Undertow like ACL's in Keycloak.X


EXTERNAL Weimer Benjamin (TNG, IOC/PAU1)

Nov 17, 2021, 8:05:17 AM
to keycloak-dev (keycloak-dev@googlegroups.com), Matysiak Joerg (IOC/PAU1)
Hi,

In WildFly it was possible to set a whitelist of IP addresses that can access certain endpoints. This can be done via Undertow filter expressions, e.g. with a JBoss CLI command like this:

/subsystem=undertow/configuration=filter/expression-filter=metrics-access:add(expression="path(/metrics) -> ip-access-control(acl={'127.0.0.1 allow'},failure-status=403)")

Is it possible to configure something similar in Quarkus with Keycloak.X?

We already found out that there is a quarkus-undertow extension that can be used to set those Undertow filters. Currently Keycloak.X does not include this extension. Is there a plan to implement access control lists in Keycloak.X?

If not, would you accept a pull request that includes the quarkus-undertow extension in Keycloak.X?


Best regards

Benjamin Weimer

Project Delivery Berlin 2 (IOC/PDL2)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch.io
Tel. +49 30 726112-0 | external.Ben...@bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Stefan Koss; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling



Thomas Darimont

Nov 19, 2021, 7:19:52 AM
to EXTERNAL Weimer Benjamin (TNG, IOC/PAU1), keycloak-dev (keycloak-dev@googlegroups.com), Matysiak Joerg (IOC/PAU1)
Hello Benjamin,

I'm not aware of any "DSL" for defining ACL rules for Keycloak.X / Netty to limit access to the admin / console endpoints. However, you can simply create your own with a custom JAX-RS `ContainerRequestFilter`.

Kind regards,
Thomas

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/AS8PR10MB458312E131C5A3DDA05F9B2EB39A9%40AS8PR10MB4583.EURPRD10.PROD.OUTLOOK.COM.
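The filter Thomas suggests, written out as an added example (this is not Keycloak's code and not the `AccessFilter` from his linked repository). It reproduces the semantics of the Undertow expression from the question: an ordered allow/deny list over IP literals and CIDR prefixes, applied only to chosen path prefixes, with a 403 as the failure status and default deny. Assumptions, labelled in the comments: Keycloak.X on Quarkus with `javax.ws.rs`, a provider jar that Quarkus indexes so the `@Provider` is discovered, and that Keycloak has already pushed the `KeycloakSession` into the RESTEasy context when JAX-RS filters run, so the peer address can be read from `session.getContext().getConnection().getRemoteAddr()`. The guarded prefixes and the ACL entries are constructed values.

```java
// Added example, not Keycloak's own code and not the AccessFilter linked in the thread.
// Assumes Keycloak.X on Quarkus (javax.ws.rs), a provider jar that Quarkus indexes so the
// @Provider is discovered, and that Keycloak has pushed the KeycloakSession into the
// RESTEasy context before JAX-RS filters run (as it does for its own resources).
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Resteasy;
import org.keycloak.models.KeycloakSession;

/** Counterpart of Undertow's path(...) -> ip-access-control(acl={...}, failure-status=403). */
@Provider
@PreMatching
public class PathAclFilter implements ContainerRequestFilter {

    // Constructed values: path prefixes (relative to the JAX-RS base URI, without a leading
    // slash) that the ACL guards. Requests to any other path pass through untouched.
    private static final List<String> GUARDED_PREFIXES = List.of("metrics", "admin");

    // The rule from the JBoss CLI expression in the question plus the IPv6 loopback.
    // Rules are checked in order, the first match decides, and no match means deny.
    private static final IpAcl ACL = IpAcl.parse("127.0.0.1 allow", "::1 allow");

    @Override
    public void filter(ContainerRequestContext ctx) {
        String path = ctx.getUriInfo().getPath();
        if (GUARDED_PREFIXES.stream().noneMatch(p -> path.equals(p) || path.startsWith(p + "/"))) {
            return;
        }
        // The peer address as Keycloak sees it. Behind a reverse proxy this is the proxy's
        // address unless Keycloak's proxy mode is configured; the filter deliberately does
        // not read X-Forwarded-For itself, since that header is client-controlled.
        KeycloakSession session = Resteasy.getContextData(KeycloakSession.class);
        ClientConnection conn = session == null ? null : session.getContext().getConnection();
        InetAddress peer = conn == null ? null : IpAcl.literal(conn.getRemoteAddr());
        // Fail closed: a peer address that cannot be determined is treated as denied.
        if (peer == null || !ACL.isAllowed(peer)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /** Ordered allow/deny rules over IPv4 or IPv6 addresses and CIDR prefixes. */
    static final class IpAcl {
        private static final class Rule {
            final byte[] network; final int prefixLen; final boolean allow;
            Rule(byte[] n, int p, boolean a) { network = n; prefixLen = p; allow = a; }
        }
        private final List<Rule> rules = new ArrayList<>();

        /** Each entry has the Undertow shape "<ip>[/<prefix>] allow|deny". */
        static IpAcl parse(String... entries) {
            IpAcl acl = new IpAcl();
            for (String entry : entries) {
                String[] parts = entry.trim().split("\\s+");
                if (parts.length != 2 || !(parts[1].equals("allow") || parts[1].equals("deny")))
                    throw new IllegalArgumentException("malformed ACL entry: " + entry);
                String[] cidr = parts[0].split("/", 2);
                InetAddress network = literal(cidr[0]);
                if (network == null) throw new IllegalArgumentException("not an IP literal: " + cidr[0]);
                int bits = network.getAddress().length * 8;
                int prefixLen = cidr.length == 2 ? Integer.parseInt(cidr[1]) : bits;
                if (prefixLen < 0 || prefixLen > bits)
                    throw new IllegalArgumentException("bad prefix length: " + entry);
                acl.rules.add(new Rule(network.getAddress(), prefixLen, parts[1].equals("allow")));
            }
            return acl;
        }

        boolean isAllowed(InetAddress address) {
            byte[] a = address.getAddress();
            for (Rule rule : rules) {
                // Only compare within one address family; the JDK already returns IPv4-mapped
                // IPv6 literals as Inet4Address, so they are matched against the IPv4 rules.
                if (rule.network.length == a.length && prefixMatches(a, rule.network, rule.prefixLen))
                    return rule.allow;
            }
            return false; // default deny, like Undertow's default-allow=false
        }

        private static boolean prefixMatches(byte[] a, byte[] net, int prefixLen) {
            int fullBytes = prefixLen / 8, remainder = prefixLen % 8;
            for (int i = 0; i < fullBytes; i++) if (a[i] != net[i]) return false;
            if (remainder == 0) return true;
            int mask = (0xFF << (8 - remainder)) & 0xFF; // leading `remainder` bits of the next byte
            return (a[fullBytes] & mask) == (net[fullBytes] & mask);
        }

        /** Parses an IP literal without triggering a DNS lookup; returns null for anything else. */
        static InetAddress literal(String text) {
            if (text == null || !(text.contains(":") || text.matches("[0-9.]+"))) return null;
            try { return InetAddress.getByName(text); } catch (UnknownHostException e) { return null; }
        }
    }
}
```

Two points worth checking before relying on a filter like this: first, which paths actually reach Keycloak's JAX-RS layer in your Keycloak.X version (an endpoint served directly by a Quarkus extension never passes through a `ContainerRequestFilter`, so verify with a request from a denied address that the 403 really appears); second, that the address the filter sees is the real client, which behind a load balancer or ingress means Keycloak's proxy mode must be set so the forwarded address from the trusted proxy is used rather than the proxy's own.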

EXTERNAL Weimer Benjamin (TNG, IOC/PAU1)

Nov 24, 2021, 5:28:37 AM
to Thomas Darimont, Matysiak Joerg (IOC/PAU1), keycloak-dev (keycloak-dev@googlegroups.com)
Hello Thomas,

Thank you very much for the example. It works great with the JAX-RS `ContainerRequestFilter`; I didn't know this was possible with JAX-RS.

Best regards

Benjamin Weimer

Project Delivery Berlin 2 (IOC/PDL2)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch.io
Tel. +49 30 726112-0 | external.Ben...@bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Stefan Koss; Managing Directors: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling


From: 'Thomas Darimont' via Keycloak Dev <keyclo...@googlegroups.com>
Sent: Friday, 19 November 2021 13:20
To: EXTERNAL Weimer Benjamin (TNG, IOC/PAU1) <external.Ben...@bosch.io>
Cc: keycloak-dev (keyclo...@googlegroups.com) <keyclo...@googlegroups.com>; Matysiak Joerg (IOC/PAU1) <Joerg.M...@bosch.io>
Subject: Re: [keycloak-dev] Undertow like ACL's in Keycloak.X

Hello Benjamin,

I'm not aware of any "DSL" for defining ACL rules for Keycloak.X / Netty to limit access to the admin / console endpoints. However, you can simply create your own with a custom JAX-RS `ContainerRequestFilter`.
Here is a small example for this: https://github.com/thomasdarimont/keycloak-project-example/blob/main/keycloak/extensionsx/src/main/java/com/github/thomasdarimont/keycloakx/custom/security/AccessFilter.java#L24

Kind regards,
Thomas


Pascal Knüppel

Dec 10, 2021, 2:53:39 PM
to keyclo...@googlegroups.com
Hi,

I am currently trying to update the data of my user after an identity
provider login. I have set up an AWS identity provider with SAML and use
Keycloak as a service provider. If I initiate a login I can successfully
log in, but I want the user details updated with the data of the
SAML assertion. The email is the important attribute in the current
use case. The user details are added if the user did not exist on first
login. But if the user does exist it does not matter whether an account link
is already present or not; the user data is simply not updated. I was
not able to find an authenticator execution that does this except
for "Review Profile", which updates the profile only on the very first
login through the IdP though.
Is there currently a way to do this?

Best regards
Pascal Knüppel

Pascal Knüppel

Dec 10, 2021, 3:00:54 PM
to keyclo...@googlegroups.com
Never mind...

After sitting on it for a whole hour, I found the sync-mode option on the identity provider
two minutes after sending the question...
Works now :-)

Best regards
Pascal Knüppel