I have a WSO2 Identiy server installed and i have written some java code to get user information with oauth 2. For this I am using OLTU. I have connected correctly and after negotiating the access_code, I ask for the userinfo endpoint like this:
https://<serverIP>:9443/oauth2/userinfo?schema=openid
I get user info correctly in JSON format:
{"email":"xxxx#xxx.aa","name":"xxx","family_name":"xx","preferred_username":"xxx","given_name":"xx"}
What I find is that no role information is returned. I have created some custom roles and asigned the users. They don't have any permisions asigned.
Do I have to configure anything in the server? The request has to be made in any other way? What am I doing wrong?
There are two ways to add this claim mapping. It's depends on your requirement.
To get this done has to add a role claim mapping under "http://wso2.org/oidc/claim" claim dialect. This can be done in following ways
Case 1 : For fresh WSO2IS before first startup
Go to <IS_HOME>/repository/conf/claim-config.xml file<br/>
Add following configuration under <Dialect dialectURI="http://wso2.org/oidc/claim"><br/>
<Claim>
<ClaimURI>Roles</ClaimURI>
<DisplayName>Roles</DisplayName>
<AttributeID>role</AttributeID>
<Description>role of the user</Description>
<DisplayOrder>10</DisplayOrder>
<SupportedByDefault />
</Claim>
Case 2: For already running server.
Login to the Identity server management console as admin user.
Click the Configure button to access the Configure menu
Click on http://wso2.org/oidc/claim Dialect.
Click on "Add New Claim Mapping" and set the above details.
(There you will get an error which is known issues. But that value will store. Then again edit it and set Mapped Attribute again)
Then restart the server. Now you can get user info with roles
Related
I have implemented a custom Keycloak UserStorageProvider SPI (following point 11 of official Doc: https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi) which does following:
Authenticate users (not previously existing on the local store) against an
external auth service.
Save the (successfully authenticated against our custom service) user into
the Keycloak local store.
After the users have been imported on keycloak's local store (after users
successfully loged themselves in), the admins are then able to map roles
to those users for resource authorization from keycloak's admin console.
The problem I'm running into is following: Step 1 and 2 work perfectly. And regarding step 3, I can log myself successfully with a user that was saved on the keycloak's local store (after finding it on the external UserProvider), BUT (an here lies the crux of the problem); as soon as I add any role to that imported user, then I can't log myself anymore into that account and the logs show that my custom UserStorageProvider isn't being used anymore from that point onwards when login for that user. Somehow attaching a role to that user makes him invisible to my custom UserStorageProvider (even if I delete the role/(s) again).
In the best case scenario I'm trying to achieve, I'd be able to "log in" with the user (saved locally after authenticated form external SPI), even after assigning roles to him.
Any feedback would be greatly appreciated!!
Thanks in advance for your suggestions.
In the case somebody has this problem in the future, when you implement a provider SPI, you have 2 options as the doc mentions. Federated Store and importing users to the local Keycloak store. If you go with the importing/synching strategy, it is necessary to set federation link to the provider like this:
<UserModel instance>.setFederationLink(<ComponentModel id>);
If you don't do this, then Keycloak can't "remember" that those imported users should be handled by your provider SPI, and in general you won't have the expected behaviour out of your custom Provider SPI.
I am trying to use java code mention on link: http://www.nexttutorial.com/faq/azureAD/1/Azure-active-directory-graph-api-user-authentication-in-java - but I get below error:
java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50055: Force Change Password.\r\nTrace ID: 7596cf92-f3d6-4baf-a0c9-d166a92d1500\r\nCorrelation ID: 8cccb074-4ae4-4c9b-932b-1f4ddcb514cb\r\nTimestamp: 2017-05-05 08:20:28Z","error":"user_password_expired"}
I haven't used the Java APIs, but I can tell you two things that are the core of the problem:
The user's password has expired
You are using Resource Owner Password Grant flow
You need to change the application to instead show a browser window so the user can reset their password. If you just want to test the code as is, you can open a new Incognito/private/InPrivate window and sign in to e.g. portal.azure.com with the user. That will allow you to make sure they have a working password.
But I would advise against using that sign in flow because of potential problems like this one.
The reason you get the error is that the user needs to set a new password, but the flow you are using cannot support that scenario. It also cannot support the scenario where the user account has MFA enabled/is a Microsoft account etc.
And by the way, if this app is intended not to be used by a user, but just run as is, I would suggest making it a daemon with application permissions on the necessary APIs and then use client credentials flow for authentication. No user account needed then, since the app has the needed rights.
I am working on a java web project where a manager logs into a system and then completes activities on behalf his subordinates. Depending on what AD security group the subordinate belongs to an email may be sent for notification purposes. I am looking for a java 'hasRole' function that will allow me to pass a network id and security group name as parameters and return a boolean to indicate the membership in the group. The app is currently using UserPrincipal to authenticate and check for group membership but this requires user credentials. I would need to connect to AD via a service account then check for membership at that point. Has anyone seen anything like this before? All I have found online are ones simliar to my current setup that only check for the user with the active session.
