May 2016 - keycloak-user - Jboss List Archives

by Fabricio Milone

Hi everyone, I've been experiencing some random issues when trying to decode the returned idToken from the /protocol/openid-connect/token call. I've found that sometimes the returned idToken is not multiple of 4 and has no padding at the end of the payload section (where mappers are added). So the result is that I'm losing the last 2 characters of the last mapper value. This is one example of a failing token (payload only): eyJqdGkiOiI4NWNlOGVlZS00N2Y5LTQzOTMtODc4Yi1iMjRiNTA0YWIzMWYiLCJleHAiOjE0NjI3NjY3MjMsIm5iZiI6MCwiaWF0IjoxNDYyNzY2NDIzLCJpc3MiOiJodHRwczovL2lkbS1zMi5zYi5kZXYuc2JldGVudi5jb20vYXV0aC9yZWFsbXMvZWxlY3RyaWNzaGVlcCIsImF1ZCI6ImVzIiwic3ViIjoiMDNlZGMzNzQtYzgyMC00ZDFhLWJhN2YtM2Y0NzlmOGRiMmM4IiwidHlwIjoiSUQiLCJhenAiOiJlcyIsInNlc3Npb25fc3RhdGUiOiIxY2I0Mjk3Zi04ODA3LTQ4ZWUtODBhNS1hMTI5NzRhN2EyYmQiLCJuYW1lIjoiZm5hbWUgbG5hbWUiLCJjdXN0SWQiOiIyNTY3NTgxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYW50aHRlc3QiLCJnaXZlbl9uYW1lIjoiZm5hbWUiLCJmYW1pbHlfbmFtZSI6ImxuYW1lIiwiZW1haWwiOiJub2JvZGF5QHNwb3J0c2JldC5jb20uYXUiLCJ0b2tlbiI6Ims4Z3NaKzlsV0dlZUVob212d09ocFk5bXlmeXdOQi9CWE1GWXBEQjErZTdHREJRa0h1R1BSYjJHOE4xYjFRdzJyUHdOVitvTTJzUUlMVVlXYXUvSHFFZ3JWUVhGeGdQd2dTVXl6UUtxaEYydW9KN3JzTFJkSFcza3ZRRy9JMUc1WlFtRnlnRE1va2NUIn0 787 chars (should be 788) if you try to decode it, you'll get: {"jti":"85ce8eee-47f9-4393-878b-b24b504ab31f","exp":1462766723,"nbf":0,"iat":1462766423,"iss":" > https://idm-s2.sb.dev.sbetenv.com/auth/realms/electricsheep","aud":"es","sub":"03edc374-c820-4d1a-ba7f-3f479f8db2c8","typ":"ID","azp":"es","session_state":"1cb4297f-8807-48ee-80a5-a12974a7a2bd","name":"fname > lname","custId":"2567581","preferred_username":"anthtest","given_name":"fname","family_name":"lname","email":" > noboday(a)sportsbet.com.au > ","token":"k8gsZ+9lWGeeEhomvwOhpY9myfywNB/BXMFYpDB1+e7GDBQkHuGPRb2G8N1b1Qw2rPwNV+oM2sQILUYWau/HqEgrVQXFxgPwgSUyzQKqhF2uoJ7rsLRdHW3kvQG/I1G5ZQmFygDMokcT Which is incomplete. The last two chars (which are *"}*) are missing at the end. So now, if I take the correct complete json and try to encode using another library (as the one used here: https://www.base64encode.org/), I'll get: eyJqdGkiOiI4NWNlOGVlZS00N2Y5LTQzOTMtODc4Yi1iMjRiNTA0YWIzMWYiLCJleHAiOjE0NjI3NjY3MjMsIm5iZiI6MCwiaWF0IjoxNDYyNzY2NDIzLCJpc3MiOiJodHRwczovL2lkbS1zMi5zYi5kZXYuc2JldGVudi5jb20vYXV0aC9yZWFsbXMvZWxlY3RyaWNzaGVlcCIsImF1ZCI6ImVzIiwic3ViIjoiMDNlZGMzNzQtYzgyMC00ZDFhLWJhN2YtM2Y0NzlmOGRiMmM4IiwidHlwIjoiSUQiLCJhenAiOiJlcyIsInNlc3Npb25fc3RhdGUiOiIxY2I0Mjk3Zi04ODA3LTQ4ZWUtODBhNS1hMTI5NzRhN2EyYmQiLCJuYW1lIjoiZm5hbWUgbG5hbWUiLCJjdXN0SWQiOiIyNTY3NTgxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYW50aHRlc3QiLCJnaXZlbl9uYW1lIjoiZm5hbWUiLCJmYW1pbHlfbmFtZSI6ImxuYW1lIiwiZW1haWwiOiJub2JvZGF5QHNwb3J0c2JldC5jb20uYXUiLCJ0b2tlbiI6Ims4Z3NaKzlsV0dlZUVob212d09ocFk5bXlmeXdOQi9CWE1GWXBEQjErZTdHREJRa0h1R1BSYjJHOE4xYjFRdzJyUHdOVitvTTJzUUlMVVlXYXUvSHFFZ3JWUVhGeGdQd2dTVXl6UUtxaEYydW9KN3JzTFJkSFcza3ZRRy9JMUc1WlFtRnlnRE1va2NUIn0 > *=* (788 chars, which is ok) Note the equal sign at the end. I'm wondering why Keycloak is not adding those paddings, is that a bug on the lib you are using to encode the payload? As for now, I'm using a workaround that checks for the length of the token and adds the missing padding when needed before try to decode it. while (payload.length() % 4 != 0) payload += "="; That works but it is not ideal. *Should I create a bug on Keycloak's issue tracker?* Thanks in advance. Regards, Fab -- *Fabricio Milone* Developer *Shine Consulting * 30/600 Bourke Street Melbourne VIC 3000 T: 03 8488 9939 M: 04 3200 4006 www.shinetech.com *a* passion for excellence

