keycloak.js: sending cookies with keycloak.updateToken()?
by Michael Clayton
Hi all,
We have multiple keycloak nodes clustered behind a load balancer. On
first request, the load balancer sticks users to a node by handing a
cookie to the browser. Currently, when keycloak.js sends the
updateToken() POST to the load balancer, it's a cross-origin call and
thus the browser omits cookies. As a result, the load balancer doesn't
know which keycloak node to route the request to.
Here's my patch:
https://github.com/mwcz/keycloak/commit/ec5289b5c8e6a8378167d4f14da682ef3...
By setting withCredentials = true, the browser will send cookies to our
keycloak load balancer so we can be routed properly.
I would be surprised if this was desired behavior in *all* cases, so a
blanket "always send cookies". I'd be happy to create an alternate patch
where a configuration parameter dictates whether to send cookies.
Thoughts/warnings/alternatives/pitfalls?
Thanks!
--
Michael Clayton
Senior Software Engineer
Red Hat Customer Portal
8 years, 4 months
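The cross-origin side of the withCredentials change, as an added example that is not part of the patch or of keycloak.js: once the refresh request carries cookies, the browser only hands the response back if the Keycloak node (or the balancer in front of it) answers with a credentialed CORS grant for that exact origin, so the server's origin allowlist is where the change stays narrow. The allowlist and origins below are constructed.

```javascript
// Added example, not from the original post or from keycloak.js.
// Models the two sides of a credentialed cross-origin token refresh:
// what the browser enforces once withCredentials = true, and the
// response headers a Keycloak node (or the balancer in front of it)
// must send for that request to succeed.

// Hypothetical allowlist, i.e. the client's "Web Origins" in Keycloak.
const ALLOWED_ORIGINS = new Set([
  'https://portal.example.com',
  'https://admin.example.com',
]);

// Server side: decide the CORS headers for a credentialed request.
// A wildcard is never echoed: with credentials the browser rejects "*",
// so the exact origin is echoed only when it is on the allowlist, and
// Vary: Origin keeps caches from serving one origin's answer to another.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return { 'vary': 'Origin' }; // no ACAO: browser blocks the response
  }
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Browser side: the check applied to a response when withCredentials is
// true. Both headers must be present, ACAO must equal the page origin
// exactly (never "*"), and ACAC must be the literal string "true".
function browserAcceptsCredentialedResponse(pageOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined || acao === '*' || acao !== pageOrigin) return false;
  return acac === 'true';
}

// End-to-end: does a token refresh from pageOrigin get its response?
function refreshSucceeds(pageOrigin) {
  const headers = corsHeadersFor(pageOrigin);
  return browserAcceptsCredentialedResponse(pageOrigin, headers);
}
```

Current browsers additionally require the balancer's sticky cookie to carry SameSite=None; Secure before they will attach it to a cross-site XHR at all.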
Fwd: Question about LDAP Rol
by Zeus Arias Lucero | BEEVA
I have a keycloak server which has the LDAP configuration. This LDAP server
has different roles than my application. So I would like to know if it's
possible, and how I have to do it, for the keycloak server to map or translate
role A to role B. Role B is used by my application.
Greetings!
8 years, 4 months
Re: [keycloak-user] SAML IdP automatically link account
by Glenn Campbell
I still haven't gotten anywhere with this. Here's what I've tried so far:
1) modifying First Broker Login flow as follows -
Review Profile - disabled
Create User If Unique - alternative
Handle Existing Account - alternative
everything under Handle Existing Account that can be disabled I have
disabled
Result: I authenticate with the remote SAML server but my local Keycloak
server displays an error screen saying "Invalid username or password".
2) created a custom authentication flow containing the following -
Create User If Unique - alternative
A custom authenticator class with an authenticate method that just calls
the success method of the AuthenticationFlowContext.
Result: I authenticate with the remote SAML server but my local Keycloak
server displays an error screen saying "Invalid username or password".
As always, any suggestions would be greatly appreciated.
On Tue, Aug 23, 2016 at 9:49 AM, Glenn Campbell <campbellg(a)teds.com> wrote:
> I have a SAML IdP that is used only for authentication and a separate
> database that contains information about the users, including roles. I've
> set up the database in User Federation and the SAML IdP in Identity
> Providers.
>
> The problem I have is that when users log in they are prompted to link to
> an existing account. This is confusing for them because from their
> perspective the only account they know about is the one on the SAML IdP.
>
> Is it possible to configure this Identity Provider to be "trusted" so that
> the accounts are linked automatically? I started looking into creating a
> custom authenticator based on the documentation and the custom
> authenticator in the example code but I don't see what the necessary steps
> are to cause the automatic account linking.
>
> Any suggestions would be greatly appreciated.
>
8 years, 4 months
Keycloak thick clients
by Floodeenjr, Thomas
Greetings,
It seems like Keycloak can solve many problems for web applications when authenticating from various sources. We are currently trying to authenticate using Kerberos with a thick client using remoting to a Wildfly server. Is there a Keycloak solution for Java applications that are thick (standalone) applications authenticating with a Wildfly server? If there is not a Keycloak solution, do you know of another solution? We seem to find little or no information about non-web applications.
Thanks,
-Tom
8 years, 4 months
Help - Remote EJB Security Context
by Christian Hebert
Hello everyone!
We have a few applications protected by keycloak deployed on two jboss servers (EAP 7). I'm trying to access an EJB from an application deployed on server A to an application deployed on server B.
Following the basic example that comes with JBoss I've been able to do it by simply using the ApplicationRealm. My problem is that I have no identity on the remote server and I need to propagate the identity (and security context) from server A to server B.
I can't figure the way to configure my EJBReceiver to use another realm.
I keep receiving the following error :
java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:RemoteApp, moduleName:RemoteAppEJB, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@717cef09
    at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
    at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
    at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
Is there anybody who can help me with this?
Thanks a lot!
Christian Hebert
8 years, 4 months
granting role to a user to add users
by hasane has
Hi,
I'm trying to add users programmatically, but I get a Forbidden error. What
role(s) should a user have to do that, and how do I grant that role to a user,
since, for a realm and a client, it's up to me to create roles?
(I read in the ref guide that the user should have the manage-users role to do that,
but how do I grant that role?)
Cordially
8 years, 4 months