Custom set password page and email
by Attila Bara
Hi All,
I just started to work with Keycloak and I would appreciate some brief help to get on track.
I need to create a separate page that allows newly added users to initially set their own password.
Users are bulk-added by the admin, and a general link to this page should be provided to every user.
There they enter their username/email and receive a custom email with a link to set the password.
Basically it is a copy of the reset-password function, but it needs to be on a different URL with different page content, and also use a separate email template than reset-password.ftl.
Could you give me an overview of how this could be achieved?
Kind regards,
Tawura
8 years, 5 months
Keycloak Installation on fabric8
by Mike Hills
Hi
Could anyone suggest best practice to install Keycloak on fabric8/OpenShift
3? It looks like apiMan uses Keycloak to secure REST services. I also
need to configure Keycloak to use a SQL Server database.
Thanks
Mike
--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills(a)sematree.com
Skype : mhills_sematree
8 years, 5 months
Client secret for openid connect?
by Marc Boorshtein
KCers,
I've got KC 2.1 up and running and integrated with my virtual
directory. I'm trying to connect an OpenID Connect client with it, but
I think I'm missing something. I created a realm and created an OIDC
client. I see the client ID, but how do I get the client secret? The
client works with Google's OIDC implementation, as a point of
reference.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
8 years, 5 months
KeyCloak customization
by Amit Arora
Hi
Can anyone suggest?
I am looking to customize the /token service for the password grant, so when I call
the /token service from my client, Keycloak calls my authentication service to
authenticate the user, takes the response from my auth service and then
ties this response to the access token.
And when I call the secured service with the access token, Keycloak can
fetch specific user information from my DB using the access token (which we
tied to the auth response earlier) and stuff it into the request before sending it
to the secured API.
Can I achieve this, and what hooks or customizations do I need to do for this?
Thanks
Amit
8 years, 5 months
2 Keycloak instance using the same DB.
by Subhrajyoti Moitra
Hello,
We are trying to load balance Keycloak servers to accommodate more traffic
and as a failover. We are pointing 2 instances of Keycloak servers (running
on 2 different machines) to the same DB. Could there be a problem with that
setup?
If so, what kind of issues are expected to come up? Do we have to set up
something special on the load balancer so that the sessions are maintained
properly?
The Keycloak servers also integrate with our organization's Active
Directory to defer the authentication process. Should we disable sync on
one and allow LDAP sync from only one server? Is there a potential problem
with the same, i.e. 2 Keycloak instances pointing to the same DB?
How are other people doing load balancing and failover for Keycloak servers?
Please guide.
Thanks,
Subhro.
8 years, 5 months
Keycloak Competitors
by John D. Ament
Hey,
I'm not sure if anyone on this list has some insight; I'm trying to do a
formal tech evaluation. I was wondering if anyone knew of some competitors of
Keycloak in the same space, self-hosted etc.
John
8 years, 5 months
Firstname and Lastname are null when REGISTER event
by Jairo Henao
Hello community:
I have a listener for the REGISTER event and it works well, but when I try to get the first and last names of the user they are null, while all other fields such as email, telephone, etc. are filled.

// Imports added for completeness (Keycloak SPI types used below).
import org.keycloak.events.Event;
import org.keycloak.events.EventType;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

@Override
public void onEvent(Event event) {
    if (includedEvents.contains(event.getType())) {
        if (event.getRealmId() != null && event.getUserId() != null) {
            RealmModel realm = model.getRealm(event.getRealmId());
            UserModel user = session.users().getUserById(event.getUserId(), realm);
            if (user != null) {
                if (isUserEnroledForClients(user, realm)) {
                    // Checking the event type
                    if (EventType.REGISTER.equals(event.getType())) {
                        // Sending the new data to HubSpot
                        log.infov("Registering the new user {0} in Hubspot...", user.getEmail());
                        user.getEmail();     // IS FILLED
                        user.getFirstName(); // IS NULL
                        user.getLastName();  // IS NULL
                    }
                }
            }
        }
    }
}

After the registration process ends, if I check the table, the new user has a firstName and lastName.
Jairo Henao Rojas
IT ROI Solutions
8 years, 5 months
Authorization services: Trying to model authz for a typical application.
by Ushanas Shastri
Classification: INTERNAL
Hello,
I've been looking at all the Authz examples with 2.1.0 CR1, and I've been trying to fit/model them to my application.
Let's say there's a feature in an application to process loan applications. Possible actions on a loan application are to view, edit, approve or reject them. However, users can take specific actions on applications based on the geographical zone in which the requests are raised.
For example:
User A can view applications across all Zones, but approve or reject applications only if they are from Zone A.
User B can only view applications from Zone B, and cannot do anything else.
User C can do all actions for all Zones.
In the Authorization tab, Loan Application is created as a resource, with scopes created for each action (view/edit/approve/reject).
Scope-based permissions are created for each scope, and are attached to a policy. Now the policy is where I'd implement the check on the zone.
I could create each Zone as a group or as a client role. I chose to create a client role for each Zone.
Now, if user A logs in to the application, I have a screen where they can search for applications to view/process. User A should get to see a list of all applications, since he has view access to all, but only process
When I request an authorization through the entitlement API, the response tells me that Zone A and Zone B are the client roles, and view, approve and reject are allowed scopes, but does *not* say that the Zone B scope is only view, and the Zone A scopes are view, approve and reject. The response is a list of client roles and scopes (with resources), but does not link the client role to a resource-scope combination. I couldn't find a way to make individual requests (like: tell me what scopes are allowed for this resource, for this particular client role/group?).
As a result, I cannot use the idea of creating zones as either client roles or groups.
How then do I model this in Keycloak? Thank you for reading the long example, and looking forward to a response!
Regards, Ushanas.
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
8 years, 5 months
HTML injection on registration page
by Adrian Matei
Hi everyone,
After a security audit we've found out that during user registration one can do
HTML injection by inserting, for example, the following code in the Name
field: Victim<p><a href=www.google.ch>Konto aktivieren</a>
The victim receives the validation email with the malicious link right
after their name. Therefore the injected HTML is rendered instead of
escaped by the email service. Is there any way we can avoid this
declaratively, or what would be an alternative solution?
Best regards,
Adrian
8 years, 5 months
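The defect described in the post is a missing output-escaping step: a user-controlled profile field is interpolated into an HTML mail body verbatim, so any markup in the field becomes part of the message. The following is an added example, not code from the post or from Keycloak, and the template, placeholder names and link value in it are constructed assumptions. It shows a minimal FreeMarker-style renderer with and without escaping on output, driven by the exact Name value quoted above, plus a small detector that a defender can use to log or alert on markup appearing in profile fields (the detector is a monitoring aid; the fix is the escaping). In real FreeMarker templates the analogous mechanism is the `?html` builtin (or template-wide auto-escaping), applied to every user-supplied value.

```python
import html
import re

# Constructed sample input: the registration Name value quoted in the post.
INJECTED_NAME = "Victim<p><a href=www.google.ch>Konto aktivieren</a>"

# Hypothetical activation-mail template in FreeMarker-like syntax
# (assumption; not Keycloak's own email-verification template).
ACTIVATION_TEMPLATE = (
    "<p>Hello ${user.firstName},</p>"
    '<p><a href="${link}">Activate your account</a></p>'
)

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")
TAG = re.compile(r"</?[A-Za-z][^>]*>")


def lookup(context, dotted_key):
    """Resolve a dotted key such as 'user.firstName' against nested dicts."""
    value = context
    for part in dotted_key.split("."):
        value = value[part]
    return str(value)


def render(template, context, autoescape=True):
    """Substitute ${...} placeholders in the template.

    With autoescape=True every interpolated value is HTML-escaped at output
    time, which is what a mail template must do with user-controlled fields.
    autoescape=False reproduces the unescaped behaviour reported in the post.
    """
    def substitute(match):
        value = lookup(context, match.group(1))
        return html.escape(value, quote=True) if autoescape else value
    return PLACEHOLDER.sub(substitute, template)


def contains_markup(value):
    """Cheap check for HTML tags in a profile field, for logging/alerting."""
    return TAG.search(value) is not None


def build_activation_email(first_name, link, autoescape=True):
    """Render the activation mail for one user (link is a constructed value)."""
    context = {"user": {"firstName": first_name}, "link": link}
    return render(ACTIVATION_TEMPLATE, context, autoescape)


if __name__ == "__main__":
    link = "https://sso.example.invalid/verify?token=PLACEHOLDER"  # constructed
    print("unescaped:", build_activation_email(INJECTED_NAME, link, autoescape=False))
    print("escaped:  ", build_activation_email(INJECTED_NAME, link))
    print("markup in name:", contains_markup(INJECTED_NAME))
```

With escaping on, the injected anchor is emitted as literal text (`&lt;a href=www.google.ch&gt;`) and the only clickable link in the message is the one the template itself produces; the `quote=True` argument also neutralises attribute-breaking quotes for the case where a value is interpolated inside an attribute such as `href`.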
SAML Subsequent login fails with Account disabled error
by Kamal Jagadevan
Hello, We are using Keycloak 1.9.2 for our authentication flow and SAML interactions (not using SAML adapters) and they are working well in DEV/QA instances. But in the Integration environment we are seeing a strange issue where ONLY the FIRST login works fine. Further logins fail with the following error even though the user is enabled:
"Account is disabled, contact admin." If there is anything obvious that we have missed, please advise. Enabling debug logging didn't reveal anything other than fetching entities from the DB. Any input on how to debug further is also welcome.
Setting in Federated Identity: First login flow is set to First Broker Login flow.
Settings in First login flow: disabled the Review Profile page; the rest of the properties were set to default values, and altering the rest of the fields didn't change the behavior.
The following is the sequence of steps:
- With the help of a static login URL to Keycloak suffixed with KC_IDP_HINT, Keycloak redirects to the external IdP.
- Verified the SAML request being sent using SAML Tracer.
- External IdP login prompts for username and password.
- After entering credentials, redirected back to Keycloak to get the token, but it THROWS the error "Account is disabled, contact admin".
- Verified the SAML response with Assertion status as success using SAML Tracer.
- Verified the user is enabled in the Admin console.
- Verified the user_entity table for the status.
Best,
Kamal
8 years, 5 months