January 2018 - keycloak-dev - Jboss List Archives

Returning "attempted" status inside alternative sub-flow

by Michael Olney

Hi, I have two sub-flows set up as follows: Subflow 1 - Alternative Execution 1 - Required Subflow 2 - Alternative Execution 2 - Required Execution 1 is runs a custom authenticator that does the following: 1. Issues a challenge 2. Returns ATTEMPTED status The resulting behaviour is that the whole flow fails. I was expecting a jump to Subflow 2, which is what happens if the authenticator returns ATTEMPTED without first issuing a challenge. Is this a bug? I thought that perhaps REQUIRED might apply to the whole flow rather than to a particular sub-flow, but I couldn't find an explicit clarification in the documentation. However, this scenario was mentioned in passing on this list before: http://lists.jboss.org/pipermail/keycloak-dev/2016-May/007241.html The behaviour seems to originate in `org.keycloak.authentication.DefaultAuthenticationFlow.processResult`. Regards, Michael ********************************************************************************************** Important Note This email (including any attachments) contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient you must not use, distribute or copy this email. If you have received this email in error please notify the sender immediately and delete this email. Any views expressed in this email are not necessarily the views of IRESS Limited. It is the duty of the recipient to virus scan and otherwise test the information provided before loading onto any computer system. IRESS Limited does not warrant that the information is free of a virus or any other defect or error. **********************************************************************************************

7 years, 12 months

1
0
0 / 0

PRs for 7.2 and Keycloak 4.x

by Stian Thorgersen

Keycloak, Node.js and documentation are all forked for 7.2. It's to late to update code now unless it's a blocker for the release. In that case let me know asap. For documentation we can update, but that means PR to master and 7.2.x branch in private repo. Any docs changes to 7.2 has to be approved by Matthew and Pavel prior to merging. Master (except quickstarts, see below) is open for 4.x development. One thing to note here is that we have now started the review process so all PRs have to be reviewed. The general rule one jira, one commit and one PR applies. Also, only complete work including test and docs should be accepted. For quickstarts master is still aiming 7.2. So send changes to master. If it's only for 4.x hold off for now! Same rule applies any changes to quickstarts now need approval of me and Pavel before merging.

8 years

1
0
0 / 0

User prinicipal name with multiple backend MSAD servers

by Mariusz Godlewski

Hello, I'm considering deployement of Keycloak serving as an OAuth2 / Open ID provider for users managed in multiple MS Active Directory and Active Directory Lightweight services. For internal desktop users Kerberos should be used to prevent credentials re-entry following log-on to domain-joined computer. The tricky part is that usernames are considered to be unique only withing single AD domain, so username 'godlewsm' can exists both in Kerberos realm ACMEPL.LOCAL AND ACMECZ.LOCAL. For LDAP storage provider ( https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main... ) there is assumption that only username part of principal name would be used further, which prevents distinguishing accounts properly. Is there plan to change this behaviour or the only way would be implement a custom UserStorageProvider based on LDAPStorageProvider ? Best regards, Mariusz Godlewski

8 years

2
1
0 / 0

Trojan in Keycloak Javascript Adapter?

by Ariel Carrera

Hi, I have downloaded Keycloak Javascript Adapter from http://www.keycloak.org/downloads.html and when it is done a Windows Defender's popup alerts about a Trojan inside. Windows Defender info: adapter file: keycloak-js-adapter-dist-3.4.2.Final.zip trojan name: Trojan:JS/Jorv.A!cl file: keycloak-js-adapter-dist-3.4.2.Final/keycloak.min.js Am I the only one with this problem? Thanks, -- Ariel Carrera

8 years

3
6
0 / 0

Hot or Rolling upgrade

by Brian Towles

Howdy all, I was wondering if there is any advice on how to do a rolling upgrade of Keycloak, or any mechanism to maintain a running instance while upgrading? Ive seen the docs here (http://www.keycloak.org/docs/latest/upgrading/index.html) and they all ha type installs say that "all instances must be upgraded at the same time." Any hints or pointers would be great. Thanks -=Brian -- *Brian Towles* | Software Engineer t. (512) 415- <0000000000>8105 e. btowles(a)cloudera.com <jond(a)cloudera.com> cloudera.com <http://www.cloudera.com/> [image: Cloudera] <http://www.cloudera.com/> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> ------------------------------

