I am trying to setup Keycloak server for our organisation. I have couple of questions.
How can we use our existing user database to authenticate users - User Federation. Keycloak only has LADP/Kerberos options. Is there any custom plugin which can be used for MySQL user authentication or can we use existing connectors itself (LDAP/Kerberos) via some adapter for the database?
Is it possible to have multiple Identity providers within Keycloak environment - (Have Keycloak as IDP for few services, while Keycloak Google IDP for other services).
I have followed the official documentation, but for some reason not able to view the content of the link. Any helpful links to proper guide would be great.
Check Keycloak Custom User Federation
It means that, to use diffirent datasource (or process) while Keycloak username / password login
see =>
https://github.com/keycloak/keycloak-documentation/blob/master/server_development/topics/user-storage/simple-example.adoc
https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c github => (https://github.com/Smartling/keycloak-user-migration-provider)
First link => explaining how to configure external db to keycloak.
Second link (need changes)=> these examplecan change like that,
you can create a custom federation implementation,
it will be call your service,
your service will be query your db
your service will response your result
Second example(my suggestion) will be abstract your custom code (federation process, your service) and keycloak. Keycloak ony call your service, everything else are your implementation.
You should implement your own user storage SPI to integrate your MySQL db as an external user storage db
https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
I answered a similar question regarding existing databases user and keycloak authentication (link here)
I published my own solution as a multi RDBMS implementation (oracle, mysql, postgresl, sqlserver) to solve simple database federation needs, supporting bcrypt and several types of hashes.
It is a configurable keycloak custom provider, you will only need the to set some SQL queries and it is ready to use.
It is already compatible with new keycloak quarkus deployment.
Feel free to clone, fork, contribute or do whatever you need to solve your issue.
GitHub repo:
https://github.com/opensingular/singular-keycloak-database-federation
Related
For our product we have decided to implement a Secret Management tool (AWS secrets manager) that will securely store and manage all our secrets such as DB credentials, passwords and API keys etc.
In this way the secrets are not stored in code, database or anywhere in the application. We have to provide the AWS credentials - Access Key Id and Secret access key to programmatically access the APIs of Secrets manager.
Now the biggest question that arises is, where to keep this Initial Trust – the credentials to authenticate the AWS secrets manager.? This is a bootstrapping problem. Again, we have to maintain something outside of the secret store, in a configuration file or somewhere. I feel If this is compromised then there is no real meaning to store everything in a Secret management tool.
I read the AWS SDK developer guide and understand that there are some standard ways to store AWS credentials like – storing them in environmental variables, credentials file with different profiles and by Using IAM roles for Amazon EC2 Instances.
We don’t run/host our application in Amazon cloud, we just want to use AWS secrets manger service from AWS cloud. Hence, configuring the IAM roles might not be the solution for us.
Are there any best practices (or) a best place to keep the initial Trust credentials?
If you're accessing secrets from EC2 instance, ECS docker container, Lambda function, you can use Roles with policy that allows access to Secrets Manager.
if IAM Role is not an option, You can use Federation Login to get temporary credentials (IAM Role) with policy that allows access to Secrets Manager.
As #Tomasz Breś said, you can use federation if you are already using an on-premis Auth system like Active directory or Kerberos.
If you do not have any type of credentials already on the box, you are left with two choices: store your creds in a file and use file system permissions to protect them, or use hardware like an HSM or TPM to encrypt or store your creds.
In any case, when you store creds on the box (even AD/Kerberos), you should ensure only the application owner has access to that box (in the case of a stand alone app and not a shared CLI). You should also harden the box by turning off all un-necessary software and access methods.
just two questions about Ejabberd. I saw and adapted PHP tool found through GitHub (https://github.com/leesherwood/ejabberd-php-auth) for external authentication, but I have a doubt: when exploiting external authentication, how Ejabberd links users (who are not stored into Ejabberd database but into an external mySQL database used for Web purposes) with conversations, please?
Second question. I have followed guidelines for setting external authentication. It works like a charm when testing by command line, mocking a command like 00auth:username:servername:password
But, when I try to connect to Ejabberd's administration web platform, I receive an error of connection. Instead, when I use internal authorization, the platform is reachable.
Do you figure out the reason, please?
how Ejabberd links users (who are not stored into Ejabberd database but into an external mySQL database used for Web purposes) with conversations, please?
How? With their username+hostname.
when I try to connect to Ejabberd's administration web platform, I receive an error of connection. Instead, when I use internal authorization, the platform is reachable.
Try to login with a Jabber client, does it work? In the WebAdmin, remember to provide the Jabber ID, which is username#hostname, not only the username.
We're using Vault to store our application secrets and config. When our app (Java) starts, a script does all the magic of getting the secrets and config from Vault and storing them locally for the application to read. The script is authenticating to Vault using AWS IAM role.
Now we're getting to a situation where the application needs to read secrets from Vault on the go, not just on startup. For that purpose, I need it to be able to do the authentication pretty much on every request. It's worth mentioning that the app might also run on the developer machine, so whatever authentication done - it needs to work on the EC2 instance as well as the local development environment.
I'm currently leaning towards creating a username and password, store them in Vault for the application to get when starting up. Then the application could use that username/password to authenticate to Vault when it needs.
I'm also considering AppRole, but can't really see any real advantage to it over simple user/password setup.
What's the best solution for this use-case? Any advise would be highly appreciated!
Thanks,
Yosi
The AWS recommendation for storing secrets is to use AWS Systems Manager Parameter Store.
Software running on an Amazon EC2 instance with an assigned Role can use those credentials to access the Parameter Store to retrieve application secrets.
The Parameter Store can also be used outside of EC2, but some AWS credentials will still be needed to authenticate to the Parameter Store.
Since I am making an android application that has its own mysql database in my server, how can I map the user of wirecloud with the user of my own database? The point of this is to recognize which user is consuming a widget deployed on the wirecloud.
I suppose that Wirecloud uses mongo db?
The best way for mapping the users of WireCloud with the ones of you own database is the use of a single authentication source.
WireCloud is based on Django so you can use any of the method supported by it for customising the authentication. This include the use of third-party modules (e.g. django-auth-ldap for authenticating using a LDAP server) and the use of the integration with the FIWARE IdM provided by WireCloud.
It's technically possible to make WireCloud use your database directly, but I don't recommend you to do that because will be a pain to maintain such integration. In my opinion, the best options are migrating your app for using the FIWARE IdM or creating a custom authentication backend for authenticating users using your database.
Can one easily 'plug-in' an existing credentials repository to use when authenticating users on a DotNetNuke web site and can we then take advantage of the DNN authorization framework?
More specifically: we have a database of user credentials (mySql) used to authenticate users. We're investigating using DNN for a new web site but are restricted to using the existing credentials repository. We can easily make the repository accessible but will we need to do any 'tweaking in the MS-Sql database that DNN uses etc?
Btw, am complete DNN newbie and just investigating feasability.
Pointers appreciated.
DotNetNuke has an authentication provider and membership provider, both of which you would probably need to implement to be able to use a separate database for credentials (though if it's just for credentials, you would just write an authentication provider to check that database upon login, then user regular DNN users for the membership part, if you're not pulling profile info from there).
As Brian Dukes mentioned there is a provider model that makes this really easy. And I might be able to get your 99% of the way there. I have a commercial product External Database Authentication Provider that connects to any external SQL Server for this type of thing. Now it only communicates to SQL Server, but you can either grab the source and make 2-3 changes and be set, or I know other users in the past have actually created a SP in SQL Server that went to MySQL and used my module as is.