authz and SAML
by Gerard Laissard
Hi,
Our applications (resource servers) are using SAML to authenticate users with Keycloak. We would like to use authorization services.
Authorization services can be activated on OIDC clients; will it be possible to activate authorization services on a SAML client?
Is there any way to use authz with a SAML client?
Thanks
Gerard
8 years, 11 months
Failed to verify token
by Juan Diego
Hi,
I haven't done this in a while. I have Keycloak 1.9.8 running on a
server. I created a front end and a back end, the front end with AngularJS and the back end
with Java and WildFly 10.
The front end works, but when I try to send requests to my back end I get
the following:
18:51:42,377 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-38) Failed to verify token: org.keycloak.common.VerificationException: Invalid token signature.
    at org.keycloak.RSATokenVerifier.toAccessToken(RSATokenVerifier.java:73)
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:39)
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
    ...
In my browser I get this:
401 Unauthorized - http://localhost:8080/ramona-backend/configuracion/grabarLista
WWW-Authenticate: Bearer realm="ramona", error="invalid_token", error_description="Invalid token signature."
X-Powered-By: Undertow/1
But I can see that a token is being sent:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Authorization: Bearer <JWT omitted>
Host: localhost:8080
Origin: http://ramona.localdomain
Referer: http://ramona.localdomain/configuracion
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
The front end is public and the back end is bearer-only, both in the same realm. Web Origins is
http://ramona.localdomain
http://localhost:8080
http://localhost
and valid redirect URIs.
Thanks,
JD
8 years, 11 months
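As an added illustration (not code from the post or from Keycloak), the check below verifies a bearer token against the realm public key the back end is configured with, so a signature failure can be told apart from an issuer or expiry failure. It assumes the Keycloak 1.9.x RSATokenVerifier.verifyToken(token, key, realmUrl) overload that appears in the stack trace above; the realm key and realm URL are placeholders.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.keycloak.RSATokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/** Stand-alone bearer token check against the key the adapter is configured with. */
public class BearerTokenCheck {

    // Base64 DER (X.509 SubjectPublicKeyInfo) key as shown in the realm's Keys tab and
    // used for "realm-public-key" in keycloak.json. Placeholder, not a real key.
    static final String REALM_PUBLIC_KEY = "MIIBIjANBgkq...REPLACE_WITH_REALM_KEY...";
    // Must equal the token's "iss" claim: <auth-server-url>/realms/<realm>.
    static final String REALM_URL = "http://localhost:8080/auth/realms/ramona";

    static PublicKey decodeRealmKey(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Returns a verdict string instead of the adapter's bare 401, so the mismatch can be located. */
    static String check(String bearerToken) throws Exception {
        PublicKey key = decodeRealmKey(REALM_PUBLIC_KEY);
        try {
            // Assumed 1.9.x API: verifies RS256 signature, issuer, expiry and token type.
            AccessToken token = RSATokenVerifier.verifyToken(bearerToken, key, REALM_URL);
            return "OK: issuer=" + token.getIssuer() + " subject=" + token.getSubject()
                    + " audience=" + token.getAudience();
        } catch (VerificationException e) {
            // "Invalid token signature": the configured key is not the key of the realm that
            // signed the token (stale realm-public-key copied into keycloak.json, a regenerated
            // realm key, or a token issued by a different realm/server).
            // Other messages (issuer, expiry) point at auth-server-url/realm or clock problems.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java BearerTokenCheck <token copied from the Authorization header>
        System.out.println(check(args[0]));
    }
}
```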
My KEYCLOAK_SESSION cookie is always wrong
by Colin Ritchie
Hello,
I am running Keycloak behind a reverse proxy. After I log in, when
visiting the keycloak admin, the page refreshes every 5 seconds. It
appears to be because my session cookie does not match the expected
KEYCLOAK_SESSION value in the server response.
When I monitor the traffic between the browser and keycloak, the cookie
sent to keycloak matches the cookie in the response.
When I put a breakpoint in the login.status.iframe.html getCookie() method,
I see the desired cookie with the incorrect name
"!Proxy!clusterProxyKEYCLOAK_SESSION", and I sometimes see an invalid
cookie with the correct name "KEYCLOAK_SESSION".
Example:
"!Proxy!clusterProxyKEYCLOAK_SESSION=master/127ff890-6fde-47f5-8a81-039c67d0a261/c7b9427b-eb59-4b2a-8b3c-f8436c130613"
Does anyone know what is happening here?
--
Colin Ritchie | Engineering Manager | Tasktop Technologies
8 years, 11 months
Logout session issues
by Haim Vana
Hi,
We are working on Keycloak 1.9.3 with Spring Security, and are trying to implement backchannel logout (one application performs the logout and the second application is not aware of it).
We would appreciate it if you could kindly advise regarding the below:
1. What is the best practice to handle backchannel logout? More specifically, where and how should the access token validation be performed (how should the second application know that the first one performed the logout)?
2. We have noticed that the Keycloak Spring Security filters (straight from the documentation) don't try to authenticate the token after it is revoked. What's the best practice to handle access token expiration? Is it implemented by Keycloak, or should we handle it on the server or client side?
3. The getToken() method of RefreshableKeycloakSecurityContext does not fail if the token is expired. Is this on purpose? If so, should we handle it in our application code?
4. We have implemented the KeycloakOIDCFilter, but it doesn't clear the Spring Security authentication object (SecurityContextHolder.getContext().getAuthentication()) after logout; as a result the client 'thinks' it is still authenticated. What's the best practice to handle it?
Thanks,
Haim.
8 years, 11 months
Issue with Rest API "Add a social login provider to the user"
by Laghuvaram, Raghu
Team,
I am using the REST API to create a user and add a social login provider to that user. I am able to add the user, but I am not able to add the social login provider. When I try to add the social login provider as:
kc = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8080/auth")
        .realm("SocialDemo")
        .username("admin")
        .password("admin")
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();
response = kc.realm("SocialDemo").users().get(createdUserId).addFederatedIdentity("facebook", link);
I am getting an NPE as below. Please help. Is there another approach than the one I am following?
00:27:14,145 ERROR [io.undertow.request] (default task-124) UT005023: Exception handling request to /auth/admin/realms/SocialDemo/users/87b95eea-a04c-48b2-87ce-b8e0e7eb43d8/federated-identity/facebook: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    ...
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.keycloak.models.jpa.JpaUserProvider.addFederatedIdentity(JpaUserProvider.java:166)
at org.keycloak.storage.UserStorageManager.addFederatedIdentity(UserStorageManager.java:158)
at org.keycloak.models.cache.infinispan.UserCacheSession.addFederatedIdentity(UserCacheSession.java:621)
at org.keycloak.models.UserFederationManager.addFederatedIdentity(UserFederationManager.java:163)
at org.keycloak.services.resources.admin.UsersResource.addFederatedIdentity(UsersResource.java:478)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
8 years, 11 months
keycloak-session returns userModel as null in eventListenerProvider SPI
by abhishek raghav
Hi,
I am trying to implement a welcome email for users newly registered by an admin.
I am using the Event Listener SPI and EmailSenderProvider to do this.
I am implementing a provider for the Event Listener SPI that notifies users
by sending an email, reacting to the create-user OperationType using
EmailSenderProvider.
Here I am overriding the onEvent method, which gets triggered on any
AdminEvent.
Now inside this method I am preparing the content and calling
emailSenderProvider.send(), which takes a RealmModel and a UserModel.
The issue is that I am able to get the RealmModel but not the UserModel.
Code for reference:
@Override
public void onEvent(AdminEvent event, boolean includeRepresentation) {
    UserModel user = session.users().getUserById(event.getAuthDetails().getUserId(), realm);
    ...
The same works perfectly in onEvent() for login events.
Is it that the newly created resource is not yet available in the session, whereas
when we update an existing resource it is able to fetch it?
Please help me find where I am going wrong, or whether there is another way to get the
UserModel object.
Thanks in advance.
Cheers
Abhishek
8 years, 11 months
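As an added example (not the poster's code and not part of Keycloak), the listener below takes the created user's id from the admin event's resource path rather than from its AuthDetails, which identify the admin who made the call. It assumes the older KeycloakSession API in which getUserById takes (id, realm) and that a user create event carries a resource path of the form users/<id>; the class name is hypothetical.

```java
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Hypothetical listener that resolves the UserModel of a user created through the admin API. */
public class NewUserWelcomeListener implements EventListenerProvider {

    private final KeycloakSession session;

    NewUserWelcomeListener(KeycloakSession session) {
        this.session = session;
    }

    /** Returns the id from a resource path of exactly the form "users/<id>", otherwise null. */
    static String userIdFromResourcePath(String resourcePath) {
        if (resourcePath == null || !resourcePath.startsWith("users/")) return null;
        String rest = resourcePath.substring("users/".length());
        // "users/<id>/role-mappings" and similar are sub-resource events, not a user create.
        return rest.isEmpty() || rest.indexOf('/') >= 0 ? null : rest;
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        if (event.getOperationType() != OperationType.CREATE) return;
        String newUserId = userIdFromResourcePath(event.getResourcePath());
        if (newUserId == null) return;
        // event.getRealmId() is the realm the admin operated on; AuthDetails.getUserId() is the
        // admin's own id, usually a master-realm user, so looking it up here returns null.
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        UserModel created = session.users().getUserById(newUserId, realm);
        if (created == null) return; // not visible in this session; nothing to mail yet
        // ... build the welcome message and call EmailSenderProvider.send(realm, created, ...)
    }

    @Override
    public void onEvent(Event event) {
        // login events carry the acting user's id directly in event.getUserId()
    }

    @Override
    public void close() {
    }
}
```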
Join Group Issue in keycloak2.3.0 with mongo db
by Jitendra Chouhan
Hi,
We are evaluating keycloak-2.3.0 in standalone mode as well as with Docker
images. During our validation we came across an issue with group assignment
to a user. Please find the information listed below.
Everything works fine when we test keycloak-2.3.0 with the default
configuration, which uses an H2 database internally. We encounter the issue with
group assignment (other functionality works fine) when we use MongoDB as
the external database to store information. Just to let you know, we have
configured the MongoDB-related configuration in Keycloak by referencing the "
https://keycloak.gitbooks.io/server-installation-and-configuration/conten..."
link.
Upon checking backend server logs we found the stack trace below:
Caused by: java.lang.NullPointerException
    at org.keycloak.models.mongo.keycloak.adapters.UserAdapter.isMemberOf(UserAdapter.java:263)
    at org.keycloak.models.cache.infinispan.UserAdapter.isMemberOf(UserAdapter.java:368)
    at org.keycloak.services.resources.admin.UsersResource.joinGroup(UsersResource.java:992)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
Everything works fine with keycloak-2.2.1. Please confirm whether this
is an issue or something is wrong on our side.
Thanks,
Jitendra Chouhan
8 years, 11 months
App secured in Apache TomEE does not work
by tecnologia@growingup.com.co
Hello community:
I have secured my application on an Apache 8 server, following the steps,
but when accessing a protected resource I expect to be redirected to Keycloak
and nothing happens.
I'm getting this error (HTTP code 500):
Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
WARNING: No login page was defined for FORM authentication in context [/sis]
I added the keycloak.json file in WEB-INF and the context.xml file in
META-INF. I have also done my security settings in web.xml.
keycloak.json:
{
    "realm": "expocafe",
    "auth-server-url": "http://localhost:8080/auth",
    "ssl-required": "external",
    "resource": "sis",
    "credentials": {
        "secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
    }
}
context.xml:
<?xml version='1.0' encoding='utf-8'?>
<Context path="/sis">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
</Context>
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured pages</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>expocafe_usuario</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>expocafe</realm-name>
</login-config>
<!-- Role defined in Keycloak to allow basic access to the application -->
<security-role>
    <role-name>expocafe_usuario</role-name>
</security-role>
What could I check?
Keycloak v2.3.0.Final
Apache Tomcat 8.5
8 years, 11 months