Keycloak 1.9.4 custom authenticator reference
by Tech @ PSYND
Dear experts,
I'm working with Keycloak 1.9.4.
We ran some customization with the Authenticators: we implemented a
couple of authenticators in sequence, like providing an OTP token, providing
additional information, etc.
We are facing several issues:
1) we create our custom Flow from the Authentication interface
2) we add our 4 forms (Add Execution)
3) from the Flows module we select the order in which they should be
selected
4) we define in the Bindings our flow as Browser Flow
5) we register and enable our executions from the Required Actions
module.
About point 3): even if we change the order of the flows using the
priority arrows, the forms don't show up in order.
We tried to delete and to re-create, but we don't understand if we
should do something else to impose the order we need.
After creation, we decided to remove each single "Execution" and then
remove the flow.
We set again the "Browser Flow" to the standard "Browser", we removed
the created jars from the provider/ directory, but every time that we
try to authenticate we get an error saying that there is still an
existing reference to the old deployment, although the provider/
directory is currently empty.
16:00:40,199 ERROR [io.undertow.request] (default task-4) UT005023:
Exception handling request to
/auth/realms/etatvs/login-actions/required-action:
org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
Unable to find factory for Required Action: renew_password_config did
you forget to declare it in a META-INF/services file?
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
Caused by: java.lang.RuntimeException: Unable to find factory for
Required Action: renew_password_config did you forget to declare it in a
META-INF/services file?
at
org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:569)
at
org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504)
at
org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426)
at
org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302)
at
org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856)
Could you support?
Thanks
8 years, 7 months
custom role description not showing up on consent screen
by Brian Cook
I created a new role at the client level and in my link to start the OpenID
Connect authorization code flow it is being passed in. I get the login
screen and log in successfully, but when the consent screen shows up there
is no mention of this scope or its description. Is there something
additional I need to do?
Thanks,
Brian
8 years, 7 months
Impersonate
by Daniele Bonetto
Hi all,
I've a question about impersonation.
As written before, we need to allow our operators to impersonate final users.
We need to call the impersonate API from our backoffice.
I searched in keycloak.js for some function that does the magic, but nothing.
How can we manage it? We don't want our operators to have to access
the Keycloak admin interface to impersonate users.
Thanks in advance,
regards.
Daniele Bonetto
8 years, 7 months
Unique username across realms?
by Guus der Kinderen
Hi all,
Is it possible to have multiple realms, in which every username is unique
across all of the realms?
Regards,
Guus
8 years, 7 months
Authorization question (maybe not keycloak?)
by Darren Hartford
Hi all,
So, Keycloak has a lot of items around Authentication approaches, but I haven't seen anything specific around authorization - is that a different project?
My actual question is this - if you have Java apps that have <security-role><role-name>role1</role-name></security-role> or are using @DeclareRoles, is there a mechanism where the application/SP can *register* with the PDP with those roles, rather than copy-pasting into those different IAM/PDP solutions?
thanks! -D
8 years, 7 months
Keycloak as ID provider for large amount of devices
by Matuszak, Eduard
Hello
We are planning to get a lot of devices, identifiable by individual certificates, into an IoT system being designed and developed at the moment. We chose to authenticate all actors (users, software components and devices as well) by OIDC tokens and (pre)decided to use Keycloak as ID provider. Users and software components are quite straightforward to handle with Keycloak (as Keycloak users with the help of a user federation provider & ID brokerage, and as Keycloak clients for applications, respectively). But I am not sure how to represent our devices (we want to support hundreds of thousands of them later on!) by Keycloak means.
It seems that we essentially have 2 possibilities to register a device in Keycloak:
- As a user
- As a client
By representing devices as Keycloak clients we might take advantage of the Service Account (OAuth Client Credentials) flow and become able to implement it via (dynamic!) registration, and it seems that we will even be able to authenticate our devices by their certificates by choosing "Signed Jwt" as authenticator option.
My question is whether it would be a good idea to register a very big amount of devices as Keycloak clients with regards to performance and manageability. In principle I would prefer a user representation (facilitating usage of a user federation provider & ID brokerage, for instance), but as far as I understood, the appropriate flow would be Direct Access (Resource Owner Password Credentials) and here we can only deal with username/password instead of certificates.
Do you have any suggestions or hints (even the conclusion that Keycloak is not the suitable ID provider implementation for large-scale IoT systems)?
Best regards, Eduard Matuszak
8 years, 7 months
Manually Updating URL from Login Theme
by Chris Hairfield
Hello Keycloak friends,
I have an application with a custom login theme that shows/hides a user
input to make a 2-step flow on a single page; it's done this way to reduce
redrawing the page and to minimize code duplication. The problem here is
that the URL doesn't change between both steps; without a URL change, the
browser's back functionality doesn't know to step between the steps.
Do we have any control over the URL from within our login theme? My current
idea is to modify/increment the state parameter between steps, but I'm open
to any suggestions.
On the flip side, can we break our steps out into 2 separate pages in a way
that our theme doesn't redraw between page changes? It's pretty jerky when
it does so.
Thanks!
Chris
8 years, 7 months
Error appear when change the servers to HTTPS
by Yasser El-ata
Hello,
When we change our server to work with HTTPS we start to see the
following error "Missing parameters: response_type", and I'm sure the
parameter exists in the URL. When the application was working on HTTP this
error didn't happen. Please find the attached screenshot.
The following are my Realms, AngularJS and bearer JSON files. I pasted them
to the Ubuntu paste; I also attached them in the email.
My Realms: http://paste.ubuntu.com/16481701/
AngularJs App Json File: http://paste.ubuntu.com/16481216/
Bearer Application (API) Json File: http://paste.ubuntu.com/16481242/
Please advise,
Thanks
--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com
The information transmitted is intended only for the person(s) to whom it
is addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon, this information by persons or entities other than
the intended recipient is prohibited. If you received this in error, please
contact the sender and delete the material from any computer.
8 years, 7 months
Error appear when change the servers to HTTPS
by Yasser El-ata
Hello,
When we change our server to work with HTTPS we start to see the
following error "Missing parameters: response_type", and I'm sure the
parameter exists in the URL. When the application was working on HTTP this
error didn't happen. Please find the attached screenshot.
Please advise,
Thanks
8 years, 7 months
Keycloak Proxy passing through unauthenticated
by Guy Bowdler
Hi,
We've got the Keycloak Security Proxy (official one -
https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html)
running and passing to an nginx proxy which is in turn proxying out
different apps, i.e.:
[client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy]
------> [application]
Where [] denotes a different box, the proxy box is hostname.domain and
the apps are published as hostname.domain/appname.
However, the client is able to access the application without
authentication; we have clients and roles set up in Keycloak and the
config looks ok (although obviously isn't!).
Are there any Keycloak Proxy logs we can look at, or debugging options?
I haven't found any as yet and nothing is jumping out of the config.
We can access the back end apps ok either from the Keycloak proxy
running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this
latter connection will be restricted to localhost when it's working!).
The Keycloak proxy config is very similar to the default except the
values from the Keycloak installation GUI have been pasted in.
Any troubleshooting tips would be much appreciated!
Thanks in advance :)
Guy
8 years, 7 months