October 2017 - keycloak-user - Jboss List Archives

by Knurr, Michael

In the documentation I can see that the whole domain configuration and all user information can be exported by the "startup" export functionality. http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html Unfortunately this method requires us to stop the server to do the export. What is the recommended procedure to export domain configuration and users in an actively running keycloak instance?

8 years, 1 month

3
5
0 / 0

Keycloak Spring Boot Adapter does not populate security context principal

by Niels Bertram

Hi Keycloak Users, I tried to configure a dead simple Spring Boot CXF REST endpoint with Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It appears the Keycloak Tomcat Valve fails authorization even before the keycloak adapter ever gets a chance to parse the Bearer token and setup the session. I would have thought that with AutoConfig it would just be that ... auto config. I added the below keycloak adapter configuration to the application.yml file and made sure all required jars are on the classpath. Does anyone have any suggestions or a link to a working example that shows how to use Spring Boot with Keycloak *AND* CXF ? Many thanks, Niels Example: https://github.com/bertramn/keycloak-secured-rest-endpoint application.yml configuration: keycloak: realm: demo authServerUrl: 'http://localhost:8080/auth' realmKey: 'MIIBIjANBgDAQAB' sslRequired: external resource: test-client bearerOnly: true securityConstraints: - authRoles: [ '*' ] securityCollections: - name: authed patterns: [ '/v1/secured' ]

8 years, 1 month

3
4
0 / 0

Keycloak 3.0.0 Final and Google IDP

by Joe Strathern

Hello Keycloak Community, I am trying to configure my Keycloak 3.0.0.Final install with Google as an Identity Provider, and hit an issue. After configuring my Google Dev account, including enabling the Google+ API, as well as setting up the provider in Keycloak, the Google+ login appears when i access my application. However, upon successfully logging into Google, I get the following error from Keycloak: "Unexpected error when authenticating with identity provider". Reviewing my Keycloak logs, i can see Keycloak is failing to make an oauth callback to google, and the connection is refused. I've attached the full log of the error for reference. Intiially thinking it was due to a network proxy, i configured http.proxy settings (host, port, user, and password) through standalone.conf.bat, however the issue still occurs. Is there an additional step i am missing to ensure Keycloak can communicate successfully with Google? Or is there another location i should be setting the proxy information for Keycloak? Thanks, Joe

8 years, 1 month

1
0
0 / 0

How to pass an arbitrary user name into the access token granted by Keycloak?

by Gunter Zeilinger

Our RESTful services configured with bearer-only access-type are used also by third-party application with their own user realm - only proprietary accessible by the third-party application. There is the requirement, to audit the user of the third-party application, invoking our RESTful services by the RESTful service itself - so it would need to be passed into the JWT bearer token which granted by Keycloak to the third-party application. Is there another way as importing the user-realm of the third-party application into the Keycloak realm associated with our RESTful service and the third-party application as client, so the third-party application can pass the user id by a resource owner password credentials authorization grant to obtain the access token - which relies on keeping our copy of the user-realm in sync with the third-party application, and that the third-party application has access to the user password. Particularly, is it possible to use a Bearer JWT as an authorization grant according RFC 7523, Section 2.1 to pass the user id from the third-party application to Keycloak, and to configure Keycloak to pass the user id also in the returned JWT Access Token? Thanks, Gunter

8 years, 1 month

1
0
0 / 0

Keycloak 3.3.0.Final Released

by Marek Posolda

We've just released Keycloak 3.3.0.Final. The release contains upgrade of Keycloak server to Wildfly 11.0.0.Final. There are also few bugfixes there. To download the release go to the Keycloak homepage - http://www.keycloak.org/downloads The full list of resolved issues is available in JIRA - https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix... Before you upgrade remember to backup your database and check the Migration guide - https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF... . Marek

