Re: [keycloak-user] App secured in Apache TomEE not works
by Grant Marrow
Hi
Is there a client adapter for TomEE. I don't remember seeing one? If there
is, maybe you need to add the adapter to you web server's respective
installation directory. With that being said, I am making the assumption
that the configuration steps for TomEE would be the same for the other
clients, ie: tomcat, jetty, etc
Regards
Grant
On 18 Nov 2016 14:50, <tecnologia(a)growingup.com.co> wrote:
Hello community:
I have secured my application on an Apache 8 server, following the steps,
but when accessing a protected resource I hope to be redirected to Keycloak
but nothing happens.
I'm getting this error (HTTP CODE 500)
Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator
forwardToLoginPage
WARNING: No login page was defined for FORM authentication in context [/
sis]
I added the keycloak.json file in the WEB-INF and the context.xml file in
the META-INF. I have also done my security settings on the web.xml.
keycloak.json:
{
"realm": "expocafe",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "sis",
"credentials": {
"secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
}
}
context.xml:
<?xml version='1.0' encoding='utf-8'?>
<Context path="/sis">
<Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
</Context>
web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured pages</web-resource-name>
<url-pattern>/pages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>expocafe_usuario</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>expocafe</realm-name>
</login-config>
<!-- Rol definido en Keycloak para permitir el acceso basico a la
aplicacion -->
<security-role>
<role-name>expocafe_usuario</role-name>
</security-role>
What could I check?
Keycloak v2.3.0.Final
Apache Tomcat 8.5
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 11 months
ssl apache2 difficulties
by mj
Hi,
The keycloak docs recommend to run keycloak over ssl. Doing that
directly in java seems quite tricky, so I decided to put an apache2
reverse proxy before keycloak, using Let's Encrypt ssl certificates.
I can't seem to find many official docs on this subject, but after a ot
of googling, I think I'm very close.
The main keycloak interface on
https://keycloak.company.com/auth
loads, using ssl, everything looks good.
The "administration console" link on that page goes to
https://keycloak.company.com/auth/admin/
So the link was generated good also.
However, actually clicking it, I end up somewhere else, namely:
http://keycloak.company.com/auth/admin/master/console/
NOT good, not anymore https, and thus we're getting "unable to connect".
Here are two configs I did: first the apache2 keycloak.conf:
> <VirtualHost *:443>
> ServerAdmin webmaster(a)keycloak.company.com
> ServerName keycloak.company.com
> DocumentRoot /var/www/html
>
> ProxyPreserveHost On
> ProxyVia Off
> ProxyRequests Off
> ProxyPass / "http://localhost:8080/"
> ProxyPassReverse / "http://localhost:8080/"
>
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> LogLevel info ssl:warn
> ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
> CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
> SSLCertificateFile /etc/ssl/apache2/cert.pem
> SSLCertificateKeyFile /etc/ssl/apache2/cert.key
> SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
>
> </VirtualHost>
and I guess I need to make two changes to standalone.xml as well, lines
358 and 422:
edited line 385 to:
> <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
inserted this line at line 422:
> <socket-binding name="proxy-https" port="443"/>
Is there somewhere a place where the required details are outlined to
make this work? Seems I'm pretty close, and just missing some minor
detail somewhere...
Best regards,
MJ
8 years, 11 months
Best practices for combining web and mobile usage in one realm
by Aritz Maeztu
Hi all,
I'm using keycloak 2.2.1 to secure my application. The application can
be accessed both via web and mobile (Android app). Both of them use the
authorization code flow, which I believe it's the ideal form of
authentication for my case.
The topic I want to clarify here is token lifespans. As far as I
understand, the SSO session idle timeout determines how long can a token
last without being refreshed. On the other hand, SSO session max
determines how long can a token last, even if it's being refreshed once
and again. Well, now couple of questions:
1. Is there a way to make the web session limited to, let's say, 30
minutes and to have a long lived refresh token for the app?
2. How to deal with the refresh token in the app? What I do right now is
to launch a webview when application starts and store the access and
refresh tokens in user preferences (which is secured in Android). I wrap
each http request made from the app and add the access token, unless it
has expired, then I request a new access token with the refresh token.
But when should I check the validity for the refresh token itself? I
don't want a chain of requests being interrupted because of the refresh
token being expired!
