Prevent federated users from setting a password
by Rens Verhage
Hi all,
We’re implementing Keycloak in an existing multi-tenant application and have to make a choice: 1 realm for all our tenants or each tenant its own realm?
From an administrator’s point of view, one single realm for all user accounts seems a good choice. However, there is one important requirement that until now, we haven’t been able to fulfil this way:
A tenant might choose to let their users log in through an external identity provider, ADFS will be fairly common. Users that will log in this way will be required to always do so and therefore are not allowed to set a password in Keycloak. Deleting a user will be as easy as removing the user from the Active Directory.
However, not all tenants will have their own identity provider. For these tenants, users must be able to log in with a username and password. They also get a forgot password link, so they can reset their password once forgotten. Now that raises a problem. Users that log in through their identity provider can use this link to set a password and thus bypass their identity provider. Should such a user be removed from the AD, he or she can still log in using this password.
Can we somehow prevent federated identities from ever setting a password? Or is this not possible and are we forced to set up multiple realms?
Rens
7 years
Custom domain extension for user creation
by Mark Hammond
Hi,
I am working on a custom extension to Keycloak using the domain-extension
example as a reference. As part of this extension we need to add to the
create user functionality. We are adding two new tables which are linked to
a UserEntity. We require our custom data to be added in the same
transaction as creating a new user. Do you have a recommended way of
achieving this?
Regards,
Mark
7 years
Get a list of resources per user/role
by Marco Salazar
Hi everyone!
Does anybody know if there is a way in Keycloak to get a list of resources
per user/role for auditing purposes?
Best Regards,
*Marco*
7 years
Multitenancy for SAML applications
by Pankaj Mahajan
Hi Team,
I am trying to verify multitenant Keycloak support in a SAML application. I have gone through the example provided for the OIDC application and it worked perfectly fine.
Based on the SAML documentation available in Keycloak, below is my understanding:
1) Need to provide an implementation for SamlConfigResolver's resolve() method in the SAML application.
2) Mention the above implementation in web.xml.
For this verification I am trying to customize the post-with-signature example.
I have added the keycloak-saml-adapter-core and keycloak-adapter-spi dependencies in pom.xml.
I just wrote a SOP statement in the resolve method.
When I run it, I get java.lang.NullPointerException.
Please share your thoughts on the following points:
1) Is my above understanding correct? In case I am missing something, please let me know.
2) Is there any other approach with which we can achieve this behavior?
Below is the stack trace for reference:
Stack Trace
java.lang.NullPointerException
org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:102)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
Thanks & Regards,
Pankaj Mahajan
7 years
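As an added example (not code from Pankaj's post or from the Keycloak project), here is one way the two steps above fit together: a SamlConfigResolver that selects a per-tenant keycloak-saml.xml by the first path segment of the request, caches the parsed SamlDeployment, and either returns a deployment or fails loudly. The class name PathBasedSamlConfigResolver, the com.example package and the tenant-<name>-keycloak-saml.xml resource naming are assumptions; the keycloak.config.resolver context-param is the one the OIDC multitenancy example registers in web.xml and is assumed to be read by the SAML adapter as well.

```java
package com.example; // hypothetical package

import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.keycloak.adapters.saml.SamlConfigResolver;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.saml.common.exceptions.ParsingException;

/**
 * Added example, not from the Keycloak project: resolves the SAML adapter
 * configuration per tenant. The tenant is the first path segment of the
 * request (/{tenant}/...), mirroring the OIDC multitenancy example.
 *
 * Registered in web.xml (assumed to be the same context-param the OIDC
 * KeycloakConfigResolver uses):
 *
 *   <context-param>
 *     <param-name>keycloak.config.resolver</param-name>
 *     <param-value>com.example.PathBasedSamlConfigResolver</param-value>
 *   </context-param>
 */
public class PathBasedSamlConfigResolver implements SamlConfigResolver {

    // Only tenant names matching this pattern are accepted; anything else is
    // rejected before it can be turned into a classpath resource name.
    private static final Pattern TENANT_NAME = Pattern.compile("[a-z0-9][a-z0-9-]{0,31}");

    // Parsed deployments are cached so each tenant's XML is read once.
    private final Map<String, SamlDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public SamlDeployment resolve(HttpFacade.Request request) {
        String tenant = tenantFromPath(request.getRelativePath());
        // computeIfAbsent never stores null: the adapter always receives a
        // deployment or an exception, never a null it would dereference.
        return deployments.computeIfAbsent(tenant, this::load);
    }

    /** Extracts and validates the tenant from a relative path such as "/acme/app". */
    static String tenantFromPath(String relativePath) {
        if (relativePath == null) {
            throw new IllegalStateException("Request has no relative path");
        }
        String path = relativePath.startsWith("/") ? relativePath.substring(1) : relativePath;
        int slash = path.indexOf('/');
        String tenant = slash < 0 ? path : path.substring(0, slash);
        if (!TENANT_NAME.matcher(tenant).matches()) {
            throw new IllegalStateException("Unknown tenant in path: " + relativePath);
        }
        return tenant;
    }

    /** Loads /tenant-{tenant}-keycloak-saml.xml from the classpath (hypothetical naming). */
    private SamlDeployment load(String tenant) {
        String resource = "/tenant-" + tenant + "-keycloak-saml.xml";
        InputStream xml = getClass().getResourceAsStream(resource);
        if (xml == null) {
            throw new IllegalStateException("No SAML adapter config at " + resource);
        }
        // The ResourceLoader lets the parser resolve key stores referenced
        // from the XML against the classpath as well.
        ResourceLoader loader = path -> getClass().getResourceAsStream(path);
        try {
            return new DeploymentBuilder().build(xml, loader);
        } catch (ParsingException e) {
            throw new IllegalStateException("Cannot parse " + resource, e);
        }
    }
}
```

The tenant name is whitelisted before it is spliced into a resource path, so a crafted first path segment cannot select an arbitrary file, and a request for a tenant without a configuration fails with an explicit error instead of handing the adapter a null deployment.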
keycloak CORS Headers in 401 Response
by Joao Costa
I have two Keycloak clients:
Angular 4: with Access Type credentials authentication
A JAX-RS application (which will be the resource server): with bearer-only authentication! In this client we activate CORS, as shown by the following JSON.
{
  "realm": "demo-realm",
  "bearer-only": true,
  "auth-server-url": "http://demo-keycloack-server:8080/auth",
  "ssl-required": "external",
  "resource": "demo-server",
  "enable-cors": true
}
The problem is that when a request to the JAX-RS application gets a 401 Unauthorized response, that response does not bring the required CORS headers to the JavaScript client!
How can we add the respective CORS headers when the HTTP status is 401?
7 years
Fake and trash email addresses
by a.stanik@avm.de
Dear keycloak community,
there are several fake and trash email providers which allow you to send
and receive emails with a fake account (a list can be found here:
https://www.mogelmail.de/). Some of these websites provide inbox access
without any protection, which is a point of attack for hackers (e.g.
https://www.byom.de/nachrichten/privatdetekteien?m=bla or
https://www.trash-mail.com/posteingang/).
We would like to protect our customers from using such fake accounts for
transaction email in Keycloak. Therefore, we propose this as a feature of
Keycloak that could be managed in the email tab of realm settings (admin
console).
If this feature would be interesting, we could implement this
functionality and create a pull request?
Best regards
Alex
Dr. Alexander Stanik
AVM GmbH
IT - Backend Services
Phone +49 30 39976-7510
Mobile +49 152 5259-7510
a.stanik(a)avm.de
avm.de
AVM Audiovisuelles Marketing und Computersysteme GmbH, Alt-Moabit 95,
10559 Berlin, Germany
HRB 23075 AG Charlottenburg, CEO (Geschäftsführer): Johannes Nill
7 years
Multitenancy for SAML application
by Pankaj Mahajan
Hi Team,
I have a task of achieving multitenancy in a SAML application. I have gone through the example provided for the OIDC application.
I am not getting any idea of how to achieve this.
As per my understanding I need to provide an implementation for SamlConfigResolver's resolve() method
and follow the implementation provided in the OIDC application.
Is this the right approach?
Thanks & Regards,
Pankaj
7 years
LinkedIn identity provider fail
by Tim Dudgeon
I'm trying to use the LinkedIn social identity provider with Keycloak 2.5.5.
I set it up according to the docs and I get the LinkedIn authentication
prompt, but after accepting this I get an error: Unexpected error when
authenticating with identity provider.
The Keycloak logs show this:
16:26:26,257 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-60) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
Keycloak is using self-signed certificates at present, but I'm not sure if
that is relevant.
Any ideas what's wrong?
7 years
Get Users by Permission
by Андрій Мартинюк
Hi,
How to get all users with certain permission?
Best Regards,
Andriy
7 years