SAML Subsequent login fails with Account disabled error
by Kamal Jagadevan
Hello,
We are using Keycloak 1.9.2 for our authentication flow and SAML interactions (not using SAML adapters), and they are working well in DEV/QA instances. But in the Integration environment we are seeing a strange issue: ONLY the FIRST TIME login works fine. Further logins fail with the following error even though the user is enabled:
"Account is disabled, contact admin."
Is there anything obvious that we have missed? Please advise. Enabling debug log didn't reveal anything other than fetching entities from db. Any inputs to debug further are also welcome.
Setting in Federated Identity - First login flow is set to First Broker Login flow
Settings in First login flow - Disabled Review profile page; the rest of the properties were set to default values. Altering the rest of the fields didn't change the behavior.
Following is the sequence of steps:
- With the help of a static login URL to Keycloak suffixed by the KC_IDP_HINT, Keycloak redirects to the External IDP
- Verified for the SAML request being sent using SAML Tracer.
- External IDP login prompts for username and password.
- After entering credentials, redirected back to Keycloak for getting token but THROWS error "Account is disabled, contact admin"
- Verified the SAML response with Assertion status as success using SAML tracer.
- Verified the user is enabled from the Admin console.
- Verified the user_entity table for the status.
Best
Kamal
8 years, 6 months
Need to add a system dependency path to modules\system\layers\base\sun\jdk\main\module.xml
by Peter Nalyvayko
Hi,
Can somebody shed some light on what generates the module.xml at the location in the subj? I need to add a missing system dependency path to the aforementioned file, but unsure as to where in the source code tree and to which files the changes are supposed to be applied. Right now the contents of the file look like this:

<module xmlns="urn:jboss:module:1.3" name="sun.jdk">
    <resources>
        <!-- currently jboss modules has not way of importing services from classes.jar so we duplicate them here -->
        <resource-root path="service-loader-resources"/>
    </resources>
    <dependencies>
        <module name="sun.scripting" export="true"/>
        <system export="true">
            <paths>
                ...
                <path name="sun.security.XXX.XXX"/> /// <-- Intended changes
                ...
            </paths>
            ....

Regards
Peter
8 years, 6 months
Using provided AccessToken in Keycloak client
by Thomas Darimont
Hello group,
I have the following scenario:
1) An SSO-authenticated User1 calls Service1 (confidential client).
2) Service1 extracts the access token.
3) Service1 performs a remote call to Service2, passing the access token along.
4) Service2 needs to do something in the name of User1 in Keycloak (e.g. set a user attribute, or create a new user).
5) Service2 uses org.keycloak.admin.client.Keycloak to communicate with Keycloak to perform the requested operation.
I want to be able to propagate the access token in service-to-service calls and use the 'org.keycloak.admin.client.Keycloak' client with the provided access token to perform an operation in Keycloak.
Currently 'org.keycloak.admin.client.Keycloak' only supports client credentials and / or password, which it uses to get a refresh token to renew a potentially timed-out access token.
As a PoC I slightly adjusted the Keycloak client to allow for externally provided access tokens:
https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
I think the Keycloak client should also support "call once" scenarios with a provided access token out of the box.
Shall I create a JIRA for this?
Cheers,
Thomas
8 years, 6 months
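The "call once" flow from the message above, sketched against the Keycloak admin REST API directly instead of org.keycloak.admin.client.Keycloak. This is an added example, not code from the post or the linked gist. The host, realm, user id, attribute and token are constructed, the partial attributes body and the Java 11 HttpRequest API are assumptions, and the request is only built, not sent.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ProvidedTokenAdminCall {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    // Reads the exp claim from the JWT payload. No signature check is done here:
    // Service1 validated the token already and Keycloak validates it again on receipt.
    static Instant expiry(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no exp claim");
        return Instant.ofEpochSecond(Long.parseLong(m.group(1)));
    }

    // Service2 side: with a provided token there is no refresh token to renew it,
    // so an expired token fails fast instead of producing a 401 from Keycloak.
    static HttpRequest setAttribute(String base, String realm, String userId,
                                    String token, String name, String value, Instant now) {
        if (!expiry(token).isAfter(now)) throw new IllegalStateException("access token expired");
        // name and value are assumed to be JSON-safe in this sketch
        String body = "{\"attributes\":{\"" + name + "\":[\"" + value + "\"]}}";
        return HttpRequest.newBuilder(URI.create(base + "/admin/realms/" + realm + "/users/" + userId))
                .header("Authorization", "Bearer " + token) // User1's propagated token
                .header("Content-Type", "application/json")
                .PUT(HttpRequest.BodyPublishers.ofString(body))
                .build();
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed, unsigned sample token that expires in 60 seconds
        String payload = "{\"sub\":\"user1\",\"exp\":" + (now.getEpochSecond() + 60) + "}";
        String token = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".";
        HttpRequest req = setAttribute("https://sso.example.test/auth", "demo", "user1-id",
                token, "department", "ops", now);
        System.out.println(req.method() + " " + req.uri());
    }
}
```

Because the call runs with User1's own token, Keycloak authorizes it against the roles in that token, so the operation succeeds only if User1 holds the relevant realm-management role.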
Fwd: Getting CLIENT_NOT_FOUND Exception
by swanand dhawan
---------- Forwarded message ----------
From: swanand dhawan <swananddhawan(a)arvindinternet.com>
Date: Fri, Aug 5, 2016 at 12:09 PM
Subject: Getting CLIENT_NOT_FOUND Exception
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Cc: Anunay Sinha <anunay.sinha(a)arvindinternet.com>
Hello,
I am getting the following error frequently in my logs:
*ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-22) Failed client authentication: CLIENT_NOT_FOUND: org.keycloak.authentication.AuthenticationFlowException*
I am attaching the log file with the error.
Please help in fixing this error.
--
Thanks & Regards,
Swanand Dhawan
8 years, 6 months
Keycloak 2.1.0.CR1 released
by Marek Posolda
Keycloak 2.1.0.CR1 has just been released. The final release will follow next week if no major issues are reported. A few highlights of this release:
* *Password Policy SPI* - Now it's possible to plug in your own implementation of password policy. This is useful if the available built-in policies are not sufficient for you.
* *Jetty 9.3 adapter* - Allows you to secure your applications deployed on a Jetty 9.3 server.
* *Authorization fixes & improvements* - There are lots of fixes and improvements in authorization services, which were recently added in the 2.0 release. It is really worth checking this out and eventually providing us some feedback.
* *Better OpenID Connect interoperability* - There are lots of minor fixes related to OpenID Connect support.
For the full list of issues resolved check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
and to download the release go to the Keycloak homepage
<http://blog.keycloak.org/www.keycloak.org/downloads>.
8 years, 6 months