A Keycloak authenticator to restrict authorization on clients
License: MIT License
I'm Sven-Torben, a software engineering architect and partner at CONCISO.
๐ถ Born and raised in Dortmund, Germany.
๐ Diploma in computer science from TU Dortmund.
๐ฌ Socio-technical architecture, Domain Driven Design (DDD), and Keycloak.
๐ญ Currently working as a consultant at CONCISO.
๐ Free articles
๐ค Presentations, talks and workshops
๐ธWannabe guitar hero.
๐ Pronouns: he/him
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
When using the extension with an oauth provider, we are experiencing the problem, that the extension is not even executed (as it seems) when authenticating against the oauth provider.
When trying to login with an existing keycloak session, the extension is called and does exactly what it is supposed to do, we verfied that through putting users in and out of groups.
When using a keycloak local user, the extensions also works as expected. But it does not with the oauth provider, it just seems to bypass the extension and goes to the application.
So far we only implemented it in the Browser Flow.
I expect that the extension blocks (or allows) access to a client based on roles or policies also when using an oauth identity provider.
Implement the Browser Flow as documented
Toplevel -> Login (Required)
below the toplevel in login: -> Session, Identity Provider, Username Form (with the nested form itself) all as "Alternative)
In parallel the Restricted access extension. (Required)
Use an oauth identity provider in the respective step and the login will always be granted.
- Keycloak:23.0.6
- This extension:23.0.0We can see that the restriction step in the Browser Flow is create in parallel to the "Login" steps instead of after them in the visual representation. But we do not know whether the representation is actuall how it is executed (in the session step it seems to work)
When a users signs in to keycloak I would like to have them see all the applications they have access to without having to login to the site first and create a session.
Hello,
I would like to know if it is possible to enable "Always Display in Console" option in the client settings if the user is a member of the restricted group? If I am not able to do it with the keycloak-restrict-client-auth, can you recommend another approach, whether programmatically or otherwise.
Much appreciated.
I thought about enabling "Always Display in Console" for all apps, customizing the accounts page using something like Javascript and hide the icon if the user is not in the restricted group.
No response
No response
There are deployment scenarios where obtaining the keycloak-restrict-client-auth JAR from a Docker image is preferable to other means. In particular, when running Keycloak in a Kubernetes environment, an initContainer sidecar may be used to pull this JAR into a shared providers directory, thus allowing for runtime modification of the Keycloak Pod's providers.
This removes the need for an end user to modify/support their own Keycloak container images.
Alternatives may include using an initContainer to pull the released JAR at runtime. This adds additional possible failure modes (ie. network unavailability).
Users may also support their own custom Keycloak images, but this comes with a significant support overhead.
No response
Hello
I have installed redhat single sign-on 7.6 base on keycloak 18.0.0
i cant find the directory:
/opt/jboss/keycloak/providers
when i added the jar file in:
/opt/eap/standalone/deployments/
it added but empty (access provider)
can you help me?
so i can select (access provider) in action>config
Opening the settings window when editing authentication flow throws an error. Downgraded to 19.0.0 where everything works fine.
When configuring the jar, the README says to use this format
spi.restrict-client-auth-access-provider.client-role.client-role-name
But I couldn't get it to work unless I used all hyphens instead of dots.
spi-restrict-client-auth-access-provider-client-role-client-role-name
No response
No response
- Keycloak:17.0.1
- This extension: LatestNo response
Managed to get it to do what it needs to do: Grant access by IdP group and block access to other IdP users. But when a user doesn't have access the login page refreshes instead of showing an access-denied page
I was expecting to see an error of sorts so a user knows not to enter their credentials again in vain.
- Keycloak: 19.0.3
- This extension: 19.0.0As I'm new to Keycloak it's quite possible that my issue is simply user error.
I've updated Keycloak and this provider to 23.0.6 and 23.0.0 respectively. While everything was running perfectly on Keycloak v21, I cannot figure out why this provider suddenly doesn't work anymore. When logging in on my client, or when going to the Browser restricted client auth flow on the admin pages, the below error is thrown.
Cannot find authentication provider implementation with provider ID 'basic-auth'
I've spent many hours trying to make sure the .jar file is correctly installed and trying different things to get everything to work. The issue is definitely coming from somewhere in this package because the normal browser auth works fine. Any info would be great appreciated.
