What can bring this error "failed to turn code into token" over and over again?
by Mai Zi
We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
which makes the login slow or fail.
We are using Keycloak 1.7.0 Final and brokered a SAML 2.0 IdP (ADFS). The WildFly app server and Keycloak are both standalone.
8 years, 11 months
Database migration error
by Boken Lin
Hi everyone,
I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, encountered the following error while the system tries to update the database:
00:55:20,179 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 60) Change Set META-INF/jpa-changelog-1.3.0.xml::1.3.0::bburke@redhat.com failed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]: liquibase.exception.DatabaseException: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]
I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the same error message was shown.
Can someone point me in the right direction?
Thanks very much!
Boken.
8 years, 11 months
Pentaho SSO integration
by alex orl
hi to all,
I'm facing the integration with the Pentaho authentication mechanism. Pentaho authentication is based on Spring Security, and I know Keycloak offers a Spring Security Adapter with which I can secure a Spring-secured application with Keycloak authentication.
In particular I'd like to know if org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider is fully compliant with Pentaho login authentication in terms of userDetails too. At first glance the answer seems to be YES. But before I undertake a deeper integration process (which will take me time and maybe a big effort), it could be useful to know if I'm missing something important I will have to fight with. Thanks a lot.
8 years, 11 months
Spring Boot REST Service Example(s)
by Jeremy Simon
Hi,
Would anyone be willing to point me to some good working examples that
are REST services built with Spring Boot but can leverage Keycloak for
authentication? I had no trouble integrating a webapp with the SAML
protocol, but this OpenID Connect (/Oauth2?) area of things is really
confusing.
All I'm trying to do is secure the REST endpoints I made and then,
when I actually hit a controller, also be able to pull some role or
attribute information off the Authentication token.
I tried to cobble together something using the reference guide and the
adapters sections, but to no avail. In particular I followed the 8.9
Spring Boot Adapter but I get 302s and this in the response if I try
a REST client...
----
302 Found
Content-Length: 0
Date: 2016 Jan 14 18:41:13
Location: http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth?response_type=code&client_id=try&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadmin&state=1%2F82011a10-3b29-44eb-9801-e723c03c94bf&login=true
----
At any rate, I tried some extra spring security and other mentions
down further in the guide, but I'm definitely digging myself into a
little hole! Any help would be greatly appreciated!
Possibly uneducated guess with this subject, can Spring Security OAuth
be used with this? Probably can't with the OpenID JWT responses?
jeremy
jeremy(a)jeremysimon.com
www.JeremySimon.com
8 years, 11 months
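The 302 in the post is a redirect to the realm's login page: the adapter saw a request with no bearer token and treated it as a browser session to be started. A REST client needs the service to behave as a resource server instead, answering 401 when the `Authorization: Bearer` header is missing or invalid and reading roles from the verified token otherwise. The following is an added example of that decision logic, not Keycloak's or Spring's code. It assumes HS256 with a shared secret so it runs offline (a real Keycloak access token is RS256-signed with the realm key and must be verified against the realm's public key), and it assumes Keycloak's claim layout (`realm_access.roles`, `resource_access.<client>.roles`, `preferred_username`); the issuer, client id and secret are made up.

```python
"""Added example: bearer-token handling for a REST endpoint, with role extraction.

Assumptions (not from the post): HS256 with a shared secret stands in for the
realm's RS256 key; claim layout follows Keycloak access tokens; names are made up."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"   # hypothetical; stands in for the realm key
LOGIN_URL = "http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims):
    """Mint an HS256 JWT (test-only stand-in for a Keycloak-issued access token)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url(sig)


def verify_token(token, issuer, now=None):
    """Check signature, issuer and expiry; return the claims or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never trust 'alg' blindly
    expected = hmac.new(SECRET, (header + "." + payload).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def roles_from(claims, client_id):
    """Realm roles plus the roles scoped to this client, as Keycloak lays them out."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)


def handle_request(headers, issuer, client_id, required_role, now=None):
    """Decide a REST request the way a bearer-only resource server would.
    Returns (status, body). No token or a bad token gives 401 without any
    redirect; a browser-style adapter would answer 302 to LOGIN_URL instead."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token", "login": LOGIN_URL}
    try:
        claims = verify_token(auth[len("Bearer "):], issuer, now)
    except ValueError as e:
        return 401, {"error": str(e)}
    roles = roles_from(claims, client_id)
    if required_role not in roles:
        return 403, {"error": "insufficient role"}
    return 200, {"user": claims.get("preferred_username"), "roles": sorted(roles)}


if __name__ == "__main__":
    iss = "http://localhost:11080/auth/realms/jeremy"
    tok = mint_token({"iss": iss, "exp": time.time() + 300, "preferred_username": "jeremy",
                      "realm_access": {"roles": ["user"]},
                      "resource_access": {"try": {"roles": ["admin"]}}})
    print(handle_request({"Authorization": "Bearer " + tok}, iss, "try", "admin"))
    print(handle_request({}, iss, "try", "admin"))
```

Two things carry over to a real deployment: pin the expected algorithm rather than reading it from the token, and check `iss` against the realm URL so a token from another realm on the same server is rejected.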
implicit flow response_type url parameter
by Ramon Rockx
Hi all,
I was trying to configure Swagger UI (http://swagger.io/swagger-ui/) so it
will use Keycloak for OAuth2 authorization.
Swagger UI supports the 'Authorization Code Grant' flow and the 'Implicit
Grant' flow. I managed to configure Swagger UI to use the 'Authorization
Code Grant' flow, but I did not succeed with the implicit flow.
I think this is because Keycloak expects the response_type url parameter to
be 'id_token token', while Swagger UI uses the url parameter
response_type=token.
rfc6749 also states (https://tools.ietf.org/html/rfc6749#section-4.2.1)
that the response_type parameter should be 'token'. So why is it that
Keycloak requires the value 'id_token token'?
Is it possible to configure Keycloak, so it will accept 'token' as
response_type?
Thank you!
Ramon Rockx
8 years, 11 months
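The difference between `response_type=token` (RFC 6749 implicit grant) and `response_type=id_token token` (OpenID Connect implicit flow) is what the client must expect back in the URL fragment and whether a `nonce` is mandatory. The following is an added example, not Keycloak's or Swagger UI's code, of building the authorization request for each value and validating the fragment that comes back: the state check is what stops a forged callback, and the tokens are read from the fragment, never the query string. The endpoint, client id and the callback URL are made up, and the callback is constructed rather than captured from a server.

```python
"""Added example: implicit-flow request/response handling for the two
response_type values discussed above. Endpoint and client names are assumptions."""
import hmac
import secrets
import urllib.parse

AUTH_ENDPOINT = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"  # hypothetical

# What each response_type obliges the server to return in the fragment
# (RFC 6749 4.2.2 for "token"; OpenID Connect Core 3.2.2.5 adds id_token).
REQUIRED = {
    "token": {"access_token", "token_type"},
    "id_token token": {"access_token", "token_type", "id_token"},
    "id_token": {"id_token"},
}


def new_session():
    """Per-request values the client must store to validate the response."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_auth_url(client_id, redirect_uri, response_type, session, scope="openid"):
    if response_type not in REQUIRED:
        raise ValueError("unsupported response_type")
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "state": session["state"], "scope": scope}
    if "id_token" in response_type:
        params["nonce"] = session["nonce"]   # mandatory whenever an id_token is requested
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(redirect_url, response_type, session):
    """Validate the redirect back from the server. Returns (params, None) on
    success or (None, reason). Implicit-flow tokens travel in the URL fragment,
    so the web server hosting redirect_uri never receives them."""
    fragment = urllib.parse.urlsplit(redirect_url).fragment
    params = dict(urllib.parse.parse_qsl(fragment, keep_blank_values=True))
    if not hmac.compare_digest(params.get("state", "").encode(), session["state"].encode()):
        return None, "state mismatch: response does not belong to this request"
    if "error" in params:
        return None, "authorization error: " + params["error"]
    missing = REQUIRED[response_type] - set(params)
    if missing:
        return None, "response lacks " + ", ".join(sorted(missing))
    if params.get("token_type", "bearer").lower() != "bearer":
        return None, "unexpected token_type " + params["token_type"]
    return params, None


if __name__ == "__main__":
    session = new_session()
    for rt in ("token", "id_token token"):
        print(build_auth_url("swagger-ui", "http://localhost:3000/cb", rt, session))
    # constructed callback, as a browser would receive it after a "token" request
    cb = "http://localhost:3000/cb#access_token=abc&token_type=bearer&expires_in=300&state=" + session["state"]
    print(parse_callback(cb, "token", session))
    print(parse_callback(cb, "id_token token", session))
```

When an `id_token` is returned, the client also has to verify its signature and compare its `nonce` claim with the stored one; that step belongs to the JWT library and is not repeated here.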
Hotdeploy theme module
by Travis De Silva
Hi,
As per the Keycloak docs (
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html...
)
you can bundle a theme into a jar and deploy it as a WildFly module.
This all works fine, but the module is not hot-deployable. Whenever you make
changes, you need to remove the module, then add it again and restart
Keycloak.
As you can imagine this is not ideal.
I'm trying to deploy the jar as a normal deployment, as in WildFly you can
deploy a jar file like you do war files.
When you deploy like this, the module name is deployment.javafilename.jar
Then I added this name to the keycloak-server.json file, but when I restart
Keycloak, it is not identifying the module.
Is there any other way I can get my themes to reload once I redeploy
the jar?
Note that as per the Keycloak docs, I disabled the theme cache as well.
Cheers
Travis
8 years, 11 months
Securing Application which is exposed to Guest Users
by Naresh Kumar Reddy
Hi,
We have two applications which provide webinar functionality.
1) Provisioning app -- Organizers provision webinars and manage their
account. Since organizers are Keycloak users, I can secure the provisioning app
out of the box.
2) Webinar app -- The users of this app are organizers and participants.
Participants are not provisioned as Keycloak users. Those are guest
users.
My question is how do we secure the second app with Keycloak?
*Note*: Both apps will be under the same realm.
Is there any way to secure it with a custom field like webinarId which is passed
as a parameter?
Or is there a better solution?
Under the same realm, securing one app with Keycloak users and the other app with
custom authentication?
Thanks for the great work.
Thanks & Regards
Naresh
8 years, 11 months
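One way to secure the guest-facing app without giving participants Keycloak accounts is to let the Keycloak-authenticated organizer mint a signed join link that binds the webinarId, the participant and an expiry to an HMAC, and have the webinar app admit guests only on a valid link. The following is an added example of that scheme, not Keycloak's code or the poster's design: it assumes both apps share a signing key, that the organizer's identity is the `sub` claim of an already-verified Keycloak token, and that organizers carry a realm role named `organizer`; all names and the key are made up.

```python
"""Added example: signed join links for guest participants next to
Keycloak-authenticated organizers. Key, role and field names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

JOIN_KEY = b"constructed-key-shared-by-provisioning-and-webinar-apps"  # hypothetical


def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_join_token(webinar_id, participant, organizer_sub, ttl_seconds=3600, now=None):
    """Provisioning app: the organizer (authenticated via Keycloak, 'sub' claim
    passed in) invites a guest. webinarId is inside the signed body, so a guest
    cannot move the link to another webinar by editing the URL parameter."""
    body = {"webinarId": webinar_id, "participant": participant, "issuedBy": organizer_sub,
            "exp": int((now if now is not None else time.time()) + ttl_seconds),
            "jti": secrets.token_hex(8)}
    payload = b64u(json.dumps(body, sort_keys=True).encode())
    tag = hmac.new(JOIN_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64u(tag)


def verify_join_token(token, requested_webinar_id, now=None):
    """Webinar app: return the guest's claims or raise ValueError."""
    try:
        payload, tag = token.split(".")
    except ValueError:
        raise ValueError("malformed join token")
    expected = hmac.new(JOIN_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64u(tag)):
        raise ValueError("bad signature")
    body = json.loads(unb64u(payload))
    if body["exp"] <= (now if now is not None else time.time()):
        raise ValueError("join link expired")
    if body["webinarId"] != requested_webinar_id:
        raise ValueError("link is for a different webinar")
    return body


def authorize_webinar_request(webinar_id, keycloak_claims=None, join_token=None, now=None):
    """Single decision point for the webinar app. Organizers present verified
    Keycloak claims; guests present a join token. Returns a principal or None."""
    if keycloak_claims is not None:
        if "organizer" in keycloak_claims.get("realm_access", {}).get("roles", []):
            return {"role": "organizer", "webinarId": webinar_id, "sub": keycloak_claims.get("sub")}
        return None
    if join_token is not None:
        try:
            guest = verify_join_token(join_token, webinar_id, now)
        except ValueError:
            return None
        return {"role": "participant", "webinarId": webinar_id, "name": guest["participant"]}
    return None


if __name__ == "__main__":
    link = issue_join_token("w-42", "Guest One", "organizer-sub-1")
    print("join link token:", link)
    print(authorize_webinar_request("w-42", join_token=link))
    print(authorize_webinar_request("w-43", join_token=link))   # wrong webinar: None
```

The `jti` field is there so the webinar app can keep a short deny-list if a link has to be revoked before it expires; the organizer's `sub` in `issuedBy` ties every guest admission back to a Keycloak identity for audit.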
Issue with special character in CommonName / DistinguishedName from Active Directory
by Kroener, Hermann
Dear all,
I'm facing some issues with the Role Mapping of user accounts in Keycloak Server (v1.7.0) which are imported from our Active Directory.
I configured the User Federation and added some Role Mappers to map AD groups to Realm Roles.
The user accounts are imported from AD and the Groups are added as Realm Roles.
But the Roles are not assigned to the User Accounts inside Keycloak after the Import.
Finally I could break the issue down to the naming scheme in our Active Directory:
Our IT adds users as "CN=<LastName>, <FirstName>" and "DN=<LastName>\, <FirstName>,OU=...,DC=...,DC=..."
The DN (with escaped comma) is also used as Group member attribute.
It seems that Keycloak has an issue with special characters in CN / DN.
Is there anything I can do in my current Keycloak instance, or does this need to be fixed in an upcoming version of Keycloak?
BR, Hermann
____________________________
Hermann Kröner
Testing Engineer Security
Barco Control Rooms GmbH
Greschbachstrasse 5a
D - 76229 Karlsruhe
Telefon +49 721 6201 461
http://www.barco.com
mailto:hermann.kroener@barco.com
____________________________
Registered at 76229 Karlsruhe, Amtsgericht Mannheim, HRB 102241,
Management: Lutz Nehrhoff von Holderberg
8 years, 11 months
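The naming scheme in the post, `CN=<LastName>\, <FirstName>`, is a DN whose first RDN value contains an escaped comma (RFC 4514 section 2.4). Any code that splits the group's member attribute on plain commas, or compares it byte-for-byte with a DN that Active Directory returns with hex escapes such as `\2C`, will fail to match the user to the group. The following is an added example, not Keycloak's code, of DN splitting and comparison that handles backslash and hex escapes; the sample DNs are constructed and the OU/DC values are placeholders.

```python
"""Added example: RFC 4514 DN splitting and normalized comparison for
values with escaped commas. Sample DNs are constructed."""

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas only. Backslash escapes
    ('\\,', '\\\\', '\\2C') are carried through untouched. Multi-valued RDNs
    ('+') are not split here; they stay inside their RDN string."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(value):
    """Resolve '\\X' and '\\hh' escapes in an attribute value. Consecutive
    '\\hh' pairs are decoded together so multi-byte UTF-8 (e.g. '\\C3\\B6') works."""
    out, i, pending = [], 0, bytearray()

    def flush():
        if pending:
            out.append(pending.decode("utf-8", "replace"))
            pending.clear()

    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if len(hexpair) == 2 and all(ch in HEX for ch in hexpair):
                pending.extend(bytes.fromhex(hexpair))
                i += 3
                continue
            flush()
            out.append(value[i + 1])
            i += 2
            continue
        flush()
        out.append(value[i])
        i += 1
    flush()
    return "".join(out)


def parse_dn(dn):
    """[(attribute_type, value), ...] with types lower-cased and values unescaped."""
    parts = []
    for rdn in split_dn(dn):
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': " + rdn)
        parts.append((attr.strip().lower(), unescape_value(val.strip())))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: types and values case-folded (AD's CN, OU
    and DC are case-insensitive), escapes resolved."""
    return tuple((a, v.lower()) for a, v in parse_dn(dn))


def is_member(user_dn, group_member_values):
    """Does the user's DN appear among the group's member values?"""
    target = normalize_dn(user_dn)
    return any(normalize_dn(m) == target for m in group_member_values)


if __name__ == "__main__":
    user = "CN=Kr\u00f6ner\\, Hermann,OU=Users,DC=example,DC=com"
    print(user.split(","))   # naive split: 5 pieces, CN is broken in two
    print(split_dn(user))    # 4 RDNs, comma kept inside the CN value
    print(is_member(user, ["CN=Kr\\C3\\B6ner\\2C Hermann,OU=users,DC=EXAMPLE,DC=com"]))
```

The same normalization is what you want before using a DN as a lookup key or as a filter value; for the latter, the value also has to be re-escaped per RFC 4515 rather than interpolated raw.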
Direct Access Grants for user set up for totp
by Rajees Patel
Hi,
How can I get direct access grants for a user set up with totp?
I tried posting the totp code, but received this error.
{
"error_description": "Account is not fully set up",
"error": "invalid_grant"
}
Thanks
Rajees Patel
Product Architect
Invenco Group Limited
O: +64 9 905 5673
Rajees.Patel(a)invenco.com
www.invenco.com
8 years, 11 months
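A direct access grant is the OAuth 2.0 resource owner password credentials request (RFC 6749 section 4.3) posted to the realm's token endpoint; for a user with OTP configured, the client has to send the current TOTP value alongside the password. The following is an added example, not Keycloak's code, of computing that value per RFC 6238 and assembling the form body. It assumes the one-time code is sent in a form field named `totp` (treat that field name as an assumption and check it against the Keycloak version you run); the secret used is the RFC 6238 test-vector secret, not a real one, and the client name is made up.

```python
"""Added example: TOTP (RFC 6238) computation and the direct-grant form body.
The 'totp' field name is an assumption; the secret is the RFC test vector."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    t = int(at if at is not None else time.time())
    return hotp(secret, t // period, digits, algo)


def totp_from_base32(b32_secret, at=None):
    """Authenticator apps receive the secret as base32; decode it first."""
    pad = "=" * (-len(b32_secret) % 8)
    return totp(base64.b32decode(b32_secret.upper() + pad), at)


def direct_grant_form(client_id, username, password, otp, client_secret=None):
    """Form body for the token endpoint, grant_type=password.
    The 'totp' field name for the one-time code is an assumption."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password, "totp": otp}
    if client_secret:
        fields["client_secret"] = client_secret   # confidential clients only
    return urllib.parse.urlencode(fields)


def verify_totp(secret, code, at=None, window=1, period=30):
    """Server-side check: accept +/- `window` periods of clock skew, compare in constant time."""
    t = int(at if at is not None else time.time())
    return any(hmac.compare_digest(totp(secret, t + k * period, period), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret, not a real one
    print(totp(secret, at=59))                # RFC 6238 vector: 287082
    code = totp(secret)
    print(direct_grant_form("my-client", "rajees", "correct horse", code))
    print(verify_totp(secret, code))
```

The verifier's window is the part that matters operationally: a code is valid for one 30-second step plus whatever skew you allow, so the client should compute it immediately before sending the request rather than caching it.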
Custom Encryption module
by Stuart Jacobs
Good Day,
The project I am currently working on has its own unique encryption
module/methods.
I would like to know if it is possible to change the default keycloak
encryption with my own module?
Regards,
Stuart Jacobs
--
www.symbiotics.co.za
8 years, 11 months