Renaming a user in Keycloak does not change the user's DN when using LDAP federation provider
by Edgar Vonk - Info.nl
Hi,
Just checking if I have got this right. Our scenario is that we have set up an LDAP user federation from Keycloak to Active Directory. We map the username in Keycloak to the userPrincipalName attribute in MSAD.
As is common the full DN in MSAD starts with the username. E.g. CN=edgar(a)info.nl,OU=Users,OU=Customers,DC=hf,DC=info,DC=nl
Now when I change the username from Keycloak I see that the userPrincipalName attribute is updated, however the DN remains the same. If I look in the Keycloak source code it seems indeed that a user DN is only set once on creation of the user (LDAPUtils#addUserToLDAP).
We would like renaming of the user in Keycloak to result in a renaming of the DN in MSAD/LDAP as well. Shall I create a JIRA feature request for this?
cheers
Edgar
9 years
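The post above observes that renaming the username updates the userPrincipalName attribute but leaves the DN untouched, so over time the RDN and the username attribute can disagree. The following is an added audit helper, not code from the post or from Keycloak: it splits a DN honouring RFC 4514 backslash escapes, computes the DN a rename would have produced, and reports entries whose RDN has drifted from the username attribute. The entry values and the example.test domain are constructed for the example.

```python
# Added example: detect LDAP entries whose RDN no longer matches the username attribute.
# DN values below are constructed; they are not the poster's directory data.

def split_dn(dn):
    """Split a DN into its RDN strings, treating backslash-escaped commas as literal (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn_value(rdn):
    """Return (attribute type, escaped value) of a single RDN such as 'CN=edgar@example.test'."""
    attr, _, value = rdn.partition("=")
    return attr.strip(), value


def escape_rdn_value(value):
    """Escape the characters that are special inside a DN value (RFC 4514 section 2.4)."""
    special = ',+"\\<>;'
    out = "".join("\\" + ch if ch in special else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expected_dn_after_rename(current_dn, new_username):
    """The DN a modify-DN (rename) would yield if the leading RDN tracked the new username."""
    rdns = split_dn(current_dn)
    attr, _ = rdn_value(rdns[0])
    return ",".join([f"{attr}={escape_rdn_value(new_username)}"] + rdns[1:])


def dn_drift(entries):
    """entries: iterable of (dn, username attribute value).
    Returns (dn, username, expected_dn) for each entry whose RDN differs from the username."""
    drifted = []
    for dn, username in entries:
        _, rdn_val = rdn_value(split_dn(dn)[0])
        if rdn_val != escape_rdn_value(username):
            drifted.append((dn, username, expected_dn_after_rename(dn, username)))
    return drifted


# Constructed sample: the second entry was renamed in Keycloak, the DN was not.
SAMPLE_ENTRIES = [
    ("CN=edgar@example.test,OU=Users,DC=example,DC=test", "edgar@example.test"),
    ("CN=old.name@example.test,OU=Users,DC=example,DC=test", "new.name@example.test"),
    ("CN=Doe\\, John,OU=Users,DC=example,DC=test", "Doe, John"),
]

if __name__ == "__main__":
    for dn, username, expected in dn_drift(SAMPLE_ENTRIES):
        print(f"drift: {dn} has username {username}; rename would give {expected}")
```

The check only compares the leading RDN with the username attribute; whether to actually issue a modify-DN against the directory is a separate decision, since other systems may reference the old DN.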
Infinispan not working on HA environment with dockers.
by Nicolás Pozo
Hello all,
I'm trying to set a Keycloak HA environment up with dockers. I tried with the jboss/keycloak-ha-postgres:1.8.0.Final image.
I can't make infinispan work when I run 2 instances of my docker images. I get the following log in every node:
Received new cluster view for channel ejb: [f9032dc82244|0] (1) [f9032dc82244]
Received new cluster view for channel hibernate: [f9032dc82244|0] (1) [f9032dc82244]
Received new cluster view for channel keycloak: [f9032dc82244|0] (1) [f9032dc82244]
Received new cluster view for channel web: [f9032dc82244|0] (1) [f9032dc82244]
Channel hibernate local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
Channel keycloak local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
Channel ejb local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
Channel web local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
Received new cluster view for channel server: [f9032dc82244|0] (1) [f9032dc82244]
Channel server local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
This is causing my user sessions not to be shared between instances, and it's not working properly.
When I run 2 instances of keycloak without dockers, they work properly.
Am I missing something? Is there any extra configuration that I need to change?
Thanks,
Nicolas.-
9 years
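The log quoted above shows two symptoms that a cluster health check can flag directly: every channel's view contains a single member, "(1)", and each channel's physical address is 127.0.0.1, a loopback address that other containers cannot reach. The following is an added example, not code from the post or from Keycloak/Infinispan: it parses these JGroups log lines and reports channels with fewer members than expected or bound to loopback. The sample lines are constructed to match the format in the post.

```python
# Added example: flag single-member cluster views and loopback bind addresses in JGroups log output.
import re
from ipaddress import ip_address

# Constructed sample in the same format as the log quoted in the post (not the poster's actual file).
SAMPLE_LOG = """\
Received new cluster view for channel ejb: [f9032dc82244|0] (1) [f9032dc82244]
Received new cluster view for channel keycloak: [f9032dc82244|0] (1) [f9032dc82244]
Channel keycloak local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
Channel ejb local address is f9032dc82244, physical addresses are [127.0.0.1:55200]
"""

# Constructed sample of what a two-node cluster bound to a container network would log.
HEALTHY_LOG = """\
Received new cluster view for channel keycloak: [node-a|1] (2) [node-a, node-b]
Channel keycloak local address is node-a, physical addresses are [172.17.0.2:55200]
"""

VIEW_RE = re.compile(r"Received new cluster view for channel (\w+): \[[^\]]*\|\d+\] \((\d+)\)")
ADDR_RE = re.compile(r"Channel (\w+) local address is \S+, physical addresses are \[([^\]]*)\]")


def parse_channels(log):
    """Map channel name -> {'members': int, 'addresses': [host:port, ...]}."""
    channels = {}
    for line in log.splitlines():
        m = VIEW_RE.search(line)
        if m:
            channels.setdefault(m.group(1), {})["members"] = int(m.group(2))
            continue
        m = ADDR_RE.search(line)
        if m:
            addrs = [a.strip() for a in m.group(2).split(",") if a.strip()]
            channels.setdefault(m.group(1), {})["addresses"] = addrs
    return channels


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1 style host:port strings (IPv4 and bare hostnames only)."""
    host = addr.rsplit(":", 1)[0]
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def cluster_findings(log, expected_members=2):
    """Return human-readable findings; an empty list means every channel looks healthy."""
    findings = []
    for name, info in sorted(parse_channels(log).items()):
        members = info.get("members", 0)
        if members < expected_members:
            findings.append(f"{name}: view has {members} member(s), expected {expected_members}")
        for addr in info.get("addresses", []):
            if is_loopback(addr):
                findings.append(f"{name}: bound to loopback address {addr}, unreachable from other containers")
    return findings


if __name__ == "__main__":
    for finding in cluster_findings(SAMPLE_LOG):
        print(finding)
```

Run it against the node's server.log on each container; a healthy cluster yields no findings, and a loopback finding points at the JGroups bind address, a single-member view at discovery between the containers.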
No kid in token headers
by Raghu Prabhala
Revisited keycloak 1.9 cr1 after a long time. While the basic and implicit flows work properly, I noticed that the token validation is failing due to the lack of kid in the token header. Did anyone come across the same problem, or am I missing something?
Btw we use our own oidc client libraries to interact with KC, which were tested against commercial products
Thanks,
Raghu
9 years
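The failure described above is a client-side key selection problem: without a kid header the validator cannot pick a key from the JWKS by id. The following is an added example, not code from the post, from Keycloak, or from the poster's client library, showing both behaviours side by side: a strict validator that rejects tokens lacking kid, and a lenient one that falls back to trying every key whose alg matches. It uses HS256 with constructed symmetric keys purely so it runs with the standard library; Keycloak's JWKS carries RSA keys, so a real client would swap in RS256 verification.

```python
# Added example: JWT validation with and without a "kid" header against a small JWKS.
import base64
import hashlib
import hmac
import json


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS with two symmetric keys (HS256 stands in for the RS256 keys a real server publishes).
JWKS = {"keys": [
    {"kty": "oct", "kid": "key-2015", "alg": "HS256", "k": b64url_encode(b"old-secret")},
    {"kty": "oct", "kid": "key-2016", "alg": "HS256", "k": b64url_encode(b"new-secret")},
]}


def sign_hs256(payload, key, kid=None):
    """Mint a compact JWT; kid is omitted from the header when not given, as in the post."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid:
        header["kid"] = kid
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def has_kid(token):
    header = json.loads(b64url_decode(token.split(".")[0]))
    return "kid" in header


def verify(token, jwks, require_kid=False):
    """Return (payload, kid of the key that verified) or None if the token is rejected."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never accept an alg the JWKS does not use
        return None
    kid = header.get("kid")
    if kid is not None:
        candidates = [k for k in jwks["keys"] if k["kid"] == kid]
    elif require_kid:
        return None                           # strict mode: the case that fails in the post
    else:
        # Lenient fallback: try every key with a matching alg; bounded by the JWKS size.
        candidates = [k for k in jwks["keys"] if k.get("alg") == "HS256"]
    expected = b64url_decode(s)
    for k in candidates:
        mac = hmac.new(b64url_decode(k["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return json.loads(b64url_decode(p)), k["kid"]
    return None


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, b"new-secret")     # no kid, like the tokens in the post
    print("strict:", verify(token, JWKS, require_kid=True))
    print("lenient:", verify(token, JWKS))
```

The fallback is safe only because every candidate key still has to verify the signature; it trades one HMAC per key for tolerance of a missing header, which is acceptable for a JWKS of a few keys.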
Re: [keycloak-user] SAML attribute mapping debugging
by Jason Axley
Bump.
I saw someone had a previous question in October about IdP mappings but the thread died without clear resolution. I didn’t see any general information on enabling DEBUG mode in keycloak to help with troubleshooting.
When I log into the “account” client application via SAML, I’m presented with a screen to enter in my login, email, first name and last name so I can see that none of the values in the SAML assertion are being picked up by the mappers.
-Jason
From: <keycloak-user-bounces(a)lists.jboss.org> on behalf of Jason Axley <jaxley(a)expedia.com>
Date: Thursday, February 18, 2016 at 1:49 PM
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] SAML attribute mapping debugging
I’ve set up incoming SAML authentication using Microsoft ADFS as the IdP. However, the attribute mappings I’ve configured are not picking up the data. A couple things are not clear:
1. How can one debug the mappings to find out why they did not find the data?
2. Where is the “user model” documented to know which fields are available to map to? I pulled out some things from existing LDAP mappings but would be nice to know what else is there to map (e.g. AD or other LDAP Groups)
For example, I’ve set up an email mapper that is configured:
Mapper Type: Attribute Importer
Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Friendly Name: emailaddress
User Attribute Name: email
Doesn’t work…
-Jason
9 years
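The mapper in the post is keyed on an Attribute Name, so the first thing to establish when nothing is imported is what attribute names the assertion actually carries and whether they match the mapper configuration character for character. The following is an added example, not code from the post or from Keycloak: it lists the attributes in a SAML assertion and checks a set of mapper definitions against them, reporting exact matches and near misses (case or whitespace differences). The assertion fragment and claim values are constructed; the claim URI for emailaddress is the one from the post.

```python
# Added example: compare SAML AttributeStatement contents against attribute-importer mapper settings.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed assertion fragment with ADFS-style claim URIs; not a capture from the poster's IdP.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>jane@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname" FriendlyName="givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mapper definitions in the shape of the post's "Attribute Importer" settings (constructed).
MAPPERS = [
    {"attribute_name": f"{CLAIMS}emailaddress", "user_attribute": "email"},
    {"attribute_name": f"{CLAIMS}givenname", "user_attribute": "firstName"},
    {"attribute_name": f"{CLAIMS}surname", "user_attribute": "lastName"},        # IdP never sends it
    {"attribute_name": f"{CLAIMS}EmailAddress ", "user_attribute": "username"},  # case + trailing space
]


def list_attributes(assertion_xml):
    """Map Attribute Name -> {'friendly': FriendlyName or None, 'values': [...]}."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = {"friendly": attr.get("FriendlyName"), "values": values}
    return found


def check_mappers(assertion_xml, mappers):
    """For each mapper: ('ok', values) on an exact Name match, else ('missing', near-miss names)."""
    attrs = list_attributes(assertion_xml)
    report = {}
    for m in mappers:
        name = m["attribute_name"]
        if name in attrs:
            report[m["user_attribute"]] = ("ok", attrs[name]["values"])
        else:
            near = [a for a in attrs if a.strip().lower() == name.strip().lower()]
            report[m["user_attribute"]] = ("missing", near)
    return report


if __name__ == "__main__":
    for user_attr, (status, detail) in check_mappers(SAMPLE_ASSERTION, MAPPERS).items():
        print(f"{user_attr}: {status} {detail}")
```

Feed it the decoded SAMLResponse captured from the browser (the SAML tracer add-on or the POST body) rather than a hand-written assertion; when parsing assertions from an untrusted source, parse with defusedxml instead of the plain ElementTree used here.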
Create client in master realm with API
by Christian Bauer
Hi
I'm trying to implement a multi-tenant system that should use Keycloak, from its Docker image. I'd like to use the Keycloak admin API from another container. My first goal is to create a new client in the master realm for my tenant administration app, then create realms for each tenant, etc.
To do this I'm using the admin-cli client in the master realm with public direct grant authentication, and I can get an authentication token with superuser roles for the admin user.
Next I tried to POST /auth/realms/master/clients/default with a client representation and the admin-cli bearer token. This is forbidden, because though I have superuser roles, I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in ClientRegistrationAuth:177.
I'm not sure I'm doing this right. The console web UI probably has the same roles if I'm logged in as admin and it's able to create users.
I guess I could step further through the code to find the difference. Other options I've considered:
- Don't create a new client in the master realm and continue using the admin-cli client for superuser tasks.
- Adjust the Docker image bootstrap so it exports the initial database, then manipulate the exported files with some JSON transformer, then import again.
- Hacking the themes/Angular frontend of the security-admin-console and use this to implement my tenant/user administration app.
Thoughts?
9 years
Re: [keycloak-user] Create client in master realm with API
by Christian Bauer
Hi Bill, long time no see. Seems like we are both stuck with this Java thing. :)
I'm authenticating with the admin user/password which I've set as env variables when starting Docker container. Nothing else was changed on the default install. This is the access token:
{
  "jti": "285d19a2-8ae3-4e0e-b05f-454d04c7812c",
  "exp": 1.456140094E9,
  "nbf": 0,
  "iat": 1.456140034E9,
  "iss": "http://192.168.99.100:8082/auth/realms/master",
  "aud": "admin-cli",
  "sub": "1219f695-bf7a-4496-a021-52586de58ed5",
  "typ": "Bearer",
  "azp": "admin-cli",
  "session_state": "22d4dc19-e755-4ce0-9508-66ffad608215",
  "client_session": "97f937f9-9fce-4441-9684-46d5daa262ce",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "create-realm",
      "admin"
    ]
  },
  "resource_access": {
    "master-realm": {
      "roles": [
        "view-identity-providers",
        "manage-events",
        "view-realm",
        "manage-realm",
        "manage-identity-providers",
        "impersonation",
        "view-events",
        "create-client",
        "manage-users",
        "view-users",
        "view-clients",
        "manage-clients"
      ]
    }
  },
  "name": "",
  "preferred_username": "admin"
}
That looks like it should give me superuser access. But POSTing with that token on "/auth/realms/master/clients/default" is Forbidden, because ClientRegistrationAuth.java checks for "realm-management" resource claims and not "master-realm":
    Map<String, List<String>> realmManagement = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
    if (realmManagement == null) {
        return false;
    }
As I said, I might be doing something wrong but I don't know where else to look. I haven't figured out yet how the user/roles/client etc. mappings work.
> On 22.02.2016, at 16:10, keycloak-user-request(a)lists.jboss.org wrote:
>
> What do you mean when you say you have "super user" roles?
>
> * Your user is in the master realm?
> * Which exact roles are assigned to this user?
>
> BTW, is this THE Christian Bauer of Hibernate fame? If so, how's life?
>
> On 2/22/2016 9:02 AM, Christian Bauer wrote:
>> Hi
>>
>> I'm trying to implement a multi-tenant system that should use Keycloak, from its Docker image. I'd like to use the Keycloak admin API from another container. My first goal is to create a new client in the master realm for my tenant administration app, then create realms for each tenant, etc.
>>
>> To do this I'm using the admin-cli client in the master realm with public direct grant authentication, and I can get an authentication token with superuser roles for the admin user.
>>
>> Next I tried to POST /auth/realms/master/clients/default with a client representation and the admin-cli bearer token. This is forbidden, because though I have superuser roles, I don't have the Constants.REALM_MANAGEMENT_CLIENT_ID resource roles required in ClientRegistrationAuth:177.
>>
>> I'm not sure I'm doing this right. The console web UI probably has the same roles if I'm logged in as admin and it's able to create users.
>>
>> I guess I could step further through the code to find the difference. Other options I've considered:
>>
>> - Don't create a new client in the master realm and continue using the admin-cli client for superuser tasks.
>>
>> - Adjust the Docker image bootstrap so it exports the initial database, then manipulate the exported files with some JSON transformer, then import again.
>>
>> - Hacking the themes/Angular frontend of the security-admin-console and use this to implement my tenant/user administration app.
>>
>> Thoughts?
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
9 years
Is it CSRF vulnerability?
by Baskin, Ilia
Hi,
I am experimenting with Keycloak to evaluate its suitability for our application. Here is one of my experiments that got me worried:
I created a simple page (see attached), deployed it on Tomcat and registered it in Keycloak as a confidential client. As you can see, the page contains a button, clicking on which executes a simple XHR request. Notice that the XHR request doesn't contain an Authorization header. On submission of my page URL I am redirected to Keycloak for authentication. After authentication I can submit XHR requests at will.
Now I copied my page and deployed the copy on the same Tomcat as a different, totally unsecured application. If I open this page in another browser tab and click on the XHR button, it goes through without any problem. It looks to me like a typical CSRF case. Am I missing something here?
Thanks.
Ilia
9 years
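The request in the experiment above is authenticated by the session cookie alone, with no Authorization header, which is exactly the situation CSRF defences exist for. One point worth keeping in mind when reproducing it: two applications deployed on the same Tomcat share scheme, host and port, so the browser treats them as the same origin and neither the same-origin policy nor an Origin check separates them; only a per-request token does. The following is an added example, not code from the post or from Keycloak, of the check a backend would apply to state-changing requests: verify the Origin (or Referer) against an allowlist, then require a double-submit token that the page must echo in the body or a custom header. Header names, the cookie name and the example.test origins are constructed.

```python
# Added example: server-side CSRF check combining an origin allowlist with a double-submit token.
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin(s) the protected page is served from.
ALLOWED_ORIGINS = {"https://app.example.test"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def new_token():
    """Token to set in the csrf_token cookie and embed in the page (constructed name)."""
    return secrets.token_urlsafe(32)


def csrf_check(method, headers, cookies, form):
    """Return (allowed, reason). headers/cookies/form are dicts; header names are lower-case."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # 1. Source check: Origin is preferred; Referer is the fallback older browsers send.
    origin = headers.get("origin")
    if origin is None and headers.get("referer"):
        origin = origin_of(headers["referer"])
    if origin is None:
        return False, "no Origin or Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"

    # 2. Token check: catches same-origin pages (the post's second app) that a session cookie alone would let through.
    expected = cookies.get("csrf_token")
    presented = form.get("csrf_token") or headers.get("x-csrf-token")
    if not expected or not presented or not hmac.compare_digest(expected, presented):
        return False, "missing or mismatched CSRF token"
    return True, "origin and token verified"


if __name__ == "__main__":
    token = new_token()
    # The post's scenario: cookie-authenticated XHR with nothing else attached.
    print(csrf_check("POST", {"origin": "https://app.example.test"}, {"csrf_token": token}, {}))
    # Same request with the token echoed by the legitimate page.
    print(csrf_check("POST", {"origin": "https://app.example.test"}, {"csrf_token": token},
                     {"csrf_token": token}))
```

Sending the token in a custom header such as X-CSRF-Token has a second benefit: a cross-origin XHR with a custom header triggers a CORS preflight, so a browser will not even deliver the request unless the server opts in.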
KeycloakSecurityContext returns NULL using Tomcat Adapter
by LEONARDO NUNES
Stian,
I have an application deployed on Tomcat 7 using the Tomcat Adapter.
When I'm logged in and I go to a non-secured URL, KeycloakSecurityContext returns null.
I deployed the same application to the Keycloak Standalone Server, there I don't have this problem.
At Tomcat the code below returns null when called from /movies/, and works when called from /article/
At Keycloak Standalone Server /movies/ and /article/ works fine.
(KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
Why is this happening?
In my web.xml I have only one security-constraint securing /article/*
WEB.XML:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Articles</web-resource-name>
            <url-pattern>/article/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
--
Leonardo Nunes
9 years
Recaptcha in registration flow not working
by Alessandro Segatto
When I enable recaptcha in the registration flow, it doesn't work and the following error appears in the chrome console:
> Refused to frame 'https://www.google.com/recaptcha/api2/anchor?k=6LeM7RgTAAAAAMeBWtUVQ8rN5-...' because it violates the following Content Security Policy directive: "frame-src 'self'".
I'm using version 1.7.0.Final.
Am I doing something wrong, or have I found a bug? Thanks in advance
Alessandro S
--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
9 years
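The browser error quoted above is the expected outcome of the policy it names: with frame-src restricted to 'self', an iframe from www.google.com is not from the page's own origin, so it is refused. The following is an added example, not code from the post or from Keycloak, of a small CSP evaluator that answers "would this frame URL be allowed under this header?", including the fallback from frame-src to child-src and then default-src that browsers apply. It handles 'self', 'none', scheme sources, host sources and leading wildcards, and ignores ports and paths; the page origin and the k= parameter value are constructed.

```python
# Added example: evaluate whether a Content-Security-Policy header permits a given frame URL.
from urllib.parse import urlsplit

# Order in which browsers look for an applicable directive when framing.
FETCH_FALLBACK = {"frame-src": ["child-src", "default-src"]}


def parse_csp(header):
    """'frame-src 'self' https://a; default-src 'none'' -> {'frame-src': [...], 'default-src': [...]}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_allows(source, url, page_origin):
    """Does a single source expression match url? Ports and paths are ignored (simplification)."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):            # 'none' and keyword sources never match a frame URL
        return False
    if source == "*":
        return True
    if source.endswith(":"):              # scheme-source such as "https:"
        return u.scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    host = hostport.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return host == u.hostname


def effective_sources(policy, directive):
    """Return (directive actually consulted, its sources), or (None, None) if nothing applies."""
    for name in [directive] + FETCH_FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None


def frame_allowed(csp_header, frame_url, page_origin):
    """Return (allowed, explanation) for framing frame_url from a page with the given origin."""
    name, sources = effective_sources(parse_csp(csp_header), "frame-src")
    if sources is None:
        return True, "no frame-src, child-src or default-src directive"
    for src in sources:
        if source_allows(src, frame_url, page_origin):
            return True, f"allowed by {name} source {src}"
    return False, f"blocked by {name} {' '.join(sources)}"


if __name__ == "__main__":
    page = "https://sso.example.test"                       # constructed page origin
    frame = "https://www.google.com/recaptcha/api2/anchor?k=PLACEHOLDER_SITE_KEY"
    print(frame_allowed("frame-src 'self'", frame, page))
    print(frame_allowed("frame-src 'self' https://www.google.com", frame, page))
```

Used during a review, the evaluator makes the trade-off explicit: a policy has to name the reCAPTCHA host in frame-src for the widget to render, and the rest of the directives can stay as tight as before.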