No response
No response
- Keycloak: 23.0.6
- This extension: 23.0.0No response
When visiting any client I receive an error message upon the page loading that states "Invalid Username or Password".
It doesn't even ask a username or password or try to authenticate, I just immediately experience the above on all clients after binding.
I tested:
As soon as I remove the "Restrict user authentication on clients" step from the flow, it works.
This is my current flow (cloned from the default flow, and tested before/after adding the restrict step):
This is the configuration of the step:
The error message in action:
I expect to see the normal authentication dialog before getting access granted/access denied based on the authenticator and associated roles been given to users and clients per the readme instructions.
keycloak:
image: quay.io/keycloak/keycloak:latest
container_name: keycloak
restart: unless-stopped
command:
- 'start'
- '--hostname=x
- '--proxy=edge'
ports:
- x:8080
volumes:
- ./keycloak-restrict-client-auth.jar:/opt/keycloak/providers/keycloak-restrict-client-auth.jar
labels:
- 'traefik.http.routers.keycloak.entrypoints=websecure'
- 'traefik.http.routers.keycloak.rule=Host(`x`)'
- 'traefik.http.routers.keycloak.tls=true'
- 'traefik.http.routers.keycloak.tls.certresolver=myresolver'
- 'traefik.http.services.keycloak.loadbalancer.server.scheme=http'
- 'traefik.http.services.keycloak.loadbalancer.server.port=8080'
- 'traefik.enable=true
- Keycloak: 19.0.1 (quarkus)
- This extension: 19.0.0 (Latest Release)No response
Keycloak 16 will be the last preview of Keycloak.X and will become fully supported with Keycloak 17 by end of 2021.
https://www.keycloak.org/2021/10/keycloak-x-update
Make sure the library works with Keycloak.X
Implementation tasks:
Cleanup tasks:
allowTimestampedSnapshots (revert commit 5b27120)When an user will be log in at a client that isn't authorized, the Keycloak deny the access, but if this user log in a client that are been authorized, this same user can log in everyone client while the session is valid.
The role validation must be run in everyone authentication maked by user
No response
- Keycloak: 19.0.1
- This extension: 19.0.0No response
I have created the following form but when I always get Invalid username or password. Can someone tell me what I am doing wrong?
I should get a login form to enter my username and password
No response
Keycloak 24.0.0
I just updated Keycloak to version 22.0.1 and tested your provider with release v22.0.0.
The plugin still works but the error message in the frontend is just a "We are sorry - An internal server error has occurred".
This is the stack trace from the Keycloak error log:
| 2023-08-01 14:11:31,022 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-2) Uncaught server error: java.lang.NoSuchMethodError: 'org.jboss.resteasy.spi.HttpRequest org.keycloak.authentication.AuthenticationFlowContext.getHttpRequest()'
| at de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator.errorResponse(RestrictClientAuthAuthenticator.java:87)
| at de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator.authenticate(RestrictClientAuthAuthenticator.java:50)
which points to this line in your code:
I get an KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unknown flow provider type message in the logs (see below for complete stack trace), when trying to use the extension in KC24 (with proper extension version 24).
It's not a migrated flow, it's a newly created flow in the realm (see below for a picture of the flow). The flow is designed as mentioned in the README. Additionally, the same flow design works in KC23 with extension version 23.
In the UI I directly get an invalid username or password error message, I even can't start authentication properly (cant't entering anything like username/password).
No response
No response
- Keycloak: 24.0.1
- This extension: 24.0.0
kcd_kc | 2024-03-12 14:45:09,355 WARN [org.keycloak.services] (executor-thread-15) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unknown flow provider type
kcd_kc | at org.keycloak.authentication.AuthenticationProcessor.createFlowExecution(AuthenticationProcessor.java:879)
kcd_kc | at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1026)
kcd_kc | at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:884)
kcd_kc | at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
kcd_kc | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
kcd_kc | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
kcd_kc | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
kcd_kc | at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
kcd_kc | at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
kcd_kc | at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
kcd_kc | at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
kcd_kc | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
kcd_kc | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
kcd_kc | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
kcd_kc | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
kcd_kc | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
kcd_kc | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
kcd_kc | at java.base/java.lang.Thread.run(Thread.java:840)
This is more of a question then a feature request, but if the answer is no then it can be a feature request. Does this feature work with multiple clients, and by that I mean will it work to isolate more than one client?
