Need any advice on issue KEYCLOAK-3923 (LDAP FEDERATION ISSUE)
by Sumit Das
Hi
I saw a few comments on the url below:-
https://issues.jboss.org/browse/KEYCLOAK-3923
We are also facing the same issue where we want to *delete Roles and Groups
from the LDAP(Active Directory)*, which is federating a Keycloak instance,
once we *delete the same from the Keycloak instance*.
We *want to have this feature* for our convenience. I read about a flag
being introduced to facilitate the same. Has the feature already been
developed? Can you provide me with any update about it?
I would *highly appreciate any help* regarding this. Please do respond and
shed some light on the issue.
Regards
*Sumit Das*
7 years, 9 months
Realm Keys
by Jason B
Hi,
I am wondering where Keycloak stores realm keys and how they are
replicated across servers when multiple Keycloak servers are deployed as a
single cluster. Is it in the database or in some local keystore? Are there any
special considerations we need to take for realm keys while deploying it
as a cluster?
Thanks!
7 years, 9 months
Delete Roles on Active Directory when deleted from Keycloak
by Sumit Das
Hi
I have done an integration of Keycloak Realm with an Active Directory
instance. The realm roles that have been created are mapped with the help
of a role-mapper. When I delete any roles from the Realm, the role still
persists in the AD instance, even after using the synchronization of
"Keycloak Roles to LDAP". How do I ensure that when I delete any role in
Keycloak, it also gets deleted from the AD as well?
Please do respond.
Regards
*Sumit Das*
Mobile No.: +91-9986872466
7 years, 9 months
Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hi Sebastien,
Thank you for your answer.
After adding your suggestion to the security constraints, I get the following error:
Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties': Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method' from 'applicationConfig: [classpath:/application.properties]' to 'securityConstraints[0].securityCollections[0].http-method' property on 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$SecurityConstraint'
My configuration looks like this:
keycloak.securityConstraints[0].securityCollections[0].name = secured end points
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].http-method = GET
Do you know what the problem could be?
Thank you!
Best,
Andreea
-----Original message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Tuesday 21st February 2017 17:43
To: Andreea Ciuprina <aciuprin(a)mpi-bremen.de>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
You can add the configuration about the policy enforcer in your application.properties; just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead of just policy-enforcer).
Regarding HTTP verb authz, it *should* work since the Spring Boot adapter just passes along the configuration to the underlying servlet container (Tomcat, Undertow or Jetty).
But even without using the authorization layer, you should be able to achieve this by configuring the security constraints.
keycloak.securityConstraints[1].securityCollections[0].http-method = GET
etc ...
On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin(a)mpi-bremen.de> wrote:
Hello!
We are building an online application for which we are using Keycloak for authentication and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achieve more fine-grained authorization; more specifically, we would like to set up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is
no keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 9 months
Infinite loop while proxying angular2 devserver
by Okie Othsam
Hi,
I am trying to prepare a development environment and got a strange loop behavior.
I have built a docker scenario with a keycloak/postgresql container that is
behind a web server proxy container (tested Apache and nginx). The
webserver container also proxies to a locally running node.js instance with
the angular2 devserver.
My sample angular app uses the javascript keycloak adapter and wraps it
with a service.
If I run the Angular devserver and keycloak without any proxy, all works fine.
When I use the same servers (modified keycloak.json) behind the proxy, the
angular app runs in an endless loop after a successful keycloak login. Every
second the site is reloaded - without any new login.
When I build a release from my angular app and deploy it to the webserver,
all works fine. But this is not really an alternative because I want to set up
a universal dev environment :-/
After days of debugging, imo there is a good chance of some race
conditions in the Javascript adapter between the dynamic iframe and the angular
app, or I am doing something essentially wrong.
My question is now: has anyone here run a similar setup and used it without
any problems?
Currently my containers run with keycloak version 2.4.0.Final. As next step
I will update my setup to 2.5.1.Final and try to reproduce the behavior.
Kind regards
Eiko
7 years, 9 months
Configuring event logging in Keycloak
by Thomas Darimont
Hello group,
I needed to configure Keycloak to also show success events in the logs
in order to be able to show the login count over time in a graylog
dashboard.
For this to work I needed to change the log level for the "success-level"
within the keycloak jboss-logging event-listener configuration.
As some other folks might want to do that as well, I'd like to share my
jboss-cli config snippet with you.
Cheers,
Thomas
cd $KEYCLOAK_HOME
bin/jboss-cli.sh
# Start keycloak in embedded mode for configuration
embed-server --server-config=standalone-ha.xml --std-out=echo
# Configure jboss-logging event listener
/subsystem=keycloak-server/spi=eventsListener:add(default-provider=jboss-logging)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
# Propagate success events at INFO instead of DEBUG
# This allows successful logins to be tracked in log analysis
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)
7 years, 9 months
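As an added example that is not part of Thomas's mail or of Keycloak itself, the following Python script parses the lines the jboss-logging event listener writes once success events are raised to INFO and error events to WARN, then derives two things a dashboard or detection rule would want: successful logins per minute (the login-count-over-time chart the mail is after) and, going one step further than the mail, source IPs with a burst of LOGIN_ERROR events. The sample log lines are constructed; the `type=..., realmId=..., clientId=..., userId=..., ipAddress=..., key=value` field layout is an assumption modelled on the listener's usual output and may differ by Keycloak version, so adjust the regex to the lines your server actually emits.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape the jboss-logging event listener is
# assumed to write with success-level=info and error-level=warn. The exact
# key set per event varies by Keycloak version; treat this layout as an assumption.
SAMPLE_LOG = """\
12:00:01,101 INFO  [org.keycloak.events] (default task-1) type=LOGIN, realmId=demo, clientId=account, userId=5c1f, ipAddress=10.0.0.5, auth_method=openid-connect, username=alice
12:00:07,412 WARN  [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=null, ipAddress=198.51.100.7, error=invalid_user_credentials, auth_method=openid-connect, username=bob
12:00:08,020 WARN  [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=null, ipAddress=198.51.100.7, error=invalid_user_credentials, auth_method=openid-connect, username=bob
12:00:09,555 WARN  [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demo, clientId=account, userId=null, ipAddress=198.51.100.7, error=user_not_found, auth_method=openid-connect, username=root
12:01:15,300 INFO  [org.keycloak.events] (default task-1) type=LOGIN, realmId=demo, clientId=webapp, userId=9a77, ipAddress=10.0.0.9, auth_method=openid-connect, username=carol
12:01:40,800 INFO  [org.keycloak.events] (default task-4) type=LOGOUT, realmId=demo, clientId=account, userId=5c1f, ipAddress=10.0.0.5
12:02:03,009 INFO  [org.keycloak.events] (default task-1) type=LOGIN, realmId=demo, clientId=webapp, userId=5c1f, ipAddress=10.0.0.5, auth_method=openid-connect, username=alice
"""

# One server log line: "HH:MM:SS,ms LEVEL [org.keycloak.events] (thread) key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>\w+)\s+"
    r"\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>.*)$"
)


def parse_event(line):
    """Return (time, level, {key: value}) for one event line, or None for non-event lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")
        fields[key] = value
    return m.group("time"), m.group("level"), fields


def parse_events(text):
    """Parse every event line in a block of log text, skipping unrelated lines."""
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def logins_per_minute(events):
    """Count successful LOGIN events in HH:MM buckets (the series a dashboard would plot)."""
    counts = Counter()
    for time, _, fields in events:
        if fields.get("type") == "LOGIN":
            counts[time[:5]] += 1
    return dict(counts)


def failed_logins_by_ip(events, threshold=3):
    """Return source IPs with at least `threshold` LOGIN_ERROR events and the usernames tried.

    Needs error-level=warn (or any level the log sink keeps) so that the
    LOGIN_ERROR lines reach the log in the first place.
    """
    attempts = defaultdict(list)
    for _, _, fields in events:
        if fields.get("type") == "LOGIN_ERROR":
            attempts[fields.get("ipAddress", "?")].append(fields.get("username", "?"))
    return {ip: users for ip, users in attempts.items() if len(users) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(logins_per_minute(evs))
    print(failed_logins_by_ip(evs))
```

The split on `", "` relies on event values not containing a comma followed by a space; redirect URIs and user-agent details can break that assumption, in which case a stricter `key=value` tokenizer is needed. For a Graylog setup the same field extraction is usually done with an extractor on the `[org.keycloak.events]` lines rather than in a script, but the per-minute aggregation and the per-IP failure count are the same queries.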
User SPI and connection management
by Istvan Orban
Hi Guys,
I managed to implement User SPI for legacy user migration.
Can someone shed some light on how User SPIs are called in the system?
Are they reused among threads, or is it thread-safe?
The reason I am asking is that I used RestEasy to migrate users from the
legacy platform, and RESTEasy by default uses SingleClientConnManager.
I am wondering if I need to implement connection management in the SPI, or
whether it is thrown away between requests so there is no need for connection
management.
Thanks a lot
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
7 years, 9 months
New authenticator with CompletableFuture as the only authenticating factor
by Daniel Radzikowski
Hi,
I'm trying to implement a new authenticator for Mobile Connect. It is a bit
unusual flow, where the first method *void
authenticate(AuthenticationFlowContext context)*, before returning a
challenge, calls a REST API, which prompts the user's mobile phone with a 'Click
OK' button. This API call waits until the user clicks OK (or times out), so
in order not to block the request, it is wrapped in a CompletableFuture and
the login page (with no inputs) is immediately returned to the browser
(the browser shouldn't wait for the API call result).
The problem is when the CompletableFuture is completed and calls a
callback. That is the place where the authentication should occur, but I don't
have any idea how to do it. The only authenticating factor is the OK response
from this API. Can I set the authentication somehow, bypassing the whole
processor (calling method *action(AuthenticationFlowContext context)* on
its way)? I thought I would eventually call the *action* from the browser
(with ajax) and only check if the session is already created. The only
thing that I can pass to the callback is the AuthenticationFlowContext data
obtained from the first *action(AuthenticationFlowContext context)* call.
Is there any way to do it?
--
Pozdrawiam,
Daniel Radzikowski.
7 years, 9 months