Logout to the external IDP
by Xiao Ma
Hi,
I configured an OIDC identity provider by selecting "OpenID Connect v1.0" from the drop-down box in the top right corner of the identity providers table in Keycloak's Admin Console. During the configuration process, I also configured the "Logout Url" for the IDP's logout URL.
When I try to logout to the external IDP, the browser is redirected to the
external IDP to perform the logout. I can see some URL as follows:
https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openid-connect/logout?state=a4efbda0-8b98-4169-a369-59e92bc3fac5&id_token_hint=eyJhbGciOiJSUzI1NiJ9.…
"keycloakdev.xxxxxxx.com" is where the external IDP is located. "Internal" is the name of the realm. The parameters "state" and "id_token_hint" are appended to the logout endpoint URL automatically during the logout process.
However, this process failed because I got a "Session Not Active" error in the UI. After some investigation, I found this "Session Not Active" error seems to be related to the value of Realm Settings -> Tokens -> Access Token Lifespan that I configured. The default value is 5 minutes; if I trigger the logout within 5 minutes, I can log out to the external IDP successfully. If I do the logout after 5 minutes, I get this "Session Not Active" error. Is this the expected behavior? Do I have to bump up the value of "Access Token Lifespan" to get a longer session for the logout purpose?
Thanks a lot for the help!
Xiao
8 years, 9 months
Keycloak Clustering, other instance logs me out
by Sarp Kaya
I have tried using standalone-ha.xml with a shared database. I thought that would be enough but it seems like it's not. The problem is:
I log into kc1 instance, and subsequent requests are authenticated.
Then I try viewing
host:8080/auth/realms/master/account
Which is also authenticated.
Then I try to view this on kc1 by changing the port like:
host:8081/auth/realms/master/account
At this point I expect to see the same page. However, I get prompted for login on both kc1 and kc2. I see no logs at this point.
So now I have switched to using keycloak-ha-postgres because it seemed to me that it comes with clustering enabled out of the box. So I did nearly exactly what this page:
https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqo...
told me to do. The only difference is that I added ports (with -p 8080:8080 for one instance and -p 8081:8080 for the other one) and added a new user.
Once I start the I get this log:
05:28:49,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel keycloak
05:28:49,893 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel server
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,914 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel server local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,978 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,984 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,985 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel hibernate
05:28:49,986 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,987 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel hibernate local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
05:28:50,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:50,031 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from keycloak container
05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from keycloak container
05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak container
05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak container
05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak container
05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak container
However, I still have the same issue as above (I get logged out). Also, I don't get any new logs during the entire log-in/log-out process.
Am I doing something wrong?
Thanks,
Sarp
8 years, 9 months
Cannot change the user's username in AD...
by Adrian Matei
Hi everyone,
Following situation:
- Keycloak 1.7.0.Final
- Login settings
- Email as username ON
- Edit username ON
- AD Configuration
- Edit mode : WRITABLE
- Username LDAP attribute: cn (standard as all other attributes)
I've been trying in vain to change the username/email of a user (via the account application or via the admin console) - only the mail gets changed in AD and not the common name. Is there a particular setting I need to configure?
Thanks,
Adrian
8 years, 9 months
Can we change the default realm on Keycloak?
by Kevin Thorpe
Hi,
Just wondering if we could hide the default page https://keycloak.mydomain.com/auth because that prompts you to log in to the master realm, which we don't want visible.
I could block that page outright, but sometimes we might need to log in to the master realm for user admin.
Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
8 years, 9 months
Guidelines for protecting Keycloak Endpoints
by Thomas Darimont
Hello group,
I'm about to configure our Web Application Firewall for Keycloak, where I want to implement the following scenario:
CLIENT_ENDPOINTS:
All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and login/totp/registration/forgot password pages, should be accessible from the public internet.
ADMIN_ENDPOINTS:
Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible from the internal network.
Are there any guidelines for which URL pattern applies to which category
(CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
To me, it seems that:
- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
Have I missed anything else?
Btw. it turns out that some endpoints (unnecessarily) expose internal links like "admin-api" if you go to http://localhost:8080/auth/realms/my-realm/ :
{
  "realm": "my-realm",
  "public_key": "...",
  "token-service": "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
  "account-service": "http://localhost:8080/auth/realms/my-realm/account",
  "admin-api": "http://localhost:8080/auth/admin",
  "tokens-not-before": 0
}
Can this be disabled?
Cheers,
Thomas
8 years, 9 months
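A reverse-proxy configuration for the CLIENT_ENDPOINTS / ADMIN_ENDPOINTS split described above, as an added example that is not part of the thread; it also covers Kevin's earlier question about keeping the master realm off the public internet. It assumes nginx in front of Keycloak listening on 127.0.0.1:8080 under the /auth context path, an internal network of 10.0.0.0/8, a placeholder hostname, and TLS directives configured elsewhere.

```nginx
upstream keycloak {
    server 127.0.0.1:8080;   # assumed Keycloak address
}

server {
    listen 443 ssl;
    server_name keycloak.example.com;   # placeholder hostname; TLS directives omitted

    # Keycloak builds redirect URLs from these headers, so the http-listener in
    # standalone.xml must also carry proxy-address-forwarding="true"; otherwise
    # it sees 127.0.0.1 as the client and the allow/deny rules above it are moot.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # ADMIN_ENDPOINTS: Admin Console and Admin REST API, internal network only.
    location /auth/admin/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # The master realm holds the admin users; its login and account pages stay
    # internal too. nginx picks the longest matching prefix, so this wins over
    # the generic /auth/realms/ block below.
    location /auth/realms/master/ {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://keycloak;
    }

    # CLIENT_ENDPOINTS: OIDC/SAML protocol endpoints, login/TOTP/registration/
    # forgot-password pages and the account console of every other realm.
    location /auth/realms/ {
        proxy_pass http://keycloak;
    }

    # Easy to miss: login pages load theme assets from /auth/resources/ and the
    # JavaScript adapter is served from /auth/js/, so both must stay public.
    location /auth/resources/ { proxy_pass http://keycloak; }
    location /auth/js/        { proxy_pass http://keycloak; }

    # Everything else, including the /auth welcome page that links to the
    # admin console, is not exposed.
    location / {
        return 404;
    }
}
```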
Need help for using KC REST API and service account
by Hristo Stoyanov
Hi all,
I am trying to apply KC for:
1. Authentication. So far KC works well and as expected!
2. Change the authenticated user's roles as part of the application logic: based on external credit card registration (by an external credit card processor) and paid plan selection by the user, the web app needs to move the authenticated user from the "free" role to the "premium" realm role, which corresponds to the paid plan s/he selected.
Is there an example of how to use KC APIs to change the user's role from
within the app? I could not find anything specific in the examples or
documentation, but I see some things that go in that direction:
A.
It seems like I have to use the Admin REST API somehow, but I am not sure which REST calls from the vast REST APIs I need to use. Is it "Add realm-level role mappings to the user" and "Delete realm-level role mappings"? What is the "id" param then? Is this the "user id"? Can you please categorize the REST APIs in groups - "user management", "role CRUDs", etc. - to make it easier to navigate?
There seems to be an example "admin-access-app", but it is not clear where it gets the app username/password. Are they just hard-coded "username" and "password"? In the case of the WildFly adapter, the client secret is configured inside the standalone.xml configuration file, so I expect not to have to configure it or read it from configuration files, but the container should provide/inject it for me? Is this a correct assumption? Any example WildFly code?
B.
It seems like I also need to use a service account <http://blog.keycloak.org/2015/08/service-accounts-support-in-keycloak.html>, so that the app can change user roles behind the scenes on its own? Correct? This blog post <http://blog.keycloak.org/2015/08/service-accounts-support-in-keycloak.html> seems obsolete, as there is no longer a "Service accounts enabled" switch I could find. I figured one needs to switch to the "confidential" access type instead. Is this correct? Unfortunately, the corresponding example, "Service Account Example", does not show how one should proceed when the client secret is configured in WildFly's standalone.xml file and the developer is not expected to parse configuration files (either embedded in the WAR or elsewhere). Any example of how to get the configured objects? I tried to get some clue from the KeycloakDeploymentBuilderTest.java file, but it is not clear how one can get KeycloakDeployment injected by the container rather than parsing it from files. Any clue?
Thank you for the great product! And thank you for any guidance you can provide - that would save me a lot of time and questions!
/Hristo
8 years, 9 months
Example for using rest admin?
by Hristo Stoyanov
Hi all,
I am trying to do this:
1. Have a war deployed in wildfly10
2. Need to instantiate a kc rest admin service and use the app service
account
3. Need to manipulate user attributes and roles as the app runs via the
rest admin API.
I see some examples, but they are heavy on servlet configuration and low-level HTTP header manipulation. I need something that picks up the configuration from the adapter (not reading a JSON conf) and uses the JEE JAX-RS 2.0 client to call KC. Any pointers/sample code will be appreciated! Thanks!
/Hristo Stoyanov
8 years, 9 months
How to obtain KeycloakDeployment instance in wf10?
by Hristo Stoyanov
Hi,
I configure KC via my WF10 standalone.xml file rather than changing my WAR package. How do I obtain a KeycloakDeployment instance in my app, so I can make REST calls as my service account, using the secret and app id?
Any code sample is appreciated!
/Hristo Stoyanov
8 years, 9 months
Token is not active, message shown after login
by LEONARDO NUNES
I have Keycloak 1.9.1 installed on a testing server and on our production server. Both servers have the same operating system, Java version and most of the same configuration. Keycloak on both servers also has the same configuration.
There's an application running on a Tomcat on my local machine that connects to the Keycloak server.
When I connect my local application to the Keycloak on the testing server, everything works fine.
When I connect to the Keycloak on the production server, we have the following problem:
- I open my local application and navigate to a restricted URL
- Keycloak login screen opens
- I enter the username and password and click Log in
The following error is returned to the browser:
HTTP Status 403 -
type Status report
message
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.67
The following error shows at my Tomcat log:
mar 28, 2016 11:26:15 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed verification of token: Token is not active.
If I navigate to Sessions in the Keycloak admin console, there's an active session.
If I click "Logout all", the following error is shown:
Error! Failed to logout users under: http://10.10.3.191:8088/accounts-teste. Verify availability of failed hosts and try again
--
Leonardo
8 years, 9 months