This is Shiva. I am keen to know about contributing to Keycloak,
for example fixing a bug in JIRA, i.e. how/where to request pushing
the bug fix upstream, etc. Eagerly waiting for the reply.
We are using version 1.9.8 of Keycloak. We have a few customers who have integrated their identity providers like ADFS, Okta, LDAP ... with our Keycloak and it works. Lately we are seeing the error message below after their successful initial login; this happens to a couple of users once in two weeks or so. When they try to log in they see the error "User with user name XXXX already exists. How do you want to continue?". Initially it used to happen once in a few months; at that time, I would go to the user_entity table in Keycloak and delete the entry with this username, and then when the user tried to log in, it worked and the entry got re-created. This is our fix for now: every time any user hits the above error, I delete the entry from the user_entity table.
Lately it has been happening once every few days, and we are trying to find a permanent fix for this. I would like to understand why this is happening after a series of successful logins by the same user. We are using an old version of Keycloak; does upgrading to the latest version solve this issue? Any recommendation or help on the above error is greatly appreciated.
I'd like to contribute to Keycloak. I've read the
but I still don't know how to start. I don't have any specific issue or
problem that I'd like to fix. In the JIRA
(https://issues.jboss.org/projects/KEYCLOAK/issues) I see that there are
a lot of open issues, but I'm not sure whether I can start working on anything
that suits me. Can somebody point me in the right direction?
Hi Keycloak developers,
my name is Marco and I am currently working on a Keycloak-based user management solution for our company and have the following requirement:
We implemented a native One Time Password (OTP) login for our app. That means a user can log in using an email address or a mobile number.
After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow.
During login we check whether the user already exists. If not, we guide him to a registration page. This check is implemented using Keycloak's admin REST API.
We search for a user by email. It must also be possible to search by phone number, because this attribute could also be used for login, as already mentioned.
We added a custom attribute "mobile" to the user, but the REST API does not allow searching for custom attributes.
The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user.
Currently Keycloak only offers a field for email, but no phone number.
Therefore we want to extend the user profile with a phone number. Would you accept such a pull request?
Implementation of artifact binding (JIRA KEYCLOAK-831)
Last week I did a PoC implementation of the SAML artifact binding in a branch off keycloak 4.3.0.Final. The implementation can be seen here at https://github.com/AlistairDoswald/keycloak/tree/projectathon (don't judge me too harshly for the quality of the code if you look at it, I had about 2 days to have a working implementation, which included finding out how that part of the protocol worked).
However, I now want to write a "correct" implementation against keycloak/master and if possible I'd like some feedback/advice on my intended implementation.
1. General implementation
From the description in the SAML specification (see section 3.6 here: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf), artifact binding can be used for transmitting the request message, the response message or both.
Initially, I intend only to do the implementation for the response messages. If I'm not mistaken, this means only for the Response and LogoutResponse messages. Would this be considered a suitable implementation of the JIRA?
2. User interface
When a SP requests an artifact, it can do so by specifying HTTP-Artifact instead of HTTP-POST or HTTP-redirect, and the process is then transparent with regard to the configuration of the client. However, I believe that the client should have a "Force artifact binding" binary slider and also a field to specify an artifact binding address. In this manner, the artifact binding can be used in conjunction with the IdP initiated login method.
Importing must also set the artifact binding address if it is present in the SP metadata.
3. IdP metadata
IdP metadata must contain at least one ArtifactResolutionService, I intend to have only one, with its index set to 0 and isDefault=true, and the binding set to the same address as the HTTP-POST (as for ECP)
4. Sending an artifact instead of the normal saml message
This is the section for which I have the greatest uncertainty with respect to a correct implementation.
Broadly this means intercepting the output response, and sending a 302 redirect or a POSTed form with the artifact instead. Considering the length of the artifact, I see no reason to use a form, but should this be an option in the GUI?
More practically, this means generating the response, saving it in the cache, and sending the redirect (or form) instead. I believe that the client's cache would be the best place to save this information (through the AuthenticatedClientSessionModel to be precise), but I'm not certain because it's the first time I'm seeking to store some new information in the cache. The key would be the artifact, and the value in my view should be the document, as that way we can create a complete signed/encrypted ArtifactResponse containing the Response or LogoutResponse.
For the implementation details I'm not sure if it would be best to make the changes directly in the SamlProtocol class, or to do something similar to the SamlECPProfileService which overrides the methods of the SamlProtocol. For SamlECPProfileService the current implementation makes sense, but for artifact binding I fear there would be significant code duplication (of course, I could also do a mix with some small modifications in the SamlProtocol class and a SamlArtifactProfileService, or something similar).
For triggering this artifact workflow, it would either be if the AuthnRequest has a ProtocolBinding set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact, or if the client has "force artifact binding" set to true.
5. Receiving an ArtifactResolve message
For this part, my current implementation seems correct to me: the soapBinding method in class SamlService is modified to check the contents of the soap message arriving: if it is an ArtifactResolve, the corresponding ArtifactResponse generated earlier is packaged in a soap message and sent as a response. If not, the ECP profile is tried.
The key-ArtifactResponse pair is removed from the cache during this operation. I am, however, not sure yet how the cache should handle purging of expired ArtifactResponse messages that are never asked for.
6. Errors, logging and audit
Obviously, the error handling should work as described in the protocol, but also be logged as such. I don't think there's any messages to log in INFO, but the DEBUG logs should show the messages and allow an admin to easily put the entire sequence together.
Also, I don't think there's any need for any extra information in the audit logs.
Obviously, I'll have to add some tests for these functions, which should be:
- Standard unit tests for individual functions that can be separated from objects that would otherwise have to be mocked
- Tests with arquillian to test the flow with artifact binding (sp initiated and idp initiated), the options available in the GUI (extra field, forced) as well as the error cases (i.e. asking twice for the same artifact, for an artifact that doesn't exist, etc...).
If you have any comments (anything missing, things that should be implemented differently in your view, etc...) feel free to let me know.
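As an added illustration of the pieces discussed in sections 4 and 5 above (this is not Keycloak's code nor Alistair's branch, and it is written in Python rather than Keycloak's Java): the example builds and parses the one artifact format defined in the SAML 2.0 Bindings spec, section 3.6.4 (type code 0x0004, a 2-byte endpoint index, a 20-byte SourceID that is the SHA-1 of the issuer's entity ID, and a 20-byte random message handle), assembles the HTTP-Artifact redirect that carries it in the `SAMLart` query parameter, and keeps the generated response in a one-shot store that deletes an entry when it is resolved and purges entries whose TTL has expired, which is the open question in section 5. The entity ID, ACS URL, TTL and the `ArtifactStore` class are assumptions chosen for the example.

```python
import base64
import hashlib
import os
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# SAML 2.0 Bindings 3.6.4: the only artifact format defined for SAML 2.0 has type code 0x0004.
TYPE_CODE = b"\x00\x04"
ARTIFACT_LEN = 2 + 2 + 20 + 20  # TypeCode || EndpointIndex || SourceID || MessageHandle


def source_id_for(issuer_entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuer's entity ID (3.6.4.2)."""
    return hashlib.sha1(issuer_entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id: str, endpoint_index: int = 0,
                   handle: Optional[bytes] = None) -> str:
    """Return the base64-encoded artifact. `handle` is only injectable for tests;
    production callers must leave it None so a fresh random handle is drawn."""
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("endpoint index must fit in two bytes")
    if handle is None:
        handle = os.urandom(20)  # the handle is the only unguessable part; keep it random
    if len(handle) != 20:
        raise ValueError("message handle must be exactly 20 bytes")
    raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id_for(issuer_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Split an artifact into (endpoint_index, source_id, handle), rejecting malformed input."""
    raw = base64.b64decode(artifact, validate=True)  # binascii.Error is a ValueError subclass
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("artifact must decode to %d bytes" % ARTIFACT_LEN)
    if raw[:2] != TYPE_CODE:
        raise ValueError("unsupported artifact type code")
    return int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44]


def belongs_to_issuer(artifact: str, issuer_entity_id: str) -> bool:
    """An SP uses SourceID to pick which IdP to send ArtifactResolve to; an IdP can use it
    to drop artifacts that were never minted for this entity ID before hitting the store."""
    _, source_id, _ = parse_artifact(artifact)
    return source_id == source_id_for(issuer_entity_id)


def artifact_redirect_url(acs_url: str, artifact: str, relay_state: Optional[str] = None) -> str:
    """The 302 target for the HTTP-Artifact binding: SAMLart plus optional RelayState."""
    params = {"SAMLart": artifact}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in acs_url else "?"
    return acs_url + sep + urlencode(params)


class ArtifactStore:
    """One-shot, time-limited map from artifact to the serialized (Logout)Response.
    resolve() removes the entry so a second ArtifactResolve for the same artifact
    gets nothing; purge() drops entries that were never resolved within the TTL."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, str]] = {}

    def put(self, artifact: str, response_xml: str) -> None:
        self._entries[artifact] = (self._clock() + self._ttl, response_xml)

    def purge(self) -> int:
        now = self._clock()
        expired = [a for a, (deadline, _) in self._entries.items() if deadline <= now]
        for a in expired:
            del self._entries[a]
        return len(expired)

    def resolve(self, artifact: str) -> Optional[str]:
        self.purge()
        entry = self._entries.pop(artifact, None)
        return None if entry is None else entry[1]

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed values, not taken from any real deployment.
    idp = "https://idp.example.org/auth/realms/demo"
    store = ArtifactStore(ttl_seconds=120)
    art = build_artifact(idp)
    store.put(art, "<samlp:Response ID=\"_constructed\"/>")
    print(artifact_redirect_url("https://sp.example.com/saml/acs", art, "state-1"))
    print(belongs_to_issuer(art, idp), store.resolve(art), store.resolve(art))
```

The store is keyed by the full base64 artifact so the SourceID and endpoint index are checked by `belongs_to_issuer` before a lookup is attempted; in Keycloak the map would live in the cache next to the client session as the post describes, with `purge` run from the same housekeeping that expires sessions.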
I would like to propose a fix to the bug KEYCLOAK-6788. I have already
fixed the bug and verified that it works.
The fix includes a small function that ensures that the string given by
the user as the flow name is not empty or doesn’t contain the character
Should I also include the source file with this email? Eagerly waiting
to hear from you guys! Please correct me if I am wrong as I am pretty
new to opensource contribution.