Keycloak logout flow
by Andrey Saroul
I'm using Keycloak 1.7.0 with WildFly 9.0.2.
I have a REST service and Keycloak deployed on the same machine.
Consider this scenario:
1) In the browser I try to test my REST service (e.g.
http://my-ip-address:8080/rest/test) secured under Keycloak.
2) I get redirected to the login page.
3) I enter my login and password.
4) I get a response from my REST service. That's OK!
5) Then I go to the Keycloak admin console, find my user and force a session
logout.
6) Then I try to access my REST service again at the same URL, and NO
redirect happens. The browser keeps the JSESSIONID cookie and doesn't know
anything about the user being logged out.
It seems to me that during step #6 the server should invalidate the expired
session cookie due to the admin logout.
I assume that the user, after being logged out, will get redirected to the
login page again, and will not be able to access the service with the old
JSESSIONID cookie.
Is this a bug, or could you help me understand what I am doing wrong?
8 years, 10 months
Keycloak saml v1.1 to oauth2 token
by Porfyrios Vasileiou
Hello, I have a project that includes 2 client applications.
In ONLY ONE of the clients (a web application in Angular) users log in via a
3rd-party authorization server that has its own login procedure: the user
logs in, it returns a SAML v1.1 XML token, and then they can access the
client. (This procedure cannot be changed.) But I want this client to also be
secured with Keycloak so I can have a token that I can pass to my REST
services, which are also secured with Keycloak.
Can I convert this SAML v1.1 token to OAuth2 via Keycloak?
Once we have logged in, I want to log this user in to Keycloak
programmatically and get an OAuth2 token instead, which can be used for the
REST service requests in the Bearer authentication header. How can I do
this?
I should also say that Keycloak is set up to use the same Active Directory
that the 3rd-party authorization server uses to authenticate the users.
Is this possible?
Thanks, Porfyrios
8 years, 10 months
Class is swallowing exceptions
by Manfred Duchrow
Hi,
I just got a "Failed to introspect token" result when trying to use this
new endpoint.
When I tried to find out what went wrong, I observed that no additional log
entry was available either.
Looking at the code (1.8.0.Final) of class TokenIntrospectionEndpoint
revealed that in method introspect() there is a try-catch that swallows all
caught exception information.
In the methods
private AccessToken toAccessToken(String tokenString)
private void authorizeClient()
it's the same pattern.
A new exception gets thrown without any information about the caught
exception.
You might consider opening an issue to either add some log statements in
all catch blocks of this class or propagate the exception information in
the newly thrown exceptions.
So currently there is no way to find out why an introspection request
failed.
Cheers,
Manfred
8 years, 10 months
changes in Email SPI
by Mark Hayen
Hi,
In Keycloak 1.4.0.Final I made a custom EmailSender, plugging into the
Email SPI.
Now we're upgrading to 1.8.1.Final, but I'm running into problems porting my
existing EmailSender to 1.8.1.
From the docs I understand that it has been split up.
Have there been changes to the registration of the Email SPI in
keycloak-server.json?
How do I register the emailtemplate and emailsender providers?
Thank you
Mark Hayen
First8
8 years, 10 months
Realm wide custom id / access token claims.
by Thomas Darimont
Hello group,
In my user model I have a custom user attribute that I want to make
available to multiple clients via the ID / access token with just one
definition. Is this already possible somehow?
Currently one can define custom mappers for a single client via:
(In Admin Console) Realm -> Clients -> example-client -> Mappers -> create
There I can specify a new mapper of type "user attribute" where I can refer
to the actual user attribute, give it a "token claim name" (e.g.
"myattribute") and specify whether this should be included in the ID and /
or access token.
The user attribute in the token can then be accessed from within the client
via:
KeycloakSecurityContext:getIdToken().getOtherClaims().get("myattribute")
This approach, however, requires that I configure this for every client, of
which I already have 10 (trend: upwards)...
It would make things a lot easier if it were possible to specify those
mappers realm-wide...
PS: I'm currently using Keycloak 1.9.0.CR1
Cheers,
Thomas
8 years, 10 months
KeyCloak Admin Client
by PAA KOJO KONDUAH AMOS
Hello, I have tried out the KeyCloak Admin Client. In fact, I have written a standalone application which works nicely with the KeyCloak server.
What I don't get is, when I port a similar thing into a web application context and deploy it on WildFly, I keep getting the exception below:
Caused by: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])
Any lead on how to resolve all these Maven dependency issues?
Thanks.
8 years, 10 months
invalid code errormessage
by Mark Hayen
Hi all,
We have a problem with the link in the reset password email.
Sometimes, but not always, we get an error saying "invalid code".
This is the log entry:
type=RESET_PASSWORD_ERROR, realmId=master, clientId=null, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_code
Has anybody seen this error too?
Is it maybe fixed in a newer version? We are running keycloak 1.4.0.Final.
Thank you
Mark Hayen
First8
8 years, 10 months
Retrieving Logged In User Information.
by PAA KOJO KONDUAH AMOS
Hello, I am trying to retrieve information about the user logged into the webapp via Keycloak. I have seen information around on using the following:
@SecurityDomain("keycloak")
@Context
SecurityContext sc;
And
KeycloakPrincipal principal = (KeycloakPrincipal) sc.getUserPrincipal();
But the above line is returning a NullPointerException.
I must say, I have already done the required configuration, i.e. enabling the Keycloak subsystem within my app server's configuration, standalone.xml.
Any lead on how to retrieve the logged-in user via KeyCloak?
8 years, 10 months
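Added example, not code from either post above or from Keycloak itself: a servlet that reads the logged-in user through the adapter's KeycloakSecurityContext, with the null handling the snippet in the post lacks, and that also shows where a mapped custom claim such as "myattribute" (from the realm-wide mappers thread above) turns up in the access token. It assumes the Keycloak WildFly adapter is enabled for the deployment and that the servlet's URL is covered by a <security-constraint> with auth-method KEYCLOAK in web.xml; the adapter attaches a principal only to requests it has authenticated, so on an unprotected URL getUserPrincipal() returns null and casting it blows up. The servlet class, the /whoami path and the claim name are illustrative.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Set;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Added example, not code from the original posts or from Keycloak.
// Assumes the Keycloak WildFly adapter is active and that /whoami sits inside
// a <security-constraint> (auth-method KEYCLOAK) in web.xml.
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    /** Returns the security context the adapter attached to this request, or null. */
    static KeycloakSecurityContext securityContext(HttpServletRequest req) {
        // Route 1: the adapter stores the context as a request attribute keyed by the class name.
        Object attr = req.getAttribute(KeycloakSecurityContext.class.getName());
        if (attr instanceof KeycloakSecurityContext) {
            return (KeycloakSecurityContext) attr;
        }
        // Route 2: the container principal is a KeycloakPrincipal wrapping the same context.
        // getUserPrincipal() is null when the adapter did not authenticate this request,
        // which is the usual reason for a NullPointerException on this code path.
        if (req.getUserPrincipal() instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) req.getUserPrincipal()).getKeycloakSecurityContext();
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        KeycloakSecurityContext ctx = securityContext(req);
        if (ctx == null) {
            // Not authenticated by Keycloak: most likely the URL is not under a security constraint.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no Keycloak security context on this request");
            return;
        }
        AccessToken token = ctx.getToken();
        if (token == null || token.isExpired()) {
            // Defensive: never serve identity data from an expired access token.
            req.getSession().invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "access token expired");
            return;
        }
        Set<String> realmRoles = token.getRealmAccess() == null
                ? Collections.<String>emptySet() : token.getRealmAccess().getRoles();
        // A "user attribute" mapper with token claim name "myattribute" (hypothetical name)
        // lands in the token's other claims; it is absent if no mapper is defined for this client.
        Object custom = token.getOtherClaims().get("myattribute");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("subject (user id): " + token.getSubject());
        out.println("username:          " + token.getPreferredUsername());
        out.println("email:             " + token.getEmail());
        out.println("realm roles:       " + realmRoles);
        out.println("myattribute:       " + (custom == null ? "(not mapped for this client)" : custom));
        out.println("token expires at:  " + token.getExpiration() + " (seconds since epoch)");
    }
}
```

The request-attribute route works in plain servlets and filters, where a JAX-RS @Context SecurityContext is not injected; in a JAX-RS resource either route gives the same KeycloakSecurityContext. Both the roles and the custom claim are read from the access token, so whatever the client's mappers emit is what this servlet sees.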
turning on Direct Grant API in keycloak 1.8.0.CR1
by Anuj Garg
I can't find where the option to turn on the Direct Grant API is in Keycloak
1.8.0.CR1.
It was written somewhere: "switch in the admin console under
Settings->General, specifically the "Direct Grant API" switch."
But I can't find this in the admin console.
I know it is not good to use it, but I need to.
Please tell me how to turn it on, or has it been removed from this release?
8 years, 10 months
Size of keycloak_access_token
by Nangunoori, Srinivas
Hi,
We are seeing some strange behavior with the access token size. Some Keycloak servers are generating tokens of 1308 characters and others are generating tokens of 2055 characters.
May I know what the correct size would be?
Environment details:
Server Version : 1.6.1.Final
Current working directory: /opt/jboss
Java Version: 1.7.0_85
Java Vendor: Oracle Corporation
Java Runtime: OpenJDK Runtime Environment
Java VM: OpenJDK 64-Bit Server VM
Java VM Version: 24.85-b03
Java Home: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
System Encoding: ANSI_X3.4-1968
Operating System: Linux 3.10.0-123.9.3.el7.x86_64
OS Architecture: amd64
Regards,
Srinivas N
HPE, Bengaluru
8 years, 10 months
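Added example, not from the post or from Keycloak: a small JDK-only tool (Java 8 or later, for java.util.Base64) that splits an access token into its three base64url segments and reports how many characters each takes, so that a difference such as 1308 versus 2055 characters can be traced either to the payload (claims: realm and client roles, protocol mappers, session data) or to the signature, whose length is fixed by the realm's signing key rather than by the user. The tokens it analyses by default are constructed here with Keycloak-shaped claims and a zero-filled 256-byte stand-in for an RS256 signature; nothing is signed or verified, and a token passed as the first argument is only decoded, never trusted.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not code from the original post or from Keycloak.
// Decodes a compact JWT without verifying it, purely to see where the characters go.
public class JwtSize {

    /** Character length of each of the three base64url segments of a compact JWS. */
    public static int[] segmentChars(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        return new int[] { parts[0].length(), parts[1].length(), parts[2].length() };
    }

    /** Decoded byte length of each segment (java.util.Base64 accepts unpadded base64url). */
    public static int[] segmentBytes(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        Base64.Decoder dec = Base64.getUrlDecoder();
        return new int[] { dec.decode(parts[0]).length, dec.decode(parts[1]).length,
                           dec.decode(parts[2]).length };
    }

    /** Decoded JSON of the header (index 0) or payload (index 1); no signature check is done here. */
    public static String decodeJson(String jwt, int index) {
        String[] parts = jwt.split("\\.", -1);
        return new String(Base64.getUrlDecoder().decode(parts[index]), StandardCharsets.UTF_8);
    }

    /** Rough reading of the signing setup from the signature length alone. */
    public static String signatureHint(int signatureBytes) {
        switch (signatureBytes) {
            case 32:  return "32 bytes: HMAC-SHA256 (HS256)";
            case 256: return "256 bytes: RSA with a 2048-bit key (RS256/RS384/RS512)";
            case 512: return "512 bytes: RSA with a 4096-bit key";
            default:  return signatureBytes + " bytes: not an HS256 or RSA-2048/4096 signature length";
        }
    }

    /** Builds a token from JSON strings; the "signature" is a zero-filled stand-in of the given length. */
    public static String buildToken(String headerJson, String payloadJson, int fakeSignatureBytes) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        byte[] fakeSig = new byte[fakeSignatureBytes]; // all zeros, clearly not a real signature
        return enc.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
             + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + "."
             + enc.encodeToString(fakeSig);
    }

    public static void report(String label, String jwt) {
        int[] chars = segmentChars(jwt);
        int[] bytes = segmentBytes(jwt);
        System.out.println(label + ": total " + jwt.length() + " chars");
        System.out.println("  header    " + chars[0] + " chars / " + bytes[0] + " bytes");
        System.out.println("  payload   " + chars[1] + " chars / " + bytes[1] + " bytes");
        System.out.println("  signature " + chars[2] + " chars / " + signatureHint(bytes[2]));
        System.out.println("  claims    " + decodeJson(jwt, 1));
    }

    public static void main(String[] args) {
        if (args.length > 0) {            // analyse a real token given on the command line
            report("given token", args[0]);
            return;
        }
        // Constructed, Keycloak-shaped sample claims (not captured from a real server).
        // Single quotes are swapped for double quotes to keep the Java literals readable.
        String header = "{'alg':'RS256','typ':'JWT'}".replace('\'', '"');
        String base = "{'jti':'c1e0b9a2-5d31-4e7f-9b1c-3a6d8f2e4b70','exp':1456000000,'iat':1455999940,"
                + "'iss':'http://localhost:8080/auth/realms/demo','aud':'rest-client',"
                + "'sub':'7f2a9d44-1b3c-4e5f-8a6b-9c0d1e2f3a4b','typ':'Bearer','azp':'rest-client',"
                + "'session_state':'0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d',"
                + "'preferred_username':'alice'";
        String small = (base + ",'realm_access':{'roles':['user']}}").replace('\'', '"');
        String big = (base + ",'realm_access':{'roles':['user','admin','offline_access']},"
                + "'resource_access':{'rest-client':{'roles':['viewer','editor']},"
                + "'account':{'roles':['manage-account','view-profile']}},"
                + "'name':'Alice Example','email':'alice@example.org','myattribute':'some-value'}")
                .replace('\'', '"');
        report("token A (one realm role, no mappers)", buildToken(header, small, 256));
        report("token B (same user, more roles and mappers)", buildToken(header, big, 256));
    }
}
```

With a 2048-bit realm key the signature segment is always 342 characters, so two tokens from the same key that differ in length differ in the payload; comparing the decoded claims of a long and a short token (roles, resource_access, mapper output, session data) shows exactly which claims account for the gap.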