Comments (4)
Thanks a lot for your feedback on this.
It's great to have a solution for the Java side of things.
However, I think the best approach would be to have a Keycloakify build option that enables filtering out some paths.
Like:
vite.config.ts
```ts
import { defineConfig } from "vite";
import react from "@vitejs/plugin-react";
import { keycloakify } from "keycloakify/vite-plugin";

export default defineConfig({
    plugins: [
        react(),
        keycloakify({
            // Proposed option (not implemented yet): dotted paths of kcContext
            // fields that should not be shipped to the browser, "*" as wildcard
            kcContextExcludes: [
                "client.attributes.*"
            ]
        })
    ],
});
```
I'll work on something.
from keycloakify.
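The kcContextExcludes option above is only a proposal. As an added example (not Keycloakify's code and not from anyone in this thread), the TypeScript below shows how such dotted exclusion patterns could be applied to the kcContext object before it is serialized into the page as window.kcContext, together with a helper that lists every path the object still exposes, which is the check a reviewer would run over a built theme. The function names, the pattern syntax (a `*` segment matches every key or array index at that level; the last segment names what is deleted) and the sample kcContext are assumptions, not real Keycloak output.

```typescript
// Added example, not Keycloakify code: apply proposed kcContextExcludes-style
// patterns to a kcContext object before it is exposed as window.kcContext.
// Pattern syntax is an assumption: dotted path, "*" matches every key (or
// array index) at that level, the final segment names what gets deleted.

function excludeKcContextPaths<T extends Record<string, unknown>>(kcContext: T, patterns: string[]): T {
  // Work on a deep copy so the caller's object is left untouched.
  const pruned = JSON.parse(JSON.stringify(kcContext)) as T;
  for (const pattern of patterns) {
    prunePath(pruned, pattern.split("."));
  }
  return pruned;
}

// Walk one pattern through the object tree, deleting the matched leaf keys.
function prunePath(node: unknown, segments: string[]): void {
  if (node === null || typeof node !== "object" || segments.length === 0) return;
  const head = segments[0];
  const rest = segments.slice(1);
  if (Array.isArray(node)) {
    // Array elements are only addressable through "*"; recurse into each one.
    if (head === "*" && rest.length > 0) {
      for (const item of node) prunePath(item, rest);
    }
    return;
  }
  const obj = node as Record<string, unknown>;
  const keys = head === "*"
    ? Object.keys(obj)
    : Object.prototype.hasOwnProperty.call(obj, head) ? [head] : [];
  for (const key of keys) {
    if (rest.length === 0) {
      delete obj[key];
    } else {
      prunePath(obj[key], rest);
    }
  }
}

// Audit helper: every dotted leaf path the object would expose to the browser.
function listExposedPaths(node: unknown, prefix = ""): string[] {
  if (node === null || typeof node !== "object") return [prefix];
  const container = node as Record<string, unknown>; // for arrays the keys are indices
  const out: string[] = [];
  for (const key of Object.keys(container)) {
    const path = prefix ? `${prefix}.${key}` : key;
    out.push(...listExposedPaths(container[key], path));
  }
  return out.length > 0 ? out : [prefix];
}

// Constructed sample, not real Keycloak output. The client attribute keys
// contain dots, as real Keycloak attribute names do, so a literal pattern
// "client.attributes.saml.signing.certificate" would not match them after
// splitting on "."; the wildcard form is what removes them.
const sampleKcContext = {
  pageId: "login.ftl",
  realm: { name: "demo", displayName: "Demo", internationalizationEnabled: true },
  client: {
    clientId: "my-app",
    attributes: {
      "saml.signing.certificate": "MIIC...constructed placeholder...",
      "post.logout.redirect.uris": "https://app.example/*",
    },
  },
  social: {
    providers: [{ alias: "github", loginUrl: "/broker/github/login", providerId: "github" }],
  },
};

function prunedSample() {
  return excludeKcContextPaths(sampleKcContext, [
    "client.attributes.*",
    "social.providers.*.providerId",
  ]);
}

console.log(listExposedPaths(prunedSample()).join("\n"));
```

Running the block prints the paths that survive pruning; comparing that list against what the theme's React pages actually read is the quickest way to see which realm or client details are being shipped for no reason.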
Thanks for the quick reply @garronej.
I totally agree that most of the information Keycloak adds to the FreeMarker context isn't sensitive in the sense that it can't be exploited directly like secrets and private keys, but exposing realm configuration details and client certificates without a need might still raise a huge red flag for security analysts. So, adding a way to directly control what Keycloakify adds to kcContext would be very useful.
But currently, for anyone else who might be concerned about this and stumbles upon this thread - I managed to find a way to get control over what data is added to the FreeMarker context by replacing the default FreeMarkerLoginFormsProvider implementation with a custom one. It's not straightforward nor pretty, but it does solve the problem. Here is a quick example of what it looks like:
```java
import java.net.URI;
import java.util.Locale;
import java.util.Properties;

import jakarta.ws.rs.core.UriBuilder; // javax.ws.rs.core.UriBuilder on Keycloak versions before 22

import org.keycloak.forms.login.LoginFormsPages;
import org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider;
import org.keycloak.forms.login.freemarker.model.UrlBean;
import org.keycloak.models.KeycloakSession;
import org.keycloak.theme.Theme;

// Instantiated by a LoginFormsProviderFactory that is registered in
// META-INF/services/org.keycloak.forms.login.LoginFormsProviderFactory
public class ReactFreeMarkerLoginFormsProvider extends FreeMarkerLoginFormsProvider {
    public ReactFreeMarkerLoginFormsProvider(KeycloakSession session) {
        super(session);
    }

    @Override
    protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle,
                                          UriBuilder baseUriBuilder, LoginFormsPages page) {
        if (!theme.getName().startsWith("react-")) {
            // Theme name doesn't start with "react-" - proceed with default implementation to not break default theme
            super.createCommonAttributes(theme, locale, messagesBundle, baseUriBuilder, page);
            return;
        }
        // Remove any unused attributes added by parent implementation before this method is called
        attributes.remove("messagesPerField");
        attributes.remove("scripts");
        attributes.remove("properties");
        if (realm != null) {
            URI baseUri = baseUriBuilder.build();
            attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
            // Any realm related attributes are added here
        }
        if (client != null) {
            // Any client related attributes are added here
        }
    }
}
```
And to make it work, the default login forms provider needs to be disabled:
```sh
kc.sh build --spi-login-freemarker-enabled=false
```
And Keycloak will automatically find and use the custom FreeMarker forms provider because it's the only one available.
Hello @gim-,
This is a legitimate preoccupation; however, Keycloak itself, in principle, should not expose any sensitive info to the FreeMarker context.
There is currently no way to control what's exposed, but I can do it.
If there are fields that you think should be removed, you can reach me on Discord and I will remove them asap
https://discord.gg/kYFZG7fQmn
Another approach could also be to perform static analysis on the theme source files and to only include, on the client side, values that are actually used.
This requires more work though.