Here is an example. Lets say I have 4 apps that I want to configure on one Realm. Can I create 4 different authenticators. Use those 4 different authenticators one per app, and users would be able to access 1, 2, 3 or 4 applications depending on their roles?
The problem trying to wrap my head around is if all clients have this restricted-access role needed for one or the other application, is it possible to have a user restricted to any more than 1 app at a time?
No response
No response
No response
User without restricted-access role is still being able to authenticate. Role itself created both in realm and client (In both cases there is 0 assignments). My current configuration is similar to this one https://user-images.githubusercontent.com/12183470/136276665-6b087651-baa9-43aa-addf-59db247529b7.png
User without restricted-access role is not being able to authenticate.
No response
- Keycloak: 22.0.4
- This extension: 22.0.0No response
I followed the instructions to set up the plugin. I'm using the Jar for 20.0.1 in my keycloak (20.0.2). I'm not using the restricted-access role yet. When I initiate a login process I directly get an invalid credentials' error.
The flow is:
The error:
The trace is:
2023-03-02 16:51:30,573 WARN [org.keycloak.services] (executor-thread-83) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: restrict-client-auth-authenticator
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:423)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:250)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1017)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:879)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:578)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:564)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:1589)
The expected behavior is to allow the login because i'm not using the restricted role yet.
I followed the instructions given.
- Keycloak:20.0.2
- This extension: 20.0.1No response
The description of the Keycloak Flow settings in the documentation is not entirely clear.
More detailed explanation of Flow settings.
Default Keycloak Browser Flow contains mixed required and alternative subflows/steps/authenticators, that, as described in documentation, can't be used in conjunction with keycloak-restrict-client-auth. Built-in Browser Flow contains Cookie, IdP and Forms alternatives on top. And you can't just add a keycloak-restrict-client-auth to the bottom of the list and set it as Required.
The solution is not just to create a copy of the built-in Bowser Flow, but to completely rebuild your own flow based on the Browser Flow. You need to create three sub-flows for Cookie, IdP and Forms and add keycloak-restrict-client-auth to each of this subflows.
No response
No response
Add SPI and provider configuration options once ProviderFactory supports it.
For details see: https://github.com/keycloak/keycloak-community/blob/master/design/keycloak.x/configuration.md#spi-and-provider-configuration-options
No response
No response
I am configuring the access restriction. I have no problem restricting access using Username Password Form. However, as soon as I use the configured identity provider, the restriction never applies.
The same operation between the Username/password connection and the identifty provider connection.
Here is the connection flow I have:
- Keycloak: 19.0.1 (quarkus)
- This extension: 19.0.0I searched through the existing issues, I did not find a clue to solve my problem. Sorry if this is the case.
I also wondered about "is this prodider supposed to work with an Identity Provider?". The only answer I could find in the README is here. And it just says, that this provider is better than the "Allow/Deny Access" feature which doesn't work with identity providers.
In any case, thank you for your work!