10 years

3
5
0 / 0

Keycloak Android OIDC example

by Thomas Darimont

Hello, I just played a bit with the oidc android example [0] here and made it work with keycloak see my branch [1]. I added a small gif that demonstrates the auth flow: https://github.com/thomasdarimont/android-openid-connect/blob/feature/key... Note I tested this with latest Keycloak 1.9.x branch (but should work as well with current master 2.0.x): If you want to play with the example app you need to setup your keycloak like so: # Keycloak Setup ## create new client for the android app: - clientid: android-app-1 - clientname: android-app-1 - access type: confidential - valid redirect url: app://oidcsample.lnikkila.com ## Create a demo user - username: demo - password: demo https://github.com/thomasdarimont/android-openid-connect/tree/feature/key... Note that I needed to use the AuthCode flow [2] since the Hybrid-Flow wasn't supported by Keycloak. Hope you find that interesting :) Cheers, Thomas [0] https://github.com/learning-layers/android-openid-connect [1] https://github.com/thomasdarimont/android-openid-connect/tree/feature/key... [2] https://github.com/thomasdarimont/android-openid-connect/blob/feature/key...

10 years

1
0
0 / 0

Forced password change for service accounts

by Kevin Thorpe

Hi, we've just hit an issue where Keycloak was requiring a password change on a service account. We have addressed this by changing the password and also on the client service. We do though need to handle this before it all falls over as we missed a reporting run last night and breached our SLA with our client. What would be best practice for this? I'm thinking best to enforce rollover but we need a report on which service passwords are going to require reset. Is there any way to do that? *Kevin Thorpe* VP Enterprise Platform www.p-i.net | @PI_150 <https://twitter.com/@PI_150> *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 <%2B44%20%280%29808%20204%200344> * *150 Buckingham Palace Road, London, SW1W 9TR, UK* *SAVE PAPER - THINK BEFORE YOU PRINT!* ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

