kc2.4 - breaks PK idp brokering to adfs
by java_os
Hi,
In KC 2.3 I can establish trust with adfs by exporting kc meta and
importing into adfs.
With KC 2.4 - this breaks - I tried to re-gen the rsa key, export meta,
import into adfs - it fails on this adfs error:
"ID4037: The key needed to verify the signature could not be resolved from
the following security key identifier 'SecurityKeyIdentifier"
I'm seeing from the UI perspective you've added stuff around PK in 2.4 -
but behind the scenes something breaks on the 'key' or something - so,
going back to 2.3 - regen a new RSA, exported meta into adfs, works just
fine.
Please raise a JIRA with the info above.
thx
9 years
Recommendation for the choice of RDBMS with keycloak
by abhishek raghav
Hi,
We’re looking into databases to use with Keycloak. We have been using
Mongo, but Keycloak has indicated they might drop support for that. Does
anyone from Keycloak or somebody who is using an RDBMS have a strong or weak
recommendation between Postgres, MySQL, and SQL Server?
Keycloak seems to have good support for Postgres and MySQL, while also
supporting SQL Server. Does it matter which one to choose, and if yes, in
what manner?
We might be dealing with users between 2k to 5k in a multitenant
environment.
Let me know the thoughts on that.
Thanks
Abhishek
9 years
ECP example?
by Carlos Villegas
I want to secure a servlet REST application. My client is java, so far
I've been using apache httpclient.
The Keycloak docs mention SAML ECP binding is supported, but I don't see
an example.
The admin pages seem to assume only POST or redirect binding.
Does the client adapter support ECP binding? Any pointers or help on how
to go about it?
I need help on both the client adapter and how to use Keycloak as a SAML
ECP IDP.
Thanks,
Carlos
9 years
User Search by Attribute
by Dana Danet
I am replacing a custom Java-built IdP built in Spring with Keycloak. Initially I was hoping to leverage Realms as a way to separate users across tenants, unfortunately clients cannot be registered across Realms (AFAIK?).
Since I am replacing a user db including some minor attribution with Keycloak, I will need to support fetching users by tenantId. As far as I know this can only be done via user attributes and using client templates to expose those attributes to token primary level objects. My question is: is there a way to leverage the Java Client API to search for realm users belonging to a specific tenantId?
Ideally….
List<UserRepresentation> users = keycloak.realm("iacuc").users().search("tenantId:<some uuid>", <start>, <limit>);
or
List<UserRepresentation> users = keycloak.realm("iacuc").users().search("attribute:tenantId:<some uuid>", <start>, <limit>);
-dana
9 years
spring boot protected resource not effect until restart
by uğur kolip
Hi,
I use keycloak 2.4.0.Final, keycloak-spring-boot-adapter,
keycloak-tomcat8-adapter, keycloak-authz-client and keycloak-admin-client.
When I create a protected resource, it does not take effect until the Spring Boot app
restarts. Is it a bug, or should I do something to make it take effect?
Thank you for helping
9 years
Create user with roles using java client
by Steve Chernyak
Hello,
I'm trying to create a user associated with a role:
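import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// kc, appRealm, email, password and someRole are defined elsewhere in the application
// Password credential for the new user
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(password);
// User representation carrying the credential and the requested realm role
UserRepresentation user = new UserRepresentation();
user.setUsername(email.getAddress());
user.setCredentials(Arrays.asList(credential));
user.setRealmRoles(Arrays.asList(someRole));
Response response = kc.realm(appRealm).users().create(user);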
The response status is the expected 201 and I can see the user in the realm
through the admin console. However, the user is not associated with
"someRole"...
I'm not sure what I'm missing...
How should I go about creating a user associated with a role programmatically?
Thanks
9 years
Info about locked user at login?
by Niko Köbler
Hi all,
is there a possibility to show at the login form that the current user trying to log in is locked/disabled due to brute force settings?
I understand that this is also a security issue to show that the user is (temporarily) locked, b/c then you know that the user exists.
But anyway, is there a possibility to show this information? And if yes, how do I configure/implement it?
Thanks,
- Niko
9 years
Native App Authorization with multiple Identity Providers
by Matthew Woolnough
I'm trying to:
1) Use Facebook as an initial Identity Provider for a native app
2) Have the native app pass its access token back to a service which would
then retrieve the fb_exchange_token. Another service would then retrieve
additional information back from Facebook via the approved scopes.
3) Have an option to use LinkedIn to provide additional information about
the user, so have it as an additional supplemental identity provider.
4) Have the native app pass the token back to a service. Another service
would retrieve additional information from LinkedIn to supplement the user's
profile.
I'd like to know how much of this functionality Keycloak can provide.
Should I be using aerogear-ios-oauth2 configured with Facebook and LinkedIn
providers, or configuring aerogear-ios-oauth2 with a keycloak provider &
configuring Facebook and LinkedIn as provider there?
Any assistance appreciated!
mW
9 years
Login without Keycloak Login Page
by ruiwp13
Hello,
I am trying to make the login without keycloak login page. If I use
HttpServletRequest.authenticate() it will redirect me to the keycloak login
page. Is there any way to do this without the keycloak login page?
Also, I tried making the flow by GET and POST calls to the auth and token
endpoints. I am able to get an access_token and I set the
client_session_state to my current session id. When I logout all the user's
sessions in keycloak through the keycloak admin-client I get a success for
logging out the sessionId [{sessionId}] answer and a "logout success for
{Admin URL}: true" but no token is invalidated. No incoming request from
keycloak when the logout is performed whereas when I revoke tokens I do get
the POST call to revoke tokens, so the Admin URL is OK.
Can anyone help me with this?
Best Regards
9 years