When the authenticator has not been configured (e.g. access provider is left empty or no authenticator config is present), RestrictClientAuthAuthenticator throws a NullPointerException:
{
"refId": 1,
"exceptionType": "java.lang.NullPointerException",
"message": null,
"frames": [
{
"class": "de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator",
"method": "getAccessProvider",
"line": 66
},
{
"class": "de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator",
"method": "authenticate",
"line": 34
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "processSingleFlowExecutionModel",
"line": 446
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "processFlow",
"line": 253
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "processSingleFlowExecutionModel",
"line": 389
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "processFlow",
"line": 253
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "continueAuthenticationAfterSuccessfulAction",
"line": 184
},
{
"class": "org.keycloak.authentication.DefaultAuthenticationFlow",
"method": "processAction",
"line": 164
},
{
"class": "org.keycloak.authentication.AuthenticationProcessor",
"method": "authenticationAction",
"line": 950
},
{
"class": "org.keycloak.services.resources.LoginActionsService",
"method": "processFlow",
"line": 312
},
{
"class": "org.keycloak.services.resources.LoginActionsService",
"method": "processAuthentication",
"line": 283
},
{
"class": "org.keycloak.services.resources.LoginActionsService",
"method": "authenticate",
"line": 267
},
{
"class": "org.keycloak.services.resources.LoginActionsService",
"method": "authenticateForm",
"line": 340
},
{
"class": "jdk.internal.reflect.NativeMethodAccessorImpl",
"method": "invoke0"
},
{
"class": "jdk.internal.reflect.NativeMethodAccessorImpl",
"method": "invoke",
"line": 62
},
{
"class": "jdk.internal.reflect.DelegatingMethodAccessorImpl",
"method": "invoke",
"line": 43
},
{
"class": "java.lang.reflect.Method",
"method": "invoke",
"line": 566
},
{
"class": "org.jboss.resteasy.core.MethodInjectorImpl",
"method": "invoke",
"line": 138
},
{
"class": "org.jboss.resteasy.core.ResourceMethodInvoker",
"method": "internalInvokeOnTarget",
"line": 546
},
{
"class": "org.jboss.resteasy.core.ResourceMethodInvoker",
"method": "invokeOnTargetAfterFilter",
"line": 435
},
{
"class": "org.jboss.resteasy.core.ResourceMethodInvoker",
"method": "lambda$invokeOnTarget$0",
"line": 396
},
{
"class": "org.jboss.resteasy.core.interception.PreMatchContainerRequestContext",
"method": "filter",
"line": 358
},
{
"class": "org.jboss.resteasy.core.ResourceMethodInvoker",
"method": "invokeOnTarget",
"line": 398
},
{
"class": "org.jboss.resteasy.core.ResourceMethodInvoker",
"method": "invoke",
"line": 365
},
{
"class": "org.jboss.resteasy.core.ResourceLocatorInvoker",
"method": "invokeOnTargetObject",
"line": 150
},
{
"class": "org.jboss.resteasy.core.ResourceLocatorInvoker",
"method": "invoke",
"line": 104
},
{
"class": "org.jboss.resteasy.core.SynchronousDispatcher",
"method": "invoke",
"line": 440
},
{
"class": "org.jboss.resteasy.core.SynchronousDispatcher",
"method": "lambda$invoke$4",
"line": 229
},
{
"class": "org.jboss.resteasy.core.SynchronousDispatcher",
"method": "lambda$preprocess$0",
"line": 135
},
{
"class": "org.jboss.resteasy.core.interception.PreMatchContainerRequestContext",
"method": "filter",
"line": 358
},
{
"class": "org.jboss.resteasy.core.SynchronousDispatcher",
"method": "preprocess",
"line": 138
},
{
"class": "org.jboss.resteasy.core.SynchronousDispatcher",
"method": "invoke",
"line": 215
},
{
"class": "org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher",
"method": "service",
"line": 245
},
{
"class": "org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher",
"method": "service",
"line": 61
},
{
"class": "org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher",
"method": "service",
"line": 56
},
{
"class": "javax.servlet.http.HttpServlet",
"method": "service",
"line": 590
},
{
"class": "io.undertow.servlet.handlers.ServletHandler",
"method": "handleRequest",
"line": 74
},
{
"class": "io.undertow.servlet.handlers.FilterHandler$FilterChainImpl",
"method": "doFilter",
"line": 129
},
{
"class": "org.keycloak.provider.wildfly.WildFlyRequestFilter",
"method": "lambda$doFilter$0",
"line": 41
},
{
"class": "org.keycloak.services.filters.AbstractRequestFilter",
"method": "filter",
"line": 43
},
{
"class": "org.keycloak.provider.wildfly.WildFlyRequestFilter",
"method": "doFilter",
"line": 39
},
{
"class": "io.undertow.servlet.core.ManagedFilter",
"method": "doFilter",
"line": 61
},
{
"class": "io.undertow.servlet.handlers.FilterHandler$FilterChainImpl",
"method": "doFilter",
"line": 131
},
{
"class": "io.undertow.servlet.handlers.FilterHandler",