10 years

2
2
0 / 0

Keycloak JWT Extension

by Uli SE

Hi, in chapter 2.2 of the users guide is stated: "The format of these tokens is a Keycloak extension to theJSON Web Token <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14>specification" Is this extension specified anywhere? Didn´t find it. Many thanks, Uli

10 years

2
1
0 / 0

Integrate Keycloak as SP with ADFS 3.0 as IdP

by Sven Kiewidt

Hi all, i want to connect my Keycloak as ServiceProvider to an ADFS 3.0 Infrastructure as Identity Provider. Is there any documentation available on the net, how to setup the Relying Party Trust or which Claim Rules to set up? Thank you and best regards, Sven Kiewidt

10 years

1
0
0 / 0

Keycloak 1.9.4.Final Released

by Stian Thorgersen

We've just release 1.9.4.Final. This release only has two bug fixes, but comes with a fair bit more automated testing. For the full list of resolved issues check out JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> and to download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>.

10 years

1
0
0 / 0

Nginx auth-request-module with keycloak

by Guy Bowdler

Hi, Does anyone have any experience of getting keycloak working with nginx as a reverse proxy with auth-request-module? Want to try to terminate ssl and authentication at the proxy rather than forward unauthenticated requests to apps. Thanks Guy -- Sent from my Android device with K-9 Mail. Please excuse my brevity.

10 years

3
3
0 / 0

Keykloak rest service

by Uli SE

Hi, after trying to secure a RestEasy app with keycloak i get an Responde Code 500. I tried to follow the advise of the user guide and the server (and I think the Wildfly adapter) is running. I expected to get a ResponseCode 401 and unauthorized using this code in my service @Path("/users") @Stateless @SecurityDomain("keycloak") public class UserRESTService { @Inject UserRepositoryrepo; @GET @RolesAllowed("admin") @Produces(MediaType.APPLICATION_JSON) public ResponselistAllUsers() { but I get the exyception at trhe bottom: Any idea? thanks, Uli Context Path: /management-service Servlet Path: /api Path Info: /users Query String: null *Stack Trace* org.jboss.resteasy.spi.UnhandledException: javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public javax.ws.rs.core.Response de.xy.rest.UserRESTService.listAllUsers() of bean: UserRESTService is not allowed org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) javax.servlet.http.HttpServlet.service(HttpServlet.java:790) io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) java.lang.Thread.run(Thread.java:745)

10 years

1
0
0 / 0

Social media access tokens.

by JAYAPRIYA ATHEESAN

Hi, After social media login, we try to get access token from keycloak for social medias. For facebook and googleplus, we are able to get the token by hitting the rest endpoint url. Google : https://api.giggso.com:8444/auth/realms/giggzo/broker/google/token Facebook : https://api.giggso.com:8444/auth/realms/giggzo/broker/facebook/token But for twitter, we are not able to get that. Additionally when I checked the database, I was able to observe the below content as token. {"oauth_token":"3219633632-3n1tbcAQnA66jkmH9G555dhPLpsMJ7vzD6Q8Nvg","oauth_t oken_secret":"QNErayAQaMKAwxUfe7MsX1za340n0yGoH6AOGAUBezWUS","screen_name":" priya","user_id":"322632"} Can you please suggest us, how to go about this. I would like to get user information like feeds, post, friends and other details from twitter. Thanks, Jayapriya Atheesan

10 years

1
1
0 / 0

Impersonate

by Daniele Bonetto

Hi guys, i have a little confusion about how impersonate works in Keycloak. I saw there's a impersonate API that can be called with impersonate privileges. I expected when called the API in some ways changes current logged user session data with impersonated user informations, but seems nothing will change in keycloak sessions neither returns the changed tokens and the current user sessions seems still alive. I also checked keycloak.js to find some method that allows me to call impersonate API from my webapp to allow our operators to access as users. Can someone help me please? Best regards, Daniele Bonetto

10 years

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2016