name of file, contains uname and password)
Require valid-user
</Location>
when i try to access www.abc.com/jp-JP getting basic auth prompt and authenticated succefully from password file(username and password file ) located under /opt/cq/www/htdocs . after first prompt successfully validated username and password , second prompt displaying with requires username and password .The server Says (Sling development). if i disable basic authentication in apache sling authentication service of publish instance ..then it's redirecting me to correct page what i expected ..but unable to publish contents from author(blocked inside replication agent queue). so enabled back..but basic authentication blocked with The server Says (Sling development).
I am sure it is difficult to understand what i am trying to say here ..but any idea how to by pass prompt of "The server Says (Sling development)" from dispatcher level basic auth. Any help would be appreciated!!!
Let me paraphrase your description: you have setup HTTP Basic Auth on the Apache level and it works fine, but the credentials entered in the browser are sent not only to the Apache but also to the CQ. CQ treats credentials as its own username and password and returns error. Disabling HTTP Basic Authentication Handler authenticator is not an option, as it's used by the replication process.
In order to make Apache HTTP Basic and the CQ publish coexists, you can remove the Authorization header (used in the HTTP Basic Auth) on the Apache, using mod_headers module and its RequestHeader directive. Enable the mod_headers and place following line in your VirtualHost configuration:
RequestHeader unset Authorization
Apache will use the header to authenticate the request, but then it'll be removed and CQ won't get it.
Related
I am having trouble trying to figure out what the values should be for 'Valid Redirect URIs', 'Base URL', 'Backchannel Logout URL'.
I am using Keycloak 15.02 along with 10 Spring Boot applications, and 2 Realms. The suite of applications and Keycloak are deployed to our customer sites, and may have more than 2 realms in some cases.
In our dev environment we have two hosts (api.dev, and web.dev) that are running Keycloak, and client apps. Everything is running Docker containers.
The client config for `Valid Redirect URIs', and 'Backchannel Logout URL' currently include the host name web.dev. I'd like to be able to remove that host name to make the Realm configs portable between environments. Having to configure each client in each realm makes for a lot of repetitive and mistake-prone work.
But when I remove the hostname, I get the error: Invalid parameter: redirect_uri.
The redirect URL shown by Keyloak in the request parameters looks the same for both configurations so I dont really understand why its telling me that its invalid.
This works:
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=E-8VBZUc1CbsIUi5HdPG68pNK1IVNB8bzDT3Aengx9Q%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=3OUMxVmrglSC0KK-WGWDjG4yB9TOuvqBO5TMnDk4R-A
But this does not:
That configuration produces the redirect_uri value seen in the following request:
http://api.dev.etisoftware.local:8080
/auth/realms/OSS/protocol/openid-connect/auth
?response_type=code
&client_id=launchpad
&scope=openid%20profile%20email%20roles
&state=cGh1zZ3et0ssogIsNclL2sHcrfDxNePaHf5UXxw0aR8%3D
&redirect_uri=http://web.dev.etisoftware.local/launchpad/login/oauth2/code/OSS
&nonce=Qm846RYZZnU3fG4Cj75e8lBejupf24VbV1WjDVW1NJA
As you can see the values for redirect_uri in the request parameters are same for both requests and client configurations so its unclear (to me) what Keycloak is trying to tell me.
I also happen to have Keycloak and the client apps running in a K3s cluster. For some reason on that environment I dont have to have the hostname in the Valid Redirect URIs and it works perfectly fine. Is it just a fluke?
Redirect URIs tooltip:
"Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/’. Relative path can be specified too such as /my/relative/path/. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request"
So if you want to use relative paths in the redirect URIs, then configure properly Root URL, not Base URL.
I got this answered on Keycloak's site but Jangaraj.
https://keycloak.discourse.group/t/trouble-with-configuring-client-valid-redirect-uris/13251
I'm creating Java appliation, where I will need users to log in. Currently I'm verifying if I can configure Keycloak safe enough. I'd like to make sure my application is really authenticating users against my Keycloak server - eg I know there is something like DNS Poisining or other attacks, where my application could get to attackers server with duplicated/attackers Keycloak instance. What surprised me, I have currently configuration with follwing keys:
keycloak.auth-server-url=...
keycloak.realm=...
keycloak.resource=...
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=..
keycloak.security-constraints[0].securityCollections[0].patterns[0]=...
keycloak.principal-attribute=preferred_username
and no public key is needed. Even worse here: https://stackoverflow.com/a/40516696/520521 I see upvoted comment telling, my application may download key from (malicious) server.
Are there any extra steps I need to follow, to authenticate Keycloak server before starting to authenticate users against it?