"method": "handleRequest",
"line": 84
},
{
"class": "io.undertow.servlet.handlers.security.ServletSecurityRoleHandler",
"method": "handleRequest",
"line": 62
},
{
"class": "io.undertow.servlet.handlers.ServletChain$1",
"method": "handleRequest",
"line": 68
},
{
"class": "io.undertow.servlet.handlers.ServletDispatchingHandler",
"method": "handleRequest",
"line": 36
},
{
"class": "org.wildfly.extension.undertow.security.SecurityContextAssociationHandler",
"method": "handleRequest",
"line": 78
},
{
"class": "io.undertow.server.handlers.PredicateHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "io.undertow.servlet.handlers.RedirectDirHandler",
"method": "handleRequest",
"line": 68
},
{
"class": "io.undertow.servlet.handlers.security.SSLInformationAssociationHandler",
"method": "handleRequest",
"line": 117
},
{
"class": "io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler",
"method": "handleRequest",
"line": 57
},
{
"class": "io.undertow.server.handlers.PredicateHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "io.undertow.security.handlers.AbstractConfidentialityHandler",
"method": "handleRequest",
"line": 46
},
{
"class": "io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler",
"method": "handleRequest",
"line": 64
},
{
"class": "io.undertow.security.handlers.AuthenticationMechanismsHandler",
"method": "handleRequest",
"line": 60
},
{
"class": "io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler",
"method": "handleRequest",
"line": 77
},
{
"class": "io.undertow.security.handlers.NotificationReceiverHandler",
"method": "handleRequest",
"line": 50
},
{
"class": "io.undertow.security.handlers.AbstractSecurityContextAssociationHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "io.undertow.server.handlers.PredicateHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler",
"method": "handleRequest",
"line": 61
},
{
"class": "io.undertow.server.handlers.PredicateHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler",
"method": "handleRequest",
"line": 68
},
{
"class": "io.undertow.servlet.handlers.SendErrorPageHandler",
"method": "handleRequest",
"line": 52
},
{
"class": "io.undertow.server.handlers.PredicateHandler",
"method": "handleRequest",
"line": 43
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler",
"method": "handleFirstRequest",
"line": 269
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler",
"method": "access$100",
"line": 78
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler$2",
"method": "call",
"line": 133
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler$2",
"method": "call",
"line": 130
},
{
"class": "io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1",
"method": "call",
"line": 48
},
{
"class": "io.undertow.servlet.core.ContextClassLoaderSetupAction$1",
"method": "call",
"line": 43
},
{
"class": "org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction",
"method": "lambda$create$0",
"line": 105
},
{
"class": "org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction",
"method": "lambda$create$0",
"line": 1530
},
{
"class": "org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction",
"method": "lambda$create$0",
"line": 1530
},
{
"class": "org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction",
"method": "lambda$create$0",
"line": 1530
},
{
"class": "org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction",
"method": "lambda$create$0",
"line": 1530
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler",
"method": "dispatchRequest",
"line": 249
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler",
"method": "access$000",
"line": 78
},
{
"class": "io.undertow.servlet.handlers.ServletInitialHandler$1",
"method": "handleRequest",
"line": 99
},
{
"class": "io.undertow.server.Connectors",
"method": "executeRootHandler",
"line": 387
},
{
"class": "io.undertow.server.HttpServerExchange$1",
"method": "run",
"line": 841
},
{
"class": "org.jboss.threads.ContextClassLoaderSavingRunnable",
"method": "run",
"line": 35
},
{
"class": "org.jboss.threads.EnhancedQueueExecutor",
"method": "safeRun",
"line": 1990
},
{
"class": "org.jboss.threads.EnhancedQueueExecutor$ThreadBody",
"method": "doRunTask",
"line": 1486
},
{
"class": "org.jboss.threads.EnhancedQueueExecutor$ThreadBody",
"method": "run",
"line": 1377
},
{
"class": "org.xnio.XnioWorker$WorkerThreadFactory$1$1",
"method": "run",
"line": 1280
},
{
"class": "java.lang.Thread",
"method": "run",
"line": 829
}
]
}Should not throw a NullPointerException but use the default authenticator and access provider client-role instead.
- Keycloak: 15.1.1
- This extension: 15.2.0, 16.0.0No response
logs:
`admin:~/keycloak/keycloak-22.0.0/bin$ ./kc.sh build
Updating the configuration and installing your custom providers, if any. Please wait.
