Help using Keycloak for Mobile apps
by Sam McCollum
Hi All,
I'm working on a project with some fellow students and we are attempting to
use Keycloak to manage the authentication and authorization for our Java
backend running on WildFly. We've managed to retrieve a token which we
believe to be an offline token by opening the following URL on the mobile
client and intercepting a custom URL scheme:
http://keycloak.cs.westmont.edu/auth/realms/Westmont/protocol/openid-connect/auth?redirect_uri=app.test://login&response_type=code&client_id=TestApp&scope=offline_access
We hope that this doesn't bother you, but we are really struggling to
figure out how to request the access token from the refresh token using the
REST API as we haven't found any documentation or tutorials covering this
use case.
We are also hoping to open source our efforts at building a library for
mobile apps to use with Keycloak.
Please let us know if there is anything else you need to understand from us.
Thanks in advance,
Sam
8 years, 4 months
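The refresh exchange Sam is asking about is a form POST to the realm's token endpoint (the same endpoint the later shell example on this page calls with the password grant). The following is an added example, not code from the thread or from the Keycloak project: the realm, client id and server URL are placeholders, and the unsigned sample token at the bottom is constructed so the helpers run offline.

```shell
# Added example, not code from the original thread. KC_URL, realm and client
# are placeholders; the sample JWT at the bottom is constructed for the demo.
KC_URL="${KC_URL:-http://localhost:8081/auth}"
KC_REALM="${KC_REALM:-Westmont}"
KC_CLIENT="${KC_CLIENT:-TestApp}"   # public (mobile) client: no client_secret is sent

# One token endpoint serves both the authorization_code and refresh_token grants.
kc_token_endpoint() {
  printf '%s/realms/%s/protocol/openid-connect/token' "$KC_URL" "$KC_REALM"
}

# Decode segment $2 (1 = header, 2 = payload) of JWT $1. Segments are base64url
# without padding, so map '-_' back to '+/' and restore '=' before base64 -d.
jwt_segment() {
  s=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Seconds until the exp claim, measured from $2 (epoch seconds, default: now).
# This reads an unverified claim: good for scheduling a refresh on the client,
# never for an access decision, which the backend makes after signature checks.
jwt_seconds_left() {
  exp=$(jwt_segment "$1" 2 | sed -n 's/.*"exp" *: *\([0-9]*\).*/\1/p')
  echo $(( exp - ${2:-$(date +%s)} ))
}

# The refresh_token grant (RFC 6749 section 6) is a plain form POST; the
# response has the same JSON shape as the initial authorization code exchange.
kc_refresh() {
  curl -sS "$(kc_token_endpoint)" -d grant_type=refresh_token \
    -d "client_id=$KC_CLIENT" --data-urlencode "refresh_token=$1"
}

# Print the current access token $1, or a fresh one obtained with refresh
# token $2 when fewer than $3 seconds (default 30) remain before expiry.
kc_access_token() {
  if [ "$(jwt_seconds_left "$1")" -lt "${3:-30}" ]; then
    kc_refresh "$2" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
  else
    printf '%s' "$1"
  fi
}

# Constructed, unsigned sample token so the helpers can be exercised offline.
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_JWT="$(printf '%s' '{"alg":"none"}' | b64url).$(printf '%s' '{"exp":1473348085,"azp":"TestApp"}' | b64url)."
echo "seconds left at iat 1473347785: $(jwt_seconds_left "$SAMPLE_JWT" 1473347785)"
if [ -n "$KC_REFRESH_TOKEN" ]; then kc_access_token "$KC_ACCESS_TOKEN" "$KC_REFRESH_TOKEN"; fi
```

With real tokens exported as KC_ACCESS_TOKEN and KC_REFRESH_TOKEN, the last line performs the refresh only when the current token is about to expire; the sed extraction of access_token is a quick stand-in for `jq -r .access_token`.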
Re: [keycloak-user] Single transaction OTP
by Bill Burke
Are you familiar with SSO protocols? The client (application) requests
a token (OIDC) or assertion (SAML). The token/assertion is built
specifically for the client and can contain information about the user,
i.e. role/group mappings. Clients can force the user to log in
again; that's about it...
You'll have to be more specific about what you're looking for.
On 9/11/16 6:42 AM, Uli Schulze-Eyssing wrote:
>
> Not really a one-use token, but a second factor (like TOTP) for
> specific transactions (e.g. order confirmation).
>
>
> Am 10.09.2016 um 13:31 schrieb Bill Burke:
>>
>> You mean a one-use token? We don't support that.
>>
>>
>> On 9/10/16 7:27 AM, Uli SE wrote:
>>>
>>> Hi,
>>>
>>> is it possible (done in a sample) to secure a single transaction
>>> using Keycloak's OTP feature?
>>>
>>> I currently use angularjs/wildfly with keycloak sso.
>>>
>>> Many Thanks,
>>>
>>> Uli
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
Single transaction OTP
by Uli SE
Hi,
is it possible (done in a sample) to secure a single transaction using
Keycloak's OTP feature?
I currently use angularjs/wildfly with keycloak sso.
Many Thanks,
Uli
bearer token payload
by Uli SE
Hi,
Can I add fields from the Keycloak profile to the bearer token to get them
in a WildFly-based web service?
Keycloak integrated with Google Apps
by Marcelo Barbosa
Hi all,
I would really like to create documentation and a case study using Keycloak
fully integrated with Google Apps, but in two months of using Keycloak I
haven't had success.
I think the main thing the Keycloak project needs is a person with the time
and the resources to test the project completely.
I sent some errors in other emails and didn't receive any help. If someone
can help me, that would be good; otherwise I will be forced to go to the
simpleSAMLphp project, which works seamlessly with AD and Google Apps.
Cheers,
Keycloak 2.2.0.CR1 Released
by Stian Thorgersen
Keycloak 2.2.0.CR1 has just been released. The final release will follow
next week if no major issues are reported. A few highlights of this release:
- *OpenID Connect certification* - We've continued to work on our OpenID
Connect implementation and we're now passing the basic, implicit, hybrid
and config profiles. We'll get the dynamic profile sorted in the 2.3
release.
- *Server config moved to standalone/domain.xml* - In the past some
server configuration was done in keycloak-server.json and some in
standalone/domain.xml. We've now moved all config to standalone/domain.xml
and keycloak-server.json is now deprecated. This brings the option to use
jboss-cli including offline scripts to automate configuration.
- *Manual DB migration* - We've had automatic migration of the database
for a long time, but we now have an option to have Keycloak write a SQL
migration file instead of applying the changes directly.
- *Fuse adapter download* - There is now a Fuse adapter download that
makes it possible to install Keycloak support in Fuse without access to
an external Maven repository.
- *Hot deployment of providers* - It's now possible to hot deploy custom
providers from within a JEE deployment. We've not had the chance to write
documentation around this yet and it could do with a bit more testing so
consider it a preview feature. Take a look at the user-storage-jpa provider
example though, it's great stuff!
- *Identity Provider Authenticator* - In the past, redirecting to
identity providers was hardcoded in Keycloak; we've now refactored
this into a new authenticator.
- *Norwegian, Japanese and Lithuanian translations* - Keycloak now comes
with 11 translations, 10 of them contributed and maintained by our
excellent community.
For the full list of issues resolved check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
and
to download the release go to the Keycloak homepage
<http://blog.keycloak.org/www.keycloak.org/downloads>.
Get user's roles from groups using POST
by Eric Matte
What specifically is that GET request?
Is there a way to just confirm user authentication on the backend with a POST/GET method?
Something that would return the parsed token of the user for his current session.
With the parsed token, the backend server could validate the user, but could also get directly all of the user’s roles.
Eric
From: Thomas Darimont [mailto:thomas.darimont@googlemail.com]
Sent: September 9, 2016 3:37 AM
To: Marek Posolda <mposolda(a)redhat.com>
Cc: Eric Matte <eric.matte(a)bionxinternational.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get user's roles from groups using POST
Hello,
with the changes from this PR: https://github.com/keycloak/keycloak/pull/3120
the realm roles and client roles would also be available with a single GET request.
Cheers,
Thomas
2016-09-09 9:21 GMT+02:00 Marek Posolda <mposolda(a)redhat.com>:
Yep. You can take a look at our testsuite for inspiration : https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... .
Especially see last test "roleMappings"
Marek
On 08/09/16 20:30, Eric Matte wrote:
Hi, I need to get all user roles from a specified user ID from all assigned groups for this particular user.
I have searched the API documentation and found no link that could return all roles of the authenticated user.
Currently, I have the user id, the realm name, the client id, and an admin token.
I need to send a POST method from my backend in order for it to properly set all the session's variables.
http://www.keycloak.org/docs/rest-api/#_userrepresentation
From this link, UserRepresentation seems to have everything I need, but while checking the code on GitHub, the function for “GET /admin/realms/{realm}/users/{id}” only returns the few first variables (name, email, id, etc.). But, clientRoles, for instance, is not returned.
Thank you
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak.js - page reloads itself when logged in
by Andy Yar
Hello,
I've created a template of an Angular-based app using the keycloak.js lib. After
a successful login the app/page periodically reloads itself. I guess it's
because of the iframe session check being set to a 5 sec interval (requesting
url: <base_url>/#state=<hash>&code=<hash>).
This happens in latest Firefox and Edge. Chrome seems to handle these
reloads quietly.
Is this intended?
Thanks
Example for decoding JWT Token in Shell
by Thomas Darimont
Hello group,
just found an interesting example for decoding a JWT token in the shell.
Perhaps some of you might find that handy... see below.
Cheers,
Thomas
KC_REALM=acme-test
KC_USERNAME=tester
KC_PASSWORD=test
KC_CLIENT=app1
KC_CLIENT_SECRET=aa937217-a566-49e4-b46e-97866bad8032
KC_URL="http://localhost:8081/auth"
# Request tokens for the credentials (direct access / password grant).
# -k disables TLS verification and -v prints the whole exchange, including the
# password and client secret, so keep both to a local test server.
KC_RESPONSE=$( \
curl -k -v \
-d "username=$KC_USERNAME" \
-d "password=$KC_PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$KC_CLIENT" \
-d "client_secret=$KC_CLIENT_SECRET" \
"$KC_URL/realms/$KC_REALM/protocol/openid-connect/token" \
| jq .
)
KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
KC_ID_TOKEN=$(echo "$KC_RESPONSE" | jq -r .id_token)
KC_REFRESH_TOKEN=$(echo "$KC_RESPONSE" | jq -r .refresh_token)
# decode the access token payload (second dot-separated segment). JWT segments
# are base64url without '=' padding, so restore the standard alphabet and the
# padding first; a bare "base64 -d" rejects many tokens.
jwt_payload() {
  s=$(printf '%s' "$1" | cut -d "." -f 2 | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}
jwt_payload "$KC_ACCESS_TOKEN" | jq .
{
  "jti": "c5ed8525-f0c6-433f-9a88-ef92645582dd",
  "exp": 1473348085,
  "nbf": 0,
  "iat": 1473347785,
  "iss": "http://localhost:8081/auth/realms/acme-test",
  "aud": "app1",
  "sub": "c88e9053-89cf-4a4b-af09-c34d91d083af",
  "typ": "Bearer",
  "azp": "app1",
  "auth_time": 0,
  "session_state": "bfb1e6dd-b8c6-4379-bc47-e86c5396b06b",
  "acr": "1",
  "client_session": "db292d8b-263e-4030-9b93-a1d37e5ee5eb",
  "allowed-origins": [],
  "resource_access": {
    "app-js-demo-client": {
      "roles": [
        "user"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Theo Tester",
  "preferred_username": "tester",
  "given_name": "Theo",
  "family_name": "Tester",
  "email": "tom+tester@localhost"
}