You can inspect the source code of my Tomcat ActiveDirectoryRealm. I does exactly what you are looking for.
I am working on a third party Java application for which I need to authenticate its users using Active Directory.
This application is hosted on RHEL 6.5, and uses LDAP to authenticate with Windows Active Directory. The AD server has been set up, and is working fine with an earlier version of the application (which was configured to enable the integration).
For the newer version, the vendor has laid out some steps to modify/configure the application files to connect with the AD server, and which are expected to help us authenticate. After making required changes, we are only able to open the UI page, which does not accept the (correct) credentials, the page that helps us with application configuration is not accessible at all.
I am a newbie to this area, and as far as my understanding goes, I would just need to make the suggested changes, and not follow the steps presented in this document, as those are for authenticating the Linux users, and NOT the application's users. Could someone also please confirm the same.
Any help/guidance in this issue would be greatly appreciated.
Thanks very much!
Edit:
I am unable to provide details of the files as it is confidential property, but the changes have to be made in the server property files.
Kindly request more details if necessary, I will try my best to provide them as I can't disclose everything, citing confidentiality reasons.
Thank you very much.
Edit 2:
Have added more details with this edit, which are given below:
The application has one of its component as CAS, which is currently configured to use database as its authentication handler. When we enter the credentials - username: abcd, password: samplepswd, we are able to login successfully.
As the business requirement is that of authentication with Active Directory using LDAP, we have to modify the CAS properties file. As per instructions from the product vendor, we have changed the following properties to use ldap -
authenticationHandler.type=ldap
ldapSSLConfig.enabled=false
ldapContextSource.url=ldap://sample.ADserver.example.net:389
ldapContextSource.userDn=abcd
ldapContextSource.password=samplepswd
ldapAuthenticationHandler.filter=uid=%u
ldapAuthenticationHandler.searchBase=OU=DEF,OU=PQR,OU=XYZ,DC=ADserver,DC=example,DC=net
We also need to make changes in the casAuthConfig xml file for the following properties (as anonymous search is not supported):
1. anonymousReadOnly, value is set to false
2. java.naming.security.authentication, value is set to simple
There is provision to use ldap over SSL as well, but currently we are not using that.
However, if we do use SSL, additional changes have to be made to the following properties:
ldapSSLConfig.enabled=true
ldapSSLConfig.trustStorePath=/home/dir1/subdir1/subdir2/keystorename.keystore
ldapSSLConfig.trustStoreType=jceks
These are the only configuration changes done on our (client) side; and in fact the only changes done. Nothing has been added/modified on the server (AD server), except another user, but that has no impact on the existing setup.
After restarting cas to reflect the changes, we encounter the error of bad credentials, although the values entered are correct:
2015-09-16 12:12:30,558 INFO [com.emeter.cas.authentication.support.DelegatingAuthenticationHandler] - Authenticating credential using handler
com.emeter.cas.adaptors.ldappwd.BindLdapAuthenticationHandler
2015-09-16 12:12:30,558 DEBUG [com.emeter.cas.authentication.support.DelegatingAuthenticationHandler] - credentials.getUsername() = abcd
2015-09-16 12:12:30,672 INFO [com.emeter.cas.adaptors.ldappwd.BindLdapAuthenticationHandler] - Search for cn=abcd returned 0 results.
2015-09-16 12:12:30,672 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler:
com.emeter.cas.authentication.support.DelegatingAuthenticationHandler failed to authenticate the user which provided the following credentials:
[username: abcd]
2015-09-16 12:12:30,676 ERROR [org.jasig.cas.integration.restlet.TicketResource] - error.authentication.credentials.bad
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody10(CentralAuthenticationServiceImpl.java:423)
Can anybody please help with this issue? Or possibly point in the right direction?
Any help would be greatly appreciated.
Thank you.
I have next use case:
We have webstore where user can select some goods and then buy them. He can add goods to his cart before login to application. All of this items must be stored in his session. When user click "pay" button we will ask his credentials/card/etc.
My problem: When I login before add items to cart all works correctly. But when I try to add items to cart as anonymous user, items are not storing. I always receive different JSESSIONID after refreshing each page as anonymous user.
I decide create simple application which illustrate my problem. I think it can't be fixed without my sources.
Here is my application:
https://github.com/AlexTestAccount/simple_test
It very simple. It contais only one controler and session bean where I try save something.
For run it you need gradle, tomcat and define enviropment variable CATALINA_HOME,
than you can use:
gradle deploy
p.s. Sorry for my english
Enable Debug log level for org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
There must be a log statement when you login:
>Invalidating session with Id '<originalSessionId>' <and : without> migrating attributes
If it prints "without migrating attributes" then you need to configure spring securitys SessionFixationProtectionStrategy.migrateSessionAttributes to true (but this should be the default)
An other problem maybe is, that tomcat change the session when you switch from http to https.
To verify that this is the problem: first switch to https (NOT loggedin) and item to your cart and then check if they disappear. But tomcat should normaly preserve the session content while switching from http to https (but not the other way around).
Sorry guys, it was environmental issue.
I just clean all my cookies for localhost and now all works.