I am facing the following problem.
I have to log in users in Openshift using Keycloak and then these users should be able to use the Openshift API using a custom external Web GUI which I made.
When I log in, Keycloak returns a Keycloak JWT-token. But my problem is that with this Keycloak JWT-token I cant use the Openshift API, for that I need an Openshift token, which is a different token. I could get the Openshift token using an http request to -openshiftmaster-/oauth/authorize , But I don't wanna do this cause this second authentication would mean a second login screen for the user.
Is there a way, once logged in usingKeycloak and in possession of a Keycloak JTW-token, to get the Openshift token without having to authenticate again against Openshift with username and password?
You can set up keycloak as an open id provider. Link 2. Link 3.
Related
I am using google cloud auth for signing my requests for a firebase based project. Until yesterday it worked seamlessly, after using the gcloud auth print-identity-token I have received a token for the selected project and account. Yesterday after a restart this functionality stopped working. I still receive a token and the gcloud seems to be configured well(re-initialised it, and tried to completely uninstall/install it), but the returned token has different aud field. Therefore my firebase functions consider my requests as unauthenticated. let me paste the error message below:
Failed to validate auth token. FirebaseAuthError: Firebase ID token has incorrect "aud" (audience) claim. Expected "xyzmyproject" but got "32512345659.apps.googleusercontent.com". Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK
I have checked the identity token via jwt.io and the aud is set to the wrong 32512345659.apps.googleusercontent.com value as the error message describes it.
Furthermore while was investigating I found out that the gcloud auth login command redirects me to the url the client_id is specified as 32512345659.apps.googleusercontent.com.
I got MySql Server on Azure and is configured with Azure Directory Admin.
Example
MySql Servername: mysqlserver and
MySql AD Admin Account: admin#organistionname.com.au (this organisation domain account)
Can see above account from MySql Server under User Accounts.
I stood-up Azure Web App for phpMyadmin and configured to pointed to above MySql db.
When an logging into phpMyAdmin with above Active Directory Admin Account is getting validated against AD, but getting error
mysqli::real_connect(): (HY000/9013): An error occurred while validating the access token. Please acquire a new token and retry.
I need to get a Ad token which need to passed to MySql server.
How to achieve this in Azure Web App?
This documentation should help you: https://learn.microsoft.com/en-gb/azure/mysql/howto-configure-sign-in-azure-ad-authentication#connecting-to-azure-database-for-mysql-using-azure-ad.
You need to acquire an access token in your code for your user against the resource: https://ossrdbms-aad.database.windows.net or against the scope (if using v2): https://ossrdbms-aad.database.windows.net/.default.
Acquiring access tokens with AAD is a whole another topic and the exact way depends on your app.
This answer might help for that: https://stackoverflow.com/a/33512913/1658906
I have the same set up (except phpmyadmin running in a container in AKS).
I believe phpmyadmin can't connect to mysql with azure ad enabled (at least with an AD user/group) because the token (password) is required to be sent in cleartext, and phpmyadmin hashes it before sending it.
I think that's why I get the An error occurred while validating the access token. Please acquire a new token and retry. error.
That's also why in the docs, they set the --enable-cleartext-plugin flag on their example mysql cli commands.
Also in the docs, they state that it's only tested with myqsl cli and mysqladmin.
I'm currently planning on ditching phpmyadmin for azure bastion and a VM running mysqlworkbench for this reason.
I am integrating wirecloud and fiware-idm. Installed both through docker successfully. However, after installing fiware-idm, i am not able to login from admin. username - admin#test.com password - 1234.
Everytime it redirect it to "ip:3000/auth/login". Do I have to make any other configuration in wirecloud or fiware-idm?
Also, even after entering wrong credential, it redirects me to /auth/login and does not display any error message.
My wirecloud, fiware-idm and mysql database are in different containers. Is this can be the issue?
IdM should be deployed on production to be used by WireCloud. That is, you should configure the IDM service using public domains names, using https, and so on... Seems you are creating a local installation, so you should deploy some workarounds. Well, some of those requirements are not enforced by WireCloud, so it should be enough by ensure you use a domain name for accessing the IdM.
You can simulate having the idm server configured using public domains by adding the proper value to /etc/hosts (See this link if you are running windows), the correct value depends on how did you configured the IdM service. So, the idea is to ensure the domain used for accessing the idm resolves to the correct ip address both in the WireCloud container and from your local computer. We can provide you more detailed steps if you provide us more details about how are you launching the different containers.
I am trying to setup Keycloak server for our organisation. I have couple of questions.
How can we use our existing user database to authenticate users - User Federation. Keycloak only has LADP/Kerberos options. Is there any custom plugin which can be used for MySQL user authentication or can we use existing connectors itself (LDAP/Kerberos) via some adapter for the database?
Is it possible to have multiple Identity providers within Keycloak environment - (Have Keycloak as IDP for few services, while Keycloak Google IDP for other services).
I have followed the official documentation, but for some reason not able to view the content of the link. Any helpful links to proper guide would be great.
Check Keycloak Custom User Federation
It means that, to use diffirent datasource (or process) while Keycloak username / password login
see =>
https://github.com/keycloak/keycloak-documentation/blob/master/server_development/topics/user-storage/simple-example.adoc
https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c github => (https://github.com/Smartling/keycloak-user-migration-provider)
First link => explaining how to configure external db to keycloak.
Second link (need changes)=> these examplecan change like that,
you can create a custom federation implementation,
it will be call your service,
your service will be query your db
your service will response your result
Second example(my suggestion) will be abstract your custom code (federation process, your service) and keycloak. Keycloak ony call your service, everything else are your implementation.
You should implement your own user storage SPI to integrate your MySQL db as an external user storage db
https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
I answered a similar question regarding existing databases user and keycloak authentication (link here)
I published my own solution as a multi RDBMS implementation (oracle, mysql, postgresl, sqlserver) to solve simple database federation needs, supporting bcrypt and several types of hashes.
It is a configurable keycloak custom provider, you will only need the to set some SQL queries and it is ready to use.
It is already compatible with new keycloak quarkus deployment.
Feel free to clone, fork, contribute or do whatever you need to solve your issue.
GitHub repo:
https://github.com/opensingular/singular-keycloak-database-federation
Can we authenticate against OpenShift enterprise 3.2 or 3.3 REST API's using username and password instead of tokens?
Thanks much in advance!
As stated in openshift documentation:
Requests to the OpenShift Container Platform API are authenticated using the following methods:
OAuth Access Tokens
Obtained from the OpenShift Container Platform OAuth server using the /oauth/authorize and /oauth/token endpoints.
Sent as an Authorization: Bearer… header or an access_token=… query parameter
X.509 Client Certificates
Requires a HTTPS connection to the API server.
Verified by the API server against a trusted certificate authority bundle.
So you need to authenticate using either of these ways