Provider + Entity SPI + hot redeploy = exception
by Dmitry Telegin
Hi,
I've got a provider using the Entity SPI. If I hot redeploy it, I get
the following exception upon the first access to my custom entity:
20:37:54,227 ERROR [io.undertow.request] (default task-10) UT005023:
Exception handling request to /auth/realms/master/beer:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: java.lang.IllegalArgumentException:
Type specified for TypedQuery
[beercloak.models.jpa.entities.BeerEntity] is incompatible with query
return type [class beercloak.models.jpa.entities.BeerEntity]
Full stacktrace: https://pastebin.com/i6jXfQMY
Seems like upon redeployment JPA entity classes are not unloaded, and
Hibernate keeps using them, while the reloaded provider code uses newly
loaded classes. Is there anything we can do about it?
Dmitry
7 years, 4 months
Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted)
by Jason Spittel
Apparently my formatting was lost. So I'm reposting this in a more readable format:
Hello,
I'm having difficulty completing a logout.
SETUP:
JEE webapp to keycloak to IdP (ADFS (SAML))
WORKFLOW:
1) On logout in the webapp
externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true");
2) User is sent to ADFS letting them know they have successfully logged out.
3) However, there is still a keycloak user session alive (seen in the admin console)
4) Hitting a protected resource in the webapp lets user in without having to log back in.
Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262:
    String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
    if (brokerId != null) {
        IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
        Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
        if (response != null) return response;
    }
    return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers);
I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method to clear the keycloak user session.
But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly?
Thanks,
Jason
7 years, 4 months
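The symptom described in the post above (the application says the user is logged out while a Keycloak user session is still visible in the admin console) can be checked and cleaned up from the server side. The following is an added example, not code from the post or from Keycloak: it uses only the Python standard library and Keycloak's admin REST API to list a user's live SSO sessions after an application logout and, if any linger, to invalidate them. The base URL (`http://localhost:8080/auth`, the `/auth` prefix used elsewhere on this page), the master-realm admin account and the `KC_*` environment variable names are assumptions.

```python
# Added example (not code from the post above or from Keycloak itself): after the
# application-side logout, ask Keycloak's admin REST API whether the user's SSO
# session is really gone, and invalidate it server-side if it lingers.
# Assumptions: Keycloak served under http://localhost:8080/auth, an admin account
# in the master realm, and a realm name / user id supplied by the caller.
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE = os.environ.get("KC_BASE", "http://localhost:8080/auth")


def _http(method, url, body=None, token=None, form=False):
    """Minimal stdlib HTTP call; returns (status, decoded JSON or None)."""
    data, headers = None, {}
    if body is not None:
        if form:
            data = urllib.parse.urlencode(body).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def admin_token(base, username, password, http=_http):
    """Password grant against the master realm's built-in admin-cli client."""
    status, body = http("POST", f"{base}/realms/master/protocol/openid-connect/token",
                        {"grant_type": "password", "client_id": "admin-cli",
                         "username": username, "password": password}, form=True)
    if status != 200 or not body or "access_token" not in body:
        raise RuntimeError(f"token request failed with status {status}")
    return body["access_token"]


def lingering_sessions(base, realm, user_id, token, http=_http):
    """Return a summary of the user's live Keycloak SSO sessions.

    An empty list means the logout completed on the Keycloak side; anything
    else is the "session still alive in the admin console" symptom.
    """
    status, sessions = http("GET", f"{base}/admin/realms/{realm}/users/{user_id}/sessions",
                            token=token)
    if status != 200:
        raise RuntimeError(f"session lookup failed with status {status}")
    return [{"id": s["id"], "ip": s.get("ipAddress"),
             "clients": sorted((s.get("clients") or {}).values())} for s in sessions or []]


def force_logout(base, realm, user_id, token, http=_http):
    """Server-side remediation: invalidate every session of the user (Keycloak answers 204)."""
    status, _ = http("POST", f"{base}/admin/realms/{realm}/users/{user_id}/logout", token=token)
    return status == 204


if __name__ == "__main__":
    # usage: python check_logout.py <realm> <user-id>
    # admin credentials are read from KC_ADMIN_USER / KC_ADMIN_PASS (assumed names)
    realm, user_id = sys.argv[1], sys.argv[2]
    tok = admin_token(BASE, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASS"])
    left = lingering_sessions(BASE, realm, user_id, tok)
    print(f"{len(left)} session(s) still open: {left}")
    if left and force_logout(BASE, realm, user_id, tok):
        print("sessions invalidated via admin API")
```

Run it right after the application's `?GLO=true` redirect completes: a non-empty list confirms that the SSO session survived the brokered logout, and the `force_logout` call is the same "Logout all sessions" action the admin console offers, so it is a safe stop-gap while the logout flow itself is being fixed.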
Automatically logging in after performing an Update Password
by John D. Ament
Hi,
Based on the Required Actions guide (
https://keycloak.gitbooks.io/documentation/server_admin/topics/users/requ...)
we've implemented a custom required action that acts a lot like Update
Password (it performs a few other sync items for us). One of our needs is
to automatically log the user in to their destination application upon
setting this password. This was working for us in 3.1 by creating a custom
template that was rendered upon the completion of the Update Password
action that forwarded the user to our application and set the necessary
cookies.
This no longer works in 3.2. We believe it has to do with the ability to
reuse required action links. Before, the link was one time use so it was
only working once, however our need is to make those links work unlimited
times until consumed. By setting a new challenge to the user after
updating their password, the token is no longer being marked as consumed
and the link remains working.
So I was wondering, what other ways could we achieve this behavior? It
sounds like a challenge isn't the right approach.
John
7 years, 4 months
Widget For Embedding in Single Page App
by Brandon Dale Koepke
Hello,
I was hoping to duplicate this functionality with Keycloak: https://auth0.com/docs/libraries/lock/v10/ui-customization#primarycolor-s.... (I want a single-page app ideally where the user can register without being forwarded to a separate page.)
Auth0 has a nice API for both logging in **and** registering users so everything can be done from a single page app on the client side. Login seems to be supported fully and easily from an API with Keycloak using frontend only code but registering users doesn’t seem to be so simple.
In order to do this with Keycloak, it seems that I have a few options.
(1) Embed the Keycloak login/register page in an iframe and theme the login/registration page. (I’m certain there are vulnerabilities I’m introducing by taking this route, CSRF?)
(2) Create another separate backend API that has an admin token for registering users. Then you post a JSON describing the user to a ‘/register’ endpoint. (Secure I think but wasteful of resources… Also introduces an additional failure point.)
(3) Capture the required fields and POST them using the same format as a client would when using the regular Keycloak registration page. (Seems like I have to do some interesting fetching in order to get an authorization token for the login here as well, at least according to the pcap I generated. Would really like to avoid doing this if possible.)
(4) Create a limited admin user (or client?) that can only create users and nothing more. Pass login information for this user through the frontend and use that user on the frontend to make the admin API calls for registering users. (Difficult to make secure? Seems strange that I would be exposing an admin/client secret to the frontend, but as long as it is possible to lock it down enough that the user can’t be used for anything else then I think this is roughly equivalent to how the Keycloak page works anyway. Unless I’m missing something important?)
(5) Variant of (2), create a new plugin for Keycloak that has the required ‘/register’ API without authenticating users. (Seems like this would already exist if it was possible to do securely.)
(6) Have Keycloak resolve to a subdomain on my main server, that way even though it isn’t seamless users won’t be redirected to a different domain entirely. (If possible I would like to avoid this since auth0 seems to have solved it.)
Is there something better than any of these? If not, which options are still secure and which would you recommend?
At the end of the day I would like something similar to the login/registration page for Buffer: https://www.buxfer.com[1]. A modal window opens with a create account option, my ideal login/registration flow would be similar.
Any word on this would be greatly appreciated.
Links:
1. https://www.buxfer.com/
7 years, 4 months
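Option (2) in the post above keeps the admin credential on the server, and the part that decides whether it is actually secure is what the server forwards. The following is an added example, not code from the post or from Keycloak: the validation and forwarding logic of such a registration endpoint, written so that the browser-supplied JSON is reduced to a fixed whitelist of fields before it becomes a Keycloak user representation. Passing the client's JSON straight through to the admin API would let a caller add keys such as `realmRoles`, `groups` or `attributes` and have them honoured. Assumptions: Keycloak under `http://localhost:8080/auth`, a realm name, and an admin access token obtained elsewhere, ideally for a confidential client whose service account holds only the `realm-management` client's `manage-users` role rather than a full admin account.

```python
# Added example, not code from the post above or from Keycloak: the server-side
# half of option (2). The admin token stays on the server, and only a whitelisted,
# validated user representation is forwarded to Keycloak's admin REST API.
# Assumptions: Keycloak under http://localhost:8080/auth, a realm name, and an
# admin access token obtained elsewhere (KC_* variable names are assumed).
import json
import os
import re
import urllib.error
import urllib.request

BASE = os.environ.get("KC_BASE", "http://localhost:8080/auth")
REALM = os.environ.get("KC_REALM", "demo")

# Only these keys from the browser are honoured; anything else in the JSON
# (realmRoles, groups, attributes, requiredActions, ...) is rejected rather
# than forwarded, so a caller cannot grant itself anything.
ALLOWED_FIELDS = {"username", "email", "firstName", "lastName", "password"}
REQUIRED_FIELDS = {"username", "email", "password"}
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 12


class RegistrationError(ValueError):
    """Raised for any input the proxy refuses to forward."""


def build_user_representation(form):
    """Turn an untrusted form body into the Keycloak UserRepresentation to create."""
    if not isinstance(form, dict):
        raise RegistrationError("body must be a JSON object")
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise RegistrationError(f"unexpected fields: {sorted(unexpected)}")
    missing = REQUIRED_FIELDS - set(form)
    if missing:
        raise RegistrationError(f"missing fields: {sorted(missing)}")
    username = str(form["username"]).strip().lower()
    email = str(form["email"]).strip()
    password = str(form["password"])
    if not USERNAME_RE.match(username):
        raise RegistrationError("invalid username")
    if not EMAIL_RE.match(email):
        raise RegistrationError("invalid email")
    if len(password) < MIN_PASSWORD_LEN or password.lower() == username:
        raise RegistrationError("password too weak")
    rep = {
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": False,
        "requiredActions": ["VERIFY_EMAIL"],  # built-in Keycloak required action
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }
    for key in ("firstName", "lastName"):
        if key in form:
            rep[key] = str(form[key]).strip()[:255]
    return rep


def _post_json(url, body, token):
    """POST with a bearer token; returns (status, response headers as a dict)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def register(form, admin_token, post=_post_json, base=BASE, realm=REALM):
    """Validate, then create the user with the server-held admin token.

    Keycloak answers 201 with a Location header for the new user and 409 when
    the username or email is already taken; `post` is injectable for testing.
    """
    rep = build_user_representation(form)
    status, headers = post(f"{base}/admin/realms/{realm}/users", rep, admin_token)
    if status == 201:
        return {"ok": True, "location": headers.get("Location")}
    if status == 409:
        return {"ok": False, "reason": "username or email already in use"}
    raise RegistrationError(f"keycloak returned HTTP {status}")
```

The whitelist is the security control here: `build_user_representation` rejects unknown keys instead of ignoring them, so a request carrying `realmRoles` fails loudly and shows up in logs. The endpoint that wraps `register` still needs the usual abuse controls (TLS, rate limiting, and the same CAPTCHA or email-verification step the stock registration page would enforce), since it is reachable without authentication by design.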
Unexpected ForbiddenException on createClient with 3.2.0.Final
by Stephane Granger
Hi,
since upgrading to 3.2.0.Final, my client is not able to create clients in
a realm it just created. This was working before with 3.1.0.Final and
earlier versions as well.
I wrote a small program to demonstrate the problem.
Before running the program, you'll need to add the "testClient" to the
master realm with:
Protocol: openid-connect
Access type: confidential
You will need to modify the code to change the CLIENT_SECRET constant to
match your environment. You'll also need to change the keycloak.version
property in the pom.xml to match the version you're testing against.
When running with 3.2.0.Final, we get the following:
14:50:28,552 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-48) RESTEASY002005: Failed executing POST
/admin/realms/testRealm/clients: org.keycloak.services.ForbiddenException
at
org.keycloak.services.resources.admin.permissions.ClientPermissions.requireManage(ClientPermissions.java:248)
at
org.keycloak.services.resources.admin.ClientsResource.createClient(ClientsResource.java:164)
With 3.1.0.Final, the "testClient" is created successfully in the new
testRealm.
Stephane
7 years, 4 months
Upgrading from 2.5.4 to 3.2.0
by Matt Evans
Hi
We're looking to upgrade keycloak from 2.5.4 to 3.2.0, but I noticed in the liquibase changesets that in the 3.2.0 JPA changelog the column OFFLINE_CLIENT_SESSION has been deleted from the OFFLINE_CLIENT_SESSION table.
My question is how will 2.5.4 handle that column missing if we update the schema first? I've tested this scenario in our environment and it seems to work, but we don't request offline tokens. Will that be enough to ensure that we won't get failures because of the missing column?
Thanks
Matt
7 years, 4 months
Problem with email verification expiration time
by Antonia Nicolaou
Hello,
I am using the single sign on service from Red Hat v7.1 and I need to change the
email verification expiration time from 5 minutes to 24 hours. I did it by
changing the 'Login action timeout' to 1 day. The text in the email
verification was changed to '1440 minutes', but the link still expires in
5 minutes.
Could anyone help me?
Thank you in advance
7 years, 4 months
where does the tomcat client adapter save the session
by Yizhou Jiang(Yizhou)
Hi,
I have two questions:
1. Where does the tomcat client adapter store the user session?
When a user has logged into an application protected by a tomcat client adapter, there is only "JSESSIONID=E1EAC81E52C97DD64FFB4C13A1231996" in the cookie.
But when I restart tomcat, the user can still log in to the application using the cookie. Obviously the session isn't stored in the memory of tomcat, so where does the tomcat client adapter store the user session?
2. Are there any settings for the policy enforcer that can let unauthenticated users access some resources in an application protected by a tomcat client adapter?
Setting the enforcement-mode to "DISABLED" still requires the user to be authenticated:
    "policy-enforcer": {
        "enforcement-mode": "PERMISSIVE",
        "paths": [
            {
                "path": "/public/*",
                "enforcement-mode": "DISABLED"
            }
        ]
    }
thanks ,
yizhou
7 years, 4 months
Is there a way to tell which protocolMappers are active for a client using kcadm.bat/sh?
by Adrian Madaras
Hi everyone,
I am using the kcadm.bat to create clients. Everything works well until the part with the "protocolMappers". Is there a command in kcadm.bat which can assign and activate the "protocolMappers" ("Mappers" in the client tab of the U.I.) for my specific client?
I couldn't find any reference to this point online. Theoretically there should be a variable in the protocolMapper, like isActive=true, that tells the client to send the following mappers in the response, but currently there is none.
This is what a current protocolMapper contains (this is active in the U.I. by the way):
    "protocolMappers" : [ {
        "id" : "e41c6882-da3f-4f95-b5e4-9c584615fb1e",
        "name" : "X500 givenName",
        "protocol" : "saml",
        "protocolMapper" : "saml-user-property-mapper",
        "consentRequired" : true,
        "consentText" : "${givenName}",
        "config" : {
            "attribute.nameformat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "user.attribute" : "firstName",
            "friendly.name" : "givenName",
            "attribute.name" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
        }
    }, { ........... THE REST OF THE MAPPERS ...............} ]
As you can see there is no attribute which tells us that this mapper is active for this client. I think there is only a table in the DB that marks this, but this is kind of odd given that I can create a client but not attribute mappers to it.
Am I missing something?
Thanks,
Adrian
7 years, 4 months
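A mapper that appears in a client's `protocolMappers` array is bound to that client and is applied whenever Keycloak issues an assertion or token for it; the representation has no separate "active" flag, which is why the post above finds none. That makes the array itself the thing to audit: it states exactly which user data each client receives. The following is an added example, not code from the post or from Keycloak: a small audit helper that takes a client representation (as returned by `kcadm.sh get clients/<id> -r <realm>` or the admin REST API), lists what each attached SAML mapper releases and from where, and flags releases outside an agreed allow-list. The first mapper in the sample is the one quoted in the post; the other two, the client id and the allow-list are constructed.

```python
# Added example, not code from the post above or from Keycloak: an audit helper
# that reads a client representation and reports what each bound protocol
# mapper releases into the SAML assertion. The first mapper is quoted from the
# post; the other two mappers, the clientId and the allow-list are constructed.
SAMPLE_CLIENT = {
    "clientId": "example-saml-sp",
    "protocol": "saml",
    "protocolMappers": [
        {   # quoted from the post
            "id": "e41c6882-da3f-4f95-b5e4-9c584615fb1e",
            "name": "X500 givenName",
            "protocol": "saml",
            "protocolMapper": "saml-user-property-mapper",
            "consentRequired": True,
            "consentText": "${givenName}",
            "config": {
                "attribute.nameformat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "user.attribute": "firstName",
                "friendly.name": "givenName",
                "attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            },
        },
        {   # constructed: a custom user-attribute mapper
            "id": "00000000-0000-0000-0000-000000000002",
            "name": "department",
            "protocol": "saml",
            "protocolMapper": "saml-user-attribute-mapper",
            "consentRequired": False,
            "config": {"user.attribute": "department", "attribute.name": "department",
                       "attribute.nameformat": "Basic"},
        },
        {   # constructed: the built-in role list mapper
            "id": "00000000-0000-0000-0000-000000000003",
            "name": "role list",
            "protocol": "saml",
            "protocolMapper": "saml-role-list-mapper",
            "consentRequired": False,
            "config": {"attribute.name": "Role", "single": "true"},
        },
    ],
}

# Keycloak SAML mapper types that copy user data into the assertion, and where
# that data comes from; any other type is reported as not carrying user data.
SOURCE_OF = {
    "saml-user-property-mapper": lambda cfg: "user property " + cfg.get("user.attribute", "?"),
    "saml-user-attribute-mapper": lambda cfg: "user attribute " + cfg.get("user.attribute", "?"),
    "saml-role-list-mapper": lambda cfg: "role memberships",
}


def attribute_releases(client_rep):
    """One entry per mapper bound to the client, in the order Keycloak lists them."""
    out = []
    for m in client_rep.get("protocolMappers", []):
        cfg = m.get("config", {})
        kind = m.get("protocolMapper", "")
        out.append({
            "mapper": m.get("name"),
            "type": kind,
            "source": SOURCE_OF.get(kind, lambda c: "(not user data)")(cfg),
            "released_as": cfg.get("attribute.name"),
            "consent_required": bool(m.get("consentRequired", False)),
        })
    return out


def unexpected_releases(client_rep, allowed_attribute_names):
    """Names of mappers releasing an attribute that is not on the agreed allow-list."""
    return [r["mapper"] for r in attribute_releases(client_rep)
            if r["released_as"] not in allowed_attribute_names]


if __name__ == "__main__":
    for r in attribute_releases(SAMPLE_CLIENT):
        print(f'{r["mapper"]:<16} {r["source"]:<26} -> {r["released_as"]} '
              f'(consent required: {r["consent_required"]})')
    print("outside allow-list:", unexpected_releases(SAMPLE_CLIENT, {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "Role"}))
```

Running the same check over every client exported from a realm gives a per-client inventory of released attributes that can be diffed against what each service provider was approved to receive, which is the audit question behind "is this mapper active".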
New Event Type
by Geadah, Nicolas (VEC)
We are in the process of customizing the browser login and self-registration flows. As part of the customization, we will require new "events" to be created for audit purposes. Is it possible to create new event types that can be retrieved in keycloak's built-in admin console - or is the list of events supported by keycloak a predefined set that cannot be extended?
Thank you!
7 years, 4 months