Small fixes
* keycloak by Keycloak
* uri by URI
* oAuth by OAuth
* saml by SAML
* oidc by OIDC
* infinispan by Infinispan
* uri vs URI
parent
cca4dbef5c
commit
50406712fd
5 changed files with 14 additions and 14 deletions
|
@ -68,10 +68,10 @@ We've moved the themes and providers directories from `standalone/configuration/
|
|||
If you have added custom themes and providers you need to move them to the new location.
|
||||
You also need to update `keycloak-server.json` as it's changed due to this.
|
||||
|
||||
===== Adapter Subsystems only bring in dependencies if keycloak is on
|
||||
===== Adapter Subsystems only bring in dependencies if Keycloak is on
|
||||
|
||||
Previously, if you had installed our saml or oidc keycloak subsystem adapters into Wildfly or JBoss EAP, we would automatically include Keycloak client jars into EVERY application irregardless if you were using Keycloak or not.
|
||||
These libraries are now only added to your deployment if you have keycloak authentication turned on for that adapter (via the subsystem, or auth-method in web.xml
|
||||
Previously, if you had installed our SAML or OIDC Keycloak subsystem adapters into Wildfly or JBoss EAP, we would automatically include Keycloak client jars into EVERY application irregardless if you were using Keycloak or not.
|
||||
These libraries are now only added to your deployment if you have Keycloak authentication turned on for that adapter (via the subsystem, or auth-method in web.xml
|
||||
|
||||
===== Client Registration service endpoints moved
|
||||
|
||||
|
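Review bot: the capitalization fix in the "Adapter Subsystems" paragraph leaves two defects in the same sentences: "irregardless" should be "regardless", and the parenthesis opened in "(via the subsystem, or auth-method in web.xml" is never closed; suggest ending that sentence with "or auth-method in web.xml)." While these lines are being touched, "Wildfly" should be spelled "WildFly", which is the project's own capitalization and in the spirit of this commit.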
@ -95,11 +95,11 @@ Feedback in template.ftl has been moved and format has changed slightly.
|
|||
Most of our modules and source code have been consolidated into two maven modules: keycloak-server-spi and keycloak-services.
|
||||
SPI interfaces are in server-spi, implementations are in keycloak-services.
|
||||
All JPA dependent modules have been consolidated under keycloak-model-jpa.
|
||||
Same goes with mongo and infinispan under modules keycloak-model-mongo and keycloak-model-infinispan.
|
||||
Same goes with mongo and Infinispan under modules keycloak-model-mongo and keycloak-model-infinispan.
|
||||
|
||||
===== For adapters, session id changed after login
|
||||
|
||||
To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/Wildfly, Jetty 9), the keycloak oidc and saml adapters will change the session id after login.
|
||||
To plug a security attack vector, for platforms that support it (Tomcat 8, Undertow/Wildfly, Jetty 9), the Keycloak OIDC and SAML adapters will change the session id after login.
|
||||
You can turn off this behavior check adapter config switches.
|
||||
|
||||
===== SAML SP Client Adapter Changes
|
||||
|
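Review bot: "To plug a security attack vector" in the "session id changed after login" paragraph does not say which attack is mitigated; if this is the usual reason for rotating the session identifier at login, namely session fixation (an identifier fixed before authentication would otherwise remain valid after it), the sentence should name it, e.g. "To mitigate session fixation, for platforms that support it (Tomcat 8, Undertow/WildFly, Jetty 9), the Keycloak OIDC and SAML adapters change the session ID after login." Given this commit's purpose, "session id" should also become "session ID" and "Wildfly" should be "WildFly". The following context line "You can turn off this behavior check adapter config switches." is missing a connective: "You can turn off this behavior; check the adapter config switches."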
@ -396,8 +396,8 @@ Facebook admin console).
|
|||
|
||||
* DB Schema has changed. We have added export of the database to Beta 1, but not the ability to import
|
||||
the database from older versions. This will be supported in future releases.
|
||||
* For all clients except bearer-only applications, you must specify at least one redirect uri. Keycloak
|
||||
will not allow you to log in unless you have specified a valid redirect uri for that application.
|
||||
* For all clients except bearer-only applications, you must specify at least one redirect URI. Keycloak
|
||||
will not allow you to log in unless you have specified a valid redirect URI for that application.
|
||||
* Direct Grant API
|
||||
+`ON`
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ Usually, identity providers are based on the following protocols:
|
|||
|
||||
* `SAML v2.0`
|
||||
* `OpenID Connect v1.0`
|
||||
* `oAuth v2.0`
|
||||
* `OAuth v2.0`
|
||||
|
||||
In the next sections we'll see how to configure and use {{book.project.name}} as an identity broker, covering some important aspects such as:
|
||||
|
||||
|
|
|
@ -45,8 +45,8 @@ Regardless the identity provider you are creating, you'll see the following conf
|
|||
|
||||
|Alias
|
||||
|The alias is an unique identifier for an identity provider. It is used to reference internally an identity provider.
|
||||
Some protocols require a redirect uri or callback url in order to communicate with an identity provider. For instance, OpenID Connect.
|
||||
In this case, the alias is used to build the redirect uri.
|
||||
Some protocols require a redirect URI or callback url in order to communicate with an identity provider. For instance, OpenID Connect.
|
||||
In this case, the alias is used to build the redirect URI.
|
||||
Every single identity provider must have an alias. For example, facebook, google, idp.acme.com, etc.
|
||||
|
||||
|Enabled
|
||||
|
|
|
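Review bot: the changed line still has "callback url" in lowercase right next to the newly capitalized "redirect URI"; given the stated purpose of this commit it should read "callback URL". The unchanged context line "The alias is an unique identifier for an identity provider. It is used to reference internally an identity provider." also needs "a unique identifier" and reads better as "It is used to reference an identity provider internally."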
@ -42,5 +42,5 @@ NOTE: Different protocols may require different authentication flows.
|
|||
|
||||
As you may notice, at the end of the authentication process {{book.project.name}} will always issue its own token to client applications,
|
||||
what this means is that client applications are completely decoupled from external identity providers.
|
||||
They don't need to know which protocol (eg.: SAML, OpenID Connect, oAuth, etc) was used or how the user's identity was validated.
|
||||
They don't need to know which protocol (eg.: SAML, OpenID Connect, OAuth, etc) was used or how the user's identity was validated.
|
||||
They only need to know about {{book.project.name}} !
|
||||
|
|
|
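Review bot: "eg.:" in the changed line is not a standard abbreviation; suggest "(e.g. SAML, OpenID Connect, OAuth, etc.)". The trailing context line "They only need to know about {{book.project.name}} !" has a stray space before the exclamation mark.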
@ -5,8 +5,8 @@ An attacker could use the end-user authorization endpoint and the redirect URI p
|
|||
An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation.
|
||||
An attacker could utilize a user's trust in an authorization server to launch a phishing attack.
|
||||
|
||||
{{book.project.name}} requires that all registered applications and clients register at least one redirection uri pattern.
|
||||
Any time a client asks {{book.project.name}} to perform a redirect (on login or logout for example), {{book.project.name}} will check the redirect uri vs.
|
||||
the list of valid registered uri patterns.
|
||||
{{book.project.name}} requires that all registered applications and clients register at least one redirection URI pattern.
|
||||
Any time a client asks {{book.project.name}} to perform a redirect (on login or logout for example), {{book.project.name}} will check the redirect URI vs.
|
||||
the list of valid registered URI patterns.
|
||||
It is important that clients and applications register as specific a URI pattern as possible to mitigate open redirector attacks.
|
||||
|
||||
|
|
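Review bot: terminology in this hunk stays inconsistent after the fix: the first changed sentence says "redirection URI pattern" while the next says "redirect URI"; use "redirect URI" throughout, and replace "check the redirect URI vs. the list of valid registered URI patterns" with "check the redirect URI against the list of registered URI patterns". Since this section defines open redirectors, the closing advice to "register as specific a URI pattern as possible" could state the reason directly: every URI a registered pattern accepts is a location the client can be redirected to, so a broad pattern reintroduces the open redirector the check is meant to prevent.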