Keycloak REST API Authenticator
by Quynh Nhat Nguyen
Hi,
I want to implement a REST API as one of Keycloak's authenticators.
Specifically, when a user authenticates with Keycloak, Keycloak will
contact the REST API to request an authentication decision, for example
the PrivacyIDEA REST API server (https://www.privacyidea.org/).
I would appreciate any feedback, and advice on this proposal!
Thank you.
6 years, 6 months
disable GitLab provider? Feedback desired
by Bill Burke
Seems that GitLab tokens take a little bit to propagate. Our GitLab
identity provider will get a 401 error when it calls the GitLab user
info service intermittently. This is solved by putting in a 1 second
delay. Seems like a hack. Should we just not provide GitLab social
login?
Thanks,
Bill
--
Bill Burke
Red Hat
6 years, 6 months
Compression of Token Claims
by Muehlburger, Herbert
Hi,
Does Keycloak compress token claims before base64 encoding? I have a custom claim that might get big. I'd like to always compress this claim, but I'm not sure if this is already done by Keycloak.
Best,
Herbert
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
6 years, 6 months
RequiredActionEmailVerificationTest failures
by Bill Burke
I still can't figure out why my build isn't running. I cloned fresh
from master and RequiredActionEmailVerificationTest is failing (I
think) when sending any email. I get read timeout errors on login
submit, but no other errors.
Anybody else seeing failures in RequiredActionEmailVerificationTests?
--
Bill Burke
Red Hat
6 years, 6 months
master failing build?
by Bill Burke
I pulled latest in fresh copy of master and a ton of tests are
failing. I'll take a look tomorrow if Europeans don't get there
first.
--
Bill Burke
Red Hat
6 years, 6 months
405 on importing a realm
by Kishan Sagathiya
Hi,
I am getting '405 Method Not Allowed' when trying to create a realm using
Keycloak's admin REST API.
Following is the command that I am running:
curl -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" \
  -d 'rep=$CONTENT_OF_THE_JSONFILE' -D- -X POST \
  "http://mykeycloakurl.com/auth/admin/realms/master"
Is this the right way?
6 years, 6 months
server-config-migration
by Vlasta Ramik
I'm working on rewriting the server-config-migration tests. Currently
wildfly-maven-plugin is used, which does the migration in online mode.
I've redone this using the exec plugin, and the migration is done in offline
mode.
My question is how we should handle changes that are made to
standalone.xml (or standalone-ha.xml, etc.) between different versions
of WildFly. It is out of Keycloak's scope, but according to the migration
guide [1], users are supposed to replace the default version (current) of
the config with the previous version.
As far as I was able to find out, WF uses a tool [2] for migration. There
is no migration from WF10 to WF11.
Should it be somehow incorporated into our migration scripts?
If not, then the migration guide should be updated with the supported
migration steps.
[1] http://www.keycloak.org/docs/latest/server_admin/topics/MigrationFromOlde...
[2] https://github.com/wildfly/wildfly-server-migration/releases
6 years, 6 months
Re: [keycloak-dev] KEYCLOAK-5032 - Pull Request
by carl-kristian.eriksen@telia.no
Hi.
Thanks. Everything seems ok now.
The commit now includes forwarding of acr_values and prompt. The nonce work has been removed from the commit.
Could any of you give it a review and merge it?
Carl Kristian Eriksen
From: Marko Strukelj <mstrukel(a)redhat.com>
Date: Tuesday 3 October 2017 at 12:37
To: "Eriksen, Carl Kristian K. /External" <carl-kristian.eriksen(a)telia.no>
Cc: Bill Burke <bburke(a)redhat.com>, keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] KEYCLOAK-5032 - Implementation question
CI uses extra options. Try running your tests with -Pauth-server-wildfly. That usually exposes extra issues.
On Mon, Oct 2, 2017 at 1:34 PM, <carl-kristian.eriksen(a)telia.no> wrote:
The second commit in the PR failed the CI build, but the tests do not fail locally.
Do you have any suggestions on how to handle this?
Carl Kristian Eriksen
On 29/09/17 16:41, "keycloak-dev-bounces(a)lists.jboss.org on behalf of carl-kristian.eriksen(a)telia.no" wrote:
Hi.
I’ll follow up on the PR.
Br / mvh
Carl Kristian Eriksen
On 29/09/17 15:50, "Bill Burke" <bburke(a)redhat.com> wrote:
Do you want to continue talking on the PR or here? I had some
concerns with your PR.
On Wed, Sep 27, 2017 at 5:45 AM, <carl-kristian.eriksen(a)telia.no> wrote:
> https://issues.jboss.org/browse/KEYCLOAK-5032 describes two requested query parameters: acr_values and nonce
>
> Our requirements are for acr_values and prompt, and I’m working on a pull request for these two.
>
> How many pull requests do you want?
> Should I make sure that (each) PR includes support for one, two or three query parameters?
>
> Can the “prompt” parameter be added to KEYCLOAK-5032, or do I need another Jira task for the “prompt” parameter?
>
> Br / mvh
> Carl Kristian Eriksen
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
Red Hat
6 years, 6 months
LDAP with Kerberos, login with different user
by Jože Mlakar
We are considering implementing this feature.
The feature requires Keycloak to allow the user to log on as another user even if Kerberos works.
The user scenario is twofold:
* Have an admin hold two accounts (normal with Kerberos and elevated using username/pass) and switch between them
* Have a user logged on using Kerberos when another user visits and wants to log on as himself without logging on to the computer.
The feature would be implemented via a new query parameter (i.e. skipAuthMechanism=cookie,kerberos) that would allow the client to skip certain methods of authentication.
I would like to make sure such a PR would not be rejected as work would have been wasted.
6 years, 6 months