Keycloak, PKCE and external IDP - authorization

I have a requirement where I need to federate to an IDP. I have never had issues in the past, and in this instance I have an issue because the third-party/external IDP has PKCE enabled and enforced.
Is there a way to federate to an IDP which has PKCE enabled? Basically, in other words, I should be able to forward/send code_challenge and code_challenge_method to the external IDP. I can enable PKCE on my IDP without any issues and forward the same headers to the external IDP if required, but I don't see a way to do it. I tried to configure the "Forwarded Query Parameters" field on the Identity Provider Configuration as well, but to no avail.
However, I came across this ticket https://issues.redhat.com/browse/KEYCLOAK-9809 where it is said that this is not supported since it's only supported for public clients - so is it still the case?
In addition to this, if this is not supported, what is the recommended way to get around this? I mean I could ask the external IDP folks to change their configurations but I'd like to know the recommended way before proposing a way out.
Thanks a lot.

The issue is apparently resolved on ticket - https://github.com/keycloak/keycloak/pull/7381
According to this ticket - the issue is resolved in version 13.0.0. Unfortunately, I have moved away from this project - so if someone can confirm that this works with 13.0.0 - I can mark this as the answer and close off the post.

Related

Bypass a specific user in shibboleth SSO

I have been trying to bypass Shibboleth SSO for a specific user. Only one user needs password authentication to an application running behind an Apache reverse proxy. All other users need to go through the SSO login.
I tried tweaking a few attribute-map files, but in vain.
Any idea which Shibboleth config file to modify for bypassing SSO for a single user? Any suggestion on this is greatly appreciated.
Do you have code that constructs an "application session" from headers/environment variables within the app, or does the app directly access the existence/absence of the headers/environment variables set by Shibboleth?
If you have an external application session, then you just need to deploy some code to a separate path that's not protected by Shib, but some other means (maybe even Apache Basic Auth), that'll construct the relevant session cookie for the application and do the redirect.
If you're using the existence of the Shibboleth session info directly in the app, then you're probably better off just asking the IdP for an account.
Regardless, you're in the territory of building a back-door... so you must exercise extreme caution to not implement a vulnerability that can be leveraged in some way, and frankly StackOverflow doesn't know the intricacies of your application well enough to give more than general suggestions.
I suppose the short answer is... I don't think you're going to find a short answer.

CherryPy authentication token

This is my first question on SO, sorry if it's poorly structured.
I'm a relative noob developer trying to make a REST API with token authentication. I already made one with Flask and I want to make the same one with the help of CherryPy. The problem is that I'm quite lost finding some sort of plugin for CherryPy; I'm either blind or I just can't find examples or plugins in order to make the token authentication. Could someone help me? Any info or advice will be of great help :)
This is what I achieved with Flask: https://github.com/themese/flask-api
Really my problem is that with Flask and CherryPy I found the same issue with the token auth, but with various SO posts and wiki info I managed to code the token auth. I just seem not to be able to reproduce it with CherryPy, perhaps due to the lack of info :(
I realize this post is a little old, but I would recommend you look at implementing tokens with JWT. You should use the PyJWT package and create a CherryPy Tool for route authentication & authorization checks.
Another method would be to generate a token using something like a uuid4 hex and persisting that token in your db.
I'd recommend you investigate JWT and how to implement it properly - Auth0.com.
I am a noob too, probably more so. Just trying to help.
From the docs:
Authentication
CherryPy provides support for two very simple authentication mechanisms, both described in RFC 2617: Basic and Digest. They are most commonly known to trigger a browser's popup asking users for their name and password.
link: http://docs.cherrypy.org/en/latest/basics.html#authentication

SSO and ServletRequest.login() and ServletRequest.logout() not working in Glassfish 3.1

// I'll try to improve the question a bit to see if I can get help.
We have a set of applications in our Glassfish server, and we'd like to use SSO across them. So, we came up with an "authentication" web application, which simply contains the form to authenticate users. The user is then routed by this application to whichever application he wants to access.
The problem is that, when using the FORM authentication method and the programmatic login through ServletRequest.login(), the SSO cookie is not created. Only through BASIC authentication or through j_security_check are we able to see the SSO session cookie being created.
Similarly, the ServletRequest.logout() method is also unable to log the user off the SSO session, leading to nasty security bugs.
I'd like to know whether the approach using programmatic login/logout and SSO does not work at all (and thus, we're doing it wrong); or, if we're missing something altogether about SSO and security in Glassfish.
Guess I've found the reason: http://java.net/jira/browse/GLASSFISH-18356
The bug is open and likely to make it into the new version... but voting it up would help make it happen. If you came across this question with the same problem, please help by voting for it!

What's recommended for authentication check? Servlet Filters or Form based authentication?

We are working on implementing Single Sign-On (SSO) using PingFederate. The basic implementation uses a login token sent via browser cookies for checking user authentication. What's the recommended way of doing the authentication check? Should I use a login filter or configure form-based authentication?
Both can be done equally well. The difference is only that you have to write all the code yourself in one case and just do some (XML) configuration according to existing guidelines in the other case.
Either way, I think the benefits and caveats are obvious enough. In this particular case, I'd go for container managed authentication to avoid future maintenance headaches.

OpenID on Community Server

Okay, I've asked on the Community Server Forums and was totally ignored. So I'll ask here. The OpenID provider (presumably Janrain) for CommunityServer does not work with an SSL OpenID endpoint. I really don't know of a non-SSL OpenID endpoint, and even if I did... I'm not sure if I'd want to use it.
I have a Community Server installation and all of my users are complaining that the signup/login form appears to support OpenID but doesn't in reality. Has anyone encountered this issue and addressed it?
Thanks in advance.
CS currently uses an old version of Janrain's C# library. I think the next version is expected to use dotnetopenid. But even in its current release I would expect it to work just fine with SSL OP endpoints. If it didn't, then no OpenIDs from myopenid.com would work for logging into CS and I would expect the CS guys would have noticed that.
However, if specific endpoints are broken, it may be a sign of another problem. If you can give specific OpenID endpoints that are not working then please send an email to dotnetopenid#googlegroups.com and I'll be happy to investigate it further.
There's a test OP Endpoint that is non-SSL that you can try out to see if it works by logging into your CS with this: http://nerdbank.org/opaffirmative/affirmativeidentity.aspx (yes, that's actually a valid OpenID you can log in with without using a password).