2023-07-18 10:26:09,542 WARN [org.keycloak.services] (build-25) KC-SERVICES0047: restrict-client-auth-authenticator (de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
2023-07-18 10:26:09,580 WARN [org.keycloak.services] (build-25) KC-SERVICES0047: policy (de.sventorben.keycloak.authorization.client.access.policy.PolicyBasedAccessProviderFactory) is implementing the internal SPI restrict-client-auth-access-provider. This SPI is internal and may change without notice
2023-07-18 10:26:09,580 WARN [org.keycloak.services] (build-25) KC-SERVICES0047: client-role (de.sventorben.keycloak.authorization.client.access.role.ClientRoleBasedAccessProviderFactory) is implementing the internal SPI restrict-client-auth-access-provider. This SPI is internal and may change without notice
2023-07-18 10:26:09,599 WARN [org.keycloak.services] (build-25) KC-SERVICES0047: restrict-client-auth-auto-config (de.sventorben.keycloak.authorization.client.clientpolicy.executor.AutoConfigClientPolicyExecutorFactory) is implementing the internal SPI client-policy-executor. This SPI is internal and may change without notice
2023-07-18 10:26:09,940 WARN [org.keycloak.services] (build-25) KC-SERVICES0047: restrict-client-auth-enabled (de.sventorben.keycloak.authorization.client.clientpolicy.condition.RestrictedClientAuthEnabledPolicyConditionProviderFactory) is implementing the internal SPI client-policy-condition. This SPI is internal and may change without notice
2023-07-18 10:26:09,950 WARN [io.quarkus.arc.deployment.SplitPackageProcessor] (build-19) Detected a split package usage which is considered a bad practice and should be avoided. Following packages were detected in multiple archives:
2.I dont see any option which is metioned in the document
Configure the **authenticator** by clicking on **Actions** -> **Config** and select client-role as the Access Provider.
it should provide the UI to create client role
Download latest jar from the link https://github.com/sventorben/keycloak-restrict-client-auth/releases/download/v22.0.0/keycloak-restrict-client-auth.jar
${kc.home.dir}/bin/kc.sh build
- Keycloak:22.0.0
- This extension:22.0.0No response
In a cluster of two nodes does not give a choice access provider (client-role or policy)
choice access provider (client-role or policy)
No response
- Keycloak:15.1.1
- This extension:15.2No response
Hello,
At first I would like to say thank you for your attempt to resolve one the most popped up question regarding setting up restrictions for users.
I am one of those people who want to limit access for members of specific Active Directory group to a certain client. I found your solution and tried to apply to it. I did everything in accordance to the guide described in the description of the solution, but still did not get the desired behavior.
So here are some facts about the installation:
KeyCloak 15.0.2 running in Docker
PostgreSQL database is used
Authenticator is installed and is added into a custom authentication flow, which was copied from the standard Browser flow, as the latest step
The role restricted-access was created within client's configuration
and was added to group kiali_users
The Role Mappings of my user contains the info about assigned role
However, I can't log in to the client.
I found the following events in KeyCloak logs:
18:36:17,407 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-26) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-
provider-redirector, null]
18:36:17,408 WARN [org.keycloak.services] (default task-26) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: restrict-client-auth-authenticator
at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:431)
at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:253)
at [email protected]//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:990)
at [email protected]//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:852)
at [email protected]//org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:300)
at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:183)
at [email protected]//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:106)
at jdk.internal.reflect.GeneratedMethodAccessor835.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at [email protected]//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:546)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:435)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:396)
at [email protected]//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:398)
at [email protected]//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:365)
at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
at [email protected]//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at [email protected]//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at [email protected]//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
at [email protected]//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at [email protected]//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at [email protected]//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
at [email protected]//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
at [email protected]//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at [email protected]//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at [email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at [email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at [email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:829)
18:36:17,416 WARN [org.keycloak.events] (default task-26) type=LOGIN_ERROR, realmId=Company, clientId=kiali-dev-server, userId=null, ipAddress=10.47.250.28, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://lsn-kiali.example.com/kiali, code_id=08413b01-d357-489e-9ddb-dcc6c5dbfd8c, response_mode=query, authSessionParentId=08413b01-d357-489e-9ddb-dcc6c5dbfd8c, authSessionTabId=GpbPyq5G8K
Among events I see the message like the following in administrative interface of KeyCloak:
Could you please point me to a misconfiguration if it is somewhere or point the direction that I should pay attention for figuring out the cause of the wrong behavior?
