I am using Keycloak 11.0.0 to secure my Asp.Net Core 3.1 Application.
I am looking for a way to allow users to access certain resources without the need of an own account.
Which resources can be accessed without an account should be configured in Keycloak. Currently we are using a simple role based system.
My idea was to add an Login with Anonymous User Button next to the Login Form in Keycloak. This anonymous user is a normal Keycloak user to which i can assign roles.
How can this be done in Keycloak? I think I might need to write an extension, but I do not know which interface i need to implement for this functionality.
Or is there even a better way to accomplish my goal?
Related
So, im doing research to know if its a good alternative to implement keycloak on the environment i'm working at.
Im using LDAP to manage users at my workingplace. I was wondering if is there a way to use keycloak as auth service in all upcoming systems and some of the existing ones. We are currently managing it with an IDP that we need to improve or replace, also there are some systems use their own login (this will eventually change).
The main problem i've crossed is that keycloak synchronizes against ldap and i dont want user data to be stored on keycloak, maybe if its only login data. User data is planned to be kept only on ldap's database in case that any userdata needs to be updated.
So is there a way to use keycloak only as an auth service fetching user credentials from ldap on every auth request?
pd: maybe i am mistaken on the meaning of what's an auth service an whats an IDP.
Actually it is not necessary that LDAP users are synced to Keycloak.
Keycloak supports both options
Importing and optionally syncing users from LDAP to Keycloak
or
Always getting the User info from LDAP directly.
But keycloak will always generate some basic federated user in it's database (e.g. for keeping up a session when using OpenID Connect - but you should not really care about that).
As far as I know (but I've not used that myself) you could also use keycloak to maintain the LDAP users data and write changes back to LDAP (see "Edit Mode" in Keycloak documentation)
Check Keycloak documentation regarding LDAP stuff to get more information https://www.keycloak.org/docs/6.0/server_admin/#_ldap
Beside the User-Data Topic, Keycloak provides a lot of different Protocols (like SAML and OpenIDConnect) to provide authentication for your services. So you could use different/multiple authentication protocols depending on your applications with just one "LDAP-Backend"
I have scoured this and many other sites to find an answer but have come up short every single time. If this is a duplicate, I am very happy to accept direction to the original question with an answer:
I have built an MVC 4 site and I am using the Authorize tag where needed and this is working as expected.
My issue is that I require a mechanism by which to prompt the user (already logged in or some other valid user in the domain) to enter their windows credentials on one page in order to confirm/authorize that user. This is not what the authorize filter is doing. The authorize filter is actually authenticating the user. Thus changing the User.Identity information accordingly.
Is it possible to just authorize a user (not authenticate) without actually changing the User object?
Just returning the 401 response forces the windows prompt but that, in turn, does an authentication, not an authorize.
While a solution could be achieved with a custom action that accepts username/password input, my requirement specifically calls for the native browser windows prompt to be displayed.
The site is using IIS Express and is set up for windows authentication and every aspect of this does what I need. Except for the issue of "true" authorization mentioned above. The browser has to be IE9. Currently running on Windows 10.
No. You're currently using Windows Authentication, and this is how it works. There is no need to login because the user is already logged into Windows, that's the point.
To do what you want, you would need to use an individual auth library like Identity. Which will give you the login capability. However, that doesn't work with AD out of the box, but you can add that in yourself. In otherwords, instead of using the Identity functionality to look a user up by username and password to authenticate, you'd connect to AD over LDAP, and verify the credentials there. You'd also need to use the LDAP connection to add the user's groups in AD to the their roles in Identity. Then, you can utilize the Authorize attribute as normal.
Long and short, if you want to actually allow the user to login as any AD user, then you're pretty much on your own. There's no builtin functionality for that. It's relatively straight-forward, if not entirely easy, to set something up yourself for that that, but again, that's on you.
I am developing kentico application and i need to used windows authentication or claim based authentication depend on the user. If the user is Active directory user user should be able to login using username and password. If the user is not a Active directory user, user redirect to third party site for claim based authentication.
