User defined password policies
by Krishna Kuntala
We have the following requirements w.r.t. password policies. I am not sure
whether we would be able to add custom password policies. If yes, how to
define custom policies?
1. Password max length should be 16
2. Only allow 2 repeating characters
3. Satisfy 3 out of 4 password criteria mentioned in
"Authentication->Password Policy"
4. Lock account for 1 hour after 3 failed login attempts
Please let me know whether these requirements can be configured from the UI
or do I need to implement some code to achieve this?
Thanks and Regards,
Krishna Kuntala
7 years, 4 months
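Added example, not Keycloak's own code and not from the thread: in Keycloak 3.x the first, second and fourth requirements above are covered by built-in settings. The "Regular Expression" policy under Authentication > Password Policy can enforce a maximum length and cap runs of identical characters in one pattern such as `^(?!.*(.)\1\1).{1,16}$`, and Realm Settings > Security Defenses > Brute Force Detection provides the failed-login lockout (Max Login Failures, Wait Increment, Max Wait, Failure Reset Time). The "3 of 4 character classes" rule is not expressible with the built-in policies and needs a custom PasswordPolicyProvider. The class below, packaged as a provider JAR with a `META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory` entry, then shows up in the Password Policy drop-down with a numeric argument. The policy id, the message key (which needs a matching entry in the login theme's messages bundle) and the class names are assumptions.

```java
// Added example, not Keycloak's own code. Assumes keycloak-server-spi and
// keycloak-server-spi-private (Keycloak 3.x) on the classpath and registration via
// META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory.
package com.example.keycloak.policy;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.policy.PasswordPolicyProvider;
import org.keycloak.policy.PasswordPolicyProviderFactory;
import org.keycloak.policy.PolicyError;

/** Password must contain at least N of: lowercase, uppercase, digit, special character. */
public class CharacterClassesPasswordPolicyProviderFactory implements PasswordPolicyProviderFactory {

    public static final String ID = "characterClasses"; // hypothetical policy id

    @Override public String getId() { return ID; }
    @Override public String getDisplayName() { return "Character Classes (N of 4)"; }
    @Override public String getConfigType() { return PasswordPolicyProvider.INT_CONFIG_TYPE; }
    @Override public String getDefaultConfigValue() { return "3"; }
    @Override public boolean isMultiplSupported() { return false; } // sic: spelling used by the Keycloak SPI

    @Override public PasswordPolicyProvider create(KeycloakSession session) {
        return new CharacterClassesPasswordPolicyProvider(session);
    }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}

    static class CharacterClassesPasswordPolicyProvider implements PasswordPolicyProvider {
        private final KeycloakSession session;
        CharacterClassesPasswordPolicyProvider(KeycloakSession session) { this.session = session; }

        @Override public PolicyError validate(RealmModel realm, UserModel user, String password) {
            return validate(user.getUsername(), password);
        }

        @Override public PolicyError validate(String username, String password) {
            // The numeric argument entered in the admin console, parsed by parseConfig() below.
            int required = session.getContext().getRealm().getPasswordPolicy().getPolicyConfig(ID);
            if (countClasses(password) < required) {
                // Hypothetical message key; add it to messages_*.properties of the login theme.
                return new PolicyError("invalidPasswordCharacterClassesMessage", required);
            }
            return null; // null means the password satisfies this policy
        }

        @Override public Object parseConfig(String value) {
            return value == null ? 3 : Integer.parseInt(value);
        }
        @Override public void close() {}
    }

    /** Counts how many of the four classes occur; kept pure so it can be unit-tested. */
    static int countClasses(String password) {
        boolean lower = false, upper = false, digit = false, special = false;
        for (char c : password.toCharArray()) {
            if (Character.isLowerCase(c)) lower = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isDigit(c)) digit = true;
            else special = true; // anything that is not a letter or digit counts as special
        }
        return (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (special ? 1 : 0);
    }
}
```

Password policies run on password change and on admin reset, not on login, so existing passwords are unaffected until they are next changed; the brute-force lockout is the only one of the four requirements that touches the login path.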
Release of version 3.3.0.Final
by Eriksson Fabian
Hello!
We are in dire need of a bugfix that is included in the 3.3.0.Final version of Keycloak, could you give me a "guesstimation" of when this will be released? :)
BR
Fabian Eriksson
7 years, 4 months
Failed account updates via REST API due to StaleStateException
by Thomas Darimont
Hello,
in the log [0] of our Keycloak [1] instances we see sporadic exceptions
indicating that an account update operation (e.g. reset-password) failed,
presumably due to an optimistic locking failure.
The Keycloak server returns an HTTP 500 internal server error when that
occurs.
Looks like it is similar to KEYCLOAK-3296 [2].
The user did not do anything besides logging in and trying to change the
password in the account application.
Is this an indicator that our infinispan clustering configuration is wrong?
We plan to upgrade to KC 3.3.0.Final once it is released, any chance that
this will get rid of those exceptions?
Cheers,
Thomas
[1] 2.5.5.Final, standalone-ha, 2-Instances behind load-balancer,
clustering works fine for now
[2] https://issues.jboss.org/browse/KEYCLOAK-3296
[0] Log:
UT005023: Exception handling request to
/auth/admin/realms/acme/users/xxxxxx-xxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxx/reset-password
StackTrace
Exception: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
Caused by: org.keycloak.models.ModelException: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
    at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67)
    24 lines skipped for [org.hibernate, com.arjuna]
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:126)
    at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
    9 lines skipped for [javax.servlet, org.jboss]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
7 years, 4 months
Fwd: LDAP Registration user sync
by Kevin VAN DEN ELSHOUT
Hi,
I have an ldap user federation configured with sync registrations ON.
Now when I register a new user, this user is synced to ldap but not saved
into local DB (synced back from ldap).
[org.keycloak.storage.ldap.LDAPStorageProvider] (default task-21) LDAP User invalid. ID doesn't match. ID from LDAP [test@mailinator.com], LDAP ID from local DB: [ ]
Any idea what I am doing wrong?
CODE_TO_TOKEN_ERROR
    Error               user_not_found
    Details
        grant_type          authorization_code
        code_id             7ac8c3c7-c9d3-413a-bb83-401047925b92
        client_auth_method  client-secret
LOGIN
        auth_method         openid-connect
        auth_type           code
        redirect_uri        ***/sso/login
        consent             no_consent_required
        code_id             7ac8c3c7-c9d3-413a-bb83-401047925b92
        username            ***
REGISTER
        auth_method         openid-connect
        auth_type           code
        register_method     form
        redirect_uri        ***/sso/login
        code_id             7ac8c3c7-c9d3-413a-bb83-401047925b92
        email               ***
        username            ***
7 years, 4 months
Why does the KeycloakRestTemplate Bean need to be Prototype scoped?
by Dominik Guhr
Hi all,
I hope I am right here. I am doing a blog-series in german about
Keycloak (3.2.1 Final) and its integration in Spring Boot and Spring
Security.
Everything is good so far, but there's one Thing that bothers me.
As the subject states: Why does the KeycloakRestTemplate Bean need to be
Prototype scoped?
The docs say in 4.2.1.8:
"To simplify communication between clients, Keycloak provides an
extension of Spring’s RestTemplate that handles bearer token
authentication for you. To enable this feature your security
configuration must add the KeycloakRestTemplate bean. Note that it must
be scoped as a prototype to function correctly."
So, I don't just want to give my readers something they could read out
of the docs, so I looked for the standard Scope of RestTemplate, which
seems to be Singleton, for RestTemplate seems to be threadsafe and
creation of resttemplates is somewhat costly (source:
https://stackoverflow.com/questions/22989500/is-resttemplate-thread-safe
and links/comments)
I hope someone could give me more insights here.
Best regards,
Dominik
7 years, 4 months
Java admin clients
by James Green
In the absence of a Swagger endpoint (which would be so useful!) I've been
trying to use the admin-client in my client, but I cannot get even this to
work.
It seems it requires an older version of Resteasy, which I downgrade to,
then find I need to upgrade Jackson, then discover there are binary API
changes preventing its use, presumably with keycloak-3.
So I switched to OpenFeign and hooked in the JAXRS contracts feature, but
this blows up because various methods of the various interfaces lack HTTP
methods (see UsersResource#get()).
So all-in-all, I'm not having any luck with something that looks like an
off-the-shelf dependency to just "use" :(
I've followed through a number of the example gists on Github but they all
seem to pre-date Keycloak-3 and don't work.
The keycloak-admin-client doesn't seem to have any tests to confirm it
actually works, either. So does anyone have a way forward without me having
to re-implement the interfaces?
What I'd *really* like to see is a Swagger endpoint that I can point
swagger-codegen at, as we've had success through this means with other
software in the past, but I can't find anything other than requests for
Swagger in past emails to this list.
Yours rather frustrated,
James
7 years, 4 months
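The keycloak-admin-client does work against Keycloak 3.x once the RESTEasy and Jackson artifacts on the classpath are the versions its own POM declares; the conflicts described above typically come from a different RESTEasy already present in the calling application. Added example, not the project's own code and not from the thread, of the usual first task with it, creating a user and setting a temporary password. Server URL, realm, client id and the user's details are placeholders; the admin password is read from the command line rather than hard-coded.

```java
// Added example, not Keycloak's own code. Assumes Keycloak 3.x, the Maven artifact
// org.keycloak:keycloak-admin-client (with the RESTEasy/Jackson versions its POM declares),
// a realm "acme" and an admin account in the master realm. All names are placeholders.
package com.example.keycloak.admin;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

import javax.ws.rs.core.Response;

public class CreateUserWithAdminClient {

    public static void main(String[] args) {
        if (args.length < 1) throw new IllegalArgumentException("usage: CreateUserWithAdminClient <admin-password>");
        Keycloak keycloak = Keycloak.getInstance(
                "https://sso.example.com/auth", // server URL (placeholder)
                "master",                        // realm the admin account lives in
                "admin", args[0],                // admin credentials, password from argv
                "admin-cli");                    // public client used by the admin console/CLI
        try {
            String id = createUser(keycloak.realm("acme"), "jdoe", "jdoe@example.com", "initial-Passw0rd!");
            System.out.println("created user id " + id);
        } finally {
            keycloak.close(); // releases the underlying RESTEasy client
        }
    }

    /** Creates an enabled user with a temporary password; returns the new user's id. */
    static String createUser(RealmResource realm, String username, String email, String tempPassword) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true);

        UsersResource users = realm.users();
        Response response = users.create(user);
        try {
            if (response.getStatus() != 201) {
                // 409 Conflict is the usual failure: username or email already taken.
                throw new IllegalStateException("user create failed: HTTP " + response.getStatus());
            }
            // The server answers 201 with a Location header .../users/{id}; there is no body.
            String id = idFromLocation(response.getLocation().getPath());

            CredentialRepresentation cred = new CredentialRepresentation();
            cred.setType(CredentialRepresentation.PASSWORD);
            cred.setValue(tempPassword);
            cred.setTemporary(true); // user is forced through UPDATE_PASSWORD at first login
            users.get(id).resetPassword(cred);
            return id;
        } finally {
            response.close();
        }
    }

    /** Last path segment of the Location header. */
    static String idFromLocation(String path) {
        return path.substring(path.lastIndexOf('/') + 1);
    }
}
```

Use a dedicated service account with only the realm-management roles the job needs (e.g. manage-users) instead of the master admin once this moves out of a test; the password grant against admin-cli is shown because it is the shortest path to a working call.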
Keycloak as LDAP Identity Provider
by Min Han Lee
Hello all,
I was wondering if Keycloak is available as a default LDAP Identity
Provider? I got a requirement which we need to retire all of the LDAP and
use Keycloak only.
Can we, therefore, connect to Keycloak's built-in LDAP (realm native users)
by using ldap://keycloakhostaddress? We tried that, but it doesn't work
because we don't have the Keycloak's directory attribute information....
Please, if anyone can point me in the right direction
Thanks for help guys!
Kind Regards
7 years, 4 months
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after the User / Password Form
Authenticator, a kind of "access rules" authenticator that will, according
to some request parameters (for example, IP address or application),
dynamically add a second factor authenticator to the flow (like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (for example, we provide a set of second factors, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during the browser
authentication process, after providing user and password, the user will get a
form allowing him to choose the second factor system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticators (so, not to write a
big 2FA authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
7 years, 4 months
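One way to do this in Keycloak 3.2+ without duplicating the existing authenticators, as an added example that is neither from the thread nor from Keycloak itself: a custom Authenticator placed REQUIRED right after the Username Password Form evaluates the access rules and, when they trigger, delegates both authenticate() and action() to the built-in OTP form authenticator obtained from the session by its provider id, so the OTP form and code validation stay Keycloak's own. A chooser form that picks among several delegates follows the same pattern (render the choice, store the selected provider id in an auth note, delegate to it). The provider id, the trusted network prefix and the client-id rule are assumptions. Caveat for the 2-node setup behind a load balancer that is typical here: context.getConnection().getRemoteAddr() is the proxy's address unless proxy-address-forwarding is enabled on the Undertow http-listener.

```java
// Added example, not Keycloak's own code. Assumes Keycloak 3.2+ (authentication sessions),
// keycloak-server-spi, keycloak-server-spi-private and keycloak-services on the classpath,
// and registration via META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
package com.example.keycloak.auth;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

import java.util.Collections;
import java.util.List;

/** Conditional second factor that reuses the built-in OTP form instead of re-implementing it. */
public class AccessRulesAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "access-rules-2fa";    // hypothetical provider id
    static final String OTP_DELEGATE_ID = "auth-otp-form";   // id of Keycloak's OTP Form authenticator
    static final String TRUSTED_PREFIX = "10.0.";            // assumption: addresses that skip 2FA
    static final String AUTH_NOTE = "ACCESS_RULES_2FA";      // carries the decision across the form round-trip

    @Override public Authenticator create(KeycloakSession session) {
        return new AccessRulesAuthenticator(session.getProvider(Authenticator.class, OTP_DELEGATE_ID));
    }
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Access Rules (conditional OTP)"; }
    @Override public String getReferenceCategory() { return "otp"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED, AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Requires OTP depending on client IP and client id."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}

    static class AccessRulesAuthenticator implements Authenticator {
        private final Authenticator otp;
        AccessRulesAuthenticator(Authenticator otp) { this.otp = otp; }

        @Override public void authenticate(AuthenticationFlowContext context) {
            String ip = context.getConnection().getRemoteAddr();
            String clientId = context.getAuthenticationSession().getClient().getClientId();
            if (!needsSecondFactor(ip, clientId)) {
                context.success();
                return;
            }
            KeycloakSession session = context.getSession();
            RealmModel realm = context.getRealm();
            UserModel user = context.getUser();
            if (!otp.configuredFor(session, realm, user)) {
                // Same treatment the flow engine gives an execution the user has not set up yet:
                // register the setup required action and let this login through; OTP is then
                // configured right after login and enforced from the next one.
                otp.setRequiredActions(session, realm, user);
                context.success();
                return;
            }
            context.getAuthenticationSession().setAuthNote(AUTH_NOTE, OTP_DELEGATE_ID);
            otp.authenticate(context); // the delegate renders its own form as the challenge
        }

        @Override public void action(AuthenticationFlowContext context) {
            if (OTP_DELEGATE_ID.equals(context.getAuthenticationSession().getAuthNote(AUTH_NOTE))) {
                otp.action(context);   // delegate validates the submitted code
            } else {
                context.success();
            }
        }

        @Override public boolean requiresUser() { return true; }
        @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
        @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
        @Override public void close() { otp.close(); }
    }

    /** Pure rule, kept separate so it can be unit-tested: 2FA unless trusted network and a low-risk client. */
    static boolean needsSecondFactor(String remoteAddr, String clientId) {
        boolean trustedNetwork = remoteAddr != null && remoteAddr.startsWith(TRUSTED_PREFIX);
        boolean sensitiveClient = clientId != null && clientId.startsWith("admin-"); // assumption
        return sensitiveClient || !trustedNetwork;
    }
}
```

The branch that lets an unenrolled user through with a required action is the security-relevant design choice: it matches what Keycloak does for a REQUIRED execution the user has not configured, but if the rule is meant to be a hard gate for sensitive clients, replace that branch with context.failure(AuthenticationFlowError.INVALID_CREDENTIALS) or a dedicated error page.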
Realm configuration under Version Control
by Christian Schneider
Hi,
we want to have our Keycloak realm configuration under version control.
The goal is that every stage (Development, Integration, Testing and
Production) should have an own configuration file for the realm (without
users of course, they should stay over time). When we want to change
something, it should be done over the configuration file.
My initial idea was to use the migration import and export parameters for
that.
First export the current configuration on every stage, commit it, and then
import it on startup. But the problem is, that the realm is first dropped
(including the users) and then imported. After that, all existing users are
removed :(.
What is your strategy to have the keycloak configuration under version
control? So that every change is transparent and documented?
Best Regards,
Christian.
7 years, 4 months
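The migration import's OVERWRITE_EXISTING strategy is what removes the realm, users included, before re-creating it; IGNORE_EXISTING does not help either, because it skips the import entirely when the realm already exists. The admin REST API's partial import (POST /auth/admin/realms/{realm}/partialImport) applies only the clients, roles, identity providers and users present in the request document, with ifResourceExists set to SKIP, FAIL or OVERWRITE, and never deletes anything, so a versioned file containing just the configuration sections can be pushed into each stage on deploy while the stage's users survive. Added example, not Keycloak's own code and not from the thread, of doing that from a small Java program; the URL, file name and credentials are placeholders, and the tracked file is assumed to be a partial-import document (the "clients" and "roles" sections taken from a realm export, plus "ifResourceExists": "OVERWRITE").

```java
// Added example, not Keycloak's own code. Assumes a Keycloak 2.x/3.x server at BASE,
// an admin account in the master realm, and a versioned clients-and-roles.json that is a
// partial-import document ({"ifResourceExists":"OVERWRITE","clients":[...],"roles":{...}}).
// Hostname, file name and credentials are placeholders.
package com.example.keycloak.config;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

public class PartialImport {

    static final String BASE = "https://sso.example.com/auth"; // placeholder

    public static void main(String[] args) throws IOException {
        if (args.length < 1) throw new IllegalArgumentException("usage: PartialImport <admin-password>");
        String token = adminToken("admin", args[0]);
        String request = new String(Files.readAllBytes(Paths.get("clients-and-roles.json")), StandardCharsets.UTF_8);
        String result = partialImport("acme", request, token);
        // The server reports what it did, e.g. {"overwritten":3,"added":1,"skipped":0,"results":[...]}
        System.out.println(result);
    }

    /** Password grant against master/admin-cli; returns the bearer token for the admin API. */
    static String adminToken(String user, String password) throws IOException {
        String form = "grant_type=password&client_id=admin-cli&username=" + enc(user) + "&password=" + enc(password);
        String json = post(BASE + "/realms/master/protocol/openid-connect/token",
                "application/x-www-form-urlencoded", form, null);
        return extractJsonString(json, "access_token");
    }

    /** Sends the tracked document to the partial-import endpoint of the target realm. */
    static String partialImport(String realm, String requestJson, String token) throws IOException {
        return post(BASE + "/admin/realms/" + realm + "/partialImport", "application/json", requestJson, token);
    }

    static String post(String url, String contentType, String body, String bearer) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", contentType);
        if (bearer != null) c.setRequestProperty("Authorization", "Bearer " + bearer);
        try (OutputStream out = c.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = c.getResponseCode();
        String response = readAll(status < 400 ? c.getInputStream() : c.getErrorStream());
        if (status >= 400) throw new IOException("HTTP " + status + " from " + url + ": " + response);
        return response;
    }

    static String readAll(InputStream in) throws IOException {
        if (in == null) return "";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    /** Minimal extraction of a top-level string field; sufficient for the compact token response. */
    static String extractJsonString(String json, String field) {
        String key = "\"" + field + "\":\"";
        int start = json.indexOf(key);
        if (start < 0) throw new IllegalArgumentException(field + " not found in response");
        start += key.length();
        return json.substring(start, json.indexOf('"', start));
    }

    static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

Two practical points for the version-control workflow: strip the "users" array (and any client secrets you do not want in git) from the export before committing, and diff the export against the file after each promotion, since the partial import reports overwritten/added/skipped counts but not what changed inside each resource.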