KeyCloak poses no login challenge
by shimin q
I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https://<my server ip>/rtna2, it went straight to the web app.
1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/
2 - rtna2 app is deployed under tomcat webapps/
3 - modify rtna2/META-INF/context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/rtna2" debug="0" privileged="true" >
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
4 - add keycloak.json under rtna2/WEB-INF:
{
  "realm": "rtna",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
  "auth-server-url": "https://135.112.180.27:8666/auth",
  "ssl-required": "external",
  "resource": "rtna2",
  "public-client": true
}
5. modify rtna2/WEB-INF/web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <!-- Default page to serve -->
  <module-name>rtna2</module-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rtna2</web-resource-name>
      <url-pattern>/rtna2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rtna</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>sudo</role-name>
  </security-role>
</web-app>
I have tried "<auth-method>KEYCLOAK</auth-method>" also; it does not work.
6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:
client id: rtna2
Access type: public (tried "confidential" also)
Authorization enabled: on ("off" also)
Root URL: https://135.112.180.27/rtna2
Valid Redirect URLs: https://135.112.180.27/rtna2/*
Base URL: https://135.112.180.27/rtna2
Admin URL: https://135.112.180.27/rtna2
Web Origins: https://135.112.180.27/rtna2/*
I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!
What could possibly be wrong? Please advise! Thanks!!
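A check worth running on a web.xml like the one above, added here as an example and not part of the post: servlet url-patterns are matched against the path inside the web app's own context, so a pattern of "/rtna2/*" in an app deployed at context "/rtna2" only covers "/rtna2/rtna2/..." and leaves the rest of the app unprotected. The script below parses a trimmed, constructed copy of that web.xml, reports url-patterns that repeat the context path, reports constraints without an auth-constraint, and reports an auth-method other than the KEYCLOAK value the Keycloak Tomcat adapter documents. The sample XML and the finding texts are mine.

```python
# Added example (not from the post above): audit a servlet web.xml for a
# security-constraint that cannot match. url-patterns are relative to the
# web app context, so "/rtna2/*" inside context "/rtna2" protects nothing
# a normal request hits. Also checks <auth-constraint> and <auth-method>.
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the web.xml from the post.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rtna2</web-resource-name>
      <url-pattern>/rtna2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rtna</realm-name>
  </login-config>
</web-app>
"""


def _strip_namespaces(root):
    """Drop '{uri}' prefixes so namespaced and DTD-style web.xml files are handled alike."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_web_xml(xml_text, context_path):
    """Return {'patterns', 'auth_method', 'findings'} for the given web.xml text."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    ctx = context_path.rstrip("/")
    patterns, findings = [], []
    for sc in root.iter("security-constraint"):
        for up in sc.iter("url-pattern"):
            pattern = (up.text or "").strip()
            patterns.append(pattern)
            if pattern.startswith(ctx + "/"):
                # Never matches a real request; the intended pattern is the suffix.
                findings.append(
                    "url-pattern %r repeats the context path %r and protects nothing; "
                    "use %r" % (pattern, context_path, pattern[len(ctx):])
                )
        if sc.find("auth-constraint") is None:
            findings.append("security-constraint without auth-constraint: unauthenticated access allowed")
    node = root.find("login-config/auth-method")
    auth_method = (node.text or "").strip() if node is not None else None
    if auth_method != "KEYCLOAK":
        findings.append("auth-method is %r; the Keycloak adapter documents KEYCLOAK" % auth_method)
    return {"patterns": patterns, "auth_method": auth_method, "findings": findings}


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML, "/rtna2")["findings"]:
        print("FINDING:", finding)
```

Run it against the real WEB-INF/web.xml with the context path from context.xml; an empty findings list means the constraint actually covers the deployed paths.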
7 years, 6 months
User Attributes value length
by Matt Evans
Hi
We're using keycloak with postgresql and we've just hit a problem where one of our user attribute values is long, and it's longer than the max of the fed_user_attribute.value column, which is varchar(2024).
Was there a reason it's set to 2024? Is there a reason for me not to alter the column to a text type (or unbound varchar)?
Thanks
Matt
7 years, 6 months
Fwd: Error when session expired and ajax request execute in Keycloak?
by Adam Daduev
After login, I get into my app, and for all my ajax requests from the page to
the backing bean, I receive response 401 even if the session is still alive.
If I remove the autodetect-bearer-only option, all works fine, but I am back to
the old error:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
---------- Forwarded message ---------
From: Adam Daduev <daduev.ad(a)gmail.com>
Date: Tue, 10 Jan 2017 at 14:08
Subject: Re: [keycloak-user] Error when session expired and ajax request
execute in Keycloak?
To: <stian(a)redhat.com>
I tried, but it does not work.
Firstly, I added the autodetect-bearer-only option via the adapter subsystem; wildfly
did not start, it did not know the autodetect-bearer-only option. Then I added it via
json, wildfly started and the app was deployed.
Secondly, on my ajax request to the backing bean, I receive response 401 and
it does not happen.
This is my keycloak.json
{
"realm": "azovstal",
"auth-server-url": "http://dc09-apps-06:8090/auth",
"ssl-required": "none",
"resource": "web-test",
"public-client": true,
"use-resource-role-mappings": true,
"autodetect-bearer-only": true
}
Tue, 10 Jan 2017 at 10:19, <daduev.ad(a)gmail.com>:
Ok, I try, thanks.
On 10 Jan 2017, at 07:07, Stian Thorgersen <sthorger(a)redhat.com> wrote:
In that case take a look at the new autodetect-bearer-only option. You'll
need 2.5.0.Final for that.
On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote:
No, I have a jsf 2 app with the richfaces framework, deployed on wildfly
10.1.
On 9 Jan 2017, at 14:51, Stian Thorgersen <sthorger(a)redhat.com> wrote:
[Adding list back]
A web app redirects the user to a login page if not authenticated, while a
service should return a 401.
It sounds like what you have is a JS application with a service backend. In
Keycloak you should have two separate types of clients for that. The JS
application should be a public client, while the services a bearer-only
client.
On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Thanks for the answer.
Yes, I have a confidential client; I have a web application that asks the
Keycloak server
to authenticate a user for it. As I understand, bearer-only is for web
services clients.
Is there probably something I do not understand?
2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
Looks like your services are configured as confidential clients rather than
bearer-only and hence it is sending a login request back rather than a 401.
You should either swap your service war to be a bearer-only client or use
the new autodetect-bearer-only option in adapters if you have both web
pages and services in the same war.
On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Hi, can you help me!
When the session has expired and an ajax request executes in Keycloak, I have an error in
the browser console:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I add in Keycloak admin console, in the client setting, Web Origins=
http://localhost:8080 (or *), and enabled cors in app, but still has error
in console. I used Keycloak 2.5.0
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
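The distinction Stian draws above (a web app redirects an unauthenticated browser to the login page, a service answers 401) is what produces the CORS error: the browser follows the adapter's redirect to the auth server from an XMLHttpRequest, and the auth server does not answer cross-origin requests. The model below is an added example, not code from Keycloak or from the thread. It answers an unauthenticated request in three modes; the "autodetect" heuristics (X-Requested-With, the JSF Faces-Request header, SOAPAction, then the Accept header) are my reading of what autodetect-bearer-only does and should be checked against the adapter source for your version. The Request class, LOGIN_URL and the sample requests are constructed.

```python
# Added example (not Keycloak code): how an adapter answers an unauthenticated
# request in "web", "bearer-only" and "autodetect" modes. In autodetect mode an
# ajax/JSF-partial call gets a 401 it can handle instead of a cross-origin
# redirect to the auth server that the browser blocks with a CORS error.

# Login URL from the thread, used only as redirect target in the model.
LOGIN_URL = "http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth"


class Request:
    """Minimal stand-in for the servlet request the adapter inspects (constructed)."""

    def __init__(self, path, headers=None, authenticated=False):
        self.path = path
        self.headers = headers or {}
        self.authenticated = authenticated    # valid session or bearer token present?

    def header(self, name):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def looks_like_api_call(req):
    """True when the request should get 401 rather than a login redirect (assumed heuristics)."""
    xrw = req.header("X-Requested-With")
    if xrw and xrw.lower() == "xmlhttprequest":
        return True
    faces = req.header("Faces-Request")             # JSF/RichFaces partial (ajax) requests
    if faces and faces.startswith("partial/"):
        return True
    if req.header("SOAPAction") is not None:
        return True
    accept = req.header("Accept") or ""
    for media in accept.split(","):
        media_type = media.strip().split(";")[0]
        if media_type in ("text/html", "text/*", "*/*"):
            return False                            # a browser navigation wants HTML
    return True                                     # e.g. Accept: application/json only


def handle(req, login_url, mode, realm="web-test"):
    """Response the adapter produces; mode is 'web', 'bearer-only' or 'autodetect'."""
    if req.authenticated:
        return {"status": 200}
    if mode == "bearer-only" or (mode == "autodetect" and looks_like_api_call(req)):
        return {"status": 401, "headers": {"WWW-Authenticate": 'Bearer realm="%s"' % realm}}
    return {"status": 302, "headers": {"Location": login_url}}


if __name__ == "__main__":
    ajax = Request("/api/data", {"X-Requested-With": "XMLHttpRequest", "Accept": "application/json"})
    print("web mode:       ", handle(ajax, LOGIN_URL, "web")["status"])
    print("autodetect mode:", handle(ajax, LOGIN_URL, "autodetect")["status"])
```

The 401 path is what the page's JavaScript should act on (re-run the login flow or reload the page); a 302 to a different origin is never visible to script in a useful way.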
7 years, 6 months
How to create a Camel Route with Keycloak Admin Client in JBoss Fuse 6.3.0?
by Celso Agra
Hi all,
I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0. Everything
works fine when I run the java main class, but when I put this in JBoss
Fuse (with Karaf) I get an error, because keycloak uses
resteasy, and OSGi is totally different. So, does anyone know how to
do the same keycloak admin client configuration in this environment?
Here is my log:
javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:289)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:454)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy85.grantToken(Unknown Source)
at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy88.create(Unknown Source)
at pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloak(KeycloakAdminManager.java:64)
at pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:20)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)
at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)
at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
at org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
at org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:91)
at org.apache.camel.component.restlet.RestletConsumer$1.handle(RestletConsumer.java:68)
at org.apache.camel.component.restlet.MethodBasedRouter.handle(MethodBasedRouter.java:54)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Router.doHandle(Router.java:422)
at org.restlet.routing.Router.handle(Router.java:639)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.routing.Filter.doHandle(Filter.java:150)
at org.restlet.routing.Filter.handle(Filter.java:197)
at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
at org.restlet.Component.handle(Component.java:408)
at org.restlet.Server.handle(Server.java:507)
at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
at org.restlet.engine.connector.HttpServerHelper$1.handle(HttpServerHelper.java:64)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not find writer for content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1
at org.jboss.resteasy.core.interception.jaxrs.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40)
at org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:146)
at org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:121)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:388)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:557)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:456)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
... 70 more
Thanks for the attention.
--
---
*Celso Agra*
7 years, 6 months
Unicast
by Marc Tempelmeier
Hi,
does someone here use unicast instead of multicast to form a cluster?
If yes, I would be interested in the config :)
Best regards
Marc
7 years, 6 months
Re: [keycloak-user] clientSecret passing upon Client creation
by Marko Strukelj
While nobody can give any guarantees about the future of a community
project (as opposed to a commercial product like RH-SSO), it is reasonable
to expect that "secret" field will remain for as long as there is Admin
REST API.
There will most likely be another version of Admin REST API in the future,
but that would almost certainly be parallel to the current one.
On Wed, Jun 21, 2017 at 4:26 PM, Adam Lis <adam.lis(a)gmail.com> wrote:
> Hi!
>
> Thanks for your response.
>
> This is indeed what I needed.
>
> As far as I understand, since the 'secret' field name is present in
> ClientRepresentation in http://www.keycloak.org/
> docs-api/3.1/rest-api/index.html#_clientrepresentation - I can be sure
> that support of that field will remain in e.g. the next versions of KeyCloak?
>
> AdamLis;
>
>
>
> 2017-06-21 15:58 GMT+02:00 Marko Strukelj <mstrukel(a)redhat.com>:
>
>> Your use case is indeed rather poorly documented, and requires some
>> exploration; especially when using kcadm.sh or the Admin Client API you need to
>> also consult the Admin REST API documentation (http://www.keycloak.org/docs-
>> api/3.1/rest-api/index.html#_clientrepresentation) or directly explore
>> the code for the Admin REST endpoint (https://github.com/keycloak/k
>> eycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak
>> /services/resources/admin/ClientsResource.java#L146).
>>
>> Here's how you can set the secret for the client:
>>
>> $ cat > client.json << EOF
>> {
>> "clientId" : "test-cli",
>> "enabled" : true,
>> "clientAuthenticatorType" : "client-secret",
>> "secret" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d000"
>> }
>>
>> The keys here are the properties "clientAuthenticatorType" and "secret".
>> You can safely get away by only setting "secret" since "client-secret" is
>> the default for "clientAuthenticatorType".
>>
>> $ kcadm.sh create clients -r REALM_NAME -f client.json -i
>>
>> If you want to check the value of secret you need to perform another REST
>> call as it's not returned as part of client GET.
>>
>> $ kcadm.sh get clients/$CID/client-secret
>>
>> Which will return CredentialRepresentation (http://www.keycloak.org/docs-
>> api/3.1/rest-api/index.html#_getclientsecret):
>> {
>> "type" : "secret",
>> "value" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d737"
>> }
>>
>> Hopefully that addresses your problem.
>>
>>
>> On Tue, Jun 20, 2017 at 5:07 PM, Adam Lis <adam.lis(a)gmail.com> wrote:
>>
>>> Hi!
>>>
>>> Thanks for response.
>>>
>>> Re what I'd like to achieve: I'd like to give some people pair
>>> Client/ClientSecret so they could use my Keycloak instance. Since this
>>> instance gets recreated using config management utility very often (e.g.
>>> 5
>>> times a day), I need a functionality to be able to specify ClientSecret
>>> when "provisioning" Keycloak instance.
>>>
>>> So for my needs - export-import is not a good solution - since my server is
>>> started using the standalone.sh script as PID=1 inside a docker container. Also
>>> it would be hard to execute Export in my case, since docker container
>>> shutdown is also done by the config management system - and I'd need to start
>>> standalone.sh again with export set. BTW: when export/import is involved
>>> by
>>> migration.action - it seems strange that the main server thread is also
>>> starting.
>>>
>>> So I've read
>>> https://keycloak.gitbooks.io/documentation/server_admin/topi
>>> cs/admin-cli.html
>>> and
>>> https://keycloak.gitbooks.io/documentation/securing_apps/top
>>> ics/client-registration/client-registration-cli.html
>>>
>>> The above documents describe the process of e.g. defining new
>>> Clients.
>>> But it does not answer my question at all.
>>>
>>> So maybe once again my question: >>> Is specifying 'secret' parameter
>>> into
>>> JSON creating new Client using e.g. "kcadm.sh create clients -r
>>> REALM_NAME
>>> -f JSON_FILE.json -i" proper and supported way of passing ClientSecret
>>> value to newly created Client? <<<
>>>
>>> AdamLis;
>>>
>>>
>>> 2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel(a)redhat.com>:
>>>
>>> > You can find documentation for kcadm.sh at: https://keycloak.gitbooks.
>>> > io/documentation/server_admin/topics/admin-cli.html
>>> >
>>> > Maybe for your usecase you might also want to use kcreg.sh,
>>> documentation
>>> > for which you can find at: https://keycloak.gitbooks.
>>> > io/documentation/securing_apps/topics/client-registration/client-
>>> > registration-cli.html
>>> >
>>> > kcreg.sh is meant for use by application developers to self-provision
>>> > clients in order to integrate their apps with a Keycloak Server.
>>> >
>>> > There is also a boot time import functionality which you can use to
>>> import
>>> > the whole realm: https://keycloak.gitbooks.io/documentation/
>>> > server_admin/topics/export-import.html
>>> >
>>> > As to your question whether you can base realm / client creation on
>>> > Keycloak's export / import functionality or CLI tools the answer is -
>>> yes,
>>> > that's the idea. If you can't achieve something basic and obvious then
>>> the
>>> > tools have to be improved.
>>> >
>>> > If you can be more specific what you are trying to achieve and what
>>> > exactly you do, then I can give you more specific advice.
>>> >
>>> > Also, if you can be more specific what you were not able to find in the
>>> > documentation, we can add it or make it easier to find.
>>> >
>>> > On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis(a)gmail.com> wrote:
>>> >
>>> >> Hi!
>>> >>
>>> >> I've tried to search for this information in the documentation, but did not
>>> >> succeed.
>>> >>
>>> >> Let's assume I'm using keycloak docker container.
>>> >>
>>> >> Inside running instance I'm willing to add new Client like this:
>>> >>
>>> >> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
>>> >> FILE_CONTAINING_DEFINITION.json -i
>>> >>
>>> >> So I'm getting actual contents of JSON file for example by exporting
>>> >> existing Client (since I see no example in documentation as well)
>>> >>
>>> >> But in the export the software is not setting the 'secret' value in case
>>> >> 'clientAuthenticatorType' is set to 'client-secret'.
>>> >>
>>> >> I've anyway tried to add the 'secret' field to the JSON and it has been
>>> accepted
>>> >> by
>>> >> Keycloak - so Keycloak has created the Client with the ClientSecret value
>>> passed
>>> >> by
>>> >> the JSON file in the field named 'secret'.
>>> >>
>>> >> My question and concern is: does this functionality (setting the desired
>>> >> ClientSecret on Client creation from JSON) work the intended way? Can I
>>> base
>>> >> my
>>> >> whole Realm/Client creation solution on that functionality?
>>> >>
>>> >> A little background: I'm willing to run Keycloak deployment with
>>> docker
>>> >> container as part of configuration management - so I'm storing Realm
>>> and
>>> >> Client data in outside storage and I'm willing to pass these
>>> configuration
>>> >> pieces into newly started Keycloak inside docker container.
>>> >>
>>> >> Thanks;
>>> >> AdamLis;
>>> >>
>>> >
>>> >
>>>
>>
>>
>
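Marko's recipe above (a client.json carrying "clientAuthenticatorType" and "secret", `kcadm.sh create clients ... -i`, then `kcadm.sh get clients/$CID/client-secret` to read it back) is the part a provisioning pipeline repeats on every rebuild. The script below is an added example, not Keycloak's code and not from the thread: it builds that ClientRepresentation with a locally generated secret instead of a pasted UUID, writes client.json, assembles the two kcadm.sh commands, and checks the returned CredentialRepresentation against what was provisioned. The "publicClient" field is a real ClientRepresentation field not in Marko's example; MIN_SECRET_CHARS is my policy, not a Keycloak requirement; no kcadm.sh call is executed.

```python
# Added example (not Keycloak code): provision a confidential client with a
# known secret through kcadm.sh and verify the secret the server reports.
import hmac
import json
import secrets

MIN_SECRET_CHARS = 32   # my policy: reject short hand-typed secrets


def new_client_secret(nbytes=32):
    """URL-safe random secret; 32 bytes is 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def build_client_representation(client_id, secret):
    """ClientRepresentation fields for a confidential client with a pre-set secret."""
    if len(secret) < MIN_SECRET_CHARS:
        raise ValueError("client secret shorter than %d characters" % MIN_SECRET_CHARS)
    return {
        "clientId": client_id,
        "enabled": True,
        "publicClient": False,                        # a secret is only meaningful for a confidential client
        "clientAuthenticatorType": "client-secret",   # the default, spelled out
        "secret": secret,
    }


def write_client_json(path, representation):
    with open(path, "w") as fh:
        json.dump(representation, fh, indent=2)


def kcadm_create_command(realm, path="client.json"):
    # -i prints only the created client's id (CID), which the get call needs
    return ["kcadm.sh", "create", "clients", "-r", realm, "-f", path, "-i"]


def kcadm_get_secret_command(client_uuid):
    return ["kcadm.sh", "get", "clients/%s/client-secret" % client_uuid]


def verify_provisioned_secret(credential, expected):
    """Constant-time check of a CredentialRepresentation dict against the secret we sent."""
    return credential.get("type") == "secret" and hmac.compare_digest(
        str(credential.get("value", "")), expected)


if __name__ == "__main__":
    secret = new_client_secret()
    rep = build_client_representation("test-cli", secret)
    write_client_json("client.json", rep)
    print(" ".join(kcadm_create_command("REALM_NAME")))
    # Run the get command with the printed CID, json.loads() its output and
    # call verify_provisioned_secret(loaded, secret) before handing the pair out.
```

Keeping the generated secret out of the exported realm file and out of the command line (it travels in client.json only) is the point of the split; the verification step catches the case the thread worried about, a server version that silently ignores "secret".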
7 years, 6 months
clientSecret passing upon Client creation
by Adam Lis
Hi!
I've tried to search for this information in the documentation, but did not
succeed.
Let's assume I'm using keycloak docker container.
Inside running instance I'm willing to add new Client like this:
/opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f
FILE_CONTAINING_DEFINITION.json -i
So I'm getting actual contents of JSON file for example by exporting
existing Client (since I see no example in documentation as well)
But in the export the software is not setting the 'secret' value in case
'clientAuthenticatorType' is set to 'client-secret'.
I've anyway tried to add the 'secret' field to the JSON and it has been accepted by
Keycloak - so Keycloak has created the Client with the ClientSecret value passed by
the JSON file in the field named 'secret'.
My question and concern is: does this functionality (setting the desired
ClientSecret on Client creation from JSON) work the intended way? Can I base my
whole Realm/Client creation solution on that functionality?
A little background: I'm willing to run Keycloak deployment with docker
container as part of configuration management - so I'm storing Realm and
Client data in outside storage and I'm willing to pass these configuration
pieces into newly started Keycloak inside docker container.
Thanks;
AdamLis;
7 years, 6 months
Re: [keycloak-user] Refresh token error
by Thomas Darimont
Hi Thomas,
Great you figured this out.
Would you mind elaborating a bit about what you did with respect to
session fixation prevention?
Cheers,
Thomas
On 21.06.2017 2:55 PM, "Göttlich, Thomas" <thomas.goettlich(a)it-informatik.de> wrote:
Never mind, I found the problem (at least I think I did):
- SSO session idle: 1 minute
- Access token lifespan: 1 minute
When the access token has timed out and the application needs to refresh it
the sso session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.
Kind regards
p.p. Thomas Göttlich
-------------------------------------------------------------
Development factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich(a)it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Straße 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de
-------------------------------------------------------------
District Court Ulm: HRB 2662
Registered office: Ulm
VAT ID: DE 145567338
Managing Partner: Günter Nägele
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@
lists.jboss.org] On behalf of Göttlich, Thomas
Sent: Wednesday, 21 June 2017 13:14
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Refresh token error
Hi there,
we're currently integrating two Java server applications via Keycloak and
use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded
from the database) as well as some adjustments on session fixation
prevention and login redirect handling.
It works well so far, with one exception: when the access token times out
and needs to be refreshed, we get the following error:
- Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext]
Refresh token failure status: 400
{"error":"invalid_grant","error_description":"Refresh
token expired"}
- Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR,
realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1,
error=invalid_token, grant_type=refresh_token, client_auth_method=client-
secret
So far I could verify that the refresh token is not null so it seems to
either be invalid or the request is faulty.
For testing purposes we have set the following timeouts:
- SSO session idle: 1 minute
- SSO session max: 10 hours
- Access token lifespan: 1 minute
- Access token lifespan for implicit flow: 1 minute
The client has the following settings:
- Only standard flow enabled
- Access type: confidential
- Client protocol: openid-connect
Any idea what could cause that error or where we should look at?
Thanks in advance,
Thomas
7 years, 6 months
Refresh token error
by Göttlich, Thomas
Hi there,
we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling.
It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error:
- Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}
- Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty.
For testing purposes we have set the following timeouts:
- SSO session idle: 1 minute
- SSO session max: 10 hours
- Access token lifespan: 1 minute
- Access token lifespan for implicit flow: 1 minute
The client has the following settings:
- Only standard flow enabled
- Access type: confidential
- Client protocol: openid-connect
Any idea what could cause that error or where we should look at?
Thanks in advance,
Thomas
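The resolution in the reply above is a timing relation, not a bug: a refresh token is only honoured inside a live SSO session, so with "SSO session idle" equal to "Access token lifespan" (both 1 minute here) an idle client that refreshes after the access token has expired finds the session gone and gets invalid_grant "Refresh token expired". The following is an added example, not from the thread: a check that the two realm timeouts leave a refresh window, and a parser for the key=value form of org.keycloak.events log lines so REFRESH_TOKEN_ERROR events can be counted per realm and client. The sample log lines are constructed from the event quoted in the post; min_window_s is my choice.

```python
# Added example (not Keycloak code): sanity-check realm timeouts against the
# refresh flow and pick REFRESH_TOKEN_ERROR events out of org.keycloak.events lines.
import re

EVENT_FIELD = re.compile(r"(\w+)=([^,]*)")


def refresh_window_seconds(sso_session_idle_s, access_token_lifespan_s):
    """Seconds between access-token expiry and the earliest idle-session expiry."""
    return sso_session_idle_s - access_token_lifespan_s


def timeouts_ok(sso_session_idle_s, access_token_lifespan_s, min_window_s=30):
    """True when an idle client still has min_window_s to refresh after its token expires."""
    return refresh_window_seconds(sso_session_idle_s, access_token_lifespan_s) >= min_window_s


def parse_event(line):
    """Turn '... type=REFRESH_TOKEN_ERROR, realmId=x, error=invalid_token, ...' into a dict."""
    start = line.find("type=")
    if start < 0:
        return {}
    return {key: value.strip() for key, value in EVENT_FIELD.findall(line[start:])}


def refresh_errors(lines):
    """Events of type REFRESH_TOKEN_ERROR, for alerting on a realm whose timeouts are too tight."""
    return [event for event in map(parse_event, lines) if event.get("type") == "REFRESH_TOKEN_ERROR"]


# Constructed sample log: one successful login, then the error from the thread.
SAMPLE_LOG = [
    "13:10:02,101 INFO  [org.keycloak.events] (default task-11) type=LOGIN, "
    "realmId=our_realm, clientId=our_client, userId=constructed-user-id, ipAddress=127.0.0.1",
    "13:11:05,417 WARN  [org.keycloak.events] (default task-12) type=REFRESH_TOKEN_ERROR, "
    "realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, "
    "error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret",
]


if __name__ == "__main__":
    print("idle 60s / lifespan 60s ok:", timeouts_ok(60, 60))      # the failing setup
    print("idle 120s / lifespan 60s ok:", timeouts_ok(120, 60))    # the fix from the thread
    for event in refresh_errors(SAMPLE_LOG):
        print("refresh error in realm %s for client %s: %s" % (
            event["realmId"], event["clientId"], event["error"]))
```

"SSO session max" does not enter the check because a client hitting it is meant to re-authenticate; a burst of REFRESH_TOKEN_ERROR events right after deployment is the signature of idle and lifespan having been set too close together.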
7 years, 6 months
IDP Broker (SAML) - add LDAP attributes from ReadOnly LDAP.
by Marc Jadoul
Hello,
I am trying to configure RH SSO 7.0 (available as a container in Openshift
V3.2) to obtain attributes and roles from a read-only LDAP.
Users are authenticated using SAML, but applications do need additional
attributes.
The LDAP server has those attributes but does not provide user
authentication, which is provided by Kerberos or SAML.
Kerberos + LDAP is not really an option as it authenticates only a part of
the users of the organization, while SAML + LDAP could work for all.
I found a couple of related issues:
https://issues.jboss.org/browse/KEYCLOAK-4171
But the solutions proposed do not work for me.... Maybe because my LDAP does
not allow authentication?
I get this error:
09:13:07,510 WARN [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata, userId=null,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...
Or this one (if on first login I allow user re-authentication), but then I
am prompted for a password, which fails authentication as the LDAP does not
know my password.
09:13:07,510 WARN [org.keycloak.events] (default task-320)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId=
http://testapp.example.corp/mellon/metadata,
userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2,
ipAddress=10.0.0.20, error=invalid_user_credentials,
identity_provider=hub-i-saml2, auth_method=saml, redirect_uri=
http://testapp.example.corp/mellon/postResponse,
identity_provider_identity=testuser,
code_id=...
Is there a solution out of the box for my use case? Adding additional
information about users from an ldap connection, read-only and without
re-authentication?
Regards,
Marc
7 years, 6 months