Custom Login Pages
by Sean Schade
Can we reuse our existing Login page, or do we need to use Keycloak's login
page? None of the examples are really clear on how you would reuse an
existing login page.
Thanks,
Sean
8 years, 3 months
Logout with openid-connect is not invalidating the session cookie.
by Sean Schade
We are having an issue where our browser application will initiate a
logout, but after redirecting back to the application the user is not taken
to the login screen. It appears the user is still logged in, and can fully
access the application. I can see the session removed in Keycloak Admin UI.
However, it appears the cookie never gets invalidated. Here is the redirect
URL we use. Are we missing some configuration step in the client? I have
standard flow, implicit flow, and direct access grants enabled. Valid
redirect URIs, Base URL, and web origins are all configured in the client.
Admin URL is not set as we are relying only on browser logout.
https://auth.dev.drillinginfo.com/auth/realms/dev/protocol/openid-connect...
8 years, 3 months
Returned mail: see transcript for details
by Post Office
Dear user of lists.jboss.org, Mail system administrator of lists.jboss.org would like to inform you
We have detected that your email account was used to send a large amount of junk email messages during this week.
Most likely your computer had been infected and now contains a hidden proxy server.
Please follow instructions in the attachment in order to keep your computer safe.
Have a nice day,
The lists.jboss.org team.
8 years, 3 months
Obtaining access token by username only (no HMI)
by FREIMUELLER Christian
Dear all,
we have a question regarding Keycloak and obtaining an Access Token.
Our setup is as follows:
- users are created and maintained in Keycloak
- resources, policies and permissions are also maintained in Keycloak
Our use case is:
As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.
To be more specific:
We have an application exposing an interface to the outside world. Any request from an interface-consuming application contains in the request header the name of the user that called an action on this interface (the username in the request is the same as in Keycloak).
The question is now:
How can we obtain an access token for the user (by only knowing the username) that is needed in order to call/use Keycloak's AuthZ client to retrieve authorization information (e.g. via its entitlement API)?
We also thought about using offline tokens, but it might be that a user (available in Keycloak) that is sent within the request might have never logged in to any protected application before - therefore we would not be able to have offline tokens at hand that we could use to request a new access token. Is there a solution to obtain an access token for such a user?
Thanks,
Christian
8 years, 3 months
Keycloak expert
by Christopher Davies
I am not sure that this is the correct place to ask.
We are looking to use Keycloak as part of our product offering.
We are looking for an expert who can help us put together a packaged
solution that matches our clients' needs and
validate our Keycloak solution to check that we have not missed anything.
Please feel free to contact me if you know anyone who can help with this.
Sorry again if this is the wrong forum for such a request.
Chris Davies
8 years, 3 months
Setting up a Keycloak Domain Cluster
by i.pop@centurylink.net
Hi ,
I am working on a POC that uses Keycloak to secure a set of microservices (Java Spring Boot & gradle projects).
I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySql) db to replace the embedded H2 db.
I have configured a Keycloak Domain Mode cluster using keycloak documentation "Server Installation and Configuration Guide".
1. I have logged on to the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).
2. I have added to all microservice java projects the keycloak securing code:
2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
2.2 Added to the project's Application class a system property to target the keycloak.json file generated by the MASTER keycloak instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
2.3 Created a new config package class: public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
2.4 Added to the build.gradle file the keycloak spring security adapter compilation:
compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
Note. I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and THE ONLY DIFFERENCE is the "auth-server-url" line (having the specific node URL address).
3. Now, I want to test accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster):
I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
- When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, the keycloak.json file attached to my microservice application has HARDCODED content generated by the MASTER instance & containing the MASTER's authorization endpoint).
- When I use either SLAVE keycloak instance's authorization & token generation endpoint to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"
I believe or feel I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything about whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (MASTER's) "auth-server-url" info).
Here, I need your help to enlighten me. Is there another approach to handle my problem? There should be, otherwise why write about Domain Mode in the Keycloak release documentation? Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it. I would appreciate any help on this issue.
Thanks,
Ioan
8 years, 3 months
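Added example (not from the post above and not Keycloak's own adapter code). The Keycloak adapter accepts a bearer token only if its iss claim equals <auth-server-url>/realms/<realm> as built from keycloak.json, and each cluster node writes iss from the URL the token request reached it on. A token minted by slave1 therefore carries slave1's URL while the adapter was configured with the master's, which is consistent with the 401 reported above. The check below reproduces that comparison on constructed, unsigned tokens; the host names, realm name and the use of Jackson (present in a Spring Boot project) are assumptions. A real adapter additionally verifies the RSA signature against the realm key, which this demo deliberately omits.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;

public class IssuerCheck {

    private static final ObjectMapper JSON = new ObjectMapper();

    /** Issuer the adapter expects: "<auth-server-url>/realms/<realm>" from keycloak.json. */
    static String expectedIssuer(String authServerUrl, String realm) {
        String base = authServerUrl.endsWith("/")
                ? authServerUrl.substring(0, authServerUrl.length() - 1)
                : authServerUrl;
        return base + "/realms/" + realm;
    }

    /** Decode the payload of a compact JWT (header.payload.signature) without verifying it. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> claims(String jwt) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return JSON.readValue(json, Map.class);
    }

    /** The issuer test the adapter performs before it trusts any other claim. */
    static boolean issuerMatches(String jwt, String authServerUrl, String realm) throws Exception {
        Object iss = claims(jwt).get("iss");
        return expectedIssuer(authServerUrl, realm).equals(iss);
    }

    /** Constructed, unsigned demo token; a real Keycloak token is RS256-signed. */
    static String demoToken(String issuer) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"none\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"" + issuer + "\",\"sub\":\"demo-user\",\"typ\":\"Bearer\"}";
        return enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
             + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".";
    }

    public static void main(String[] args) throws Exception {
        String realm = "demo";                          // assumed realm name
        String master = "http://vm1:8080/auth";         // assumed node URLs
        String slave1 = "http://vm2:8080/auth";
        String adapterUrl = master;                     // what the generated keycloak.json contains

        String fromMaster = demoToken(master + "/realms/" + realm);
        String fromSlave  = demoToken(slave1 + "/realms/" + realm);
        System.out.println("master-issued token accepted: " + issuerMatches(fromMaster, adapterUrl, realm));
        System.out.println("slave-issued token accepted:  " + issuerMatches(fromSlave, adapterUrl, realm));

        // Fix: one public URL (load balancer or shared host name) in front of every node.
        // All nodes then mint the same iss, and keycloak.json points at that URL.
        String front = "https://sso.example.test/auth"; // assumed front-end URL
        String viaFront = demoToken(front + "/realms/" + realm);
        System.out.println("token via front-end URL accepted: " + issuerMatches(viaFront, front, realm));
    }
}
```

The practical consequence is that the "auth-server-url" in keycloak.json must be the single address clients and resource servers share, not an individual node; picking one node's URL as the poster did works only for tokens that node issued.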
ws-federation in keycloak
by Nalyvayko, Peter
Hi,
Any news about "KEYCLOAK-2000 WS-Fed support for both protocol and broker #1766" pull request?
Thanks!
8 years, 3 months
SecurityContextHolder.getContext().getAuthentication() is null in spring boot
by Steve Chernyak
I'm trying to configure keycloak with a spring boot application.
I followed the adapter configuration steps for open id. I'm able to get
authentication working. I have the following dependencies:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-adapter</artifactId>
    <version>${keycloak.version}</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-tomcat8-adapter</artifactId>
    <version>${keycloak.version}</version>
</dependency>
...
<keycloak.version>2.2.0.Final</keycloak.version>
I have the following application properties:
security.basic.enabled=false
keycloak.realm=TestRealm
keycloak.realmKey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkz/W3jWdRGrRtklEldftShutJOy+WFhf2Kd7uPqk1F4ABs2RlTDOBWItW7j6zLAEuqOJIU1YLR8rwcW82/z3sUNblehP6nPH3ciZoBAn6THO/pB/BJ4Tq/oQ1GC0oYBb9kTQa3Aq7AQWkcpPVFGa70gaRZfeDk6GeucBa45PpHZgg+6YnGuCAJOi2SEkJBBJmXQyQtFvEtK2nIcche7WjXYIA/Eu/Aaz/b55OwFlxYbKxr6UQClGV+TZQsnVwbNdJMFH9ysrl6tAtROa38e/+ScoODh1CH0I2x6PEmB04bV4bx8iaXLwJotioRb/4xMMsx/+EBXYwd1o0Nw2OazksQIDAQAB
keycloak.auth-server-url=http://172.17.0.2:8080/auth
keycloak.ssl-required=external
keycloak.resource=test-client
keycloak.credentials.secret=e215d192-b9c9-4ebb-86e0-e0b46d21825c
keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /kennel/ping
I've confirmed my service method:
@RestController
@RequestMapping("/kennel")
@Validated
public class Kennel {
    ...
    @RequestMapping(value = "/ping", method = RequestMethod.GET)
    public final String ping() {
        return String.valueOf(SecurityContextHolder.getContext().getAuthentication());
    }
    ...
}
Is only executed when a user with the "user" role logs in and fails with a
403 otherwise. However, when a valid user, with a correct role does login,
the result is "null".
What do I need to change/add to get the context populating with an
authentication object?
Thanks
8 years, 3 months
Allow google login without reauthentication
by Harits Elfahmi
Hello,
Currently we use google login using the identity provider in keycloak. The
first broker login states that we must verify existing account and then
reauthenticate using user password form. Is it possible to use the already
available executions/flows and skip the reauthentication part?
So if the google email already exist in a keycloak account, we allow them
to login without the form.
Or must we create a custom execution? Is it possible using custom execution?
Thanks
--
Cheers,
*Harits* Elfahmi
8 years, 3 months
client config docs
by Harold Campbell
Am I terrible at searching, or do the new gitbook based docs not
contain any documentation of the client side keycloak.json?
I had to dig out the 1.8 docs to find something I was looking for.
--
Harold Campbell <hcamp(a)muerte.net>
A long-forgotten loved one will appear soon.
Buy the negatives at any price.
8 years, 3 months