Error in resource
by Corentin Dupont
Hi,
after creating a resource through the API, the "resources" panel on the UI
will not open anymore:
*Error!* An unexpected server error has occurred
In the Keycloak traces there is:
keycloak_1 | 16:15:00,037 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/admin/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-server/resource: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: Could not find the user [guest] who owns the Resource [062e4b4f-d931-42c1-8c88-117766797ecd].
The user guest exists...
I created the resource with something similar to:
curl -X POST "http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" \
  -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "name": "My house",
  "uri": "/houses/123",
  "scopes": ["view"],
  "owner": "guest"
}'
Thanks
Corentin
7 years, 1 month
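The following script, added here as an illustration and not taken from the post above, shows one way to register a resource through the Protection API while resolving the owner through the admin REST API first. It assumes that the "owner" field is stored as given and later resolved by the admin console as a user id, so it looks the username up and sends the id; the base URL, realm name and environment variable names are assumptions for the example.

```python
import json
import urllib.parse
import urllib.request

# Assumed values for the example; adjust to the target server.
BASE_URL = "http://localhost:8080/auth"
REALM = "myrealm"


def admin_token(username, password, base_url=BASE_URL):
    """Obtain an admin access token from the master realm via the admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def pick_user_id(users, username):
    """Return the id of the user whose username matches exactly, or None.

    GET /admin/realms/{realm}/users?username=... is a search, so asking for
    'guest' may also return 'guest2'; only an exact match is accepted.
    """
    for user in users:
        if user.get("username") == username:
            return user["id"]
    return None


def find_user_id(token, username, realm=REALM, base_url=BASE_URL):
    """Look the user up through the admin REST API and return its id."""
    query = urllib.parse.urlencode({"username": username})
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users?{query}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return pick_user_id(json.load(resp), username)


def resource_payload(name, uri, scopes, owner_id):
    """Body for the Protection API; the owner carries the user id, not the username."""
    return {"name": name, "uri": uri, "scopes": list(scopes), "owner": owner_id}


def create_resource(pat, payload, realm=REALM, base_url=BASE_URL):
    """POST the resource using the protection API token (PAT) of the resource server."""
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/authz/protection/resource_set",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {pat}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    token = admin_token(os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    owner_id = find_user_id(token, "guest")
    if owner_id is None:
        raise SystemExit(f"no user named 'guest' in realm {REALM}")
    created = create_resource(os.environ["PAT"],
                              resource_payload("My house", "/houses/123", ["view"], owner_id))
    print(json.dumps(created, indent=2))
```

The exact-match check in pick_user_id matters because the users endpoint searches by substring; registering a resource against the wrong account would silently hand it to another user.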
Corrupted policies
by Corentin Dupont
Hi guys,
I encountered this bug:
https://issues.jboss.org/browse/KEYCLOAK-4340
Basically after exporting, my policies are inaccessible.
My Keycloak version is 3.1.0.Final.
Is there a workaround?
Can I delete the policies via API?
Should I edit the database?
I connected to the H2 database but there are no tables.
What is the login/password when logging in to H2?
Cheers
7 years, 1 month
[org.keycloak.keys.FailsafeAesKeyProvider] errors.
by Maurice Mahieu
Hello,
Since I upgraded my cluster consisting of 2 instances from 3.2.0 to
3.4.0 I get the following messages in the log.
2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider]
(default task-6) No active keys found, using failsafe provider, please
login to admin console to add keys. Clustering is not supported.
2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider]
(default task-59) No active keys found, using failsafe provider, please
login to admin console to add keys. Clustering is not supported.
2017-11-23 13:31:27,239 ERROR [org.keycloak.keys.FailsafeAesKeyProvider]
(default task-10) No active keys found, using failsafe provider, please
login to admin console to add keys. Clustering is not supported.
etc.
On the admin console of both servers there are 2 active keys. One RSA and
one HMAC, and the servers seem to be in sync if I compare the user
sessions on both servers.
Does anybody know how I can resolve this / get rid of the messages?
Regards,
--
Met vriendelijke groet,
Maurice Mahieu
system engineer
maurice(a)info.nl <mailto:maurice@info.nl> | LinkedIn
<http://www.linkedin.com/in/maurice-mahieu-224a1821> | +31 (0)20 530
9111 <tel:+31205309111>
info.nl <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
<tel:+31205309100>
7 years, 1 month
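The log line above comes from the AES key provider, and the console shows only RSA and HMAC keys. The script below is an added example (not from the post or from Keycloak itself) that checks a realm's keys metadata for key types without an active key and builds the component representation for an "aes-generated" key provider. The base URL, realm, environment variable and the field names in the keys response ("keys", "type", "status") and in the provider config ("priority", "secretSize", "enabled", "active") are assumptions for the example; the sample response is constructed.

```python
import json
import urllib.request

BASE_URL = "http://localhost:8080/auth"   # assumed
REALM = "myrealm"                          # assumed
REQUIRED_TYPES = ("RSA", "HMAC", "AES")    # key types a realm should have active


def inactive_key_types(keys_metadata, required=REQUIRED_TYPES):
    """Return the key types in `required` that have no key with status ACTIVE.

    `keys_metadata` is the JSON of GET /admin/realms/{realm}/keys (field names assumed).
    """
    active = {key.get("type") for key in keys_metadata.get("keys", [])
              if key.get("status") == "ACTIVE"}
    return [kind for kind in required if kind not in active]


def fetch_keys(token, realm=REALM, base_url=BASE_URL):
    """Fetch the realm's keys metadata with an admin bearer token."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/keys",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def aes_provider_component(priority=100, secret_size=16):
    """Component representation for an 'aes-generated' key provider.

    The generated secret is stored with the realm, so every node of a cluster
    reads the same key instead of each node falling back to the failsafe provider.
    Config keys are assumed from the provider's admin console form.
    """
    return {
        "name": "aes-generated",
        "providerId": "aes-generated",
        "providerType": "org.keycloak.keys.KeyProvider",
        "config": {
            "priority": [str(priority)],
            "secretSize": [str(secret_size)],
            "enabled": ["true"],
            "active": ["true"],
        },
    }


def add_component(token, component, realm=REALM, base_url=BASE_URL):
    """POST the component to the realm; returns the HTTP status (201 on success)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample: RSA and HMAC active, no AES key at all, like the realm in the post.
SAMPLE_KEYS = {
    "active": {"RS256": "kid-rsa", "HS256": "kid-hmac"},
    "keys": [
        {"providerId": "rsa-generated", "type": "RSA", "algorithm": "RS256",
         "status": "ACTIVE", "kid": "kid-rsa"},
        {"providerId": "hmac-generated", "type": "HMAC", "algorithm": "HS256",
         "status": "ACTIVE", "kid": "kid-hmac"},
    ],
}

if __name__ == "__main__":
    import os
    token = os.environ.get("KC_ADMIN_TOKEN")          # assumed env var
    metadata = fetch_keys(token) if token else SAMPLE_KEYS
    missing = inactive_key_types(metadata)
    print("key types without an active key:", missing or "none")
    if "AES" in missing and token:
        print("creating aes-generated provider, status:",
              add_component(token, aes_provider_component()))
```

Run without KC_ADMIN_TOKEN it evaluates the constructed sample and reports AES as missing; with a token it queries the realm and, if AES is missing, adds the provider. The failsafe provider generates a key per node, which is why the message says clustering is not supported.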
spring-social-keycloak
by ali akbar
Hi
I have more than 20 applications that run in a private cloud with the Spring
Security framework. After some research I decided to create an IAM (SSO) for these
applications.
After searching on Google, I found the Keycloak project, which is one of the best projects
for doing that.
All my apps in the organization have their own user management and do not want to
change that. My idea is to run Keycloak in our organization and have each
user in the organization have an account in Keycloak, but both users have the same
email. When a user wants to log in to an app, they can log in with the app user or the
Keycloak user. In this way Keycloak is like Google for GitHub or Facebook,
where each user can log in with a GitHub user or a Google account.
After reading the Keycloak documentation I do not see a library that does this for
combining local authentication and Keycloak authentication. I want, when
Keycloak authentication succeeds, to call setAuthentication with the app
authentication. After some Googling I found the Spring Social project and I
decided to create spring-social-keycloak, but I do not see good
documentation for the request/response, or any sample curl so that I know how
I can use it in my project:
https://github.com/azizkhani/spring-social-keycloak
Is my idea correct?
Is there any sample that shows curl for the authorization code flow and getting user info?
Is Keycloak active on gitter.im for online questions?
7 years, 1 month
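The authorization code flow against Keycloak's OpenID Connect endpoints, followed by a userinfo call, as an added example that is not part of the post or of the spring-social-keycloak project. The endpoint paths under /realms/{realm}/protocol/openid-connect/ are Keycloak's; the base URL, realm, client id, client secret and redirect URI are assumptions. The state parameter is generated per login attempt and checked on the callback so that a code planted by a third party is refused.

```python
import hmac
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080/auth"            # assumed Keycloak base URL
REALM = "myrealm"                                   # assumed realm
CLIENT_ID = "myapp"                                 # assumed confidential client
CLIENT_SECRET = "change-me"                         # assumed client secret
REDIRECT_URI = "http://localhost:8000/callback"     # assumed registered redirect URI


def oidc_endpoint(name, realm=REALM, base_url=BASE_URL):
    """All of Keycloak's OpenID Connect endpoints live under this path."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/{name}"


def authorization_url(state, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                      scope="openid"):
    """Step 1: URL the browser is sent to; `state` ties the callback to this attempt."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return oidc_endpoint("auth") + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect, refusing a mismatched state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                  redirect_uri=REDIRECT_URI):
    """Step 3: form body for the code-for-token exchange (same redirect_uri as step 1)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def exchange_code(code):
    """POST to the token endpoint; returns access_token, refresh_token, id_token, ..."""
    data = urllib.parse.urlencode(token_request(code)).encode()
    req = urllib.request.Request(oidc_endpoint("token"), data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def userinfo(access_token):
    """Step 4: GET the userinfo endpoint with the access token as bearer token."""
    req = urllib.request.Request(
        oidc_endpoint("userinfo"),
        headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)          # sub, preferred_username, email, ...


if __name__ == "__main__":
    import secrets
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", authorization_url(state))
    code = parse_callback(input("Paste the full redirect URL here: "), state)
    tokens = exchange_code(code)
    print(json.dumps(userinfo(tokens["access_token"]), indent=2))
```

The "sub" claim returned by userinfo is the stable identifier to store next to the local account when linking a Keycloak identity to an app user; the email the post proposes as the link can change, so it is better treated as a hint than as the key.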
Using Rest Services managed by another Realm and account linking issue
by Gael THIABAUD
Dear Keycloak team,
Please find below:
• Use case description
• GOALS
• What I tried
• Question and Proposals
Is the approach described the right one?
Does another one exist?
What is your preferred proposal?
Do you have another?
Use case description:
All applications and rest services secured by OpenID (Keycloak)
User (Realm A) → Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A)→ Rest Service 1 (Realm B)
→ Rest Service 2 (Realm C)
GOALS:
The solution must make it possible to identify the user himself in each component.
The User in Realm B must be linked to the User in Realm A.
What I tried:
By using the "Internal Token to External Token Exchange" feature of Keycloak it works if the user exists in all the realms and if the account(s) are linked between them.
And it works, thank you for the job!
The current issue is that I want application back end 1 to create the account(s) in the required realms when it tries to use the Rest Service in the other realm.
I am trying to implement the following use case:
User (Realm A) → Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A) -- Request account creation and linking → Keycloak Realm B
-- Internal Token to External Token Exchange → Keycloak Realm B
→ Rest Service 1 (Realm B)
-- Request account creation and linking → Keycloak Realm C
-- Internal Token to External Token Exchange → Keycloak Realm C
→ Rest Service 2 (Realm C)
I took a look at chapter 5.2, Client Initiated Account Linking, but it implies that it must be the user's browser that triggers the HTTP request.
I took a look at IdentityBrokerService.clientInitiatedAccountLinking and it seems that all the security mechanisms used are related to the cookie and the Keycloak user session.
The approach that I am trying cannot work with the current implementation of clientInitiatedAccountLinking.
Question and Proposals:
Is the call flow that I am trying the right approach for achieving the goals?
If yes, and assuming that:
1) the account creation and auto-linking must be included in the Keycloak solution as standard for managing the use case described (think about micro services)
2) the OIDC Tokens are enough for securing the creation of a new account in other realms, if a trusted relation exists between the realms of course!
Proposal 1:
clientInitiatedAccountLinking offers 2 modes of securing, the current one based on the cookie and a new one based on the Bearer token.
Proposal 2:
A completely new HTTP request using the bearer token can be used for the account creation and linking.
Proposal 3:
Keycloak exposes a new Rest method that permits creating and linking an account by using the Bearer token only.
Proposal 4:
Keycloak exposes a new Rest method that permits creating an account in a realm by using the Bearer token only.
Keycloak exposes a new Rest method that permits linking two accounts in a realm by using the Bearer token only.
Comment:
To be able to create an account in another realm without conflicting with an existing account, we can propose using the UUID of the account from the realm used for the original authentication.
From my point of view it could be a decision that must be made during the design of the security policy of the IT system. For example, the administrator can decide to use the email as a common ID between the realms, or the UUID, or any value that he can apply to the preferred_username, as currently implemented for the account linking feature.
7 years, 1 month
How to escape dot symbol in Token Claim Name
by Alexander Ionov
Greetings,
When specifying the Token Claim Name in a mapper, a user can write the claim name in
dot notation in order to create nested JSON objects.
The problem is that I need to do completely the opposite. I need a Token Claim
Name that looks like "http://domain.name/claims/customer_number".
Keycloak sees the dot in the name and creates the following claim:
{
"http://domain": {
"name/claims/customer_number": "value"
}
}
Is there any way to escape this dot in the claim name?
I've tried the backslash character but it didn't work.
And I didn't find the information about this anywhere.
Thanks,
Alexander
7 years, 1 month
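The nesting the post shows and a consumer-side way to live with it, as an added example that is not from the post or from Keycloak's own code. nest_claim emulates a mapper that treats every dot in the Token Claim Name as one level of nesting; flatten_claims, run by the application that receives the token, rebuilds the dotted names so the URL-style claim can be looked up under the name it was meant to have. The sample payload is constructed.

```python
import json


def nest_claim(claims, claim_name, value):
    """Emulate a mapper with a dotted Token Claim Name: each '.' opens one nested object.

    Mutates and returns `claims`, the dict that will become the token payload.
    """
    parts = claim_name.split(".")
    node = claims
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return claims


def flatten_claims(claims, prefix=""):
    """Inverse of the nesting: join nested keys with '.' back into one name.

    Only unambiguous when no single key already contains a dot; a consumer that
    relies on this should treat the dotted names as a convention, not as proof
    of how the token was built.
    """
    flat = {}
    for key, value in claims.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten_claims(value, name))
        else:
            flat[name] = value
    return flat


def lookup_claim(token_payload, claim_name):
    """Find a claim by its intended (dotted) name in a payload built by nest_claim."""
    return flatten_claims(token_payload).get(claim_name)


if __name__ == "__main__":
    payload = {"sub": "1234"}                       # constructed token payload
    nest_claim(payload, "http://domain.name/claims/customer_number", "value")
    nest_claim(payload, "address.city", "Paris")    # the intended use of dot notation
    print(json.dumps(payload, indent=2))
    print(lookup_claim(payload, "http://domain.name/claims/customer_number"))
```

The first nest_claim call reproduces exactly the structure in the post ("http://domain" wrapping "name/claims/customer_number"); the consumer recovers the value by name after flattening.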
Authorization: proof of ownership
by Corentin Dupont
In my use case, the user can "claim" resources. But to do that, he needs to
prove that he is the rightful owner.
In practice, the user possesses objects called "sensor nodes". Those are just
little boxes with a tag on them.
The tag has a number that the user can transmit to prove that he physically
owns the object.
So my idea was to provide an endpoint able to change the owner of the
resource, based on the tag number.
Using our example, the endpoint to claim a resource could look like:
curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
  "owner": "smith",
  "proof": "XXXXXXX"
}'
A policy would check that the proof is valid, by matching it against a
database.
If accepted, then the resource owner should be changed.
Do you think this is a good protocol?
How to write the policy to authorize the owner change at Keycloak level?
I don't see how to transmit the proof number when performing the
authorization request (with the entitlement API).
7 years, 1 month
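The resource-server side of the claim endpoint, as an added example that is not from the post: the proof is checked against a store of hashed tag numbers with a constant-time comparison, repeated failures per requester are counted so tag numbers cannot be guessed at speed, and a node that has already been claimed is not handed over again. The SensorNode store, the status strings and the failure limit are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


def hash_proof(proof):
    """Only a digest of the tag number is stored, so a dump of the table yields no usable proofs."""
    return hashlib.sha256(proof.strip().encode()).hexdigest()


@dataclass
class SensorNode:
    resource_id: str        # id of the resource on the resource server, e.g. "MyHouse"
    owner: str              # current owner; "unclaimed" until someone proves possession
    proof_hash: str         # hash_proof() of the number printed on the tag
    claimed: bool = False


class ClaimService:
    """Handles PUT /houses/{id}/owner: changes the owner only against a valid proof."""

    MAX_FAILURES = 5        # constructed limit; after this the requester is locked out

    def __init__(self, nodes):
        self.nodes = {node.resource_id: node for node in nodes}
        self.failures = {}  # requester -> number of rejected proofs

    def claim(self, resource_id, requester, proof):
        if self.failures.get(requester, 0) >= self.MAX_FAILURES:
            return "locked"
        node = self.nodes.get(resource_id)
        # Compare against a dummy digest when the resource is unknown, so the
        # answer does not reveal which resource ids exist.
        expected = node.proof_hash if node else hash_proof("")
        if node is None or not hmac.compare_digest(expected, hash_proof(proof)):
            self.failures[requester] = self.failures.get(requester, 0) + 1
            return "rejected"
        if node.claimed:
            return "already_claimed"
        node.owner = requester
        node.claimed = True
        return "claimed"


# Constructed store: two nodes, tag numbers known only through their digests.
NODES = [
    SensorNode("MyHouse", "unclaimed", hash_proof("1234567")),
    SensorNode("Barn", "unclaimed", hash_proof("7654321")),
]

if __name__ == "__main__":
    service = ClaimService(NODES)
    print(service.claim("MyHouse", "smith", "0000000"))   # rejected
    print(service.claim("MyHouse", "smith", "1234567"))   # claimed
    print(service.claim("MyHouse", "jones", "1234567"))   # already_claimed
    print(service.nodes["MyHouse"].owner)                 # smith
```

Once claim() returns "claimed", the resource server updates the owner of the resource in its own registry (for Keycloak, through the Protection API's resource_set endpoint, which the post already uses for creation); the proof itself never has to travel inside the authorization request. Transferring an already claimed node should go through an explicit action by the current owner rather than a second claim.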
client certificate authentication using HAProxy and Keycloak
by Wei Li
Hi,
We are using HAProxy as the reverse proxy for the Keycloak server, and we
are terminating the SSL connection at HAProxy.
Now we want to enable client certificate authentication. Because the SSL is
terminated at HAProxy, we can't use the existing CCA feature provided by
Keycloak. But we can get the client cert info in HAProxy and pass them onto
Keycloak in headers. So is there a way to allow Keycloak to get the user
info from the headers and perform authentication?
Thanks for your help in advance!
--
WEI LI
SENIOR SOFTWARE ENGINEER
Red Hat Mobile <https://www.redhat.com/>
weil(a)redhat.com M: +353862393272
<https://red.ht/sig>
7 years, 1 month
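Whatever consumes certificate data forwarded in headers has to decide when those headers can be believed; the function below is an added example of that check and is not from the post or from Keycloak. It accepts the forwarded CN only when the request arrived from a trusted proxy address and the proxy reported a successful chain verification. The header names are a convention between proxy and backend and are assumptions here; on the HAProxy side they would be filled from the ssl_c_verify fetch (0 means the chain verified) and ssl_c_s_dn(cn), and the proxy must set them unconditionally so a value sent by the client itself is overwritten. The trusted network and the sample requests are constructed.

```python
import ipaddress

# Assumed header names; set by the proxy, never trusted from anywhere else.
VERIFY_HEADER = "X-SSL-Client-Verify"   # from HAProxy's ssl_c_verify: "0" = chain OK
CN_HEADER = "X-SSL-Client-CN"           # from HAProxy's ssl_c_s_dn(cn)

# Constructed: the address range the HAProxy instances connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def identity_from_headers(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Return the client certificate CN, or None when the headers cannot be trusted.

    1. The TCP peer must be a trusted proxy; a direct client could forge the headers.
    2. The proxy must report verification status 0 (chain validated against its CA file).
    3. A CN must actually be present.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not any(addr in net for net in trusted_proxies):
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get(VERIFY_HEADER.lower(), "").strip() != "0":
        return None
    cn = lowered.get(CN_HEADER.lower(), "").strip()
    return cn or None


# Constructed sample requests as (headers, remote address) pairs.
SAMPLE_REQUESTS = [
    ({"X-SSL-Client-Verify": "0", "X-SSL-Client-CN": "alice"}, "10.1.2.3"),     # ok
    ({"X-SSL-Client-Verify": "0", "X-SSL-Client-CN": "alice"}, "192.0.2.1"),    # not the proxy
    ({"X-SSL-Client-Verify": "18", "X-SSL-Client-CN": "alice"}, "10.1.2.3"),    # self-signed, rejected
    ({"X-SSL-Client-Verify": "0"}, "10.1.2.3"),                                 # no CN
]

if __name__ == "__main__":
    for headers, addr in SAMPLE_REQUESTS:
        print(addr, headers, "->", identity_from_headers(headers, addr))
```

The lookup is case-insensitive because header names arrive in whatever case the proxy emits; the verify value is compared as a string on purpose, since anything other than an exact "0" is a failure reason and must not authenticate.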
BeerCloak update
by Dmitry Telegin
Hi everyone,
BeerCloak[1] has just got a substantial update. Highlights are:
- EAR packaging. This is probably the most important item, as I
remember people here asking many times how to package providers into an
EAR together with external dependencies, so finally here is a complete
working example;
- more reliable initial data population;
- update to Keycloak 3.4.0.Final;
- minor fixes & refactoring;
- doc updates, especially on the installation procedure.
It still lacks tests, so I'd much appreciate it if someone more
experienced would recommend to me what exactly to test and how, or
probably even help me with writing tests.
BeerCloak is a comprehensive Keycloak extension example, which
comprises different techniques, sometimes undocumented, to build a
complete real-life Keycloak extension. From the technical point of
view, it includes a custom JPA entity, custom admin REST resource,
admin GUI extensions and everything else needed to glue that together.
I'd be happy to see it as a semi-official blueprint, or a starting
point for those interested in extending Keycloak.
Cheers,
Dmitry
[1] https://github.com/dteleguin/beercloak
7 years, 1 month
extend theme with some extra text
by mj
Hi,
We are trying to display some extra static text to the two pages where a
password can be changed:
- the login theme (sunrise)
- the account theme (address)
We're trying to add text, to inform the users of *all* configured
password requirements at once. Something like:
> Kindly be advised to use:
> - min. 8 characters
> - min. one lower case
> - min. one upper case
> - min. one special character
In the current situation during a password change, the user initially is
not informed about the minimum requirements, and 'learns' a new
requirement on each password rejection.
We know that this should be possible by editing the (in our case) themes
"sunrise" and "address". But could someone point out where and how we
can add some new extra text to these pages?
MJ
7 years, 1 month