January 2015 - keycloak-dev - Jboss List Archives

Re: Strange behaviour with invalid state param

by Michael Gerber

Someone in our company bookmarked the login URL https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?clie... And he reported this behaviour. I dont understand why the login is permitted with an invalid state. I know the login was successful but the application did not request this login (state is wrong), so it should not allow it. @stian this behaviour is easy reproducible. Open the customer-portal example app in a browser, copy the login url. Close the browser and open it again and use the old url. (or clear your cookies ;-) Remove all parameters from the url after you received the bad request error and you should get in. Am 09. Januar 2015 um 14:41 schrieb Bill Burke <bburke(a)redhat.com>: What I think is happening is that you have an invalid state cookie (as per the oauth spec), you reload the app URL again and authentication is successful. While I don't know why you are getting "No state cookie" the rest makes sense as you're just going through a successful login. On 1/9/2015 7:45 AM, Michael Gerber wrote: Hi, I have a strange behaviour with an invalid state param. The server writes the following log, which is correct: WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie After that I receive a 400 error in my browser with the following URL: https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd... I can load this URL again and than I am successfully logged in. Is this the correct behaviour? Best Michael _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

10 years, 11 months

3
2
0 / 0

Re: A disabled user receives a confusing info message, if he tries to reset his password

by Michael Gerber

Unfortunately, it isn't implemented like that. Have a look at the authenticateInternal method of the AuthenticationManager class. AuthenticationStatus.ACCOUNT_DISABLED; is returned before the validCredentials method is invoked. Best Michael Am 12. Januar 2015 um 12:25 schrieb Stian Thorgersen <stian(a)redhat.com>: ----- Original Message ----- From: "Michael Gerber" <gerbermichi(a)me.com> To: "Stian Thorgersen" <stian(a)redhat.com> Cc: keycloak-dev(a)lists.jboss.org Sent: Monday, 12 January, 2015 11:20:02 AM Subject: Re: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password Thank you, that sounds logical. I just wondered, because you have a different error message for disabled users on the login screen. "Account is disabled, contact admin" That should only be shown after a user has logged in with valid username/password, if you try to login with an invalid password and disabled user it should show invalid username/password. Best Michael Am 12. Januar 2015 um 10:45 schrieb Stian Thorgersen <stian(a)redhat.com>: This is intentional. If we provide specific error messages on reset password it can be used to find out whether or not a username/email is valid. Same applies to login, instead of saying invalid username it just says invalid username or password. As an improvement we could extend the message to say if you haven't received a message within a certain time, then retry or contact an admin/support. ----- Original Message ----- From: "Michael Gerber" <gerbermichi(a)me.com> To: keycloak-dev(a)lists.jboss.org Sent: Friday, 9 January, 2015 4:01:49 PM Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password A disabled user receives the following info message, if he tries to reset his password: You should receive an email shortly with further instructions. This is a bit confusing. A message like that would be nicer: Failed to send email, please contact the administrator. I will create a PR if that is ok with you? _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

10 years, 11 months

2
1
0 / 0

Re: A disabled user receives a confusing info message, if he tries to reset his password

by Michael Gerber

Thank you, that sounds logical. I just wondered, because you have a different error message for disabled users on the login screen. "Account is disabled, contact admin" Best Michael Am 12. Januar 2015 um 10:45 schrieb Stian Thorgersen <stian(a)redhat.com>: This is intentional. If we provide specific error messages on reset password it can be used to find out whether or not a username/email is valid. Same applies to login, instead of saying invalid username it just says invalid username or password. As an improvement we could extend the message to say if you haven't received a message within a certain time, then retry or contact an admin/support. ----- Original Message ----- From: "Michael Gerber" <gerbermichi(a)me.com> To: keycloak-dev(a)lists.jboss.org Sent: Friday, 9 January, 2015 4:01:49 PM Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password A disabled user receives the following info message, if he tries to reset his password: You should receive an email shortly with further instructions. This is a bit confusing. A message like that would be nicer: Failed to send email, please contact the administrator. I will create a PR if that is ok with you? _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

10 years, 11 months

2
1
0 / 0

A disabled user receives a confusing info message, if he tries to reset his password

by Michael Gerber

A disabled user receives the following info message, if he tries to reset his password: You should receive an email shortly with further instructions. This is a bit confusing. A message like that would be nicer: Failed to send email, please contact the administrator. I will create a PR if that is ok with you?

10 years, 11 months

2
1
0 / 0

Master bumped to 1.2.0.Beta1-SNAPSHOT

by Stian Thorgersen

I created 1.1.x branch for 1.1.0.Final release and bumped master to 1.2.0.Beta1-SNAPSHOT So go ahead and start work on 1.2 features :) There's still some issues left to do for 1.1.0.Final, which me and Marek will sort out. I'm aiming to release in a few days. If there's anything you'd like to add to 1.1.0-Final please let me know in advance.

10 years, 11 months

1
0
0 / 0

HA Support For Keycloak

by Lakshmi Narayana VADALI (lvadali)

Hi , Does Keycloak1.0.4_Final has HA Support? If not, then from which release Keycloak HA support is available? Thanks, Lakshmi Narayana V

10 years, 11 months

2
1
0 / 0

Strange behaviour with invalid state param

by Michael Gerber

Hi, I have a strange behaviour with an invalid state param. The server writes the following log, which is correct: WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie After that I receive a 400 error in my browser with the following URL: https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd... I can load this URL again and than I am successfully logged in. Is this the correct behaviour? Best Michael

10 years, 11 months

3
2
0 / 0

Keycloak in JBoss projects

by Stian Thorgersen

There's a lot of JBoss projects already integrating or looking at using Keycloak: * AeroGear UPS * LiveOak * RTGov * Hawt.io * Fabric8 * Fuse * S-RAMP * APIMan * ... I think now is the time to make sure we can provide the best and consistent experience for all projects. With that regards there's improvements we can make: * Embeddable Keycloak - provide a slimmed down profile of Keycloak that can easily be embedded into existing projects. The big question here is should we support deploying to other containers than WildFly? I reckon as long as projects support other projects and we want to be the main auth solution we do. I'd hate to see projects having to provide alternative mechanisms themselves to continue to support Tomcat for example * External Keycloak - make it simpler to link a project to an external Keycloak, including sharing the master realm for SSO to all consoles * Configuration - for both embeddable and external we need to make it easier for projects to bootstrap and update application configuration (for example if hostname changes) * Unified console - we need to align better with PatternFly and RCUE. We should also provide a mechanism for linking between consoles

10 years, 11 months

2
1
0 / 0

Build on top of Vert.x?

by Bill Burke

Don't care that much at all about AIO, but what is compelling to me about Vert.x is that it is a polyglot platform. If our SPIs could be written in any language and deployed easily this would be a huge win and could potential bring together very diverse communities (node.js and linux-python-admins). Something to think about for Keycloak 2.0. Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 11 months

3
2
0 / 0

LoginProtocol endpoints not shown in rest api documentation

by Marek Posolda

Looks that with LoginProtocol abstraction, the endpoints for OpenIDConnectService and SamlService are missing in the rest api docs http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/rest-api/overview-index.html . I've created jira https://issues.jboss.org/browse/KEYCLOAK-946 . There's dummy solution to explicitly add method for each protocol into RealmsResource like this https://github.com/mposolda/keycloak/commit/f7391fef849aef5a8537ab563b37b... . But unfortunately SamlService is not available to "services" project, so it works just for OpenID :-( Does it worth to do some refactoring because of this? Any better idea? Marek

10 years, 11 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2015