Keycloak Gatekeeper 7.0.0 multiple client Id skip-client-id option - keycloak-gatekeeper

In older versions of Keycloak Gatekeeper, there was the option
--skip-client-id skip the check on the client token (default: false)
I am using Keycloak Gatekeeper 7.0.0, where the option has been removed.
My problem is, I am using microservices with MULTIPLE client IDs. But as I understood, the gatekeeper only supports 1 client ID.
The question is:
How can I configure the Gatekeeper to accept requests for multiple client IDs?
The documentation is not giving any hints for that.
Has anyone faced the same problem?
Thanks in advance!
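What "only supports 1 client ID" means in practice is the audience check: a proxy configured with one client ID rejects any token whose aud claim does not contain it. The following is an added example, not keycloak-gatekeeper's code, showing that check written against a set of allowed client IDs instead of a single one. The HS256 signing helper and the shared secret exist only so the example runs offline (a real proxy verifies RS256 tokens against the realm JWKS). One Keycloak-specific caveat: a token only carries another client's ID in aud if an audience mapper or client scope puts it there; by default the access token's aud is "account".

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret so the example can sign and verify offline (HS256).
# A real deployment verifies RS256 tokens against the realm's JWKS instead.
SECRET = b"constructed-example-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS (HS256) for the constructed test tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_token(token: str, allowed_client_ids, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if signature, expiry and audience check out, else raise.

    allowed_client_ids is the set of client IDs this proxy fronts: with one
    element this is the single-client check, with several it is the
    multi-client variant the question asks for.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    aud = claims.get("aud")
    # RFC 7519 section 4.1.3: aud is either one string or an array of strings
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if not audiences & set(allowed_client_ids):
        raise ValueError(f"audience {sorted(audiences)} contains none of the allowed client IDs")
    return claims
```

The signature is checked before anything in the payload is trusted, and the audience test is a set intersection, so a token minted for svc-a is accepted by a proxy fronting svc-a and svc-b but rejected by one fronting only svc-b.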

Related

Keycloak, PKCE and external IDP

I have a requirement where I need to federate to an IDP. I have never had issues in the past, and in this instance I have an issue because the third-party/external IDP has PKCE enabled and enforced.
Is there a way to federate to an IDP which has PKCE enabled? Basically, in other words, I should be able to forward/send code_challenge and code_challenge_method to the external IDP. I can enable PKCE on my IDP without any issues and forward the same headers to the external IDP if required, but I don't see a way to do it. I tried to configure the "Forwarded Query Parameters" field on the Identity Provider Configuration as well, but to no avail.
However, I came across this ticket https://issues.redhat.com/browse/KEYCLOAK-9809 where it is said that this is not supported since it's only supported for public clients - so is it still the case?
In addition to this, if this is not supported, what is the recommended way to get around this? I mean, I could ask the external IDP folks to change their configurations, but I'd like to know the recommended way before proposing a way out.
Thanks a lot.
The issue is apparently resolved on ticket - https://github.com/keycloak/keycloak/pull/7381
According to this ticket - the issue is resolved in version 13.0.0. Unfortunately, I have moved away from this project - so if someone can confirm that this works with 13.0.0 - I can mark this as the answer and close off the post.
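What the external IdP is enforcing is RFC 7636: the client sends a code_challenge with the authorization request and must present the matching code_verifier when it redeems the code, so a broker that does not do the client half gets "invalid_grant" at the token endpoint. The following is an added example, not Keycloak's broker code, showing both halves of the exchange: the client-side verifier/challenge generation and the authorization request, and a minimal authorization server that stores the challenge with the code and enforces it on redemption. The endpoint URLs, client_id and the AuthorizationServer class are constructed for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum
    return b64url(secrets.token_bytes(nbytes))


def challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authz_endpoint, client_id, redirect_uri, state, verifier=None):
    """Client side: the request a broker has to send to a PKCE-enforcing IdP.

    Without a verifier this is the plain request the thread says fails.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if verifier is not None:
        params["code_challenge"] = challenge_s256(verifier)
        params["code_challenge_method"] = "S256"
    return f"{authz_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Server side (constructed): remembers the challenge per code and checks
    the verifier at the token endpoint. With require_pkce it behaves like the
    external IdP in the question."""

    def __init__(self, require_pkce=True):
        self.require_pkce = require_pkce
        self.codes = {}

    def authorize(self, url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if self.require_pkce and q.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: PKCE with S256 is required")
        code = "code-" + secrets.token_hex(8)
        self.codes[code] = (q.get("code_challenge"), q.get("code_challenge_method"))
        return code

    def token(self, code: str, code_verifier=None) -> dict:
        if code not in self.codes:
            raise ValueError("invalid_grant: unknown or already used code")
        challenge, method = self.codes.pop(code)  # codes are single use
        if method == "S256":
            if code_verifier is None or not 43 <= len(code_verifier) <= 128:
                raise ValueError("invalid_grant: code_verifier missing or malformed")
            if not secrets.compare_digest(challenge_s256(code_verifier), challenge):
                raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer"}
```

The verifier never leaves the broker until the back-channel token request, which is the property that makes an intercepted authorization code useless on its own; the challenge_s256 function reproduces the RFC 7636 Appendix B test vector.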

Cluster authentication

According to this documentation -> https://apacheignite.readme.io/docs/advanced-security, it's said that the authentication mechanism only applies to JDBC connections.
Here is our scenario: we don't need any security per connection from client to server, but we want all clients to authenticate before entering the server topology, which will happen when doing this -> Ignition.getOrStart(CFG).
Is there any way we can achieve this?
Take a look at: https://www.gridgain.com/docs/latest/administrators-guide/security/authentication
You have the option of building your own security plugin, as detailed in the Authorization section of the URL you mentioned: https://apacheignite.readme.io/docs/advanced-security#section-authorization
More info here: https://www.gridgain.com/docs/latest/administrators-guide/security/custom-authenticators

RabbitMQ - use HTTP auth backend only for authentication?

Per https://www.rabbitmq.com/access-control.html, RabbitMQ has the ability to use authentication (who is the user?) and authorization (what can the user do?).
I'm using a rather obscure plugin for authorization already. I was wondering if there was a way to use the HTTP backend ONLY for authentication, because it would gel extremely well with the Django server that this project is using (users on the Django server may be allowed onto the Rabbit server).
Thanks
Never used it before, but this plugin should solve it:
https://github.com/rabbitmq/rabbitmq-auth-backend-http
This plugin provides the ability for your RabbitMQ server to perform authentication (determining who can log in) and authorisation (determining what permissions they have) by making requests to an HTTP server.
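The split the question asks for is done on the RabbitMQ side, not in the plugin: the rabbitmq.conf access-control settings let you name one backend for authentication and another for authorization (auth_backends.1.authn = http together with auth_backends.1.authz set to the other plugin, as I read the access-control page; verify against your version), and then the HTTP backend only ever calls the URL configured as auth_http.user_path. The following is an added example of that user endpoint, written as a plain WSGI app rather than the Django view the poster would write, and not code from the plugin or from RabbitMQ: it answers "allow" plus optional tags or "deny" in the body with a 200 status, which is the plugin's protocol. The user store, the /auth/user path and the call() helper are constructed for the example.

```python
import hashlib
import hmac
import io
import os
from urllib.parse import parse_qs

# Constructed user store: username -> (salt, PBKDF2 digest, RabbitMQ tags).
USERS = {}
ITERATIONS = 50_000  # kept low so the example runs quickly; raise it in production


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(username: str, password: str, tags=()):
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(password, salt), tuple(tags))


def authenticate(params: dict) -> str:
    """Response body for the user_path request: 'allow [tag ...]' or 'deny'.

    params is the parsed form or query data the plugin sends (username, password).
    """
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    record = USERS.get(username)
    if record is None:
        _digest(password, b"\x00" * 16)  # spend the same time on unknown users
        return "deny"
    salt, digest, tags = record
    if not hmac.compare_digest(_digest(password, salt), digest):
        return "deny"
    return ("allow " + " ".join(tags)) if tags else "allow"


def app(environ, start_response):
    """WSGI entry point. Only the user_path is served here; vhost, resource and
    topic decisions belong to the authorization backend configured alongside,
    so anything else answers 'deny' (fail closed if someone points authz here)."""
    if environ["PATH_INFO"] == "/auth/user":
        if environ["REQUEST_METHOD"] == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            params = parse_qs(environ["wsgi.input"].read(length).decode())
        else:
            params = parse_qs(environ.get("QUERY_STRING", ""))
        body = authenticate(params)
    else:
        body = "deny"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def call(method: str, path: str, form: str = "") -> str:
    """Drive app() without a server, shaped like the plugin's GET or POST."""
    raw = form.encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": form if method == "GET" else "",
        "CONTENT_LENGTH": str(len(raw)) if method == "POST" else "0",
        "wsgi.input": io.BytesIO(raw if method == "POST" else b""),
    }
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

Two things worth keeping when porting this to Django: the endpoint must be reachable only from the broker over TLS, since the password travels in the request, and the lookup should cost the same for unknown and known users so that usernames cannot be enumerated by timing.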

Restful CAS client and Proxy Granting Tickets

I have an application that uses a CAS server to authenticate. I first use a REST call to generate a ticket generating ticket which is then validated successfully and a service ticket is generated.
My next step is to pass this ticket to another webapp as a parameter in a web service call and let them login to the same CAS server with it. Apparently this kind of behaviour is possible if I use proxy granting tickets instead of ticket granting tickets but I can't see any way to get a PGT through the REST client.
Can anyone help with getting PGTs, or am I on a wild goose chase?
Try looking at https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
I went through the example, mimicking the various calls in code, and it worked fine. The tricky bit was then writing the code to represent that code. In my case, it had to fit in with Spring Security.
Spring Security comes with libraries for authenticating to a stateless service using CAS. This includes requesting a ProxyGrantingTicket and then requesting a ProxyTicket.
The Spring Security 3.1.6 docs describe this in section 22.3.3.
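The reason the REST client alone cannot hand you a PGT is that CAS never returns one in the validation response: when you validate a service ticket with a pgtUrl, the response carries a PGTIOU, and the PGT itself is delivered in a separate HTTPS call from CAS to that pgtUrl. Your application has to keep the IOU-to-PGT mapping and then call /proxy to get a proxy ticket for the target service, which the other webapp validates like any service ticket. The following is an added example of that whole exchange in Python, not the jasig walkthrough's code and not Spring Security's; a FakeCas class stands in for the server so both sides' messages are visible offline, and every ticket value, user name and host name is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
APP, TARGET = "https://app.example/", "https://other.example/ws"   # constructed services


class ProxyCallback:
    """The app's pgtUrl endpoint. CAS calls it with pgtIou and pgtId; keep the map."""
    def __init__(self):
        self.iou_to_pgt = {}

    def handle(self, query_string):
        q = parse_qs(query_string)
        self.iou_to_pgt[q["pgtIou"][0]] = q["pgtId"][0]


class CasRestClient:
    """http(method, url, form) -> (status, headers, body) is injected so the
    same client runs against a real server or the fake below."""
    def __init__(self, cas_base, http, pgt_url, callback):
        self.cas, self.http, self.pgt_url, self.callback = cas_base, http, pgt_url, callback

    def login(self, username, password):
        status, headers, _ = self.http("POST", f"{self.cas}/v1/tickets",
                                       {"username": username, "password": password})
        if status != 201:
            raise PermissionError("CAS login failed")
        return headers["Location"].rsplit("/", 1)[1]          # TGT id from Location

    def service_ticket(self, tgt, service):
        _, _, body = self.http("POST", f"{self.cas}/v1/tickets/{tgt}", {"service": service})
        return body.strip()

    def validate(self, service, ticket, want_pgt=False):
        """Validate ST or PT; with want_pgt, ask CAS to deliver a PGT to pgtUrl."""
        params = {"service": service, "ticket": ticket}
        if want_pgt:
            params["pgtUrl"] = self.pgt_url
        _, _, body = self.http("GET", f"{self.cas}/p3/serviceValidate?{urlencode(params)}", None)
        root = ET.fromstring(body)
        user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=CAS_NS)
        if user is None:
            raise ValueError(root.findtext("cas:authenticationFailure", namespaces=CAS_NS))
        iou = root.findtext("cas:authenticationSuccess/cas:proxyGrantingTicket", namespaces=CAS_NS)
        return user, (self.callback.iou_to_pgt.get(iou) if iou else None)

    def proxy_ticket(self, pgt, target_service):
        params = urlencode({"pgt": pgt, "targetService": target_service})
        _, _, body = self.http("GET", f"{self.cas}/proxy?{params}", None)
        root = ET.fromstring(body)
        pt = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
        if pt is None:
            raise ValueError(root.findtext("cas:proxyFailure", namespaces=CAS_NS))
        return pt


def _xml(inner):
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">{inner}</cas:serviceResponse>'


class FakeCas:
    """Constructed stand-in for the CAS server; deliver_pgt plays its HTTPS call to pgtUrl."""
    def __init__(self, deliver_pgt):
        self.deliver_pgt, self.tickets, self.pgts, self.n = deliver_pgt, {}, set(), 0

    def _next(self, prefix):
        self.n += 1
        return f"{prefix}-{self.n}"

    def __call__(self, method, url, data):
        u = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        if method == "POST" and u.path == "/cas/v1/tickets":
            if (data["username"], data["password"]) != ("jdoe", "correct-horse"):
                return 401, {}, ""
            return 201, {"Location": f"{u.scheme}://{u.netloc}/cas/v1/tickets/{self._next('TGT')}"}, ""
        if method == "POST" and u.path.startswith("/cas/v1/tickets/TGT-"):
            st = self._next("ST")
            self.tickets[st] = data["service"]
            return 200, {}, st
        if u.path == "/cas/p3/serviceValidate":
            if self.tickets.pop(q["ticket"], None) != q["service"]:   # single use, bound to service
                return 200, {}, _xml('<cas:authenticationFailure code="INVALID_TICKET">bad ticket</cas:authenticationFailure>')
            extra = ""
            if "pgtUrl" in q:
                iou, pgt = self._next("PGTIOU"), self._next("PGT")
                self.pgts.add(pgt)
                self.deliver_pgt(urlencode({"pgtIou": iou, "pgtId": pgt}))   # out-of-band delivery
                extra = f"<cas:proxyGrantingTicket>{iou}</cas:proxyGrantingTicket>"
            return 200, {}, _xml(f"<cas:authenticationSuccess><cas:user>jdoe</cas:user>{extra}</cas:authenticationSuccess>")
        if u.path == "/cas/proxy":
            if q["pgt"] not in self.pgts:
                return 200, {}, _xml('<cas:proxyFailure code="INVALID_TICKET">unknown pgt</cas:proxyFailure>')
            pt = self._next("PT")
            self.tickets[pt] = q["targetService"]
            return 200, {}, _xml(f"<cas:proxySuccess><cas:proxyTicket>{pt}</cas:proxyTicket></cas:proxySuccess>")
        return 404, {}, ""


def run_proxy_flow(password="correct-horse"):
    cb = ProxyCallback()
    cas = FakeCas(cb.handle)
    client = CasRestClient("https://cas.example/cas", cas, APP + "pgtCallback", cb)
    tgt = client.login("jdoe", password)
    st = client.service_ticket(tgt, APP)
    user, pgt = client.validate(APP, st, want_pgt=True)
    pt = client.proxy_ticket(pgt, TARGET)
    other_user, _ = client.validate(TARGET, pt)   # what the second webapp does with the PT
    return user, pgt, pt, other_user
```

The pgtUrl callback must be served over HTTPS with a certificate CAS trusts, otherwise CAS silently omits the proxyGrantingTicket element and the IOU lookup yields nothing; that, rather than the REST calls, is usually where this flow stalls.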

OpenID on Community Server

Okay, I've asked on the Community Server Forums and was totally ignored. So I'll ask here. The OpenID provider (presumably janrain) for CommunityServer does not work with an SSL OpenID endpoint. I really don't know of a non SSL OpenID endpoint and even if I did...I'm not sure if I'd want to use it.
I have a Community Server installation and all of my users are complaining that the signup/login form appears to support OpenID but doesn't in reality. Has anyone encountered this issue and addressed it?
Thanks in advance.
CS currently uses an old version of Janrain's C# library. I think the next version is expected to use dotnetopenid. But even in its current release I would expect it to work just fine with SSL OP endpoints. If it didn't, then no OpenIDs from myopenid.com would work for logging into CS and I would expect the CS guys would have noticed that.
However, if specific endpoints are broken, it may be a sign of another problem. If you can give specific OpenID endpoints that are not working, then please send an email to dotnetopenid@googlegroups.com and I'll be happy to investigate it further.
There's a test OP Endpoint that is non-SSL that you can try out to see if it works by logging into your CS with this: http://nerdbank.org/opaffirmative/affirmativeidentity.aspx (yes, that's actually a valid OpenID you can log in with without using a password).