Keycloak in Azure VM?
by Ed Hillmann
Hi. Has anyone had luck accessing Keycloak in a VM in Azure? I've got it
running, I believe. But I cannot access it all from my browser. What I
have done
- Created a VM in Azure (Ubuntu 15), and this created an equivalent Cloud
Service in Azure
- Installed a Java8 JDK to the VM
- Installed Keycloak 1.4.0 Final, standalone
- Created a self-signed certificate in a Keystore (as per the doco)
- Configured the standalone config to use the keystore (as per the doco)
- Started keycloak using standalone.sh
At this point, the log file looks like instances I have run on my local
PC. There's nothing in there that looks any different.
For the Azure VM, I've added the following endpoints
public 80 maps to private 8080
public 443 maps to private 8443
public 9990 maps to private 9990
public 9993 maps to private 9993
Any attempt to access the instance from my browser, however, ends up with
a connection refused error. I can't even get to the launching page, let
alone the admin console.
Are there additional ports that need to be opened? If anyone has done this
and can point out a missing step, I'd be very happy to have the help.
Thanks,
Ed
9 years, 5 months
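Added example (editor's addition, not part of Ed's post): before opening more ports, it is worth checking what the listeners inside the VM are actually bound to. The script below parses the output of `ss -ltn` and reports, for each private port in the endpoint map from the post, whether something listens on a non-loopback address. The `ss` output embedded here is constructed for the offline run; on the VM you would feed it `live_ss_output()` instead. A service bound to 127.0.0.1 only produces exactly a "connection refused" through a mapped public port even when the port mapping itself is right.

```python
"""Check whether the listeners behind the Azure endpoint map can be reached
from outside the VM.  Added example, not part of Ed's post: it parses the
output of `ss -ltn` (the sample below is constructed) and reports, per private
port, whether something listens on a non-loopback address.  A service bound to
127.0.0.1 only gives 'connection refused' through a mapped public port even
though the port forwarding itself is right."""
import ipaddress
import subprocess
from typing import Dict, List, Tuple

# Public -> private ports from the post.
ENDPOINT_MAP = {80: 8080, 443: 8443, 9990: 9990, 9993: 9993}

# Constructed `ss -ltn` output for the offline run.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    127.0.0.1:8080                  *:*
LISTEN     0      128    127.0.0.1:8443                  *:*
LISTEN     0      50     127.0.0.1:9990                  *:*
LISTEN     0      128    *:22                            *:*
LISTEN     0      128    [::1]:9993                      [::]:*
"""

def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """(address, port) for every LISTEN row; handles bracketed IPv6 literals."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def is_external(addr: str) -> bool:
    """True if the bind address accepts connections from other hosts."""
    if addr in ("*", "0.0.0.0", "::", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_endpoints(ss_output: str, endpoint_map: Dict[int, int]) -> Dict[int, str]:
    """Per private port: 'reachable', 'loopback-only' or 'not-listening'."""
    listeners = parse_listeners(ss_output)
    verdict = {}
    for private_port in endpoint_map.values():
        binds = [a for a, p in listeners if p == private_port]
        if not binds:
            verdict[private_port] = "not-listening"
        elif any(is_external(a) for a in binds):
            verdict[private_port] = "reachable"
        else:
            verdict[private_port] = "loopback-only"
    return verdict

def live_ss_output() -> str:
    """Run `ss -ltn` on the VM itself (iproute2)."""
    return subprocess.run(["ss", "-ltn"], check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for port, status in sorted(audit_endpoints(SAMPLE_SS_OUTPUT, ENDPOINT_MAP).items()):
        print(f"private port {port}: {status}")
```

WildFly's standalone.sh binds the public interface to 127.0.0.1 unless it is started with `-b <address>` (and `-bmanagement <address>` for the 9990/9993 management ports), which is one way to end up in the "loopback-only" state the sample shows. Separately, mapping 9990 and 9993 to public ports puts the management console and CLI on the internet; only the application ports normally need an endpoint.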
Roles for User Management
by Vito Vessia
Hi all,
I'm trying to use KC for a suite of multitenant webapps. Each
tenant/customer has a separate realm and I use a custom Federation
Provider to map users and roles to my company's legacy custom ACL database.
Customers also want to manage/create users on their own, but I don't want
them to manage other realm stuff like Federation Provider parameters, client
apps, etc., so I have to give some users of each realm only the roles
"manage-user"/"view-users" from the app realm-management, so that they can
only see the Manage Users option in the realm console.
The problem is that through the console they may promote themselves by
assigning the "manage-realm" role to existing users or to new users, and
after a simple refresh they can manage the entire realm.
Is there a way to avoid this, or am I wrong to do this?
One more question connected to this one: is there also a way to localize
the realm console? If my customers have to manage their own users, they
would read labels and messages in their own languages.
Thank you very much for your time and for your great and versatile product.
Best regards
--Vito
9 years, 5 months
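Added example (editor's addition, not Vito's or Keycloak's code): whatever the answer on preventing the escalation, a practitioner running delegated user management this way wants to at least detect it. The audit below runs over admin event records and flags every grant of a realm-management role outside the delegated set, marking self-grants separately. The events are constructed to resemble Keycloak's admin event representation (the field names `operationType`, `resourcePath`, `representation` and `authDetails` are assumed to match), and the realm-management client UUID is a made-up value; in a live audit you would read it from the clients endpoint and feed exported admin events in.

```python
"""Audit Keycloak admin events for realm-management role grants that go beyond
what delegated tenant admins are supposed to hand out.  Added example, not
Keycloak code: the event records below are constructed to resemble Keycloak's
admin event representation (field names `operationType`, `resourcePath`,
`representation`, `authDetails` are assumed to match), and the
realm-management client UUID is a made-up value."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Roles a tenant's user managers are meant to hold, per the post.
DELEGATED_ROLES: Set[str] = {"manage-users", "view-users"}

# Assumed: internal UUID of the `realm-management` client in this realm.
# In a live audit fetch it via GET /admin/realms/{realm}/clients?clientId=realm-management
REALM_MANAGEMENT_UUID = "8c1e7f3a-1111-4222-8333-444444444444"

def _rm_event(actor: str, target: str, roles: List[str], when: int) -> dict:
    """Build one constructed admin event granting realm-management roles."""
    return {
        "time": when,
        "operationType": "CREATE",
        "resourcePath": f"users/{target}/role-mappings/clients/{REALM_MANAGEMENT_UUID}",
        "representation": json.dumps([{"id": f"role-{r}", "name": r} for r in roles]),
        "authDetails": {"realmId": "tenant-a", "clientId": "security-admin-console",
                        "userId": actor, "ipAddress": "203.0.113.10"},
    }

SAMPLE_EVENTS = [
    _rm_event("u-alice", "u-bob", ["manage-users"], 1),      # permitted delegation
    _rm_event("u-alice", "u-alice", ["manage-realm"], 2),    # self-escalation
    {"time": 3, "operationType": "CREATE",                    # realm role, not realm-management
     "resourcePath": "users/u-bob/role-mappings/realm",
     "representation": json.dumps([{"id": "r1", "name": "editor"}]),
     "authDetails": {"userId": "u-alice"}},
    _rm_event("u-alice", "u-bob", ["view-users", "realm-admin"], 4),  # escalates another user
]

@dataclass
class Finding:
    time: int
    actor: str
    target: str
    roles: List[str]
    self_grant: bool

def realm_management_roles(event: dict, rm_uuid: str) -> List[str]:
    """Role names granted by the event if it targets the realm-management
    client's role mappings, else an empty list."""
    parts = event.get("resourcePath", "").split("/")
    if parts[:1] != ["users"] or parts[2:4] != ["role-mappings", "clients"] or len(parts) != 5:
        return []
    if parts[4] != rm_uuid:
        return []
    try:
        reps = json.loads(event.get("representation") or "[]")
    except json.JSONDecodeError:
        return []
    return [r["name"] for r in reps if isinstance(r, dict) and "name" in r]

def audit_events(events: Iterable[dict], rm_uuid: str,
                 allowed: Set[str] = DELEGATED_ROLES) -> List[Finding]:
    """Flag every CREATE on realm-management role mappings that grants a role
    outside `allowed`; mark grants where actor == target as self-grants."""
    findings = []
    for ev in events:
        if ev.get("operationType") != "CREATE":
            continue
        escalated = sorted(set(realm_management_roles(ev, rm_uuid)) - allowed)
        if not escalated:
            continue
        actor = ev.get("authDetails", {}).get("userId", "")
        target = ev["resourcePath"].split("/")[1]
        findings.append(Finding(ev.get("time", 0), actor, target, escalated, actor == target))
    return findings

if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS, REALM_MANAGEMENT_UUID):
        kind = "SELF-GRANT" if f.self_grant else "grant"
        print(f"t={f.time} {kind}: {f.actor} -> {f.target}: {', '.join(f.roles)}")
```

Detection of this kind only tells you after the fact that a tenant admin widened their own rights; it does not stop the console from accepting the assignment, which is the question Vito is actually asking.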
Docker Keycloak for version 1.4.1 not pushed to docker hub
by Jérôme Blanchard
Hi,
I'm trying to use keycloak in a docker container and I'm facing a realm import
problem. I have exported my keycloak realm from version 1.4.0.Final but it
conflicts in the docker container when I import it. If I run the docker container
jboss/keycloak-postgres alone and ask for version information in the UI, it
shows 1.3.1.Final.
Stian, did you push your new images to docker hub for 1.4.1?
I see your github push for this new version, but it seems that when I pull the
docker image I still get an old version?
Best regards and congratulations for this great docker packaging, which
really helps us, Jérôme.
9 years, 5 months
Upgrade from 1.1.0.Final to 1.4.0.Final - Liquibase script failing
by Stephen Flynn
Hi all,
I'm trying to upgrade Keycloak from 1.1.0.Final to 1.4.0.Final.
The liquibase db scripts are failing. The particular script that is failing is
'jpa-changelog-1.2.0.Beta1.xml' with the exception 'Caused by:
java.lang.ClassCastException: java.math.BigDecimal cannot be cast to
java.lang.Long'. More stack trace below.
Any ideas as to why this might be happening? Is there anything else I can
provide to give more insight?
best rgds,
Steve F.
Environment is...
* wildfly-9.0.1.Final + keycloak-overlay-1.4.0.Final
* jdk1.7.0_51
* Oracle 10 + odbcj6.jar (11.2.0.2.0)
Liquibase change log from the DB
* 1.0.0.Final sthorger(a)redhat.com META-INF/jpa-changelog-1.0.0.Final.xml
2014-12-04 00:55:28.95072 1 EXECUTED
* 1.1.0.Beta1 sthorger(a)redhat.com META-INF/jpa-changelog-1.1.0.Beta1.xml
2014-12-04 00:55:30.070692 2 EXECUTED
* 1.1.0.Final sthorger(a)redhat.com META-INF/jpa-changelog-1.1.0.Final.xml
2015-01-30 00:55:27.065618 3 EXECUTED
Error message in log...
15:12:31,238 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 69) Load config from /apps/wildfly/wildfly-9.0.1.Final/standalone/configuration/keycloak-server.json
15:12:34,416 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 69) Updating database
15:12:35,982 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 69) Change Set META-INF/jpa-changelog-1.2.0.Beta1.xml::1.2.0.Beta1::psilva@redhat.com failed. Error: liquibase.exception.CustomChangeException: Update 1.2.0.Beta1: Exception when updating data from previous version:
liquibase.exception.UnexpectedLiquibaseException: liquibase.exception.CustomChangeException: Update 1.2.0.Beta1: Exception when updating data from previous version
    at liquibase.change.custom.CustomChangeWrapper.generateStatements(CustomChangeWrapper.java:185)
    at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1208)
    at liquibase.changelog.ChangeSet.execute(ChangeSet.java:550)
    at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:43)
    at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
    at liquibase.Liquibase.update(Liquibase.java:200)
    at liquibase.Liquibase.update(Liquibase.java:181)
    at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:84) [keycloak-connections-jpa-liquibase-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:150) [keycloak-connections-jpa-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:39) [keycloak-connections-jpa-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:27) [keycloak-connections-jpa-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:99) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34) [keycloak-model-jpa-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16) [keycloak-model-jpa-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:99) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.models.cache.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:70) [keycloak-invalidation-cache-model-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.models.cache.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:163) [keycloak-invalidation-cache-model-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:40) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:31) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.resources.KeycloakApplication.setupDefaultRealm(KeycloakApplication.java:158) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:88) [keycloak-services-1.4.0.Final.jar:1.4.0.Final]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_51]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_51]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_51]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_51]
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) [resteasy-jaxrs-3.0.11.Final.jar:]
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211) [resteasy-jaxrs-3.0.11.Final.jar:]
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295) [resteasy-jaxrs-3.0.11.Final.jar:]
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236) [resteasy-jaxrs-3.0.11.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) [resteasy-jaxrs-3.0.11.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) [resteasy-jaxrs-3.0.11.Final.jar:]
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_51]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: liquibase.exception.CustomChangeException: Update 1.2.0.Beta1: Exception when updating data from previous version
    at org.keycloak.connections.jpa.updater.liquibase.custom.JpaUpdate1_2_0_Beta1.generateStatementsImpl(JpaUpdate1_2_0_Beta1.java:43) [keycloak-connections-jpa-liquibase-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.connections.jpa.updater.liquibase.custom.CustomKeycloakTask.generateStatements(CustomKeycloakTask.java:79) [keycloak-connections-jpa-liquibase-1.4.0.Final.jar:1.4.0.Final]
    at liquibase.change.custom.CustomChangeWrapper.generateStatements(CustomChangeWrapper.java:178)
    ... 44 more
Caused by: java.lang.ClassCastException: java.math.BigDecimal cannot be cast to java.lang.Long
    at org.keycloak.connections.jpa.updater.liquibase.custom.JpaUpdate1_2_0_Beta1.addDefaultProtocolMappers(JpaUpdate1_2_0_Beta1.java:296) [keycloak-connections-jpa-liquibase-1.4.0.Final.jar:1.4.0.Final]
    at org.keycloak.connections.jpa.updater.liquibase.custom.JpaUpdate1_2_0_Beta1.generateStatementsImpl(JpaUpdate1_2_0_Beta1.java:41) [keycloak-connections-jpa-liquibase-1.4.0.Final.jar:1.4.0.Final]
    ... 46 more
--
===================================================
*Stephen Flynn*
*Director, JF Technology (UK) Ltd*
Cell (UK) : +44 7768 003 882
Phone : +44 20 7833 8346
IM : xmpp:stephen.flynn@jftechnology.com
IM : aim:stephen.flynn@jftechnology.com
Website : http://www.jftechnology.com
Tech support : support(a)jftechnology.com <mailto:support@jftechnology.com>
===================================================
9 years, 5 months
Error during LDAP syncing on Keycloak 1.4.0
by Nair, Rajat
Hi,
As part of testing another issue (Distributed Keycloak user sessions using Infinispan), I upgraded my nodes to Keycloak 1.4.0 (grabbed the release from here - http://central.maven.org/maven2/org/keycloak/keycloak-server-dist/1.4.0.F...). I wiped out our Keycloak database and recreated it. After configuring our LDAP server (a similar configuration to the one which worked against Keycloak 1.3.1 Final), when we try to sync users we get the following exception:
2015-07-29 09:00:42,062 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync: java.lang.RuntimeException: request path: /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
... 29 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.cache.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:149)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory$2.run(LDAPFederationProviderFactory.java:294)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:242)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:143)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
... 37 more
Could this be a regression?
-- Rajat
9 years, 5 months
Angular app, login on click and not on load.
by Fabio Monteiro
Hi ,
I'm looking for a simple way to log in to keycloak with an AngularJS app. If I use the example (angular-product-app) one can find with the keycloak appliance, the js adapter redirects the user to the Keycloak login page "onload" (keycloakVar.init({onLoad: 'login-required'})...)
But I want to log in only when I specifically click on some button. From what I can gather, the method keycloakVar.login() from the docs & JS reference is the way to go, but replacing the .init() method with the .login() method doesn't seem to work...
Also, in the "normal" case, the regular init() example itself leaves me, after logging in successfully, with still-empty JavaScript objects (the auth global variable) once I am redirected to my app page.
The official angular + js-adapter : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
Could you help me ? I must be missing something.
Thanks a lot
Fabio M
9 years, 5 months
REST API: Create User With Roles
by Edem Morny
Hi,
We're currently using Keycloak 1.2.0.Final.
We are migrating users from an existing application with its own user
management implementation to Keycloak, and have been making extensive
use of the REST API to achieve this. I'm able to create a new
user, set their temporary password and so on. However, I'm finding that
all our attempts to add roles to the created user seem not to be
taking effect when we observe the newly created user on the keycloak
side. Here's the code we are trying to use to do this:
import java.util.ArrayList;
import java.util.List;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.UserRepresentation;

// Build the representation for the migrated account
UserRepresentation user = new UserRepresentation();
user.setUsername(username);
user.setFirstName(employee.getFirstName());
user.setLastName(employee.getLastName());
user.setEmail(employee.getEmail());
user.setEnabled(true);
user.setEmailVerified(false);
// Force a password change on first login
List<String> requiredActions = new ArrayList<>();
requiredActions.add(UserModel.RequiredAction.UPDATE_PASSWORD.name());
// Realm roles taken from the legacy system; this is the part that does not stick
List<String> userRoles = getMigrateRoles(employee);
user.setRealmRoles(userRoles);
user.setRequiredActions(requiredActions);
// adminClient and settings are our own migration helpers
adminClient.createUser(settings.getKeycloackUrl(), settings.getRealm(), access, user);
It seems setting the list of roles as the realm roles isn't enough to
create the user with these roles. The user gets created all right, but doesn't
come with any roles. Is there any other means by which we can specify
the user roles during the process of account creation?
The migration will be very tedious if we have to ask the administrators to
manually assign the users to their roles, after our current
implementation has been able to automatically migrate the user accounts
themselves to keycloak.
9 years, 5 months
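Added example (editor's addition; not Edem's code and not Keycloak's admin client): the flow below creates the user with one request and then assigns realm roles with a second one against the role-mappings endpoint, reading the new user's id from the `Location` header that the create call returns. It assumes, consistently with what the post reports, that the `realmRoles` list in the representation posted to `/users` is not applied by the server. The server URL, realm, token and the `FakeTransport` responses are constructed so the script runs offline; swap in `urllib_transport` to talk to a real instance.

```python
"""Create a user through the Keycloak admin REST API, then assign realm roles
with a second request.  Added example: not Edem's code and not Keycloak's
admin client.  Assumption (consistent with what the post reports): the
`realmRoles` list in the representation POSTed to /users is not applied by
the server, so roles must go through the role-mappings endpoint."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, response headers, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]

def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport for use against a live server."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

class AdminApi:
    def __init__(self, base_url: str, realm: str, access_token: str,
                 transport: Transport = urllib_transport):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.token = access_token
        self.send = transport

    def _call(self, method: str, path: str, payload=None) -> Tuple[Dict[str, str], bytes]:
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, resp_headers, raw = self.send(method, self.base + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return resp_headers, raw

    def create_user(self, rep: dict) -> str:
        """POST the representation; the new id is only in the Location header."""
        headers, _ = self._call("POST", "/users", rep)
        location = headers.get("Location") or headers.get("location")
        if not location:
            raise RuntimeError("user created but no Location header returned")
        return location.rstrip("/").rsplit("/", 1)[-1]

    def realm_role(self, name: str) -> dict:
        """Fetch the RoleRepresentation (id + name) the mapping call needs."""
        _, raw = self._call("GET", f"/roles/{name}")
        return json.loads(raw)

    def add_realm_roles(self, user_id: str, role_names: List[str]) -> None:
        reps = [self.realm_role(n) for n in role_names]
        self._call("POST", f"/users/{user_id}/role-mappings/realm", reps)

def migrate_user(api: AdminApi, username: str, email: str, role_names: List[str]) -> str:
    """The two-step flow: create, then map roles. Returns the new user's id."""
    rep = {"username": username, "email": email, "enabled": True,
           "emailVerified": False, "requiredActions": ["UPDATE_PASSWORD"]}
    user_id = api.create_user(rep)
    api.add_realm_roles(user_id, role_names)
    return user_id

class FakeTransport:
    """Offline stand-in for a Keycloak server; records every call it receives."""
    def __init__(self):
        self.calls: List[Tuple[str, str, object]] = []

    def __call__(self, method, url, headers, body):
        payload = json.loads(body) if body else None
        self.calls.append((method, url, payload))
        if method == "POST" and url.endswith("/users"):
            return 201, {"Location": f"{url}/6f1d2c3b-0000-4000-8000-000000000042"}, b""
        if method == "GET" and "/roles/" in url:
            name = url.rsplit("/", 1)[-1]
            return 200, {}, json.dumps({"id": f"id-{name}", "name": name}).encode()
        if method == "POST" and url.endswith("/role-mappings/realm"):
            return 204, {}, b""
        return 404, {}, b"not found"

if __name__ == "__main__":
    fake = FakeTransport()
    api = AdminApi("https://sso.example.test/auth", "demo", "ADMIN-TOKEN", fake)
    print(migrate_user(api, "jdoe", "jdoe@example.test", ["editor", "user"]))
    for call in fake.calls:
        print(call[0], call[1])
```

Two points worth keeping in a migration script like this: the role-mappings call wants full role representations (at least `id` and `name`), not bare names, which is why each role is fetched first; and any failure after the create call leaves a user without roles, so the caller should treat a `RuntimeError` from `add_realm_roles` as "re-run the mapping step", not "re-create the user".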
Having trouble with LDAP attribute mapping in 1.3.1
by Kevin Thorpe
Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP
attribute mappings, which I see has now been done. Unfortunately I can't
seem to get it to work.
I have added a user attribute mapper to my ldap federation. This maps the
LDAP attribute 'applications', which exists on my LDAP user record, to
'applications' in Keycloak.
I have also added a user attribute token mapper to my Keycloak client
definition to map user attribute 'applications' to token claim
'applications'. I've also asked for it to be added to both the ID and access tokens.
However, this attribute is not present in either the ID or access token when
testing. Is there something I've missed?
Something that may be an issue, though, is that I'm using a home-written
openid-connect Lua client based on your javascript one. This uses the
endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
openid-connect endpoint doesn't support these attributes yet?
*Kevin Thorpe*
CTO, PI ltd
9 years, 5 months
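Added example (editor's addition, not Kevin's Lua client or Keycloak code): when a mapper appears to do nothing, the first thing to establish is which of the two tokens the claim did or did not land in, since a protocol mapper can be switched on for the access token, the ID token, or both. The script below takes a token endpoint response, decodes both JWT payloads and reports the claim's presence in each. The response is constructed: the JWTs are built locally with a placeholder signature so the script runs offline, and nothing here verifies signatures, so its output is for debugging only, never for an authorization decision.

```python
"""Inspect which of the tokens returned by the token endpoint actually carry a
claim.  Added example for debugging a mapper setup like Kevin's; not Keycloak
code.  The token response below is constructed: the JWTs are built locally
with a placeholder signature so the script runs offline.  Nothing here
verifies signatures, so treat the output as diagnostic only."""
import base64
import json
from typing import Dict

def _b64url_decode(segment: str) -> bytes:
    data = segment.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("malformed JOSE header")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a claims object")
    return claims

def claim_presence(token_response: dict, claim: str) -> Dict[str, bool]:
    """For each token in the response, is `claim` present at top level?"""
    return {key: key in token_response and claim in jwt_payload(token_response[key])
            for key in ("id_token", "access_token")}

def demo_token(claims: dict) -> str:
    """Constructed token: real structure, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"

# Constructed token endpoint response: the mapper landed in the access token only.
SAMPLE_RESPONSE = {
    "token_type": "bearer",
    "access_token": demo_token({"iss": "https://sso.example.test/auth/realms/master",
                                "preferred_username": "kevin", "applications": "crm"}),
    "id_token": demo_token({"iss": "https://sso.example.test/auth/realms/master",
                            "preferred_username": "kevin"}),
}

if __name__ == "__main__":
    for name, present in claim_presence(SAMPLE_RESPONSE, "applications").items():
        print(f"{name}: {'present' if present else 'MISSING'}")
```

If the claim is missing from both tokens, the token mapper is not the first suspect: check that the user attribute itself was populated on the Keycloak user (the admin console's user Attributes tab) before looking at the client's mappers.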
Re: LDAP with Kerberos, login with different user
by Michael Gerber
Should I create a Jira issue for that task?
Or will you anyway implement something in this direction?
On 24 July 2015 at 09:57, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Raghu Prabhala" <prabhalar(a)yahoo.com>, "Bill Burke" <bburke(a)redhat.com>
Cc: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 9:49:45 AM
Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
Support for prompt=select_account would be cool. Another suggestion, adding
a query parameter to skip some mechanisms (like
skipAuthMechanism=cookie,kerberos), might be good too.
That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.
Not sure if we need to support both, but IMO it will be good to have a
solution not tightly coupled to Kerberos. I can imagine a similar
situation with other login mechanisms as well. For example, with
authenticating users by certificate, the admin may also want to skip
automatic login with the certificate from his browser and instead log in
with the username/password form.
Marek
On 23.7.2015 17:43, Raghu Prabhala wrote:
> The select account prompt wouldn't work for us as some of our applications
> require that the user log in only by entering userid/pw, but your other
> suggestion might work as long as we do the Kerberos authentication using
> id/pw
>
> Sent from my iPhone
>
>> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> All this interaction is defined by the SAML and OIDC specifications.
>> Logout redirects you back to the application and its up to the
>> application what to do next. We could add a query param that if it is
>> set, to not do kerberos. This could be in addition to the "login
>> automatically" flag.
>>
>>
>>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>>> Why can't we have two separate authentication mechanisms - one IWA, in
>>> which case the user is logged in automatically and on logout he is taken
>>> to a login page where a diff userid can be entered and two, a login page
>>> that allows userid/password? That would address our use case.
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>
>>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
>>>> "login automatically" . If it's off, another confirmation screen for the
>>>> user will be displayed?
>>>>
>>>> Marek
>>>>
>>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>>> "Is this you?"
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: keycloak-user(a)lists.jboss.org
>>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different
>>>>>> user
>>>>>>
>>>>>> With the new flows, we could detect a kerberos login then ask if they
>>>>>> want to login as that user or another.
>>>>>>
>>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>>> Do you want that for normal users or just for admin users? Just
>>>>>>> trying to understand the usecase. Because AFAIK the point of kerberos is
>>>>>>> that you log into the desktop and then you're automatically logged into
>>>>>>> integrated web applications without the need to deal with any login
>>>>>>> screens and username/password. When a user has just one keycloak account
>>>>>>> corresponding to his kerberos ticket, then why does he need to log in as
>>>>>>> a different user?
>>>>>>>
>>>>>>> I can understand the usecase for an admin, when you want to log in as a
>>>>>>> different user for testing purposes etc. For this, isn't it possible in
>>>>>>> windows to do something like "kdestroy" to be able to log in without
>>>>>>> kerberos?
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>>> Isn't it possible to create a cookie or add a URL parameter after
>>>>>>>> the logout, so the user is not logged in automatically?
>>>>>>>>
>>>>>>>> It's crucial for us to be able to log in as a different user,
>>>>>>>> otherwise we can not use kerberos at all :(
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> I don't think it's doable. Kerberos is a kind of desktop login and
>>>>>>>>> logout from the web application won't destroy the kerberos ticket,
>>>>>>>>> similarly to how it can't log out your laptop/desktop session. So when
>>>>>>>>> you visit the secured application next time, you are automatically
>>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>>
>>>>>>>>> Hence you need to remove the kerberos ticket manually (for example
>>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>>>>> ActiveDirectory?) and then you will be able to see the keycloak login
>>>>>>>>> screen and log in as a different user.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
>>>>>>>>>> with a different user (no kerberos login, just keycloak username
>>>>>>>>>> and
>>>>>>>>>> password dialog).
>>>>>>>>>> Is that possible?
>>>>>>>>>>
>>>>>>>>>> cheers
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
9 years, 5 months
common roles within multiple clients
by Tim Dudgeon
I have a keycloak realm that contains a number of clients (app1, app2,
app3 ...).
Those clients share a set of common roles (user, editor, manager ...).
Is there a way I can directly assign those roles to the keycloak user so
that they apply across all clients?
The only approach I can find is to set up each of those roles for every
client (e.g. for 5 clients set up 5 sets of identical roles) and then
for each client apply the relevant roles to each of the users (e.g.
repeat the same process for every user/client combination).
Is there a better way?
Thanks
Tim
9 years, 5 months
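Added example (editor's addition, not Tim's setup or Keycloak code): the mechanism that answers this kind of question is composite roles, where a realm-level role is defined as a container for the same-named client role on each client, so one assignment to the user expands to every client. The model below builds that structure for the clients and role names from the post, expands a user's direct assignments the way the token's `realm_access` and `resource_access` claims would show them, and guards the expansion against cyclic definitions. The manager -> editor -> user nesting is an assumption added to show that composites can themselves contain composites; whether a client actually receives the expanded client roles in its token also depends on that client's scope settings, which the model does not cover.

```python
"""Model how Keycloak composite roles let one realm role stand for the same
role on every client.  Added example for Tim's question; not Keycloak code.
Client and role names are taken from the post; the hierarchy
manager -> editor -> user is an assumption to show nested composites."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

@dataclass(frozen=True)
class RoleRef:
    name: str
    client: Optional[str] = None   # None means a realm role

@dataclass
class Role:
    ref: RoleRef
    composites: Set[RoleRef] = field(default_factory=set)

def build_common_roles(clients: Iterable[str], common: Iterable[str],
                       implies: Optional[Dict[str, str]] = None) -> Dict[RoleRef, Role]:
    """One realm-level composite per common role name, each containing the
    same-named client role on every client; `implies` nests realm composites
    (e.g. {"manager": "editor"} makes manager include editor)."""
    clients, common = list(clients), list(common)
    roles: Dict[RoleRef, Role] = {}
    for c in clients:
        for name in common:
            roles[RoleRef(name, c)] = Role(RoleRef(name, c))
    for name in common:
        comps = {RoleRef(name, c) for c in clients}
        if implies and name in implies:
            comps.add(RoleRef(implies[name]))
        roles[RoleRef(name)] = Role(RoleRef(name), comps)
    return roles

def effective_roles(roles: Dict[RoleRef, Role], assigned: Iterable[RoleRef]) -> Set[RoleRef]:
    """Transitive expansion of composites; the `seen` set prevents loops on
    cyclic definitions, and unknown refs raise instead of being ignored."""
    seen: Set[RoleRef] = set()
    stack = list(assigned)
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        if ref not in roles:
            raise KeyError(f"unknown role {ref!r}")
        seen.add(ref)
        stack.extend(roles[ref].composites - seen)
    return seen

def token_access(effective: Set[RoleRef]) -> dict:
    """Shape the expanded set like the realm_access / resource_access claims."""
    realm = sorted(r.name for r in effective if r.client is None)
    by_client: Dict[str, List[str]] = {}
    for r in effective:
        if r.client is not None:
            by_client.setdefault(r.client, []).append(r.name)
    return {"realm_access": {"roles": realm},
            "resource_access": {c: {"roles": sorted(n)} for c, n in sorted(by_client.items())}}

if __name__ == "__main__":
    roles = build_common_roles(["app1", "app2", "app3"], ["user", "editor", "manager"],
                               implies={"manager": "editor", "editor": "user"})
    # Assigning the single realm role `editor` yields editor+user on every client.
    print(token_access(effective_roles(roles, [RoleRef("editor")])))
```

In the admin console the same structure is built by creating the client roles on each client, then creating the realm role with the Composite Roles switch on and selecting the matching client role from every client; the user is then assigned only the realm role. Adding a new client later means adding its client roles to the existing composites, not touching any user.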