Can't get redirect to work when using send-verify-email on a newly created user
by Martin Johansson
Hi,
I can't seem to get the redirect to work when I create a user and send an
e-mail verification mail to said user. The mail arrives, the link can be
clicked and the e-mail is verified. However, the *redirect_uri* that I send
as a query parameter along with a valid *client_id* is not used to redirect
the user after the verification of the e-mail is completed. The user stays
at the verification page. Most likely I'm doing something wrong but I can't
wrap my head around what it is.
Thanks in advance for any help.
BR,
Martin
8 years, 12 months
KeycloakJS and Angular ui-router
by Niels Bertram
Hi there,
has anyone ever attempted to marry the Keycloak JavaScript adapter with
Angular ui-router? The basic AngularJS example from the Keycloak github
page does not really integrate with Angular components such as ui-router
and the bootstrapping of the auth system outside of Angular kills
test-ability of our site. A set of ng services that plays nice with other
ng components would make life much easier.
Curious to find anyone who managed to get Keycloak working in an angular
way.
Kind Regards,
Niels
8 years, 12 months
ERROR sending email with my company's SMTP server: Exception writing multipart
by abhishek raghav
Hi
I am facing a weird issue when I try sending emails from Keycloak. I tried
digging into the issue and figured out that it occurs when Keycloak tries to
template the email content in HTML format.
I don't want the plain text body content to go in the email, so I
removed the text folder itself from the email theme.
When I tried with Google SMTP, everything works perfectly fine (even HTML
content is processed and can be sent).
*It says exception writing multipart.*
Can somebody help me find where the problem is? Is it my company's SMTP not
allowing it, or should I prepare the content in a different manner?
Below is the stack trace.
06:29:44,321 ERROR [org.keycloak.services] (default task-110) KC-SERVICES0029: Failed to send email: javax.mail.MessagingException: IOException while sending message; nested exception is:
    java.io.IOException: Exception writing Multipart
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1290)
    at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:191)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:183)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:156)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:139)
    at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Exception writing Multipart
    at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:83)
    at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:897)
    at javax.activation.DataHandler.writeTo(DataHandler.java:330)
    at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1645)
    at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1850)
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1241)
    ... 57 more
Caused by: javax.mail.MessagingException: Empty multipart: multipart/alternative; boundary="----=_Part_0_766978197.1478845783718"
    at javax.mail.internet.MimeMultipart.writeTo(MimeMultipart.java:548)
    at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:81)
    ... 62 more
Cheers
Abhishek
8 years, 12 months
Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)
by Michael Furman
Hi all,
I would be happy for clarifications regarding advanced authentications (LDAP, Kerberos, SAML).
1. Why is Kerberos "User Federation" but SAML is "Identity Provider"?
Both are SSO protocols (I do understand the difference between the protocols but it is seamless from the user's point of view).
What is the difference between User Federation and Identity Provider in Keycloak?
Will Keycloak import all users defined in "User Federation" into the internal database?
2. How do I incorporate "User Federation" or "Identity Provider" into the authentication flow?
I see that I can add "Identity Provider Redirector" but how do I add "User Federation"?
3. Regarding LDAP: I have added LDAP User Federation.
The "Test connection" and the "Test authentication" pass successfully but I cannot authenticate LDAP users in the UI.
What have I missed?
Should I add LDAP to the authentication flow?
Thank you in advance for your help.
Michael
8 years, 12 months
Keycloak Security Proxy redirects to http
by Daniel Bachler
Hi,
I am having trouble with the Keycloak Security Proxy. I want to secure a
jupyter notebook with it. When I go to the https enabled url where it is
available (behind the Keycloak Security Proxy), I get redirected to the
Keycloak login screen, but when I submit my details there it tries to
redirect me to the http version of the endpoint and dies.
Here are more details of my setup: The entire setup is hosted in a
Kubernetes cluster, with Traefik acting as a reverse proxy / ingress
controller. Traefik is configured to automatically generate SSL
certificates using Let's Encrypt for all publicly available services and
handle the SSL termination. All traffic inside the cluster uses plain http.
Inside the cluster is one container that runs the Keycloak server, one that
runs the jupyter notebook and one for the Keycloak Security Proxy.
When I remove the constraints patterns in the config below and just let
traffic through, the https flow works and I can access the site through the
security proxy (but without seeing a login mask at any point of course). It
is only when I enable the authentication workflow that it fails by
redirecting to http.
I don't need authorization / user management for my jupyter notebook, I
just need to make sure that the user logged in successfully, so if there is
another way to configure this that would work in this case that would also
be fine.
Here is my Keycloak Security Proxy config. Please let me know if any other
information would be helpful to debug this situation. Thanks!
{
  "target-url": "http://jupyter-service:8888/",
  "send-access-token": true,
  "bind-address": "0.0.0.0",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "Testrealm",
        "auth-server-url": "https://OMITTED/auth",
        "ssl-required": "external",
        "resource": "jupyter",
        "public-client": true
      },
      "constraints": [
        {
          "pattern": "/*",
          "roles-allowed": [
            "jupyter-users"
          ]
        }
      ]
    }
  ]
}
Best,
Daniel
8 years, 12 months
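An added illustration of the setup described in the post above (not code from the post, Keycloak or Traefik): a service behind a TLS-terminating ingress only sees plain http on the wire, so a redirect URI built from the wire scheme comes out as http unless the forwarded scheme is honoured, and it should be honoured only when the request comes from a trusted hop. Whether the Keycloak Security Proxy behaves this way is an assumption; the proxy network, host name and function names are made up for the example.

```python
import ipaddress
from urllib.parse import urlunsplit

# Assumption: the in-cluster network the TLS-terminating ingress connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def peer_is_trusted(peer_ip):
    """True when the directly connected peer is a known ingress address."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def external_url(peer_ip, wire_scheme, headers, path):
    """Rebuild the URL the browser used, e.g. for an OIDC redirect_uri."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = wire_scheme, h.get("host", "")
    if peer_is_trusted(peer_ip):
        # Only a known proxy may override what was seen on the wire;
        # anyone else could forge these headers.
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            scheme = proto
        fwd_host = h.get("x-forwarded-host", "").split(",")[0].strip()
        if fwd_host:
            host = fwd_host
    return urlunsplit((scheme, host, path, "", ""))


def demo():
    """Constructed requests: ingress with header, ingress without, outsider."""
    base = {"Host": "notebook.example.org"}
    fwd = dict(base, **{"X-Forwarded-Proto": "https"})
    return {
        "ingress_forwarded": external_url("10.42.0.7", "http", fwd, "/"),
        "ingress_no_header": external_url("10.42.0.7", "http", base, "/"),
        "untrusted_forged": external_url("203.0.113.9", "http", fwd, "/"),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:18} {url}")
```
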
Looking for User Experiences
by Roger Turnau (US - Advisory)
Hi all,
I am working with a client who is considering adopting Keycloak, and I
wanted to reach out to this group to see if anyone is using Keycloak in
production, and if I could ask you some questions privately on what your
experience has been with the product.
Please feel free to email me at roger.turnau at pwc.com.
Thank you in advance for your help.
Best,
--
*Roger Turnau*
PwC
9 years
How to Pass User Attributes on Bearer Only Application?
by Carlos Feria
Hi all. I have an Angular2 application (frontend) and a RESTful (JAX-RS) application for
rest services. My Angular2 application has a *Public Client* configuration
and my rest services have a *Bearer Only* client configuration. I'm trying
to get user attributes using this code:
HttpServletRequest request = servletRequest.get();
org.keycloak.KeycloakPrincipal kcPrincipal =
        (org.keycloak.KeycloakPrincipal) request.getUserPrincipal();
org.keycloak.representations.AccessToken accessToken =
        kcPrincipal.getKeycloakSecurityContext().getToken();
Map<String, Object> otherClaims = accessToken.getOtherClaims();
The problem is that accessToken.getOtherClaims() doesn't return any data. *I
think that this happens because my rest application is BEARER ONLY*, but
I'm not sure.
Please help me, *I need to pass data using user attributes (Employee
Department for example). How could I solve my problem?*
*Thank you very much!!!*
--
Carlos E. Feria Vila
9 years
Single Sign On without browser redirect.
by Laghuvaram, Raghu
I have two applications, App1 and App2 (both are on different servers and both have different branding), and I want to achieve single sign-on using Keycloak. I have a few concerns:
1. I want to make use of our own login/sign-in pages residing in App1 and App2 rather than redirecting to the Keycloak login page, and post the request to Keycloak similar to org.keycloak.testsuite.util.OAuthClient#doGrantAccessTokenRequest. I am successful in getting an AccessToken in App1, but how can I achieve SSO with App2 in this scenario?
2. If I can't have login pages on my apps, then can I have multiple login themes, in such a way that I can have a different theme per app (per client)? Right now I see that I can have only one theme per realm.
3. I have native mobile apps for these two apps, so I need to make sure my architecture supports login through native apps as well.
4. Currently I am using the Java Servlet Filter Adapter to make use of Keycloak. I gave my secured pages URL (/secured/*) for the filter KeycloakOIDCFilter, and for non-secured pages in my application (where the URL is "/*") I have added another filter to refresh the token using "refreshableKeycloakSecurityContext.refreshExpiredToken(true);". This works perfectly when I am using httpsession, but when I make it stateless using the tokenstore to use a cookie, I can't get hold of refreshableKeycloakSecurityContext without replicating the httpsession across multiple instances of my web servers. If this is not the right way, then how can I maintain the session with the IDP from my non-secured pages?
Thanks,
Raghu
9 years