Thanks in advanced for your help!
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
8 years, 11 months
Keycloak & API for users to create their own accounts (from iOS)
by Scott Corscadden
Hello everyone. Fairly new to the list and the Keycloak technology, so I appreciate your patience. I dislike cross-posting, so I have *not* added aerogear-users(a)lists.jboss.org <mailto:aerogear-users@lists.jboss.org>, but suspect I’ll need some input from that side as well. Corinne, I have added you as I suspect you’d be able to decide if I should CC it in. The background:
I’d like to use a Keycloak (2.3.0) deployed instance to abstract user account management, including Facebook/Google/LinkedIn/etc Identity providers. I’ve been able to set up this instance & link it to Facebook without too much trouble; I can log into the keycloak website as a Facebook user. Nginx is being used as the SSL reverse proxy.
The primary “client” is an iOS application, which needs to read graph information from said providers if available. I’ve been able to find a swift 3 fork of the wonderful "aerogear-ios-oauth2” library. A minor change to not assume the Bundle Id can be used as the redirectURL protocol (mine contains dots and dashes, which seems to cause the server to reject with “invalid redirect_url”) and hooray! I can authenticate against Facebook-into-keycloak, receive an Authorization Code, and “exchangeAuthorizationCodeForAccessToken” successfully.
The two problems I am trying to solve (I’ve been trying to find documentation but may be miserably bad at finding it):
Ideally I’m only asking keycloak for graph information (name, address, etc). Thus I *suspect* this is what the “Mappers” section is needed per Identity Provider? Is that right, or not necessary?
The iOS app will have a native “Create account” screen with native Email & Password fields. I’d like to make either an Oauth2 call, or HTTPS POST call to keycloak to do that. I do see the “Create a new user <http://www.keycloak.org/docs/rest-api/index.html#_create_a_new_user>” link, but so far I only see a “temporary password” api. Obviously I could use a native WebView and fill the fields manually but that doesn’t feel quite right.
Any suggestions here are very, very welcome, and thanks for reading this far.
I’m very impressed so far with both keycloak and the aerogear Oauth2 library.
./scc
8 years, 11 months
Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
by Chris Savory
“The user then tries navigates to
another page. This page then executes a GET request on my REST service
which returns a list which is displayed in a table. But while executing the
GET request, I receive the error:”
Which page is the user navigating to (please include domains) and what is the GET call that is being made?
--
Christopher Savory
Software Engineer | EdLogics
From: Grant Marrow <grantmarrow(a)gmail.com>
Date: Wednesday, November 16, 2016 at 1:26 PM
To: Chris Savory <chris.savory(a)edlogics.com>
Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
Hi Chris
Thanks for getting back to me. I have done that and it didnt work. I have also tired adding *. That did not work as well. What else can I try?
Please let me know. Thanks
Regards
Grant
On 16 Nov 2016 20:15, "Chris Savory" <chris.savory(a)edlogics.com> wrote:
In the admin, click on Clients, then select your client. Do you have any values for “Web Origins” there? If not, you need to add ‘http://localhost:9000’
--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com <http://www.edlogics.com/>
<http://www.edlogics.com/>
<https://www.linkedin.com/company/edlogics> <https://twitter.com/EdLogics>
On 11/16/16, 1:08 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Grant Marrow" <keycloak-user-bounces(a)lists.jboss.org on behalf of grantmarrow(a)gmail.com> wrote:
Hi,
I really need some help. I keep on getting the following error:
*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
therefore not allowed access. The response had HTTP status code 500.*
This is my setup:
*Front End:*
- angular 1.5 web application running at http://localhost:9000
- client configuration on keycloak admin console:
- keycloak.json:
{
"realm": "leap",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "leap-web",
"public-client": true
}
*Auth Server*
- keycloak version 2.30Final running at http://localhost:8080
*Web service*
- java REST service running on Tomcat version 8.5
- client config on keycloak admin console:
- web.xml of rest service:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="
http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID"
version="3.0">
<display-name>Archetype Created Web Application</display-name>
<module-name>leap-service</module-name>
<listener>
<listener-class>com.hm.leap.service.init.ContextListener</listener-class>
</listener>
<context-param>
<param-name>persistentUnit</param-name>
<param-value>leap</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>Leap-Service</web-resource-name>
<url-pattern>/resources/private/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>leap</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
- I also have the valve setup on my context.xml that lives in the META-INF
directory
<Context path="/leap-service">
<Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
- keycloak.json:
{
"realm": "leap",
"bearer-only": true,
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "leap-service",
"enable-cors": true
}
The error occurs in the following scenario:
- The angular web app launches, the user clicks the login button which
redirects to Keycloak. The user signs in. The user then tries navigates to
another page. This page then executes a GET request on my REST service
which returns a list which is displayed in a table. But while executing the
GET request, I receive the error:
*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
therefore not allowed access. The response had HTTP status code 500.*
In my Tomcat log file. I see the following warning message:
*11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No
login page was defined for FORM authentication in context [/leap-service]*
I really can't seen to pinpoint the error. I find it quite strange because
I have the same setup but using an older version of keycloak (1.9*), which
worked fine. I know this might be a silly problem, but if you have some
time to help me, I would really appreciate it. Thanks.
