Token Claim Compression
by Muehlburger, Herbert
Hi,
does Keycloak compress the token claims before they are Base64 encoded, or do I have to handle compression by myself when I implement a custom claim?
Best,
Herbert
7 years, 3 months
Re: [keycloak-user] How to only protect specific paths (SPA)
by Marcel van Tongeren
Hi Mehdi Mehdi,
If I'm correct, keycloak.init( {onLoad: 'login-required'}) should only be used for sites that are completely behind authentication/authorization.
Check out other init options here: http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-...
To protect only certain paths, you should probably configure the router in your SPA framework by adding some sort of 'authenticate' flag to the private routes.
Then you can probably add an extra authentication step to your pipeline that checks that flag and if it is set, it should fire the keycloak.login() if the user is not authenticated yet.
If it is not set, then the authentication step can skip the login, because it would be a public path.
Good luck!
Marcel
7 years, 3 months
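The route-flag approach described in the reply above, as an added example that is not part of the original thread or of Keycloak's own code. The route table, the `requiresAuth` flag, `matchRoute`, `guard` and the origin `https://app.example` are assumptions made for illustration; `authenticated` and `login({ redirectUri })` are the members the keycloak-js adapter exposes.

```javascript
// Hypothetical route table; `requiresAuth` plays the role of the
// "authenticate" flag suggested in the reply.
const routes = [
  { path: '/',        requiresAuth: false },
  { path: '/about',   requiresAuth: false },
  { path: '/account', requiresAuth: true  },
  { path: '/orders',  requiresAuth: true  },
];

// Longest-prefix match on whole path segments, so '/account/settings'
// inherits the flag of '/account' but '/aboutus' does not match '/about'.
function matchRoute(path) {
  const clean = path.split(/[?#]/)[0].replace(/\/+$/, '') || '/';
  let best = null;
  for (const r of routes) {
    const hit = r.path === '/'
      ? clean === '/'
      : clean === r.path || clean.startsWith(r.path + '/');
    if (hit && (!best || r.path.length > best.path.length)) best = r;
  }
  return best;
}

// Decide what the router should do before rendering `path`.
// `keycloak` is any object exposing `authenticated` and `login()`.
function guard(keycloak, path, origin) {
  const route = matchRoute(path);
  // Fail closed: a path missing from the table is treated as private.
  const needsAuth = route ? route.requiresAuth : true;
  if (!needsAuth || keycloak.authenticated === true) return 'allow';
  // Return to the page the user asked for after login.
  keycloak.login({ redirectUri: origin + path });
  return 'login';
}

// Browser wiring (assumption): initialise the adapter once with
// keycloak.init({ onLoad: 'check-sso' }) instead of 'login-required',
// then call guard(keycloak, to.path, window.location.origin) from the
// SPA router's navigation hook and cancel navigation on 'login'.
```

A client-side guard only controls what the SPA renders; the API behind the private routes still has to validate the bearer token on every request.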
Users (related to LDAP) are gone when I change the username
by Celso Agra
Hi all,
I'm getting a strange behavior.
My LDAP (openldap) is configured as writable in my User Federation. So, I
can create users from my Keycloak, but when I change the username, the user
disappears from my user list.
I checked the LDAP and the user is still there, with the 'old' username. So, is
there some way to change the username without the user disappearing from the Keycloak
user list?
This occurs because in my case, the username is the same as the email. So, if the
user changes email, I have to change the username also.
I'm using version 3.0.0.Final
Best regards
--
---
*Celso Agra*
7 years, 3 months
How to only protect specific paths (SPA)
by Mehdi Mehdi
Hello everyone and thank you for sharing keycloak with the community.
I'm trying to use keycloak on my SPA (single page application with javascript in both front & back ends).
I only want to password protect specific paths and not all paths. The problem is that once I do require login
keycloak.init( {onLoad: 'login-required'})...
on some "sensitive path" all the other paths become protected. I suspected that would happen because I did not find a function to suspend "requiring a login".
Indeed, I did test this by going to the keycloak admin page and logged out the user (who was by then on a public/not-protected path). On my SPA the user got kicked out, asking her for a password through keycloak even though she was on a 'public path'.
In short, is there a way to instruct keycloak not to require a login?
BTW, I'm only using keycloak on the front end right now.. Need to make it work before also using it on my API (back end).
Thank you in advance for your feedback.
7 years, 3 months
Fwd: 405 on importing a realm
by Kishan Sagathiya
---------- Forwarded message ----------
From: Kishan Sagathiya <ksagathi(a)redhat.com>
Date: Thu, Oct 12, 2017 at 8:05 AM
Subject: Re: 405 on importing a realm
To: Bruno Oliveira <bruno(a)abstractj.org>
The second curl results in a 502 bad gateway. Also take note that I am
not running on localhost, but on a remote server without https.
On Wed, Oct 11, 2017 at 5:56 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> I'm moving this discussion to keycloak-user, the appropriate place to
> ask these questions. This should work:
>
> #!/bin/bash
>
> REALM="master"
>
> # Request an admin access token via the password grant (admin-cli client)
> export TKN=$(curl -v -X POST "http://localhost:8080/auth/realms/$REALM/protocol/openid-connect/token" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "username=admin" \
> -d 'password=admin' \
> -d 'grant_type=password' \
> -d 'client_id=admin-cli' | jq -r '.access_token')
>
> # Import the realm: POST the JSON file to /auth/admin/realms
> curl -v -X POST -H "Content-Type:application/json" \
> -H "Authorization: Bearer $TKN" \
> -d "@/path/of/your/realm/testrealm.json" \
> http://localhost:8080/auth/admin/realms
>
> On 2017-10-11, Kishan Sagathiya wrote:
> > Hi,
> > I am getting '405 Method Not Allowed' on trying to create a realm using
> > keycloak's admin rest api.
> >
> > Following is the command that I am running
> >
> >
> > curl -H "Content-Type: application/json" -H "Authorization: bearer
> > $ACCESS_TOKEN" -d 'rep=$CONTENT_OF_THE_JSONFILE' -D- -X POST "
> > http://mykeycloakurl.com/auth/admin/realms/master"
> >
> > Is this the right way?
>
> --
>
> abstractj
>
7 years, 3 months
Authentication & Registration from Android application
by Jérôme Blanchard
Hi all,
In order to include keycloak in an android app, I'd like to know if somebody
has a solution for this integration. We need to handle authentication but
also account creation from the android app (or ios). We use Ionic for the
app to be available from web browser and native phone app.
In the native app, authentication opens a browser page from the native app
but, as we could imagine, the authentication process is not able to go back
to the native app...
I know that it is possible to create a dedicated login page inside the app
using the Direct Grant Access mechanism but I'd like to know if there is
another solution (like an Intent but compatible with keycloak)?
The second and major problem for integration is that we'd like users to be able
to start an account creation from the Android app directly. As I
understand, only the admin API allows user creation, so I imagine
that I will have to create a dedicated 'proxy' webapp, acting as a keycloak
admin and relaying android app backend calls for real keycloak account
creation...
Does anybody have a more comfortable solution avoiding developing such a
'proxy'?
Thanks a lot for your support, best regards, Jerome.
7 years, 3 months
Cannot pass idpHint option to Keycloak
by Sumit Das
Hi
I am using an IDP provider for authentication and trying to bypass the
standard keycloak login screen (so I need to go immediately to the IDP
specific authorization screen). According to this documentation (
http://www.keycloak.org/docs/latest/server_admin/topics/identity-broker/s...),
we can simply provide idpHint for this. Though that doesn't work.
Following is the piece of code:-
var keycloakAuth = new Keycloak('keycloak.json');
keycloakAuth.createLoginUrl({idpHint: 'ad-oidc'});
It failed with:-
Unable to get property 'redirectUri' of undefined or null reference
As far as I understand that's because the adapter is not created yet. So
probably we need to pass this option sometime later. But I am not sure
where exactly I am supposed to do that.
Your help and earliest response is awaited.
Regards
Sumit Das
7 years, 3 months
feature request: ldap protocol as authentication frontend
by Herrmann Hinz
hello all,
afaik at the moment it's not possible to authenticate against a keycloak
installation via ldap/s protocol. is this correct?
if so: any plans on integrating it? is there any work done already?
would be very helpful to have this integrated into keycloak. would it even
complete more.
thanks for your answers in advance,
tobias
7 years, 3 months
Keycloak (opening new tab) issue
by Paulraj, Helin
Hi All,
Clicking a link opens a new tab, but redirects the new tab to the homepage instead of displaying the link's content. Also keycloak token verification takes too long on this new tab. Sometimes the keycloak token refresh happens multiple times on the new tab, but never gets successful.
I want the link's content to be displayed on the new tab instead of being redirected to the homepage. Has someone faced a similar issue and got it fixed?
Thanks,
Helin
7 years, 3 months