Based on your configuration, it seems that you've defined your client in Keycloak as public. This allows your client to be able to call Keycloak without any authentication. This type of client is used for example when you're going to authenticate via js in webpage in which nothing can be hidden from attacker as they have access to the source of the page.
If you set the "Access Type" of your client to "confidential" (in Client Settings on Keycloak Admin UI) and save the settings, there will appear another tab (next to "Setting" tab of the client) titled "Credentials". There you can see the default secret that is created for your client. You should then put this secret as below in your keycloak.json file inside your application:
"credentials": {
"secret": "paste-the-secret-value-here"
}
You can also re-generate the value by selecting the "Regenerate Secret" button.
You can also change the "Client Authenticator" there and set it to "X509 Certificate". Then you would be asked to define a regular expression to validate the "Subject DN" of the certificate that client will be using for authentication. Any certificate matching that regex would be considered as valid and authenticated. Then you have to setup your client to use such certificate instead of defining the "secret" value in the keycloak.json file.
There is of course another option which uses "Signed JWT" which is also secure and you can find the details about how to set it up in Keycloak documentation at Client Authentication section.
I can't see a word that this is the aim, but seeing where public and private key is placed I understand that answer is, that in realm settings -> keys -> active there is list of keys. You may download public key or certificate with button on right side. In my case of Spring boot, enter application.properties file a public key under keycloak.realm-key.
I have problems setting up Keycloak for a project I do.
Keycloak is running on http://localhost:8180.
Thorntail server is running on http://localhost:8080/users which serves data for an
Angular frontend on http://localhost:4200/*. What I want to do is that a User can only see http://localhost:4200/sign-in without logging in. Once logged in they can access for example http://localhost:4200/list-user.
I was using this guide to set up Keycloak, but I'm not sure what I my Client settings should be. This is what I thought:
Root URL: http://localhost:4200/sign-in
*Valid Redirect URIs: http://localhost:4200/list-user
Base URL: http://localhost:4200/sign-in
Admin URL: http://localhost:8080
Somebody please explain the purpose of these settings as I struggle to understand.
Root url is just a value that will be used for relative paths resolving.
Root: http://localhost:4200/sign-in
Valid Redirects: /* (After login user could be redirected to any URI that matches pattern http://localhost:4200/sign-in/*)
Base URL: / (Is not mandatory. Used when keycloak need to calculate application url by client_id only)
Admin URL: / (Used when Keycloak need to notify applications about revocation or when user logs out. For example when user logs out in application A if he has session in application B, Keycloak will send backchannel request to Admin URL of application B, so Application B will also flush user session in it)
Check out docs and info badges in Admin Console
I managed to use the auto update feature of Intsall4J by setting URL of updates.xml. For testing I used server (to host Installer.exe and updates.xml) with anonymous access. It worked fine.
But now requirement is that server needs HTTP request with Authorization header.
Is it possible to use HTTP request with Authorization header in auto update feature?
HTTP authentication is supported by downloads, the updater will ask the user for user name and password.
If you want to hard-code the login in the installer, you can add a "Run script" action to the startup node and execute
System.getProperty("serverAuthUser", "user name");
System.getProperty("serverAuthPassword", "password");
Hello I am using Nexus OSS, and wanted to simulate SSO, using Remote User Token. Currently the Nexus is configured to LDAP authentication, and is working fine.
As per the instructions found here https://books.sonatype.com/nexus-book/reference/rutauth.html
Basically enabled Remote User Token and added header field Name "REMOTE_USER". This user is ldap and has access.
This instance is behind apache, so from apache, To test this RUT, I can set the header value REMOTE_USER, whoever, I don't see passed in user getting logged nor I see cookie being generated. I even tried firefox rest api client and set header, but with the same results. I can see that HTTP header is being set right.
Am I missing something?
Is there a way to debug that? Appreciate any help.
Thanks
S
RUT handles authentication, but the authenticated user still needs to be authorized to access the web UI. What this means is that you need an LDAP user or group mapping in Nexus which assigns the necessary roles and privileges to the user.
I had a similar issue with Nginx, the header was not set using the correct value.
This can be quite confusing, as the reverse proxy does not complain and simply sends a blank request header to Nexus.
Using Keycloak and Nginx (Lua), instead of a preferred_username field in the IdP response:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.preferred_username)
I had to use the preferred_username field returned in the response's id_token element:
-- set headers with user info: this will overwrite any existing headers
-- but also scrub(!) them in case no value is provided in the token
ngx.req.set_header("X-Proxy-REMOTE-USER", res.id_token.preferred_username)