Re: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final
by Diego Diez
After clicking the button I can see the account of the impersonated user,
but the SSO doesn't seem to work.
When I go to another app, the login form is prompted again instead of a new
redirect with the user logged in to the app automatically.
That's the issue I meant in the first place. Sorry for the lack of details.
PS: the app I used to reproduce the problem was secured using the Spring
Security adapter for Spring Boot.
On 29 Nov 2017 9:33 p.m., "Stian Thorgersen" <sthorger(a)redhat.com>
wrote:
Oh and we do have tests as well for it ;)
On 29 November 2017 at 21:33, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> Just tried it here and works just fine for me.
>
> On 29 November 2017 at 18:24, Diego Diez <diegodiez.ddr(a)gmail.com> wrote:
>
>> Hi Keycloak Community,
>>
>>
>> After successfully upgrading our servers from Keycloak 2.5.4.Final to
>> 3.4.0.Final, we have noticed that the impersonation feature isn't
>> working anymore.
>>
>> We have tested other versions with a vanilla install and the first
>> version with this problem is 3.2.0.Final.
>>
>> Are you experiencing this problem? Impersonation is quite a useful
>> feature to us, so any workaround until the next release would be great.
>>
>>
>> Regards,
>>
>> Diego Díez
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
7 years, 1 month
sessions are lost after restart - 3.3.0.CR2
by shop24@wolke7.net
Hi,
as we plan to update to 3.3.0.Final, I already started to play with the current CR2 and check the features we use.
We save our sessions in the file-based Infinispan cache:
<local-cache name="sessions" xmlns="urn:jboss:domain:infinispan:4.0">
<file-store passivation="false" fetch-state="true" purge="false" relative-to="jboss.home.dir" path="/infinistate/session" />
</local-cache>
I can see the session.dat file there growing with the number of sessions, and as long as the server stays alive, the sessions can be counted.
But when I restart the server, no sessions are visible in the admin console nor via the REST API.
Those things worked at least until 3.1.0.Final.
Is this a bug, or can I configure this somehow differently now? Are you working on it, and is it one of the points that are not final yet?
Regards,
Marie
7 years, 1 month
session timeout behavior when using the Spring Security adapter
by Sud Ramasamy
It looks like when using Keycloak and Spring Security with the OIDC Client protocol there is a way to hose the application session unintentionally when the Keycloak SSO session timeout setting is lower than the application (i.e. Client) session timeout value.
If the user accesses any parts of the application which are protected by the Keycloak adapter after the access token has expired (configured for 5 minutes) without first ending the application session, Spring Security still has the authentication object. But as part of the authentication flow in the application, the Keycloak adapter checks to see if the Access token is active which it won't be at this point. So the Keycloak adapter (RefreshableKeycloakSecurityContext.java) attempts to get a new Access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak the adapter receives a "Stale refresh token" error response from Keycloak. The "no access token" is propagated to the Keycloak adapter's OAuthRequestAuthenticator.java which proceeds to trigger a login redirect to Keycloak. Once the user is successfully authenticated in Keycloak and control is returned to the KeycloakAuthenticationProcessingFilter.java as a final step it attempts to store the KeycloakAuthenticationToken in the Spring SecurityContextHolder (see SpringSecurityTokenStore.saveAccountInfo). Here the code throws an exception because there is already an existing KeycloakAuthenticationToken in the SecurityContextHolder from the earlier login that wasn't cleared.
At this point SSO login into the application is hosed. A potential fix is to trigger a call to the application’s logout endpoint which will clear the Spring SecurityContextHolder object prior to fetching a new access token.
I was wondering if anyone has run into this behavior. It seems like when using the OIDC Client protocol, by its very nature of using short-lived Access tokens and Refresh tokens that are tied to the Keycloak session, we will have to set the Keycloak Session timeout to be the same or higher than the Client session timeout. But we do not necessarily have control over the clients. So we will have to set the Keycloak session timeout to the highest session timeout across all Clients, since this is a realm-level setting and not a per-Client setting. But this breaks another use case since we are using Identity Brokering. We want the user to be bounced to the external Identity Provider when their application session times out. If the Keycloak session timeout is higher than their application session timeout, then they wouldn't be bounced to the external Identity Provider for authentication. Looks like we might need to force Keycloak to initiate the authentication when we detect an application timeout.
-sud
7 years, 1 month
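The failure mode described in the post above (expired access token, refresh token rejected by Keycloak, then a collision in the token store when the adapter stores the new login), together with the mitigation the post proposes (clearing the Spring security context before the adapter re-authenticates), as an added example; this is not code from the original post or from the Keycloak project. It assumes the 3.x Spring Security adapter classes named in the imports, the hypothetical filter name StaleKeycloakSessionFilter, and that refreshExpiredToken(false) returns false when Keycloak rejects the stale refresh token.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (assumption): registered in front of the adapter's
// KeycloakAuthenticationProcessingFilter so it runs before the adapter
// attempts to save a fresh KeycloakAuthenticationToken.
public class StaleKeycloakSessionFilter extends OncePerRequestFilter {

    // Spring Security's own handler: invalidates the HTTP session and clears
    // SecurityContextHolder, i.e. the same effect as hitting the app's logout endpoint.
    private final SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof KeycloakAuthenticationToken) {
            // The adapter stores a RefreshableKeycloakSecurityContext inside the account.
            RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext)
                    ((KeycloakAuthenticationToken) auth).getAccount().getKeycloakSecurityContext();

            // Access token expired (e.g. the 5-minute lifespan from the post): try the
            // refresh token first. If Keycloak answers with a stale-refresh-token error
            // because its SSO session already timed out, refreshExpiredToken returns false.
            if (!ctx.isActive() && !ctx.refreshExpiredToken(false)) {
                // Drop the stale local login now, so that the adapter's redirect-based
                // re-login can store its new token without finding an old one in the context.
                logoutHandler.logout(request, response, auth);
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it with `http.addFilterBefore(new StaleKeycloakSessionFilter(), KeycloakAuthenticationProcessingFilter.class)` in the Spring Security configuration; the Keycloak SSO session timeout itself is still a realm-level setting, so this only avoids the local collision, it does not change when Keycloak expires the session.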
Services behind a Proxy that offloads SSL
by Malte Finsterwalder
Hi there,
I have a service running in a JBoss server that I want to secure via the
Keycloak adapter.
The server is behind a proxy that offloads SSL, so the server itself gets
traffic as http.
When the server redirects to Keycloak for authentication, the redirect URL
supplied to Keycloak is http, not https. How can I ensure that a redirect
URL is an https URL?
Greetings,
Malte
7 years, 1 month
SAML login via python when using Keycloak as Identity broker
by Pieter Lukasse
Hi,
I have Keycloak as an identity broker for a SAML SSO service. Login via
the browser works great. Now, I want to call the APIs of the SP's
application directly using Python or Java. Are these steps documented
somewhere? Should my Python script send 2 authentication requests (e.g.
first to Keycloak and then to the real IDP)?
Thanks,
Pieter
www.thehyve.nl
E pieter(a)thehyve.nl
We empower scientists by building on open source software
7 years, 1 month
kc_idp_hint parameter is being ignored
by Jeremy Michael
Hello all,
I’m trying to do something that looks like it should be very easy, but is
not working for me. Hopefully someone can help me figure out what I’m doing
wrong.
We have an application secured by Keycloak and have two Identity Providers
set up. Clicking the buttons on the standard Keycloak login screen works
fine for both Identity Providers. We can also set up either provider as a
default (in the browser Authentication flow) to bypass the login screen,
and that works fine. However, in some cases, we want to bypass the login
screen and use Identity Provider 1, and in others we want to bypass the
login screen and use Identity Provider 2.
It looks like we should be able to achieve what we want by using the
kc_idp_hint parameter. But, when I try to test it out, the
kc_idp_hint seems to be ignored.
I tried the following, where the URL is the address of my app secured by
Keycloak, and idp1alias is the alias of the Identity Provider I want to use:
https://www.myapp.com?kc_idp_hint=idp1alias
However, instead of bypassing the login screen and automatically beginning
the authentication process with Identity Provider 1, I am landing on the
standard Keycloak login screen.
As another test, I tried just going to the built-in
"/auth/realms/<realm>/account" with the "kc_idp_hint" parameter added and I
got the same behavior (i.e., I saw the Keycloak login screen):
https://mykeycloakurl.com/auth/realms/myrealm/account?kc_idp_hint=idp1alias.
I’m clearly missing something, or misunderstanding how this should work.
Can someone help get me pointed in the right direction?
Thanks!
Jeremy
7 years, 1 month
Session state iframe doesn't work reliably
by Виталий Ищенко
Hello
I'm trying to set up a seamless logout flow for an SPA, but I'm running into an issue in
the following scenario.
The user is logged in with a public client using the code grant, with the check-login
iframe enabled.
I see that KEYCLOAK_SESSION cookie is set during code exchange phase, and
later used in iframe to validate user session
Application refreshes token using refresh_token when access_token is close
to expiration
Now I log user out from application using Keycloak admin app
I do not expect that user should be logged-out immediately.
But what I do expect is to get an error response from the token endpoint when I
try to refresh the token the next time.
The response returned by the OP doesn't have CORS headers, so the application can't
access any information from the response that would allow distinguishing between a
network error and CORS-related errors.
Another option may be to clear the cookie in the response to the token endpoint call.
Any help will be appreciated
7 years, 1 month
Idp thumbnail?
by Byte Flinger
When adding a new identity provider to Keycloak, such as a SAML IDP, is it
possible to set it up so the button you click to log in with that provider has a
nice icon/thumbnail instead of text (or both)?
Regards
Byte
7 years, 1 month
wildfly-adapter install over wildfly 9
by philippe ventrillon
Hello every one,
I am new to Keycloak and I may have missed an obvious point but, as I
don't see any other search to perform, I am going to ask.
I am simply trying to make a Keycloak quickstart J2EE vanilla
equivalent for WildFly 9.
I have been able to make the Keycloak-provided quickstart work on top of
WF10.
But I don't manage with WF 9.
Following section 2.1.2 of "Securing Apps" I have:
- installed a brand new WildFly 9
- unzipped keycloak-wildfly-adapter-dist-3.4.0.Final.zip
into the WF9 install directory
- executed the offline CLI from the WF9\bin directory
C:\java\wildfly-9.0.2.Final-withKC\bin>.\jboss-cli.bat
--file=adapter-install-offline.cli
{"outcome" => "success"}
{"outcome" => "success"}
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed:
org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main",
"rolled-back" => true
}
Press any key to continue . . .
Is there something I am missing? Please point me to the piece of
information I am lacking.
Thanks in advance for help and advice.
--
Philippe Ventrillon / Software architect
Actility
---
7 years, 1 month