running multiple instances without clustering
by Sam Davis
Hi,
I understand that Keycloak supports clustering, but I am wondering if it is
possible to run multiple instances of Keycloak using the same configuration
database *without* using clustering, i.e. using the standalone
<https://keycloak.gitbooks.io/documentation/server_installation/topics/ope...>
operating mode.
It looks like the only difference between this and using the standalone
clustered mode is that the caches will not be synchronized between the
instances. I understand that it could cause some weird behaviour with user
sessions (e.g. a user logs out on one instance but is still logged in on
another, or vice versa). Would it cause any more serious problems (e.g.
corrupt configuration database) or create security vulnerabilities?
The use case is that my application bundles Keycloak, and the application
and Keycloak run on the same server. If the server goes down, another
instance of the application on another server will take over, and that
instance will redirect users to another keycloak instance running on that
server. So I don't really need clustering, since normally only a single
Keycloak instance will actually be used at a time and will only be used by
a single application.
Thanks,
Sam
7 years, 7 months
E-mail as username with LDAP federation
by Plank Martin
Hello,
I have a realm with this configuration:
- User registration allowed, E-mail as username enabled
- LDAP user federation with Kerberos enabled, sAMAccountName attribute mapped to username, mail attribute mapped to user's e-mail
The problem is that when a user updates their profile through the account form, the username is rewritten and the value of the e-mail address is set to the username attribute.
The user is then invalidated and deleted, because the usernames in Keycloak and LDAP do not match.
Is my realm configuration supposed to work correctly? Or must I have the mail attribute from LDAP mapped to both username and e-mail in Keycloak to keep it consistent?
Thanks
Martin
7 years, 7 months
Allowing multiple JWT issuers in a devel environment
by Jonathan Little
I'm trying to set up a devel environment with Keycloak in a Docker
container, a back-end service in a separate linked Docker container, and a
front end web app that authenticates against Keycloak and then uses a
bearer token with the back end service. Bearer token validation is failing
in this case due to the JWT's iss field not matching the realm URL: the
realm URL is based on a hostname in the Docker network but the login
occurred against localhost from the browser running outside Docker via a
host port mapping.
This is obviously a devel specific scenario and I'd like to be able to opt
in to multiple allowed issuers, an issuer regex, skipping issuer
verification, or some other workaround. AFAICT there is no mechanism for
this and the options are:
1) Add an entry to the devel machine's hosts file so that the browser can
use the same hostname as the Keycloak container has in the Docker network.
This is simple but undesirable because I'd rather not have to globally
modify the devel machine configuration for this.
2) Run the devel Keycloak server outside of Docker at a known externally
accessible hostname. This is potentially the cleanest solution (although it
may have redirect issues with locally hosted devel websites -- I haven't
tried yet) but I'd really like to be able to run Keycloak locally.
3) Somehow hack or customize the token validation code. The issuer check is
fairly deep and I don't see any convenient or palatable hacks though.
This seems to me like it'd be a common situation but is it legitimate or am
I thinking about this wrong? Does anyone else have any ideas or think this
would be a worthwhile addition to the library? Seems to me that multiple
issuers or an issuer regex would be clean solutions.
If this makes sense I will file a feature request (not sure if PRs are
accepted on this project), but it seems like such an ordinary situation
that I feel like I must be missing something!
7 years, 7 months
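As an added example (it is not code from the post or from Keycloak's adapters), here is a bearer-token check that does what the post asks for: it verifies the signature first and then accepts the `iss` claim if it is on an explicit allow-list instead of requiring it to equal a single realm URL. It assumes HS256 with a shared secret so that it runs on the Python standard library alone (Keycloak issues RS256 tokens, so a real verifier would check an RSA signature instead; the issuer logic is the same). The two issuer URLs, the secret, the subjects and the tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Build a compact JWT (header.payload.signature) signed with HS256.
    Assumption: HS256 so the example needs only the standard library; Keycloak uses RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def verify_bearer(token, secret, allowed_issuers, now=None):
    """Return the claims if signature, expiry and issuer all check out, else raise ValueError.
    Order matters: the signature is verified before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never act on the token's own alg
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # The post's point: accept any issuer on an explicit allow-list, not just one realm URL
    if claims.get("iss") not in allowed_issuers:
        raise ValueError("issuer not allowed: %r" % (claims.get("iss"),))
    return claims


# Constructed dev-only values: the same realm reachable under two hostnames.
DEV_ISSUERS = frozenset({
    "http://keycloak:8080/auth/realms/demo",   # hostname inside the Docker network
    "http://localhost:8080/auth/realms/demo",  # host port mapping seen by the browser
})
DEV_SECRET = b"dev-only-shared-secret"


def check(token, now, secret=DEV_SECRET, allowed_issuers=DEV_ISSUERS):
    """Outcome as a string: 'ok:<sub>' on success, otherwise the rejection reason."""
    try:
        return "ok:" + verify_bearer(token, secret, allowed_issuers, now)["sub"]
    except ValueError as exc:
        return str(exc)


def demo(now=1_500_000_000.0):
    """Three constructed tokens: browser-side issuer, unknown issuer, tampered payload."""
    localhost_iss = "http://localhost:8080/auth/realms/demo"
    good = sign_hs256({"iss": localhost_iss, "sub": "alice", "exp": now + 300}, DEV_SECRET)
    unknown = sign_hs256({"iss": "http://idp.example/auth/realms/demo", "sub": "alice",
                          "exp": now + 300}, DEV_SECRET)
    # Re-use the valid header and signature with a payload that names another subject
    h, _, s = good.split(".")
    forged = _b64url_encode(json.dumps({"iss": localhost_iss, "sub": "mallory",
                                        "exp": now + 300}).encode())
    tampered = h + "." + forged + "." + s
    return {"good": check(good, now), "unknown": check(unknown, now),
            "tampered": check(tampered, now)}


if __name__ == "__main__":
    print(demo())
```

The allow-list is deliberately a closed set of full URLs: a regex or a "skip issuer verification" switch left enabled by mistake would let a token from any realm that shares the signing key (or, with HS256, the secret) be accepted, whereas adding the second hostname only for the dev profile keeps production on the single realm URL.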
How to store "UserPassword" in LDAP through Keycloak Admin Client?
by Celso Agra
Hi all,
Please, need some help! I'm trying to create a user through Keycloak Admin
Client.
So, when I add a user from the Keycloak register page my LDAP stores a tag
called "userPassword" with the password stored.
But when I add a user from Keycloak Admin Client, all information is
stored in LDAP, except "userPassword". Am I doing something wrong?
Here is my code below:
import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public Response createUserKeycloak(UserKeycloak userKeycloak) {
    // Non-temporary password credential sent together with the new user
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue(userKeycloak.getPassword());
    credential.setTemporary(false);

    UserRepresentation user = new UserRepresentation();
    user.setUsername(userKeycloak.getUsername());
    user.setFirstName(userKeycloak.getFirstName());
    user.setLastName(userKeycloak.getLastName());
    user.setEnabled(true);
    if (userKeycloak.getEmail() != null) {
        user.setEmail(userKeycloak.getEmail());
    }
    user.setCredentials(Arrays.asList(credential));

    // keycloak (the admin client) and realmProperties are fields of the enclosing class
    RealmResource realmResource = keycloak.realm(realmProperties.getRealm());
    UsersResource usersResource = realmResource.users();
    return usersResource.create(user);
}
Best Regards,
--
---
*Celso Agra*
7 years, 7 months
User sessions not ending upon automatic logout
by Kyle Swensson
Hello,
I am having an issue with refresh tokens while using keycloak with the
Tomcat adapter. I'm using Keycloak 2.3.0 and Tomcat 7
The issue arises when I authenticate with keycloak as a basic user using
tomcat. When this happens a session is started for my basic user, which I
believe means that I am given a refresh token. Then, I navigate to the
Keycloak Admin Console page on a different window. Since I am authenticated
as a basic user, since Keycloak uses SSO it will try to automatically log
my current user into the Admin Console, but it will fail since my basic
user is not configured to be able to use the admin console. After it fails,
Keycloak "logs out" my current user because I don't have permissions to
access the admin console.
The problem is that this "logout" that Keycloak just did doesn't end the
basic user's session for some reason, and thus it doesn't invalidate their
refresh token. This is a problem because it means that if I go back to my
basic user's application, even though keycloak supposedly logged me out, I
can still use the refresh token to get more access tokens for the
application, and thus continue using the application as normal even though
I'm not technically logged in. Worse still, the logout functionality ceases
to work because since Keycloak thinks my user isn't logged in, telling
Keycloak to log my user out doesn't work. This makes it so that the only
way to actually invalidate my current refresh token is by going to "My
Account" as the basic user, and ending all current sessions for them.
It's worth noting that this *only* happens when the basic user is
automatically logged out when Keycloak tries to sign it in to the admin
console automatically. For example, if I have the admin console window open
before I log my basic user in, and then while I am logged in with my basic
user I log in normally to the admin console with a different user, Keycloak
will successfully log out my basic user and end their session, invalidating
their refresh token, like it should.
I'm wondering if this is an actual bug with Keycloak, or if this is just
being caused by some user error on my side, because I can't really figure
out a workaround for this issue. One potential workaround that I have found
is enabling "Revoke Refresh Token" in the "Tokens" tab of the "Realm
Settings" section of the Keycloak admin console, however this is making my
application run quite strangely, and I'm not certain why.
If upgrading to Keycloak 3.0 would fix the problem I can do that, however
it will likely be a fair bit of work so I don't really want to upgrade
unless I'm certain it will fix the problem.
7 years, 7 months
Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services
by Nirmal Kumar
Hello Keycloak,
I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.
I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
FLOW:
-------
Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app.
// Deserialize the delegated GSSCredential that Keycloak stored for this user
GSSCredential deserializedGssCredential =
    org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,
    deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
As I am a bit of a newcomer to the GSS API I cannot figure out how to use the GSSCredential to call other kerberos-secured services, which in my case are Hive Server 2 via JDBC and HDFS.
Is there some reference or examples that I can refer to and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?
Many Thanks,
-Nirmal
7 years, 7 months
Understanding Offline Tokens
by Mike Hills
Hi All,
I need to implement offline tokens (
https://keycloak.gitbooks.io/documentation/content/server_admin/topics/se...)
for a number of our REST services.
I followed the instructions provided and it seems to work well. I do have a
couple of questions to confirm my approach please.
1. The generated offline refresh token is used to return a valid token
using the grant_type of refresh_token. Does this mean that the
refresh_token call must be made each time (assuming previous token has
timed out)?
2. Is it best practice to hand out the same token for each client that
needs to authenticate against the service or create a new client for each
client service?
Any help is appreciated,
Regards,
mike
--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills(a)sematree.com
Skype : mhills_sematree
7 years, 7 months
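Added example for the first question above (it is not Keycloak's client library): a small client that keeps the access token until `expires_in` is nearly used up and only then sends the refresh_token grant with the offline token, so the token endpoint is called once per access-token lifetime rather than once per request. The token endpoint is injected as a callable so the block runs offline; `FakeTokenEndpoint`, the client id `reporting-service` and the token strings are constructed stand-ins for the realm's `protocol/openid-connect/token` endpoint.

```python
import time


class OfflineTokenClient:
    """Caches one access token and refreshes it with the offline refresh token only when needed."""

    LEEWAY = 30  # refresh this many seconds before expires_in runs out, to avoid races

    def __init__(self, token_endpoint, client_id, offline_refresh_token, clock=time.time):
        self._endpoint = token_endpoint          # callable taking the form fields of the token request
        self._client_id = client_id
        self._refresh_token = offline_refresh_token
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0
        self.refresh_calls = 0                   # observable, so the caching can be checked

    def access_token(self):
        """Return a usable access token, hitting the token endpoint only when the cached one is stale."""
        if self._access_token is None or self._clock() >= self._expires_at - self.LEEWAY:
            self._refresh()
        return self._access_token

    def _refresh(self):
        resp = self._endpoint({
            "grant_type": "refresh_token",
            "client_id": self._client_id,
            "refresh_token": self._refresh_token,
        })
        self.refresh_calls += 1
        self._access_token = resp["access_token"]
        self._expires_at = self._clock() + float(resp["expires_in"])
        # Keycloak returns the offline token again as refresh_token; keep whatever comes back
        self._refresh_token = resp.get("refresh_token", self._refresh_token)


class FakeTokenEndpoint:
    """Constructed stand-in for the realm token endpoint; only for running this example offline."""

    def __init__(self, valid_offline_token, expires_in=300):
        self._valid = valid_offline_token
        self._expires_in = expires_in
        self.counter = 0

    def __call__(self, form):
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self._valid:
            raise PermissionError("invalid_grant")
        self.counter += 1
        return {"access_token": "at-%d" % self.counter, "expires_in": self._expires_in,
                "refresh_token": self._valid, "token_type": "bearer"}


def demo():
    """Drive the client with a fake clock: two calls inside the lifetime share one token."""
    now = [1_500_000_000.0]
    endpoint = FakeTokenEndpoint("offline-token-xyz", expires_in=300)
    client = OfflineTokenClient(endpoint, "reporting-service", "offline-token-xyz",
                                clock=lambda: now[0])
    first = client.access_token()     # no token yet: refresh_token grant is sent
    now[0] += 100
    second = client.access_token()    # still valid: served from cache
    now[0] += 200                     # now past expires_in - LEEWAY: refreshed again
    third = client.access_token()
    return {"first": first, "second": second, "third": third,
            "refresh_calls": client.refresh_calls}


if __name__ == "__main__":
    print(demo())
```

The offline token itself never leaves the client process except in the refresh request, which is why it should be stored with the same care as a password: whoever holds it can mint access tokens until the realm revokes the offline session.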
backchannel logout, Logout-all-sessions as user
by Jan Bartosz
Hi,
My concern is about logging 'logout-all-sessions' action as a user. I see
AdminEvent is raised in case admin invokes it.
I assume it was done by purpose - is there some rule/specification behind,
like "backchannel logouts shouldn't be exposed to the outside world"?
Is there a way I can create some provider/broker/... maybe aspect, or
extend some behaviour to catch this backchannel-logout?
Many Thanks in advance!
7 years, 7 months
Multiple tenants in a single realm
by Shanon Levenherz
Hi there,
I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants ( their customers ) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to eg. administer the users or create a sub group for a new tenant.
Something like this:
REALM
|
|- User 1 (user-admin role)
|
|- Tenant 1 Group
| |
| |- User 1.1 (user-admin role)
| |- User 1.2
| |- …
| |- User 1.n
|
|- Tenant 2 Group
| |
| |- User 2.1 (user-admin role)
| |- User 2.2
| |- …
| |- User 2.n
| |
| |- Tenant 3 Group
| |
| |- User 3.1 (user-admin role)
| |- User 3.2
| |- …
| |- User 3.n
From the above we’re looking for:
* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3
I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea. A better alternative might be that each group has an
>"user-admin" role. If a user has the "user-admin" role of the group, it
>can administer users in that group and assign roles defined in that
>group. One thing to really think about is, what about sub-groups. Can
>an admin of the parent group administer sub groups?
This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.
Disclaimer: I’m new to Keycloak so maybe am misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help.
Thank you!
Best,
Shanon
7 years, 7 months
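Added example (not Keycloak's own authorization code) that models the group tree from the post and answers the sub-group question Bill Burke raises: each group carries its own `user-admin` holders, and an admin of a parent group may also administer users in its sub-groups, which is the rule the post's requirements imply (User 2.1 administering Tenants 2 and 3). The user and group names are the post's, written as constructed identifiers; Keycloak does not ship this per-group semantics, so treat it as a model of the desired policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    members: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)   # holders of this group's "user-admin" role
    children: List["Group"] = field(default_factory=list)

    def add_child(self, child):
        child.parent = self
        self.children.append(child)
        return child

    def walk(self):
        """Yield this group and every descendant, depth first."""
        yield self
        for child in self.children:
            yield from child.walk()

    def lineage(self):
        """Yield this group and then each ancestor up to the realm root."""
        group = self
        while group is not None:
            yield group
            group = group.parent


def group_of(root, user):
    """The group a user belongs to (each user sits in exactly one group in the post's tree)."""
    for group in root.walk():
        if user in group.members:
            return group
    return None


def can_administer(root, admin, target):
    """True if `admin` holds user-admin on the target's group or on any group above it.
    Assumed rule from the post: admin rights flow down to sub-groups, never up or sideways."""
    group = group_of(root, target)
    if group is None:
        return False
    return any(admin in g.admins for g in group.lineage())


def administrable_users(root, admin):
    """Every user `admin` may manage, i.e. what a tenant-scoped admin UI would list."""
    users = set()
    for group in root.walk():
        if admin in group.admins:
            for sub in group.walk():
                users |= sub.members
    return users


def build_realm():
    """Constructed tree matching the post: Tenant 3 is a sub-group of Tenant 2."""
    realm = Group("REALM", members={"user-1"}, admins={"user-1"})
    realm.add_child(Group("Tenant 1", members={"user-1.1", "user-1.2"}, admins={"user-1.1"}))
    tenant2 = realm.add_child(Group("Tenant 2", members={"user-2.1", "user-2.2"}, admins={"user-2.1"}))
    tenant2.add_child(Group("Tenant 3", members={"user-3.1", "user-3.2"}, admins={"user-3.1"}))
    return realm


if __name__ == "__main__":
    realm = build_realm()
    for admin in ("user-1", "user-1.1", "user-2.1", "user-3.1", "user-1.2"):
        print(admin, "->", sorted(administrable_users(realm, admin)))
```

The check walks up from the target's group rather than down from the admin's, so a user who is moved to another tenant immediately stops being manageable by the old tenant's admin, and a user in no group is manageable by nobody except through the realm root.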