Forgot password flow + TOTP
by Johan Heylen
Hello,
we currently have a Keycloak server set up with both TOTP and the forgot
password (reset-credential) flow active.
When we initiate an update password action for a user through the admin
panel, he gets an email with a link, and after choosing a new password, the
user has to enter the TOTP in the login screens before actually being
logged in.
When the user himself initiates a forgot password on the login screen, he
gets an email with a link, and after choosing a new password, the user DOES
NOT have to enter the TOTP in the login screens before actually being
logged in.
We want both actions to behave the same, or at least always want the TOTP to be
entered when logging in.
Can this last part be changed, either through a configuration setting or by
creating a whole new reset credential flow within the current Keycloak
version (1.6.0), or do I need a JIRA ticket for a feature request?
Tnx,
Johan Heylen
9 years
Login redirects in KC 1.6
by Libor Krzyzanek
Hi,
I just realized how many redirects happen when I hit the login button.
On KC 1.2 there was just one HTTP POST and that's it.
Now on KC 1.6 I see the following redirects:
- POST /auth/realms/rhd/login-actions/authenticate?code=DArGN8ahUbUNezHDrGU0eBdzME3yJLzNi9C7Rh3fmv0.bf31e3e7-291e-4af8-ba60-23c562813bd1&execution=7eedb65f-1f55-4ca9-863a-8f4951a3d805
-> /auth/realms/rhd/login-actions/authenticate?code=DArGN8ahUbUNezHDrGU0eBdzME3yJLzNi9C7Rh3fmv0.bf31e3e7-291e-4af8-ba60-23c562813bd1
-> /auth/realms/rhd/login-actions/required-action?code=x3p6FRPUGzSOEcwdfOdH_y87tFp6kdv3eMnBdAeNURk.bf31e3e7-291e-4af8-ba60-23c562813bd1
-> /auth/realms/rhd/account/login-redirect?code=x04AO-tQJB69EfKe6unU1UkHupW6bGkLxJ1Cov-Abf8.bf31e3e7-291e-4af8-ba60-23c562813bd1&state=0%2Ffdb40d87-d522-43a5-820a-66cdba051607
GET /auth/realms/rhd/account/
So I see 3 additional redirects.
Is it expected? Can it somehow be minimized to give better performance? Every redirect can in reality take approx. 300 ms, which is almost 1 second just because of redirects.
Thanks,
Libor Krzyžanek
jboss.org Development Team
9 years
No email sent out during creation of new user
by Sebastian Olscher
Hello,
when I create a new user in the admin console of Keycloak, no email is sent out. Neither when I add "required user actions" such as "verify email" in the user creation dialog. The only way to send emails is to switch to the credentials dialog within the user profile and click the "send email" button.
Is it intended behaviour that no email is sent when the user is created, or is this a bug? From my understanding it would be helpful to send the email directly when creating a user.
Thanks,
Sebastian
9 years
tomcat libs dir
by Tim Dudgeon
When deploying the Tomcat adapter (presumably the same applies to other
containers) I find that the 3rd party libs needed by the Keycloak
adapter can clash with different versions of the same libs deployed with
a web app. For instance I just needed to spend quite a bit of time
finding out why a webapp would not deploy, and it resulted from
bcprov-jdk15on-1.50.jar provided by Keycloak, and hence in the Tomcat
lib dir and bcprov-jdk15on-1.53.jar in my application and hence in the
webapp's WEB-INF/lib dir.
Some of these 3rd-party libs are quite common and might be expected in
many web apps.
The docs state that the Keycloak libs must be deployed to the lib dir.
Presumably there's no way round that and hence no way around potential
conflicts?
Tim
9 years, 1 month
How to implement long user sso sessions with reauthentication for important actions?
by Vlastimil Elias
Hi,
I'd like to use the long session authentication mechanism known from many
sites like Google, Facebook, LinkedIn etc.
It is about really long user SSO sessions (e.g. weeks or even months)
with reauthentication for important actions when the last authentication
timestamp is older than some limit.
Is this somehow possible with the current Keycloak server and Keycloak adapters?
I see a few sub-questions in this problem for our use:
*****
The OpenID Connect protocol defines a few auth request parameters to support
this use case, mainly max_age or prompt=login. Are they correctly
implemented in the Keycloak server?
*****
Wildfly/EAP adapter - is it possible, and is there some example of how to
use a "reauth if auth is older than 30min" action in a Java app secured by
this adapter? Or is info about the last auth timestamp somehow available in
the app?
*****
Keycloak user account application itself - it is part of the Keycloak
server, but it contains sensitive actions which typically require
reauthentication in this long session scheme (password change, email
change, ...). Is it somehow possible to configure Keycloak to force
timeout reauth for this app?
Thanks in advance
Vl.
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
9 years, 1 month
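As an added illustration (not part of the original post or of Keycloak's code), this Python snippet shows the check an application can make on the `auth_time` claim that OpenID Connect returns when `max_age` is requested, and how to build the re-authentication request with `prompt=login`. It assumes the adapter has already validated the ID token's signature; the sample token, endpoint and client values are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as used by JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_id_token(auth_time: int, iat: int) -> str:
    """Constructed, unsigned sample token for demonstration only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"sub": "user-1", "iat": iat,
                                  "auth_time": auth_time}).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Return the claim set of a compact JWT. Signature validation is
    assumed to have been performed by the adapter already (assumption)."""
    _header, payload, _sig = id_token.split(".")
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_reauth(claims: dict, max_age_s: int, now=None) -> bool:
    """True when the last interactive authentication is older than max_age_s.
    OIDC Core puts the login time in auth_time (mandatory when max_age was
    requested); without it freshness cannot be proven, so re-prompt."""
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return True
    return now - int(auth_time) > max_age_s


def reauth_request(auth_endpoint: str, client_id: str, redirect_uri: str,
                   max_age_s: int, state: str) -> str:
    """Authorization request that forces a fresh login (prompt=login) and
    states the acceptable age (max_age) so auth_time comes back in the token."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "prompt": "login", "max_age": str(max_age_s)}
    return auth_endpoint + "?" + urlencode(params)
```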
Cannot delete user using REST API - 401 Unauthorized
by harsh mahey
I am getting 401 Unauthorized when I try to delete a user. I was able to
create the user with this id, and I am able to delete the user using the
Advanced REST Chrome client with the same DELETE URL.
Can you guide me on what I am doing wrong here?
Thanks
*****************ERROR***********************************************************
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:641)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:597)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
    at org.springframework.web.client.RestTemplate.delete(RestTemplate.java:429)
    at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.deleteUser(KeyCloakAdminAdapter.java:256)
    at com.snrapps.mwp.domain.security.KeyCloakAdminAdapter.main(KeyCloakAdminAdapter.java:55)
*****************CODE**************************************************************
import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public boolean deleteUser(String userId) {
    AccessTokenResponse accessTokenResponse = getToken();
    // Headers only (Authorization: Bearer <token>); DELETE carries no body.
    HttpEntity<String> entity =
        new HttpEntity<String>(getHeaders(accessTokenResponse.getToken()));
    HttpHeaders httpHeaders = entity.getHeaders();
    System.out.println(httpHeaders);
    RestTemplate restTemplate = new RestTemplate();
    // The realm name is its own path segment: .../realms/<realm>/users/<id>
    String urlForDeleteUser = "http://XXXXX.com:XXXX"
        + "/auth/admin/realms/MyAppsRealm/users/" + userId;
    System.out.println(urlForDeleteUser);
    // RestTemplate.delete(String, Object...) treats the entity as a URI
    // variable and sends no headers, so the bearer token never reached the
    // server; exchange() sends the HttpEntity's headers with the request.
    ResponseEntity<Void> response = restTemplate.exchange(
        urlForDeleteUser, HttpMethod.DELETE, entity, Void.class);
    System.out.println("done: " + response.getStatusCode());
    return true;
}
9 years, 1 month
Issue (500 Internal Server Error) with "Update the client" via Admin REST API
by Juraj Janosik
Hi,
I want to report an issue with "Update the client
<http://keycloak.github.io/docs/rest-api/index.html#_update_the_client>"
via the Admin REST API.
*Description:* I want to change the description of existing client #3.
*Note:* According to the documentation ("Update the client
<http://keycloak.github.io/docs/rest-api/index.html#_update_the_client>"),
the body parameter attributes are required in the schema "ClientRepresentation".
The description of schema "ClientRepresentation" notes for any mandatory
attribute.
Are some parameters mandatory for successfully running this scenario?
*Tested scenario:*
*Tested data:*
"Update Client":
"method":"PUT","url":"<URL>:<PORT>/auth/admin/realms/<REALM>/clients/3"
"headers":
[["Content-Type","application/json"],
["Authorization","Bearer <ACCESS_TOKEN>"]]
"body":
"{
"id":"3",
"clientId":"testclient-3",
"name": "testclient-3",
"description": "TESTCLIENT-3 v.2"
}"
*Test Result:* Status Code: 500 Internal Server Error
*Some parts from console logs:*
10:35:31,591 ERROR [io.undertow.request] (default task-18) UT005023: Exception handling request to /auth/admin/realms/universities/clients/3: java.lang.RuntimeException: request path: /auth/admin/realms/universities/clients/3
...
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
    ... 29 more
*Caused by: java.lang.NullPointerException*
    at org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:106)
Thanks a lot.
Best Regards,
Juraj
9 years, 1 month
Custom User Attributes - incorrect paths
by Bystrik Horvath
Hello,
I tried to create my own theme following the description in the Keycloak Reference
Guide 1.6.1. There are incorrect paths (at several places) in chapter 31 -
Custom User Attributes, e.g.:
1. Create a new theme within the themes/admin/mytheme directory in your
distribution. Where mytheme is whatever you want to name your theme.
should be:
1. Create a new theme within the themes/mytheme/admin/ directory in your
distribution. Where mytheme is whatever you want to name your theme.
or
1. Copy the file
themes/admin/base/resources/partials/user-attribute-entry.html into
a mirror directory ...
should be:
1. Copy the file
themes/base/admin/resources/partials/user-attribute-entry.html into
a mirror directory
Anyway, the file
1. themes/base/admin/resources/partials/user-attribute-entry.html
is not present in the distribution, I found only
1. themes/base/admin/resources/partials/user-attributes.html
There are several places in chapter 31 where incorrect paths are given as
an example.
Best regards,
Bystrik
9 years, 1 month
Generic keycloak function support
by Andrej Prievalsky
Hi,
I would like to ask whether you currently provide/support, or will in the future,
these functions:
1.) 2nd factor Authorization?
2.) User Notifications via Email?
Thanks for answer.
Andrej.
9 years, 1 month