Realm id in database : some are uuid, some are text
by Jean-François HEROUARD
Hi,
On an instance of Keycloak I have strange errors when browsing some realms
(HTTP 404 on some requests). After some investigation, the root problem
seems to be in the realm database table:
keycloak=# select id, name from realm;
                  id                  |   name
--------------------------------------+-----------
 master                               | master
 5433f7c8-7420-428c-82bc-d96a76da1afe | demorealm
 b1a5a9f6-5f85-489f-8656-25e5307088be | test
 016cc42d-8f46-4007-8054-e8bd7a923fa5 | testrealm
 test2                                | test2
For example, the groups REST resource expects a name in the URL context, but
the Angular admin GUI uses the realm id and so gets a 404.
Realms were created from Keycloak v3.1.0 until the latest v3.4.1. Is there some
data migration to do manually (or has it previously failed)? Or is the
groups REST resource expecting the wrong parameter?
Thanks.
7 years
"Test connection" in Realm Settings/Email fails
by Michael Kefeder
Hi List
I installed your official docker image 3.4.1.Final, and sending emails
from the GUI "Users/$user/Credentials/Credential reset" failed with an
exception that can be seen in the `docker logs` output:
ERROR [org.keycloak.services] (default task-37) KC-SERVICES0088: Failed
to send execute actions email: org.keycloak.email.EmailException:
org.keycloak.email.EmailException: Please provide a valid address
at
org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:145)
...
I provided and saved a from-address in the Realm Settings of course, so
I started to play around a bit trying to find the actual problem. I
found another issue: clicking on the "Test connection" button in the
Realm Settings/Email tab triggers a "Status Code 400 Bad Request", seen
in my javascript console (using Chrome and Firefox browsers). It is a
POST request, but the Request URL contains all posted data, looking
almost like a GET request would, and therefore it includes the SMTP
server's password(!?). Not sure if that is intended, as this could end up
in a web server's logfile. It looks like this (the URL is shortened):
http://127.0.0.1:6789/auth/admin/realms/Multiwave/testSMTPConnection/%7B%....
Here is the data I am POSTing (actual server/usernames changed to
protect the innocent):
{"realm":"Multiwave","config":"{\"password\":\"**********\",\"starttls\":true,\"auth\":true,\"port\":587,\"host\":\"smtp.example.com\",\"replyTo\":\"\",\"from\":\"sso(a)example.com\",\"fromDisplayName\":\"Keycloak\",\"ssl\":\"\",\"user\":\"smtp_loginname\"}"}
Any hints what I am doing wrong? Is this broken for somebody else using
docker? Not being able to send the reset-password emails is keeping me
from deploying Keycloak for our users. Setting it up and implementing
the authentication clients against it worked really great so far, thanks
for your system!
br
mike
7 years
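Added here as an example, not code from the post or from Keycloak: a log scrubber for the situation above, where a request path carries URL-encoded JSON (the segment starting with %7B, an encoded "{") that includes the SMTP password. It decodes such segments, masks password-like fields (including JSON nested inside a string, as the "config" field is) and reports how many secrets it found, so a log pipeline can both redact and alert. The secret-key list, the constructed log line and the function names are assumptions.

```python
import json
import re
from urllib.parse import quote, unquote

# Key names whose values must never be written to a log (our list, not Keycloak's).
SECRET_KEYS = {"password", "secret", "client_secret"}


def redact_secrets(obj):
    """Walk a decoded JSON value and mask values under secret-named keys; nested
    JSON carried as a string (like "config") is handled too. Returns (value, count)."""
    if isinstance(obj, dict):
        out, found = {}, 0
        for key, val in obj.items():
            if key.lower() in SECRET_KEYS and val not in ("", None):
                out[key], found = "[REDACTED]", found + 1
            else:
                out[key], n = redact_secrets(val)
                found += n
        return out, found
    if isinstance(obj, str) and obj.startswith("{"):
        try:
            inner, n = redact_secrets(json.loads(obj))
        except ValueError:
            return obj, 0
        return json.dumps(inner, separators=(",", ":")), n
    return obj, 0


def scrub_request_line(line):
    """Find URL-encoded JSON path segments (they start with %7B), redact secrets
    inside them and re-encode them. Returns (scrubbed_line, secrets_found)."""
    total = 0

    def fix(match):
        nonlocal total
        try:
            doc = json.loads(unquote(match.group(0)))
        except ValueError:
            return match.group(0)  # not JSON after all: leave it untouched
        clean, n = redact_secrets(doc)
        total += n
        return quote(json.dumps(clean, separators=(",", ":")), safe="")

    return re.sub(r"%7B[^\s/?\"]*", fix, line, flags=re.IGNORECASE), total


# Constructed access-log line mirroring the shape of the testSMTPConnection request.
_CONFIG = {"password": "hunter2", "port": 587, "host": "smtp.example.com", "user": "smtp_loginname"}
_PAYLOAD = {"realm": "Multiwave", "config": json.dumps(_CONFIG)}
SAMPLE_LOG = ('10.0.0.5 - - [constructed] "POST /auth/admin/realms/Multiwave/testSMTPConnection/'
              + quote(json.dumps(_PAYLOAD), safe="") + ' HTTP/1.1" 400 0')
```

A non-zero count is itself a useful signal: it means a secret reached the access log and the upstream client (here the admin console request) should be fixed, not just the log.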
Fwd: KeyCloak OpenID Connect and SAML SP
by Vinay Mistry
Hi,
If I am running a local KeyCloak (OpenID Connect) IdP, is it possible to
authenticate to external applications (Service Providers) that only support
SAML 2.0?
Would SP- or IdP-initiated SSO be supported with KeyCloak and SAML-based
Service Providers?
Any documentation for setting this up would be great.
Thanks,
Vinay
7 years
Openshift SSO with Keycloak
by Lahari
Hi,
The issue is: I have secured multiple applications in my Keycloak. For example,
I have secured Jira, Confluence, Openshift etc. with Keycloak. So when I
log in to one application, i.e. Jira, with user name "Murali", the other
applications that are configured are able to log in
with the same user, but not "OPENSHIFT" (which should not be the expected
behaviour). We have to enter credentials again for the "openshift" login.
According to the SSO policy, since Openshift is also configured under the same
realm, it should also be logged in with user "Murali".
How can this issue be solved?
7 years
How to determine in Keycloak JS adapter whether user has an active SSO session?
by Michal Chudy
Hi All,
To introduce my current setup, I have 3 components:
- Website with some static (CMS) and dynamic parts, a couple of Single
Page Applications; everything works on domain spa.com.
- REST API, which provides any dynamic functionality (user profile), is
hosted on api.com and requires SSO tokens to work.
- SSO server is hosted under the sso.com domain.
I'd like to determine in my SPA whether the user has an active SSO session, so
that when I'm logged in but do not have tokens, I can:
- do a redirection dance to get tokens
- not allow the user to use the registration form
I'm using the Keycloak JS adapter, which uses an iframe mechanism, checks for the
KEYCLOAK_SESSION cookie and communicates with the host window via some flags:
    var cookie = getCookie('KEYCLOAK_SESSION');
    if (cookie) {
        data.loggedIn = true;
        data.session = cookie;
    }
The problem is that I cannot rely on this cookie to check if the user is
logged in, because the cookie has a 30-day expiration date, which is way more
than an actual Keycloak session lasts, let's say 15 minutes.
This cookie is set when the user gets authenticated and is not refreshed
on each token update. I do not understand then its purpose and the purpose
of this flag.
I'm also thinking about relying on local storage and keeping the refresh and
access tokens there to determine if the user is logged in, either by checking
the timeout or by trying to refresh the access token. BUT... this also is not reliable,
because the user might have already authenticated using some other application.
To add more context to the problem... one of my SPA applications is a
registration wizard, which uses REST API to register user and receives
login_hint in return. This login_hint can be used as a wildcard in SSO
redirect to pass the challenge and log in immediately.
However, if some other user is already logged in, we get the session of this
other user in return, not the one that should be logged in because of the
login_hint used.
Kind Regards,
Michał Chudy
7 years
Resource Server Quick-start
by Y Levine
Have had excellent success with quick-start examples here -
https://github.com/redhat-developer/redhat-sso-quickstarts
Looking for a quick-start example which mimics a resource server (APIs
only; no user auth); Keycloak is the authorization server.
Workflow:
1) Client contacts resource server to call API (client is a service/app,
not a user)
2) Resource server says no token, talk with Resource Server (Keycloak)
3) Client contacts Keycloak for access to the Resource Server
4) Keycloak issues a token for the Client to call the Resource Server's API(s)
5) Client calls Resource Server with token
6) Resource Server validates token with Keycloak
7) Resource Server grants access to API for the client.
Any such quick-start exists?
7 years, 1 month
redirect_uri on a POST route
by O'Callaghan, John
Hi All
I am using the nodejs adapter keycloak.protect() to authenticate (using openid-connect) some of my http routes and have a problem that I hope someone out there can help with.
    app.post('/foobar', keycloak.protect(), doStuff);
The above works fine so long as the access token has not expired. But if it's expired then I see it sending back a 302 to refresh the access token (with the redirect_uri=/foobar).
Which is fine. I then see my browser doing a GET to keycloak to refresh the access token; that succeeds and I get back a 302 to the original /foobar route. But the 302 method is now a GET, whereas the original call was a POST. This will obviously fail as I have not defined a GET operation for the route.
What am I doing wrong here? Is there a way for me to tell keycloak that the redirect_uri is associated with a POST method? And what happens if the original call had a body? How is that handled?
Any help would be much appreciated.
Thanks!
John
7 years, 1 month