SAML javascript protocol mapper: disable uploading scripts through admin console by default (#1677)
closes #1676
parent f70bd74b6b
commit 47ad5e2427
2 changed files with 21 additions and 14 deletions
@ -209,6 +209,7 @@ bin/kc.[sh|bat] build --spi-user-cache-infinispan-enabled=false
* Authenticator
* JavaScript Policy
* OpenID Connect Protocol Mapper
* SAML Protocol Mapper

==== Authenticator

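Review bot: the new `* SAML Protocol Mapper` bullet needs a matching subsection; only `==== Authenticator` is visible after the list in this hunk, so confirm that the page has a `==== SAML Protocol Mapper` subsection in the same style as the `==== Authenticator` one, otherwise the list advertises a provider type the page never describes.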
@ -296,6 +297,13 @@ The `META-INF/keycloak-scripts.json` is a file descriptor that provides metadata
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
],
"saml-mappers": [
{
"name": "My Mapper",
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
]
}
```

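Review bot: the new `saml-mappers` entry copies the `mappers` entry above it verbatim, including `"name": "My Mapper"` and `"fileName": "my-script-mapper.js"`; with both arrays pointing at the same script file and the same display name, the example reads as if one script can be registered for both OpenID Connect and SAML, which is misleading because the provider-type list earlier on the page distinguishes `OpenID Connect Protocol Mapper` from `SAML Protocol Mapper`. Use a distinct name and file, for example `"name": "My SAML Mapper"` and `"fileName": "my-saml-script-mapper.js"`, and if sharing one script between the two mapper types is actually supported, say so in the text rather than by coincidence of the example.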
@ -313,6 +321,10 @@ For JavaScript Policies when using {project_name} Authorization Services. You ca
* `mappers`
+
For OpenID Connect Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
+
* `saml-mappers`
+
For SAML Script Protocol Mappers. You can have one or multiple mappers in the same JAR file

For each script file in your `JAR` file, you need a corresponding entry in `META-INF/keycloak-scripts.json` that maps your scripts files to a specific provider type. For that you should provide the following properties for each entry:

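Review bot: the `+` inserted between the OpenID Connect mapper description and `* `saml-mappers`` breaks the pattern the rest of the list follows: the hunk header shows the JavaScript Policy description leading straight into `* `mappers`` with no continuation line, and a `+` placed directly before a new `*` item is at best redundant and, depending on the AsciiDoc processor, may attach the following item as a nested block of the `mappers` entry instead of a sibling. Drop that `+` and keep only the one between `* `saml-mappers`` and its `For SAML Script Protocol Mappers ...` paragraph; while here, end both descriptions with a period.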
@ -380,19 +392,6 @@ cp target/keycloak-server-copy/providers/*.jar KEYCLOAK_HOME/providers/
```
After re-augment the distribution with `kc.sh build`, the script engine should be deployed and your script providers should work.

==== Using the {project_name} Admin Console to upload scripts

NOTE: Ability to upload scripts through the Admin Console is deprecated and will be removed in a future version of {project_name}.

Administrators cannot upload scripts to the server. This behavior prevents potential harm to the system in case
malicious scripts are accidentally executed. Administrators should always deploy scripts directly to the server using a
JAR file to prevent attacks when you run scripts at runtime.

Ability to upload scripts can be explicitly enabled. This should be used with great care and plans should be created to
deploy all scripts directly to the server as soon as possible.

For more details about how to enable the `upload_scripts` feature, see the https://www.keycloak.org/server/features[Enabling and disabling features] guide.

=== Available SPIs

If you want to see list of all available SPIs at runtime, you can check `Server Info` page in Admin Console as described in <<_providers_admin_console,Admin Console>> section.

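Review bot: deleting the whole `==== Using the {project_name} Admin Console to upload scripts` subsection also removes the page's only mention of the `upload_scripts` feature and the link to the Enabling and disabling features guide. If that feature flag still exists after this change, keep a one-line statement that script upload is disabled by default, deprecated, and where it can be switched on; if the flag is being removed, say so explicitly here or in the upgrading note, because the deleted NOTE only promised removal "in a future version" and operators who relied on the flag will otherwise find no trace of what happened. The surrounding `=== Available SPIs` section is unaffected.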
@ -12,3 +12,11 @@ bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation
With this configuration, you can still use the logout endpoint without a user prompt.

WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.

= Deploying scripts through SAML javascript protocol mapper

Until now, administrators, which used SAML javascript protocol mapper on their SAML clients or client scopes, were allowed to upload scripts to the server through the {project_name} Administration Console as well as
through the RESTful Admin API.

For now on, this capability is *disabled* and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details,
please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
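Review bot: the upgrading note has wording and consistency problems in its new lines: `administrators, which used` should be `administrators who used`, `For now on` should be `From now on`, `users should deploy` should be `administrators must deploy` (the bold *disabled* makes it a hard requirement, not advice), `behaviour` is spelled `behavior` in the developer-guide text this same commit deletes, and `javascript` in the heading and body should be `JavaScript` to match the `JavaScript Policy` wording in the other file. The note also says the capability is disabled without telling an administrator who still depends on uploaded scripts whether it can be re-enabled or how to migrate the scripts already uploaded; state that explicitly, since the deleted Admin Console subsection was where that was previously documented.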