JS adapter constantly refreshing page
by sesnor.silva@sapo.pt
Hello,
I'm trying to integrate keycloak's JS adapater into an application.
However for some reason the page keeps refreshing (every 5 seconds or
so?) after successfully logging in.
I managed to reproduce the problem with the following minimal code:
<!-- index.html FILE -->
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<script type="text/javascript"
src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script>
<script type="text/javascript" src="<MY KEYCLOAK
SERVER>/auth/js/keycloak.js"></script>
<script type="text/javascript">
angular.element(document).ready(function() {
var keycloakAuth = Keycloak('keycloak.json');
keycloakAuth.init({
onLoad: 'login-required'
}).success(function(authenticated) {
keycloakAuth.loadUserInfo().success(function (userInfo) {
console.log(userInfo)
});
}).error(function() {
var error = "There was an error initializing the
authentication module.";
console.error(error);
});
});
</script>
</body>
</html>
I tried searching around but I didn't find too many answers. I tried
to base my implementation around:
https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl...
and
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
But I get the same behavior every time: The page just keeps refreshing.
It seems to be related to blocking third-party cookies on the
browser. I use Firefox 53. Since my Keycloak isn't on the same host
as the application, I think the browser rejects the keycloak's
cookies. If this is the case, what could be a workaround for this? Is
there any option on the adapter's side? I'm worried some browser might
block third-party cookies by default (Opera and Brave Browser come to
mind).
Thank you,
My best regards,
Silva
6 years, 5 months
How to display user information from keycloak SAML adapter assertions/session?
by ken edward
Hello,
I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged in user information after
the user is authenticated?
org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession@13a50bc9
Ken
6 years, 5 months
Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using keycloak in a java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the keycloak adapter to refresh the token after the permissions are
stored, this way the admin user is not required to have its token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
6 years, 8 months
Detect existing IdP session
by Adam Keily
Hi,
Forgive me if this is a dumb question. I'm just wondering if it's possible for keycloak to detect that a user has already authenticated to a configured IDP before being presented the the login page. E.g.
We have multiple IDP's configured in Keycloak. Facebook, Google, corporate ADFS. If they have an existing session, can that be detected e.g.
1. User is already authenticated to ADFS
2. They attempt to access a KC protected application.
3. Instead of having to click the IDP link on the KC login screen to be redirected to ADFS and back again, they are instead just authenticated using their existing ADFS session.
I know about kc_idp_hint and default IdP but this is more a case where a user might be already authenticated to one of multiple IDP's. Something like "Detected ADFS session. Continue as ADFS userA?". I guess if you've authed to more than one IDP it could be a problem.
Thanks
Adam
6 years, 8 months
Skip Broker First-Time Flow?
by Peter K. Boucher
We have a need to pre-provision user accounts that are to be accessed with
SAML from an outside IdP. These accounts are only ever to be used via SAML
from this external IdP (i.e., we never want them to have to use a password
to verify anything to Keycloak.
Is there any way for the account-linking the first time the user comes in
with SAML to happen automatically and silently?
We understand that in some circumstances it would be a security hole to
allow someone to connect via a brokered IdP to an existing account that has
already been used, but these accounts are being created specifically to be
accessed by this particular broker.
Any help?
Thanks!
Regards,
Peter K. Boucher
6 years, 8 months
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after User / Password Form
Authenticator, a kind of "access rules" authenticator, that will, according
to some request parameters, (for example, ip address, or application) will
add dynamically a second factor authenticator in the flow. (Like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (For example, we provide a set of second factory, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during browser
authentication process, after providing user and password, user will get a
form allowing him to choose the second factory system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticator. (So, not to write a
big 2fa authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
6 years, 9 months
Realm configuration under Version Control
by Christian Schneider
Hi,
we wan't to have our Keycloak-Realm configuration under Version Control.
The goal is that every stage (Development, Integration, Testing and
Production) should have an own configuration file for the realm (without
users of course, they should stay over time). When we want to change
something, it should be done over the configuration file.
My initial Idea was to user the migration import and export parameters for
that.
First export the current configuration on every stage, commit it, and then
import it on startup. But the problem is, that the realm is first dropped
(including the users) and then imported. After that, all existing users are
removed :(.
What is your strategy to have the keycloak configuration under version
control? So that every change is transparent and documented?
Best Regards,
Christian.
6 years, 9 months
Upgrading from Red Hat SSO 7.0 to Keycloak 3.1
by Marcelo Nardelli
Hi,
At work, we have an installation of Red Hat SSO 7.0 and we were going to
upgrade it to version 7.1. However, I was told that the our Red Hat
subscription won't be renewed, so now we want to upgrade to the last
Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported?
I've been trying to follow the instructions on the documentation (
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...),
but it's not working. Specifically, when I try to run the migration script
(after copying the old standalone.xml and the keycloak-server.json file)
jboss-cli.sh --file=migrate-standalone.cli
I get this error:
Cannot start embedded server: WFLYEMB0021: Cannot start embedded
process: Operation failed: WFLYSRV0056: Server boot has failed in an
unrecoverable manner; exiting. See previous messages for details.
I suppose the Keycloak version used in SSO 7.0 is too old and I will have
to do some manual work here, but I wanted to know if there is some specific
advice for this case...
Thanks,
Marcelo Nardelli
6 years, 9 months
