OIDC access_token URL parameter rather than Bearer Authentication header
by Gabriel Lavoie
Hi,
we have one use case where we want to use an access_token URL parameter
rather than the Authorization: Bearer header, to allow SSO from a mobile
app to Safari.
In KeycloakAuthenticationProcessingFilter.java (
https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c73949...),
the authentication flow is different when using the query param vs the
Authorization header. Any reason for this?
- Header: Upon successful authentication, the filter chain is processed to
the requested page.
- Query param: Upon successful authentication, the default success handler is
called and the user is redirected to a target page (/ by default); see the
first condition of
KeycloakAuthenticationProcessingFilter.successfulAuthentication():

    if (!(this.isBearerTokenRequest(request) ||
          this.isBasicAuthRequest(request))) {
        super.successfulAuthentication(request, response, chain, authResult);
        return;
    }
Thanks,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
7 years, 3 months
OIDC Client dynamic registration
by Виталий Ищенко
Hi
I was playing with the example from the openid-client nodejs package; it has
examples with custom keys and key signing/encryption algorithms.
Some registration requests fail with an NPE exception like this:
Caused by: java.lang.NullPointerException
    at org.keycloak.util.JWKSUtils.getKeyForUse(JWKSUtils.java:49)
    at org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey(DescriptionConverter.java:135)
    at org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal(DescriptionConverter.java:102)
    at org.keycloak.services.clientregistration.oidc.OIDCClientRegistrationProvider.createOIDC(OIDCClientRegistrationProvider.java:74)
The registration request was the following:
{
  "post_logout_redirect_uris": [
    "http://localhost:3000/"
  ],
  "redirect_uris": [
    "http://localhost:3000/cb"
  ],
  "grant_types": [
    "authorization_code"
  ],
  "response_types": [
    "code"
  ],
  "userinfo_encrypted_response_alg": "ECDH-ES+A128KW",
  "jwks": {
    "keys": [
      {
        "kty": "EC",
        "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw",
        "crv": "P-256",
        "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ",
        "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0"
      }
    ]
  }
}
I overcame this issue by patching the library and adding a use: sig attribute to
the jwks key, but it seems that this attribute is not required by the spec
(https://tools.ietf.org/html/rfc7517#section-4.2), and even if it is required
from the app's perspective, the NPE should be replaced with something more meaningful.
Another issue I've faced after bypassing the NPE: registrations that use
unsupported algorithms like the one above don't fail. Is this correct behaviour?
7 years, 3 months
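An added example (not Keycloak's code, and not the openid-client example from the post) of how the key lookup that NPEs above can be done defensively: RFC 7517 section 4.2 makes "use" optional, so a key without it is accepted for either purpose, a miss becomes a descriptive error, and the requested userinfo encryption algorithm is checked against a list. The request object is the one from the post, embedded as constructed input; the SUPPORTED_ENC_ALGS list is an assumption for this example and is not Keycloak's actual list. Runs under Node.

```javascript
// Added example, not Keycloak code: null-safe JWKS key selection plus a
// strict check of the requested algorithm, applied to the registration
// request from the post above (embedded here as constructed input).
const registrationRequest = {
  post_logout_redirect_uris: ['http://localhost:3000/'],
  redirect_uris: ['http://localhost:3000/cb'],
  grant_types: ['authorization_code'],
  response_types: ['code'],
  userinfo_encrypted_response_alg: 'ECDH-ES+A128KW',
  jwks: {
    keys: [
      {
        kty: 'EC',
        kid: 'pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw',
        crv: 'P-256',
        x: 'qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ',
        y: 'cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0',
      },
    ],
  },
};

// ASSUMED list of algorithms this hypothetical server supports. It is an
// illustration only, NOT Keycloak's real set; the point is that an
// unsupported value is rejected with a message instead of silently accepted.
const SUPPORTED_ENC_ALGS = new Set(['RSA-OAEP', 'RSA1_5', 'A128KW']);

class RegistrationError extends Error {}

// Return the first key usable for `use` ("sig" or "enc"). Per RFC 7517 4.2
// "use" is OPTIONAL: a key without it may serve either purpose; a key whose
// "use" names the other purpose is skipped. Nothing is dereferenced blindly.
function getKeyForUse(jwks, use) {
  if (!jwks || !Array.isArray(jwks.keys)) {
    throw new RegistrationError('jwks is missing or has no "keys" array');
  }
  for (const key of jwks.keys) {
    if (!key || typeof key.kty !== 'string') continue; // malformed entry
    if (key.use === undefined || key.use === use) return key;
  }
  throw new RegistrationError(`no key in jwks is usable for "${use}"`);
}

// Validate the two things the post exercises: key lookup and the requested
// userinfo_encrypted_response_alg. Returns the chosen key id and alg.
function validateRegistration(req, supportedAlgs = SUPPORTED_ENC_ALGS) {
  const alg = req.userinfo_encrypted_response_alg;
  if (alg !== undefined && !supportedAlgs.has(alg)) {
    throw new RegistrationError(`unsupported userinfo_encrypted_response_alg: ${alg}`);
  }
  const key = getKeyForUse(req.jwks, 'sig');
  return { kid: key.kid, alg };
}

// Wrap the validator so a caller gets a structured result instead of an
// uncaught exception, the "something more meaningful" the post asks for.
function tryRegister(req) {
  try {
    return { ok: true, ...validateRegistration(req) };
  } catch (e) {
    if (e instanceof RegistrationError) return { ok: false, error: e.message };
    throw e;
  }
}

console.log(tryRegister(registrationRequest));
console.log(tryRegister({ ...registrationRequest, userinfo_encrypted_response_alg: 'A128KW' }));
```

With the post's request as-is the result is a rejection naming ECDH-ES+A128KW; swapping in an algorithm from the assumed list yields the key's kid without ever touching a missing "use".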
Determine users roles using the JavaScript adapter
by Robert Parker
After authenticating a user using the JavaScript adapter, how can I determine what roles a user has?
Robert Parker- Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd
Cardiff
CF10 3DD
+44 (0) 2922 331860
robert.parker(a)weareact.com
www.weareACT.com
Registered in England : 04476799
7 years, 3 months
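An added example, not code from the Keycloak JavaScript adapter or from the poster, of where the roles live in a Keycloak access token and how the adapter's keycloak.tokenParsed, keycloak.hasRealmRole(role) and keycloak.hasResourceRole(role, resource) read them: realm roles sit under realm_access.roles and client roles under resource_access[clientId].roles. The token here is constructed and unsigned purely so the block runs offline under Node; the issuer URL and client id are assumptions. One caveat a practitioner should keep in mind: the browser adapter decodes the token but does not verify its signature, so role checks done this way are for gating UI only, and the resource server must verify the token and enforce roles itself.

```javascript
// Added example, not keycloak-js code: decode an access token's payload and
// answer role questions the way the adapter does after keycloak.init().

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// CONSTRUCTED claims modelled on a Keycloak access token: realm roles under
// realm_access, client roles under resource_access[client]. Issuer and client
// id are assumed values for this example.
const constructedClaims = {
  iss: 'https://sso.example.test/auth/realms/demo',
  azp: 'frontend',
  preferred_username: 'alice',
  realm_access: { roles: ['user', 'offline_access'] },
  resource_access: {
    frontend: { roles: ['editor'] },
    account: { roles: ['manage-account'] },
  },
};

// Assemble header.payload.signature with an EMPTY signature. A real token is
// signed by Keycloak; this one exists only so the decoding path can be shown.
function buildUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.`;
}

// Equivalent of keycloak.tokenParsed: decode the middle segment only.
function parseTokenPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function realmRoles(parsed) {
  return (parsed.realm_access && parsed.realm_access.roles) || [];
}

function clientRoles(parsed, clientId) {
  const access = parsed.resource_access && parsed.resource_access[clientId];
  return (access && access.roles) || [];
}

// Mirrors keycloak.hasRealmRole(role).
function hasRealmRole(parsed, role) {
  return realmRoles(parsed).includes(role);
}

// Mirrors keycloak.hasResourceRole(role, resource). The adapter defaults
// `resource` to its own clientId; here the token's azp claim stands in for it.
function hasResourceRole(parsed, role, resource = parsed.azp) {
  return clientRoles(parsed, resource).includes(role);
}

const parsed = parseTokenPayload(buildUnsignedToken(constructedClaims));
console.log('realm roles:', realmRoles(parsed));
console.log('frontend roles:', clientRoles(parsed, 'frontend'));
console.log('alice is editor on frontend:', hasResourceRole(parsed, 'editor'));
```

With the real adapter, replace parseTokenPayload(...) with keycloak.tokenParsed and the two helpers with keycloak.hasRealmRole / keycloak.hasResourceRole; roles only appear in the token when the client's scope allows them to be mapped into it.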
How to disable Tomcat JSESSIONID
by shimin q
Hi,
I have several apps deployed in Tomcat 7, and use Keycloak to manage user login and logout for these apps. Clicking on the Logout link does not log the user out or redirect to Keycloak's login page. Then I found the JSESSIONID cookie is still present; once I deleted the JSESSIONID cookie, the logout link worked as expected. So I tried to disable Tomcat's session by putting
<%@ page session="false" %>
in the header of my app's JSP page. Unfortunately, this still does not disable Tomcat's session. I am wondering if anyone has a solution to this problem? I believe the presence of the Tomcat session interferes with Keycloak's SSO session and causes the Keycloak logout link to not work. This has to be a common problem Keycloak users encounter, since Tomcat is so widely used for web apps. How does Keycloak resolve the issue when its session conflicts with the Tomcat session?
Would appreciate any tips on how we should handle this!
7 years, 3 months
How to change email and send a verification in the Keycloak Admin Client?
by Celso Agra
Hi all,
I have a question about the Keycloak Admin Client and email verification.
I'd like to know if it would be possible to create a feature to change the email
with a verification URL. So I need to change the email and then send a
verification to complete this feature. Does anyone know if the Keycloak Admin
Client has this feature?
Best Regards,
--
---
*Celso Agra*
7 years, 3 months
OTP policy updates not reflected in Google Authenticator
by Eswara Akurathi
Dear all,
We are running into a weird problem, i.e., updates to the OTP policy are not
reflected in the Google Authenticator app. We wonder whether there are any special
instructions needed to get this working.
The sequence of steps:
1) create a realm, create a user
2) enable OTP
3) log in with the newly created user
4) the system asks you to configure OTP
5) update the OTP policy, e.g. the number of digits from 6 to 8
6) try to log in again
7) the system asks you to enter the OTP, but authentication fails
We expect the system to route the user to the configure OTP page rather
than prompting for an OTP which fails anyway.
Your response is highly appreciated !!!
Thanks in advance
Regards
Krishna Kumar Akurathi
7 years, 3 months
SAML identity broker mode bypasses any authentication after logout
by Pieter Lukasse
Hi,
I have a spring-security based application that connects to Keycloak via
SAML. Keycloak itself is configured to connect via SAML to another external
identity provider (so Keycloak is just the identity broker in this case).
When I log out from my web application by going to
https://<app_url>/saml/logout?local=false,
a LogoutRequest is sent to Keycloak, followed by a LogoutRequest to the
external IdP. There is *no* LogoutResponse. Strangely, when I try to access
my web application again, I am not asked to log in and can access it as if
the session were still valid. No AuthnRequest is seen in this case.
What could be wrong? It seems that either the web application or
Keycloak is caching the session and not invalidating it upon a
LogoutRequest. Maybe someone can help shed some light on this.
Thanks,
Pieter
We empower scientists by building on open source software
7 years, 3 months