Small fixes

* keycloak by Keycloak
* uri by URI
* oAuth by OAuth
* saml by SAML
* oidc by OIDC
* infinispan by Infinispan
* uri vs URI
Bruno Oliveira 2016-06-01 11:16:15 -03:00
parent cca4dbef5c
commit 50406712fd
5 changed files with 14 additions and 14 deletions


@ -68,10 +68,10 @@ We've moved the themes and providers directories from `standalone/configuration/
If you have added custom themes and providers you need to move them to the new location. If you have added custom themes and providers you need to move them to the new location.
You also need to update `keycloak-server.json` as it's changed due to this. You also need to update `keycloak-server.json` as it's changed due to this.
===== Adapter Subsystems only bring in dependencies if keycloak is on ===== Adapter Subsystems only bring in dependencies if Keycloak is on
Previously, if you had installed our saml or oidc keycloak subsystem adapters into Wildfly or JBoss EAP, we would automatically include Keycloak client jars into EVERY application irregardless if you were using Keycloak or not. Previously, if you had installed our SAML or OIDC Keycloak subsystem adapters into Wildfly or JBoss EAP, we would automatically include Keycloak client jars into EVERY application irregardless if you were using Keycloak or not.
These libraries are now only added to your deployment if you have keycloak authentication turned on for that adapter (via the subsystem, or auth-method in web.xml These libraries are now only added to your deployment if you have Keycloak authentication turned on for that adapter (via the subsystem, or auth-method in web.xml
===== Client Registration service endpoints moved ===== Client Registration service endpoints moved
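Review bot: the line beginning "Previously, if you had installed our SAML or OIDC Keycloak subsystem adapters" is already being edited for capitalisation, so fix "irregardless" in the same pass ("regardless of whether you were using Keycloak or not"), and the following line needs its parenthesis closed after "auth-method in web.xml". The project spells its server "WildFly", not "Wildfly".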
@ -95,11 +95,11 @@ Feedback in template.ftl has been moved and format has changed slightly.
Most of our modules and source code have been consolidated into two maven modules: keycloak-server-spi and keycloak-services. Most of our modules and source code have been consolidated into two maven modules: keycloak-server-spi and keycloak-services.
SPI interfaces are in server-spi, implementations are in keycloak-services. SPI interfaces are in server-spi, implementations are in keycloak-services.
All JPA dependent modules have been consolidated under keycloak-model-jpa. All JPA dependent modules have been consolidated under keycloak-model-jpa.
Same goes with mongo and infinispan under modules keycloak-model-mongo and keycloak-model-infinispan. Same goes with mongo and Infinispan under modules keycloak-model-mongo and keycloak-model-infinispan.
===== For adapters, session id changed after login ===== For adapters, session id changed after login
To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/Wildfly, Jetty 9), the keycloak oidc and saml adapters will change the session id after login. To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/Wildfly, Jetty 9), the Keycloak OIDC and SAML adapters will change the session id after login.
You can turn off this behavior check adapter config switches. You can turn off this behavior check adapter config switches.
===== SAML SP Client Adapter Changes ===== SAML SP Client Adapter Changes
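Review bot: "mongo" is left lowercase on the same line where "Infinispan" is capitalised; suggest "MongoDB and Infinispan". In the session id section, "To plug a security attack vector" should name the vector, since an operator deciding whether to use the adapter switch that turns this behaviour off needs to know what is being given up: regenerating the session id after login is the standard defence against session fixation. "You can turn off this behavior check adapter config switches." also runs two sentences together; suggest "To turn off this behavior, check the adapter config switches."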
@ -396,8 +396,8 @@ Facebook admin console).
* DB Schema has changed. We have added export of the database to Beta 1, but not the ability to import * DB Schema has changed. We have added export of the database to Beta 1, but not the ability to import
the database from older versions. This will be supported in future releases. the database from older versions. This will be supported in future releases.
* For all clients except bearer-only applications, you must specify at least one redirect uri. Keycloak * For all clients except bearer-only applications, you must specify at least one redirect URI. Keycloak
will not allow you to log in unless you have specified a valid redirect uri for that application. will not allow you to log in unless you have specified a valid redirect URI for that application.
* Direct Grant API * Direct Grant API
+`ON` +`ON`
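Review bot: the final added line is a bare `ON` with no surrounding text, and it does not correspond to any of the renamings listed in the commit message (keycloak, uri, oAuth, saml, oidc, infinispan); confirm it is intentional or drop it from this commit. The uri/URI changes in the rest of the hunk are correct.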


@ -17,7 +17,7 @@ Usually, identity providers are based on the following protocols:
* `SAML v2.0` * `SAML v2.0`
* `OpenID Connect v1.0` * `OpenID Connect v1.0`
* `oAuth v2.0` * `OAuth v2.0`
In the next sections we'll see how to configure and use {{book.project.name}} as an identity broker, covering some important aspects such as: In the next sections we'll see how to configure and use {{book.project.name}} as an identity broker, covering some important aspects such as:
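Review bot: the capitalisation fix is correct, but the list presents `OAuth v2.0` alongside SAML and OpenID Connect as if all three were identity protocols; OAuth 2.0 is an authorization framework, so brokering against a plain OAuth provider relies on a provider-specific user-info endpoint to learn who the user is. A short clause saying so next to that item would keep the list from overstating what OAuth alone provides.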


@ -45,8 +45,8 @@ Regardless the identity provider you are creating, you'll see the following conf
|Alias |Alias
|The alias is an unique identifier for an identity provider. It is used to reference internally an identity provider. |The alias is an unique identifier for an identity provider. It is used to reference internally an identity provider.
Some protocols require a redirect uri or callback url in order to communicate with an identity provider. For instance, OpenID Connect. Some protocols require a redirect URI or callback url in order to communicate with an identity provider. For instance, OpenID Connect.
In this case, the alias is used to build the redirect uri. In this case, the alias is used to build the redirect URI.
Every single identity provider must have an alias. For example, facebook, google, idp.acme.com, etc. Every single identity provider must have an alias. For example, facebook, google, idp.acme.com, etc.
|Enabled |Enabled
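Review bot: "callback url" sits on the same line as the corrected "redirect URI" and should become "callback URL" for consistency; "an unique identifier ... used to reference internally an identity provider" reads better as "a unique identifier ... used internally to reference an identity provider". Because the alias is embedded in the redirect URI, the table entry should also say that the alias must not be changed once that URI has been registered with the external provider, or the provider will reject the callback.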


@ -42,5 +42,5 @@ NOTE: Different protocols may require different authentication flows.
As you may notice, at the end of the authentication process {{book.project.name}} will always issue its own token to client applications, As you may notice, at the end of the authentication process {{book.project.name}} will always issue its own token to client applications,
what this means is that client applications are completely decoupled from external identity providers. what this means is that client applications are completely decoupled from external identity providers.
They don't need to know which protocol (eg.: SAML, OpenID Connect, oAuth, etc) was used or how the user's identity was validated. They don't need to know which protocol (eg.: SAML, OpenID Connect, OAuth, etc) was used or how the user's identity was validated.
They only need to know about {{book.project.name}} ! They only need to know about {{book.project.name}} !
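Review bot: besides the OAuth fix, this paragraph has a comma splice ("...to client applications, what this means is that..."), "eg.:" should be "e.g.", and there is a stray space before "!". Suggest: "...will always issue its own token to client applications. This means that client applications are completely decoupled from external identity providers. They don't need to know which protocol (e.g. SAML, OpenID Connect, OAuth) was used or how the user's identity was validated; they only need to know about {{book.project.name}}."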


@ -5,8 +5,8 @@ An attacker could use the end-user authorization endpoint and the redirect URI p
An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation.
An attacker could utilize a user's trust in an authorization server to launch a phishing attack. An attacker could utilize a user's trust in an authorization server to launch a phishing attack.
{{book.project.name}} requires that all registered applications and clients register at least one redirection uri pattern. {{book.project.name}} requires that all registered applications and clients register at least one redirection URI pattern.
Any time a client asks {{book.project.name}} to perform a redirect (on login or logout for example), {{book.project.name}} will check the redirect uri vs. Any time a client asks {{book.project.name}} to perform a redirect (on login or logout for example), {{book.project.name}} will check the redirect URI vs.
the list of valid registered uri patterns. the list of valid registered URI patterns.
It is important that clients and applications register as specific a URI pattern as possible to mitigate open redirector attacks. It is important that clients and applications register as specific a URI pattern as possible to mitigate open redirector attacks.
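Review bot: "check the redirect URI vs. the list of valid registered URI patterns" is informal for documentation; "against the list of registered URI patterns" reads better. More importantly, "as specific a URI pattern as possible" is the security-relevant advice in this section and deserves a concrete contrast: a pattern that wildcards the scheme or host, or a lone `*`, matches any destination and reintroduces the open redirector this page warns about, whereas an exact pattern such as the application's own callback URL does not.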