Thank you in advance.
With Keycloak 19 the new admin console became the default and the old one got deprecated.
Update all screenshots in the README to reflect changes in the new admin console.
No response
No response
Hi,
i'm interested by your extension, particular for policy-based mode. I have a question about this mode :
we can configure policy for client about differents endpoints, for exemple :
Thx
Describe the usage of this extension in combination
See also #114, #121, or #224 as a starting point.
No response
No response
No response
Build process cannot find Keycloak 17.0.0 due to changes in naming pattern.
See https://groups.google.com/g/keycloak-dev/c/RQpL7L4FRy0 for details.
No response
No response
- Keycloak: 17.0.0 (quarkus and wildfly)
- This extension: 16.0.1No response
Using keycloak-restrict-client-auth` with Policy-Based mode. When I want to use Regex Client Policy on multivalue attributes it does not work.
For example, I have User user1 with an attribute:
"attr": [
"1test",
"2test"
],
If I define the target_claim to my_attr and regex pattern to 1test it works, but when I would like to check the 2test I have no idea how to do it ๐. Do you know any solution?
Check each value from multivalued attribute not only first.
- Keycloak: 24.0.1
- This extension: 24.0.0No response
Screenshots in the docs are from the old admin console. Should be updated with screenshots from the new admin console.
No response
No response
No response
When multiple clients exist, an active keycloak session created by logging in to one client bypasses restrictions set on another client and allows a user to log in
I tried with the "Role-based mode"
If we go to client that has restrictions first it works as expected and user is stopped at keycloak page
I expect that when I logged in to one client and keycloak session is active, when I go to another client that has restricted-access I would NOT be allowed to access
client1 that has restrictions and client2 that doesn'tuser1 cannot log in to client1 because they don't have the restricted-access role for client1client2 with user1 - this works fine because there were no restrictionsclient1 and keycloak will log you in bypassing the restrictions set by this plugin- Keycloak: 15.0.2 (wildfly)
- This extension: 15.1.0No response
I setup a simple test case following the documentation with Keycloak v21.0.2. Everything seems to work fine playing with the policies, but when the configured policies deny access no access-denied error message is shown in the resulting browser page instead an error of "An internal server error has occurred" is shown. Follow the error stacktrace on the Keycloak logs...
2023-04-05 16:53:34,964 WARN [de.sventorben.keycloak.authorization.client.access.policy.PolicyBasedAccessProvider] (executor-thread-48) Access for user 'duck' is denied. User does not have permission to access resource 'Keycloak Client Resource' on client 'f90a0346-a98b-4fdd-a290-90e5ee520352' in realm 'bemsi'. 2023-04-05 16:53:34,965 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-48) Uncaught server error: java.lang.NoSuchMethodError: 'org.keycloak.http.HttpRequest org.keycloak.authentication.AuthenticationFlowContext.getHttpRequest()' at de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator.errorResponse(RestrictClientAuthAuthenticator.java:87) at de.sventorben.keycloak.authorization.client.RestrictClientAuthAuthenticator.authenticate(RestrictClientAuthAuthenticator.java:50) at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:446) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:250) at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:381) at org.keycloak.authentication.DefaultAuthenticationFlow.continueAuthenticationAfterSuccessfulAction(DefaultAuthenticationFlow.java:182) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:158) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:977) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:311) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:282) at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:274) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:339) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:568) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161) at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247) at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82) at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84) at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430) at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408) at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284) at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173) at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140) at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82) at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576) at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478) at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29) at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:833)
Default access denied error message.
No response
No response
No response
I installed the extension on a new keycloak docker instance from jboss/keycloak
When i try to configure the extension i can not select an โAccess Providerโ as the field shows no entries.
The Access Provider list should display the correct options
- Keycloak: 15.0.2
- This extension: 15.1.0No response
Hello
how can I make restricted-access multiple clients?
I saw the #92
but where to put the role
the client or authentication?
