So, I'm building an API system. I want to use Keycloak for authentication as well as user management because it has nice access control. I'm integrating it with Ktor and I want my users to use their own UI. Or at least, I want to make the UI.
I've read about theme customization but that's not what I want. I've also come to know that the Keycloak UI is tightly integrated within their code. I was just hoping to know if, at least when one of the client apps is a mobile app, I would be able to use for example the Android UI for the whole login flow?
If it's not possible, which I think is likely the case, is there any other library or framework for access control, preferably one that works with Ktor?
If you do not want to use Keycloak UI nor create your own custom themes, you can leverage the Resource Owner Password Credentials Grant flow.
For this, create a new confidential client or use an existing one. Make sure to toggle the Direct Access Grants Enabled switch to ON.
After this obtain a token from your client (web page, CLI, mobile). Here I'm using curl and jq for simplicity:
KCHOST=https://yourkeycloak.com
REALM=your-realm
CLIENT_ID=your-confidential-client
CLIENT_SECRET=xxxxxxx-yyyyyyyy-zzzzzzzzz
KC_USER=the-end-user
KC_PASS=the-end-user-password
# Resource Owner Password Credentials grant: grant_type=password, sent together
# with the user's credentials (this is what Direct Access Grants enables).
ACCESS_TOKEN=$(curl -s \
  -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
  -d "username=$KC_USER" -d "password=$KC_PASS" \
  -d "grant_type=password" \
  "$KCHOST/auth/realms/$REALM/protocol/openid-connect/token" | jq -r '.access_token')
P.S. For debugging I have created a CLI tool called brauzie that
can help you fetch and analyse your JWT tokens (scopes, roles, etc.). It could
be used for both public and confidential clients. You could as well
use Postman and https://jwt.io
HTH :)
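As an added example (not the answerer's code), a small Python script that decodes the claims a Keycloak access token carries (scopes, realm and client roles, expiry), the kind of inspection the P.S. suggests doing; the issuer, client and role names are made up, and the sample token is built unsigned so it runs offline.

```python
import base64
import json
import time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for offline use; a real Keycloak token
    # carries an RS256 signature over header.payload.
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact(header)),
                     b64url_encode(compact(claims)),
                     b64url_encode(b"dummy-signature")])

def inspect_keycloak_token(token: str, now: Optional[float] = None) -> dict:
    # Decodes the claims an API would act on. It does NOT verify the
    # signature: that needs the realm's public key from its JWKS endpoint.
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "authorized_party": claims.get("azp"),   # client the token was issued to
        "scopes": claims.get("scope", "").split(),
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
        "client_roles": {c: e.get("roles", [])
                         for c, e in claims.get("resource_access", {}).items()},
        "expired": claims.get("exp", 0) <= now,
    }
# Constructed claims shaped like a Keycloak access token (all values made up).
SAMPLE_CLAIMS = {
    "iss": "https://yourkeycloak.com/auth/realms/your-realm",
    "sub": "7c1d1b3e-0000-4000-8000-sample",
    "azp": "your-confidential-client",
    "iat": 1700000000, "exp": 1700000300,
    "scope": "openid profile email",
    "realm_access": {"roles": ["offline_access", "api-user"]},
    "resource_access": {"your-confidential-client": {"roles": ["reader"]}},
}
```

Run `inspect_keycloak_token(make_sample_token(SAMPLE_CLAIMS))` to see the summary; on a real token, pair it with signature verification against the realm's JWKS before trusting any role.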
You can also use the Keycloak Admin Client as described here.
I can ask this question in many ways, like
How to configure Jenkins credentials with Github Personal Access Token
How to clone Github repo in Jenkins using Github Personal Access Token
So this is the problem
The alternate solution that I am aware of
SSH connection
username password configuration in Jenkins. However,
use of a password with the GitHub API is now deprecated.
But my question is how to set up a GitHub connection with Jenkins using a Personal Access Token.
[UPDATE]
The new solution proposed by git is
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Which says:
Beginning August 13, 2021, we will no longer accept account passwords
when authenticating Git operations and will require the use of
token-based authentication, such as a personal access token (for
developers) or an OAuth or GitHub App installation token (for
integrators) for all authenticated Git operations on GitHub.com. You
may also continue using SSH keys where you prefer.
What you need to do:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today
Basically, change the repository URL to
https://<access token>@github.com/<userName>/<repository>.git
Something like this
https://<access token>@github.com/dupinder/NgnixDockerizedDevEnv.git
and set the credentials to none.
Thanks to @Gil Stal
[OLD Technique]
After many discussions on multiple threads on Stack Overflow
I found one thread that is useful.
Refer to this answer:
https://stackoverflow.com/a/61104603/5108695
Basically
A Personal Access Token can be used as a password, as far as Jenkins is concerned at least. I added new credentials to the credential manager.
Go to Jenkins.
Go to Credentials > System > Global credentials > Add Credentials; a page will open.
In the Kind drop-down, select "Username and password".
In Username, put a non-existent username like jenkins-user or user.
Add the Personal Access Token in the Password field.
Now start configuring your project.
In the Source Code Management tab, under Repository URL, select the newly configured credentials from the Credentials drop-down.
So this is how we can configure or set up authentication between Jenkins and GitHub using a Personal Access Token.
References:
Git Clone in Jenkins with Personal Access Token idles forever
Change jenkins pipeline to use github instead of gitlab
The accepted answer won't work anymore because of this: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations.
You will need to:
Change the URL of the repo to: https://<access token>@github.com/<user-name>/<repo-name>.git (Replace every <...> with the real parameters)
Set the credentials to none.
As of August 2021 the answer posted by Dupinder Singh is accurate. The only thing I would add is that if you are part of a team, the url format appears to be a bit different. This is what worked for me:
https://<access token>@github.com/<team>/<repo>.git
for example
https://ghp_6dh3jdk394jsmbh299jjdg20fh87hd83ksk39@github.com/MyKuleTeam/KuleGuyCode.git
Note that if you use a personal access token you don't need to have any github credentials stored in jenkins.
As for credentials for the Jenkins GitHub Plugin, please be aware that only Personal Access Tokens are now accepted by this plugin.
To generate such a token, follow the Github docs (e.g. here). Don't save it, it can be regenerated in Github and updated in Jenkins if lost or when migrating to a different server.
To add the token to the Jenkins credentials store, go to <JENKINS_URL:PORT>/credentials/store/system/domain/_/newCredentials and select Kind "Secret text" (not the default "Username and password"), then paste the token as Secret and choose some ID.
Testing: the credential should appear on the list of Credentials at <JENKINS_URL:PORT>/credentials/ and be selectable from the drop-down list at <JENKINS_URL:PORT>/configure/, where pressing the "Test connection" button should display "Credentials verified for user <GITHUB_USER>".
More info: see the Github plugin docs.
Caveats: the Git Plugin has its long-standing issues, so if the newly created "Secret text" does not appear in your pipelines, try whether this solution helps (with "the user who triggered the build" considered safer than "SYSTEM"):
client-and-managed-masters/why-credentials-are-not-listed-in-the-git-scm-section
There is (yet another) way to do this as of 2020/04 which is supposed to be superior to personal access tokens. The best part is that you can continue using a username/password-style credential, and the plugin will handle authenticating with GitHub in the background.
Benefits include:
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication. No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens. This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotations.
Links:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc
I'm using CKAN with Apache and an SSO system called Cosign. Cosign works as an authenticator in Apache and ends up setting REMOTE_USER before the python code fires up. What I'm trying to do is use LDAP user lookup based on that preset REMOTE_USER. Can I do that with the CKAN ldap plugin (http://extensions.ckan.org/extension/ldap/)? Any advice greatly appreciated - I'm a Python and CKAN novice.
The short answer is that ckanext-ldap doesn't do that. What it does is provide a custom login form (username and password) that authenticates the credentials via LDAP. It then creates a session for the corresponding CKAN user, creating a user account first if required. Having it do anything else would require customisation of the extension although there are a number of options documented in its readme that alter the behaviour in small ways.
Whether ckanext-ldap would be a suitable extension to build upon to achieve what you want depends on what you want to do, which isn't clear from your question.
I want to share data between multiple devices and users running a CouchDB server on iriscouch.com and using Couchbase Lite on iOS and Android. Users should be able to log in with Facebook and email. How do I handle user access to specific documents? I don't want anyone to be able to access the documents and databases. I thought about using HTTP basic auth (replication security), hard-coding username and password into the app code. Unfortunately it is sent as plain text and seems totally insecure. Can you help me out with some ideas about this scenario?
You can use SSL encryption for security. Please refer to the link for enabling SSL:
https://wiki.apache.org/couchdb/How_to_enable_SSL.
I had similar problem while using Basic Auth, hence we had to use SSL to make it more secure.
You can follow this method if you want to use Basic Auth.
1. Encode the username and password
ex: username@password which after encoding becomes dXNlcm5hbWVAcGFzc3dvcmQ=
(use https://www.base64encode.org/ to encode).
2. Using curl, try to authenticate
curl -v -H "Authorization: Basic dXNlcm5hbWVAcGFzc3dvcmQ=" -H "Content-Type: application/json" -X GET IP_Address_and_DatabaseName
In this way you can hide the Username and Password but still anyone can have the encoded string. Hence If possible, try to implement SSL.
Currently I'm accessing JIRA API in C#.Net application with username and password. But I need to access the JIRA API without entering a username and a password even without hashed username and passwords. Is there any way to create an API key and access JIRA API with that?
Yes, JIRA supports OAuth for that purpose, see: https://developer.atlassian.com/display/JIRADEV/JIRA+REST+API+Example+-+OAuth+authentication
Unfortunately there's no C# sample code provided, but you should be able to assemble a solution from the other programming languages here:
https://bitbucket.org/atlassian_tutorial/atlassian-oauth-examples/src
You should use a generic OAuth library anyhow.
Oauth is great for when you need the actual user to log in and you are in the context of a browser.
However, for server-to-server communication that is not linked to any specific user (e.g. CI) you may want to create a "bot" account on your jira server and authenticate with API tokens. Creation of tokens is described here: https://confluence.atlassian.com/cloud/api-tokens-938839638.html
Then you can use [user-email]:[auth-token] as user/password to basic auth. Examples:
Curl
curl -u bot@company.com:AAABBBCCC https://[company].atlassian.net/rest/api/latest/issue/DEV-123
NodeJS got:
const issueContent = await gotService.get(
'https://[company].atlassian.net/rest/api/latest/issue/DEV-123',
{
auth: 'bot@company.com:AAABBBCCC'
}
)
Best approach for this is to read the documentation of the JIRA version you are using, since different versions could have different ways to approach Rest APIs.
For me below endpoint worked with Basic auth:
curl -u username:password -X GET -H "Content-Type: application/json" http://localhost:8080/rest/api/2/issue/createmeta
Does the WSO2 API Manager provide APIs for user registration and management?
To be more specific, the documentation states that the user can sign up using the store interface. Is there also an equivalent API that I can use to:
register new users
to authenticate existing users
to initiate password recoveries
Please add the wso2am tag to this question (see related comment).
Apart from managing users through the product's Management Console, every carbon server also exposes its management services as web services.
As far as user management is concerned, you can find API samples at the following links (note that these might be specific to work on a particular carbon version):
https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/user-manager/user-admin-client/
http://blog.facilelogin.com/2010/05/managing-users-and-roles-with-wso2.html
Yes, API Store has an exposed API which can be used to register new users (User Signup) and authenticate users (Login).
SignUp
curl -X POST -b cookies http://localhost:9763/store/site/blocks/user/sign-up/ajax/user-add.jag -d "action=addUser&username=user2&password=xxx&allFieldsValues="
(The allFieldsValues above are | separated values for the user fields: firstname, lastname, email, etc. e.g. allFieldsValues=lakmali|erandi|lakmali@abc.com)
Login
curl -X POST -c cookies http://localhost:9763/store/site/blocks/user/login/ajax/login.jag -d 'action=login&username=user1&password=xxx'
But password recovery functionality is not available yet. It will be available in future releases.