I wonder it is possible to implement this requirement with Kentico 9 CMS. If possible what is the best approach ?
Based on Kentico documentation claims based authentication with AD would work out of the box with just proper settings.
You can start on the following page and links over there should connect you t configuration as well:
https://docs.kentico.com/display/K9/Claims-based+authentication
Aproach Michal suggested would work for third party authentication.
Here is how you can implement AD authentication (quite easy): https://docs.kentico.com/display/K9/Configuring+mixed-mode+authentication
Unfortunately I'm not sure you can mix them together.
Authentication.Execute custom event handler might be a right place to inject your custom implementation for it.
Scenario
We are building a new RESTful API for our web application. This API will serve our mobile applications, our web application and authorised customers.
We are using Apigility to build the API and are making use of the OAuth2 implementation it provides.
Currently, our web application relies on a users table, with permissions assigned to each user. These users simply log-in using a web form, and the session is then stored and appropriate permissions checked upon access.
We want to be able to authenticate API access (such as our web app, and authorised customers), so no unauthorised access to the API can happen. However, we also want to authorize the permissions at a user level, therefore some sort of user authentication must also happen as well.
Any authorised access to the API may use a different user, so relying on a single user per client will not work, especially since the permissions are on a per user basis. We also do not want any user to be able to use the API without prior authentication, so wanted to avoid adding every user as a client to OAuth2.
For example:
The web app is authenticated with the API with two users using it:
UserA has user management permissions
UserB does not have user management permissions
Therefore, UserA can POST to /users and receive a 200 OK while UserB should receive a 403 Forbidden.
What we have tried
We have created an example application, and have successfully set up authentication using OAuth2 for the high-level clients and can make calls as expected. But we have not been able to create an authorization model for our users based on this.
We though adding a custom HTTP header with a user token that is provided after an authenticated call to /user/login. But we are not sure if this is the correct method.
The question
How can we both authenticate the high-level clients (such as our web app, or authorised customers) but then authorize access based on the user actually using the system?
You have a few options available to you:
Token-level permissions
You can provide different tokens for each user account, and tie permissions to the token. This runs the risk of the wrong tokens being mixed up with the wrong users. However, this also has the advantage of not having to maintain a user<->token relationship, as the permission is decided at the token level. How you decide which token to generate can be tricky.
User-level permissions
You can tie a user account to a token and that user can then be given read/write permissions. This reduces the risk of a user having a wrong token as they're linked. With this method, you can use the same method of token generation for all user accounts as the token is ignorant of the permission, but does allow them "access" to the API (thus preventing unauthorised access).
I've deliberately avoided mentioning specific types of authentication tokens, as these two concepts can apply to most of the popular choices on the web (token-based, OAuth based).
OAuth has no concept of Identity.
You should look into using OpenID Connect which is a profile on top of Oauth 2.0.
I'm trying to implement OpenID authentication in a simple JSP app.
The FORM-based authentication really drives me nuts, since there is no way to listen for pre, post-authenticate events.
When I receive user information from OpenID-provider I want to suggest them to fill out simple registration form (i.e. edit details received from identity provider, and optionally add some additional information). But if I use standard "j_security_check" action, those details are lost. If I try to log in user programmatically (i.e. using HttpServletRequest#login(user, password) I can't redirect the user to the originally requested URL (since only FormAuthenticator keeps this information).
Is there a way to manually control authentication mechanism, using some pre-configured JDBC realm? That is, I don't want to specify <login-config /> in my web.xml, but when calling HttpServletRequest#login I want to authenticate against JDBC realm. Is this possible?
no, that is basically not possible with what GlassFish offers ootb.
You need to dig deeper. You would end up using a custom JAAS LoginModule and the JSR-196 Login Bridge.
Some more pointers:
http://www.java.net/forum/topic/glassfish/glassfish/gf-and-generic-jaas-loginmodule?force=316
https://blogs.oracle.com/nasradu8/entry/loginmodule_bridge_profile_jaspic_in