how to intercept/flow: VerificationException: Token is not active
by java_os
Hi
I have 2 bearer rest layers (A,B): A calls B. In front I have an angular
web layer calling A -> B.
What are the best practices to handle "Token is not active" when the user sits
in front idle and token becomes inactive, http session still valid but KC
token expired? If B reaches token not active, on the call from A to B -
how would I propagate this to the front layer?
A has to consume the ValidationException from B and notify front layer to
auto logout or prompt the user with a message saying 'your session
expired, please login' or automatically throw the user into the login
prompt in front.
For this scenario above, anyone share some thoughts?
Thanks
8 years
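One way to carry B's "token is not active" failure back to the browser, as an added example (JavaScript, not code from the original post or from Keycloak): service A forwards the `WWW-Authenticate` challenge from B unchanged instead of turning it into a 500, and the front-end interceptor maps the result to refresh, login or a plain error. The challenge grammar is RFC 6750 section 3; the action names are assumptions.

```javascript
// Added example (not from the original post or from Keycloak). Two pure helpers
// for the A -> B -> front-end chain: service A forwards B's "invalid_token"
// challenge instead of swallowing it, and the browser interceptor maps the
// result to an action. Header grammar follows RFC 6750 section 3.

// Parse a WWW-Authenticate Bearer challenge into its auth-params, e.g.
//   Bearer realm="demo", error="invalid_token", error_description="Token is not active"
function parseBearerChallenge(header) {
  if (typeof header !== 'string') return null;
  const m = /^\s*Bearer\b\s*(.*)$/i.exec(header);
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return params;
}

// Service A: decide what A returns to the browser after calling B.
// Only an "invalid_token" challenge (the caller's own token expired or was
// revoked) is forwarded as 401 with the same challenge; any other failure of
// B is an upstream error (502) and must not be turned into a login prompt.
function forwardUpstreamFailure(upstreamStatus, upstreamWwwAuthenticate) {
  if (upstreamStatus === 401) {
    const c = parseBearerChallenge(upstreamWwwAuthenticate);
    if (c && c.error === 'invalid_token') {
      return { status: 401, wwwAuthenticate: upstreamWwwAuthenticate };
    }
  }
  return { status: 502, wwwAuthenticate: null };
}

// Browser (e.g. an Angular HTTP interceptor): map A's response to an action.
// 'refresh-or-login' means: call the adapter's token refresh first (the SSO
// session may still be alive) and fall back to login when refresh fails.
function actionForResponse(status, wwwAuthenticate) {
  if (status === 403) return 'forbidden';          // authenticated but not allowed
  if (status !== 401) return 'none';
  const c = parseBearerChallenge(wwwAuthenticate);
  if (c && c.error === 'invalid_token') return 'refresh-or-login';
  return 'login';                                   // no token at all, or unknown
}
```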
Flow supported by keycloak for openId connect and jboss
by Pulkit Gupta
Hi Team,
I have a basic question which I searched through the documentation but was
not able to find.
Can you please let me know which flow is supported by Keycloak for OpenID
on the JBoss platform.
I am exploring openID connect as a way to secure my Java applications using
keycloak.
These applications are hosted on jboss.
--
Thanks,
Pulkit
AMS
8 years
Log out server sessions when using bearer authentication
by Dan Østerberg
Hi,
How can we make single sign-out work when passing bearer tokens to a server guarded by a «traditional» session-based OAuth2 client / adapter?
Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created – either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign-out won't work, because Keycloak is neither aware of the server session nor of the OAuth2 client that has an admin URL.
One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with the admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something...
~Dan
8 years
COMPOSITE_ROLE table duplicate rows issue
by Haim Vana
Hi,
We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel.
We noticed that create realm API fails on timeout and DB showed locks on table COMPOSITE_ROLE.
Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows.
Deleting the duplicate rows solved the issue.
Any idea what might have caused the duplicated rows, or how to prevent it?
Also we have about 4000 rows in the COMPOSITE_ROLE table; does it make sense for about 160 realms? (maybe we need to do some cleanup)
Thanks,
Haim.
8 years
Setting up webapplication to accept both bearer and openid redirect login
by David Delbecq
I have a WildFly application where I need this behaviour:
1) If the user provides a token during a request and tries to access a secure area,
use it (typically SOAP and REST requests)
2) If the user has no credentials to show, issue an interactive web login
So far I managed to get either 1) or 2) on the application, depending on
using the bearer-only access type or not. But I can't seem to find out how to
have both behaviours. Below is the JSON export of my current realm config. I am
currently doing this in WildFly:
<secure-deployment name="shipping.war">
    <realm>Shipping</realm>
    <auth-server-url>${authURL}</auth-server-url>
    <public-client>true</public-client>
    <ssl-required>EXTERNAL</ssl-required>
    <resource>shipping-soap</resource>
    <use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>
using this code to get a token from the WS client

import java.util.Arrays;
import org.keycloak.admin.client.Keycloak;

// customHeaders: the Map<String, List<String>> of protocol headers set on the CXF client
Keycloak keycloak =
    Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping",
        username, password, "shipping-soap");
// "Bearer" must be followed by a space (RFC 6750); the original post sent "Bearer:"
customHeaders.put("Authorization", Arrays.asList(
    "Bearer " + keycloak.tokenManager().getAccessTokenString()));
but when I issue the WS request, I get a redirect to Keycloak (see below).
I suspect I misunderstood some parts of the Keycloak configuration and its
behaviour, but I am not sure what I did wrong. Can somebody explain to me how
to integrate both web services and web pages with a single client id?
POST /shipping/service/1.0/shipping HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
Authorization: Bearer: [JWT access token elided]
SOAPAction: ""
User-Agent: Apache CXF 3.0.5
Cache-Control: no-cache
Pragma: no-cache
Host: localhost:18080
Connection: keep-alive
Content-Length: 1784
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:createShipments
xmlns:ns2="urn:trimbletl:eshipco:shipping:1_0"><ShipmentData><id>shipmentid</id><type>full-truckload</type><freightCarryingUnitType>none</freightCarryingUnitType><freightCarryingUnitSubType>box-dry-van</freightCarryingUnitSubType><freightCarryingUnitDimension>standard</freightCarryingUnitDimension><cargoType>break-bulk</cargoType><name>shipment
name</name><consignor><id>consignorid</id><name>consignor
name</name><address><street>street1</street><number>1</number><city>city1</city><zipcode>zipcode1</zipcode><area>area1</area><country>AE</country></address><coordinate><latitude>1</latitude><longitude>2</longitude></coordinate><contact><name>name1</name><company>company1</company><phone>phone1</phone></contact><timewindow><startTime>1970-01-01T01:00:01+01:00</startTime><endTime>1970-01-01T01:00:02+01:00</endTime></timewindow></consignor><consignee><id>consigneeid</id><name>consignee
name</name><address><street>street3</street><number>3</number><city>city3</city><zipcode>zipcode3</zipcode><area>area3</area><country>AG</country></address><coordinate><latitude>3</latitude><longitude>4</longitude></coordinate><contact><name>name3</name><company>company3</company><phone>phone3</phone></contact><timewindow><startTime>1970-01-01T01:00:03+01:00</startTime><endTime>1970-01-01T01:00:04+01:00</endTime></timewindow></consignee><goods><id>box</id><amount>1</amount><volume>100.0</volume><weight>1000.0</weight><loadingMeter>10.0</loadingMeter><length>6</length><width>4</width><height>5</height><ref>testref</ref><desc>some
description</desc></goods><property><key>type.goods</key><value>1000</value></property></ShipmentData></ns2:createShipments></soap:Body></soap:Envelope>

HTTP/1.1 302 Found
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
X-Powered-By: Undertow/1
Set-Cookie: JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision; path=/shipping
Set-Cookie: OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; HttpOnly
Server: WildFly/9
Pragma: no-cache
Location: http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?...
Date: Thu, 29 Dec 2016 15:43:16 GMT
Connection: keep-alive
Content-Length: 0
{
"id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750",
"clientId" : "shipping-soap",
"description" : "Workbench, Adminbench and Administration",
"rootUrl" : "http://localhost:8080/",
"adminUrl" : "/shipping",
"baseUrl" : "/shipping",
"surrogateAuthRequired" : false,
"enabled" : true,
"clientAuthenticatorType" : "client-secret",
"secret" : "b556a2b8-bb1d-478e-97a0-14105556427f",
"defaultRoles" : [ "authenticated", "ROLE_authenticated" ],
"redirectUris" : [ "http://localhost:8080/shipping/*" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
"consentRequired" : false,
"standardFlowEnabled" : true,
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
"saml.assertion.signature" : "false",
"saml.force.post.binding" : "false",
"saml.multivalued.roles" : "false",
"saml.encrypt" : "false",
"saml_force_name_id_format" : "false",
"saml.client.signature" : "false",
"saml.authnstatement" : "false",
"saml.server.signature" : "false"
},
"fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1,
"protocolMappers" : [ {
"id" : "b2eb4fed-68e3-4064-b0a8-f5926696a99f",
"name" : "username",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${username}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "username",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "preferred_username",
"jsonType.label" : "String"
}
}, {
"id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b",
"name" : "locale",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-attribute-mapper",
"consentRequired" : false,
"consentText" : "${locale}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "locale",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "locale",
"jsonType.label" : "String"
}
}, {
"id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e",
"name" : "email",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${email}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "email",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "email",
"jsonType.label" : "String"
}
}, {
"id" : "5429c06f-8b9b-4b33-bbb3-015117922910",
"name" : "role list",
"protocol" : "saml",
"protocolMapper" : "saml-role-list-mapper",
"consentRequired" : false,
"config" : {
"single" : "false",
"attribute.nameformat" : "Basic",
"attribute.name" : "Role"
}
}, {
"id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70",
"name" : "family name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${familyName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "lastName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "family_name",
"jsonType.label" : "String"
}
}, {
"id" : "a371b53c-5543-4188-a16f-005db9a73d7a",
"name" : "full name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-full-name-mapper",
"consentRequired" : true,
"consentText" : "${fullName}",
"config" : {
"id.token.claim" : "true",
"access.token.claim" : "true"
}
}, {
"id" : "e3ca3001-3f19-4654-b84c-7a352306cad1",
"name" : "given name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${givenName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "firstName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "given_name",
"jsonType.label" : "String"
}
} ],
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}
--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq(a)trimbletl.com
http://www.trimbletl.com/
8 years
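The header check that decides whether the request above counts as bearer authentication, as an added example (JavaScript, not code from the original post, Keycloak or WildFly): RFC 6750 section 2.1 defines the credentials as the scheme `Bearer`, a space, then the token, so `Bearer:` with a colon is an unknown scheme and a client that is not bearer-only falls back to the interactive login redirect. `SAMPLE_TOKEN` is a constructed placeholder, not a real token.

```javascript
// Added example, not code from the original post, Keycloak or WildFly. It shows
// the check a bearer-capable adapter performs on the Authorization header
// (RFC 6750 section 2.1) and why the request in the post is not recognised as
// bearer authentication: the scheme is "Bearer" followed by a space, and
// "Bearer:" (with a colon) is a different, unknown scheme.

// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Server side: return the bearer token, or null when the header carries none.
function extractBearerToken(authorization) {
  if (typeof authorization !== 'string') return null;
  const sp = authorization.indexOf(' ');
  if (sp < 0) return null;                              // "Bearer" alone, no token
  const scheme = authorization.slice(0, sp);
  if (scheme.toLowerCase() !== 'bearer') return null;   // "Bearer:" fails here
  const token = authorization.slice(sp + 1).trim();
  return B64TOKEN.test(token) ? token : null;
}

// Client side: build the header value correctly from an access token string.
function bearerHeader(accessToken) {
  if (!B64TOKEN.test(accessToken)) throw new Error('not a valid b64token');
  return 'Bearer ' + accessToken;
}

// Constructed sample with the three-segment shape of a JWT; not a real token.
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJib2IifQ.c2ln';

// Compare the header as sent in the post with the corrected one.
function demo() {
  return {
    withColon: extractBearerToken('Bearer: ' + SAMPLE_TOKEN), // null: treated as unauthenticated
    correct: extractBearerToken(bearerHeader(SAMPLE_TOKEN)),   // the token itself
  };
}
```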
can we use authorization with bearer-only ?
by uğur kolip
Can we use bearer-only with authorization?
If it can be, how can we use it? Are there any examples?
When I try to use it with the photoz example, I get bad request (or 403, I am not
sure, I changed a lot of things).
Because I don't want a redirect or to store a session, it can be used by mobile
apps.
Thank you for helping
8 years
Some questions about user authentication with external IDP
by Reed Lewis
We are planning on using Keycloak to authenticate users in our environment. There will be multiple sources of user logins.
1. Local to Keycloak
2. Using a Federation provider to pull accounts from on a one-time basis (the first time the user logs in they will authenticate using the p/w in the Federation server, and subsequent logins will occur entirely in Keycloak)
3. Using a third-party IDP (like Microsoft/Google/etc.). But the initial source of these accounts might be local in Keycloak.
I of course can do #1, and know how to do #2. For #3 I have the external 3rd-party IDP working.
But what we would like to have is this:
1. A user goes to a form in which they enter the username only.
2. If the user is new, it asks them to create an account
3. If the user is new, but we know the login to be associated with a third party IDP, we go there, and link the account.
4. If the user is not new, and if they are linked to third party IDP, it automatically loads that IDP page without having to pick that login.
Here is the workflow we are thinking.
An admin adds a list of accounts (either CSV, or somehow else) into Keycloak, but it says that all these accounts need to be authenticated by some third-party IDP. So when a user logs into Keycloak and enters their password, it automatically redirects the user to the third-party IDP and then associates the local Keycloak login with the IDP without having to do too much.
Does this make sense?
Reed Lewis
8 years
Can I create the bearer token by administrator on behalf of other users?
by Michael Furman
Hi,
I need to create the bearer token by admin on behalf of other users.
I mean:
1. I have admin user and password.
2. I have the user name (e.g. bob).
3. I want to create the bearer token and to access the bearer client.
4. When I access the bearer client with the bearer token it authenticates user (e.g. bob).
How can I do it?
Thank you for your help,
Michael
8 years
user group management from servlet app
by smichea@gmail.com
Hi all,
Is there a way to access/manage the groups of a user from the KeycloakSecurityContext obtained in a servlet?
Thank you,
Sebastien
8 years
Best way to add custom attributes to the user session?
by Edgar Vonk - Info.nl
Hi,
We would like to add custom attributes (using custom logic including custom database queries) to the user session in Keycloak on authentication. What is the best way to do this? We use an LDAP/AD user federation provider.
Should we write a custom user attribute mapper and add it to our user federation provider? I guess we could also write a custom token mapper and misuse it a little in that it will only add data to the user session and not to the token?
Previously we had a custom token mapper that added this custom data to the token; however, it is becoming too much data and we have reached the max size limit (JWT tokens are transported as HTTP headers and those have a max size of 8kb). So now we are thinking of adding this data to the user session in Keycloak and, when we need it later on, getting it from Keycloak using Keycloak's REST API.
cheers
8 years