vzakharchenko / keycloak-radius-plugin

Make the radius server as part of keycloak SSO
Apache License 2.0

"Update RADIUS password" action not available with Keycloak 17.0.0 #520

Open candlerb opened 2 years ago

candlerb commented 2 years ago

Describe the bug

(Or this may be user error - can you enable "Discussions"?)

When I install keycloak-radius-plugin over Keycloak 17.0.0, I don't get the "Update RADIUS password" action under "Required User Actions".

To Reproduce

I installed Keycloak 17.0.0 from scratch already (it's in /opt/keycloak-17.0.0, with a symlink from /opt/keycloak), using the now-default Quarkus version.

I unzipped the relevant parts of keycloak-radius-plugin over it. Note that kc.sh build appears to be necessary to pick up the radius plugin.

unzip -d /opt/keycloak-17.0.0 -n keycloak-radius.zip 'config/**' 'providers/**' 'themes/**'
systemctl stop keycloak
/opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
systemctl start keycloak

I was then able to add a client named "radius", protocol "radius-protocol", and it responds to RADIUS requests. It works if I do a simple Access-Request and I set the Keycloak password on an account:

# radtest brian xyzzy 127.0.0.1 1 secret
Sent Access-Request Id 245 from 0.0.0.0:34311 to 127.0.0.1:1812 length 75
    User-Name = "brian"
    User-Password = "xyzzy"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1
    Message-Authenticator = 0x00
    Cleartext-Password = "xyzzy"
Received Access-Accept Id 245 from 127.0.0.1:1812 to 127.0.0.1:34311 length 20

However, I'm having difficulty setting the separate RADIUS password.

I set the realm admin console theme to "radius". However, when I go to the Users > (username) > Details page, I do not see any option for "Update RADIUS password".

image

I restarted keycloak just to be sure.

There is also no RADIUS option under "Users > (username) > Credentials > Credential Reset".

Expected behavior

The documentation shows a new option "Update Radius password" should be available:

image

Screenshots

Inline above

Additional context

My goal is to disallow users from setting a Keycloak password (using IDP links to login to Keycloak), and use the RADIUS password only for RADIUS authentication.

Warnings are generated by kc.sh build showing that the RADIUS modules are being picked up:

root@keycloak1:~# /opt/keycloak/bin/kc.sh build --db=postgres --metrics-enabled=true
Updating the configuration and installing your custom providers, if any. Please wait.
2022-03-02 16:34:31,816 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: mikrotik-password (com.github.vzakharchenko.radius.password.RadiusCredentialProviderFactory) is implementing the internal SPI credential. This SPI is internal and may change without notice
2022-03-02 16:34:32,282 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius (com.github.vzakharchenko.radius.dm.api.RadiusServiceImpl) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice
2022-03-02 16:34:32,428 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-03-02 16:34:32,760 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: oidc-radius-password (com.github.vzakharchenko.radius.mappers.RadiusPasswordMapper) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2022-03-02 16:34:32,806 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius-disconnect-message-factory (com.github.vzakharchenko.radius.dm.jpa.RadiusLogoutJpaEntityProviderFactory) is implementing the internal SPI jpa-entity-provider. This SPI is internal and may change without notice
2022-03-02 16:34:34,554 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: UPDATE_RADIUS_PASSWORD (com.github.vzakharchenko.radius.password.UpdateRadiusPassword) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2022-03-02 16:34:57,866 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 37347ms
Server configuration updated and persisted. Run the following command to review the configuration:

    kc.sh show-config

candlerb commented 2 years ago

Aha, I found it! Authentication > Required Actions > Register, Update Radius Password.

I'm happy to close this issue, although I think this requirement should be noted in the README.

I have a couple of minor comments about RADIUS password:

  1. If you set the 'update radius password' action, then the screen that the user sees just says "Update password". It would be clearer if it said "Update RADIUS password", to distinguish it from the normal Keycloak password.
  2. Once you've set this, there's no indication in the /realms/<realm>/account/ page that it has been set up, nor any option to change it (unless this is hidden by some other setting that I haven't found?)

I note that at the moment, RADIUS password is not affected by password policy rules. This is how I want it, because I want to set an impossible policy like .{400} to prevent people setting a Keycloak password on their account (forcing them to use IDP logins only). I hope this stays - or if password policy is set for RADIUS then a separate one is used.
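
The distinction this thread turns on, as an added example that is not part of the issue or the plugin's code: a KC-SERVICES0047 line in the `kc.sh build` output shows only that a provider was loaded, while the action is offered to users only once it is registered under Authentication > Required Actions. The script reads build output and reports `required-action` providers missing from a list of registered aliases; the function names, the sample alias list and the assumption that a registered action's alias equals its provider id are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare providers loaded at build time with realm registrations.

# Constructed sample input: three lines copied from the build output quoted above.
sample_build_log() {
  cat <<'EOF'
2022-03-02 16:34:32,428 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: radius-protocol (com.github.vzakharchenko.radius.client.RadiusLoginProtocolFactory) is implementing the internal SPI login-protocol. This SPI is internal and may change without notice
2022-03-02 16:34:34,554 WARN  [org.keycloak.services] (build-42) KC-SERVICES0047: UPDATE_RADIUS_PASSWORD (com.github.vzakharchenko.radius.password.UpdateRadiusPassword) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2022-03-02 16:34:57,866 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 37347ms
EOF
}

# providers_for_spi SPI
# Reads `kc.sh build` output on stdin and prints the id of every provider
# that a KC-SERVICES0047 warning reports as implementing the given SPI.
providers_for_spi() {
  awk -v spi="$1" '
    /KC-SERVICES0047: / {
      line = $0
      sub(/.*KC-SERVICES0047: /, "", line)   # "ID (class) is implementing ..."
      id = line
      sub(/ .*/, "", id)                      # keep the provider id only
      name = line
      sub(/.* is implementing the internal SPI /, "", name)
      sub(/\. .*/, "", name)                  # keep the SPI name only
      if (name == spi) print id
    }'
}

# unregistered_required_actions ALIAS...
# Reads build output on stdin. Arguments are the aliases the realm lists under
# Authentication > Required Actions (assumption: alias equals provider id).
# Prints each loaded required-action provider that is not in that list.
unregistered_required_actions() {
  providers_for_spi required-action | while IFS= read -r id; do
    found=no
    for alias in "$@"; do
      if [ "$alias" = "$id" ]; then found=yes; fi
    done
    if [ "$found" = no ]; then printf '%s\n' "$id"; fi
  done
}

# Constructed realm state: only two built-in actions are registered.
sample_build_log | unregistered_required_actions UPDATE_PASSWORD VERIFY_EMAIL
```

Any id it prints was picked up by the build but still has to be registered in the realm before it can be assigned to a user.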