JavaScript client, iframe and IE
by Thomas Raehalme
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
7 years, 11 months
External Username, Password, Email... dataset with Keycloak
by Reed Lewis
We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis
8 years
Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
by Guy Bowdler
hi all,
We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy
which farms out requests to internal applications. This should allow us
to maintain a single namespace for all applications (<hostname>/appname
redirects to appname.local) and gives authenticated visibility of who's
accessing what at the front end proxy.
DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various
Keycloak runs on its own server and is published via an NGINX proxy in
the DMZ
DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
and then after logging in, we get an "invalid Redirect URI" error from
Keycloak. We've found that for some reason, the redirect URL from
KeyCloak is appending the :8080 port value from the KeyCloak Security
proxy (verified as if we change this port number, the value changes in
the redirect URL). It's like KeyCloak is redirecting back to the
NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
which is what we were expecting. This is possibly by design, or
possibly a bug, or possibly a side effect of our configuration.
Has anyone tried using the KeyCloak security proxy in this manner? It's
clear that the intended use is as a single instance adapter for a single
local application, whereas our application happens to be an nginx proxy
redirecting to different applications using location directives.
8 years, 3 months
Allow google login without reauthentication
by Harits Elfahmi
Currently we use Google login using the identity provider in Keycloak. The
first broker login states that we must verify the existing account and then
reauthenticate using the user password form. Is it possible to use the already
available executions/flows and skip the reauthentication part?
So if the Google email already exists in a Keycloak account, we allow them
to log in without the form.
Or must we create a custom execution? Is it possible using a custom execution?
Harits Elfahmi
8 years, 5 months
Getting 401 if trying to access app via loadbalancer
by KASALA Štefan
we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks.
Stefan Kasala
8 years, 5 months
Token generation: possibilities to improve performance
by Matuszak, Eduard
Motivated by considerations on how to improve the performance of the token generation process I have two questions:
- I noticed that Keycloak's token generation via endpoint "auth/realms/ccp/protocol/openid-connect/token" generates a triple of tokens (access-, refresh- and id-token). Is there any possibility to dispense with the id-token generation?
- Is there a possibility to cause Keycloak to generate more "simple" bearer tokens than complex JWT tokens?
Best regards, Eduard Matuszak
8 years, 7 months
Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
by Marek Posolda
Adding list back again for tracking (Ray, please use "Reply all" when
replying to the mails).
From my googling, it seems that DefectiveTokenDetected can happen for
NTLM requests as well. Btw. I found some tips on StackOverflow on how to
prevent using NTLM instead of Kerberos5. Maybe something from those will help:
- Use different machines for client (browser) and keycloak server
- Ensure both machines are in windows domain
- Use some different encryptions in the Kerberos client file (krb5.ini).
The post mentions "arcfour-hmac-md5", however the post is 6 years
old :) Still it might help to add/remove some encryptions from the krb5.ini
file and check if the client machine and IE will use a krb5 ticket instead of NTLM
- Fix DNS records or "SPN records" (I don't have a clue what it is :) So
see the post for more details)
On 29/06/16 16:41, Zhou, Limin (Ray) wrote:
> Marek
> I sent you two log files yesterday via two emails. I am able to see
> your analysis (such as the OID etc.) from the first log, but not the second
> log; in the second log we were getting a GSSException instead of the
> handshake message. I am wondering why it is like this, and are they
> the same thing regarding my issues?
> Sorry to disturb you again
> Raymond
> P.S I have attached the two logs again for you to reference
> *From:*Zhou, Limin (Ray)
> *Sent:* Wednesday, June 29, 2016 10:18 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
> Marek
> Thank you so much for your analysis. I am wondering whether you can
> tell me how you mapped your diagnosis to the server.log line #? I
> think this will help us more when we are tuning either our browser or
> domain settings, because I cannot see any 401 header, first OID, or the
> KRB5 OID in the log file
> Really appreciate your help
> Raymond
> *From:*Marek Posolda []
> *Sent:* Wednesday, June 29, 2016 4:01 AM
> *To:* Zhou, Limin (Ray)
> *Cc:* keycloak-user(a) <>
> *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
> Hi Raymond,
> returning keycloak-user list back for tracking purposes.
> What I can see happening in the server.log is that:
> - Keycloak asks the browser to send a SPNEGO token (by sending 401 with
> "WWW-Authenticate: Negotiate" header). So far everything as expected
> - Browser replies with a SPNEGO token, however it uses NTLM as the
> preferred choice ( First OID is ) together with an
> NTLM token. The KRB5 OID ( 1.2.840.113554.1.2.2 ) is in the supported
> mechanisms too.
> - Keycloak replies with a NegTokenTarg token when it's asking for
> sending a SPNEGO token backed by KRB5 instead of NTLM (as Keycloak
> doesn't understand NTLM atm. There is related discussion on
> keycloak-user
> )
> - Browser doesn't respond to NegTokenTarg with a SPNEGO+KRB5 token anymore
> Not sure what your possibilities are TBH. Either somehow set up the browser
> to reply to the second request with NegTokenTarg and send a SPNEGO+KRB5
> token. Or re-configure your Windows domain (or client machines +
> browser) to skip using NTLM. Right now, I don't have any clue how to
> do that TBH.
> Marek
> On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
> Hi Marek
> If you haven’t looked at my previous server.log, then use this one
> instead, in this log we were getting an exception
> *GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)*
> When we hit the url, maybe this will make things easier
> Please let me know if you need anything more
> Thanks a lot
> Raymond
> *From:*Zhou, Limin (Ray)
> *Sent:* Tuesday, June 28, 2016 10:00 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
> Hi Marek
> I have attached my keycloak server log for you. After adding the
> two properties, we can see an exception show up when I hit
> my URL; after the exception, I think the default keycloak login
> page shows up, and the rest of the log was generated by my manual login
> Hope this can give us some clue
> Thanks a lot
> Raymond
> *From:*Marek Posolda []
> *Sent:* Tuesday, June 28, 2016 1:43 AM
> *To:* Zhou, Limin (Ray)
> *Subject:* Re: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
> Thanks Raymond,
> is it possible to also enable the system properties
> || and
> | and see if there are some more
> details in the log? You can add system properties either directly
> to standalone/configuration/standalone.xml file or by adding them
> to java opts in bin/standalone.conf|
> Thanks,
> Marek
> On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
> Hello Marek
> Thanks for answering my post, following are the log piece
> after hitting the first page, hope this helps.
> Please let me know if you need anything more
> Thank you so much
> Raymond
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug
> is true storeKey true useTicketCache false useKeyTab true
> doNotPrompt true ticketCache is null isInitiator false KeyTab
> is C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false
> principal is
> <mailto:HTTP/>
> tryFirstPass is false useFirstPass is false storePass is false
> clearPass is false
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> principal is
> <mailto:HTTP/>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will
> use keytab
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> Commit Succeeded
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24)
> [Krb5LoginModule]: Entering logout
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24)
> [Krb5LoginModule]: logged out
> Subject
> *From:*Marek Posolda []
> *Sent:* Monday, June 27, 2016 5:55 AM
> *To:* Zhou, Limin (Ray); keycloak-user(a)
> <>
> *Subject:* Re: [keycloak-user] Keycloak single sign on with
> Keberos(AD)
> It may help if you enable all the possible debug/trace logging
> and post the log here. This may give more info on what the
> issue is. See docs on how to enable logging :
> Try to send the log from the point once you trigger the
> authentication request (or from the point when you hit your
> app URL)
> Thanks,
> Marek
> On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
> Hello everyone
> I am new to Keycloak and new to here
> Our web application is running on JBoss EAP 7. We have
> configured a KeyCloak standalone server 1.9.7 running on a
> different port (same server box) to manage the user
> authentication and authorization; behind KeyCloak we have
> configured Kerberos in User Federation to talk to our company
> AD server. We are able to log in by using our AD account,
> but not in a single sign on way: each time we hit
> our app URL, the Keycloak login page shows up.
> It looks like the TGT or ST handshake was not successful.
> Is there any document I can reference to debug the issue?
> Any comments or suggestion would be very welcome
> thanks in advance
> raymond
> ------------------------------------------------------------------------
> Moneris Solutions Corporation | 3300 Bloor Street West |
> Toronto | Ontario | M8X 2X2 | Canada
> <> 1-866-319-7450
> If you wish to unsubscribe from future updates from
> Moneris, please click here
> <>.
> Please see the Moneris Privacy Policy here
> <>.
> This e-mail may be privileged and/or confidential, and the
> sender does not waive any related rights and obligations.
> Any distribution, use or copying of this e-mail or the
> information it contains by other than an intended
> recipient is unauthorized. If you received this e-mail in
> error, please advise me (by return e-mail or otherwise)
> immediately.
8 years, 7 months
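The NTLM-versus-Kerberos negotiation Marek describes above can be checked directly from the token the browser sends. The following Python is an added example, not code from the thread or from Keycloak: it decodes an Authorization: Negotiate token, reports whether it is a bare NTLM blob (the "Defective token detected" case) or a SPNEGO NegTokenInit, and lists the mechTypes in the browser's preference order so an operator can see whether NTLM is preferred and whether a Kerberos mechanism is offered at all. The SPNEGO, NTLMSSP and MS-KRB5 OIDs are the registered values from RFC 4178 / MS-SPNG and are supplied here rather than taken from the page; build_negotiate_header constructs a sample token for testing.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"              # registered value (RFC 4178), not from the page
KRB5_OID = "1.2.840.113554.1.2.2"         # quoted on the page
MS_KRB5_OID = "1.2.840.48018.1.2.2"       # registered value (MS-SPNG), not from the page
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"    # registered value (MS-SPNG), not from the page

def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which real browser tokens use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # DER OID contents -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(token):
    """Classify a token (raw bytes or 'Negotiate <base64>' text): raw-ntlm / spnego / unknown."""
    if isinstance(token, str):
        token = base64.b64decode(token.split()[-1])
    result = {"kind": "unknown", "mechs": [], "ntlm_first": False, "krb5_offered": False}
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM without a GSS header: this is the
        return dict(result, kind="raw-ntlm", ntlm_first=True)  # "Defective token" case
    try:
        tag, body, _ = _read_tlv(token, 0)       # [APPLICATION 0] InitialContextToken
        tag2, oid, pos = _read_tlv(body, 0)      # thisMech OID, must be SPNEGO
        if tag != 0x60 or tag2 != 0x06 or _decode_oid(oid) != SPNEGO_OID:
            return result
        _, neg_init, _ = _read_tlv(body, pos)    # [0] NegTokenInit
        _, seq, _ = _read_tlv(neg_init, 0)       # SEQUENCE
        _, mech_ctx, _ = _read_tlv(seq, 0)       # [0] mechTypes
        _, mech_seq, _ = _read_tlv(mech_ctx, 0)  # SEQUENCE OF MechType, preference order
        mechs, pos = [], 0
        while pos < len(mech_seq):
            _, oid, pos = _read_tlv(mech_seq, pos)
            mechs.append(_decode_oid(oid))
    except IndexError:
        return result                            # truncated or malformed token
    result.update(kind="spnego", mechs=mechs, ntlm_first=mechs[:1] == [NTLMSSP_OID],
                  krb5_offered=any(m in (KRB5_OID, MS_KRB5_OID) for m in mechs))
    return result

def _encode_oid(dotted):  # dotted string -> DER OID contents (for building samples)
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

_tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form length suffices here

def build_negotiate_header(mech_oids):
    # Constructed sample: a NegTokenInit carrying only mechTypes (real tokens add a mechToken).
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(m)) for m in mech_oids)))
    token = _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, _tlv(0x30, mech_types)))
    return "Negotiate " + base64.b64encode(token).decode()  # as the browser sends it
```

A result with `ntlm_first` set and `krb5_offered` true matches the first log Marek describes; `raw-ntlm` matches the second.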
Obtaining full profile from "userinfo" endpoint
by Brian Watson
Hi all,
Keycloak version: 1.9.8
Here is my use case: I want to keep the access token JWS as lean as
possible, only containing user roles and a few custom claims I have added.
I want no PII in the access token. However, I would like my internal
services to obtain the full user profile (name, email, etc...) from the
OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the
"sub" claim and the few custom claims that already exist in the access
token. I don't see any support for adding scope values to the request.
Is there any way to accomplish what I would like, or any other ways of
obtaining this info that I may be missing?
Thanks in advance
8 years, 7 months
MDC log messages not showing up
by Scott Rossillo
I’m trying to use the Mapped Diagnostic Context (MDC) on org.jboss.logging.MDC to register a custom header for logging. I’m populating the MDC from an Undertow HttpHandler. This part is working; however, the value set in the MDC is never logged. I’m using %X{MDC_KEY} in standalone.xml.
Does anyone know why MDC values aren’t logged?
Scott Rossillo
Smartling | Senior Software Engineer
8 years, 8 months
Keycloak and Salesforce IdP identity brokering
by Peter Nalyvayko
I am trying to integrate keycloak and Salesforce using Salesforce as an identity provider. It seems some of the information required to properly set up Salesforce as a SAML IdP is missing in keycloak's SAML identity provider configuration. For example, "Entity Id", according to the Salesforce documentation, is "This value comes from the service provider. Each entity ID in an organization must be unique. If you’re accessing multiple apps from your service provider, you only need to define the service provider once, and then use the RelayState parameter to append the URL values to direct the user to the correct app after signing in." ( The SAML identity provider configuration in keycloak does not have a setting to specify "Entity Id". Another missing attribute is "ACS URL" (The ACS, or assertion consumer service, URL comes from the SAML service provider.). Has anyone been able to set up Salesforce as IdP and keycloak as SP using keycloak's SAML identity provider? Is this even possible given that some required parameters are missing?
Thx
Peter
8 years, 8 months