I disabled "master" realm...now I'm stuck
by Pieter Lukasse
I disabled "master" realm...now I'm stuck. I can't find any documentation
that helps me out of this.
I already tried to enable it again, but because it is disabled it won't
allow me to enable it again (!?):
running:
./kcadm.sh update realms/master -s enabled=true --user admin --password=admin --realm master
results in:
Logging into http://localhost:8080/auth as user admin of realm master
Realm not enabled [access_denied]
www.thehyve.nl
E pieter(a)thehyve.nl
T +31(0)30 700 9713
M +31(0)6 28 18 9540
Skype pieter.lukasse
We empower scientists by building on open source software
7 years, 4 months
Question: Resource Owner Password Credentials Flow and Kerberos
by felix.straub@kaufland.com
Hello everyone,
My question is whether there is a possibility to use the Kerberos config from
Keycloak while using the ROPC flow.
Because in this flow you just send the credentials to Keycloak, and Keycloak
validates them or authenticates them against an LDAP federation.
So here Keycloak can't use Kerberos when the client is already sending its
credentials, right?
Thank you for your answers.
Felix
Kind regards
Felix Straub
KIS-Ausbildung
+49 7132 94 920297
Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74172 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Register court: Stuttgart HRA 104163
7 years, 4 months
KC upgrade of Infinispan to 9.1.0?
by Thomas Connolly
Hi All
Is there a plan to upgrade KC 3.X.X to Infinispan 9.1.x in the near future?
We're currently running a large KC cluster in a production environment.
I would really like to add Infinispan health checks as outlined in the following article, initially to ensure that all servers are participating in the cluster.
    embeddedCacheManager
        .getHealth()
        .getClusterHealth()
        .getNumberOfNodes() // Those two methods allow to control if
        .getNodeNames()     // proper number of nodes joined the cluster
Example here...http://blog.infinispan.org/2017/03/checking-infinispan-cluster-hea...
We've had production issues, i.e. split brain, with the default UDP multicast due to running across multiple VLANs (sysadmin errors).
Regards,
Tom.
7 years, 4 months
invalid_code when redirecting back from identity provider
by Scheinmann, Jonathan
When setting up a second keycloak as identity provider I am forwarded correctly to the identity provider and back to the initial keycloak instance. So far so good, but as soon as I am forwarded back to the initial instance I receive an error page with the following log entry:
06:42:40,715 WARN [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=<myrealm>, clientId=null, userId=null, ipAddress=<my ip>, error=invalid_code
It is not really clear what the error is in this case. It seems that the second keycloak instance (the id. provider) generates a wrong authorization code, which is not accepted by the first keycloak instance. But as a user I do not really see how I could change that behaviour. It is not really clear what to do with this error. Whatever is causing this error (which is obviously just a warning?), it has to be clearer.
I attached the screenshots of the first keycloak instance id. provider configuration and the client configuration in the second keycloak instance.
When using direct grant for the identity provider instance I can successfully fetch an access token. It is therefore no authorization issue itself (as I was successfully authenticated) but maybe rather related to the generation or parsing of the authorization code.
Environment:
Official docker image jboss/keycloak 3.3.0.CR1 for both instances
Steps to reproduce:
1. Set up 2 keycloak instances, where one instance acts as identity provider (with the options set similar to the screenshots attached)
1.1 Use /auth/realms/myrealm/.well-known/openid-configuration to export the client config of the identity provider to import it as identity provider configuration
2. Create a user in the identity provider instance
3. Call /auth/realms/<myrealm>/protocol/openid-connect/auth?client_id=token-exchange&login=true&redirect_uri=<redirect-uri>&response_type=token&nonce=123 in the first keycloak instance and click on the identity provider button.
4. Log in with the user created
7 years, 4 months
Adding properties during token generation
by Kilian DEVOUASSOUX
Hello,
We are using Keycloak (v2.1.0.Final) in our micro-service architecture.
We are currently facing a problem: we imagined adding dynamic properties
on the go into the JWT token during its generation.
We already use mappers to put user attributes into token for non dynamic
properties.
But we would like to avoid putting those dynamic properties into user
attributes, or other cold data in Keycloak data models. We really want to
avoid duplicating them in Keycloak.
Those data are exposed by one of our APIs, and can be retrieved via a REST
call.
Is there any mechanism which will allow us to do that?
Thanks in advance for any response.
Kilian D
7 years, 4 months
Zuul (Gateway) -> Keycloak Adapters Missing pieces
by Mauricio Salatino
Hi everyone,
We are using Keycloak behind a gateway (Zuul) and we are having issues with
Keycloak adapters not being able to validate the JWT token issued on behalf
of an external client. Our gateway is forwarding all the X-FORWARDED-*
headers correctly, so the token is issued correctly, but the problem is that
our adapters (in our services) contain the following configuration:
keycloak.auth-server-url=<local ip of keycloak server>:<port>/auth
Now the problem that we are facing is that the token will not be able to be
validated by the adapter, because it was issued for the external IP and the
adapter is pointing to the local ip, so the token validation fails.
I've seen several threads and jira issues about this problem without a
clear solution and it sounds like the adapter's code can be easily extended
to support this scenario. Now the question is where that information should
live:
1) It can be set in the realm configuration so the adapter picks that up on
start up and then uses that information for the token validation
2) It can be picked up by the service that is getting the external IP in the
X-FORWARDED-* headers (this might cause a security issue ???)
We can provide the code for the solution, but before we start coding we want to
know what your opinions on the matter are and if this has been solved
before.
Cheers
Mauricio
--
- MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
- Co-Founder @ http://www.jugargentina.org
- Co-Founder @ http://www.jbug.com.ar
- Salatino "Salaboy" Mauricio -
7 years, 4 months
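As an added illustration of the failure Mauricio describes (this is constructed example code, not code from the thread or from the Keycloak adapters), the following Python models the adapter-side issuer check: Keycloak writes the URL it was reached through into the `iss` claim, and an adapter configured with the internal address rejects the token even though the signature is valid. It assumes a constructed HS256 key and constructed public/internal URLs; a real Keycloak server signs with RS256, but the issuer comparison is the same.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed demo key; a real Keycloak realm signs with an RSA key (RS256).
DEMO_KEY = b"constructed-demo-hmac-key"


def make_token(issuer: str, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 token whose iss is the URL the server believes it was reached at."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": "user-1", "azp": "gateway-client"}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_token(token: str, auth_server_url: str, realm: str, key: bytes = DEMO_KEY):
    """Adapter-side check: verify the signature, then require iss == <auth-server-url>/realms/<realm>."""
    header, payload, sig = token.split(".")
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    expected_iss = f"{auth_server_url.rstrip('/')}/realms/{realm}"
    if claims.get("iss") != expected_iss:
        return False, f"issuer mismatch: token iss={claims.get('iss')!r}, adapter expects {expected_iss!r}"
    return True, "ok"


# Constructed addresses: the gateway's public host (seen by Keycloak via X-Forwarded-*)
# and the internal address the service adapters are configured with.
PUBLIC_URL = "https://sso.example.com/auth"
INTERNAL_URL = "http://10.0.0.5:8080/auth"

# Token issued through the gateway, so iss carries the public URL.
token = make_token(f"{PUBLIC_URL}/realms/demo")

if __name__ == "__main__":
    print(validate_token(token, INTERNAL_URL, "demo"))  # adapter on internal URL: issuer mismatch
    print(validate_token(token, PUBLIC_URL, "demo"))    # adapter on the public URL: ok
```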
Unable to update user account
by Krishna Kuntala
In realm settings, I have enabled email as username and registered a user.
However on "/auth/realms/master/account" page when I am trying to update
any details of the user, it's throwing an error "Please specify username."
Please note this is not displaying the username field on page when I enable
email as username.
Is it some kind of a bug in keycloak 3.2.1?
Thanks and Regards,
Krishna Kuntala
7 years, 4 months
Configure fine-grained authorization with SAML.
by Elvira Ramondino
Hi,
I'm working on Keycloak 3.2 to realize an authentication and authorization
system for client applications that use SAML.
I need to enable fine-grained authorization for a client application that
uses the SAML protocol, but I have found this feature only with OIDC.
How can I configure and use fine-grained permissions also with SAML in
Keycloak?
Thanks in advance.
7 years, 4 months
Examples of server that implements OIDC Protocol? Questions about Linking accounts
by Anton
Hello
I'm looking to build an application (identity provider) that will have
user accounts.
Users should then be able to link their account to a parent account,
and I would like to use keycloak for this.
I have been reading
http://www.keycloak.org/docs/3.1/server_development/topics/identity-broke...
and see that this is possible.
I have a few questions. On the docs it says:
> The application must already be logged in as an existing user via the OIDC
> protocol
How does an application log in as a user?
Does this mean the user must be logged into the Identity provider
application?
Am I correct in assuming the Identity Provider application needs to
implement the OIDC Protocol? Is this something Keycloak can do? Are there
any examples of this?
Thanks and regards
Anton
7 years, 4 months