How to register new users without using admin API
by Eickhold Johannes (e)
Does Keycloak provide a public REST API to create new users besides the admin API (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource)?
I know about the Keycloak registration form that is part of the OpenID Connect flow, but I don't want to use the redirects required during the OpenID Connect flows.
We considered using OpenID Connect using the implicit flow and "Resource Owner Password Credential Grant" from within an Angular SPA but do not see a possibility to let users create their own accounts in this scenario. What would be the recommended way to let users register themselves here?
In the previously mentioned scenario, I know that it's possible to authenticate a user using the "authorization_endpoint", which can be retrieved from the following endpoint:
/auth/realms/<realm-name>/.well-known/openid-configuration
Is there an equivalent endpoint to register, i.e. to create, a new user?
Other question:
How does Keycloak prevent attackers from excessively creating user accounts using the OpenID Connect flows if captchas are not activated?
Thanks in advance,
Johannes.
7 years, 1 month
Setting up KC 3.1.0 in a HA cluster
by Gavin Howard
KC group,
I am currently in the process of deploying Keycloak (KC) at my firm in a highly available cluster and I have been following your documentation here:
http://www.keycloak.org/docs/3.1/server_installation/topics/clustering.html
My setup is that I am using HAproxy (HAP) to provide the reverse proxy and balancing component and two KC nodes behind it connecting to an Oracle database. Previously I had KC working correctly as a single standalone node.
I have followed your documentation to ensure the client IP address is forwarded correctly from HAP to my backend servers and confirmed this by following the steps mentioned under "Verify Connection" here:
http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/lo...
and also that the domain is correctly rendered in my equivalent of:
https://acme.com/auth/realms/master/.well-known/openid-configuration
Upon testing my cluster I get some quite strange behavior upon entering valid login credentials: either I get a message that my session has been restarted because I was taking too long to log in, or I get passed around a redirect loop. Either way the setup is not working as I expected.
The documentation goes on to describe multicast settings:
http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/mu...
but it is not quite clear if this is needed in my setup.
Is it a requirement of ALL of the possible clustering configurations that multicast is set up and working between the nodes?
Or is it possible to set up the KC nodes as their own instances, without knowledge of the other nodes, and have the load balancer stick the user session to an individual node whilst authentication takes place? If so, how can this be achieved?
Many thanks,
Gavin
7 years, 1 month
Using keycloak-spring-boot-starter throws NullPointerException when “keycloak.enabled = false” in spring boot application.properties
by Pharande Rahul
Hi,
While using “keycloak-spring-boot-starter v3.4.0.Final” with “spring-boot-starter-security V1.5.8.RELEASE”, I’m getting a NullPointerException as described below.
Please let me know if anyone has a suggestion on this, or whether this is really a defect in the Keycloak adapter.
Precondition –
- Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter, as shown below in class SecurityConfig in Example Section A.
- Keycloak disabled in Spring Boot’s application properties with “keycloak.enabled = false”.
Expected Result –
- When Keycloak is disabled, Spring Security should handle authentication or should not perform authentication.
Actual Result –
java.lang.NullPointerException: null
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final]
at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4.
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE]
What can be done here:
- Ideal Option: Keycloak adapter classes like “KeycloakWebSecurityConfigurerAdapter” should avoid registering their filters when the “keycloak.enabled” property is false.
- Temporary Option: we can handle this at the application config level by annotating the SecurityConfig class with
  @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true")
Example Section A:
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak authentication provider; SimpleAuthorityMapper
    // turns realm roles into Spring "ROLE_*" authorities.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider();
        keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keyCloakAuthProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
            .and()
            .authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }

    // Stateless API: no session is created for authenticated users.
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    // Read the adapter configuration from Spring Boot properties
    // instead of keycloak.json.
    @Bean
    public KeycloakConfigResolver KeyCloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}
Thanks and Regards.
Rahul Pharande
7 years, 1 month
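The “Temporary Option” from the post above, carried through as an added example (not code from the original post or from the Keycloak adapter): the Keycloak configuration is loaded only when keycloak.enabled is true, and a second, plain Spring Security configuration, assumed here, takes over when it is false so that the /test* route stays restricted instead of silently becoming open.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/** Loaded only when keycloak.enabled is true (or absent), so the adapter's
 *  filters are never registered against a deployment that was never built. */
@KeycloakConfiguration
@ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true", matchIfMissing = true)
class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }
}

/** Hypothetical fallback for keycloak.enabled=false: plain Spring Security
 *  (HTTP Basic, users supplied by the application) keeps the same route
 *  restriction, so disabling the adapter does not also disable authorization. */
@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "keycloak.enabled", havingValue = "false")
class LocalSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/test*").hasRole("ADMIN")
            .anyRequest().permitAll()
            .and()
            .httpBasic();
    }
}
```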
keycloak-spring-security-adapter : KeycloakAuthenticationProcessingFilter doesn’t skip user authentication if it's already authenticated
by Pharande Rahul
Hi,
While evaluating the Keycloak Spring Security adapter for one of my requirements (as below) I realized KeycloakAuthenticationProcessingFilter doesn’t skip
authentication if the user is already authenticated in other/previous filters.
Requirement I’ve –
- Service-to-service authentication.
- Support multiple authentication schemes as fallbacks
  - OAuth (using Keycloak)
  - Basic (application maintains username/password)
Problems I see –
- KeycloakAuthenticationProcessingFilter doesn’t have a mechanism to skip authentication if the user is already authenticated, like:
    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        Authentication existingAuth = SecurityContextHolder.getContext()
                .getAuthentication();
        if (existingAuth == null || !existingAuth.isAuthenticated()) {
            return true;
        }
        return false;
    }
Please suggest if there is any configuration in Keycloak to support this.
Thanks,
Rahul Pharande
7 years, 1 month
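One way to add the missing skip, as an added example that is not part of the original post or of the Keycloak adapter: a hypothetical subclass of KeycloakAuthenticationProcessingFilter that keeps the adapter's own request matching (via the super call) and additionally stands down when an earlier filter has already authenticated the request. It assumes the Basic authentication filter is ordered ahead of the Keycloak filter in the chain, and that the adapter's keycloakAuthenticationProcessingFilter() bean method can be overridden to return this subclass.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical filter: runs Keycloak (bearer/OAuth) authentication only when
 * the adapter's own RequestMatcher says the request calls for it AND nothing
 * earlier in the chain (e.g. HTTP Basic) has already authenticated it.
 *
 * Wiring (assumed): in the KeycloakWebSecurityConfigurerAdapter subclass,
 * override the keycloakAuthenticationProcessingFilter() bean method to return
 * new SkipIfAuthenticatedKeycloakFilter(authenticationManagerBean()) with the
 * usual setSessionAuthenticationStrategy(...) applied.
 */
public class SkipIfAuthenticatedKeycloakFilter extends KeycloakAuthenticationProcessingFilter {

    public SkipIfAuthenticatedKeycloakFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Keep the adapter's matching rules (Authorization header, SSO login
        // path, ...). Returning only the "already authenticated" test, as in
        // the snippet in the post, would make the filter challenge every request.
        if (!super.requiresAuthentication(request, response)) {
            return false;
        }
        return !isAlreadyAuthenticated();
    }

    /** True only for a real principal: Spring's anonymous token also reports
     *  isAuthenticated()==true but must not suppress the Keycloak check. */
    static boolean isAlreadyAuthenticated() {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        return existing != null
                && existing.isAuthenticated()
                && !(existing instanceof AnonymousAuthenticationToken);
    }
}
```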
Notify application about
by Kevin Hirschmann
Hello,
when having a user federation with an active directory server I would like to trigger some logic in my application if a periodic synch has completed.
I hoped I could use the Event Listener SPI to do so. I have taken the example "sysout" to check if there is an event fired but I could only see an event for manually starting a user synch.
What is the recommended approach here? Have I missed something?
Thx
Kevin Hirschmann
7 years, 1 month
nodejs keycloak connect
by Olivier Refalo
Hi everyone,
I am playing with KeyCloak in order to protect my nodeJS API.
Looking at the node connector, there are areas which I don't understand....
First and foremost, why does the connector create a SessionStore???
I mean it makes perfect sense when it's a web application, but for a stateless API (protected by a BearerToken), it sounds like overkill to think in terms of a "session".
Directly related, I see a BearerStore, which I don't know how to use.. Should I use it as the store to protect an API?
Last but not least, and this is a broader question, How would you protect a GraphQL Schema?
FYI, a typical GraphQL API only has one endpoint. Authorization would be defined in the data schema itself, using some @directives.
Thanks for the help,
Sincerely,
Olivier
7 years, 1 month
Impersonate user feature stop working after 3.2.0.Final
by Diego Diez
Hi Keycloak Community,
After successfully upgrading our servers from Keycloak 2.5.4.Final to 3.4.0.Final, we have noticed that the impersonation feature isn't working anymore.
We have tested other versions with a vanilla install and the first
version with this problem is 3.2.0.Final.
Are you experiencing this problem? Impersonation is a quite useful
feature to us, so any workaround until next release would be great.
Regards,
Diego Díez
7 years, 1 month
Re: [keycloak-user] IDP initiated login redirect loop
by Drew Weirshousky
Hi Marek,
Thanks, I was just looking at the commits and see some fixes for issues I have run into. Is there a timeline for a 3.4.1 release yet?
Drew
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Drew Weirshousky" <d.weirshousky(a)xsb.com>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, November 29, 2017 8:36:55 AM
Subject: Re: [keycloak-user] IDP initiated login redirect loop
I think it's going to be fixed in 3.4.1 release. You can try with latest
Keycloak master, I think it's already fixed there (not 100% sure).
Marek
On 27/11/17 15:53, Drew Weirshousky wrote:
> Hi,
>
> I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am currently working with 2.5.5.
>
> Thanks
> Drew
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 1 month
Migration to Keycloak from WSO2 IS
by Sinan Mustafov
Hi,
Has anyone migrated from WSO2 IS to Keycloak?
If yes, what actions did you take to migrate tenants, users, groups and authentication?
I'd like to know if anyone has done this or has some experience, and whether some major issues arose which introduced a lot of difficulties or even stopped them from migrating to Keycloak.
Any advice and feedback would be very appreciated.
Regards,
Sinan.
7 years, 1 month