Re: [keycloak-dev] Is it possible to combine Kerberos authentication with an User Federation Provider?
by Vito Vessia
Hi all,
I have a legacy solution that uses its own user (including the password) and
roles database, so for the migration to Keycloak I've written a User
Federation Provider. Optionally some users may use their Active Directory
credentials to log in on the realm, and my User Federation Provider is able
to manage both cases. So I don't use the official LDAP User Federation
Provider provided by Keycloak. I'd like to offer Kerberos authentication to
the users mapped on LDAP. Is it possible to create a login pipeline like
this:
1) The user's Kerberos token is valid, so Keycloak grabs it and then calls
my User Federation Provider, passing it the username that comes from
Kerberos;
2) OR, the user's Kerberos token is NOT valid, so Keycloak shows the login
page to the user and then passes the credentials to my User Federation
Provider.
Thank you in advance,
--Vito
9 years, 7 months
Email verification and redirect_uri
by Thomas Raehalme
Hi,
We are doing some testing regarding email verifications.
Everything seems to work great as long as the user keeps using the same
browser for every request (try to access a protected resource, register a
new account and click the email verification link).
If the user, however, registers with Firefox and the verification link in
email is opened to a different browser, say, Chrome, the user is shown a
message regarding successful verification and a link "Back to application".
The user is not redirected to the original protected resource.
If you read your email with a browser this is probably not going to happen.
But if your email client opens a different browser for any reason, then it
will break the process.
What do you think, would it make sense to include the original redirect_uri
in the verification link to ensure that the user is redirected back to the
original protected resource? Or maybe you could store the redirect_uri on
the server next to the verification token?
Best regards,
Thomas
9 years, 7 months
refresh_token request should trigger update of access token payload
by Mr. Graf
Hey all,
we are evaluating Keycloak and ran into an issue.
We implemented a UserFederationProvider. This provider authenticates, let's say, old users and new users.
"Old" users should receive an LTPA token within the payload of the access token. We used user attributes to achieve it. Fine so far.
Our current issue is that this LTPA token needs to be updated when a refresh_token request comes in and should be put into the "new" access token too.
Initially we tried to achieve it using the refresh_token event, until we noticed that this is fired after the "new" access token has been created, so too late.
Does someone have a smart approach or an example of how to add custom payload, to be retrieved from a legacy system, to the access token when refreshing it?
Thanks in advance
Thomas
9 years, 7 months
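One way to do what this message asks is a custom OIDC protocol mapper: Keycloak runs access-token mappers both when a token is first issued and on every refresh_token grant, so the claim is recomputed each time instead of being copied from the old token. The following is an added example, not code from the thread or from Keycloak itself; it is written against the current Keycloak mapper SPI (older releases used a different transformAccessToken signature), and the LegacyLtpaClient interface with its in-memory stand-in is a constructed placeholder for the real call to the legacy system.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

// Registered via META-INF/services/org.keycloak.protocol.ProtocolMapper, then
// attached to the client (or a client scope) in the admin console.
public class LegacyLtpaMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "legacy-ltpa-mapper";
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // Standard Keycloak options: configurable claim name plus "add to access token" switch.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, LegacyLtpaMapper.class);
    }

    /** Hypothetical legacy-system client; the real one would call the LTPA issuer. */
    interface LegacyLtpaClient { String issueTokenFor(String username); }

    // Constructed stand-in so the class compiles alone: only "old" users known to the
    // legacy system get a token, everyone else yields null and therefore no claim.
    private static final Set<String> OLD_USERS = Set.of("alice", "bob");
    static LegacyLtpaClient client =
            u -> OLD_USERS.contains(u) ? "ltpa-" + u + "-" + System.currentTimeMillis() : null;

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getDisplayType() { return "Legacy LTPA token"; }
    @Override public String getHelpText() { return "Fetches a fresh LTPA token on every issue and refresh"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    // Invoked by TokenManager for the initial grant AND for each refresh_token grant.
    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        String ltpa = client.issueTokenFor(userSession.getUser().getUsername());
        if (ltpa != null) OIDCAttributeMapperHelper.mapClaim(token, mappingModel, ltpa);
        return token;
    }
}
```

Because the legacy call runs inside token issuance, keep it fast and fail closed (return null, omit the claim) rather than let a slow or failing legacy system block every refresh.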
User Federation Provider with JPA
by alex orl
I'm developing a Keycloak user-federation-provider and I need to integrate it with the JPA persistence system in order to write to my legacy DB and to the Keycloak DB. I read that JBoss WildFly already uses Hibernate 4.3 JPA, so I chose to follow this line for my project. Another requirement is to decouple the provider and the JPA model-mapping-project, so my JPA model-mapping-project has to be deployed as a separate jar file.
Following the Keycloak user guide, I deploy the provider simply by copying the built project jar into the .../standalone/configuration/providers directory. The JPA model-mapping-project jar file is deployed into WildFly using the management console deployment section. Now I'm facing two problems:
1) the user-federation-provider doesn't see the model-mapping-project classes (throwing a ClassNotFoundException);
2) if I simply copy the model-mapping-project.jar into the /standalone/configuration/providers directory, the federation provider sees the classes but the EntityManager dependency injection does not work (NullPointerException).
Which way can I solve this problem? Is there another way to deploy providers? And what about the jar and the dependency injection?
Thanks, regards.
9 years, 7 months
KEYCLOAK-1794
by Bill Burke
Angular people take a look at this:
https://issues.jboss.org/browse/KEYCLOAK-1794
I swear this used to work. It looks like the scope within the ng-repeat
inherits from the parent scope instead of the isolated scope of the
directive. I've tried a ton of stuff to no avail...Any ideas?
I'm thinking of pulling out the ng-repeat from the template and doing it
within the actual page. This is the only thing I can think to do at
this time. I'm nervous that the role dialog will now no longer work too.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 7 months
Keycloak Authentication Switch off
by Satyajit Das
Hi Team,
I am using keycloak with tomcat integration along with multi tenancy. I use
Keycloak to secure rest services.
Is there any way to switch off the authentication when it is not required? I don't
want to make any changes to web.xml or the context.xml, which contains the
adapter:
<Context path="/talent-entity-layer">
<Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
I also have a path resolver to resolve the multi-tenancy.
Is there any way to switch off authentication?
Regards,
Satya.
9 years, 7 months