ERROR: failed verification of token
by Henk Laracker
Hi,
I have Tomcat with the Keycloak libraries installed under the domain https://cust001-accdev.planoncloud.com
Keycloak itself is installed on OpenShift Online http://keycloak-ciwwa.rhcloud.com/auth/
When I go to my application the redirect works fine, I can log in and I'm pointed back to my original URL. At that moment, an exception is shown in the catalina.log
==> planon/logs/catalina.out <==
Mar 30, 2015 1:07:47 PM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed verification of token
I had a quick look at the code, but I have no clue how to solve this. The keycloak.json is pointing to the right server with the correct keys.
Any ideas?
Kind regards / Yours sincerely / Kind regards / Best regards,
Henk Laracker
9 years, 9 months
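The log line in the post is the adapter reporting that the token it received did not pass its verification step. One check that step performs is the RS256 signature against the realm public key configured in keycloak.json; a key that does not match the key the server signed with is one reason such a check fails. The following Go program is an added illustration of that check, not Keycloak's adapter code: it signs a token with one in-memory RSA key and shows verification passing under that key and failing under another. The keys, claims and issuer URL are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// signRS256 produces a compact JWS (header.payload.signature) over claims with
// the issuer's private key, the shape of an OpenID Connect access token.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	enc := base64.RawURLEncoding
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyRS256 is the check an adapter performs before trusting a token: the
// signature must validate under the realm public key the adapter was configured
// with. Only on success are the claims returned.
func verifyRS256(realmKey *rsa.PublicKey, token string) (map[string]interface{}, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	headerJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm: the token must not get to choose (e.g. "none" or an HMAC alg).
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(realmKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("failed verification of token")
	}
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	return claims, nil
}

func main() {
	// Constructed keys: one plays the realm that issued the token, the other a
	// key that does not belong to that issuer (a stale or wrong keycloak.json).
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)

	token, _ := signRS256(issuerKey, map[string]interface{}{
		"iss": "http://auth.example/auth/realms/demo", // hypothetical issuer
		"sub": "henk",
	})
	if _, err := verifyRS256(&issuerKey.PublicKey, token); err == nil {
		fmt.Println("matching realm key: token accepted")
	}
	if _, err := verifyRS256(&otherKey.PublicKey, token); err != nil {
		fmt.Println("non-matching realm key:", err)
	}
}
```

The useful diagnostic habit this shows: when an adapter logs a verification failure, compare the public key the adapter holds with the one the realm currently publishes before looking anywhere else, and keep the accepted algorithm fixed on the verifier side rather than reading it from the token.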
How to map Google groups to a token (e.g. as roles)?
by Thorsten
I was wondering if it is somehow possible to map group memberships from Google
hosted domains into Keycloak (e.g. as roles into an ID token)?
This would be great since we already have been using groups in Google to
perform authorization in some apps so I know how to get them from the
Google API. I am already using the social provider for authentication so I
was wondering what SPI implementation or configuration/customization I'd
need to do in order to get this done.
Any pointers on where to start would be very helpful. I am building Keycloak
from github "master".
Thanks
Thorsten
9 years, 9 months
Keycloak sp filter
by Chen Keong Yap
Hi,
Please share some light on implementing a Keycloak SP filter, which is
similar to the PicketLink SP filter.
org.picketlink.identity.federation.web.filters.SPFilter
9 years, 9 months
Multiple Identity Support?
by Stephen Russett
Hi
Is there support for handling multiple identities for a single user? If so, is there a video or write up explaining how this is handled?
Example use case:
You have your user profile (with multiple identities) that is associated with KC. KC is connected to three systems. When you log into System 1, you use Identity A, when you log into System 2, you use Identity B, and when you log into System 3, you use Identity C.
The different identities are due to the need for the user wanting to share specific information depending on the system they are logging into.
This OpenID Connect video has a great intro that outlines the use case for multiple identities: https://www.youtube.com/watch?v=Kb56GzQ2pSk
Thanks.
Stephen
9 years, 9 months
Fwd: User Activation
by Nils Preusker
---------- Forwarded message ----------
From: Nils Preusker <n.preusker(a)gmail.com>
Date: Wed, Mar 25, 2015 at 3:04 PM
Subject: Re: [keycloak-user] User Activation
To: Stian Thorgersen <stian(a)redhat.com>
Hey Stian,
thanks for your reply! That works, however we have a couple of issues with
the suggested flow:
* if I'm not mistaken the e-mail template is the same one that is used for
the "forgot password" link, this is not ideal in our case because it would
be the first e-mail (first contact) that new users in our system would
get...
* when I follow the flow that you suggested I always get redirected to the
account page (/auth/realms/{realm}/account) after creating a password and I
wasn't able to figure out why (I would have expected to be redirected to
the default redirect URL, so to my application)
Cheers!
Nils
On Wed, Mar 25, 2015 at 9:49 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> Create a user in the admin console, set the user's email, click on credentials
> and there's an option to send a password reset email.
>
> ----- Original Message -----
> > From: "Nils Preusker" <n.preusker(a)gmail.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Wednesday, 25 March, 2015 9:43:32 AM
> > Subject: [keycloak-user] User Activation
> >
> > Hi,
> >
> > I'm wondering whether there is a way to set up user activation so that
> >
> > * we create a new user via the admin API
> > * the account has no credentials (password) and is inactive
> > * the user receives an e-mail when the account is created
> > * when the user logs in for the first time (following a link in the
> e-mail),
> > he is prompted to set up his password and the account is activated
> >
> > So far I have only been able to get this to work with an initial
> "default"
> > password followed by a prompt to re-set it. I also didn't find a way to
> > notify a user of the new account via e-mail. Am I missing something?
> >
> > Cheers,
> > Nils
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
9 years, 9 months
User Activation
by Nils Preusker
Hi,
I'm wondering whether there is a way to set up user activation so that
* we create a new user via the admin API
* the account has no credentials (password) and is inactive
* the user receives an e-mail when the account is created
* when the user logs in for the first time (following a link in the
e-mail), he is prompted to set up his password and the account is activated
So far I have only been able to get this to work with an initial "default"
password followed by a prompt to re-set it. I also didn't find a way to
notify a user of the new account via e-mail. Am I missing something?
Cheers,
Nils
9 years, 9 months
Limit Google authentication by domain?
by Thorsten
Hi,
is there a way to limit the Google authentication to only work for users
that have a Google account in a specific Google app domain? Right now it
seems that anybody with a Google+ account can login once you enable it.
Is there an out-of-the-box way to get this done through configuration and if
not what would be the simplest way to implement this?
Thanks
9 years, 9 months
User Entitlements/Attributes
by Lohitha Chiranjeewa
Hi,
I had a look at the code + documentation, but couldn't find support for
user entitlements or attributes. For example, I have a user called "John",
who is an (1) Admin of my system. He can (2) View Reports and (3) Create
Reports.
If I am to store all three of the above against the user (or 2 and 3
against the user role), what approach should I take? Is there a current
feature in KeyCloak through which I can achieve this?
Thanks!
9 years, 9 months
Relative host possible in redirect URI when using Keycloak appliance?
by Guy Davis
Good day,
A few weeks ago, I was deploying auth-server.war inside a JBoss 6.1.0alpha
instance and using relative URIs for redirects on my registered
applications. For example, a single redirect uri of '/hello-world/*' meant
that I could access our app from:
- http://localhost:8080/hello-world/
- https://localhost:8443/hello-world/
- http://[workstation]:8080/hello-world/
- https://[workstation]:8443/hello-world/
This was very convenient as we deploy the JBoss container on site for
customer use via automated installer, so trying to minimize the local
configurations required is important.
However, as per recent exchanges with Stian, I am now running a separate
Keycloak appliance instance (Wildfly 8.2), port-shifted by 100, alongside
our old JBoss instance.
This seems to require that I add 4 separate redirect_uris (above) in order
for things to work. As well, the latter two require knowledge of the
target machine's hostname.
I'm wondering if there is a way to use relative host URI, but keep the port
for application redirect_uri. Or perhaps a hostname placeholder? Possible
example:
- http://${jboss.host.name}:8080/hello-world/
Any sort of placeholder for the current host-name would simplify the
current post-install configuration required.
Thanks,
Guy
9 years, 9 months
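The convenience the post describes, one registered pattern such as '/hello-world/*' serving every host the application is reached through, only stays safe if the match still pins scheme, host and port to the request that actually arrived and still refuses paths outside the registered prefix. The Go program below is an added illustration of such a rule, not Keycloak's redirect URI matching code: a pattern that starts with '/' is resolved against the origin the authorization request came in on, a trailing '*' allows any path beneath the prefix, and paths are cleaned before comparison so traversal cannot slip under the prefix. The request origin and the URIs in main are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// matchRedirectURI reports whether redirectURI is allowed by one registered
// pattern. A pattern without scheme and host is relative and is resolved against
// requestOrigin (scheme://host:port of the request that reached the auth server),
// so it matches on every host the application is reached through while still
// pinning the path. A trailing "/*" allows any path under that prefix; otherwise
// the path and query must match exactly. Illustrative rule, not Keycloak's own.
func matchRedirectURI(pattern, requestOrigin, redirectURI string) (bool, error) {
	req, err := url.Parse(redirectURI)
	if err != nil || req.Scheme == "" || req.Host == "" || req.Fragment != "" {
		return false, errors.New("redirect_uri must be absolute and carry no fragment")
	}
	// Resolve a relative pattern against the origin the request came in on, so the
	// host and port are taken from the live request rather than from configuration.
	if strings.HasPrefix(pattern, "/") {
		origin, err := url.Parse(requestOrigin)
		if err != nil || origin.Scheme == "" || origin.Host == "" {
			return false, errors.New("request origin must be absolute")
		}
		pattern = origin.Scheme + "://" + origin.Host + pattern
	}
	wildcard := strings.HasSuffix(pattern, "/*")
	pat, err := url.Parse(strings.TrimSuffix(pattern, "*"))
	if err != nil {
		return false, fmt.Errorf("bad pattern %q: %w", pattern, err)
	}
	// Scheme and host:port must match exactly; a wildcard never loosens them.
	if !strings.EqualFold(req.Scheme, pat.Scheme) || !strings.EqualFold(req.Host, pat.Host) {
		return false, nil
	}
	// Compare cleaned paths so "/hello-world/../admin" cannot hide under the prefix.
	reqPath := path.Clean("/" + req.Path)
	patPath := path.Clean("/" + pat.Path)
	if wildcard {
		return reqPath == patPath || strings.HasPrefix(reqPath, patPath+"/"), nil
	}
	return reqPath == patPath && req.RawQuery == pat.RawQuery, nil
}

func main() {
	// Constructed: the origin the authorization request arrived on.
	origin := "https://localhost:8443"
	for _, uri := range []string{
		"https://localhost:8443/hello-world/",
		"https://localhost:8443/hello-world/callback?state=abc",
		"https://localhost:8443/hello-world/../admin",
		"https://attacker.example/hello-world/",
		"https://localhost:8543/hello-world/",
	} {
		ok, err := matchRedirectURI("/hello-world/*", origin, uri)
		fmt.Printf("%-52s allowed=%v err=%v\n", uri, ok, err)
	}
}
```

Note what the relative form buys and what it does not: it removes the hostname from the registration, but it still binds the callback to the exact scheme and port of the request, so a port-shifted appliance or an HTTPS-only deployment needs a pattern per port it is meant to serve. A hostname placeholder of the kind the post suggests would be resolved at the same point, before the comparison, and the strict host and path checks would stay as they are.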
Application Management
by Alex Gouvêa Vasconcelos
Hi all...
We started using Keycloak a few weeks ago, trying a SSO solution for our
company. We used to use a proprietary system for
authentication/authorization and our users have an admin console which allows
them to manage users and roles per application.
We tried doing that in Keycloak but the only way we found to do something
similar to that was giving realm-management rights to the application
admin. This was not what we were trying to do, because those rights allow
the admin of app1 to give permission to users of app2.
We found another user of this forum with a similar question in the February
archives... [1] but the answer did not specify if this is in future plans.
If not, is there any help we could count on to implement ourselves?
[1] http://lists.jboss.org/pipermail/keycloak-user/2015-February/001540.html
Best regards.
Alex Gouvêa Vasconcelos
mailto:alexgv99@gmail.com
9 years, 9 months