Regards
Grant
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 11 months
No 'Access-Control-Allow-Origin' header is present on the requested resource
by Grant Marrow
Hi,
I really need some help. I keep on getting the following error:
*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
therefore not allowed access. The response had HTTP status code 500.*
This is my setup:
*Front End:*
- angular 1.5 web application running at http://localhost:9000
- client configuration on keycloak admin console:
- keycloak.json:
{
"realm": "leap",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "leap-web",
"public-client": true
}
*Auth Server*
- keycloak version 2.30Final running at http://localhost:8080
*Web service*
- java REST service running on Tomcat version 8.5
- client config on keycloak admin console:
- web.xml of rest service:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="
http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID"
version="3.0">
<display-name>Archetype Created Web Application</display-name>
<module-name>leap-service</module-name>
<listener>
<listener-class>com.hm.leap.service.init.ContextListener</listener-class>
</listener>
<context-param>
<param-name>persistentUnit</param-name>
<param-value>leap</param-value>
</context-param>
<security-constraint>
<web-resource-collection>
<web-resource-name>Leap-Service</web-resource-name>
<url-pattern>/resources/private/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>leap</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
</web-app>
- I also have the valve setup on my context.xml that lives in the META-INF
directory
<Context path="/leap-service">
<Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
- keycloak.json:
{
"realm": "leap",
"bearer-only": true,
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "leap-service",
"enable-cors": true
}
The error occurs in the following scenario:
- The angular web app launches, the user clicks the login button which
redirects to Keycloak. The user signs in. The user then tries navigates to
another page. This page then executes a GET request on my REST service
which returns a list which is displayed in a table. But while executing the
GET request, I receive the error:
*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
therefore not allowed access. The response had HTTP status code 500.*
In my Tomcat log file. I see the following warning message:
*11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No
login page was defined for FORM authentication in context [/leap-service]*
I really can't seen to pinpoint the error. I find it quite strange because
I have the same setup but using an older version of keycloak (1.9*), which
worked fine. I know this might be a silly problem, but if you have some
time to help me, I would really appreciate it. Thanks.
Regards
Grant
8 years, 11 months
Custom Required Action Emails
by William Drescher [CELUM]
Hello everyone,
We're having the problem that we need a different email text for different custom required actions, however when we use the API to send an email for a required action it always uses the same text. Is there a way to provide different email text for different required actions?
Would appreciate any help anyone could offer
8 years, 11 months
Redirect after verifying e-mail doesn't work
by Martin Johansson
Hi,
I'm still experiencing troubles when the users have verified the e-mail.
The issue is the following.
1. Create a user via REST API
2. Add send-verify-email to the created user
3. The user receives a verification e-mail
4. When clicking the link, the e-mail is verified but the user stays on
the verification page
I've tried the following to resolve the issue without any luck:
- Update to Keycloak 2.3.0
- Add required actions when creating the user
- Pass query paramenters client_id along with redirect_uri
- Pass only client_id and configuring the Base URL for said client
The JIRA board has an issue ( KEYCLOAK-2806
<https://issues.jboss.org/browse/KEYCLOAK-2806>) that is unresolved and
without any comments.
So, have anyone got this to work or have a workaround?
Any help is would be much appreciated.
BR,
Martin
8 years, 11 months
