How to create the same client (same id) for multiple realms programmatically
by Haim Vana
Hi,
I am trying to create the same client for many realms; however, it is created only once, probably because they have the same id. In the UI, however, I am able to create it.
Any idea how I can create the same client for different realms programmatically with the same id?
This is my code sample:
ClientRepresentation clientRepresentation = new ClientRepresentation();
clientRepresentation.setId(clientId); // Same clientId for all realms
realm.clients().create(clientRepresentation); // Client is created only for first realm
Any advice will be appreciated,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
8 years, 7 months
How to get user id programmatically
by Haim Vana
Hi,
How can I get the user id programmatically? I am trying to use the search API as below, however I am not getting any results although the user exists within the realm.
keyCloakClient.realms().realm(realmName).users().search(user.getUserName(), user.getFirstName(), user.getLastName(), user.getEmail(), 1/*pagination offset*/, 1/*max results*/);
Any advice will be appreciated.
Thanks,
Haim.
8 years, 7 months
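An added example for the two questions above (not code from the original posts): it creates the same clientId in several realms by setting clientId and leaving the internal id for the server to assign, and looks up a user's internal id with the search started at offset 0. Server URL, credentials, realm and user names are placeholders; the admin client calls are the ones used in the posts.

```java
import java.util.Arrays;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class AdminClientExamples {

    // Creates a client with the same clientId in every listed realm. The internal
    // "id" is left unset: it is a server-wide primary key, so reusing one value
    // across realms only succeeds for the first realm.
    static void createClientInRealms(Keycloak keycloak, List<String> realmNames, String clientId) {
        for (String realmName : realmNames) {
            RealmResource realm = keycloak.realm(realmName);
            if (!realm.clients().findByClientId(clientId).isEmpty()) {
                System.out.println(realmName + ": " + clientId + " already exists, skipping");
                continue;
            }
            ClientRepresentation rep = new ClientRepresentation();
            rep.setClientId(clientId);                // unique per realm, not server-wide
            rep.setPublicClient(false);               // confidential client with a secret
            rep.setDirectAccessGrantsEnabled(false);  // no password grant unless needed
            Response response = realm.clients().create(rep);
            try {
                if (response.getStatus() != 201) {
                    throw new IllegalStateException(realmName + ": HTTP " + response.getStatus());
                }
            } finally {
                response.close();
            }
        }
    }

    // Returns the internal user id for an exact username match, or null.
    // The username search is a substring match and firstResult is a zero-based
    // offset, so start at 0 and filter the page for the exact name.
    static String findUserId(Keycloak keycloak, String realmName, String username) {
        List<UserRepresentation> page = keycloak.realm(realmName).users()
                .search(username, null, null, null, 0, 20);
        for (UserRepresentation user : page) {
            if (username.equalsIgnoreCase(user.getUsername())) {
                return user.getId();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Placeholder server URL and credentials; use a dedicated admin account.
        Keycloak keycloak = Keycloak.getInstance(
                "https://keycloak.example.test/auth", "master", "admin", "<admin-password>", "admin-cli");
        createClientInRealms(keycloak, Arrays.asList("tenant-a", "tenant-b"), "reporting-service");
        System.out.println("user id: " + findUserId(keycloak, "tenant-a", "alice"));
    }
}
```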
Disabling unique email restriction in Keycloak
by Nidhi Rachora
Hi Keycloak Team,
I am working on migrating an existing application to Keycloak. In the
existing application, unique ‘member_ids’ are used as usernames and the
‘email’ field can be duplicate. However on logging into Keycloak, members
with duplicate emails are not allowed. So I have identified two areas to
work on:
Task I) Allow members with unique member ids (who may/ maynot have unique
email) to login.
Task II) Disable login using email.
Solution:
So as a solution to the first task, in my CustomUserFederation, I have made
the following changes:
// Code snippet 1
class CustomFederationProvider implements UserFederationProvider {
    // ...
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        // ...
        if (apiCustomer.getEmailAddresses() != null &&
                apiCustomer.getEmailAddresses().size() > 0) {
            // Changed to handle duplicate emails using sub-addressing, so email
            // mailid@domain is saved as mailid+member_id@domain
            userModel.setEmail(
                    subaddress(apiCustomer.getEmailAddresses().get(0).getEmail(),
                            userModel.getMember_id()));
        }
        // ...
    }
}

// Code snippet 2
class CustomUserModelDelegate extends UserModelDelegate {
    // ...
    @Override
    public String getEmail() {
        String email = super.getEmail();
        try {
            // Changed to handle duplicate emails using sub-addressing, so while
            // retrieving the email, mailid+member_id@domain is processed as mailid@domain
            email = removeSubaddress(email);
        } catch (Exception e) {
            // ...
        }
        return email;
    }
    // ...
}
Now my queries are:
1.) Will my solution of sub-addressing the email resolve the first issue
without any side-effects?
2.) How do I disable logging in using emails from Keycloak?
Regards,
Nidhi Rachora
8 years, 7 months
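One possible implementation of the subaddress and removeSubaddress helpers the snippets above call, written here as an added example rather than taken from the post, with the edge cases (malformed address, an address that already carries a + tag, an unsafe member id) handled explicitly; the allowed member-id character set is an assumption.

```java
import java.util.regex.Pattern;

// Sub-addressing helpers for the federation provider above: the persisted address
// carries the member id as a "+" tag, so two members sharing a mailbox no longer
// collide on Keycloak's unique-email check. The tagged form is what is stored, so
// any code path reading the stored email instead of the delegate sees the tag,
// and both members still receive mail in the same mailbox.
public final class EmailSubaddressing {

    private static final Pattern SAFE_TAG = Pattern.compile("[A-Za-z0-9_-]+");

    // shared@example.com + member 4711 -> shared+4711@example.com
    static String subaddress(String email, String memberId) {
        int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            throw new IllegalArgumentException("not an email address: " + email);
        }
        String local = email.substring(0, at);
        if (local.indexOf('+') >= 0) {
            // Refuse rather than nest tags; removeSubaddress would strip the user's own tag.
            throw new IllegalArgumentException("local part already has a sub-address: " + email);
        }
        if (!SAFE_TAG.matcher(memberId).matches()) {
            throw new IllegalArgumentException("member id not safe in a local part: " + memberId);
        }
        return local + "+" + memberId + email.substring(at);
    }

    // shared+4711@example.com -> shared@example.com; untagged addresses and null pass through.
    static String removeSubaddress(String email) {
        if (email == null) return null;
        int at = email.lastIndexOf('@');
        int plus = email.indexOf('+');
        if (at <= 0 || plus <= 0 || plus >= at) return email;
        return email.substring(0, plus) + email.substring(at);
    }

    public static void main(String[] args) {
        // Constructed sample values; round trip must return the original address.
        String tagged = subaddress("shared@example.com", "4711");
        if (!tagged.equals("shared+4711@example.com")) throw new AssertionError(tagged);
        if (!removeSubaddress(tagged).equals("shared@example.com")) throw new AssertionError();
        if (!removeSubaddress("plain@example.com").equals("plain@example.com")) throw new AssertionError();
        System.out.println("round trip ok: " + tagged);
    }
}
```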
Kc_idp_hint problems
by Kristiaan Jansen
Hi all
I am trying to get automatic identity provider selection working but am having no success.
What I have tried:
https://myurl.com?kc_idp_hint=idpalias1
https://myurl.com/index.kees?kc_idp_hint=idpalias1
I am using Keycloak 1.9.2
Authenticate by default is off for all identity providers
I have 3 identity providers.
The effect I am seeing is that I always get the idp selection page.
If I enable Authenticate by default for all identity providers it always redirects to the top idp.
Has anybody seen this feature work?
Thanks,
Kris
8 years, 7 months
Management of compromising bug tickets
by Brian Watson
Hey all,
I love the fact that your backlog is very transparent, and that I can see a
list of all tasks completed for a given release.
However, I was wondering how you handle tasks for compromising bugs? For
instance, one could look in the backlog for a bug that states "If you send
'123' to the master realm token endpoint at precisely 6:59am on a Tuesday,
and you will be granted an admin token! Please Fix!", and use that
information to gain access to the systems of those using Keycloak.
Thank you in advance.
8 years, 7 months
Schedule background jobs as user
by Jesse Chahal
So we've done a lot of work on our migration to keycloak but still
have a few holes that are using another authentication system. We are
using Wildfly10 along with the keycloak subsystem. The last real
blocking issue is trying to schedule background tasks on behalf of a
user using quartz. We've tried using impersonation role and mocking
out the impersonation workflow that a browser does, it was fairly
complicated and did not work very well. Service accounts don't seem to
fit this scenario either as service accounts seem to be for performing
client specific actions. We considered storing offline tokens on
behalf of users but the thing is users might not log in for years
after scheduling their job. We need to set the Context and Principal
to be the user who we are performing background tasks on behalf of. Is
there a recommended way of doing this that has been tested by others?
I'm sure we aren't the only company who schedule tasks on behalf of
users.
8 years, 7 months
Keycloak, Multitenancy and Dynamic Configuration
by John D. Ament
Hey,
So far, Keycloak seems awesome. Kudos to you guys for getting something
working so well.
I'm curious about using Keycloak for multitenancy. It seems like in theory
what I'm looking for should work, but wanted to confirm. I have a
multitenant app. The app will dynamically create tenants at runtime, so
not configuration pre-deployment. If I'm reading correctly, I just need to
build a dynamic KeycloakDeployment at runtime. Is it possible to configure
this not off of JSON files? Do I just have to call the setter on the
various KeycloakDeployment methods?
John
8 years, 7 months
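An added example of the approach John describes (not his code or the project's): a KeycloakConfigResolver that builds a KeycloakDeployment per tenant from an AdapterConfig object instead of a JSON file and caches it. It assumes the adapter-core API where resolve() takes an OIDCHttpFacade.Request, a hypothetical Tenant record and lookup function, and the tenant name as the first path segment.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

// Per-tenant deployments built at runtime from setters on AdapterConfig.
public class TenantConfigResolver implements KeycloakConfigResolver {

    // Hypothetical tenant record owned by the application.
    public static final class Tenant {
        final String realm, clientId, clientSecret;
        public Tenant(String r, String c, String s) { realm = r; clientId = c; clientSecret = s; }
    }

    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();
    private final Function<String, Tenant> tenantLookup;  // e.g. a database query
    private final String authServerUrl;

    public TenantConfigResolver(Function<String, Tenant> tenantLookup, String authServerUrl) {
        this.tenantLookup = tenantLookup;
        this.authServerUrl = authServerUrl;
    }

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        String name = tenantFromPath(request.getRelativePath());
        KeycloakDeployment cached = cache.get(name);
        if (cached != null) return cached;
        Tenant tenant = tenantLookup.apply(name);
        if (tenant == null) {
            // Unknown tenant: never fall back to another tenant's deployment. An empty
            // deployment has no realm or key, so no token can validate against it.
            return new KeycloakDeployment();
        }
        KeycloakDeployment built = build(tenant);
        cache.putIfAbsent(name, built);
        return built;
    }

    // Call when a tenant is removed or its client secret is rotated.
    public void evict(String tenantName) { cache.remove(tenantName); }

    private KeycloakDeployment build(Tenant t) {
        AdapterConfig cfg = new AdapterConfig();
        cfg.setRealm(t.realm);
        cfg.setResource(t.clientId);
        cfg.setAuthServerUrl(authServerUrl);
        cfg.setSslRequired("external");
        cfg.setCredentials(Collections.<String, Object>singletonMap("secret", t.clientSecret));
        return KeycloakDeploymentBuilder.build(cfg);
    }

    // "/acme/api/orders" -> "acme"; a path with no tenant segment yields "".
    static String tenantFromPath(String relativePath) {
        String p = relativePath == null ? "" : relativePath.replaceFirst("^/+", "");
        int slash = p.indexOf('/');
        return slash < 0 ? p : p.substring(0, slash);
    }
}
```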
Retrieve Roles-Groups association from LDAP
by Harits Elfahmi
Hello guys,
We're trying to sync roles and groups from LDAP to Keycloak and vice versa.
If we attach some keycloak roles to a group, can this association be synced
back to LDAP? How should I config my User Federation Mapper for Group
mapper?
From what I understand we can set the Membership LDAP Attribute, but I
think this is to associate between groups and users, not groups and roles.
Is it possible to do this, or can the group-roles association only be
configured from keycloak?
Thanks
--
Cheers,
*Harits* Elfahmi
8 years, 7 months
Kerberos token
by Gareth Healy
I am trying to hook up APIMan with Keycloak using Kerberos and OAuth2. I am
trying to get a token from Keycloak using the following URL:
curl -X POST http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" -d 'password=Secret123' -d 'grant_type=password' \
  -d 'client_id=mapper' -d 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51) Using executions for client authentication: [de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: ADD on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid: afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin], gecos=[Administrator], sn=[Administrator], cn=[Administrator], createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]}, readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51) Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/freeipa/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
    at org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
    at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Looking in the code, I can see I am missing the "flowPath", but not sure
where this should be set.
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
8 years, 7 months
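Read against the trace above, the direct grant flow reaches auth-spnego (ALTERNATIVE) after direct-grant-validate-password (DISABLED), and SpnegoAuthenticator's redirect challenge fails in getActionUrl because there is no flow path to build it from. The following is an added example, not Gareth's or Keycloak's code, that lists the executions of a realm's direct grant flow through the admin client and flags browser-only authenticators and a missing password check; the server URL and credentials are placeholders, and the admin client flow API (realm.flows().getExecutions) is assumed to be available.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;

public class DirectGrantFlowAudit {

    // Authenticators that answer with a redirect or a challenge page; the token
    // endpoint has no browser flow to render them, as the trace shows for auth-spnego.
    static final Set<String> BROWSER_ONLY = new HashSet<>(Arrays.asList(
            "auth-spnego", "auth-cookie", "identity-provider-redirector"));

    // Walks the flow bound as the realm's direct grant flow and returns findings.
    static List<String> audit(RealmResource realm) {
        List<String> findings = new ArrayList<>();
        String flowAlias = realm.toRepresentation().getDirectGrantFlow();  // e.g. "direct grant"
        boolean passwordRequired = false;
        for (AuthenticationExecutionInfoRepresentation ex : realm.flows().getExecutions(flowAlias)) {
            String provider = ex.getProviderId();   // null for sub-flow rows
            String requirement = ex.getRequirement();
            if (provider == null || "DISABLED".equals(requirement)) {
                continue;
            }
            if (BROWSER_ONLY.contains(provider)) {
                findings.add(flowAlias + ": " + provider + " is " + requirement
                        + ", a browser authenticator cannot complete at the token endpoint");
            }
            if ("direct-grant-validate-password".equals(provider) && "REQUIRED".equals(requirement)) {
                passwordRequired = true;
            }
        }
        if (!passwordRequired) {
            findings.add(flowAlias + ": direct-grant-validate-password is not REQUIRED");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Placeholder server URL and credentials.
        Keycloak keycloak = Keycloak.getInstance(
                "https://keycloak.example.test/auth", "master", "admin", "<admin-password>", "admin-cli");
        for (String finding : audit(keycloak.realm("freeipa"))) {
            System.out.println(finding);
        }
    }
}
```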