
keycloak's Issues

How to debug keycloak errors

Is there a way to display the actual requests and responses that are being sent to the keycloak server? This would help tremendously with troubleshooting.

Remove hard dependency for json=3.2.2

The current version of keycloak depends on json=2.6.2, which can cause issues, especially on ruby ~>3.2, which has json=2.6.3 as its default json gem.
If the user activates any gem that requires "json" on ruby 3.2.2, json version 2.6.3 will be activated.
And if this happens before keycloak is loaded, you will get an activation exception after loading keycloak:
Unable to activate keycloak-3.2.2, because json-2.6.3 conflicts with json (= 2.6.2) (Gem::ConflictError)
See #49

Undefined method 'exists?' in get_installation method

Probably just a typo, but when using the gem without a manually generated config/keycloak.json, using only an initializer file config/initializers/keycloak.rb, I couldn't use the Keycloak::Client.get_token method because of this error:

/home/XYZ/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/keycloak-3.2.2/lib/keycloak.rb:339:in `get_installation': undefined method `exists?' for File:Class (NoMethodError)

        if File.exists?(Keycloak.installation_file)
               ^^^^^^^^
Did you mean?  exist?

Gemspec version dependencies are still too strict

Hey there,

I issued PR #40 a while back, and it was closed recently by e22054f.

Unfortunately, the gem versions declared are still too strict:

  spec.add_runtime_dependency "rest-client", "~> 2.1.0"
  spec.add_runtime_dependency "jwt", "~> 2.4.1"
  spec.add_runtime_dependency "json", "~> 2.6.2"

The jwt gem's latest version is currently on 2.8.2, and the json gem is currently on 2.7.2.

When you declare your runtime dependencies with the ~> operator, it effectively means we cannot run the latest versions of those gems in our project alongside this gem, and can only run 2.4.1+ to < 2.5.0 for jwt and 2.6.2+ to < 2.7.0 for json respectively.

I've checked, and there is no reason not to allow 2.4.x+ and 2.6.x+ as dependencies, as this gem will a) be more compatible with existing projects, and b) allow us to upgrade shared dependencies past the versions declared in this gem, which is especially important when vulnerabilities have been found.

Could you please change the runtime dependencies to at least something like the below, which will make this gem more compatible without causing problems for itself?

  spec.add_runtime_dependency "rest-client", "~> 2.1"
  spec.add_runtime_dependency "jwt", "~> 2.4"
  spec.add_runtime_dependency "json", "~> 2.6"

Strange behavior of Keycloak::Internal.create_simple_user

Hi,

I've noticed that when Keycloak's realm is set to use "Email as username", the method Keycloak::Internal.create_simple_user raises a Keycloak::UserLoginNotFound. This is confusing because the user was actually created in Keycloak with the email replacing the username (as expected).

Digging a bit into the code, I've found that this line might be the source of the trouble.

user = get_user_info(username, true, client_id, secret) if new_user

I have some ideas on how to solve this. I will try them later when I get some free time.

cheers!

Support Bearer-only authentication

Currently the lib forces you to receive the token through cookies and to store it in cookies, and this makes the lib impossible to use with Rails in API mode.

I suppose this is the same issue as #23.

Sign In not working

Hi, I am using keycloak 14 and basically the example code from the example app for this gem. However, even though I get my token, it still thinks I am not signed in.

I did sign myself in manually from the better_errors console:

but still nothing.

any help is highly appreciated!

thanks,
Andreas

JSON::ParserError Exception: 784: unexpected token

Hi guys,

Why do we need to parse the token as JSON? It causes an error since access_token is not a JSON-formatted string:
https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L299

I read the example you provided, and it seems proc_cookie_token returns a string:
https://github.com/imagov/example-gem-keycloak/blob/master/app/controllers/application_controller.rb#L8

Keycloak.proc_session_token = lambda do
session[:keycloak_token]
end

Keycloak.proc_session_token.call
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ2endqUkFJdE10dHlONjR5RTBCRlh6WTV0MFFOn4iNvn3wOD8OAKn5G4n3AdWgh9HuU-fmHgkrIUSyXx1Evci0OT3row8jHVR-zvobRqaF79BJB43kjhLjMjOwgTKjtEw7yM4wgtwTIX_4Vl3MjkXHSZ96dWhoG7Tw5HV1lIbGaCuPtjtcD_7IF2N8pKZK02lYO6gmBPkB4eNtyTmGYsG3_58IAi6vnqTljzX4IrcLhCWuxWvOrFg"

JSON Keycloak.proc_session_token.call
*** JSON::ParserError Exception: 784: unexpected token at 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ2endqUkFJdE10dHlONjR5RTBCRlh6WTV0MFFOn4iNvn3wOD8OAKn5G4n3AdWgh9HuU-fmHgkrIUSyXx1Evci0OT3row8jHVR-zvobRqaF79BJB43kjhLjMjOwgTKjtEw7yM4wgtwTIX_4Vl3MjkXHSZ96dWhoG7Tw5HV1lIbGaCuPtjtcD_7IF2N8pKZK02lYO6gmBPkB4eNtyTmGYsG3_58IAi6vnqTljzX4IrcLhCWuxWvOrFg'

Keycloak openid_configuration fails with error when Keycloak.proxy is nil

When using Keycloak without a proxy, if the proxy is not explicitly set to an empty string '', then certain Keycloak requests will fail with NoMethodError: undefined method `empty?' for nil:NilClass.

This is caused by calling empty? on Keycloak.proxy here: https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L331 . In a non-Rails project without ActiveSupport, the empty? method is not present on NilClass.

Solution:
Check for nil before attempting to call empty?, or use the safe navigation operator.
A major caveat to using the safe navigation operator in a gem is that it is only present in ruby versions 2.3.0 and newer.

User creation not working

I cannot create a new user via the function Keycloak::Internal.create_simple_user(... as it is implemented in the demo app. I found out that there is a problem with the code here:

      begin
        username.downcase!
        user = get_user_info(username, true, client_id, secret)
        new_user = false
      rescue Keycloak::UserLoginNotFound
        new_user = true
      rescue
        raise
      end

where the code does not run into the first rescue block. I could quick-fix it with

     ...
      rescue Keycloak::UserLoginNotFound
        new_user = true
      rescue
        new_user = true # the explicit rescue handler above does not work
        #raise
      end

Can anybody confirm this bug?
I will dive deeper soon, since we need the gem urgently.

Allow configuration without keycloak.json file

The keycloak gem should provide a configuration option without the keycloak.json file. Currently settings like client_id or secret can only be supplied via that file, and without those settings, operations like get_token or get_token_by_refresh_token fail.

Use case: I don't want sensitive information (client_id, secret) to be stored in a file that does not integrate well with the "normal" way I configure environment-specific setup (e.g. for the test environment or the prod environment). I use environment variables for that. In my view it would be best if keycloak allowed configuring all necessary settings in code via the Keycloak module, as is already the case for realm and auth_server_url.

Keycloak.proc_cookie_token is not thread safe

Hi,

Recently I found an issue with using the keycloak gem inside a Rails application backed by the Puma web server in a multi-threaded setup. When simulating multiple requests coming from two different sessions, the content of the keycloak_token cookie gets overwritten. This results in processing a request with a "foreign" access_token, potentially exposing sensitive data. After excluding all kinds of sources for the error, I came to the conclusion that the following line of code inside the ApplicationController initialize function

Keycloak.proc_cookie_token = -> do cookies.permanent[:keycloak_token] end

as described in your README (...Note: The Keycloak.proc_cookie_token and Keycloak.proc_external_attributes attributes can be defined in the initialize of the controller ApplicationController...) is the source of the problem. If multiple requests from different sessions are rolling in, a race condition occurs, wrongly altering the access_token for some of the requests.

If you need further information, please let me know. I also wrote a small ruby script showcasing the issue in a nutshell (not related to keycloak, but using a lambda set to a static variable with multiple threads).

Gem version: 2.4.1
Rails version: 5.2.3
Ruby version: 2.6.3
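The race described above, as an added example (not the gem's code and not the issue author's script): a stand-in for the module-level Keycloak.proc_cookie_token assigned per request from a controller's initialize, beside an assumed per-thread alternative, with two simulated sessions on two server threads.

```ruby
# Added example: why a process-wide proc set per request races under a
# threaded server, and how a thread-local proc keeps sessions apart.

# Mirrors the gem's pattern: one accessor shared by every thread in the process.
module SharedProcStore
  class << self
    attr_accessor :proc_cookie_token
  end

  def self.token_for_request
    proc_cookie_token.call
  end
end

# Same interface, but the proc lives in thread-local storage (assumed fix,
# not something the gem provides).
module ThreadLocalProcStore
  def self.proc_cookie_token=(prc)
    Thread.current[:keycloak_proc_cookie_token] = prc
  end

  def self.token_for_request
    Thread.current[:keycloak_proc_cookie_token].call
  end
end

# Two requests from different sessions on two threads. The queues pin the
# interleaving "alice initializes, bob initializes, both read their token",
# so the race is reproduced deterministically instead of by luck.
def run_two_requests(store)
  alice = { keycloak_token: 'token-for-alice' } # constructed cookie jars
  bob   = { keycloak_token: 'token-for-bob' }
  alice_assigned = Queue.new
  bob_assigned = Queue.new
  t_bob = Thread.new do
    alice_assigned.pop                                    # wait for alice's initialize
    store.proc_cookie_token = -> { bob[:keycloak_token] } # bob's controller initializes
    bob_assigned.push(true)
    store.token_for_request
  end
  t_alice = Thread.new do
    store.proc_cookie_token = -> { alice[:keycloak_token] } # alice's controller initializes
    alice_assigned.push(true)
    bob_assigned.pop                                       # bob's initialize ran meanwhile
    store.token_for_request                                # alice's action reads "her" token
  end
  { alice: t_alice.value, bob: t_bob.value }
end
```

With SharedProcStore alice's request reads token-for-bob; with ThreadLocalProcStore each request reads its own token. On a pooled server thread the thread-local value must also be cleared when the request ends, or the next request served by that thread inherits it.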

Wrong 'auth-server-url' in keycloak.json

Hey,

First, thanks for this repository!

I had a problem when using keycloak 8.0.0 with your gem.
I got a 404 response from keycloak. I noticed it comes from a double slash.
Here is my keycloak.json from the client installation tab:

 {
  "realm": "my_application",
  "auth-server-url": "http://localhost:8080/auth/", <-- last slash
  "ssl-required": "external",
  "resource": "client_name",
  "verify-token-audience": true,
  "credentials": {
    "secret": "secret_key"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "policy-enforcer": {}
}

I changed my keycloak.json for now.

Keycloak raises ActionController::RoutingError, which does not exist in the gem

Keycloak implicitly depends on Ruby on Rails because it depends on Rails constants being present and loaded when performing certain actions.

For example, here it raises ActionController::RoutingError, which is a Rails-specific error and which exists neither in the keycloak gem nor in the gem's dependencies specified in the gemfile. https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L876

The gem should not implicitly depend on any libraries not explicitly included in the gemfile.

README file in english

Hi,

I'd like to know if you plan on translating the README into English, as I (sadly) can't read Portuguese.

Thanks in advance,

How to integrate keycloak with rails api

I want to integrate keycloak with a rails api app. In the npm package there is a function called login-required; is there any similar function available in the keycloak gem?

the library doesn't check the token signature

I've just quickly read the code and found that there is no verification of the access token's signature.

https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L326

JWT.decode refresh_token, @public_key, false, { :algorithm => 'RS256' }

As you can see, the third argument needs to be set to true to check the signature:
https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/decode.rb#L11-L31

Here is a quick solution:

public_key = "-----BEGIN PUBLIC KEY-----\n" +
 @public_key.scan(/.{1,64}/).join("\n") +
 "\n-----END PUBLIC KEY-----\n"

JWT.decode(token, OpenSSL::PKey::RSA.new(public_key), true, algorithm: 'RS256')

Hopefully this helps someone.
Cheers
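What the false third argument gives up, as an added example that is neither the gem's code nor ruby-jwt: RS256 verification on Ruby's OpenSSL alone, contrasting an unverified payload decode with a signature check over header.payload. The key pair and claims are constructed here; in practice the public key is the realm key the snippet above wraps in PEM armour.

```ruby
require 'openssl'
require 'json'

# Added example: unverified decode accepts altered claims, verified decode does not.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.size % 4) % 4)
  padded.unpack1('m0')
end

# Constructed issuer: sign header.payload with the private key (Keycloak's job).
def issue_rs256(private_key, claims)
  signing_input = "#{b64url(JSON.generate({ alg: 'RS256', typ: 'JWT' }))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# What verify=false amounts to: the claims come back whatever their origin.
def decode_unverified(token)
  JSON.parse(b64url_decode(token.split('.')[1]))
end

# Verified decode: pin the algorithm, check the signature, only then return claims.
def decode_verified(token, public_key)
  header, payload, sig = token.split('.')
  raise 'malformed token' unless header && payload && sig
  raise 'unexpected alg' unless JSON.parse(b64url_decode(header))['alg'] == 'RS256'
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{header}.#{payload}")
  raise 'signature verification failed' unless valid
  JSON.parse(b64url_decode(payload))
end

# A token whose claims were changed after signing (signature left untouched).
def alter_claims(token, new_claims)
  header, _payload, sig = token.split('.')
  "#{header}.#{b64url(JSON.generate(new_claims))}.#{sig}"
end

def demo
  key = OpenSSL::PKey::RSA.new(2048) # constructed key pair
  genuine = issue_rs256(key, { 'sub' => 'alice', 'realm_access' => { 'roles' => ['user'] } })
  altered = alter_claims(genuine, { 'sub' => 'alice', 'realm_access' => { 'roles' => ['admin'] } })
  {
    unverified_altered_roles: decode_unverified(altered)['realm_access']['roles'],
    verified_genuine_sub: decode_verified(genuine, key.public_key)['sub'],
    verified_altered: (decode_verified(altered, key.public_key) rescue 'rejected')
  }
end
```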

Do not pin versions of dependent gems exactly

Hey there 👋

I just noticed after bundle updating our project that the newest version of keycloak has these dependencies:

    keycloak (3.2.1)
      json (= 2.3.0)
      jwt (= 2.2.1)
      rest-client (= 2.1.0)

I think this is problematic: imagine another gem which depends on json but specifies = 2.3.1. This would not allow installing both gems at the same time. I think it would be better to e.g. only specify something like ~> 2.3, which would allow patch and minor updates. What do you think? 🙂

Keycloak version 11 breaks `token_introspection_endpoint`

According to https://www.keycloak.org/docs/latest/upgrading/#non-standard-token-introspection-endpoint-removed, Keycloak version 11 changed the name of the introspection_endpoint key. This means that there should be version-sensitive or some other logic to properly get the introspection endpoint url.

Potentially this code:

token_introspection_endpoint = @configuration['token_introspection_endpoint'] if isempty?(token_introspection_endpoint)

could be updated as follows:

token_introspection_endpoint = (@configuration['introspection_endpoint'] || @configuration['token_introspection_endpoint']) if isempty?(token_introspection_endpoint)

What do you think about this update?

Keycloak .well-known OpenID Configuration changed.

I just want to note that token_introspection_endpoint has been changed to introspection_endpoint in Keycloak v.18.
This outdated key causes Keycloak::Client.user_signed_in? to always return false.

token_introspection_endpoint = @configuration['token_introspection_endpoint'] if isempty?(token_introspection_endpoint)

This is my .well-known Configuration:

{
"issuer": "...",
"authorization_endpoint": "...",
"token_endpoint": "...",
"introspection_endpoint": "...",
"userinfo_endpoint": "...",
...
}

Provide simple usage example

For a better understanding of how to use this gem to interact with KeyCloak, a short and simple usage example would be great!

Set verify_ssl = false

Is there anywhere I can set verify_ssl=false on the RestClient call that is being used by keycloak?

I need RestClient to connect to an https server that has an invalid cert.

Is there any way to do it? Thanks.
