ENV in keycloak.json does not seem to be working, base64 errors
by cen
Hi
I am trying to use env vars in keycloak.json but I am getting base64 errors.
My keycloak.json:
{
  "realm": "myrealm",
  "realm-public-key": "${env.KC_REALM_PUBLIC_KEY}",
  "auth-server-url": "${env.KC_AUTH_SERVER_URL}",
  "ssl-required": "none",
  "resource": "myrealm",
  "public-client": true
}
I am deploying my ear to WildFly 10 using the following properties:
<property name="KC_REALM_PUBLIC_KEY" value="public key here"/>
<property name="KC_AUTH_SERVER_URL" value="http://localhost:8080/auth"/>
Error on deploy:
Bad Base64 input character decimal 36 in array position 0. (char 36 is $)
It seems that KC wants to parse the value as a string instead of trying to resolve the env variable. Looking through the code and commits (https://issues.jboss.org/browse/KEYCLOAK-1289) this should work. What am I doing wrong?
8 years, 7 months
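Added example, not code from the post above or from Keycloak: a small loader written in Python (not the Java adapter) that performs the ${env.NAME} substitution the post expects and only then checks that realm-public-key decodes as base64, so a missing variable is reported by name instead of surfacing as "Bad Base64 input character decimal 36". The realm name, variable names and the stand-in key bytes are constructed sample data.

```python
import base64
import binascii
import json
import os
import re

# The adapter's placeholder syntax, e.g. "${env.KC_AUTH_SERVER_URL}".
PLACEHOLDER = re.compile(r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")
BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


class ConfigError(ValueError):
    """An unresolved placeholder or a malformed resolved value."""


def first_bad_base64_char(value):
    """Return (position, ordinal) of the first character outside the base64 alphabet, or None.

    For the literal "${env.KC_REALM_PUBLIC_KEY}" this is (0, 36): the '$' at position 0, which is
    exactly what "Bad Base64 input character decimal 36 in array position 0" reports.
    """
    for pos, ch in enumerate(value):
        if ch not in BASE64_ALPHABET:
            return pos, ord(ch)
    return None


def resolve_placeholders(value, env):
    """Replace every ${env.NAME} in value with env[NAME]; an unset NAME is an error, not a literal."""
    def lookup(match):
        name = match.group(1)
        if name not in env:
            raise ConfigError(f"environment variable {name} is not set (referenced as {match.group(0)})")
        return env[name]
    return PLACEHOLDER.sub(lookup, value)


def resolve_tree(node, env):
    """Resolve placeholders in every string value of a parsed JSON document."""
    if isinstance(node, str):
        return resolve_placeholders(node, env)
    if isinstance(node, dict):
        return {k: resolve_tree(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_tree(v, env) for v in node]
    return node


def load_adapter_config(text, env=None):
    """Parse keycloak.json text, resolve ${env.*}, then check realm-public-key is decodable base64.

    The order matters: decoding before resolving is what turns a missing variable into an
    opaque base64 error instead of a message naming the variable.
    """
    env = os.environ if env is None else env
    config = resolve_tree(json.loads(text), env)
    key = config.get("realm-public-key")
    if key is not None:
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError) as exc:
            bad = first_bad_base64_char(key)
            raise ConfigError(f"realm-public-key is not valid base64 (first bad char: {bad}): {exc}") from exc
    return config


# Constructed sample input mirroring the posted keycloak.json; the "public key" is stand-in
# bytes, not a real realm key.
SAMPLE_CONFIG = json.dumps({
    "realm": "myrealm",
    "realm-public-key": "${env.KC_REALM_PUBLIC_KEY}",
    "auth-server-url": "${env.KC_AUTH_SERVER_URL}",
    "ssl-required": "none",
    "resource": "myrealm",
    "public-client": True,
})
SAMPLE_ENV = {
    "KC_REALM_PUBLIC_KEY": base64.b64encode(b"stand-in key bytes, not a real DER key").decode(),
    "KC_AUTH_SERVER_URL": "http://localhost:8080/auth",
}
```

Run `load_adapter_config(SAMPLE_CONFIG, SAMPLE_ENV)` to see the resolved document; drop KC_REALM_PUBLIC_KEY from the environment and the failure names the variable rather than a byte position.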
Securing 3rd party APIs
by Pavel Maslov
Hi all,
Suppose we have a 3rd party REST API, which is not secured. How could we integrate OAuth 2.0 authentication using Keycloak? My first guess is to create a mediation service (written in Java), which will use the Keycloak Java adapter and will authenticate users based on the security_token (passed to the mediation service with each request), and forward all requests (including headers) to the 3rd party REST API (unsecured).
Does it make any sense? If so, has anyone written something similar?
Thanks.
Regards,
Pavel Maslov, MS
8 years, 7 months
Using EAP 7 exclusively
by James Falkner
All,
I'm hoping to set up an environment using only EAP 7 as the container for both Keycloak and my applications, on OpenShift 3. I noticed during the Commons Briefing last month they were using several templates and images that were EAP 7 based (although I never saw any log file output verifying this).
Are there templates, imagestreams, and s2i builder images for Keycloak applications on EAP 7 (not EAP 6.x)? I searched around for anything like eap70-sso-s2i and found nothing except what was shown in the demo. I'd like to not have to do any Docker-based builds, and only use OpenShift objects, if they exist. Thanks!
-James
8 years, 7 months
SQL Server 2014 DB throws error at time of user fetch
by Jitendra P Biswal
Hi All,
I am using keycloak-1.9.0.Final and have configured it to point to SQL Server 2014.
I was able to create a new realm and create a user under the realm.
But when I click on "view all users" I get an error. Server log attached.
Anybody have any solution please help.
Thanks & Regards,
Jitendra Biswal / Software Specialist
Majesco, Majesco New Development Centre, MBP-P-136,136A, Mahape, Navi Mumbai - 400 710
Phone: +91 22 6150 1800 Ext 5698
http://www.majesco.com
8 years, 7 months
(KC1.9.3) admin client issue
by Hristo Stoyanov
Hi all,
I am seeing some unpredictable behavior from KC 1.9.3, leading to the following exception (see line comment BOOM!) in the code. Do you see anything that I am doing wrong?
The problem with this issue is that it sometimes works, sometimes not. It almost feels like a timing issue with the KC internals (cache?) and there is no guaranteed way to reproduce it. Usually restarting the WF10 server or redeploying the app fixes it.
Also, can the exception be a bit more helpful (like what resource is not found?)
12:03:50,354 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-81) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: HTTP 404 Not Found
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:201)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:174)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy296.toRepresentation(Unknown Source)
    at com.xxxxx.web.server.UserManagerService.updateKeycloakRoles(UserManagerService.java:86)
    at com.xxxxx.web.server.UserManagerService.changeSubscription(UserManagerService.java:67)
==========================RealmAdmin.java================================
@ApplicationScoped
public class RealmAdmin {
    ... //Use JNDI resources to inject adminUser, adminPassword into this producer bean
    @Produces
    Keycloak getKeycloak() {
        return Keycloak.getInstance(adminUrl, REALM_NAME, adminUser, adminPassword, CLIENT_ID);
    }
}
===========================UserManagerService.java===========================
@Stateless
@SecurityDomain("keycloak")
public class UserManagerService implements UserManager {
    @Inject
    private Keycloak admin; //Producer above is used
    @Context
    private HttpServletRequest httpRequest;
    @Inject
    private StripeService stripeService;

    @Override
    @RolesAllowed({Roles.ACTIVE})
    public void changeSubscription(final UserPlanRequest request) {
        final String userId = httpRequest.getUserPrincipal().getName();
        RealmResource realm = admin.realm(RealmAdmin.REALM_NAME);
        UserResource userResource = realm.users().get(userId);
        UserRepresentation userRepresentation = userResource.toRepresentation();
        Map<String, List<String>> userAttributes = userRepresentation.getAttributesAsListValues();
        final String customerId = extractKeycloakAttribute(userAttributes, StripeService.STRIPE_ID);
        final String subscriptionId = extractKeycloakAttribute(userAttributes, StripeService.STRIPE_SUBSCRIPTION_ID);
        stripeService.changeSubscription(customerId, subscriptionId, JNDIUtils.getPlanStripeKey(request.plan));
        updateKeycloakRoles(request.plan, userResource, realm);
    }

    private static void updateKeycloakRoles(Plan newPlan, UserResource user, RealmResource realm) {
        RoleRepresentation newPlanRole = realm.roles().get(newPlan.role.getName()).toRepresentation(); //BOOM!
        RoleScopeResource userRoles = user.roles().realmLevel();
        userRoles.remove(userRoles.listAll()
                .stream()
                .filter(r -> Roles.isActiveOrExpiredPlanRole(r.getName()))
                .collect(Collectors.toList()));
        userRoles.add(Collections.singletonList(newPlanRole));
    }
}
/Hristo Stoyanov
8 years, 7 months
Two realms; one LDAP; one namespace?
by Jason Axley
Just configured two different realms pointing to the same LDAP directory. Logged into master via LDAP the first time. The second time, logged into another realm with the same user and got an error “Email already exists.”
Shouldn’t the realms be independent of one another? It seems like there is a universal namespace for users that crosses realms. Is that intended? What is the “Keycloak way” to handle this situation if it’s by design?
-Jason
8 years, 7 months
User information (Tomcat Application)
by Caitlyn Bishop
I have a Tomcat application that I am securing using the standalone Keycloak server. How can I pull out the current user's information? I am assuming it is some sort of REST call to the Keycloak API, but I am having trouble getting something to work.
8 years, 7 months
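An added example that serves two of the questions above: Pavel's mediation service in front of an unsecured API, and Caitlyn's question about pulling out the current user's information. It is not code from either post or from Keycloak, and it is Python rather than the Java adapter. It validates a bearer token's algorithm, signature, exp/nbf, iss and aud, extracts the user's identity from Keycloak's standard claim names (sub, preferred_username, email, realm_access, resource_access), and builds the header set to forward upstream with the bearer token and hop-by-hop headers removed. Signature verification is a pluggable function; the HMAC verifier and the minted token are stand-ins so the block runs offline (Keycloak signs access tokens with RS256 against the realm key). The issuer, audience, secret and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Never forwarded upstream: the bearer token itself (the upstream cannot validate it and must
# not be able to replay it) and the RFC 7230 hop-by-hop headers.
DROP_HEADERS = {"authorization", "connection", "keep-alive", "proxy-authenticate",
                "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"}

class TokenError(Exception):
    """Reject the request; log the reason, do not echo it upstream."""

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_token(token):
    """Return (header, claims, signing_input, signature); nothing here is trusted yet."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    return header, claims, f"{h}.{p}".encode(), sig

def hs256_verifier(secret):
    """Offline stand-in. Keycloak signs access tokens with RS256; a real gateway verifies
    against the realm public key (the realm-public-key in keycloak.json) instead."""
    def verify(signing_input, signature):
        return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), signature)
    return verify

def validate_token(token, *, issuer, audience, alg, verify, now=None):
    """Signature first, then the claims no relying party may skip: alg, exp, nbf, iss, aud."""
    header, claims, signing_input, signature = split_token(token)
    if header.get("alg") != alg:  # the gateway fixes the algorithm; the token does not choose it
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    if not verify(signing_input, signature):
        raise TokenError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    if claims.get("iss") != issuer:
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise TokenError("token was not issued for this service")
    return claims

def user_info(claims):
    """The current user's identity from validated claims, via Keycloak's standard claim names."""
    return {
        "id": claims.get("sub"),
        "username": claims.get("preferred_username"),
        "email": claims.get("email"),
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": {c: sorted(v.get("roles", [])) for c, v in claims.get("resource_access", {}).items()},
    }

def forward_headers(incoming, info):
    """Upstream headers: the original set minus DROP_HEADERS, plus the authenticated identity."""
    out = {k: v for k, v in incoming.items() if k.lower() not in DROP_HEADERS}
    out["X-Forwarded-User"] = info["username"] or info["id"]
    out["X-Forwarded-Roles"] = ",".join(info["realm_roles"])
    return out

def mediate(token, incoming, *, issuer, audience, alg, verify, required_role=None, now=None):
    """Gateway decision: (user info, upstream headers) if accepted, TokenError otherwise."""
    info = user_info(validate_token(token, issuer=issuer, audience=audience, alg=alg, verify=verify, now=now))
    if required_role is not None and required_role not in info["realm_roles"]:
        raise TokenError(f"missing realm role {required_role!r}")
    return info, forward_headers(incoming, info)

def mint_test_token(secret, claims):
    """Constructed HS256 token for this example only; not a token Keycloak produced."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed sample data; realm, client and user names are assumptions, not from the posts.
SAMPLE_SECRET = b"example-only-shared-secret"
SAMPLE_ISSUER = "http://localhost:8080/auth/realms/myrealm"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": ["mediation-service", "account"], "sub": "0f1e2d3c",
                 "preferred_username": "pavel", "email": "pavel@example.org", "iat": 1000, "exp": 2000,
                 "realm_access": {"roles": ["user", "api-consumer"]},
                 "resource_access": {"account": {"roles": ["manage-account"]}}}
```

The `alg` check comes before anything else because the token header is attacker-controlled until the signature is verified; `aud` is handled as either a string or a list because Keycloak has emitted both shapes. Decoding the payload (`split_token`) is how you read the user's information, but only the claims returned by `validate_token` are safe to act on.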
Export/Import Single Client 1.8
by Everson, David (MNIT)
Hi,
Our environment is still on Keycloak 1.8. I understand that in 1.9 import/export features were added to the admin console.
Are there recommendations on how to perform an export/import with 1.8 to avoid having to rekey (and perhaps miskey) client configurations from one environment to the next? Any advice would be greatly appreciated.
Thanks,
Dave
Dave Everson | DIVISION OF ENVIRONMENTAL HEALTH
MN.IT Services @ Minnesota Department of Health
651-201-5146 (w) | david.everson@state.mn.us
Information Technology for Minnesota Government | mn.gov/oet
8 years, 8 months
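Added example (Python against the admin REST API; not part of the post above or of Keycloak) for moving one client between environments without rekeying it by hand: export the ClientRepresentation, strip the server-assigned ids and the client secret, rewrite environment-specific URLs, and check that no redirect URI still points at the source host before importing. The admin-cli password grant, the /admin/realms/{realm}/clients endpoints, and the sample client (hosts, names, ids) are assumptions; the two network helpers are not exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Fields the target server assigns itself; importing them collides with, or silently points
# at, objects that exist only in the source realm.
SERVER_ASSIGNED = {"id"}
# Environment-specific URL fields: rewrite, never copy verbatim.
URL_FIELDS = ("rootUrl", "baseUrl", "adminUrl")
URL_LIST_FIELDS = ("redirectUris", "webOrigins")

def rewrite_url(url, host_map):
    """Swap the scheme+host prefix per host_map, e.g. {"https://dev.example.org": "https://qa.example.org"}.
    Relative entries such as "/app/*" are left alone."""
    for src, dst in host_map.items():
        if url.startswith(src):
            return dst + url[len(src):]
    return url

def prepare_client_for_import(rep, host_map, keep_secret=False):
    """Copy of a ClientRepresentation that is safe to POST into another realm."""
    out = {k: v for k, v in rep.items() if k not in SERVER_ASSIGNED}
    if not keep_secret:
        out.pop("secret", None)  # a credential is per-environment; regenerate it in the target
    for field in URL_FIELDS:
        if out.get(field):
            out[field] = rewrite_url(out[field], host_map)
    for field in URL_LIST_FIELDS:
        if out.get(field):
            out[field] = [rewrite_url(u, host_map) for u in out[field]]
    if out.get("protocolMappers"):  # mapper ids are server-assigned too
        out["protocolMappers"] = [{k: v for k, v in m.items() if k != "id"} for m in out["protocolMappers"]]
    return out

def leftover_source_urls(rep, source_hosts):
    """URLs still pointing at a source host. A redirect URI for the wrong environment is a
    token-leak path: the target IdP would send authorization codes to the source host."""
    urls = [rep[f] for f in URL_FIELDS if rep.get(f)]
    for f in URL_LIST_FIELDS:
        urls.extend(rep.get(f) or [])
    return [u for u in urls if any(u.startswith(h) for h in source_hosts)]

def admin_token(base_url, username, password):
    """Password grant against the master realm using the built-in admin-cli client (assumed present)."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def admin_request(base_url, token, method, path, body=None):
    """One call against /admin/realms{path}; parsed JSON for a 200, None otherwise (create returns 201)."""
    req = urllib.request.Request(f"{base_url}/admin/realms{path}", method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status == 200 else None

def export_client(base_url, token, realm, client_id):
    """Fetch the realm's clients and pick the one whose clientId matches (filtered locally)."""
    clients = admin_request(base_url, token, "GET", f"/{realm}/clients")
    matches = [c for c in clients if c.get("clientId") == client_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one client {client_id!r} in realm {realm!r}, found {len(matches)}")
    return matches[0]

def import_client(base_url, token, realm, rep):
    """Create the prepared client in the target realm."""
    admin_request(base_url, token, "POST", f"/{realm}/clients", rep)

# Constructed sample representation; names, hosts and ids are assumptions, not from the post.
SAMPLE_CLIENT = {
    "id": "7c1d9f4e-0000-4000-8000-000000000001", "clientId": "myapp", "enabled": True,
    "secret": "dev-only-secret", "rootUrl": "https://dev.example.org",
    "redirectUris": ["https://dev.example.org/app/*", "/app/*"],
    "webOrigins": ["https://dev.example.org"],
    "protocolMappers": [{"id": "m-1", "name": "email", "protocol": "openid-connect"}],
}
```

Typical use is `rep = export_client(src, tok_src, "myrealm", "myapp")`, then `prepared = prepare_client_for_import(rep, host_map)`, refuse to continue if `leftover_source_urls(prepared, [src_host])` is non-empty, and finally `import_client(dst, tok_dst, "myrealm", prepared)`. Keeping the prepared JSON in version control is what removes the rekeying step on the next promotion.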
Forgotten Password information
by Notarnicola, Mara
Dear all,
I'm using keycloak 1.7.0 final and I have enabled the "Forgotten Password" flow.
I would like to know if there is a way to avoid the automatic login after the update of the password and redirect the user to the login page.
Thank you for reply
Mara
8 years, 8 months