Tomcat 8 mod_proxy authentication error
by Jim Tyrrell
Team,
JavaScript via a bearer token in a React app works fine to hit a URL that is configured in Tomcat to be protected: tomcat.server/somepath/somepath/test.jsp
The issue comes in when I try to log in to the same URL that a bearer token works for, and I get in the tomcat log an error message of:
25-Aug-2017 13:12:03.253 ERROR [ajp-nio-8009-exec-10] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode status from server: 404
If I am logged into the react app and try to hit the protected URL, I get a browser error of too many redirects when hitting the protected Tomcat URL.
Googling around seems like I am practically the first one to see this issue.
Nothing in the server server.log of the keycloak server.
Configs are in tomcat:
keycloak.json
{
  "realm": "myapp",
  "realm-public-key": "${truncated}",
  "auth-server-url": "https://someurl/auth",
  "ssl-required": "external",
  "resource": "customer-portal",
  "enable-basic-auth": "true",
  "credentials": {
    "secret": "some secret"
  },
  "use-resource-role-mappings": "false"
}
In the server.xml of Keycloak I have made the following changes from the docs:
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/>
<https-listener name="default-ssl" socket-binding="https" security-realm="UndertowRealm"/>
<ajp-listener name="ajpListener" socket-binding="ajp"/>
<socket-binding name="proxy-https" port="443"/>
In my ajp.conf for mod_proxy I have this setup:
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
ProxyPass /auth ajp://auth.someurl.com:8009/auth
ProxyPassReverse /auth ajp://auth.someurl.com:8009/auth
I assume something isn't right in this setup, but who knows.
Thank You
Jim
7 years, 4 months
FW: Keycloak security question.
by Jose Carlos Moral Cuevas
Hi!!
I'm a new Keycloak user. I have a question about security configuration in keycloak.
My keycloak server is on the Internet; it must authenticate the users who access my applications, which are on the Internet too. My problem is that the keycloak server publishes by default the URL https://[domainserver]:8443/auth/version/ on the Internet without authentication; this could be an information leak for me and could be used by hackers to exploit vulnerabilities.
The same problem is with the URLs:
· https://[domainserver]:8443/auth/realms/master/
· https://[domainserver]:8443/auth/js/3.2.0.cr1
· https://[domainserver]:8443/auth/js/3.2.0.cr1/keycloak.js
The question is: Could I configure keycloak so that these pages are not public by default? I need to block access to these pages.
On the other hand, I need to change the main page redirection: "/" or "/auth" --> Welcome-page. I need to change this main page because I would like to allow access only to the "/auth/admin" interface and block the others.
I hope you can help me.
Regards,
José Carlos Moral.
________________________________
CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.
7 years, 4 months
move the authenticator setup from the user profile to the administration
by Antoine Delaunay
Hello,
How do I prevent an intruder who knows the user's password from resetting the user's authenticator secret and capturing the new value? It seems that allowing this negates the added value of the 2FA system.
Is my understanding of the system incorrect?
If not, I could go for a solution where, once the authenticator is set up, it cannot be deleted without an admin action.
I could also envision the 2FA setup being a face-to-face operation involving the user going over to the admin desk with their phone.
I thought I would ask here before hacking away at the source code.
Sincerely,
--
Antoine Delaunay
7 years, 4 months
Problems when trying to retrieve access token using nodejs oidc adapter
by Robert Parker
Hi,
I am facing an issue using the keycloak-nodejs-connect adapter in my project.
The issue surfaces after the adapter authenticates the user account I have set up and receives a code, and then attempts to exchange this code for an access token.
The adapter sends back an 'access denied' response, and in the keycloak logs I see an error as follows:
09:55:44,116 WARN [org.keycloak.events] (default task-28) type=CODE_TO_TOKEN_ERROR, realmId=Actora, clientId=actora-test, userId=null, ipAddress=192.168.132.45, error=invalid_code, grant_type=authorization_code, code_id=c454ec60-6f07-4229-8a48-f0fa126609e4, client_auth_method=client-secret
Watching the browser calls that are made, after initial login to get the user's code value, I see the redirect back to my main web application along with callback query param:
http://localhost:5001/?auth_callback=1&state=cd0dd57d-59b6-45e4-a51e-22f4...
So for the code, I can see that the code param in the callback contains the code_id value referenced in my keycloak error log mentioned further above: c454ec60-6f07-4229-8a48-f0fa126609e4
I am assuming the long code value prefixed with the 'uss.' part gets decoded by keycloak to extract the value it needs?
I have debugged through the adapter library locally to see how it's performing the calls, and oddly I have found that in keycloak-auth-utils\lib\grant-manager.js a fetch function is called with options set for a POST request. The promise in this fetch function gets rejected because the status code returned from the keycloak server is a 400 Bad Request.
I don't know what else to do here, I have re-read the getting started section on the keycloak documentation and I can't see any obvious setup steps I have missed.
Can someone offer any clues as to what may be going on here please?
Thanks
Rob
________________________________
Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd
Cardiff
CF10 3DD
+44 (0) 2922 331860
Robert.Parker(a)weareACT.com
www.weareACT.com<http://www.weareact.com>
Registered in England : 04476799
________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales).
The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.
Please consider the environment before printing this email.
________________________________
7 years, 4 months
Bookmarking keycloak login pages
by Matt Evans
We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
This doesn't work because the bookmark they have contains time-sensitive information, e.g. the nonce and state. So they can authenticate correctly, but when redirected to the application it fails.
Is there anything that can be done for this situation? I thought perhaps of including the information as POST body parameters and doing a POST rather than redirecting with query string parameters, but this doesn't work: POST is not an accepted HTTP method. Also, I assume that returning there from a bookmark won't work either, because that POST body information will be missing...
Matt
7 years, 4 months
CODE_TO_TOKEN_ERROR - Could not obtain grant code error
by Robert Parker
Hi,
I have just started using keycloak and am using the nodejs adapter which I have configured and have my client application being redirected to the keycloak login screen.
When attempting to log in I am seeing a 'Could not obtain grant code error' in my express server log, and in our keycloak server log I see the following:
12:07:12,341 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=client-test, userId=xxx, ipAddress=xxx.xxx.xxx.xx, error=invalid_code, grant_type=authorization_code, code_id=13f4c40b-667c-4750-a19e-d21219736c12, client_auth_method=client-secret
We are making use of the authorization code flow, and I think I am correct in believing the first step of authenticating the user is completing as I see cookies are being set for AUTH_SESSION_ID, KEYCLOAK_SESSION and KEYCLOAK_IDENTITY.
The error I am seeing gets invoked when a GET request is made back to my client application with an auth_callback querystring:
http://localhost:5001/?auth_callback=1&state=05eda0dd-2a51-4b68-b87e-8777...
I can see a code param is present here, part of which contains the code_id referenced in the keycloak log: 13f4c40b-667c-4750-a19e-d21219736c12
I haven't come across anything in the docs, when I started setting up my realm\client\users, that mentions anything about these codes. Have I possibly missed a configuration step?
Thanks
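Both of Robert Parker's threads above stall at the same step: the adapter posts the code from the callback to the token endpoint and Keycloak answers 400 with a CODE_TO_TOKEN_ERROR / invalid_code event. As an added example (not code from the keycloak-nodejs-connect adapter, from Keycloak, or from the posts), here is a minimal JavaScript handler for that callback-and-exchange step with the checks that decide whether it succeeds; authServerUrl, realm, client, redirect_uri and the sample callback values are constructed.

```javascript
// Added example, not code from keycloak-nodejs-connect or Keycloak: a minimal
// authorization-code callback handler showing the checks that matter when the
// CODE_TO_TOKEN step fails. Names and sample values are constructed.

// Constructed callback URL shaped like the one quoted in the post.
const SAMPLE_CALLBACK =
  'http://localhost:5001/?auth_callback=1' +
  '&state=11111111-2222-3333-4444-555555555555' +
  '&code=uss.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.ffff';

// Step 1: extract code and state; the state must equal the value stored in
// the user's session before the redirect (CSRF protection).
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  if (!code || !state) throw new Error('callback missing code or state');
  if (state !== expectedState) throw new Error('state mismatch');
  return { code, state };
}

// Step 2: build the token request. redirect_uri must exactly equal the value
// sent in the authorization request; Keycloak reports a differing value, or a
// code presented a second time, as error=invalid_code with HTTP 400.
function buildTokenRequest(cfg, code) {
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
  });
  return {
    url: `${cfg.authServerUrl}/realms/${cfg.realm}/protocol/openid-connect/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Step 3: keep the server's error and error_description from a non-200 reply
// instead of collapsing everything to 'access denied'.
function classifyTokenResponse(status, json) {
  if (status === 200 && json.access_token) return { ok: true, tokens: json };
  return { ok: false, status, error: json.error || 'unknown', description: json.error_description || '' };
}

// Runs the exchange; fetchImpl is injectable (global fetch or a test double).
async function exchangeCode(req, fetchImpl) {
  const res = await fetchImpl(req.url, { method: 'POST', headers: req.headers, body: req.body });
  return classifyTokenResponse(res.status, await res.json());
}
```

Logging the `error` and `description` fields from the 400 reply next to the server-side CODE_TO_TOKEN_ERROR event is usually enough to tell a reused code from a redirect_uri mismatch.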
7 years, 4 months
Avoiding creating a new session when doing a prompt=login
by John D. Ament
Hi
I have a use case where I need to prompt a user to enter credentials during
a sequence of events. In this case, we're using keycloak's login screen to
capture the information and triggering it via the javascript adapter.
Doing a prompt=login has an unfortunate side effect: the existing session
gets rewritten. This causes the adapter to begin failing, as the refresh
token and access token are no longer valid. It seems that there's no way to
reinitialize the iframe after this occurs, and I'm not sure that's the best
way to do it.
Is there any way to have keycloak not create a new session in this flow?
John
7 years, 4 months
3.2.0 won't start if an LDAP is misconfigured
by Nathan Hoult
I am trying to start KC but the LDAP account password changed so it won't
start:
14:16:17,839 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (pool-6-thread-1) Could not query server using DN [not important] and filter [not important]: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:547)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:636)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:629)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:226)
at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:198)
at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:164)
at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:175)
at org.keycloak.storage.ldap.LDAPStorageProvider.loadLDAPUserByUsername(LDAPStorageProvider.java:725)
at org.keycloak.storage.ldap.LDAPStorageProvider.loadAndValidateUser(LDAPStorageProvider.java:429)
at org.keycloak.storage.ldap.LDAPStorageProvider.validate(LDAPStorageProvider.java:153)
at org.keycloak.storage.UserStorageManager.importValidation(UserStorageManager.java:245)
at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:301)
at org.keycloak.models.jpa.session.JpaUserSessionPersisterProvider.loadUserSessions(JpaUserSessionPersisterProvider.java:208)
at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.loadSessions(OfflineUserSessionLoader.java:61)
at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70)
at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
I tried making the host resolve to 127.0.0.1 so it would fail to connect
but it still refused to start. So it seems if LDAP goes down or is
misconfigured then KC won't start even if I could log in locally or through
an identity provider?
I tried:
1) disabling user and Realm cache
2) looking on the internet for some way to disable LDAP or a Realm
temporarily
3) still looking in the code to see if there is a startup parameter I could
pass it to take another path
Any help to get my KC back up so I can update the password would be
appreciated.
Thanks,
- Nathan
7 years, 4 months
Regarding Keycloak IDP Initiated Logout for SAML client
by Jitendra Chouhan
Hi,
I am using Keycloak 3.1.0.Final and have configured a HANA 2.0 system as a
SAML client. I want to test Keycloak IDP-initiated logout for the HANA
client, but I am not seeing any option in the Keycloak settings for it. I can
see only "IDP Initiated SSO URL Name", but the same feature is not there for
SLO. I referred to the sample SAML examples provided as part of the keycloak
distribution; they do not use the SAML IDP-initiated flow for login and logout.
How can I achieve SLO for the SAML client in the case of IDP-initiated SAML?
Please let me know for any other information regarding this.
Thanks,
Jitendra Chouhan
7 years, 4 months
sso timeouts ??
by java_os
I am using Standard Flow Enabled with javascript adapter connecting to
rest bearer-only apis.
SSO Session Idle is set to 2h. The user is using the app, and it redirects to
the login page before 2h is reached.
Does anyone here know what the right realm setting is if I want to have a user
working on an SSO session for a number of hours?
I guess I don't fully understand Token Lifespan vs SSO Session timeout and
which one rules, etc.
7 years, 4 months