SAML javascript protocol mapper: disable uploading scripts through admin console by default (#1677)

closes #1676
This commit is contained in:
Marek Posolda 2022-09-09 13:47:47 +02:00 committed by GitHub
parent f70bd74b6b
commit 47ad5e2427
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 14 deletions

View file

@ -209,6 +209,7 @@ bin/kc.[sh|bat] build --spi-user-cache-infinispan-enabled=false
* Authenticator
* JavaScript Policy
* OpenID Connect Protocol Mapper
* SAML Protocol Mapper
==== Authenticator
@ -296,6 +297,13 @@ The `META-INF/keycloak-scripts.json` is a file descriptor that provides metadata
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
],
"saml-mappers": [
{
"name": "My Mapper",
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
]
}
```
@ -313,6 +321,10 @@ For JavaScript Policies when using {project_name} Authorization Services. You ca
* `mappers`
+
For OpenID Connect Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
+
* `saml-mappers`
+
For SAML Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
For each script file in your `JAR` file, you need a corresponding entry in `META-INF/keycloak-scripts.json` that maps your scripts files to a specific provider type. For that you should provide the following properties for each entry:
@ -380,19 +392,6 @@ cp target/keycloak-server-copy/providers/*.jar KEYCLOAK_HOME/providers/
```
After re-augment the distribution with `kc.sh build`, the script engine should be deployed and your script providers should work.
==== Using the {project_name} Admin Console to upload scripts
NOTE: Ability to upload scripts through the Admin Console is deprecated and will be removed in a future version of {project_name}.
Administrators cannot upload scripts to the server. This behavior prevents potential harm to the system in case
malicious scripts are accidentally executed. Administrators should always deploy scripts directly to the server using a
JAR file to prevent attacks when you run scripts at runtime.
Ability to upload scripts can be explicitly enabled. This should be used with great care and plans should be created to
deploy all scripts directly to the server as soon as possible.
For more details about how to enable the `upload_scripts` feature, see the https://www.keycloak.org/server/features[Enabling and disabling features] guide.
=== Available SPIs
If you want to see list of all available SPIs at runtime, you can check `Server Info` page in Admin Console as described in <<_providers_admin_console,Admin Console>> section.

View file

@ -12,3 +12,11 @@ bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation
With this configuration, you can still use the logout endpoint without a user prompt.
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.
= Deploying scripts through SAML javascript protocol mapper
Until now, administrators, which used SAML javascript protocol mapper on their SAML clients or client scopes, were allowed to upload scripts to the server through the {project_name} Administration Console as well as
through the RESTful Admin API.
For now on, this capability is *disabled* and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details,
please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].