Keycloak admin role to group not working
by Jason Axley
I have an LDAP user who is definitely listed as being in a given LDAP group in Keycloak admin console.
If I grant the User the admin Realm Role in the master realm, they can login and access the admin console for the master realm.
However, if I remove the direct role grant from the user and add it to the LDAP group instead, Keycloak doesn't think the user has the role and shows the user the error “You don't have access to the requested resource.” with the below exception:
2016-05-02 20:25:37,677 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/serverinfo: org.keycloak.services.ForbiddenException
at org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Is there something magical that needs to be configured for this to work? Or does this look like a bug?
I also did a quick test where I created a new local group, made the same role assignment to that group, and added the same LDAP user to the group; it did not grant access either.
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
8 years, 8 months
Nothing works to enable https
by Dean Peterson
I upgraded to the latest version (1.9.3). I followed all the steps in
chapter 3 of the documentation for wildfly. When I go to the login page it
is https; but when I log in as admin to the admin console, it immediately
switches back to http!? Why is the redirect-uri http instead of https?
8 years, 8 months
Fallback to secondary federation provider possible?
by Josh Cain
Hi all,
We're attempting to stack a number of FederationProviders, and I was
wondering if Keycloak currently does, or plans to support falling back to a
secondary provider *after* another provider has already been used.
For example, consider a realm with two providers configured:
1. ProviderA, Priority 0
2. ProviderB, Priority 1
Where ProviderB is a fall-back mechanism containing the same logical
userbase as ProviderA.
If *user1* logs into Keycloak and is associated with ProviderA, then
ProviderA goes down, we'd ideally like for ProviderB to be able to
authenticate the user. Right now, all our Keycloak instance does is
attempt to authenticate *user1* with ProviderA, then fails if the provider
is unsuccessful. Is there a way to failover to ProviderB should ProviderA
become unavailable?
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
8 years, 8 months
Example of roles manipulation via the REST API?
by Hristo Stoyanov
Hi,
Can someone show me a working example of changing the realm set of roles
for a user?
Here is an example that does not appear to work in KC1.9.3 - after the
execution, there is no effect in the console, the user roles remain
unchanged. No error whatsoever???
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.admin.client.resource.RolesResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.RoleRepresentation;

private static void updateRoles(Plan newPlan, UserResource user,
                                RealmResource realm) {
    //Get all realm roles
    RolesResource realmRoles = realm.roles();
    //Get the user's realm level roles
    RoleScopeResource userRoles = user.roles().realmLevel();
    //Get all existing plan roles to be removed. listAll() returns the roles
    //mapped directly to the user; listEffective() also includes roles inherited
    //through composites, which cannot be removed from the user directly.
    List<RoleRepresentation> rolesToRemove = userRoles.listAll()
        .stream()
        .filter((RoleRepresentation r) ->
            Roles.isPlanRole(r.getName()) || Roles.isExpiredPlanRole(r.getName()))
        .collect(Collectors.toList());
    //Add the new plan role (the representation sent must carry the role id)
    List<RoleRepresentation> rolesToAdd = new ArrayList<>(1);
    realmRoles
        .list()
        .stream()
        .filter(r -> r.getName().equals(newPlan.role.getName()))
        .findFirst().ifPresent((RoleRepresentation r) ->
            rolesToAdd.add(r));
    //Perform remove
    userRoles.remove(rolesToRemove);
    //Perform add
    userRoles.add(rolesToAdd);
    //Go check the admin console - Surprise .. nothing really changed???
}
And here is another example that does nothing:
...
RealmResource realm = admin.realm(RealmAdmin.REALM_NAME);
UserResource userResource = realm.users().get(userId);
UserRepresentation userRepresentation =
    userResource.toRepresentation();
...
//Assign new plan role (the method takes the representation, not the resource)
updateRoles(request.plan, userRepresentation);
userResource.update(userRepresentation);

private static void updateRoles(Plan newPlan, UserRepresentation
                                userRepresentation) {
    List<String> newRoles = userRepresentation.getRealmRoles();
    if (newRoles != null) {
        //Keep only the roles that are not (expired) plan roles. The result of
        //the stream must be assigned, otherwise the filtering is discarded.
        newRoles = newRoles.stream()
            .filter(r -> !Roles.isPlanRole(r) &&
                !Roles.isExpiredPlanRole(r))
            .collect(Collectors.toList());
    } else {
        newRoles = new ArrayList<>(1);
    }
    newRoles.add(newPlan.role.getName());
    //NOTE: realmRoles on UserRepresentation is only honoured when a realm or
    //user is imported. PUT /admin/realms/{realm}/users/{id} ignores it, so this
    //cannot change the mappings; use user.roles().realmLevel() add/remove instead.
    userRepresentation.setRealmRoles(newRoles);
}
/Hristo Stoyanov
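The plan-role switch attempted above, done against the admin REST endpoints that the Java admin client's UserResource.roles().realmLevel() wraps. This is an added example, not code from the original post or from Keycloak; the realm name, user id, role names, the plan:* naming convention and the FakeKeycloak stand-in are constructed.

```python
"""Switch a user's realm-level "plan" role via the Keycloak admin REST API.

Added example, not code from the original post. It drives the endpoints behind
UserResource.roles().realmLevel(): GET /admin/realms/{realm}/roles (all realm roles)
and GET / POST / DELETE /admin/realms/{realm}/users/{id}/role-mappings/realm (list,
add and remove direct mappings; POST and DELETE take a JSON [RoleRepresentation] body).
The transport is injected so the logic runs offline; plan:* naming is an assumption.
"""
import json
import urllib.request
from typing import Callable, List, Optional

Transport = Callable[[str, str, Optional[list]], list]
PLAN_PREFIXES = ("plan:", "plan-expired:")   # assumed naming convention

def is_plan_role(name: str) -> bool:
    return name.startswith(PLAN_PREFIXES)

def switch_plan_role(transport: Transport, realm: str, user_id: str, new_role: str) -> dict:
    """Remove every other directly mapped plan role, then add new_role (idempotent)."""
    base = f"/admin/realms/{realm}"
    mapping = f"{base}/users/{user_id}/role-mappings/realm"
    current = transport("GET", mapping, None)     # direct mappings, like listAll()
    to_remove = [r for r in current if is_plan_role(r["name"]) and r["name"] != new_role]
    to_add: List[dict] = []
    if not any(r["name"] == new_role for r in current):
        # The POST body needs the role's id, so look it up among the realm roles.
        to_add = [r for r in transport("GET", f"{base}/roles", None) if r["name"] == new_role]
        if not to_add:
            raise ValueError(f"realm role {new_role!r} does not exist in realm {realm!r}")
    if to_remove:
        transport("DELETE", mapping, to_remove)   # DELETE carries a JSON body
    if to_add:
        transport("POST", mapping, to_add)
    return {"removed": sorted(r["name"] for r in to_remove), "added": [r["name"] for r in to_add]}

def http_transport(server_url: str, token: str) -> Transport:
    """Real transport. server_url and the admin bearer token are placeholders you supply."""
    def call(method: str, path: str, body: Optional[list]) -> list:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(server_url + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else []
    return call

class FakeKeycloak:
    """Constructed in-memory stand-in for the endpoints above; records every call."""
    def __init__(self, realm_roles: List[dict], user_roles: List[dict]):
        self.realm_roles = {r["name"]: r for r in realm_roles}
        self.user_roles = {r["name"]: r for r in user_roles}
        self.calls: List[tuple] = []
    def __call__(self, method: str, path: str, body: Optional[list]) -> list:
        self.calls.append((method, path, body))
        if path.endswith("/roles"):
            return list(self.realm_roles.values())
        if method == "GET":
            return list(self.user_roles.values())
        for r in body or []:           # POST adds, DELETE removes
            if method == "DELETE":
                self.user_roles.pop(r["name"], None)
            else:
                self.user_roles[r["name"]] = r
        return []
```

Against a live server, pass `http_transport("https://<host>/auth", token)` in place of the fake; the recorded calls show the exact method, path and body sequence the server receives.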
8 years, 8 months
custom user federation syncAllUsers
by Juan Diego
I was checking the example for federation-properties-example. In both
examples, when you sync all users, it just checks for the users in the
properties file and adds them to Keycloak if they don't exist.
If I want to do it both ways, so that it adds users from Keycloak to my
database and users from my database to Keycloak, should I add them here?
I am not managing any password in my database, so I just need user id and
username and maybe email.
Also, when I add a new user I can tell that synchronizeRegistrations() is
being called, but it is null. In order to create a new user in my database,
should I call a create user function for my database here?
Thanks,
8 years, 8 months
Re: [keycloak-user] custom user federation syncAllUsers
by Stian Thorgersen
Adding list back
For your use-case user federation is not the way to go. As I said it's been
designed to pull users from an external datasource into Keycloak, not to
sync users into your application.
You have two options really:
a) Add users when they log in to your application. All the details you need
about the user can be added to the token, and you should only store what
your application needs when the user is not around; the rest you can
retrieve from the token. This is the simplest and I'd recommend this.
b) Add an event listener that notifies your application when new users
register (if you have registration enabled) and when admins create users.
On 4 May 2016 at 09:44, Juan Diego <juandiego83(a)gmail.com> wrote:
> It is more a question of design, I think. I have my app with its own
> database, it has a table users with a relation one to many to another
> table let's call it songs. The only reason I have the table users in my
> app is because I need a way to know which songs belong to my users. I am
> using keycloak to manage my login.
> I asked a while a long how people handle this and someone referred to
> custom federation providers.
> My question is really regarding how to handle the relations of your data
> when you have your users in a different database from the rest of your
> data.
>
> So far I can only think on 3 ways to solve this
> 1) providers syncing users from Keycloak to my database, replicating the user
> ID. I managed to make this work in my provider in the end, before you told
> me providers are not meant for this.
> 2) managing users in my own app. By this I mean I wouldn't use the Keycloak
> web interface to create or delete users. I have a form to create users in
> my app, and when I save the data it connects to Keycloak's REST API and
> creates a user; if that works, it copies the username, email and the ID generated by
> Keycloak to my local users table.
> 3) adding users in Keycloak first, then if they log in for the first time,
> add the user to the database.
>
> So far I was doing the 2nd option, it seems the best suited. Is there
> another way to maintain data relation with keycloak
> On May 4, 2016 1:08 AM, "Stian Thorgersen" <sthorger(a)redhat.com>
> wrote:
>
>> Not sure I'm following. Keycloak can sync users created from your
>> database, but it can't write users back. New users created in Keycloak
>> directly are only stored in Keycloaks database.
>>
>> On 29 April 2016 at 23:52, Juan Diego <juandiego83(a)gmail.com> wrote:
>>
>>> So the recommended way would be to create my own user administrator, and
>>> when I create a user it will create a user in Keycloak via Keycloak's REST
>>> API.
>>>
>>>
>>>
>>> On Thu, Apr 28, 2016 at 11:21 PM, Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> User federation isn't designed to push users created in Keycloak to the
>>>> database. It only supports syncing users that are created in the database.
>>>>
>>>> On 27 April 2016 at 18:55, Juan Diego <juandiego83(a)gmail.com> wrote:
>>>>
>>>>> I was checking the example for federation-properties-example. In both
>>>>> examples, when you sync all users, it just checks for the users in the
>>>>> properties file and adds them to Keycloak if they don't exist.
>>>>> If I want to do it both ways, so that it adds users from Keycloak to my
>>>>> database and users from my database to Keycloak, should I add them here?
>>>>> I am not managing any password in my database, so I just need user id and
>>>>> username and maybe email.
>>>>>
>>>>> Also, when I add a new user I can tell that synchronizeRegistrations()
>>>>> is being called, but it is null. In order to create a new user in my
>>>>> database, should I call a create user function for my database here?
>>>>>
>>>>> Thanks,
8 years, 8 months
PubSub eventing on user management
by Guus der Kinderen
Hello all,
Can you suggest an approach (or better yet, an existing solution if one is
available) for the following?
We have an application that is interested in events regarding user
management. We would like it to be notified of user creation, modification
and deletion that occurs within Keycloak.
Is there some kind of publish/subscribe mechanism available for this?
Our initial thought was to create a module for Keycloak, that would somehow
register itself as an event listener, and subsequently transmit those
events via the XMPP pub/sub mechanism (our software is XMPP-capable).
Thoughts?
Regards,
Guus
8 years, 8 months
NPE after importing master realm/Keycloak 1.9.2
by Bystrik Horvath
Hi,
I'm facing a NullPointerException when logging in to the security admin console after
importing the master realm.
I just wanted to restrict access to the master realm to SSL only, so in the
security admin console I changed 'Require SSL' to 'all requests' in the master realm
settings, saved, and exported the master realm. After a successful import,
using the "overwrite existing" strategy, I get the NPE below after logging in to
master.
Is it a bug or do I do anything wrong by manipulating the master realm?
Best regards,
Bystrik
12:35:12,820 ERROR [io.undertow.request] (default task-38) UT005023: Exception handling request to /auth/admin/master/console/whoami: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at org.keycloak.services.resources.admin.AdminConsole.addMasterRealmAccess(AdminConsole.java:239)
at org.keycloak.services.resources.admin.AdminConsole.whoAmI(AdminConsole.java:212)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
8 years, 8 months
Token audience doesn't match domain
by Dean Peterson
I use OpenShift to apply a wildcard certificate to my routes to Keycloak. I
can add https that way. However, even though I can apply https to the
route and hard-code https into the keycloak.json files for the auth-server-url,
I get the "Token audience doesn't match domain" errors because some
auto-generated URL in Keycloak thinks everything is http. I really don't want
to have to go through the work of setting up a keystore and everything else
within WildFly when I really don't need it, since my route in OpenShift
handles the https part. Is there a way around this?
8 years, 8 months