February 2017 - keycloak-user - Jboss List Archives

Angular2 app with non-authenticated pages

by Plunkett McGurk

Hi Guys, In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...) I'm my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages Many thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

7 years, 10 months

2
1
0 / 0

Scopes auto complete on Resources gets only limited records.

by Ushanas Shastri

Hello, In the resources screen, when we add new resource, and want to select some Scopes, the auto complete gets limited records, which look like page size chunks from the Scopes screen. If I have say 50 Scopes, all of which have parts of the word Search, then beyond the initial list, the other scopes don't show up. Regards, Ushanas.

7 years, 10 months

2
3
0 / 0

keycloak user store provider and modules logic

by Giordano, Antonio

Hi all, We are moving from keycloak 1.7 to 2.5.1 and we have some troubles in the deployment of a jar relative to our user storage provider. In the old version we deploy all jars and properties with jboss modules logic but in new version there is a specific folder "providers" where we have to deploy our user storage provider. Unfortunately seems that our jar can't use resources loaded in modules section of wildfly (other jars or props) and needs all resources in his package. My question is: which is the correct way in 2.5.1 to deploy a keycloak provider that use resources defined in wildfly classpath via modules logic? Thanks for your help agi

7 years, 10 months

2
1
0 / 0

keycloak.js updateToken does not validate refresh token expiration date

by adam.michalski＠aol.com

keycloak.js updateToken does not validate refresh token expiration date in example https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a... when i call getToken() method after refresh token expires i get console.info('[KEYCLOAK] Refreshing token: token expired'); from keycloak.js:400 with /auth/realms/InfiniteBirEUmowy/protocol/openid-connect/token 400 (Bad Request) [KEYCLOAK] Failed to refresh token I need to check if refresh token does not expired and if it is call KeycloakService.auth.authz.login(); Why this token refresh expiration check is not handled by updateToken inside keycloak.js updateToken()?

7 years, 10 months

2
1
0 / 0

Group / Subgroup Creation in Java

by Rodel Talampas

Hi All, Need help on the following scenario. Been doing some POC for our keycloak user management project and having problems passing my unit test as when I create 3 level subgroups, my Keycloak Server hangs. Sample Junit Test code: ====================================================== createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_2"); createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_2"); ==================================== private static void createSubGroups(Keycloak keycloak, String realmName, String groupName, String realmClient){ GroupRepresentation parentSub = null; boolean found = false; for (GroupRepresentation group: keycloak.realm(realmName).groups().groups()){ for (GroupRepresentation sub: group.getSubGroups()){ if (sub.getName().equals(groupName)) { parentSub = sub; found = true; break; } } if (found) break; } GroupResource parentSubResource = keycloak.realm(realmName).groups().group(parentSub.getId()); GroupRepresentation subGroup1 = new GroupRepresentation(); subGroup1.setName(groupName + "-" + realmClient); subGroup1.setPath("/Group_1/" + groupName); parentSubResource.subGroup(subGroup1); } ========== Target Output Below ====== Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 DUTY_MANAGER_Client_2 CASHIER CASHIER_Client_1 CASHIER_Client_2 ================================= My code will only work properly for the first 2 calls of the method. On the 3rd call, it will somehow hang on the loop. Am not able to debug nor step through in Junit. It will only produce the following: Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 CASHIER CASHIER_Client_1 I also tried of instead using a loop I use the getGroupByPath from the realmResource but still the same issue. The only thing left for me is to call the Restful Service directly from my code. Any suggestions will be very much appreciated. Thanks Rodel

7 years, 10 months

2
2
0 / 0

Getting Access token over REST API

by akash agrawal

Hi, I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect. I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get access token? Using KeyCloak user interface to login and get an access token is not an option. Appreciate your help. Thanks. Akash

7 years, 10 months

2
3
0 / 0

Email Templates

by Serhii Morunov

Hello. I meet some issue with using keycloack Admin API and client. When im trying to send email-verification email via /send-verify-email i recieving template for "Update user account". Is it known issue or i doing something wrong? Im trying with Keycloak 2.5.1.Final server version. Best Regards, Serhii

