Only Allowing Access To Master Realm From Internal Network
by Kenyatta Clark
First of all, I would like to thank your team for doing such a nice job on Keycloak. It is a very solid project.
We are getting ready to deploy Keycloak to production and our IT director is nervous about having the Master realm accessible from the internet. Is there any way to configure Keycloak to disallow access to the Master realm from the open internet? If not, what methods do you suggest employing that would mitigate the risk?
Kenyatta Clark
Principal Engineer, Systems Development
MBO Partners
t: 703.793.6314
w: www.mbopartners.com
10 years, 1 month
How to store additional data for the SSO session of an user?
by Hermann Hill
Hi everybody,
I'm currently working on attaching a company-internal authentication API to Keycloak by implementing a UserFederationProvider.
Basically it is working, but when authenticating to our internal API I get back some additional data that should be tied to the lifetime of the SSO session of the authenticating user. Is there any pre-defined place to store such data?
As an alternative approach, I stored this data in a HashMap and tried to use the LOGIN and LOGOUT events to keep the contents of the HashMap current. This approach would work for the login (though I'd have to introduce an intermediate storage - the LOGIN event comes some time after the "validatePassword" call), but in my experiments a LOGOUT event was only generated when I was logging myself out, not when my SSO session expired or was removed by an administrator account. Is there a way to be reliably notified at the beginning and the end of a session?
By now I'm really out of ideas. I would really appreciate it if somebody could be so kind as to point me in the right direction...
Best regards,
Hermann Josef Hill
Software Architect
optile GmbH
Ganghoferstraße 39 | 80339 München
Mobile +49 (151) 5385 0784
hermann.hill(a)optile.net | www.optile.net
VAT ID no. DE268847980
Managing Director: Daniel Smeds
Commercial Register Munich HRB 183178
+++ Visit us at dmexco 2015 on 16 & 17 September, Cologne, Hall 7.1, Stand F013 +++
10 years, 1 month
Can't get roles of user via REST
by Patrick Andreas Näf
Hi everybody
Started with the example:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
That worked.
Then tried to get also the other interfaces.
Also that works:
/auth/admin/realms/REALM/users
But I don't get the roles of the user here.
So I think the permissions are there; I can get data.
If I try this:
/auth/admin/realms/REALM/users/NAME_OF_USER/role-mappings
I get a 404 error.
My code is:
String url =
"http://localhost:8081/auth/admin/realms/REALM/users/NAME_OF_USER/role-map...";
HttpGet get = new HttpGet(url);
get.addHeader("Authorization", "Bearer " + res.getToken());
HttpResponse response = client.execute(get);
If I open the same URL in the browser I see "Bearer", which is logical to me and shows that the server is there and the URL is correct.
Keycloak version is 1.3.1.Final
Java: 8
Thanks a lot for your help / pointing me to the right place.
10 years, 1 month
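The role-mappings path takes the user's id rather than the username, which would explain the 404 even though the users listing works. As an added example (not code from the thread), the class below first resolves the username through the users search endpoint and then calls role-mappings with the id; the host and port, a bearer token with realm admin rights, and Jackson as the JSON parser are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Resolves a username to the user's id and then fetches that user's role mappings.
 * The admin endpoint .../users/{id}/role-mappings is keyed by the user's id (a UUID),
 * not the username, which is why a username in that path segment answers with 404.
 * Assumptions (not from the original post): Keycloak on localhost:8081, a realm admin
 * bearer token obtained elsewhere, Jackson on the classpath.
 */
public class UserRoleMappings {
    private static final String BASE = "http://localhost:8081/auth/admin/realms/";
    private final HttpClient client = HttpClients.createDefault();
    private final ObjectMapper mapper = new ObjectMapper();
    private final String realm, bearerToken;

    public UserRoleMappings(String realm, String bearerToken) {
        this.realm = realm; this.bearerToken = bearerToken;
    }

    /** GET with the bearer token; any non-200 status is surfaced together with its body. */
    private JsonNode get(String url) throws IOException {
        HttpGet get = new HttpGet(url);
        get.addHeader("Authorization", "Bearer " + bearerToken);
        HttpResponse response = client.execute(get);
        int status = response.getStatusLine().getStatusCode();
        String body = EntityUtils.toString(response.getEntity(), "UTF-8");
        if (status != 200) throw new IOException("GET " + url + " -> " + status + ": " + body);
        return mapper.readTree(body);
    }

    /** Searches /users?username=... and returns the id of the exact username match. */
    public String findUserId(String username) throws IOException {
        JsonNode users = get(BASE + realm + "/users?username=" + URLEncoder.encode(username, "UTF-8"));
        for (JsonNode user : users) {
            // the search may match substrings, so insist on the exact (case-insensitive) username
            if (username.equalsIgnoreCase(user.path("username").asText())) return user.path("id").asText();
        }
        throw new IOException("no user '" + username + "' in realm " + realm);
    }

    /** Realm and client role mappings of the user, as returned by the admin API. */
    public JsonNode roleMappings(String username) throws IOException {
        return get(BASE + realm + "/users/" + findUserId(username) + "/role-mappings");
    }
}
```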
KeyCloak Server as OpenID provider for AppEngine
by Andrew Moedinger
Hi folks!
I'd like to use my KeyCloak server to authenticate an AppEngine application.
I'm currently authenticating using Google accounts as it works out of the
box, but I want to handle account management myself, largely for user
perception issues.
I see two options:
1) Implement a new KeyCloak Adapter for AppEngine - I haven't found an
existing one so far.
-- This seems pretty doable with all the examples to base it on... but I'd
rather not write and maintain another 1000 lines of code if it's not
necessary!
2) Use the experimental OpenID Connect-based federated login of AppEngine
-- I'm currently hitting an issue here where AppEngine is looking for an
XRDS document. I'll try returning one pointing to the OpenId service of my
server, but I suspect more issues will come up with this route, and
debugging issues in the internal AppEngine auth flow is a bit tricky.
Is this a crazy approach? Has anyone else tried something similar or have
better ideas?
Cheers,
Andrew
10 years, 1 month
Password Expiration not applied to Token
by Chris Atkinson
Hi,
We have set a password policy to have passwords expire after a number of days. This works fine through the Keycloak login screen. However, when we use the REST API to do a direct grant (we call '/protocol/openid-connect/token' on Keycloak 1.3.1) a valid token is returned even after the password has expired.
This does not seem like the correct behavior. Is there an issue here?
Thanks,
Chris
10 years, 1 month
Can TOTP be configured to be optional?
by Niels Bertram
We would like to give users a choice to further enhance their profile
security by enabling TOTP. We can only see this being configured at a realm
level. Is it possible to enable this at an account level too?
Kind Regards,
Niels
10 years, 1 month
AWS IAM
by Felipe Braun Azambuja
Hey all,
Has anyone configured Amazon IAM console to authenticate using Keycloak?
I tried, but... Nothing so far :(
--
Felipe Braun Azambuja
DBA
Information and Communication Technology
(48) 3281 9577
felipe.braun(a)intelbras.com.br
10 years, 1 month
LDAP sync filtered by group membership
by Kevin Hirschmann
Hello,
I want to sync from an Active Directory. But the selection should
be limited to users which are members of a specific group.
CN=Group, OU=Users,DC=company,DC=de gives no result.
Is this possible? If so, which Keycloak version supports this?
Thanks for your help.
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
10 years, 1 month
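A group DN on its own, like the one in the post, is not an LDAP search filter; a filter has to test an attribute, and in Active Directory the attribute that records a user's group membership is memberOf. As an added example (not code from the thread or from Keycloak), the JNDI class below builds that filter, escapes the DN so it cannot alter the filter structure, and runs it against the directory so the result set can be checked before the filter is handed to the federation provider; it also goes a step beyond the post with AD's in-chain matching rule for nested groups. The LDAP URL, bind DN, password and base DN are placeholders supplied by the caller.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;

/**
 * Runs a group-membership filter against Active Directory over JNDI so the filter can be
 * verified before it is configured in the LDAP federation provider. A bare DN such as
 * "CN=Group,OU=Users,DC=company,DC=de" is not a filter; the filter must test the memberOf
 * attribute. Assumptions (not from the original post): URL, bind DN, password and base DN
 * are placeholders supplied by the caller.
 */
public class GroupMemberFilterCheck {
    /** Escapes RFC 4515 metacharacters so a DN value cannot change the filter's structure. */
    static String escape(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29");
    }

    /** User objects that are members of groupDn; nested=true uses AD's in-chain matching rule. */
    public static String memberOfFilter(String groupDn, boolean nested) {
        String attr = nested ? "memberOf:1.2.840.113556.1.4.1941:" : "memberOf";
        return "(&(objectClass=user)(objectCategory=person)(" + attr + "=" + escape(groupDn) + "))";
    }

    /** Returns the sAMAccountName of every user the filter matches under baseDn. */
    public static List<String> members(String url, String bindDn, String password,
                                       String baseDn, String groupDn) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);          // placeholder, e.g. ldaps://dc.company.de:636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, memberOfFilter(groupDn, false), sc);
            List<String> names = new ArrayList<>();
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get("sAMAccountName");
                if (a != null) names.add(a.get().toString());
            }
            return names;
        } finally {
            ctx.close();
        }
    }
}
```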