Issue with public client and javascript adapter
by Gaétan Collaud
Hi,
I'm unable to connect to my public client using the javascript adapter.
I configured a public client (access-type=public).
I used the customer-app-js
<https://github.com/keycloak/keycloak/tree/3.3.x/examples/demo-template/cu...>
demo template. When I try to use my public client, I'm redirected to the
login page, nothing wrong with that. Then when I'm back to the js app I
receive a HTTP 400 bad request on this call:
/auth/realms/PortalRealm/protocol/openid-connect/token. The content is:
{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT:
Client was not identified by any client authenticator"}
In the logs I can see:
vpdev-keycloak | 11:50:00,767 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-60)
AUTHENTICATE CLIENT
vpdev-keycloak | 11:50:00,767 TRACE
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-60)
Using executions for client authentication:
[424c67b0-60b3-4063-a1b7-7ae7cbd4c90a, 6ec7a8eb-6fa2-4307-8f70-fbc845205210]
vpdev-keycloak | 11:50:00,767 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-60)
client authenticator: client-secret
vpdev-keycloak | 11:50:00,767 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-60)
client authenticator: client-jwt
vpdev-keycloak | 11:50:00,768 WARN [org.keycloak.events] (default task-60)
type=CODE_TO_TOKEN_ERROR, realmId=ea8dbfe4-21c1-4af5-8ec0-488317b62ccf,
clientId=morphean-public, userId=null, ipAddress=172.19.0.4,
error=invalid_client_credentials, grant_type=authorization_code
I searched for this CODE_TO_TOKEN_ERROR message on the web but no luck so
far.
Has somebody experienced the same issue? Am I missing something? I use
Keycloak 3.2.1-FINAL.
Best regards,
Gaetan
PS: I tried with a confidential client and it works, but it says
everywhere that the secret should be kept hidden (this is why I wanted to use a
public client).
7 years, 3 months
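As an added example (not part of the original post and not Keycloak's code), the Python below models the client-authentication step that the log above shows running at the token endpoint: the "client-secret" execution identifies the client either from HTTP Basic credentials or from a client_id form parameter, accepts a public client on identification alone, and checks the secret of a confidential one. The client registry, the confidential client's secret and every error string except the UNKNOWN_CLIENT message quoted above are constructed; the model is simplified and does not claim to reproduce Keycloak's exact logic.

```python
"""Added example (not from the original post and not Keycloak's code): a
simplified model of the client-authentication step a token endpoint runs on
the authorization_code exchange, mirroring the "client-secret" execution in
the log above. The client registry and all requests are constructed sample
data; only the UNKNOWN_CLIENT message is taken from the thread."""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed registry: one public and one confidential client.
CLIENTS: Dict[str, dict] = {
    "morphean-public": {"public_client": True},
    "morphean-confidential": {"public_client": False, "secret": "example-secret"},
}

# The only message taken verbatim from the thread.
UNKNOWN_CLIENT = "UNKNOWN_CLIENT: Client was not identified by any client authenticator"


def basic_header(client_id: str, secret: str) -> str:
    """Build an HTTP Basic header the way RFC 6749 section 2.3.1 wants it:
    form-url-encode each half, join with ':', then Base64."""
    token = base64.b64encode(f"{quote(client_id)}:{quote(secret)}".encode()).decode()
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, secret) from a Basic header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, secret = decoded.split(":", 1)
    return unquote(client_id), unquote(secret)


def authenticate_client(body: str, authorization: Optional[str] = None) -> dict:
    """Model of the client-secret authenticator for one token request.

    Identification comes from Basic credentials or the client_id form field.
    A public client is accepted once identified (it has no secret to check);
    a confidential client must also present a matching secret.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    basic = parse_basic_auth(authorization)
    client_id = basic[0] if basic else form.get("client_id")
    if not client_id:
        # Nothing in the request names a client: the symptom from the thread.
        return {"ok": False, "error": "unauthorized_client", "error_description": UNKNOWN_CLIENT}
    client = CLIENTS.get(client_id)
    if client is None:
        return {"ok": False, "error": "invalid_client", "error_description": "client not registered"}
    if client["public_client"]:
        return {"ok": True, "client_id": client_id, "mode": "public"}
    secret = basic[1] if basic else form.get("client_secret")
    if secret != client["secret"]:
        return {"ok": False, "error": "unauthorized_client", "error_description": "invalid client secret"}
    return {"ok": True, "client_id": client_id, "mode": "confidential"}


def code_exchange_body(client_id: str, code: str, redirect_uri: str) -> str:
    """Body a browser-side public client should POST: it has no secret, so the
    client_id form parameter is the only thing that identifies it."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})


if __name__ == "__main__":
    # No client_id and no Basic header: the same unauthorized_client/UNKNOWN_CLIENT pair as above.
    print(authenticate_client("grant_type=authorization_code&code=abc&redirect_uri=http%3A%2F%2Flocalhost%2Fapp"))
    # The public client named in the body is accepted without any secret.
    print(authenticate_client(code_exchange_body("morphean-public", "abc", "http://localhost/app")))
```

A body that carries only grant_type, code and redirect_uri reproduces the thread's error; adding client_id (as code_exchange_body() does) is what lets a public client through, which is exactly what a browser adapter has to rely on since it cannot hold a secret.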
Logout error ("Success" + HTTP 500!?)
by Pieter Lukasse
Hi,
I am currently getting a strange error when trying to log out from my
application. The logout request is as follows (HTTP 200 code):
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="http://localhost:8081/auth/realms/test/protocol/saml"
ID="a370b54ee2i7g6j9275jbg40185b154"
IssueInstant="2017-09-13T11:22:04.100Z"
Version="2.0"
>
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">cbioportal</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#a370b54ee2i7g6j9275jbg40185b154">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>nKZrPGrsLZeR6xSgg0+xQ3dCg90=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>pieter(a)thehyve.nl</saml2:NameID>
<saml2p:SessionIndex>2ce54b83-67c1-40fd-850d-947b29c721be</saml2p:SessionIndex>
</saml2p:LogoutRequest>
Which is replied with (HTTP 500 code!?):
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://localhost:8081/auth/realms/test/protocol/saml"
ID="ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98"
InResponseTo="a370b54ee2i7g6j9275jbg40185b154"
IssueInstant="2017-09-13T11:22:04.156Z"
Version="2.0"
>
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/auth/realms/test</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>HMgEFe5f6mGdIlCwg8BRHif4JW8k7MLs+5V8j9BUwuE=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>...</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>Yp3AF_Lz-EdxjwDdCJGk3dmvU9ZsWQE3SfV8pdT9OOQ</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>...</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>...</dsig:Modulus>
<dsig:Exponent>...</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
</samlp:LogoutResponse>
So the reply states "Success" while at the same time it returns HTTP
500 (Internal Server Error). Is this a known bug? Or am I doing
something wrong?
This is the log on the server side:
13:21:19,378 WARN [org.keycloak.protocol.saml.SamlService] (default
task-13) Unknown saml response.
13:21:19,380 WARN [org.keycloak.events] (default task-13)
type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_token
13:22:04,205 WARN [org.keycloak.protocol.saml.SamlService] (default
task-20) Unknown saml response.
13:22:04,206 WARN [org.keycloak.events] (default task-20)
type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_token
Thanks,
Pieter
www.thehyve.nl
We empower scientists by building on open source software
7 years, 3 months
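As an added example (not part of the original post and not Keycloak or cBioPortal code), here is a Python consistency check an SP can run over a LogoutRequest/LogoutResponse pair before trusting the outcome, applied to abbreviated copies of the two messages posted above (signature values and KeyInfo elided). The SP logout URL passed to check_logout_exchange() is an assumption made for the example; the IdP entity ID is the Issuer of the posted response. Two things visible in the posted messages get flagged: the response's Destination is the realm's own SAML endpoint rather than an SP URL, and the request is signed with rsa-sha1 over a SHA-1 digest. Use defusedxml rather than the standard-library parser for XML that really arrives off the wire.

```python
"""Added example (not from the original post, not Keycloak or cBioPortal code):
checks an SP can run on a SAML LogoutRequest/LogoutResponse pair. The two
documents are abbreviated copies of those posted above; the SP logout URL used
in __main__ and the tests is an assumption."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

LOGOUT_REQUEST = """<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="http://localhost:8081/auth/realms/test/protocol/saml"
  ID="a370b54ee2i7g6j9275jbg40185b154" IssueInstant="2017-09-13T11:22:04.100Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">cbioportal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#a370b54ee2i7g6j9275jbg40185b154">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>nKZrPGrsLZeR6xSgg0+xQ3dCg90=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
  </ds:Signature>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pieter(a)thehyve.nl</saml2:NameID>
  <saml2p:SessionIndex>2ce54b83-67c1-40fd-850d-947b29c721be</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""

LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="http://localhost:8081/auth/realms/test/protocol/saml"
  ID="ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98" InResponseTo="a370b54ee2i7g6j9275jbg40185b154"
  IssueInstant="2017-09-13T11:22:04.156Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/auth/realms/test</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98">
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>...</dsig:SignatureValue>
  </dsig:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def _text(el, path):
    found = el.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_logout_message(xml_text: str) -> dict:
    """Pull the fields that matter for the exchange check out of either message.
    Prefixes differ between the two (saml2p/samlp, ds/dsig); matching is by namespace."""
    root = ET.fromstring(xml_text)
    _, _, local = root.tag.partition("}")  # "{uri}LocalName"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest_method = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {
        "kind": local,
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "issuer": _text(root, "saml:Issuer"),
        "name_id": _text(root, "saml:NameID"),
        "session_index": _text(root, "samlp:SessionIndex"),
        "status": status.get("Value") if status is not None else None,
        "sig_alg": sig_method.get("Algorithm") if sig_method is not None else None,
        "digest_alg": digest_method.get("Algorithm") if digest_method is not None else None,
    }


def check_logout_exchange(request_xml, response_xml, sp_logout_url, idp_entity_id):
    """Return a list of findings; empty means the response is consistent with the
    request, addressed to us, issued by the expected IdP, and free of SHA-1."""
    req, resp = parse_logout_message(request_xml), parse_logout_message(response_xml)
    findings = []
    if resp["kind"] != "LogoutResponse":
        findings.append(f"expected a LogoutResponse, got {resp['kind']}")
    if resp["in_response_to"] != req["id"]:
        findings.append(f"InResponseTo {resp['in_response_to']!r} does not match request ID {req['id']!r}")
    if resp["issuer"] != idp_entity_id:
        findings.append(f"Issuer {resp['issuer']!r} is not the expected IdP {idp_entity_id!r}")
    if resp["destination"] != sp_logout_url:
        findings.append(f"Destination {resp['destination']!r} is not the SP logout URL {sp_logout_url!r}")
    if resp["status"] != SUCCESS:
        findings.append(f"status is {resp['status']!r}, not Success")
    for label, msg in (("request", req), ("response", resp)):
        for alg in (msg["sig_alg"], msg["digest_alg"]):
            if alg in SHA1_ALGORITHMS:
                findings.append(f"{label} signature uses SHA-1 algorithm {alg}")
    return findings


if __name__ == "__main__":
    # Assumed SP logout URL; the IdP entity ID is the Issuer from the posted response.
    for f in check_logout_exchange(LOGOUT_REQUEST, LOGOUT_RESPONSE,
                                   "http://localhost:8080/cbioportal/saml/SingleLogout",
                                   "http://localhost:8081/auth/realms/test"):
        print("-", f)
```

The check deliberately stops short of verifying the XML signatures themselves; that belongs to the SAML library with the IdP's certificate pinned, and a status of Success should only be acted on once the signature over the response has been verified, whatever HTTP status came with it.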
Creating a federated user via REST API creates an incorrect entry in the CREDENTIAL table
by Rainer-Harbach Marian
Hi everyone,
about two weeks ago I stumbled upon a phenomenon which I believe to be a
bug in Keycloak. The error occurs when creating a new user via the REST
API in a realm configured with LDAP user federation: The user is created
in LDAP, but without a password -- instead, Keycloak creates an entry
for the user in its internal CREDENTIAL database table.
When the user later changes their password, Keycloak writes the new
password to LDAP, but keeps the old entry in the CREDENTIAL table. The
user can then still only log in with the old password.
I created a Jira ticket for this problem:
https://issues.jboss.org/browse/KEYCLOAK-5383
It would be very helpful to us if someone could check whether they can
reproduce the problem (maybe we are doing something wrong?) and, if it's
indeed a bug in Keycloak, give an estimate of when it might be fixed.
The bug is a blocker in our project to deploy Keycloak for about 100k users.
Thanks,
Marian
7 years, 3 months
Consent Page -- OIDC/OAuth2
by Mailvaganam, Hari
Hi List:
Have a bit of flow question --- hopefully succinctly described below.
Workflow: Triggered by 3rd party application (Service Provider) --- User will be authenticating via KeyCloak ---- and consent page displayed with list of attributes to be released to Service Provider (however, the data is served by API on another application --- MuleSoft).
Question: Can KeyCloak generate consent page --- with list of attributes – based on APIs that the Service Provider has access on MuleSoft (APIs protected by KeyCloak's OAuth2)?
Best regards,
Hari
7 years, 4 months
Re: [keycloak-user] Please suggest [keycloak help]
by Pedro Igor Silva
Marek is probably the best person to answer your questions :)
On Tue, Sep 12, 2017 at 11:24 AM, Priyadarshan Cindula <
priyadarshan.cindula(a)qolsys.com> wrote:
>
> Hi Silva,
>
>
> Please suggest us how to do session replication or failover mechanism for
> our domain cluster setup of keycloak.
>
>
> It's highly urgent.
>
>
> Please help.
>
>
> Also for the users forum:
>
>
> Anyone let us know the following things:
>
>
>
> 1) We have domain cluster setup - master and slaves - all sharing a
> master DB postgresql
>
> 2) Can we have session replication strategies that will work if any slave
> is down and session continuation shall happen
>
> 3) Can we know about how to handle session management dynamically
>
>
>
> Thanks and Regards,
>
>
> Priyadarshan
>
7 years, 4 months
OTP Policy updates not reflects at Google Authenticator
by Eswara Akurathi
Dear all,
We are running into a weird problem: updates to the OTP policy do not
reflect in the Google Authenticator app. We wonder whether any special
instructions are needed to get this working.
A sequence of steps :
1) create realm, create user
2) enable OTP
3) login with the newly created user
4) system asks you to configure OTP
5) update OTP policy such as number of digits from 6 to 8
6) try login again
7) system asks you to enter OTP but authentication fails
We expect the system to route the user to the configure-OTP page rather
than prompting for an OTP that fails anyway.
Your response is highly appreciated !!!
Thanks in advance
Regards
Krishna Kumar Akurathi
7 years, 4 months
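As an added example (not part of the original post and not Keycloak's code), the Python below implements RFC 6238 TOTP and shows the arithmetic behind step 7: the digit count, period and algorithm are baked into the otpauth URI the app scanned at enrollment and never re-read, so an app enrolled for 6 digits keeps producing 6-digit codes, and a verifier now configured for 8 digits rejects every one of them until the user re-enrolls (or the server keeps the parameters per credential). The secret and timestamps are the RFC 6238 test-vector values, not anything from the thread.

```python
"""Added example (not from the original post and not Keycloak's code): RFC 4226
HOTP / RFC 6238 TOTP, used to show why changing the digit count after
enrollment breaks verification. Secret and timestamps are RFC 6238 test-vector
values, constructed for the demonstration."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, digits: int = 6, period: int = 30, algorithm: str = "sha1", at=None) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // period), digits, algorithm)


def verify_totp(secret: bytes, code: str, digits: int = 6, period: int = 30,
                algorithm: str = "sha1", look_around: int = 1, at=None) -> bool:
    """Server-side check: constant-time compare against the current step and
    look_around neighbours on each side. A code of the wrong length can never
    match, which is what an 8-digit policy does to a 6-digit app."""
    if len(code) != digits or not code.isdigit():
        return False
    now = time.time() if at is None else at
    step = int(now // period)
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-look_around, look_around + 1))


def otpauth_uri(secret: bytes, issuer: str, account: str, digits: int = 6,
                period: int = 30, algorithm: str = "sha1") -> str:
    """The URI behind the enrollment QR code. The app copies digits, period and
    algorithm from here once; a later server-side policy change does not reach it."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={period}")


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    T = 59  # test-vector timestamp: step 1
    app_code = totp(SECRET, digits=6, at=T)          # what the enrolled app shows
    print("app (6 digits):", app_code, "verifies under 6-digit policy:",
          verify_totp(SECRET, app_code, digits=6, at=T))
    print("same code under 8-digit policy:", verify_totp(SECRET, app_code, digits=8, at=T))
    print("server now expects:", totp(SECRET, digits=8, at=T))
    print("re-enrollment URI:", otpauth_uri(SECRET, "PortalRealm", "alice", digits=8))
```

Note that the 8-digit code for a step is the 6-digit code with two more leading digits of the same truncated value, so the app's code is not merely "wrong" but of a length the verifier will never accept; the only recovery is re-enrollment with a QR code that carries the new parameters.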
Password related features for federated users
by Ilya Korol
Hi. I've got some questions about enabling password-related features
(policies, OTP ...) for users that come from UserStorageProviders.
Currently we integrated custom UserStorageProvider:
- read-only
- ability to update password via implementing CredentialUpdater
- existing realm roles population to user during extraction from
federated storage
I've dug into the Keycloak sources and found out that some policies (password
history, for example) rely on a special SPI which holds persistent data for
the mentioned features. So the question is: is it possible to somehow
utilize these features for federated users? Are there any examples? What
about OTP for federated users?
7 years, 4 months
DataBase connectivity requirements
by Ilya Korol
Hi. Recently we were trying to move Keycloak storage from H2 to Oracle
on our test environment and faced some troubles. Our test DB instance is
situated in a different office and is available over a VPN connection with
a ping of about 200-400 ms. We made some preliminary actions (create schema,
populate it with keycloak-update.sql ...). So during startup everything
was ok except a quite long DB data initiation (master realm etc.). I
successfully logged in as master realm admin. The UI works with little freezes.
The problem was when I tried to create a new realm. The page in the browser was
showing loading, then the UI showed a timeout-error popup. A few seconds later I
tried to create the new realm again and then got an exception in the logs
(something related to "transaction was rolled back"). It seems that's all
because of ping delays during DB requests. The "new realm" operation is
not a single composite DB request but a sequence of small requests
created by Hibernate. Am I right?
So the question is: are there any strong requirements on DB connectivity
for Keycloak? Or maybe we can do some customization to adapt to this
case?
7 years, 4 months
Getting complete SAML assertion without using private modules
by James .
Hello,
I'm using JBoss EAP 7.0.0 and I'm trying to access the complete SAML assertion XML. I used org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil and org.keycloak.dom.saml.v2.assertion.AssertionType, however the classes were not being found so I had to create a jboss-deployment-structure.xml with modules
org.keycloak.keycloak-saml-core-public and org.keycloak.keycloak-saml-core. Full source is in https://github.com/TownCube/keycloak/blob/towncube-adfs/examples/saml/red...
However in doing this I now have two warnings when I start the application:
WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.saml-redirect-signatures-adfs.war" is using a private module ("org.keycloak.keycloak-saml-core-public:main") which may be changed or removed in future versions without notice.
WARN [org.jboss.as.dependency.private] (MSC service thread 1-5) WFLYSRV0018: Deployment "deployment.saml-redirect-signatures-adfs.war" is using a private module ("org.keycloak.keycloak-saml-core:main") which may be changed or removed in future versions without notice.
Is there a better way to get the full assertion which doesn't require the use of private modules?
Thanks,
James.
7 years, 4 months
Nodejs adapter - session object not persisting redirect_uri
by Robert Parker
Hi,
I am trying to use the nodejs adapter with my express application and I am encountering issues when the adapter tries to exchange my user's authorization code for an access token.
I have been debugging the calls made from the adapter library, and can see after the user has been authorised, an obtainFromCode function is invoked in the grant-manager module (keycloak-auth-utils\lib\grant-manager.js) and in particular there is the following line of code present:
redirect_uri: request.session ? request.session.auth_redirect_uri : {}
Adding a breakpoint to this, I can see a session object is present on the request object, but there is no auth_redirect_uri property present.
This ends up sending an empty redirect_uri param in the POST request being made to my keycloak server, and I get back an invalid_code error. I can replicate the same behaviour if I make the requests using Postman, and can fix and get an access token back if I set to the correct redirect_uri as configured against my client in the keycloak admin portal.
I can see in the initial request sent out when first authorising the user that this contains a redirect_uri query string param also.
I have my node express application using a mongoDB session store (using express-session), so am using the same store when configuring keycloak with my express app instance. I followed the example in the keycloak-nodejs-connect library here<https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/i...>
Can anyone suggest what may be going on for me here, why this redirect_uri is not being set on the session object so it can be read by the Node.js adapter library?
Thanks
* Rob
________________________________
Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd
Cardiff
CF10 3DD
+44 (0) 2922 331860
Robert.Parker(a)weareACT.com
www.weareACT.com<http://www.weareact.com>
Registered in England : 04476799
________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales).
The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.
Please consider the environment before printing this email.
________________________________
7 years, 4 months