7 years, 10 months

2
1
0 / 0

Keycloak admin-panel. Infinite loop.

by keijo.korte＠kvak.net

Hi, Setup: OS: Centos 6.8 Keycloak version, 2.5.1-FINAL httpd version 2.2.15 I have configured httpd as a SSL off loading reverse proxy for Keycloak server. The proxy and the Keycloak are on different servers. Basically everything works fine, but I can't log in because I am been redirected back to the square one all the time. Here is the flow: GET https://idp.xxx.net/auth/admin/ GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH... GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8... GET lots of resources: /config, login-status-iframe.html, /token, /messages.json and so on GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... and the same thing from the start. Forever. httpd configuration for SSL: ***** <VirtualHost *:443> ServerName idp.xxx.net ServerAdmin webmaster(a)xxx.net DocumentRoot /var/www/html/ <Directory /> Order deny,allow Allow from all Options FollowSymLinks AllowOverride None </Directory> <Proxy *> Order deny,allow Allow from all </Proxy> ProxyRequests Off RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" ProxyPreserveHost on ProxyPass / http://172.16.22.12:8080/ keepalive=On ProxyPassReverse / http://172.16.22.12:8080/ + lots of cipher suite setting and so on. ***** WildFly configuration: ***** <server name="default-server"> <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/> <host name="default-host" alias="localhost idp.xxx.net"> <location name="/" handler="welcome-content"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> .... <socket-binding-group name="standard-sockets" default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> <socket-binding name="http" port="${jboss.http.port:8080}"/> <socket-binding name="proxy-https" port="443"/> <socket-binding name="https" port="${jboss.https.port:8443}"/> <socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-status-manager" port="4713"/> <outbound-socket-binding name="mail-smtp"> <remote-destination host="localhost" port="25"/> </outbound-socket-binding> </socket-binding-group> ***** Does someone has some kind of clue why I am been redirected? First I think that this was some kind of http/https redirect problem, but when I enabled requestdumper @ wildfly I can see that everything is HTTPS. ***** ----------------------------REQUEST--------------------------- URI=/ characterEncoding=null contentLength=-1 contentType=null header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 header=Accept-Language=en-US,en;q=0.5 header=Accept-Encoding=gzip, deflate, br header=X-Forwarded-Server=idp.xxx.net header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0 header=Connection=Keep-Alive header=X-Forwarded-Proto=https header=X-Forwarded-Port=443 header=X-Forwarded-For=88.12.13.14 header=Upgrade-Insecure-Requests=1 header=Host=idp.xxx.net header=X-Forwarded-Host=idp.xxx.net locale=[en_US, en] method=GET protocol=HTTP/1.1 queryString= remoteAddr=88.12.13.14:0 remoteHost=88.12.13.14 scheme=https host=idp.xxx.net serverPort=443 ***** -Keijo

7 years, 10 months

3
4
0 / 0

k_query_bearer_token, is there a way to query the associated public key?

by Scott Stark

So I can query the current access token via the myapp-root/k_query_bearer_token when expose-token is set to true, but is there a way to query the public key associated with the signature portion of the token?

7 years, 10 months

2
3
0 / 0

How explicitly enable session management in Keycloak?

by Known Michael

Hey, I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0” I was not able to implement the session management using OP and RP frames as described here: https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management I see in mod_auth_openidc logs the following: [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client 192.168.111.33] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe ( https://localhost/auth/realms/realm/protocol/openid-connect/login-status-...) is not provided, referer: https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?resp... It looks like the session management is disabled because the Provider did not return a session_state parameter in the authentication response (which in its turn can be verified via the referer URL in the same log entry) as the spec dictates: https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdating... How should I configure explicitly enable session management in Keycloak? It should starts returning session_state in the authentication responses. I see that it is implemented already https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss something.

7 years, 10 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user February 2017