Accessing KeycloakDeployment from KeycloakSecurityContext
by Thomas Raehalme
Hi!
At the moment KeycloakDeployment is accessible from
RefreshableKeycloakSecurityContext, but not from its superclass
KeycloakSecurityContext. Is there a reason why the deployment cannot be
accessed through the base class?
When using KeycloakConfigResolver it would simplify things if one could
access the deployment context from the security context.
Best regards,
Thomas
9 years, 6 months
Keycloak Pentaho Integration
by Shankar_Bhaskaran
Hi,
I want to integrate SSO with the Pentaho 6 BI server. On checking with the Pentaho team, they informed me that: If Keycloak can authenticate a visitor via a web service, you can write Spring Security based Pentaho extensions to authenticate using Keycloak. Again, they don't directly support Keycloak, but they can give information about how to switch to a web services based authentication and authorization system.
Does Keycloak authenticate a user via a web service? If so, could you direct me to the documentation?
Regards,
Shankar
9 years, 6 months
Help with Integration on Spring App on Tomcat 7
by Pawan Thakur
Hello All,
I am new to Keycloak and am trying to integrate it with a very basic two-page application to understand the workings and integration basics.
Environment:
1. Keycloak 1.7.1.Final standalone
2. A Basic Spring Application deployed on Tomcat 7
What I have referred:
http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html_single/ind...
Tutorial Videos from Youtube Basic 1 and 2
Issues I am facing:
When I set auth-method to KEYCLOAK
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>KnowledgeFlux</realm-name>
</login-config>
I get the following error
Jan 06, 2016 2:12:58 PM org.apache.catalina.startup.ContextConfig authenticatorConfig
SEVERE: Cannot configure an authenticator for method KEYCLOAK
Jan 06, 2016 2:12:58 PM org.apache.catalina.startup.ContextConfig configureStart
SEVERE: Marking this application unavailable due to previous error(s)
When I set auth-method to BASIC
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>KnowledgeFlux</realm-name>
</login-config>
The application runs fine but doesn't authenticate, even though the user is able to log in to the Keycloak realm's account.
What my files look like:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         id="WebApp_ID" version="3.0">
    <display-name>Archetype Created Web Application</display-name>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CloakTest</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>KnowledgeFlux</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>User</role-name>
    </security-role>
</web-app>
keycloak.json
{
    "realm": "KnowledgeFlux",
    "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAggGsu2SLSsgi7WmVb4O2HGQX7CjcZQG3+LK0Ael6ErNf3dsv4eAR7dTw7OP3hSl57ByCuX5srFFnOMQR+WrjGFv6osaabzRAqYgfKF9H0dIuBLDfFcohGG1EIWh6jVn+jifflnEw7kbycKlXypuvrev7FXi0v1/8Iy/VPdRk+iVgSSIwU/InNPOrodVF/CV6p9VcPqGbDcOSdC0gu6kUA8S4Y6zVRtszlBD3g07p8QhkjoUeKHgHAT0CeCpLoe57ud9iTPTpX0iBnDCysJOQYK3FGAiz6Z9C/puolcrUIcuiasM6Z9bgglNTFvZCbk/XSDGTFKqkJGdcraeVdbQx3wIDAQAB",
    "auth-server-url": "http://localhost:8080/auth",
    "ssl-required": "external",
    "resource": "CloakTest",
    "public-client": true
}
META-INF/context.xml
<?xml version="1.0"?>
<Context path="/CloakTest">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
Note: the application's name is CloakTest and I am using the same name for the client; my realm's name is KnowledgeFlux.
I have googled for similar issues with no luck, and I have been stuck here for a while.
Please assist.
P.S. Sorry for the essay but I added as much detail as I thought would be necessary.
Thanks,
Pawan
9 years, 6 months
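The keycloak.json above pins the realm's public key, so the adapter will only trust tokens signed by that key, and "ssl-required": "external" means HTTPS is only demanded for requests that do not come from loopback or private addresses. The following is an added example, not code from the post or from Keycloak, that decodes the pinned realm-public-key (a base64 X.509 SubjectPublicKeyInfo) with a minimal DER reader to report the RSA modulus size and exponent, and lists the settings a reviewer would flag before this file leaves a developer laptop. The thresholds and finding texts are this example's own choices.

```python
import base64
import json

# The keycloak.json from the post above, embedded so the check runs offline.
KEYCLOAK_JSON = """{
  "realm": "KnowledgeFlux",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAggGsu2SLSsgi7WmVb4O2HGQX7CjcZQG3+LK0Ael6ErNf3dsv4eAR7dTw7OP3hSl57ByCuX5srFFnOMQR+WrjGFv6osaabzRAqYgfKF9H0dIuBLDfFcohGG1EIWh6jVn+jifflnEw7kbycKlXypuvrev7FXi0v1/8Iy/VPdRk+iVgSSIwU/InNPOrodVF/CV6p9VcPqGbDcOSdC0gu6kUA8S4Y6zVRtszlBD3g07p8QhkjoUeKHgHAT0CeCpLoe57ud9iTPTpX0iBnDCysJOQYK3FGAiz6Z9C/puolcrUIcuiasM6Z9bgglNTFvZCbk/XSDGTFKqkJGdcraeVdbQx3wIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "CloakTest",
  "public-client": true
}"""


def _der_tlv(buf, pos):
    """Read one definite-length DER tag/length/value starting at buf[pos].
    Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_params_from_spki(b64_spki):
    """Parse a base64 SubjectPublicKeyInfo (the realm-public-key format) and
    return (modulus_bits, public_exponent)."""
    der = base64.b64decode(b64_spki, validate=True)
    tag, spki, _ = _der_tlv(der, 0)                  # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _tag, _alg, pos = _der_tlv(spki, 0)              # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _der_tlv(spki, pos)             # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsa_pub, _ = _der_tlv(bitstr, 1)            # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = _der_tlv(rsa_pub, 0)
    tag_e, e_bytes, _ = _der_tlv(rsa_pub, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("not an RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def audit_adapter_config(text, min_bits=2048):
    """Return the findings a reviewer would raise for a keycloak.json adapter file."""
    cfg = json.loads(text)
    findings = []
    bits, e = rsa_params_from_spki(cfg["realm-public-key"])
    if bits < min_bits:
        findings.append(f"realm-public-key is only {bits} bits (want >= {min_bits})")
    if e < 3 or e % 2 == 0:
        findings.append(f"unusual RSA public exponent {e}")
    ssl = cfg.get("ssl-required", "external")       # Keycloak's default is "external"
    if ssl != "all":
        findings.append(f'ssl-required is "{ssl}"; only "all" forces HTTPS for every request')
    if cfg.get("auth-server-url", "").startswith("http://"):
        findings.append("auth-server-url uses plain http")
    return findings


def posted_key_params():
    """Key size and exponent of the key pinned in the posted keycloak.json."""
    return rsa_params_from_spki(json.loads(KEYCLOAK_JSON)["realm-public-key"])


if __name__ == "__main__":
    print("pinned key:", posted_key_params())
    for finding in audit_adapter_config(KEYCLOAK_JSON):
        print("finding:", finding)
</test>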
Control over audience parameter in JWT token
by Erik Mulder
In the JWT token there is a field 'aud', or audience, whose function is to state for which client(s) the token is intended.
Currently (TokenManager:433) this is set to the client id:
token.audience(client.getClientId());
This seems fine in general, but we would like to have a token with multiple entries in the audience field. This is possible, and an array value is even claimed to be the 'general case': https://tools.ietf.org/html/rfc7519#section-4.1.3 (where one single value is the 'special case').
Background is that we have a Keycloak running for a login of a frontend that talks to multiple different resource servers. We'd prefer to use one token for all of those resource servers. The resource servers use Spring Security, which explicitly checks that the 'name' you give to your Spring service is matched by (a value of) the audience field of the JWT token. So now we have to give all resource servers the same 'name', which doesn't feel right.
So we need some way to influence the value of the audience field. This could be achieved by following this RFC: https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00 which suggests including a parameter in the request for the token. But that RFC does not consider multiple values for the audience. Another option would be to add an audience field in the settings of a Client in Keycloak, which would, if set, define the audience field of the JWT token. This could be a comma-separated string value that would translate to a JSON array. A question about this could be: 'then where to leave the client id?'. As suggested by this: https://stackoverflow.com/questions/32013835/client-id-or-multiple-audien... the best place to put the client id is in the 'azp' field (authorized party).
Does the Keycloak team see this as a valuable addition? Will it be implemented somewhere in the future? Or can we make a pull request ourselves that will be merged?
Thanks, Erik
9 years, 6 months
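The post describes two things a resource server must get right: accepting 'aud' in both forms RFC 7519 allows (a single string or an array of strings) and treating 'azp' as the client the token was issued to rather than as an audience. The example below is added here and is not Keycloak code or the poster's Spring Security configuration. It mints a token signed with HS256 and a shared secret (Keycloak signs with the realm's RSA key; the HMAC stand-in only keeps the example self-contained), then shows which of three constructed resource-server names ("orders-api", "billing-api", "frontend") would accept it, and that rewriting 'aud' without re-signing is rejected.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Keycloak uses RS256 with the realm key; a shared HMAC key
    is used here only so the example needs no key material to run."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    parts.append(_b64url(hmac.new(key, signing_input, hashlib.sha256).digest()))
    return ".".join(parts)


def audience_matches(aud, expected: str) -> bool:
    """RFC 7519 section 4.1.3: 'aud' is a single string (special case) or an array
    of strings (general case). Anything else, including a missing claim, is rejected."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return any(isinstance(entry, str) and entry == expected for entry in aud)
    return False


def verify_for_resource_server(token: str, key: bytes, my_name: str, now: int) -> dict:
    """What each resource server should do: check signature, expiry and that it is
    named in 'aud'. 'azp' is informational (which client obtained the token) and is
    deliberately not consulted for the audience decision. Raises ValueError on failure."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = pieces
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":            # pin the algorithm you expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if not audience_matches(claims.get("aud"), my_name):
        raise ValueError(f"token not intended for {my_name}")
    return claims


def accepted_by(token: str, key: bytes, servers, now: int) -> dict:
    """Map each resource server name to whether it would accept the token."""
    result = {}
    for name in servers:
        try:
            verify_for_resource_server(token, key, name, now)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


def forge_audience(token: str, new_aud) -> str:
    """Rewrite 'aud' in the payload but keep the original signature: the forgery
    the signature check exists to reject."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(p_b64))
    claims["aud"] = new_aud
    return ".".join([h_b64, _b64url(json.dumps(claims, separators=(",", ":")).encode()), s_b64])


if __name__ == "__main__":
    KEY = b"demo-shared-secret"                # constructed for this example
    NOW = 1_452_000_000
    token = issue_hs256({"azp": "frontend", "aud": ["orders-api", "billing-api"],
                         "exp": NOW + 300}, KEY)
    print(accepted_by(token, KEY, ["orders-api", "billing-api", "frontend"], NOW))
    print(accepted_by(forge_audience(token, "frontend"), KEY, ["frontend"], NOW))
```

Note that "frontend" is rejected even though it appears in 'azp': the authorized party is who asked for the token, not who may consume it, which is exactly the separation the post proposes.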
Additional Required functionalities
by Satyajit Das
Hi Team,
Can you please incorporate the functionalities below in subsequent
releases.
1) Bulk user creation via RESTful services (for a particular realm)
2) Reset password / forgot password functionality for a particular user via
RESTful services.
3) Social network ID registration and login via RESTful services, e.g. Google
or Facebook registering to Keycloak.
Regards,
Satya.
9 years, 6 months
Release notes for the next release
by Thomas Raehalme
Hi!
My pull request #1945 [1] was merged yesterday, that's great!
Since the changes may break backwards compatibility I suggest something
like the following is added to the release notes regarding the Spring
Security adapter:
The AdapterDeploymentContextBean has been replaced with
AdapterDeploymentContextFactoryBean which is a Spring BeanFactory
implementation for AdapterDeploymentContext. The constructor accepts either
a Resource to specify where the keycloak.json resides (as before), or a
KeycloakConfigResolver which will then resolve the configuration at
runtime.
[1] https://github.com/keycloak/keycloak/pull/1945
Best regards,
Thomas
9 years, 6 months
Configurable User Federation Providers
by Thomas Darimont
Hello list and happy new year!
I'm implementing a custom org.keycloak.models.UserFederationProviderFactory
which should be configurable via the Keycloak admin console.
The possible configuration options are currently specified via the "Set<String>
getConfigurationOptions()" method of the UserFederationProviderFactory interface.
Since the "Set<String>" only describes the raw option names, there seems to
be no way to specify custom labels, help texts, default options, etc.
It would be great if it were possible to configure custom Keycloak
federation provider factories like a custom ConfigurableAuthenticatorFactory.
For the latter one can specify a list of configuration options
via the "List<ProviderConfigProperty> getConfigProperties()" method on the
"org.keycloak.provider.ConfiguredProvider" interface.
"org.keycloak.provider.ProviderConfigProperty" has name, label, helptext,
type and defaultValue, which is all I need.
It seems that currently
"org.keycloak.services.resources.admin.UserFederationProvidersResource.getProvider(String)"
isn't aware of the "ConfiguredProvider" interface. I guess making it aware
of ConfiguredProvider with some additional UI tweaks should do the trick.
What do you guys think?
Cheers,
Thomas
9 years, 6 months
Allow TOTP issuer name to be set in the admin console?
by Cory Snyder
Hey guys,
Currently the TOTP issuer is just set to the name of the realm. Since the issuer name is the heading of the entry that appears in the Google Authenticator app, we’d love to be able to customize the issuer name in the admin console. Would this be reasonable? Can I create a ticket?
Thanks,
Cory Snyder
9 years, 6 months
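The issuer the post wants to customize lives in the otpauth:// key URI encoded in the enrolment QR code, where it appears both as the prefix of the label and as the issuer query parameter; authenticator apps use it as the heading of the entry. The following is an added example, not Keycloak's OTP code, that generates that URI and the RFC 6238 TOTP codes an authenticator would produce for it, using the defaults assumed here of 6 digits, a 30-second period and HMAC-SHA1, with a constant-time verifier that tolerates one step of clock drift. The realm name "KnowledgeFlux" and account "alice" are constructed inputs; the test secret is the RFC 6238 reference secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP = HOTP over the time step floor(at / period)."""
    return hotp(secret, at // period, digits, algo)


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """Key URI that the enrolment QR code encodes. The issuer is carried twice: as the
    label prefix ("issuer:account") and as the 'issuer' parameter. Authenticator apps
    show it as the heading of the entry, which is what the post wants to control."""
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    params = urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": period,
    }, quote_via=quote)                      # percent-encode spaces as %20, not '+'
    return f"otpauth://totp/{label}?{params}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                digits: int = 6, period: int = 30, algo=hashlib.sha1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps,
    comparing in constant time so a wrong code leaks nothing through timing."""
    return any(
        hmac.compare_digest(totp(secret, at + k * period, digits, period, algo), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"         # RFC 6238 reference secret
    print(otpauth_uri("KnowledgeFlux", "alice", secret))
    print(totp(secret, 59), totp(secret, 59, digits=8))
```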
Login Rest Service Service Delay
by Satyajit Das
Hi Team,
We are using the login RESTful service of version 1.4.0.Final.
Sometimes the login takes quite some time (around 15 seconds) to fetch the
token id given back by the login service.
Subsequent calls to the login REST service take very little time (75 milliseconds).
This is completely random behavior.
Kindly let me know how to overcome this issue.
Below is a snapshot of the token timeouts.
[image: Inline image 1]
Regards,
Satya.
9 years, 6 months