Reverse proxy calling admin API
by Christian Bauer
Hi
I'm trying to call the /admin/* API endpoints through a reverse proxy. The access token is granted to a JavaScript application, and the issuer of the token is therefore the reverse proxy. (This is actually a regular app that just happens to forward/create some requests to Keycloak.)
The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-* headers. Keycloak/WildFly is configured with proxy-address-forwarding=true.
The request is authenticated in Keycloak with this line in AuthenticationManager.java:
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
This assumes that the "configured issuer" of a token is the JAX-RS UriInfo#getBaseUri() and fails with:
2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify identity token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from configuration is http://192.168.99.100:8081/auth/realms/master
The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
How can I call the API with a token obtained through a reverse proxy?
Thanks,
Christian
8 years, 7 months
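An added example, not Keycloak code and not from Christian's post, that models the issuer comparison his log line shows: the expected issuer is rebuilt from the base URI the container saw and compared with the token's iss, then rebuilt again with X-Forwarded-Proto/Host/Port applied. The host and port values and the header set are constructed to reproduce the mismatch in the thread; whether a given container honours the forwarded headers when it builds UriInfo is not something this example decides, the trust_proxy flag simply stands in for both outcomes.

```python
"""Added example (not Keycloak code): the issuer check behind
"Token audience doesn't match domain", modelled on a request that
arrives through a reverse proxy."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed to match the thread: the token was issued for the proxy's
# address (localhost:8080); Keycloak itself listens on 192.168.99.100:8081.
CONTAINER_BASE_URI = "http://192.168.99.100:8081/auth/"
TOKEN_ISS = "http://localhost:8080/auth/realms/master"
PROXIED_HEADERS = {
    "X-Forwarded-For": "10.0.0.5",
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Host": "localhost:8080",
}


def realm_issuer(base_uri: str, realm: str) -> str:
    """Same shape as Urls.realmIssuer(baseUri, realm): <base>/realms/<realm>."""
    return base_uri.rstrip("/") + "/realms/" + realm


def effective_base_uri(base_uri: str, headers: dict, trust_proxy: bool) -> str:
    """Rebuild the base URI the caller actually used.

    trust_proxy=False: use what the container saw (the UriInfo case in the post).
    trust_proxy=True:  let X-Forwarded-Proto/Host/Port override scheme, host and
    port. That is only safe when the proxy overwrites those headers on every
    request and is the only path to the server; otherwise a client can pick
    its own issuer string."""
    parts = urlsplit(base_uri)
    scheme, netloc, path = parts.scheme, parts.netloc, parts.path
    if trust_proxy:
        h = {k.lower(): v for k, v in headers.items()}
        scheme = h.get("x-forwarded-proto", scheme).lower()
        if "x-forwarded-host" in h:
            # Chained proxies may append hops; the first entry is client-facing.
            netloc = h["x-forwarded-host"].split(",")[0].strip()
        port = h.get("x-forwarded-port")
        if port and ":" not in netloc and port != DEFAULT_PORTS.get(scheme):
            netloc = f"{netloc}:{port}"
    return f"{scheme}://{netloc}{path}"


def check_issuer(token_iss: str, base_uri: str, headers: dict,
                 realm: str, trust_proxy: bool):
    """Return (ok, expected_issuer) or (False, error message)."""
    expected = realm_issuer(effective_base_uri(base_uri, headers, trust_proxy), realm)
    if token_iss != expected:
        return False, (f"Token issuer is {token_iss}, but URL from "
                       f"configuration is {expected}")
    return True, expected


if __name__ == "__main__":
    for trust in (False, True):
        print("trust_proxy =", trust, "->",
              check_issuer(TOKEN_ISS, CONTAINER_BASE_URI, PROXIED_HEADERS, "master", trust))
```

The trust_proxy=True branch reproduces the issuer the token carries, which is the point: the issuer is a property of the URL the client used, so a server behind a proxy must either derive its base URI from the forwarded headers or have a fixed, configured issuer. Either way, forwarded headers must be trusted only from the proxy.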
Keycloak API Integration/JAR
by John D. Ament
Hi,
I was wondering, is there an API JAR that would allow me to interact with Keycloak in a more type-safe way? I've been through the REST API and I suspect it will do everything I need, but the work to actually build out the client seems pretty heavy, so having an existing client sounds pretty useful.
John
8 years, 7 months
How to assign client roles to realm admin user programmatically
by Haim Vana
Hi,
I am trying to create an admin user for a specific realm programmatically. I am able to create the user; however, I can't assign the realm client roles to it.
For example in the UI I would go to the user 'Role Mappings' choose the realm client role and move the required roles from the Available section to the Assigned.
When I try to do it programmatically I get a 404. My code is below; note that I get the 404 on the last line (adminUserClientRole.listAvailable()).
createUserAndPsw(keyCloakClient, "master", user);
RealmResource realm = keyCloakClient.realm("master");
UserResource userResource = realm.users().get(user.getKeyCloakId());
RoleMappingResource roles = userResource.roles();
RoleScopeResource adminUserClientRole = roles.clientLevel(tenantId + "-realm");
adminUserClientRole.add(adminUserClientRole.listAvailable());
Any advice will be appreciated.
Thanks,
Haim.
8 years, 7 months
LazyInitializationException on Partial import
by Vincent Sluijter
During a partial import with OVERWRITE selected, Keycloak throws the following error:
UT005023: Exception handling request to /auth/admin/realms/test/partialImport: org.jboss.resteasy.spi.UnhandledException: org.hibernate.LazyInitializationException: failed to lazily initialize a collection, could not initialize proxy - no Session
Is this feature broken in Keycloak 1.9.1.Final?
I'm trying to change a parameter in an identity provider. Is this possible through this method?
I also get the error when I try to import the full identity provider, for which the partial import works when it does not exist.
8 years, 7 months
Jetty Maven Plugin
by LEONARDO NUNES
Hi, is it possible to configure Keycloak to run with Jetty Maven Plugin? Have anyone done this?
I didn't find an equivalent way to do the steps below at the pom file.
java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
or
OPTIONS=Server,jsp,jmx,resources,websocket,ext,plus,annotations,keycloak
I was able to configure Keycloak to run with Tomcat Maven Plugin.
If anyone needs help with that, let me know.
--
Leonardo
8 years, 7 months
Redirect_url is not supported anymore since 1.9.4.Final
by Charles Moulliard
Hi
I have configured Openshift + Keycloak as Identity Provider
This request, which was working with version 1.9.2.Final,
https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/a...
doesn't work anymore with 1.9.4.Final; "Invalid parameter: redirect_uri" is displayed in the web browser.
The server reports this error :
19:09:34,964 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=openshift, clientId=openshift, userId=null, ipAddress=192.168.1.80, error=invalid_redirect_uri, response_type=code, redirect_uri=https://192.168.99.100:8443/oauth2callback/keycloak, response_mode=query
Do we have to change something within the config (clientId, ...) ?
Regards,
Charles
8 years, 7 months
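An added example, not Keycloak's implementation and not from Charles's post, of the kind of redirect_uri check an OIDC authorization endpoint runs before it sends the browser anywhere. The registered URI list is an assumption (the thread does not say what the openshift client has configured); it is constructed so that the 192.168.99.100 callback from the event log is not registered and fails in the same way, with an error page rather than a redirect. The wildcard handling goes slightly beyond the thread to show why a wildcard must sit inside the path.

```python
"""Added example (not Keycloak's implementation): an invalid_redirect_uri
check of the kind the authorization endpoint performs before redirecting.
Registered URIs and the request parameters are constructed."""
from urllib.parse import urlsplit

# Constructed assumption: the only Valid Redirect URI registered for the
# "openshift" client uses the 192.168.1.80 host from the thread.
REGISTERED = ["https://192.168.1.80:8443/oauth2callback/keycloak"]


def _normalize(uri: str) -> str:
    """Lower-case scheme and host/port only; path and query compare as-is."""
    p = urlsplit(uri)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def registration_is_safe(registered: str) -> bool:
    """Allow '*' only as the last character and only inside the path.
    'https://app.example.com*' would also match
    https://app.example.com.evil.net/..., so it is refused up front."""
    if "*" not in registered:
        return True
    prefix, _, rest = registered.partition("*")
    return rest == "" and urlsplit(prefix).path.startswith("/")


def _matches(registered: str, requested_normalized: str) -> bool:
    if registered.endswith("*"):
        return requested_normalized.startswith(_normalize(registered[:-1]))
    return requested_normalized == _normalize(registered)


def validate_redirect_uri(registered_uris, requested: str):
    """Return the registered entry that matched, or None (invalid_redirect_uri)."""
    if "#" in requested:            # RFC 6749 section 3.1.2: no fragment component
        return None
    req = _normalize(requested)
    for r in registered_uris:
        if registration_is_safe(r) and _matches(r, req):
            return r
    return None


def authorize(registered_uris, params: dict) -> dict:
    """First step of the authorization endpoint: validate the redirect target
    before anything else. On failure the user agent gets an error page and is
    never redirected, because an unvalidated redirect would leak the code."""
    requested = params.get("redirect_uri", "")
    if validate_redirect_uri(registered_uris, requested) is None:
        return {"error": "invalid_redirect_uri",
                "event": f"type=LOGIN_ERROR, clientId={params.get('client_id')}, "
                         f"error=invalid_redirect_uri, redirect_uri={requested}"}
    return {"redirect_uri": requested, "state": params.get("state")}


if __name__ == "__main__":
    print(authorize(REGISTERED, {"client_id": "openshift", "response_type": "code",
                                 "redirect_uri": "https://192.168.99.100:8443/oauth2callback/keycloak"}))
```

Every host, port and path byte of the redirect_uri has to line up with a registered entry; a change of address on the relying party (the 192.168.1.80 vs 192.168.99.100 difference in the log) is exactly the case this check exists to refuse.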
Validating JWT tokens
by Aikeaguinea
I have a client with a service account and credentials using Signed JWT. Authentication works fine. The service uses org.keycloak.adapters.authentication.ClientCredentialsProviderUtils#setClientCredentials to create the JWT token and set the headers, and I get back a JWT containing an access token from Keycloak.
However, when I use jwt.io to look at the access token, I can't validate the signature. This is true whether I use the client certificate (from the client's Credentials tab), the realm public key, or the realm certificate. In addition, I have generated the client's public key from the certificate using
keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore client-keystore.jks | openssl x509 -inform pem -pubkey
on the JKS file supplied when I generated the client credentials, and that doesn't work either.
We've also been having trouble validating the signature programmatically using Java.
Any idea why I might be seeing this?
8 years, 7 months
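An added example, not Keycloak or adapter code and not from the post, of what an RS256 check of an access token actually does: the signature covers the ASCII bytes of the first two base64url segments exactly as they appear in the token, the verifier pins the algorithm rather than reading it from the header, and only after the signature holds are the claims inspected. The key pair is a throwaway one generated in pure Python so the example runs offline; against a real token you would substitute the realm's RSA public key (n, e). It is the realm key that signs the access token, not the client's Signed JWT credential, which is only used to authenticate the client.

```python
"""Added example (not Keycloak or adapter code): RS256 verification of a
compact JWT, with a throwaway RSA key pair generated in pure Python."""
import base64
import hashlib
import hmac
import json
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; enough for a demo key, not a replacement for a real keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_keypair(bits: int = 1024):
    """Return (public, private) as {n, e} and {n, d}. Demo sizes only."""
    e, half = 65537, bits // 2

    def prime() -> int:
        while True:
            c = _rng.getrandbits(half) | (1 << (half - 1)) | 1
            if (c - 1) % e and _is_probable_prime(c):   # keep e invertible mod phi
                return c

    p, q = prime(), prime()
    while q == p:
        q = prime()
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input: bytes, priv: dict) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, priv["d"], priv["n"]).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, signature: bytes, pub: dict) -> bool:
    """Recompute the whole PKCS#1 v1.5 block and compare it in full; lenient
    parsing of the recovered block is how forged signatures got past e=3 verifiers."""
    k = (pub["n"].bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))


def issue_jwt(claims: dict, priv: dict, kid: str = "realm-key") -> str:
    """Mint a compact JWS the way a realm does: sign the ASCII of header.payload."""
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in ({"alg": "RS256", "typ": "JWT", "kid": kid}, claims)]
    signing_input = ".".join(segs)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode("ascii"), priv))


def verify_jwt(token: str, pub: dict, expected_iss: str):
    """Return the claims, or None. Algorithm is pinned by the verifier, the
    signature is checked before the payload is trusted, then iss is compared."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        if json.loads(b64url_decode(h)).get("alg") != "RS256":
            return None
        if not rs256_verify(f"{h}.{p}".encode("ascii"), b64url_decode(s), pub):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if claims.get("iss") == expected_iss else None
```

Two practical consequences for the jwt.io experiment in the post: the key pasted into the verifier must be the public key of whatever signed the token (here the realm key, in SPKI PEM form, not the client's certificate), and any whitespace or re-encoding of the header or payload segment changes the signed bytes and breaks the check. A real verifier additionally checks exp and the intended audience, which this example leaves out.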
Checkbox in User Attributes
by Chris Hairfield
Hello,
We're running into an issue unchecking a checkbox in our account theme and came across the following post with no answer. As Libor asks the question elegantly, I'll copy his text verbatim and hope someone now has an answer.
Hi,
I'd like to use user attributes to store information like "Subscribe to newsletter", which is obviously a checkbox.
How should I implement it in my account.ftl?
I have in account.ftl:
<div class="form-group">
  <div class="checkbox">
    <label for="user.attributes.newsletter" class="control-label">
      <input type="checkbox" class="form-control" id="user.attributes.newsletter" name="user.attributes.newsletter" <#if account.attributes.newsletter??>checked</#if>/>
      ${msg("newsletter")}
    </label>
  </div>
</div>
When I tick it and submit the form everything is OK, but when I untick it and submit, the checkbox is still checked.
I guess it's because the checkbox state is included in the HTTP form data only when it's checked.
How do I handle this in the KC UI?
I remember that other frameworks used some hidden fields to post the information whether the checkbox was ticked or not. But I'm not sure how the KC GUI framework handles this use case.
Thanks,
Libor Krzyžanek, jboss.org Development Team
8 years, 7 months
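An added example, not from Keycloak's account theme and not from either poster, showing the mechanism Libor suspects and the hidden-field pattern other frameworks use for it: a hidden input named like the checkbox carries "off" and is placed before the checkbox, so the browser posts "off" alone when the box is unticked and "off" followed by "on" when it is ticked, and the server takes the last value. The form bodies below are constructed, and the attribute-update loop is a generic model of "only update what was posted", which is the behaviour that leaves the attribute stuck at its old value.

```python
"""Added example (not Keycloak's account theme code): why an unticked
checkbox comes back still checked, and the hidden-field fix."""
from typing import Optional
from urllib.parse import parse_qsl

FIELD = "user.attributes.newsletter"
ALLOWED = ("on", "off")


def render_checkbox(field: str, checked: bool) -> str:
    """Hidden 'off' first, checkbox 'on' second. Browsers post successful
    controls in document order, so the checkbox value overrides the hidden one
    only when the box is ticked."""
    hidden = f'<input type="hidden" name="{field}" value="off"/>'
    box = (f'<input type="checkbox" name="{field}" value="on"'
           f'{" checked" if checked else ""}/>')
    return hidden + box


def posted_value(body: str, field: str) -> Optional[str]:
    """Last value for the field wins; None when the browser sent nothing for it,
    which is what happens for a plain unticked checkbox."""
    values = [v for k, v in parse_qsl(body, keep_blank_values=True) if k == field]
    return values[-1] if values else None


def apply_update(attributes: dict, body: str, field: str = FIELD) -> dict:
    """Generic attribute update: touches only fields present in the post. With
    a bare checkbox that means an untick is invisible and the old 'on' stays.
    Values outside on/off are refused so the stored attribute remains a
    boolean flag rather than attacker-chosen free text."""
    updated = dict(attributes)
    value = posted_value(body, field)
    if value is not None:
        if value not in ALLOWED:
            raise ValueError(f"{field}: unexpected value {value!r}")
        updated[field] = value
    return updated


if __name__ == "__main__":
    # Constructed bodies: what the browser sends for the original markup when
    # the box is unticked, and for the hidden-field markup in both states.
    print(apply_update({FIELD: "on"}, "user.attributes.name=Libor"))
    print(apply_update({FIELD: "on"}, f"{FIELD}=off&user.attributes.name=Libor"))
    print(apply_update({FIELD: "off"}, f"{FIELD}=off&{FIELD}=on"))
```

The same pattern in the FreeMarker template is just the hidden input emitted immediately before the existing checkbox; the server-side reading rule (last value wins, and only on/off accepted) is what makes it reliable.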