Looking for a company with expertise with keycloak
by Ricardo Chu
We have been using Keycloak and the User Storage Federation functionality on a small scale with good results. Now we would like to implement Keycloak's Identity Broker and User Storage Federation functionality with 50 institutions. These institutions have a variety of IDPs such as SAML, Shibboleth, CAS, LDAP, AD etc.
Does anyone have good recommendations for companies that have experience with implementing Keycloak and the Identity Broker functionality?
Rick
8 years
Jetty 503 when secured with confidential client+env vars, works with public
by cen
I am using embedded Jetty 9.2. If I use a public client with env vars in
JSON everything works, if I use env vars for confidential client it
breaks with "503 service unavailable".
Works:
{
"realm": "${env.KC_REALM}",
"realm-public-key": "${env.KC_PUBLIC_KEY}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Fails:
{
"realm": "${env.KC_REALM}",
"realm-public-key": "${env.KC_PUBLIC_KEY}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_CLIENT}",
"credentials": {
"secret": "${env.KC_CLIENT_SECRET}"
},
"use-resource-mappings": true
}
Confidential client works if I copy-paste the JSON from "Installation"
tab directly (without env vars).
I checked at least 10 times that my env vars are correct and that I
don't have a typo somewhere.
Unfortunately there are zero logs from Jetty or Keycloak adapter about
the problem. How would I go troubleshooting this?
8 years
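One way to take the environment out of the picture, added here as an example (not code from the post or from the Keycloak adapter): run it from the same environment the Jetty JVM is started in, and it expands the adapter's ${env.NAME} placeholders, reports any that are unset or empty, and checks that a client which is not public still has a secret after expansion; the sample config and environment below are constructed.

```python
import json
import os
import re

# Placeholder syntax the Keycloak adapter expands in keycloak.json: ${env.NAME}
PLACEHOLDER = re.compile(r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")


def resolve(value, env):
    """Expand ${env.NAME} in one string; returns (expanded, names that were unset/empty)."""
    missing = []

    def sub(m):
        name = m.group(1)
        if not env.get(name):
            missing.append(name)
            return ""
        return env[name]

    return PLACEHOLDER.sub(sub, value), missing


def check_adapter_config(text, env=None):
    """Expand every placeholder in an adapter JSON document; returns (config, problems)."""
    env = os.environ if env is None else env
    problems = []

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            out, missing = resolve(node, env)
            problems.extend("unset or empty variable: %s" % n for n in missing)
            return out
        return node

    cfg = walk(json.loads(text))
    # A client that is not public must end up with a non-empty secret after expansion.
    if not cfg.get("public-client") and not (cfg.get("credentials") or {}).get("secret"):
        problems.append("confidential client without a secret after expansion")
    return cfg, problems


# Constructed sample in the shape of the failing config; KC_CLIENT_SECRET is
# deliberately absent from the sample environment to show what the report looks like.
SAMPLE = """{"realm": "${env.KC_REALM}", "auth-server-url": "${env.KC_BASE_URL}",
  "ssl-required": "${env.KC_SSL_REQUIRED}", "resource": "${env.KC_CLIENT}",
  "credentials": {"secret": "${env.KC_CLIENT_SECRET}"}}"""
SAMPLE_ENV = {"KC_REALM": "demo", "KC_BASE_URL": "https://kc.example/auth",
              "KC_SSL_REQUIRED": "external", "KC_CLIENT": "app"}
```

Run it without arguments (env=None) inside the Jetty start script to see exactly what the adapter's process will get; a variable exported only in an interactive shell will show up as unset there.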
Feature Request: Better ECP Support for Service Provider
by Mark Schäfer
Recently I tried to use SAML ECP (Enhanced Client Profile) with KeyCloak
2.3.0.Final and the Tomcat 7 Adapter for a REST-Service. I am aware that
the ECP Support on the SP side is not officially supported and was only
implemented for Openstack integration.
Nevertheless I managed to receive a SAML authorization request from the
SP, forwarding it to the single configured IP resulting in a SAML
assertion. (With KeyCloak 2.5.0.Final the latter did not work anymore
and I will post this bug? separately).
The biggest missing feature right now is the missing support for
multiple IPs in the SP adapter configuration. ECP allows for multiple
IPs in the first response containing the SAML authorization request.
I suggest to either enhance the SP adapter configuration to allow
multiple IP elements and to enhance the adapter itself to handle SAML
responses from either one of these IPs.
Alternatively, it might be better to enhance KeyCloak itself to redirect
the ECP SAML authorisation request to the configured IPs in the
brokering section. This seems to be more complicated and I am not sure
if SAML or ECP provide this workflow.
Background: the setup of my customer has a REST service as SP providing
services for the users of 18+ different IPs, a default client
implementation for this service and about 100 different REST client
implementations by third party companies. All this takes place in the
German public healthcare system. SAML has been a given for a couple of years
and the IPs have ample experience with SAML web applications. ECP will
become mandatory in the coming months. As a consequence we need a solid
ECP support on the SP side.
8 years
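The part of "handle SAML responses from either one of these IdPs" that matters most on the SP side, added here as an example (not code from the post, the adapter or Keycloak): the SP has to pick the trust entry by the Issuer of the incoming Response, verify the signature with that IdP's key, and reject any issuer it was not configured for; the trust table, the entityIDs and the unsigned sample Response are constructed, and signature verification itself is left to the SP's XML signature library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP trust table: one entry per configured IdP, keyed by the entityID
# the IdP writes into <saml:Issuer>; the value is what the SP needs to verify that
# IdP's signature (a placeholder label here, in practice its certificate).
TRUSTED_IDPS = {"https://idp-a.example/saml": {"cert": "cert-of-idp-a"},
                "https://idp-b.example/saml": {"cert": "cert-of-idp-b"}}


class UnknownIssuer(Exception):
    pass


def select_idp(response_xml, trusted=TRUSTED_IDPS):
    """Return (issuer, trust entry) for the configured IdP that issued a Response.
    Response-level and Assertion-level Issuer must be present, agree, and name a
    configured IdP; the signature is then verified with that IdP's key only."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    resp_issuer = root.find("saml:Issuer", NS)
    assertion = root.find("saml:Assertion", NS)
    asrt_issuer = None if assertion is None else assertion.find("saml:Issuer", NS)
    if resp_issuer is None or asrt_issuer is None:
        raise ValueError("missing Issuer element")
    issuer = (resp_issuer.text or "").strip()
    if issuer != (asrt_issuer.text or "").strip():
        raise ValueError("Response and Assertion issuers differ")
    if issuer not in trusted:
        raise UnknownIssuer(issuer)
    return issuer, trusted[issuer]


def accepts(response_xml, trusted=TRUSTED_IDPS):
    """True only for a structurally valid Response from a configured IdP."""
    try:
        select_idp(response_xml, trusted)
        return True
    except (UnknownIssuer, ValueError, ET.ParseError):
        return False


def sample_response(issuer, assertion_issuer=None):
    """Constructed, unsigned Response for demonstration (not a real IdP message)."""
    a = issuer if assertion_issuer is None else assertion_issuer
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
            '<saml:Issuer>%s</saml:Issuer><saml:Assertion ID="_a1" Version="2.0">'
            '<saml:Issuer>%s</saml:Issuer></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], issuer, a))
```

The issuer value is attacker-controlled until the signature check with the selected key succeeds, so the lookup must never fall back to "any configured key" when the issuer is unknown.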
how to intercept/flow: VerificationException: Token is not active
by java_os
Hi
I have 2 bearer rest layers (A,B): A calls B. In front I have an angular
web layer calling A -> B.
What are the best practices to handle "Token is not active" when the user sits
idle in front and the token becomes inactive, i.e. the http session is still
valid but the KC token has expired? If B hits "token not active" on the call
from A to B, how would I propagate this to the front layer?
A has to consume the ValidationException from B and notify the front layer to
auto-logout, or prompt the user with a message saying 'your session expired,
please login', or automatically throw the user into the login prompt in front.
For the scenario above, can anyone share some thoughts?
Thanks
8 years
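One concrete way to carry B's rejection back to the front layer, added here as an example (not code from the post or from Keycloak): B answers with a 401 and an RFC 6750 Bearer challenge that names the reason, A relays that challenge unchanged instead of turning it into a generic 500, and the web layer keys on error="invalid_token" to log the user out; the claims decoder, the realm name and the sample token are constructed, and verification of the token itself remains the adapter's job.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a compact JWT's payload without verifying it. Used only to explain
    why a token the adapter already rejected was rejected; verification stays
    with the resource server."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_status(claims, now=None, leeway=0):
    """'active', 'expired' (exp passed) or 'not_yet_valid' (nbf in the future)."""
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"] + leeway:
        return "expired"
    if "nbf" in claims and now + leeway < claims["nbf"]:
        return "not_yet_valid"
    return "active"


def challenge_for(status, realm="myrealm"):
    """(HTTP status, WWW-Authenticate) that service B returns to A (RFC 6750).
    error="invalid_token" is what the web layer keys on to log the user out."""
    if status == "active":
        return 200, None
    desc = {"expired": "The access token expired",
            "not_yet_valid": "The access token is not yet valid"}[status]
    return 401, 'Bearer realm="%s", error="invalid_token", error_description="%s"' % (realm, desc)


def propagate(downstream_status, downstream_headers):
    """Service A: relay B's bearer challenge as A's own 401 (status, headers).
    Any other B failure is A's problem (502), not the caller's credentials."""
    if downstream_status == 401 and "WWW-Authenticate" in downstream_headers:
        return 401, {"WWW-Authenticate": downstream_headers["WWW-Authenticate"]}
    if downstream_status >= 500:
        return 502, {}
    return downstream_status, {}


def make_unsigned_token(claims):
    """Constructed sample token for the test only: real header, empty signature,
    which no verifier would accept."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))
```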
Flow supported by keycloak for openId connect and jboss
by Pulkit Gupta
Hi Team,
I have a basic question; I searched through the documentation but was not
able to find an answer.
Can you please let me know which flow is supported by keycloak for OpenId
on the jboss platform.
I am exploring openID connect as a way to secure my Java applications using
keycloak.
These applications are hosted on jboss.
--
Thanks,
Pulkit
AMS
8 years
Log out server sessions when using bearer authentication
by Dan Østerberg
Hi,
How can we make single sign out work when passing bearer tokens to a server guarded by a «traditional» session based Oauth2 client / adapter?
Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created – either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won’t work, because Keycloak is neither aware of the server session nor the Oauth2 client that has an admin URL.
One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I’m just missing or misunderstanding something...
~Dan
8 years
COMPOSITE_ROLE table duplicate rows issue
by Haim Vana
Hi,
We found an issue with the COMPOSITE_ROLE DB table; the issue might have occurred when creating multiple realms in parallel.
We noticed that the create realm API fails on timeout and the DB showed locks on the COMPOSITE_ROLE table.
Further investigation revealed that the COMPOSITE_ROLE table contained a lot of duplicate rows: instead of about 4000 rows there were over a million rows.
Deleting the duplicate rows solved the issue.
Any idea what might have caused the duplicated rows? Or how to prevent it?
Also, we have about 4000 rows in the COMPOSITE_ROLE table; does that make sense for about 160 realms? (maybe we need to do some cleanup)
Thanks,
Haim.
8 years
Setting up webapplication to accept both bearer and openid redirect login
by David Delbecq
I have a wildfly application where I need this behaviour:
1) If the user provides a token during the request and tries to access a secure
area, use it (typically SOAP and REST requests)
2) If the user has no credentials to show, issue an interactive web login
So far I managed to get either 1) or 2) on the application, depending on
using the bearer-only access type or not. But I can't seem to find out how to
have both behaviours. Below is the JSON export of my current realm config. I am
currently doing this in wildfly:
<secure-deployment name="shipping.war">
<realm>Shipping</realm>
<auth-server-url>${authURL}</auth-server-url>
<public-client>true</public-client>
<ssl-required>EXTERNAL</ssl-required>
<resource>shipping-soap</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>
using this code to get a token from the WS client:
Keycloak keycloak = Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping",
        username, password, "shipping-soap");
customHeaders.put("Authorization",
        Arrays.asList("Bearer: " + keycloak.tokenManager().getAccessTokenString()));
but when I issue the ws request, I get a redirect to keycloak (see below).
I suspect I misunderstood some parts of the keycloak configuration and its
behaviour, but I am not sure what I did wrong. Can somebody explain to me how
to integrate both webservice and webpages with a single client id?
POST /shipping/service/1.0/shipping HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
Authorization: Bearer: <JWT elided>
SOAPAction: ""
User-Agent: Apache CXF 3.0.5
Cache-Control: no-cache
Pragma: no-cache
Host: localhost:18080
Connection: keep-alive
Content-Length: 1784
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:createShipments
xmlns:ns2="urn:trimbletl:eshipco:shipping:1_0"><ShipmentData><id>shipmentid</id><type>full-truckload</type><freightCarryingUnitType>none</freightCarryingUnitType><freightCarryingUnitSubType>box-dry-van</freightCarryingUnitSubType><freightCarryingUnitDimension>standard</freightCarryingUnitDimension><cargoType>break-bulk</cargoType><name>shipment
name</name><consignor><id>consignorid</id><name>consignor
name</name><address><street>street1</street><number>1</number><city>city1</city><zipcode>zipcode1</zipcode><area>area1</area><country>AE</country></address><coordinate><latitude>1</latitude><longitude>2</longitude></coordinate><contact><name>name1</name><company>company1</company><phone>phone1</phone></contact><timewindow><startTime>1970-01-01T01:00:01+01:00</startTime><endTime>1970-01-01T01:00:02+01:00</endTime></timewindow></consignor><consignee><id>consigneeid</id><name>consignee
name</name><address><street>street3</street><number>3</number><city>city3</city><zipcode>zipcode3</zipcode><area>area3</area><country>AG</country></address><coordinate><latitude>3</latitude><longitude>4</longitude></coordinate><contact><name>name3</name><company>company3</company><phone>phone3</phone></contact><timewindow><startTime>1970-01-01T01:00:03+01:00</startTime><endTime>1970-01-01T01:00:04+01:00</endTime></timewindow></consignee><goods><id>box</id><amount>1</amount><volume>100.0</volume><weight>1000.0</weight><loadingMeter>10.0</loadingMeter><length>6</length><width>4</width><height>5</height><ref>testref</ref><desc>some
description</desc></goods><property><key>type.goods</key><value>1000</value></property></ShipmentData></ns2:createShipments></soap:Body></soap:Envelope>
HTTP/1.1 302 Found
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
X-Powered-By: Undertow/1
Set-Cookie: JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision; path=/shipping
Set-Cookie: OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; HttpOnly
Server: WildFly/9
Pragma: no-cache
Location: http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?...
Date: Thu, 29 Dec 2016 15:43:16 GMT
Connection: keep-alive
Content-Length: 0
{
"id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750",
"clientId" : "shipping-soap",
"description" : "Workbench, Adminbench and Administration",
"rootUrl" : "http://localhost:8080/",
"adminUrl" : "/shipping",
"baseUrl" : "/shipping",
"surrogateAuthRequired" : false,
"enabled" : true,
"clientAuthenticatorType" : "client-secret",
"secret" : "b556a2b8-bb1d-478e-97a0-14105556427f",
"defaultRoles" : [ "authenticated", "ROLE_authenticated" ],
"redirectUris" : [ "http://localhost:8080/shipping/*" ],
"webOrigins" : [ ],
"notBefore" : 0,
"bearerOnly" : false,
"consentRequired" : false,
"standardFlowEnabled" : true,
"implicitFlowEnabled" : false,
"directAccessGrantsEnabled" : true,
"serviceAccountsEnabled" : false,
"publicClient" : true,
"frontchannelLogout" : false,
"protocol" : "openid-connect",
"attributes" : {
"saml.assertion.signature" : "false",
"saml.force.post.binding" : "false",
"saml.multivalued.roles" : "false",
"saml.encrypt" : "false",
"saml_force_name_id_format" : "false",
"saml.client.signature" : "false",
"saml.authnstatement" : "false",
"saml.server.signature" : "false"
},
"fullScopeAllowed" : true,
"nodeReRegistrationTimeout" : -1,
"protocolMappers" : [ {
"id" : "b2eb4fed-68e3-4064-b0a8-f5926696a99f",
"name" : "username",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${username}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "username",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "preferred_username",
"jsonType.label" : "String"
}
}, {
"id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b",
"name" : "locale",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-attribute-mapper",
"consentRequired" : false,
"consentText" : "${locale}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "locale",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "locale",
"jsonType.label" : "String"
}
}, {
"id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e",
"name" : "email",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${email}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "email",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "email",
"jsonType.label" : "String"
}
}, {
"id" : "5429c06f-8b9b-4b33-bbb3-015117922910",
"name" : "role list",
"protocol" : "saml",
"protocolMapper" : "saml-role-list-mapper",
"consentRequired" : false,
"config" : {
"single" : "false",
"attribute.nameformat" : "Basic",
"attribute.name" : "Role"
}
}, {
"id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70",
"name" : "family name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${familyName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "lastName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "family_name",
"jsonType.label" : "String"
}
}, {
"id" : "a371b53c-5543-4188-a16f-005db9a73d7a",
"name" : "full name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-full-name-mapper",
"consentRequired" : true,
"consentText" : "${fullName}",
"config" : {
"id.token.claim" : "true",
"access.token.claim" : "true"
}
}, {
"id" : "e3ca3001-3f19-4654-b84c-7a352306cad1",
"name" : "given name",
"protocol" : "openid-connect",
"protocolMapper" : "oidc-usermodel-property-mapper",
"consentRequired" : true,
"consentText" : "${givenName}",
"config" : {
"userinfo.token.claim" : "true",
"user.attribute" : "firstName",
"id.token.claim" : "true",
"access.token.claim" : "true",
"claim.name" : "given_name",
"jsonType.label" : "String"
}
} ],
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}
8 years
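The per-request decision a single deployment has to make to serve both behaviours, added here as an example (not the poster's code and not Keycloak's adapter): bearer credentials present and well-formed means validate the token and answer 401 on failure, no credentials means start the interactive login, and a header that is present but not valid RFC 6750 Bearer syntax (the scheme is "Bearer" followed by whitespace, so "Bearer:" is not it) is better answered with a 401 than with the HTML redirect a SOAP client cannot follow; the header samples are constructed from the shape of the request shown in the post.

```python
import re

# RFC 6750 section 2.1: "Bearer", at least one space, then the token (b64token
# characters). The scheme name is case-insensitive; "Bearer:" is not a scheme.
BEARER = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def extract_bearer(authorization):
    """Return the token from an Authorization header value, or None if the
    header is absent or is not well-formed bearer credentials."""
    if authorization is None:
        return None
    m = BEARER.match(authorization)
    return m.group(1) if m else None


def choose_auth_mode(headers, strict=True):
    """Per-request decision for a deployment that must serve both behaviours:
    'bearer'   - well-formed Bearer credentials: validate the token and answer
                 401 with a Bearer challenge (never a 302) when it is bad;
    'redirect' - no credentials at all: start the interactive OIDC login;
    'reject'   - credentials present but malformed (strict mode). With
                 strict=False a malformed header is treated like no header and
                 the API client receives the login redirect instead."""
    auth = headers.get("Authorization")
    if auth is None:
        return "redirect"
    if extract_bearer(auth) is not None:
        return "bearer"
    return "reject" if strict else "redirect"


# Constructed headers shaped like the SOAP request in the post (token shortened).
WELL_FORMED = {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig"}
COLON_AFTER_SCHEME = {"Authorization": "Bearer: eyJhbGciOiJSUzI1NiJ9.e30.sig"}
```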
Keycloak token expiration and user script
by Haim Vana
Hi,
Currently, when a user executes a script (e.g. using Selenium) he generates an offline token, and our application (the Selenium server) generates an access token for the user from the given offline token.
The problem is that the access token expires after 5 minutes (the default Access Token Lifespan in the realm settings).
If we increase the default value, the UI tokens will also be affected, and it might be less secure.
What's the best way you recommend to solve it? Should the application (our Selenium server) refresh the token every 5 minutes until the script is finished? Or is there another option? Some kind of different token for that purpose?
Thanks for your help and time,
Haim.
8 years
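The refresh-ahead pattern the post asks about, added here as an example (not code from the post or from Keycloak): the server keeps the realm's 5-minute Access Token Lifespan and instead renews the script's access token from the offline token shortly before each expiry, so the UI tokens stay short-lived; refresh_fn, the token endpoint stand-in and the fake clock are constructed, and in practice refresh_fn is a call to the realm's token endpoint with the offline token as refresh_token.

```python
import time


class RefreshAheadToken:
    """Keep an access token valid for a long-running script by refreshing it
    from the offline token `margin` seconds before it expires.
    refresh_fn(offline_token) -> (access_token, expires_in_seconds) is supplied
    by the caller (hypothetical); clock() is injectable so the schedule is testable."""

    def __init__(self, offline_token, refresh_fn, margin=30, clock=time.time):
        self.offline_token = offline_token
        self.refresh_fn = refresh_fn
        self.margin = margin
        self.clock = clock
        self.access_token = None
        self.expires_at = 0.0
        self.refreshes = 0

    def _refresh(self):
        self.access_token, expires_in = self.refresh_fn(self.offline_token)
        if expires_in <= self.margin:
            raise ValueError("margin must be smaller than the access token lifespan")
        self.expires_at = self.clock() + expires_in
        self.refreshes += 1

    def get(self):
        """Return a token with at least `margin` seconds of validity left."""
        if self.access_token is None or self.clock() >= self.expires_at - self.margin:
            self._refresh()
        return self.access_token


def fake_token_endpoint():
    """Constructed stand-in for the token endpoint: 300-second tokens (the
    5-minute default from the post), numbered so each refresh is visible."""
    counter = {"n": 0}
    def refresh(offline_token):
        counter["n"] += 1
        return "access-%d-for-%s" % (counter["n"], offline_token), 300
    return refresh


def simulate(job_seconds, step=60):
    """Job that needs a token every `step` seconds on a fake clock; returns (refreshes, last token)."""
    now = [0.0]
    tok = RefreshAheadToken("offline-xyz", fake_token_endpoint(), clock=lambda: now[0])
    last = None
    while now[0] <= job_seconds:
        last = tok.get()
        now[0] += step
    return tok.refreshes, last
```

The offline token is the long-lived credential here, so it belongs in the server's secret store, never in the script or its logs, and should be revoked in Keycloak once the script's job is finished.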