Admin Client Create User
by Scott Rossillo
Hi,
We’re using the admin client to create users in 1.2.0.Final. The call works, but the credentials are missing.
List<CredentialRepresentation> credentialsList = new ArrayList<>();
CredentialRepresentation credentials = new CredentialRepresentation();
credentials.setType(CredentialRepresentation.PASSWORD);
credentials.setValue(appUser.getPassword());
credentialsList.add(credentials);
user.setCredentials(createCredentials(source));
I see the credentials getting passed on the create user HTTP POST, but the CREDENTIALS table doesn’t contain an entry for the user.
Any suggestions?
Best,
Scott
9 years, 7 months
Can Keycloak be used to secure PHP applications?
by pubudu gunawardena
Hi All,
In the Adapters section of the
documentation (http://keycloak.github.io/docs/userguide/html/ch08.html#installed-applications)
it says "This section defines which application types are supported
and how to configure and install them" and lists some servers.
I thought that since Keycloak supports SAML, I could use a SAML client
library and secure any application. Is my assumption wrong?
--
Thanks,
Pubudu
9 years, 7 months
Keycloak - Securing SOAP/HTTP Web Service
by Sebastian Olscher
Hi,
is there any possibility to use Keycloak for the standard OAuth-2 workflow "Obtaining a Token in an Autonomous Client (Username and Password Flow)" described here (https://s3.amazonaws.com/dfc-wiki/en/images/7/76/OAuthAutonomousClientFlo...):
[OAuthAutonomousClientFlow.png]
The general goal is to realize an automated process for machine-to-machine authentication, e.g. Java client to SOAP web service deployed on wildfly secured by Keycloak without any redirect on a browser page. Only browser login authentications are shown in the video tutorials on the Keycloak homepage.
What's the best example to get an idea of how this can be configured within Keycloak-1.2.0-Final?
Thanks for your advice,
Sebastian
9 years, 7 months
Retrieving list of application roles for a given realm role
by Maciej Szewczykowski
Hi,
I'm working on a simple security service for an enterprise application, and one of the requirements is to be able to determine the list of application roles (composites, if I get the vocabulary right) for each user that has successfully signed in. User credentials are naturally acquired from the session token.
According to the REST API docs, you can acquire the list of application roles for a given realm role with the following request:
/admin/realms/{realm}/roles/{realm_role}/composites
It turns out, however, that in order to be successfully executed, this request requires the user to have the "manage-realm" effective role assigned. This will naturally be the case only for admin users.
So I'd much appreciate it if you could tell me whether there is a way (using the REST API or User/RoleRepresentation objects) to get the list of application roles for a given realm role without the need of having the "manage-realm" role assigned.
Thank you in advance for your help.
Best Regards,
Maciej Szewczykowski
Java Developer
9 years, 7 months
LDAP configuration
by Ayrton Araújo
I'm trying to add a new user federation provider to integrate Keycloak
with an LDAP server.
The parameters:
Console display name -> Active Directory
Priority -> 0
Edit Mode -> READ_ONLY
Sync Registrations -> OFF
Vendor -> Active Directory
Username LDAP attribute -> sAMAccountName
User Object Classes -> person, organizationPerson, user
Connection URL -> ldap://dom.example.com:389
Base DN -> DC=dom,DC=example,DC=com
User DN Suffix -> CN=Users
Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com
Bind Credential -> ********
Connection pooling -> ON
Pagination -> ON
Enable Account After Password Update -> OFF
Batch Size -> 100
Periodic Full Sync -> OFF
Periodic changed users sync -> ON
Changed users sync period -> 86400
I tried changing User DN Suffix to only Users, but it does not work. The log
always says:
LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR)
And it says this when it tries to parse the User DN Suffix.
Is there something wrong with my conf?
Ayrton Araújo
"If you can tell the false from the true you are already a scientist."
--
http://ayr-ton.net/
9 years, 7 months
Mapping roles received from remote IDP token to Keycloak roles during identity brokering?
by ROMELOT Didier
Hi, we are trying to implement the following use case using Keycloak identity brokering functionality:
- User requests a resource from the Service Provider, then selects a remote IDP (SAML IDP in our case based on PicketLink...) and authenticates on this remote IDP
- Keycloak computes local Authentication / Identity Federation based on the Authentication Response from the remote IDP
- During local authentication, Keycloak maps roles contained in the Authentication Response from the remote IDP to roles defined in Keycloak.
Does Keycloak support such a scenario through mappers?
Regards
9 years, 7 months
HTML resources over SSL (v1.2.0.CR1)
by ha.hamed@gmail.com
Hi,
I'm using the docker image jboss/keycloak:1.2.0.CR1 with Nginx as a reverse
proxy. With version 1.1.0.Final everything is fine, but with version
1.2.0.CR1 I cannot open the admin console page, because the page is over HTTPS
but the resources inside (JS+CSS) are still over HTTP and the browser cannot
load them!
Any solution!?
Regards,
Hamed
9 years, 7 months
Issues with Social Provider Logins
by Lohitha Chiranjeewa
Hi,
I have experienced a couple of issues when testing with Social Provider
logins:
1. It seems that a successful Twitter login doesn't return the user email -
hence it cannot be bound to other social accounts created with the same
email. I haven't seen any editable consent params on the Twitter developer site
either. So this means consistency with other social providers is not
maintained. Is there a way out of this?
2. When the 'Cancel' button is pressed on the LinkedIn login page, it
redirects to a Keycloak error page which says "Unexpected error when
authenticating with identity provider". Ideally this should return the user
to the Keycloak login page w/o showing an error. Seems like a bug.
Thanks,
Lohitha.
9 years, 7 months
Re: [keycloak-user] Keycloak Admin REST API (I-T)
by Eugene Chow
Hi Iqbal,
I wrote a BASH script to perform admin tasks using the REST API -
https://github.com/eugene-chow/keycloak-tools.
Hope it helps!
> Hello,
>
> I see that the Keycloak Admin REST API[
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html]
> is what keycloak itself is using whenever you need to add a new app via
> Chrome inspector.
>
> There is an 'Authorization: Bearer KEY' header in every request that the
> Admin UI app makes to Keycloak Server.
>
> I'm unsure where I can get the key from in a Script that I can use for
> Server to Server communications. I want my existing app to migrate to
> Keycloak and I want to be able to create new users on signup as well
> without having them to redirect to the keycloak service. Any help in this
> regard will be most appreciated.
>
> These are my notes for logging in and validating the users through various
> microservices:
> https://www.evernote.com/l/ALEH0fpLM1JLKYaFnbMQxQxLURc5cduo-oc
>
> I want to be able to build something similar for Admin functionalities. Any
> library / scripts that I write while accomplishing this task will be open
> sourced.
>
> Best Regards,
>
> Iqbal Talaat Bhatti
>
> "If we did all the things we are capable of doing, we would literally
> astound ourselves." - Thomas Edison
9 years, 7 months