Backwards compatibility with j_security_check?
by Guy Davis
Good day,
I'm looking to move our product to Keycloak for
authentication/authorization. Currently some of our apps/services are
protected with Java's form-based authentication. In particular, certain
clients (Java and .Net) are making HTTP POSTs of username/password to a URI
such as:
http://[SERVER]:8080/my_resource/j_security_check
They are then including all cookies in the POST response on all subsequent
HTTP requests.
I was wondering if there was a way to mimic/redirect/support this behavior in
a Keycloak protected service without requiring changes in the various
client code accessing it as described above. If it helps, I'll be enabling
Keycloak's basic auth support (over SSL) as well.
Any hints or possible solutions would be greatly appreciated.
Thanks,
Guy
9 years, 9 months
Tried upgrading again (no luck)
by Dean Peterson
I tried upgrading from 1.1.0-Alpha1 to 1.2.0.Beta1.jar. I get many errors
that look like this:
[org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
task-122) Invoking deprecated endpoint
http://localhost:8080/auth/realms/abecorn/tokens/login?client_id=trade-cl...
18:35:32,990 ERROR [io.undertow.request] (default task-122) UT005023:
Exception handling request to /auth/realms/abecorn/tokens/login
Also, I had to copy the themes folder from the dist appliance because the
war distributable is missing the themes folder.
9 years, 9 months
Impersonate User
by Scott Rossillo
Hi,
We’re looking for the best way to support having one user, such as an
admin, have the ability to impersonate another user. I don’t see a simple
way to do this with Keycloak at the moment.
Would you mind letting me know if this is on the roadmap - I didn’t see a
JIRA - or if you have any recommendations on implementing such behavior.
Thanks,
Scott
9 years, 9 months
Tomcat with 2 application
by Henk Laracker
Hi,
I have a Tomcat 7 running with two web applications deployed, called ROOT and web client. I created a realm in Keycloak and two applications, and configured Tomcat with the correct JSON files. When I log in to ROOT it works fine, and when I log in to web client it works fine. But the following is the case. Both applications are not owned by me, so I cannot change the code. I log in to ROOT; this application connects to web client through a REST call, and this REST call results in a redirect to Keycloak because I'm not logged in. The result of this is:
XMLHttpRequest cannot load https://keycloak-accdev.planoncloud.com/auth/realms/auth/protocol/openid-.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://auth-proddev.planoncloud.com' is therefore not allowed access.
I know that this has something to do with CORS, so I added the settings:
"enable-cors" : true,
"cors-max-age" : 1000,
"cors-allowed-methods" : "POST, PUT, DELETE, GET",
to the JSON file, and added the Keycloak URL to the web origins of both apps in the Keycloak manager, but I still get the same result. What am I doing wrong? Please advise.
Henk
9 years, 9 months
API Tokens and Permissions (like GitHub Personal Tokens)
by Scott Rossillo
We have a system in place where a user is granted API access tokens for a
project. These tokens can also have permissions associated with them (it
could be as simple as read/write or read-only). In any case, if we migrate
to SSO with OIDC, I'm not sure how best to re-implement such a solution.
Should it even be a concern of the OIDC system? If so, is it something
that's being considered as a Keycloak feature? For example, GitHub allows
tokens to be generated and used in place of a password to access their
OAuth 2.0 API.
Thanks,
Scott
9 years, 9 months
Clarification on Remember Me Functionality
by Lohitha Chiranjeewa
Hi,
The Remember Me requirement on our application(s) is such that, once logged
in with Remember Me enabled, the user should be able to visit the
application(s) without logging in again for another two week period.
When I tested the Keycloak Remember Me functionality, it seems that,
even though Remember Me is turned on, the user has to log in again if either
the SSO Session Idle Timeout or the SSO Session Max Lifespan is reached.
Is this the expected behavior of Keycloak? If so, how can I map it to cater
to my requirement? Or is there any way I can change the default Keycloak
behavior?
Thanks!
9 years, 9 months
Multi-tenancy applications
by Egor Kolesnikov
I've been using Keycloak for quite some time now on a couple of projects,
and it's absolutely awesome - it just does the right thing, straight out of
the box.
However, what I found quite confusing is the "Realm" definition which is
missing from the documentation.
I'm trying to add multi-tenancy support to our application and found it a
bit confusing. It seems that Keycloak's approach to multi-tenancy is "Realm
per tenant" - which makes sense, until it comes to the realisation that
applications only exist within realms. This implies that if there are a few
hundred tenants (i.e. organisations using the application), the task of
changing application config (i.e. adding an application-level role or
adding/removing a redirect URL) becomes a maintenance nightmare.
Is it at all possible to define a "global", not realm-confined application
in Keycloak? Would it be hard to implement? Happy to put some effort into
it and send a pull request.
A bit more context:
- I have a webapp that serves multiple organisations.
- Each organisation has its own users and admins (who can create users and
other admins).
- There is a "Super" administrator who creates organisations and admins.
- Webapp can recognise the organisation based on Company ID or domain name.
Many thanks in advance.
9 years, 9 months
Using Informix DB with Keycloak ...
by Thomas Connolly
Hi All
As part of a standardisation process, I'm trying to get Keycloak working with Informix DB, the enterprise DB! I understand that Keycloak does not officially support Informix; however, given the use of JPA / Hibernate I thought there was a good chance it would work out of the box. However, this has proven not to be the case. The connection dialect does indeed recognise Informix but does not appear to correctly map to this DB.
The issue I've come across is the handling of boolean conditionals in SQL.
In RoleEntry.java the query
@NamedQuery(name="getRealmRoleByName", query="select role from RoleEntity role where role.applicationRole = false and role.name = :name and role.realm = :realm")
generates the following:
select roleentity0_.id as id1_15_, roleentity0_.APP_REALM_CONSTRAINT as APP_REAL2_15_, roleentity0_.APPLICATION as APPLICAT7_15_, roleentity0_.APPLICATION_ROLE as APPLICAT3_15_, roleentity0_.DESCRIPTION as DESCRIPT4_15_, roleentity0_.NAME as NAME5_15_, roleentity0_.REALM as REALM8_15_, roleentity0_.REALM_ID as REALM_ID6_15_ from KEYCLOAK_ROLE roleentity0_ where roleentity0_.APPLICATION_ROLE=0
The above does not work with Informix, as 't' and 'f' are used for true and false respectively. So it should be:
where roleentity0_.APPLICATION_ROLE='f'
Looking through the code, it appears I cannot configure this. Happy to be proven wrong here! I found I could override this within Hibernate using the property hibernate.query.substitutions=true t, false f
I've added this change into DefaultJpaConnectionProviderFactory.java:
String querySubstitutions = config.get("querySubstitutions");
if (querySubstitutions != null) {
    logger.debug("hibernate.query.substitutions=" + querySubstitutions);
    properties.put("hibernate.query.substitutions", querySubstitutions);
}
And added the setting in keycloak-server.json:
"connectionsJpa": {
    "default": {
        "dataSource": "java:jboss/datasources/KeycloakDS",
        "databaseSchema": "update",
        "querySubstitutions": "true t, false f"
    }
}
However I've found the translation is not occurring as I would have expected.
Can you please advise on the approach I'm taking or any alternatives I have not looked into?
Also once we get this working with Informix how can I get it added to the supported DB list?
Regards
Tom Connolly.
9 years, 9 months
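A token-level model of what the hibernate.query.substitutions property does to the named query quoted in the post above, added here as an illustration (it is not Keycloak's or Hibernate's own code). It assumes Hibernate's documented behaviour for this property: the value is split on " ,=;:" and whitespace into token/replacement pairs, the replacement text is spliced into the query verbatim, and a boolean literal with no replacement falls back to the generic 1/0 rendering, so any quotes wanted in the SQL have to be part of the property value.

```python
"""Model of Hibernate's boolean-literal substitution step (added example)."""
import re

# Named query from RoleEntry.java as quoted in the post.
REALM_ROLE_BY_NAME = ("select role from RoleEntity role where "
                      "role.applicationRole = false and role.name = :name "
                      "and role.realm = :realm")

# Hibernate splits the property on these delimiters and pairs the tokens.
_DELIMS = re.compile(r"[ ,=;:\t\r\n\f]+")
# Tokenizer: quoted strings first so text inside them is never rewritten,
# then identifiers/keywords (dots allowed for paths), then single characters.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_.]*|.", re.S)


def parse_substitutions(spec: str) -> dict:
    """'true t, false f' -> {'true': 't', 'false': 'f'}."""
    parts = [p for p in _DELIMS.split(spec.strip()) if p]
    if len(parts) % 2:
        raise ValueError(f"odd number of tokens in substitutions: {spec!r}")
    return dict(zip(parts[::2], parts[1::2]))


def render_boolean(literal: str, replacements: dict) -> str:
    """Replacement text is used verbatim; without one, fall back to the
    generic 1/0 rendering (which is what the post's generated SQL shows)."""
    if literal in replacements:
        return replacements[literal]
    return "1" if literal == "true" else "0"


def substitute(query: str, spec: str) -> str:
    """Rewrite bare true/false tokens; leave strings and identifiers alone."""
    replacements = parse_substitutions(spec)
    out = []
    for tok in _TOKEN.findall(query):
        low = tok.lower()
        if low in ("true", "false") and not tok.startswith("'"):
            out.append(render_boolean(low, replacements))
        else:
            out.append(tok)
    return "".join(out)


def where_clause(query: str, spec: str) -> str:
    """Just the predicate, to keep the before/after comparison readable."""
    return substitute(query, spec).split(" where ", 1)[1]
```

Running where_clause over REALM_ROLE_BY_NAME with an empty spec, with "true t, false f", and with "true 't', false 'f'" shows the three renderings of role.applicationRole = false side by side: 0, bare f, and the quoted 'f' that Informix expects.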