8 years, 1 month

2
1
0 / 0

Keycloak 2.5 service account permission

by Ryan Murfitt

Essentially I want lock down permissions on a new client that has the ability to create users (ie service account / client credentials flow) and authenticate them (ie, password flow), but little else. Now, this fine tuning on the existing roles for individual clients seems available for 3.3 but I'm wondering if there's a way to achieve the same thing in 2.5? http://www.keycloak.org/docs/3.3/server_admin/topics/admin-console-permis... Cheers

8 years, 1 month

1
0
0 / 0

[JBoss JIRA] (KEYCLOAK-4818) Undeclared namespace prefix "ds"

by Michael Mok

Hi Hynek Keycloak 3.3.0 Final is still broken for issue KEYCLOAK-4818. https://issues.jboss.org/browse/KEYCLOAK-4818 The SAML dsig error occurred in SAMLDataMarshaller.*deserialize()* method The fix for KEYCLOAK-4818 was added to SAMLDataMarshaller.*serialize()* method however the error occured in SAMLDataMarshaller.*deserialize()* method. Please refer to the change set report below. https://source.jboss.org/changelog/Keycloak?cs= d52d685161336d68413bc633a81b223c66886c7a I also notice in the change set, the new unit test methods only assert the serialize() method. The deserialize() test method (ie *testParseResponse() ) does not test *for any dsig namespace. Are you able to update your unit test and verify the fix? Thank you for your help. SAMLDataMarshaller.java line 85 Caused by: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig" at [row,col {unknown-source}]: [1,914] at org.codehaus.stax2.ri.evt.Stax2FilteredEventReader.hasNext(Stax2FilteredEventReader.java:58) at org.keycloak.saml.processing.core.parsers.saml.SAMLAssertionParser.parse(SAMLAssertionParser.java:84) at org.keycloak.saml.processing.core.parsers.saml.SAMLResponseParser.parse(SAMLResponseParser.java:73) at org.keycloak.saml.processing.core.parsers.saml.SAMLParser.parse(SAMLParser.java:81) at org.keycloak.saml.common.parsers.AbstractParser.parse(AbstractParser.java:90) at org.keycloak.broker.saml.SAMLDataMarshaller.deserialize(SAMLDataMarshaller.java:85) at org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext.deserialize(SerializedBrokeredIdentityContext.java:277) Best Regards Michael Mok

8 years, 1 month

2
1
0 / 0

Username validation

by Richard

I'm trying to implement validation on the username. Specifically I'd like to validate a max length and characters that are allowed. I've found some checks in:*RegistrationUserCreation.java and *Validation.java. It looks like the first is used for signups, the latter for changing the account information of existing users. ** How should I go about adding checks? For the Registration I'm guessing that I should copy *RegistrationUserCreation, add the checks, and create a new Registration Flow with the new SPI. Is this correct? But what about the Validation for existing accounts? I could do the same. Make my own copy of Validation.java, but how do I plug it into the system? Any help much appreciated! *

8 years, 1 month

1
0
0 / 0

Re: [keycloak-user] Export Keycloak domain

by Tech

Hello, thanks for the support from everybody. The final string to export a realm is this: bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=<FILE_NAME> -Dkeycloak.migration.realmName=<REALM_NAME> On 26.10.17 22:49, Malte Finsterwalder wrote: > Export is done through command line parameters. Unfortunately there is > no UI for it yet. > > An example would be: > bin/standalone.sh -Dkeycloak.migration.action=export > -Dkeycloak.migration.usersExportStrategy=SKIP > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=exported.json > > More in the docs here: > http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html > > Greetings, > Malte > > On 26 October 2017 at 19:04, Tech <tech(a)psynd.net > <mailto:tech@psynd.net>> wrote: > > Dear experts, > > I'm struggling about how to export a domain, while apparently import > could be easily done from the admin web-interface: might you help me? > > Thanks! > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > <https://lists.jboss.org/mailman/listinfo/keycloak-user> > >

8 years, 1 month

1
0
0 / 0

Export Keycloak domain

by Tech

Dear experts, I'm struggling about how to export a domain, while apparently import could be easily done from the admin web-interface: might you help me? Thanks!

8 years, 1 month

3
2
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2017