I tested 1 client 1 group
example (Zabbix)
in it has a roles called (restricted-access) and in
Groups (group role mappings) (client role) selected (restricted-access) for the Zabbix client
it's working but how to rename each client have different names like
(zabbix01.restricted-access)
(kibana03.restricted-access)
Zabbix01
(roles)=(zabbix01.restricted-access)
and in
(group role mappings)->(client role) selected (zabbix01.restricted-access) for the (Zabbix01 client)
So I got around to trying this today. It doesn't appear to work with SAML authentication on version 18.0.2, or more likely I am not doing something correctly.
After adding the provider, restarting KC, I created a copy of the browser flow, edited it as per instructions. I then created the role in a client, and changed the "Authentication Flow Overrides" to the newly created flow which has the restrict feature enabled. when I try to login from an app using SAML, it redirects to KC and immediately presents me with "Invalid username or password" without prompting for either.
No response
No response
- Keycloak:
- This extension:No response
No response
Each client will check different requirements, so the message to the user should explain the reason why access has been denied.
I have made a modification to the RestrictClientAuthAuthenticator.htmlErrorResponse method to look for whether there are messages of the form . and in that case that message is displayed instead of the configured in the authentication step
No response
Hi,
first of all, thanks a lot for making this SPI, it works very well and it is very easy to set up :)
I was wondering if there is a way I could configure this plugin so I can set a different role per client.
For example in my organization we have GitLab and Slack both protected with Keycloak. Since they both use a pay-per-user license model I only want users with the slack_user role to be authorized to use Slack and role_gitlab for gitlab.
Is this something currently possible? If not, do you think it can be something that could be added to the current code?
Thank you very much,
Daniel.
No response
No response
No response
In case user use the classic form, the restriction works and he get the normal message that he's not allowed to access it.
He should not be allowed to logged in.
No response
- Keycloak: 16.0.0
- This extension: 16.0.0I'm not an expert on Keycloak so maybe I missed something ... My first idea is that using action token uses another flow but I can't identifie it (and "events" doesn't sho which flow has been used).
Regards
After copying the Browser Flow and adding the Restrict user authentication on clients , I cant go in settings of this card, because I get the error can't convert undefined to object . In the browser console I see the error
TypeError: can't convert undefined to object index.4ad08902.js:25:73
It should show the Settings UI as described in the Readme
Using Podman on Coreos:
Dockerfile
ARG KEYCLOAK_VERSION=19.0.2
ARG KEYCLOAK_RESTRICTED_CLIENT_AUTH_VERSION=19.0.0
FROM quay.io/keycloak/keycloak:latest
ARG KEYCLOAK_RESTRICTED_CLIENT_AUTH_VERSION
ENV KC_DB=mariadb
#ENV KC_FEATURES=declarative-user-profile
RUN curl -fsSL https://github.com/sventorben/keycloak-restrict-client-auth/releases/download/v19.0.0/keycloak-restrict-client-auth.jar \
-o /opt/keycloak/providers/keycloak-restrict-client-auth.jar
RUN /opt/keycloak/bin/kc.sh build
Service for building the the Image
- name: keycloak-build.service
enabled: true
contents: |
[Unit]
Description=Build custom kecloak container with client auth plugin
Requires=network-online.target
After=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/podman build --no-cache -t mykeycloak /var/srv/builds/mykeycloak/
ExecStop=sh -c 'podman image exists mycaddy && podman rmi --force mykeycloak'
[Install]
WantedBy=multi-user.target
Keycloak Service:
- name: keycloak-app.service
enabled: true
contents: |
[Unit]
Description=Run keycloak
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=keycloak.service
After=keycloak.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run \
--cidfile=%t/%n.ctr-id \
--cgroups=no-conmon \
--rm \
--pod-id-file %t/keycloak.pod-id \
--sdnotify=conmon \
--replace \
--detach \
--name keycloak-app \
--env KEYCLOAK_ADMIN=test \
--env KEYCLOAK_ADMIN_PASSWORD=test mykeycloak start \
--hostname=auth.${domain} \
--proxy=edge \
--db=mariadb \
--db-url=jdbc:mariadb://keycloak-db.localhost/test \
--db-username=test \
--db-password=test
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all
[Install]
WantedBy=default.target
- Keycloak: 19.0.2 quarkus
- This extension: 19.0.0
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.