8 years

3
3
0 / 0

Keycloak Database Table Overview

by Thomas Darimont

Hello, I just needed an overview of the current Keycloak Database schema, so I quickly generated a svg diagram (1MB) with IntelliJ / DataGrip. Perhaps someone might find this useful. See: https://gist.github.com/thomasdarimont/b1c19da5e8df747b8596e6ddcda7e36f Cheers, Thomas

8 years

1
0
0 / 0

Keycloak Proxy & X-FORWARDED-PROTO

by Rory Hart

I may have found a bug (or lack of feature?) in the proxy. I'm running the proxy behind a AWS load balancer which is handling HTTPS but the redirect urls that the proxy is generating are HTTP. While this isn't blocking usage as HTTP is redirected to HTTPS it is a small security hole that I would like to close. Is this something wrong with the proxy, a feature that needs to be worked on or out of scope of the proxy all together and I should be asking another team? (undertow?) Thanks Rory Hart

8 years

2
2
0 / 0

Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter

by Thomas Darimont

Hello folks, I played a bit with the undocumented? [0] keycloak-installed adapter [1] for integrating desktop applications with Keycloak SSO and found some issues with it, which I'd like to share. Small explanation for those who are reading the list but don't know the adapter... [2] First some general notes / suggestions: Is the keycloak-installed adapter something that will stay in keycloak or was this just a PoC? In the former case I think there are some things that could be improved or extended a bit: - Allow users to customize the locale used for the login pages opened by the adapter - Provide customizable response templates (perhaps by leveraging a provided ResourceBundle) - Allow to customize pages shown after login / logout served by the keycloak-installed adapter - Add support for TLS (with custom certificates) for https:// with localhost I noticed that some browsers (e.g. Chrome) show an error page when trying to redirect to the local mini-webserver after a successful login since the mini-webserver (...server-socket) embedded in the adapter doesn't respond with a valid HTTP response. With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome). My current modifications of the keycloak-installed adapter (with HTTP response fixes and response customizations) are here: https://github.com/thomasdarimont/keycloak/commit/b8ee52a946e73503b1737f5... An extended example (using the the modified keycloak-installed adapter) can be found here: https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1 WDYT? Cheers, Thomas [0] Not mentioned here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java... [1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed [2] For those that haven't seen the adapter yet, it allows to authenticate against Keycloak from a desktop app (e.g. swing, javafx) by opening a desktop browser window where a user uses the regular keycloak login pages to login. The trick is now that login page is opened with redirect URL that points to a small local "web server" (server-socket) on a free ephemeral port which is started by the adapter. After logging in the mini web-server receives performs the authenorization code flow and eventually receives the tokens (access_token, refresh_token, id_token) which can then be used to call backend services from the client or retrieve new tokens A nice side effect of this is, that the desktop application never sees a users password and one can leverage existing SSO sessions. Btw. the google cloud cli uses the same approach to authenticate with gcp. The Keycloak repo contains a small example for this: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...

8 years

4
13
0 / 0

Keycloak 3.4.3.Final released

by Stian Thorgersen

http://blog.keycloak.org/2018/01/keycloak-343final-released.html

8 years

1
0
0 / 0

Re: [keycloak-dev] Migrating Keycloak to AWS environment

by Kalidindi, Sai Soma Kala

Hi, Our backup product is using Keycloak for SSO. We are migrating all our users to a new instance of keycloak in AWS environment. One of the requirement is all the existing clients which is an agent on the user box running in background which does backup, should not see any re-authentication or login window from their end after migration . User initially login when they have first installed our product and they never see any login any more(our client is non-intrusive, most users don't ever remember the login ), we just refresh every 15 minutes get new set of tokens and so on... and it works for us. We have tested locally where we have migrated the present keycloak database to our new keycloak aws instance just by using pg_dump and restore command for database of keycloak and we made sure the realm, redirect urls , client secrets are exactly same. We are assuming if everything is exactly the same refresh tokens should still workand we can avoid the login screen. Is this right assumption? In our test what we have found is, we made a DNS swap where the client initially going the old env gets routed to our new keycloak aws instance(We did CNAME change on the old env to route traffic to new environment ). The reason for this Is to make sure our redirect url does not change and the client could still talk to same old urls it is aware of. Long story short, old key cloak env and new key cloak env has exactly same of everything...What we have seen is that the client which is initalliay pointing to the old env, after the migration and after doing the DNS switch the old tokens still work on new environment. Once we remove the switch and when the clients go back to old env the tokens still work. Is this a bug or is this expected? Thanks, Sai.

8 years

3
4
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2018