WARNING: breaking User API backward compatibility
by Bill Burke
Starting in 2.3, there will be a number of user SPIs and APIs that will
be refactored or deprecated. UserModel, UserFederationProvider,
UserCredentialModel, PasswordHashProvider, and UserFederationManager are
being refactored. UserFederationProvider is also being @Deprecated.
Code will break, and you'll have to figure out how to start using the
new UserStorageProvider SPI, or update UserFederationProvider
implementation. You'll start seeing changes pop up in master over the
next few weeks.
8 years, 3 months
No redirect to original URL after going to identity provider
by Sarah Phillips
I have a keycloak 1.9.8 install that I am trying to reconfigure.
I have a client that tries to authenticate requests to https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/*
I have a saml 2.0 identity provider configured against pingfederate. The redirect URI is http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfedera...
When I enter https://lvpalgomi1d.ln.jefco.com:8443/synchronicity/login.jsp into a web browser I end up at http://lvpalgomi1d.ln.jefco.com:8180/auth/realms/Algomi/broker/pingfedera... which is not what I intend - I would like to be validated and then redirected back to the original location.
Is there another step to redirect the browser back to the original URL?
I am picking up this task from a colleague who moved on. I have tried reading the server-administration-guide but it does not seem to be helping with this problem.
How do I diagnose the issue? What settings do I need to check?
There are also a couple of ldap providers set up under User Federation. I don't know whether they are needed - I think they were previously used to authenticate against ldap but the users are looking for silent/pass-through authentication.
Actually, while I'm here, will SAML 2.0 even support Integrated Windows Authentication that I am supposed to be implementing, or must I use Kerberos to achieve that?
Many thanks,
8 years, 3 months
Struggling with roles via groups
by Niko Köbler
currently I’m struggling a bit with roles assigned directly to a user and indirectly via a group the user belongs to.
This is my scenario:
Role „admin“, which is a composite role and has from client „realm-management“ the roles „impersonation, manage-users, view-users“ assigned.
Group „admins“, which the role „admin“ is assigned to.
If I assign the „admin“ role to a user in „myRealm“, the user is able to get a list of all users via HTTP REST call „/auth/admin/realms/myRealm/users“
If I now remove this role from the user and let it join the group „admins“, the user should also have the „impersonation, manage-users, view-users“ client roles - as far as I understand it correctly. The decoded access token also contains all the roles. But when the user now calls the above mentioned HTTP REST call, a 403 Forbidden response is returned.
What am I missing?
Am I doing something wrong?
Or is Keycloak not evaluating the roles correctly?
Any help is appreciated!
- Niko
8 years, 3 months
Restrict user's access to a subset of realm's clients
by Andy Yar
I'm wondering, is there a way to restrict certain clients in a realm
for a given user?
Of course, I can map roles to user and check them in each application.
However, it seems like it might be easier to perform directly on Keycloak
What is the correct way to achieve that?
Thanks in advance.
8 years, 3 months
Need help in resolving error with authorizing our app using Keycloak
by Ganga Lakshmanasamy
We have a web application which uses keycloak as its authentication server.
Currently, we have enabled keycloak only at our client side which is an
angular code. We would like to enable the keycloak security for our rest
services as well. So we did the following,
1. Created a new client in our realm for backend services with access type
2. Configured keycloak adapter in wildfly where our backend rest services
are deployed.
3. Added keycloak.json file of backend services client.
4. Logged into our application through our angular client and got the token.
5. Tried accessing the backend rest api with the access token sent as part
of header as below.
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJiMjc0ZTY3My0yOTg1LT
Getting *403 Forbidden access* error while invoking the rest service even
though the user has the required roles set. Please help us in resolving the
Ganga Lakshmanasamy
8 years, 4 months
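A small diagnostic for the two 403 threads above ("Struggling with roles via groups" and "Need help in resolving error with authorizing our app using Keycloak"): it decodes the payload of an access token without verifying it and reports which client roles the server-side check would not find under the `resource_access` claim. This is an added example, not code from Keycloak or from either poster; the sample tokens are constructed here and carry a placeholder signature, so they are only usable as parser input.

```python
import base64
import json

# Client roles the admin "list users" call in the first thread relies on.
REALM_MGMT_ROLES = {"impersonation", "manage-users", "view-users"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking the
    signature. Use it only to inspect what a client sent, never for authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def client_roles(claims: dict, client_id: str) -> set:
    """Client roles Keycloak places under resource_access.<client>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def missing_client_roles(token: str, client_id: str, required) -> set:
    """Required roles absent from the token; an empty set means all present."""
    return set(required) - client_roles(decode_claims(token), client_id)


def make_sample_token(claims: dict) -> str:
    # Constructed sample: real header shape, placeholder signature, so no
    # server would ever accept it; it only exercises the parser above.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-sig"


# Constructed claims: composite expanded into realm-management client roles.
SAMPLE_OK = make_sample_token({
    "preferred_username": "niko", "realm_access": {"roles": ["admin"]},
    "resource_access": {"realm-management": {"roles": sorted(REALM_MGMT_ROLES)}},
})
# Constructed claims: only the realm role arrived, no client roles at all.
SAMPLE_MISSING = make_sample_token({
    "preferred_username": "niko", "realm_access": {"roles": ["admin"]},
    "resource_access": {},
})

if __name__ == "__main__":
    for name, tok in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(name, sorted(missing_client_roles(tok, "realm-management", REALM_MGMT_ROLES)))
```

For the second thread, call `missing_client_roles` with the backend client's id from its keycloak.json and the roles that service checks; if the set is empty and the backend still answers 403, the problem is in the adapter or role mapping on the server, not in the token contents.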
Re: [keycloak-user] Social login - need help
by Kiran patil
Kiran P
+91 9964558157
On Mon, Sep 12, 2016 at 12:39 PM, Kiran patil <kiranpatil(a)arvindinternet.com> wrote:
> Hi All,
> I am implementing social login and facing following issues.
> 1. Getting *invalid_redirect_uri* for *http://example.com*. Please suggest what should be the *Base URL* and Valid
> Redirect URIs so that I can redirect to my login success page on
> successful login.
> 2. If I don't specify any *Post Login Flow* I get an error and it is
> redirecting to */forbidden*. I need to redirect to my app on *First
> Broker Login* and also successful login for existing user.
> Please help me modify the settings to solve the above issues.
> Kiran P
> +91 9964558157
8 years, 4 months
Vote for web-based forum
by Uli SE
I'm voting to change this exchange into some kind of web-based forum.
It's really hard to search for "already asked questions" and to track my
threads in this kind of mailing list.
8 years, 4 months
Getting 401 if trying to access app via loadbalancer
by KASALA Štefan
we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks.
Stefan Kasala
8 years, 4 months