June 2017 - keycloak-user - Jboss List Archives

Password policy for the last used passwords

by Sarp Kaya

Hello, My keycloak configuration has password policy enabled for all users and it also has the Not Recently Used part specified to some number. I have a simple use case: 1. I create user 2. I set a password for this user 3. I delete this user I repeat this step again, with the same username and password and I get an error on 2nd step which is "Invalid password: must not be equal to any of last x passwords.” The problem is, I can only have this error on admin API, if I do it on the admin UI then I don’t get it. Now obviously if it was the same “user” it would make sense, but since I delete this username and create a new user, which has different user ID; then I would expect it to behave differently. I am using Keycloak 3.1.0 and Java adapter which has 3.1.0 as well. The below are the code 1. Creating user: keycloak.realm(usersRealm).users().create(someUserRepresentation); 2. Resetting password of the user: CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation(); representation.setTemporary(false); representation.setType(PASSWORD); representation.setValue(password); UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId); userResource.resetPassword(passwordCredRepresentation); 3. Deleting the user: keycloak.realm(usersRealm).users().delete(keycloakId)) I definitely know that delete user works because once I run this, I don’t see any user and when I run create user code, I can see a user account with different ID. My question is, is this intentional or a bug? If it is intentional, then how can I clear user’s password history? I tried looking that up in admin api but could not find any call. Thanks, Sarp

9 years

2
1
0 / 0

Implementing Keycloak on Android

by Raquel Júdez Bello

Hi everyone, I am having trouble finding libraries to implement a Keycloak client for Android. So far, I have found AppAuth and Androgear in keycloak.org, but I am not convinced about their simplicity. Has anyone implemented a simple client for Android? Thank you very much. -- Raquel Júdez.

9 years

6
6
0 / 0

Same user with multiple sessions/tokens?

by rafterjiang

Hello, I am using Keycloak openID endpoint to retrieve access token from keycloak server using Direct Access Grant mode. I found each time a NEW request is made using SAME user account/credential, Keycloak returns a *NEW *access token. (So I can see the same user with multiple sessions) In this way, I am not sure if a refresh token is still needed, because we can basically get a new token for each request and NOT care about the expiration? Is this expected? Is same user supposed to have many access tokens? Is there any potential issues to work in this way? thanks, R -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Same-user-with-multiple-sessions... Sent from the keycloak-user mailing list archive at Nabble.com.

9 years

2
1
0 / 0

Kerberos Credential Delegation : Using GSSCredential to call other kerberos-secured services

by Nirmal Kumar

Hello Keycloak, I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end. I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great. FLOW: ------- Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate and then the browser uses GSS-API to load the user's Kerberos ticket from ticket cache of the form Authorization: Negotiate YII. This works perfectly fine and I am authenticated via Kerberos and landed up in my web app. GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential); // Create GSSContext to call other kerberos-secured services GSSContext context = gssManager.createContext(serviceName, krb5Oid,deserializedGssCredential, GSSContext.DEFAULT_LIFETIME); As I am a bit new comer to GSS API I cannot figure out how to use GSSCredential to call other kerberos-secured services which in my case is Hive Server 2 via JDBC and HDFS. Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS? Many Thanks, -Nirmal ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

9 years

1
0
0 / 0

Key Rotation for SAML client

by Muein Muzamil

Hi all, We have a business use case, where we'll have a realm with 50+ SAML clients configured and we want to update the SAML key for the realm (either for security reason or the certificate got expired), I was reading following section but it seems mostly focused on OIDC.Can someone please share how does KeyCloak handle this for SAML? Important thing to realize is, we cannot imagine our customer to update realm certificate in all 50+ service providers at the same time. https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/key... Regards, Muein

9 years

3
3
0 / 0

Re: [keycloak-user] Questions about OpenID Connect Identity Provider

by Christie, Marcus Aaron

Hi Sebastian, Thanks, this looks perfect for my use case. Thanks again, Marcus On Jun 1, 2017 2:25 AM, "Schuster Sebastian (INST/ESY1)" <Sebastian.Schuster(a)bosch-si.com> wrote: Hi Marcus, Both should be possible. For 1) have a look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id... and for 2) look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id... Best regards, Sebastian Mit freundlichen Grüßen / Best regards Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn > -----Original Message----- > From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user- > bounces(a)lists.jboss.org] On Behalf Of Christie, Marcus Aaron > Sent: Mittwoch, 31. Mai 2017 21:19 > To: keycloak-user(a)lists.jboss.org > Subject: [keycloak-user] Questions about OpenID Connect Identity Provider > > Hello, > > I have two questions about Identity Provider configuration in Keycloak. > > 1) I would like to add an Identity Provider and then have this be the only option > available to the user for authentication. Is there a way to disable the > username/password authentication and not show it on the login screen? > > 2) Is there a way to redirect to Keycloak and have it immediately redirect to an > Identity Provider? As an example, let’s say I have two Identity Providers, Google > and Facebook. In my web application I know that the user wants to log in via > Google so I want to redirect to Keycloak and tell Keycloak to select the Google > Identity Provider and redirect to it immediately. Maybe something like my web > application redirects to keycloak like so: > > https://mykeycloak.org/auth/realms/myrealm/protocol/openid- > connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&s > elected_identity_provider=google > > and then mykeycloak.org<http://mykeycloak.org> immediately redirects to > Google. For the user they don’t see the Keycloak page. > > Is there any functionality like the in Keycloak? > > > Thanks, > > Marcus > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

9 years

1
0
0 / 0

How to assign a role at registration?

by mark

I have a number of client roles - how can I programmatically set/assign a particular role when a user registers with Keycloak?

9 years

2
1
0 / 0

Questions about OpenID Connect Identity Provider

by Christie, Marcus Aaron

Hello, I have two questions about Identity Provider configuration in Keycloak. 1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen? 2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let’s say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to keycloak like so: https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?r... and then mykeycloak.org<http://mykeycloak.org> immediately redirects to Google. For the user they don’t see the Keycloak page. Is there any functionality like the in Keycloak? Thanks, Marcus

9 years

3
3
0 / 0

How does a bearer only client validate

by Pulkit Gupta

Hi All, I have two keycloak client one is a public client using implicit flow and authenticating the user via a redirect and then once the user is authenticate the client receives a token. This token is then passed to a REST based backend service which validate it before providing access to the API data. I am looking for more information on how does a bearer only client validates the token which it receives from the JavaScript based public client. I will also be interested to understand more about the relationship of these two clients based on scope to make this setup work -- PULKIT

9 years

2
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2017