web and mobile behavior with logout/pw change
by Seann Ives
Hello,
Our web application has a standard keycloak integration. Our mobile app is
currently using keycloak direct access grants. I've got a few questions
about expected behavior when a user has overlapping usage of both web and
mobile which I'm hoping someone here can kindly answer.
1. A user logs in to the mobile app and gets a JWT and a refresh token.
The user then logs in to the web app (via KC) and then logs out of the web
app (via KC). Should the mobile refresh token then be able to successfully
refresh the mobile JWT access token against KC, or does the web logout
'invalidate' the mobile refresh token?
2. Similar scenario but the web user changes their password instead of
logging out:
A user logs in to the mobile app and gets a JWT and a refresh token. The
user then logs in to the web app and then changes their password (through
KC). Should the mobile refresh token (created with the old password) then
be able to successfully refresh the mobile JWT access token, or does the
web logout 'invalidate' the mobile refresh token?
Would the behavior in either of those cases be different if our mobile app
used a webview redirecting to the KC server instead of using direct access
grants?
Thanks very much!
Seann Ives
8 years, 9 months
Change expiration time of Forget Password Link.
by Revanth Ayalasomayajula
Hi,
I am using Keycloak 1.5.0 and I want to change the expiration time of the
link present in the Forget Password email. Any idea how I can accomplish this?
Thanks.
8 years, 9 months
Invalid parameter: redirect_uri
by Chris Raiskin
Hello
I'm following the Basic Part 2 tutorial <https://www.youtube.com/watch?v=NMj4avFLMJ0> with Keycloak 1.9.0 with the purpose of demoing Keycloak to the team.
The only difference in my set up is that I have the keycloak server on a separate host from the wildfly server running the demo apps.
When I hit "Customer Listing" link, I get
WE'RE SORRY...
Invalid parameter: redirect_uri
displayed by the keycloak server.
http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/au...
I can see that the redirect_uri is referencing "localhost" both from the URL above and the keycloak log entry:
11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query
but I'm not sure where "localhost" is coming from because the "valid redirect uri" for this Client/Application is configured like this:
* Valid Redirect URIs http://wildfly.blah.com:8080/customer-portal/*
Any help would be appreciated.
Thanks
8 years, 9 months
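The mismatch in this post can be checked mechanically. The following Python is an added example (not from the post and not Keycloak's own code): it pulls redirect_uri out of the quoted LOGIN_ERROR event line, applies a simplified model of the valid-redirect rule (assumed: a trailing "*" is a prefix match, anything else is exact, relative URIs are rejected) and reports which URL component differs from the configured pattern.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed copy of the WARN event line quoted in the post, used as sample input.
LOG_LINE = (
    "11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, "
    "realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, "
    "error=invalid_redirect_uri, response_type=code, "
    "redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, "
    "response_mode=query"
)
# The client's configured "Valid Redirect URIs", as given in the post.
VALID_REDIRECT_URIS = ["http://wildfly.blah.com:8080/customer-portal/*"]


def redirect_uri_from_event(line: str) -> Optional[str]:
    """Extract the redirect_uri field from a Keycloak LOGIN_ERROR event line."""
    m = re.search(r"redirect_uri=([^,\s]+)", line)
    return m.group(1) if m else None


def matches_valid_redirect(redirect_uri: str, patterns: List[str]) -> bool:
    """Simplified model (assumed, not Keycloak's own code): a pattern ending in '*'
    is a prefix match on the text before it, any other pattern must match exactly.
    Only absolute URIs (scheme and host present) are considered."""
    parts = urlsplit(redirect_uri)
    if not (parts.scheme and parts.netloc):
        return False
    for pattern in patterns:
        if pattern.endswith("*") and redirect_uri.startswith(pattern[:-1]):
            return True
        if not pattern.endswith("*") and redirect_uri == pattern:
            return True
    return False


def explain_mismatch(redirect_uri: str, pattern: str) -> List[str]:
    """Name each URL component (scheme, host, port, path) on which the requested URI
    differs from one pattern; an empty list means it would be accepted."""
    want, got = urlsplit(pattern.rstrip("*")), urlsplit(redirect_uri)
    diffs = [f"{n}: requested {getattr(got, n)!r}, allowed {getattr(want, n)!r}"
             for n in ("scheme", "hostname", "port") if getattr(got, n) != getattr(want, n)]
    path_ok = got.path.startswith(want.path) if pattern.endswith("*") else got.path == want.path
    if not path_ok:
        diffs.append(f"path: requested {got.path!r}, allowed {want.path!r}")
    return diffs
```

For the post's values the only differing component is the host (localhost versus wildfly.blah.com), which is why the "/customer-portal/*" pattern never gets a chance to match; keep the pattern scoped to the application path rather than widening it to a bare "*", since the redirect target receives the authorization code.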
User Attributes -> User Attribute Mapper, Client Attributes -> no mapper?
by Bram Vonk
Hi,
We're adding specific User Attributes to Users, and use the User Attribute
protocol mapper to add those attributes to the JWT bearer tokens the user
gets when logging in.
This works fine for keycloak Users (natural persons) using our secured
endpoints (APIs).
We'd like to use the same concept for Clients (internal applications, so no
natural person is involved) that use our secured endpoints. These Clients
use client credentials to get a bearer token from Keycloak. Clients can
have Client Attributes, so that's half the problem fixed. The other half is
the protocol mapper: there is no Client Attribute protocol mapper.
Is there a specific reason there is no Client Attribute protocol mapper? Are
we doing something we shouldn't do? ;)
Thanks,
Bram Vonk
8 years, 9 months
Cache related exception gets thrown when updating user
by Lohitha Chiranjeewa
Hi,
We were executing the 'Update User' API call when the following exception
got thrown:
[2016-03-17 07:50:36.0590], DEBUG,
org.jboss.resteasy.core.SynchronousDispatcher default task-13 -
RESTEASY002315: PathInfo:
/admin/realms/xxxx/users/e503cb04-3080-4e90-a4b4-80adcd46b81c
[2016-03-17 07:50:36.0590], DEBUG,
org.keycloak.services.managers.AuthenticationManager default task-13 -
token active - active: true, issued-at: 1,458,201,036, not-before: 0
[2016-03-17 07:50:36.0590], DEBUG,
org.keycloak.services.resources.admin.AdminRoot default task-13 -
authenticated admin access for: superuser
[2016-03-17 07:50:36.0591], DEBUG,
org.keycloak.services.resources.Cors default task-13 - No origin
returning
[2016-03-17 07:50:36.0636], DEBUG,
org.infinispan.interceptors.InvalidationInterceptor default task-13 -
Cache [localhost] replicating
InvalidateCommand{keys=[e503cb04-3080-4e90-a4b4-80adcd46b81c]}
[2016-03-17 07:50:36.0637], ERROR,
org.keycloak.services.resources.ModelExceptionMapper default task-13 -
javax.persistence.OptimisticLockException: Batch update returned
unexpected row count from update [0]; actual row count: 0; expected:
1: org.keycloak.models.ModelException:
javax.persistence.OptimisticLockException: Batch update returned
unexpected row count from update [0]; actual row count: 0; expected: 1
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:47)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:95)
at org.keycloak.services.resources.admin.UsersResource.updateUser(UsersResource.java:170)
at sun.reflect.GeneratedMethodAccessor435.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
We're using a clustered Infinispan system as our cache. This error doesn't
get thrown often, nor can we point out a specific scenario. However, we
have now seen this a few times. What could be the reason for this?
Regards,
Lohitha.
8 years, 9 months
Guidelines for user attribute protocol mappers - when to add to IDToken vs. to AccessToken?
by Thomas Darimont
Hello group,
Keycloak allows specifying custom "protocol mappers" for a
particular client or for multiple clients via client templates.
With these "protocol mappers", one can add custom information to the
JWT token, e.g. based on a user attribute, user property etc.
One has the option to add the attribute to the IDToken and / or to the
AccessToken.
What would be a good guideline for developers to follow when choosing which
one (or both) to use?
Is it correct to say that the IDToken is just provided "once" after login,
whereas the AccessToken may be periodically renewed and is thus more dynamic
(in the sense that user attribute changes are propagated "sooner")?
When would it make sense to add information to the IDToken AND the
AccessToken?
Cheers,
Thomas
8 years, 9 months
manage user session
by daniele.capasso@dnshosting.it
Hello,
can I manage a user's session with a jar like keycloak-admin-client?
Thanks
8 years, 9 months
error in keycloak-admin-client
by daniele.capasso@dnshosting.it
Hello,
I updated a Keycloak installation from 1.7 to 1.9.1 and upgraded the pom
dependency for keycloak-admin-client, but
when I call org.keycloak.admin.client.token.TokenManager.grantToken();
I receive an error:
org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized
field "access_token" (Class
org.keycloak.representations.AccessTokenResponse), not marked as
ignorable
at [Source: org.apache.http.conn.EofSensorInputStream@23b73091; line:
1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
I use resteasy-client version 3.0.11.Final in my project; is it
possible that this library does not match keycloak-admin-client
1.9.1-final?
8 years, 9 months
Not using keycloak in development
by Martijn Claus
Hi,
I've been setting up Keycloak and liking it thus far. We are using it in an Angular / Spring / REST context. For development there are cases where I don't want to run the Keycloak application (war) but only my own application. I assume this is a valid use case. But if I turn Keycloak off, the Angular frontend will redirect me to an offline URL and the application fails. I will not have a token and the backend will rightfully throw back some AccessDeniedExceptions. Is there a way to use some kind of (magic/permanent/development) token that will be accepted by the backend so that the Keycloak application never has to be contacted? Or is there some other feature so that my backend Spring Keycloak adapter will accept anything and work with a default user?
8 years, 10 months