Manage VerifyEmail outside Keycloak?
by Alex Berg
Is anyone else managing email verification outside Keycloak? I'm
considering doing it, so I'd like past experience reports.
It seems like I could
- Create a user in Keycloak using the Admin REST API when a user registers
in my app's UI, then immediately craft a "verify email" email to send to
them with a key I craft and a link back to my app.
- My app later receives this key, gets the associated email ownership
claim, and updates the user's record in Keycloak to remove the "Verify
Email" required action and set the "Email Verified" field to true.
Should work, right?
7 years, 7 months
Global vs per realm SMTP
by John D. Ament
Hi
I was wondering if the SMTP configuration can be done on a global basis,
instead of per realm?
John
7 years, 7 months
XML parsing issues after upgrading RH_SSO from 7.0 to 7.1
by Pulkit Gupta
Hi Team, We have a bunch of applications working with RH_SSO. The
applications were using SAML adapter 7.0 for EAP6 and all was working fine.
However we upgraded the SAML adapter to 7.1 at our SP side. Soon after the
upgrade we are now seeing XML parsing exceptions in the /wapps/xxx/saml
endpoint created by the adapter. These are also not consistent and most of
the applications work fine most of the time; however we get this mostly
with one of our SP. Please find the stack trace below.

2017-06-09 03:17:42,370 [wapps-external-exec-threads - 161] ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: java.lang.RuntimeException: javax.xml.stream.XMLStreamException: java.net.MalformedURLException
2017-06-09 03:17:42,370 [wapps-external-exec-threads - 161] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.NullPointerException
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:179)
    at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44)
    at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48)
    at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:224)
    at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:174)
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
    at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:356)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
    at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
    at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511)
    at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)
    at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808)
    at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)
    at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)
--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD <https://www.redhat.com/>
Pune - India
pulgupta(a)redhat.com T: +91-2066817536
<http://redhatemailsignature-marketing.itos.redhat.com/> IM: pulgupta
<https://red.ht/sig>
7 years, 7 months
Exception in Kerberos Credential Delegation example
by Nirmal Kumar
Hi Keycloak,
I setup the keycloak-demo-3.0.0 standalone server with the Kerberos example(kerberos-portal.war) on an *Ubuntu machine(N1)*.
Next on another *Ubuntu machine (N2)* I set up the Kerberos client (did a kinit) and made the required config changes in Firefox, and I am able to access the URL http://N1:8080/kerberos-portal/ and the login page is bypassed as expected.
However, when using another *Windows 8.1 machine (N3)* where I have setup the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login page.
The browser does get the challenge response header WWW-Authenticate: Negotiate and then sends Authorization: Negotiate YII..., but somehow I end up with the Login page and see the below error in the Wildfly logs.
2017-06-07 10:46:04,332 INFO [stdout] (default task-42) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx(a)IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) principal is HTTP/192.168.xx.xx(a)IMPETUS.CO.IN
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) Will use keytab
2017-06-07 10:46:04,335 INFO [stdout] (default task-42) Commit Succeeded
2017-06-07 10:46:04,335 INFO [stdout] (default task-42)
*2017-06-07 10:46:04,337 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
2017-06-07 10:46:04,337 INFO [stdout] (default task-42) [Krb5LoginModule]: Entering logout
2017-06-07 10:46:04,338 INFO [stdout] (default task-42) [Krb5LoginModule]: logged out Subject
I troubleshot for quite a long time but cannot understand where the problem is.
Can you please give me some pointers to look for?
Thanks,
-Nirmal
7 years, 7 months
Get Access Token to service account using Java code
by Hylton Peimer
I have written a provider which implements the UserStorageProviderFactory
to connect Keycloak to a legacy system.
I need to get an AccessToken (for a realm service account) in the Java code.
Is there a way to achieve this in Java, without a network call to
"/protocol/openid-connect/token"?
7 years, 7 months
Login to Admin REST API from client
by Cesar Salazar
Hi,
I'm trying to access the admin REST API from a microservice, in order to
create a realm. The documentation says that I should get an access
token in order to be able to make calls to the REST API.
The problem is: I wouldn't like to use a username and password to get it,
is it possible to get it from the clientId and clientSecret?
I mean, how do I make calls to the admin REST API using client credentials?
I couldn't find anything in the documentation.
https://keycloak.gitbooks.io/documentation/server_development/topics/admi...
Or is the documentation somewhere else?
Thanks!
--
*Cesar Salazar*
Development Manager
DEVSU | www.devsu.com
7 years, 7 months
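An added example (not code from either thread, nor from Keycloak itself) covering both Alex's "verify email outside Keycloak" flow and Cesar's question about obtaining an admin token with client credentials: the key the app mails out is HMAC-bound to the user id and email, expires, and is compared in constant time; the admin token comes from the client_credentials grant; the user update sets emailVerified and removes the VERIFY_EMAIL required action via the Admin REST API. It assumes a realm "MyRealm" on localhost with the Keycloak 3.x URL layout and a confidential client with service accounts enabled (all constructed values); the HTTP helpers need a running server, the key and representation helpers run offline.

```python
import base64, hashlib, hmac, json, secrets, time, urllib.parse, urllib.request

KEYCLOAK = "http://localhost:8080/auth"   # assumed Keycloak 3.x base URL (constructed)
REALM = "MyRealm"                         # assumed realm name (constructed)
APP_SECRET = b"constructed-app-secret-load-this-from-config"
KEY_TTL = 24 * 3600                       # verification links expire after one day

def make_verify_key(user_id, email, now=None):
    """Key the app mails out: user id, email, expiry and nonce, HMAC-bound to APP_SECRET."""
    exp = int(time.time() if now is None else now) + KEY_TTL
    claim = {"u": user_id, "e": email, "x": exp, "n": secrets.token_hex(8)}
    body = json.dumps(claim, separators=(",", ":")).encode()
    tag = hmac.new(APP_SECRET, body, hashlib.sha256).digest()   # 32-byte tag
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")
def check_verify_key(key, now=None):
    """Return (user_id, email) for an authentic, unexpired key, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(APP_SECRET, body, hashlib.sha256).digest(), tag):
            return None                   # forged or tampered key
        claim = json.loads(body)
        if int(time.time() if now is None else now) >= claim["x"]:
            return None                   # link expired
        return claim["u"], claim["e"]
    except (ValueError, KeyError, TypeError):
        return None
def verified_user_update(rep):
    """The user representation the app PUTs back once email ownership is proven."""
    rep = dict(rep)
    rep["emailVerified"] = True
    rep["requiredActions"] = [a for a in rep.get("requiredActions", []) if a != "VERIFY_EMAIL"]
    return rep
def _call(method, url, token=None, body=None, form=None):
    """Small urllib helper: form or JSON body, optional bearer token, JSON or empty reply."""
    data = urllib.parse.urlencode(form).encode() if form else json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/x-www-form-urlencoded" if form else "application/json"}
    if token:
        hdrs["Authorization"] = "Bearer " + token
    with urllib.request.urlopen(urllib.request.Request(url, data=data, method=method, headers=hdrs)) as r:
        text = r.read().decode()
        return json.loads(text) if text else None
def admin_token(client_id, client_secret):
    """Client-credentials grant: the client needs service accounts enabled and realm-management roles."""
    url = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
    return _call("POST", url, form={"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret})["access_token"]
def mark_email_verified(token, user_id):
    """Admin REST round trip: read the user, set emailVerified, drop the required action."""
    url = f"{KEYCLOAK}/admin/realms/{REALM}/users/{user_id}"
    _call("PUT", url, token, body=verified_user_update(_call("GET", url, token)))
```

For realm creation, as in Cesar's case, the token has to be issued by the master realm to a service account that holds a role permitting realm creation; the realm-scoped token above only covers user management in "MyRealm".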
"Verify Email" email isn't sent on initial login when using OIC
by Alex Berg
I create a new user via the Admin REST API, then I immediately try to log in
as that user via the OpenID Connect protocol. I get a login error, saying
"invalid_grant" and "Account is not fully set up", which I expect, but
Keycloak doesn't perform the "Verify Email" required action.
If I log in via the Keycloak-provided account login - "
http://localhost:8080/auth/realms/MyRealm/account/" - Keycloak *does* send
a "Verify Email" email with the appropriate email template.
Has anyone else experienced this issue?
7 years, 7 months
Keycloak Java adapter & ADFS
by Cat Mucius
Good day,
I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft
ADFS (on IdP side).
As I understood from this article [1], ADFS expects to receive <KeyInfo>
element in <Signature> of SAMLRequest in specific format:
"Importantly, then the SAML Signature Key Name field that shows after
enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
as AD FS expects the signing key name hint to be the subject of the signing
certificate."
But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
format [2]:
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
So I have two questions:
a. Is it really a problem? Has anyone used the Java adapter successfully to
authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
some other format?
Thanks,
Mucius.
Links:
[1]
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html
7 years, 7 months
Fwd: Login a Java Fat Client with Windows Kerberos Token against Keycloak backed by AD?
by Malte Finsterwalder
Hi Marek,
thanks for the quick response.
Do you have an ID for the Jira bug? I couldn't find it.
I must say I'm completely new to Keycloak and Kerberos etc.
I noticed that the keycloak-authz-client uses an http-client under the
hood. Do I understand correctly, that the server still recognizes this type
of client as something different and uses the "Direct Grant" Authentication
flow and not the "Browser" flow?
So I would have to create a new Authenticator SPI implementation, that is
then deployed on the Keycloak server and integrated into the "Direct
Grant"-Flow to integrate Kerberos Authentication into this flow?
And do I also have to program something into the client?
Would it also be feasible to access Keycloak like a browser instead? Since
then Keycloak already supports Kerberos SSO, as far as I know.
Or why is the Fat Client using a completely different flow in the first
place?
Greetings,
Malte
On 7 June 2017 at 22:04, Marek Posolda <mposolda(a)redhat.com> wrote:
> It's not yet supported OOTB. There has already been a JIRA opened for a long
> time. Feel free to add a vote :)
>
> However it should be already possible to implement it if you write custom
> authenticator and put it into the "Direct Grant Flow" authentication flow
> for the realm. Then your Java Fat Client will be able to send the token in
> the "Authorization: Negotiate token" header and your authenticator can then
> authenticate this request. Feel free to send PR if you manage to have it
> working.
>
> See our docs and examples for Authentication SPI for more details.
>
> Marek
>
>
> On 07/06/17 15:13, Malte Finsterwalder wrote:
>
>> Hi,
>>
>> I have the following setup:
>>
>> I'm programming a Java Fat Client application. I want to integrate it into
>> SSO with Keycloak.
>> Our Keycloak is connected to our Windows Active Directory (AD).
>>
>> So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and
>> sends that to Keycloak. Keycloak should authorize the token against the AD
>> and send back an authorization token to the Fat Client, so I can later use
>> this Keycloak token to access other Rest-Services.
>>
>> Fat Client (with Kerberos Token) -> Keycloak -> AD
>> Fat Client (with Keycloak Token) -> REST-Service
>>
>> I can't find anything in the documentation regarding this scenario.
>> Is this possible? And if so, how?
>>
>> Greetings,
>> Malte
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
7 years, 7 months