
Third party resources

Customizing a deployment might require additional files. Cloud-IAM makes this possible through third party resources.

Concept

Third party resources can be uploaded to Cloud-IAM storage through the API (create a service account to use the Cloud-IAM REST API). The files are gathered during the deployment and installed on each Keycloak node.

In addition, depending on the third party resource type, further behaviour can be enabled.

INFO

As third party resources can contain sensitive data, they are stored encrypted in the Cloud-IAM infrastructure.

API overview

The API lets you manage the resources.

Resources can be added, updated and deleted. Each change triggers a rolling upgrade of the deployment.

```shell
$ DEPLOYMENT_ID=df47bd9a-f416-4bd1-a2a9-6fc17b41c004
$ TOKEN=$( get-token )
$ curl -X POST -F content=@/tmp/mTLS.pem -H "Authorization: Bearer $TOKEN" \
       https://api.cloud-iam.com/deployments/${DEPLOYMENT_ID}/third-parties/mTLS/
```

trusted-certificates

If you need to connect the deployment to an external service, the Keycloak server checks that the connection to it is properly secured with a valid certificate.

If the service is protected with a self-signed certificate or similar, you need to declare this certificate as trusted.

This is done via the trusted-certificates type. All the certificates are added to the Keycloak truststore and will be accepted.

TIP

Untrusted certificates usually produce this kind of stack trace:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 26 more

password-blacklists

Password complexity remains one of the keys to keeping a user's identity safe. Keycloak offers various configuration options to enforce minimum requirements on user passwords.

A good practice is to forbid passwords that are known to be unsafe because of their weakness or because they have leaked.

All deployments come with a predefined list of the top 10 000 worst passwords, provided by Cloud-IAM.

However, you might need to customize this blacklist. Simply upload a third party resource of type password-blacklists to make this file available to Keycloak.

mTLS

Adding a third party resource of type mTLS is necessary to enable mTLS support in Keycloak. There can be only one file of that type; however, it can contain multiple chains, which will be used when setting up mTLS.

Please read our documentation about configuring certificate authentication in the realm authentication flow.
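Before a PEM bundle is uploaded as a trusted-certificates or mTLS resource through the API shown in the overview, it is worth checking it locally: a file that accidentally carries a private key, or a blob that is not DER at all, should never reach the truststore. The following Python is an added example, not Cloud-IAM's own code; the sample PEM data is constructed, and it assumes that the trusted-certificates and password-blacklists types use the same URL shape as the page's mTLS example.

```python
import base64
import re

API_BASE = "https://api.cloud-iam.com/deployments"   # base path from the page's curl example
RESOURCE_TYPES = ("trusted-certificates", "password-blacklists", "mTLS")
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block; malformed base64 raises."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in _PEM_BLOCK.finditer(text)]

def check_bundle(text):
    """Pre-upload checks for a trusted-certificates or mTLS bundle.
    Returns a list of problems; an empty list means the file is fit to upload."""
    problems = []
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"{label} block present: a truststore must never carry private keys")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type {label}")
    for i, der in enumerate(certs):
        if not der or der[0] != 0x30:   # every X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate #{i} is not DER-encoded")
    if len(set(certs)) != len(certs):
        problems.append("duplicate certificate in bundle")
    return problems

def upload_url(deployment_id, resource_type):
    """Endpoint to POST the file to (multipart field 'content', bearer token, as on the page).
    Assumption: every type uses the same path shape as the page's mTLS example."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type: {resource_type}")
    return f"{API_BASE}/{deployment_id}/third-parties/{resource_type}/"

# Constructed sample data, not real certificates: minimal DER SEQUENCEs stand in for
# certificate bodies so the checks run offline.
_DER_A = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
_DER_B = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()
GOOD_BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{_DER_A}\n-----END CERTIFICATE-----\n"
               f"-----BEGIN CERTIFICATE-----\n{_DER_B}\n-----END CERTIFICATE-----\n")
BAD_BUNDLE = GOOD_BUNDLE + f"-----BEGIN EC PRIVATE KEY-----\n{_DER_A}\n-----END EC PRIVATE KEY-----\n"
```

Run `check_bundle` on the file you are about to pass to `curl -F content=@...`, and only upload when it returns an empty list.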

Console overview

To manage third parties from the console, go to a deployment, click on the Configuration tab and scroll to the Third parties section:

(Screenshot: Third parties section)

Manage trusted certificates

To upload a trusted certificate, click on Upload trusted certificate file and select a .pem file:

(Screenshot: Manage trusted certificates)

TIP

Make your management easier by using versions.

For example, instead of uploading a file named demo.pem, name it demo-1.0.0.pem.

This is useful for you, so that you can find your way around easily, and it's useful for our support when we need to work on your deployments.

Next, it is possible to:

  • Download it to your local machine
  • Replace it with another version, for example
  • Remove it from the list

Manage password deny list

To upload a password deny list, click on Upload password deny list file and select a .txt file:

(Screenshot: Manage password deny list)

TIP

Make your management easier by using versions.

For example, instead of uploading a file named password-deny-list.txt, name it password-deny-list-1.0.0.txt.

This is useful for you, so that you can find your way around easily, and it's useful for our support when we need to work on your deployments.

Next, it is possible to:

  • Download it to your local machine
  • Replace it with another version, for example
  • Remove it from the list

Manage mTLS

WARNING

This feature is in active development; please contact us at support@cloud-iam.com