Keycloak 1.2.0 Beta1 and CORS
by Maurice Quaedackers
Hello,
Has somebody experience with the new 1.2.0 Beta1 release in combination with CORS?
I have a very simple HTML page (for testing purposes) that I have made available via Keycloak.
When I configure this page to use a Keycloak 1.1.0 Final as authentication front end all works as expected.
When I configure the same page with a Keycloak 1.2.0 Beta1 authentication front end (exactly the same configuration) I am not able to access my test HTML file.
Suggestions are highly appreciated.
9 years, 9 months
Application to applications using bearer token
by Scott Rossillo
In the demos, there’s a clear example of how a user is authenticated
against an application, say the customer-portal, and then the
customer-portal requests information from the database-service using the
access token as a bearer token.
In this example, the database-service accepts the bearer token and returns
data.
However, using the Keycloak Adapters and attempting to do the same thing,
the authentication is rejected. Any idea what may be causing this?
Thanks,
Scott
9 years, 9 months
User details storage
by Alik Kurdyukov
Hello!
First of all, thank you for implementing Keycloak, I made it work with Spring Security in a very short time.
I have an architectural question: I need to store lots of additional field values for every user in the system. I see two ways:
1. extend existing Keycloak storage and add fields there
2. store additional info in the LDAP server and retrieve additional params by separate LDAP queries
What is the best way to store it?
--
Best regards,
Alik Kurdyukov
9 years, 9 months
Which adapter must I use?
by Jérôme Blanchard
Hi all,
I'm facing a problem regarding which adapter to use in my case:
I have an application which runs on wildfly.
It is packaged as an ear containing an EJB backend (jar) and a web
application (war) that expose a REST API and a simple content browsing
servlet.
Both the REST API and the content servlet allow anonymous access and
authenticated access. The EJB layer takes charge of the access control using
an internal rules system.
The authentication on the REST API using bearer token works fine as it is a
JavaScript client that uses it and the JavaScript adapter works fine.
What I want to do is to allow authentication on the content servlet in the
following way:
1. A user asks for some content using the content servlet /content/file.txt
2. Because the user is anonymous and the file.txt is protected, the EJB layer returns an
AccessDeniedException which is handled by the servlet to redirect the user's
browser to a specific JSP page saying that the content is protected and giving
a link to the Keycloak server for eventual authentication.
3. The user follows this link to perform authentication and is redirected
back to the content URL /content/file1.txt
4. I don't know how but the browser should be able to include something (a
cookie) that would hold the authentication token and allow the content
servlet to act as authenticated.
Because my current adapter just checks a bearer token header I don't see
which adapter to add, or how to handle authentication in another way
allowing the client navigator to propagate the authentication token?
Thanks in advance for your support and congratulations on this very nice
product that is Keycloak.
Best regards, Jérôme.
9 years, 9 months
Roles/permissions specific to Client application.
by Raghu Prabhala
Hi Dev team,
The current KC model has very coarse grained roles that do not work for us, specifically in regards to the application management. Let me explain our use case.
We allow only a set of users to register/update client applications subject to the below conditions (a simplification of our actual use case):
1) Every client application has a set of owners and only the owners of the application can register/update an application in KC in addition to the point 2) below.
2) Every application is part of a family that has a set of owners who can register/update any application within that family.
When a user logs into KC, I can query our external repository to see if the user is in say "App1 owner" role or "App1 Family Owner" role and if so, allow him to register the application (App1) in KC. I should also be able to link that "App1 owner" role to the newly registered application in KC so that if another user belonging to "App1 owner" or "App1 Family Owner" role comes in, I should allow him to update App1 and not any other application, subject to conditions 1 and 2.
How can we achieve the above functionality in KC? Appreciate some pointers and if there is something that can be done in KC then let me know and I will put in an enhancement request.
Thanks in advance,
Raghu
9 years, 9 months
ldap import error with edirectory novell
by fiorenzo.pizza@ict-group.it
Hi,
Keycloak newbie here.
We would like to use Keycloak with our Novell eDirectory LDAP, but we
have problems in the procedures for importing users.
*Novell eDirectory uses GUID and not entryUUID.*
The users created in Keycloak's USER_ENTITY table from the LDAP import
procedure have all attributes valorized, but in the USER_ATTRIBUTE
table, we missed the LDAP_ID:
NAME = LDAP_ID, VALUE = (null), USER_ID = xxxxxxxx
In the PicketLink code, *I found that LDAP_ID is entryUUID for non Active
Directory.*
https://github.com/picketlink/picketlink/blob/b500ad3d2753a354c29716cd666...
When you try to find someone in the users list, we receive a Null
Pointer exception
Caused by: java.lang.NullPointerException
    at org.keycloak.federation.ldap.LDAPFederationProvider.isValid(LDAPFederationProvider.java:219) [keycloak-ldap-federation-1.2.0.Beta1.jar:1.2.0.Beta1]
*My question is: can we customize the LDAP_ID attribute in
Keycloak?*
Thanks in advance
Fiorenzo Pizza
9 years, 9 months
Keycloak + Spring Security
by Scott Rossillo
As mentioned in a previous post, we would provide information on how to
integrate the Keycloak Adapters with Spring Security.
Today, we went a step further and released an integration under the Apache
2.0 license at http://smartling.github.io/spring-security-keycloak/
This code enables Spring Security to integrate with the single sign-on and
single sign out features of Keycloak when running under Tomcat or Jetty.
Additionally, Keycloak roles are correctly represented as Spring Security
granted authorities.
Please let me know if this is something you’d like to see contributed to
Keycloak proper.
Regards,
Scott
9 years, 9 months