JS adapter constantly refreshing page
by sesnor.silva@sapo.pt
Hello,
I'm trying to integrate keycloak's JS adapter into an application.
However for some reason the page keeps refreshing (every 5 seconds or
so?) after successfully logging in.
I managed to reproduce the problem with the following minimal code:
<!-- index.html FILE -->
<!DOCTYPE html>
<html>
<head>
  <title></title>
</head>
<body>
  <script type="text/javascript"
    src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script>
  <!-- keycloak.js is served by the Keycloak server itself -->
  <script type="text/javascript" src="<MY KEYCLOAK SERVER>/auth/js/keycloak.js"></script>
  <script type="text/javascript">
    angular.element(document).ready(function() {
      // keycloak.json holds the realm, client id and server URL of this client
      var keycloakAuth = Keycloak('keycloak.json');
      keycloakAuth.init({
        onLoad: 'login-required'
      }).success(function(authenticated) {
        keycloakAuth.loadUserInfo().success(function (userInfo) {
          console.log(userInfo);
        });
      }).error(function() {
        var error = "There was an error initializing the authentication module.";
        console.error(error);
      });
    });
  </script>
</body>
</html>
I tried searching around but I didn't find too many answers. I tried
to base my implementation around:
https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl...
and
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
But I get the same behavior every time: The page just keeps refreshing.
It seems to be related to blocking third-party cookies on the
browser. I use Firefox 53. Since my Keycloak isn't on the same host
as the application, I think the browser rejects the keycloak's
cookies. If this is the case, what could be a workaround for this? Is
there any option on the adapter's side? I'm worried some browser might
block third-party cookies by default (Opera and Brave Browser come to
mind).
Thank you,
My best regards,
Silva
7 years
Update user account with API
by Loïc Lambrichts
Hi
I want to authorize a user to update his Keycloak data from my application through the Keycloak API.
By default my user can't use the API to update his information.
If I set the manage-users role to my user he is able to update his information but also the account information of other users.
How can my user be able to update only his own account?
Best regards
Loïc
7 years
GDPR requirements for Keycloak
by Tomás García
Hi,
I wonder if you're considering the GDPR requirements which will be active
in May 2018.
For example here's a list:
https://techblog.bozho.net/gdpr-practical-guide-developers/
There's stuff like specific consent for stuff (currently Keycloak has an
all-or-nothing consent screen; it should be per item and these need to be
configured) or allowing users to edit their profile (the account screen
can't be used from a website because there's no redirect to the website
after the user finishes as far as I know - or - at least, having a full API
to let users change their profile from a website without requiring Keycloak
admin rights, just using the bearer token of the user), and a myriad of
needs from this law.
Thanks!
7 years
Facebook - invalid_grant and "Code not valid"
by Anton
Hello
We are using KC with Facebook.
This is working fine when we integrate this into our mobile app.
However, on our website (drupal, using
https://www.drupal.org/project/openid_connect) we get the following error
(in drupal):
Could not retrieve tokens. Details: Client error: `POST
https://<url-to-keycloak>/auth/realms/myrealm/protocol/openid-connect/token`
resulted in a `400 Bad Request` response:
{"error":"invalid_grant","error_description":"Code not valid"}
Does anyone know what might be causing this?
Thanks
7 years
How to display user information from keycloak SAML adapter assertions/session?
by ken edward
Hello,
I have configured a Tomcat Keycloak SAML adapter with ADFS as my IdP.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged-in user information after
the user is authenticated?
org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession@13a50bc9
Ken
7 years
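An added example (not from the post or from the Keycloak project) of reading the authenticated user inside the protected /saml path. It assumes the Tomcat SAML adapter has populated request.getUserPrincipal() with a SamlPrincipal, and that the attribute names (e.g. "email") match whatever claim rules the IdP uses; the SamlSession object printed above carries the same principal via getPrincipal().

```java
// Added example, not Keycloak's own code. Assumes the Keycloak Tomcat SAML adapter protects
// the /saml path and sets a SamlPrincipal as the request's user principal.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.saml.SamlPrincipal;

@WebServlet("/saml/whoami")
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal p = req.getUserPrincipal();
        if (!(p instanceof SamlPrincipal)) {
            // Path not protected by the adapter or session expired: never guess an identity.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        SamlPrincipal principal = (SamlPrincipal) p;

        // text/plain so attribute values released by the IdP are never interpreted as HTML;
        // escape them if you render this into a page instead.
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Subject (NameID): " + principal.getName());

        // Every attribute present in the assertion, e.g. email, givenname, groups.
        // Names depend on the IdP's claim rules (assumption: ADFS releases at least "email").
        for (String name : principal.getAttributeNames()) {
            out.println(name + " = " + principal.getAttributes(name));
        }
    }
}
```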
Sync users or direct login failed even after successful connection with OpenLDAP
by Lahari
Hello,
We have been facing this issue for a long time, but we are unable to figure out if
this is with Keycloak or OpenLDAP.
Could you please help us understand the scenario below in integrating
Keycloak with OpenLDAP.
In user federation we have added an OpenLDAP server with the required
details and the "Test Connection" and "Test Authentication" succeeded.
But when we tried to sync users we got the below exception:
12:22:21,866 ERROR
[org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default
task-23) Could not query server using DN [o=foo] and filter
[(&(ou=External,ou=People,o=foo)(objectclass=posixAccount)(objectclass=top)(objectclass=inetOrgPerson)(objectclass=organizationalPerson)(objectclass=person)(objectclass=shadowAccount))]:
javax.naming.OperationNotSupportedException: [LDAP: error code 12 - The
server is not configured to pass through control 1.2.840.113556.1.4.319];
remaining name 'o=foo'
After searching for the above error, we found/suspected
(link: https://kb.informatica.com/solution/21/Pages/136192.aspx) that it is
because of some pagination issue on both the Keycloak and LDAP provider end. So
we disabled the pagination and tried to login directly. But here also we are
getting the error "User not found".
Error log:
12:34:46,141 WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
realmId=Test, clientId=http://10.50.68.44:8080, userId=null,
ipAddress=10.125.155.49, error=user_not_found, auth_method=saml,
redirect_uri=http://10.50.68.44:8080/plugins/servlet/saml/auth,
code_id=6c3359b4-0c36-4b8e-9924-7acbd3439155, username=user1
The user we tried is the same user that was given in the "Bind Credentials"
field, and the "Test Authentication" succeeded.
Please help us understand what extra information needs to be configured to achieve this.
Please find the attachments for the configuration of OpenLDAP with Keycloak:
<http://keycloak-user.88327.x6.nabble.com/file/t585/ldap2.png>
<http://keycloak-user.88327.x6.nabble.com/file/t585/ldap1.png>
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
7 years
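The error code 12 above names the Simple Paged Results control (1.2.840.113556.1.4.319), which Keycloak's LDAP provider sends when Pagination is enabled. This added example (not from the post or from Keycloak) reads the server's root DSE over plain JNDI and reports whether that control is advertised, so you can confirm whether disabling Pagination is the right fix before touching the provider settings; the URL and bind credentials are placeholders.

```java
// Added example, not Keycloak's own code. Reads the root DSE (the entry with the empty DN)
// and checks its supportedControl attribute for the paged results OID from the error.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class PagedControlCheck {
    static final String PAGED_RESULTS_OID = "1.2.840.113556.1.4.319";

    public static boolean supportsPagedResults(String url, String bindDn, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes("", new String[] {"supportedControl"});
            Attribute controls = attrs.get("supportedControl");
            if (controls == null) return false;
            NamingEnumeration<?> values = controls.getAll();
            while (values.hasMore()) {
                if (PAGED_RESULTS_OID.equals(String.valueOf(values.next()))) return true;
            }
            return false;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholders: pass your own values as arguments.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.invalid:389";
        String bindDn = args.length > 1 ? args[1] : "cn=admin,o=foo";
        String password = args.length > 2 ? args[2] : "changeme";
        boolean ok = supportsPagedResults(url, bindDn, password);
        System.out.println(ok
            ? "Server advertises paged results; the control is supported."
            : "No paged results control advertised; disable Pagination in the Keycloak LDAP provider.");
    }
}
```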
Component Model for mere mortals
by Dmitry Telegin
(i.e. for non-Red Hat guys who develop Keycloak extensions themselves)
Hi,
I'm trying to get a better understanding of what the Keycloak component
model is and whether it will suit my particular use case.
Is it true that components:
- are associated with providers;
- have lifecycle independent of that of the associated provider (i.e.
neither a component automatically instantiates a provider, nor vice
versa);
- allow providers to persist arbitrary configuration in the form of a
String-valued MultivaluedHashMap;
- allow providers to establish parent-child relationship;
- are bound to realms?
Now for the use case; imagine there are several providers (e.g.
EntityProvider + RealmResourceProvider + Authenticator), and they all
should share a *global*, singleton config (i.e. not bound to any
realm). Can I achieve this with components? Will setting realm to null
work? Using master realm doesn't seem to be a good idea, since,
according to Stian, there were plans to deprecate and get rid of master
realm (is that still the case?)
If components are not the way to go, how else could I implement global,
runtime-modifiable and GUI-editable config? Obviously I could introduce
another custom JPA entity for that, but I'd like to avoid literally
"multiplying entities without necessity" (C).
Thanks in advance,
Dmitry
7 years
500 HTTP Response Code Usage
by Josh Cain
Hi all,
I'm having some issues in which Keycloak throws 500 responses for what,
IMHO, should be a non-500 HTTP status code. For instance, take the
following request:
http://localhost:8080/auth/realms/master/protocol/saml/clients/null
Keycloak returns a HTTP Status code of 500, with a text error message
that says "Client not found." Seems like a textbook case for a HTTP 404
response code.
The reason I ask is that we were hoping to use status codes for some
monitoring and even traffic shaping + health analysis type things and
have found them unreliable as an indicator of server function/health.
Instead, 500s are also used when clients behave poorly (as in the
example above) and do things like request non-existent clients, use bad
parameters, or the like. Shouldn't this classification of errors use
4XX response codes?
Is the team open to cleaning these up? Happy to help out with some PR's.
--
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain(a)redhat.com IRC: jcain
7 years
Keycloak update password with your own user federation throws exception
by andreadonato54@yahoo.it
Hi,
Posting here a question I found on StackOverflow on one issue I'm experiencing too, on keycloak 4.3.0-Final.
Thanks for your help
Andrea
--
https://stackoverflow.com/questions/47388978/keycloak-update-password-with-your-own-user-federation-throws-exception
So I have been trying to update the password on my Keycloak where we have created our own user federation connection. It works to log in, create users and all is good. But when I turned on update password, there were some troubles. First, the required action "update password" had to be turned on; the exception did not suggest that. But when that was on and after submitting a new password, everything went through until it fails with the attached exception. So the functions are run, and the federation is updated, so the new password is valid, but it fails with an internal server error, and I can't really make sense of it.
It starts here: https://github.com/keycloak/keycloak/blob/c9da02912e38ea50aa496ee29... on to this method and another method in that file, which is one method under: https://github.com/keycloak/keycloak/blob/c9da02912e38ea50aa496ee2...
It crashes in this method: https://github.com/keycloak/keycloak/blob/c5b01ca9cb17ec46d546519... by:
java.lang.NumberFormatException: For input string: "edwin@gmail"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.lang.Integer.parseInt(Integer.java:615)
    at org.keycloak.authentication.actiontoken.DefaultActionTokenKey.from(DefaultActionTokenKey.java:76)
    ....
7 years
Inefficient deletion execution schedule EVENT_ENTITY
by AOM Support
We have an issue similar to the one in the "deletion execution schedule EVENT_ENTITY" thread from Sep 2015.
Because of extensive tests our table event_entity (Oracle 12) is large - ~10M rows.
The scheduled task org.keycloak.services.scheduled.ClearExpiredEvents is run quite often by Keycloak and performs the following SQL:
delete from EVENT_ENTITY where REALM_ID=? and EVENT_TIME<?
The post "deletion execution schedule EVENT_ENTITY" from Sep 2015 states that this is run every 15 minutes but according to our observations it is run much more often:
In our 3-node Keycloak cluster the Oracle trace shows that this statement is run more than once per minute and causes Oracle to perform a full table scan each time, which takes ~1 minute.
This is completely counter-productive as at every single point in time there is at least one full table scan running - just for the sake of keeping the event_entity table "clean".
Compared to the purpose the resource consumption on the Oracle server (CPU, disks, ..) is very high and in our humble opinion completely out of proportion.
Another adverse consequence is that the table is permanently locked by these deletes making any DDLs on the table difficult.
Creating the following index
create index keycloak.some_index_name on keycloak.event_entity(event_time,realm_id) tablespace ...
works for us - it eliminates the full table scan. Of course there is a slight performance penalty as the index updates (both on inserts and on deletes) require a certain amount of resources.
Our question is: is this the optimal solution to the problem?
And: is it a "legal" solution? We have manipulated the keycloak database schema that was created by Keycloak and that is supposed to be under its exclusive control?
What if during a future upgrade Keycloak tries to create an equivalent index (which would lead to an error)?
Currently as created by Keycloak, the table event_entity has only a primary key, no other indexes.
Thanks in advance for your thoughts
Peter
7 years