Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy
by Matt McShea
Hello,
I am running into the exact issue described in a previous thread, and was wondering if there have been any updates made in the recent releases that fix this issue.
http://lists.jboss.org/pipermail/keycloak-user/2017-September/011905.html
Like Thomas in that thread, everything works with the nginx reverse proxy, but when I go through the proxy I'm unable to log in.
If I use the following line in my proxy configuration, "proxy_set_header X-SSL-CERT $ssl_client_raw_cert", I just get a blank page with no HTML codes or anything.
If I use $ssl_client_cert instead, I get redirected to the username/password login as if there wasn't a client certificate.
I am currently using 3.1.0, but upgraded to Wildfly 11.
Thanks,
Matt McShea
7 years
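An added example, not part of the original post and not Keycloak or nginx code: a Python model of how nginx documents its three client-certificate variables (`$ssl_client_raw_cert`, `$ssl_client_cert`, and the URL-encoded `$ssl_client_escaped_cert`), with an upstream-side normaliser for a header such as X-SSL-CERT. The PEM body is a constructed placeholder and the function names are hypothetical.

```python
import re
from urllib.parse import quote, unquote

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed placeholder: PEM-shaped text, not a real certificate.
SAMPLE_PEM = BEGIN + "\n" + "QUJD" * 15 + "ab+/\n" + "REVG" * 4 + "\n" + END + "\n"

def header_forms(pem):
    """Model how each nginx variable would render `pem` as a header value."""
    return {
        # $ssl_client_raw_cert: the PEM unchanged, newlines included
        "raw": pem,
        # $ssl_client_cert: each line except the first prefixed with a tab
        "tabbed": pem.rstrip("\n").replace("\n", "\n\t"),
        # $ssl_client_escaped_cert: the PEM urlencoded onto a single line
        "escaped": quote(pem, safe=""),
    }

def is_single_line(value):
    """A header field value must not contain CR or LF."""
    return "\r" not in value and "\n" not in value

def pem_from_header(value):
    """Recover a canonical PEM from a forwarded header value, or raise ValueError."""
    if "%" in value:
        # unquote, not unquote_plus: a literal '+' is valid base64 and must survive
        value = unquote(value)
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), value, re.S)
    if not m:
        raise ValueError("no certificate found in header value")
    # Drop newlines, tabs, or the spaces left behind if a proxy unfolded the lines
    body = re.sub(r"\s+", "", m.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"

if __name__ == "__main__":
    for name, value in header_forms(SAMPLE_PEM).items():
        ok = pem_from_header(value) == SAMPLE_PEM
        print(f"{name:8} single-line={is_single_line(value)} recoverable={ok}")
```

Only the URL-encoded form is a single header line; the other two carry embedded newlines, so whether they reach the backend intact depends on how each hop treats multi-line header values.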
Re: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
OK, it's solved now. After submitting the file multiple times to Microsoft
Windows Defender (from the UI and the web page), it is solved.
The file appears to be clean now for MS.
I updated the virus definitions to the latest version and I could check that the file is
OK now.
Thanks.
2018-01-09 16:20 GMT-03:00 Stian Thorgersen <sthorger(a)redhat.com>:
> I'm going to reject the issue. Unless someone else reports it there's
> nothing we can do. Thanks for reporting.
>
> On 9 January 2018 at 20:10, Bruno Oliveira <bruno(a)abstractj.org> wrote:
>
>> Yes, everything is up to date. Like mentioned in my previous e-mail, I'm
>> running Windows 10 VM from
>> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/.
>>
>> I strongly recommend you to do the same. It's always better to test
>> things in a clean environment.
>>
>>
>> On Tue, Jan 9, 2018 at 1:47 PM Ariel Carrera <carreraariel(a)gmail.com>
>> wrote:
>>
>>> I don't know why we have different Windows Defender results... but it's
>>> Microsoft...
>>>
>>> Bruno, is your Windows (inside the VM) updated? What version is it? Did you
>>> update virus definitions too?
>>>
>>> I updated definitions but problem persists... Here is another screenshot:
>>> [image: image.png]
>>>
>>>
>>> [image: image.png]
>>>
>>>
>>> You can check my windows version in second screenshot. It is version
>>> 10.0.16299.192 (and it was tested in another machine with version (
>>> 10.0.16299.125)).
>>>
>>> Recently, It was tested again with a third machine (at home) in another
>>> network / location / and installation. Same problem, virus detected.
>>>
>>> Maybe Microsoft has different versions by location... I don't know...
>>> after updating to the latest version, Windows Defender asked me to send the file to
>>> improve detection (I had not asked for this before).
>>>
>>>
>>>
>>> 2018-01-09 11:50 GMT-03:00 Bruno Oliveira <bruno(a)abstractj.org>:
>>>
>>>> So I don't have Windows 10, but I managed to run a VM from
>>>> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/.
>>>>
>>>> After that I cloned the whole Keycloak repository
>>>> https://github.com/keycloak/keycloak-js-bower. Nothing was found, please see the
>>>> screenshot: https://i.imgur.com/1NbFGrn.png.
>>>>
>>>> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen <sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Please create an issue with the details. We'll need to figure out how to
>>>>> reproduce the issue though. Seemed like Ramunas had tried, but that
>>>>> Defender wasn't reporting anything for him.
>>>>>
>>>>> On 8 January 2018 at 21:18, Ariel Carrera <carreraariel(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>> > "when your somebody get's a keycloak's distribution to be installed" read
>>>>> > like: "when someone gets Keycloak to be installed" xD
>>>>> >
>>>>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera <carreraariel(a)gmail.com>:
>>>>> >
>>>>> >> Hi Stian, I checked differences in keycloak.min.js comparing version
>>>>> >> 3.4.1 to 3.4.2.
>>>>> >> I can't see a problem at first sight... but It's still a problem to see
>>>>> >> your antivirus alerting for a threat when your browser access to a page
>>>>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's
>>>>> >> distribution to be installed.
>>>>> >>
>>>>> >> Maybe this issue must to be in Jira.
>>>>> >>
>>>>> >> Last changes in javascript file can be the problem.
>>>>> >>
>>>>> >> Maybe function "processInit()" needs some changes.
>>>>> >>
>>>>> >> Regards,
>>>>> >>
>>>>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera <carreraariel(a)gmail.com>:
>>>>> >>
>>>>> >>> Checked with other computer (windows 10 + windows defender).
>>>>> >>>
>>>>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3
>>>>> >>>
>>>>> >>>
>>>>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas <ramunask(a)gmail.com>:
>>>>> >>>
>>>>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
>>>>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder
>>>>> >>>> with Windows Defender on Windows 10 - no issues found
>>>>> >>>> * checked for Windows updates. New update "Definition Update for
>>>>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found
>>>>> >>>> and installed.
>>>>> >>>> * scanned again. No issues found.
>>>>> >>>>
>>>>> >>>> Ramūnas
>>>>> >>>>
>>>>> >>>
>>>>> >>>
>>>>> >>>
>>>>> >>> --
>>>>> >>> Ariel Carrera
>>>>> >>>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> Ariel Carrera
>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Ariel Carrera
>>>>> >
>>>>
>>>>
>>>
>>>
>>> --
>>> Ariel Carrera
>>>
>>
>
--
Ariel Carrera
7 years
Re: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
Checked with other computer (windows 10 + windows defender).
keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3
2018-01-03 17:44 GMT-03:00 Ramunas <ramunask(a)gmail.com>:
> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder
> with Windows Defender on Windows 10 - no issues found
> * checked for Windows updates. New update "Definition Update for Windows
> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and
> installed.
> * scanned again. No issues found.
>
> Ramūnas
>
--
Ariel Carrera
7 years
Inter realm authentication
by Pankaj Mahajan
Hi Team,
Is it possible to authenticate client from one realm with the IDP of other realm?
Like, we have a case where, we have Client-A in Realm-A and we have to authenticate it with IDP-I which is configured in Realm-B.
Is it possible in Keycloak or we need to change our approach to achieve this?
Thanks & regards,
Pankaj Mahajan
7 years
Issue in Chrome and FF
by Tony Harris
After logging in to the admin Console in either Chrome or FF we are presented with a blank white screen and the following error in the browser console
app.js:31 XHR failed loading: GET "https://xxxxxxxx.com/auth/admin/master/console/whoami". whoAmI @ app.js:31
app.js:31 GET https://xxxxxxxx.com/auth/admin/master/console/whoami net::ERR_CONNECTION_CLOSED
app.js:76 Uncaught TypeError: error is not a function
at app.js:76
at XMLHttpRequest.req.onreadystatechange (app.js:26)
It ends up in the error handler section because the attempt to connect to the keycloak whoami end point fails with a 500 response, there is nothing in the JBoss logs. It looks very similar to the following Jira issue, but we do not end up in a redirect loop and we are not seeing the 401 Unauthorised.
https://issues.jboss.org/browse/KEYCLOAK-4735
Interestingly, IE 11 gets a 200 response from the whoami end point.
If we delete a recently created Realm then Chrome goes back to working, however the same realm created on another instance, it's created by a script so we know it's the same in both, of Keycloak has no issues. Other realms in this same Keycloak instance created via the script do not cause any issues. Has anyone seen this before?
Server Info
Server Version: 3.1.0.Final
Server Profile: Community
Server Time: Tue Jan 09 09:56:53 UTC 2018
Server Uptime: 11 days, 1 hour, 22 minutes, 39 seconds
Memory
Total Memory: 455 MB
Free Memory: 251 MB (55%)
Used Memory: 204 MB
System
Current Working Directory: /opt/jboss
Java Version: 1.8.0_121
Java Vendor: Oracle Corporation
Java Runtime: OpenJDK Runtime Environment
Java VM: OpenJDK 64-Bit Server VM
Java VM Version: 25.121-b13
Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre
User Name: jboss
User Timezone: UTC
User Locale: us_EN
System Encoding: ANSI_X3.4-1968
Operating System: Linux 4.9.62-21.56.amzn1.x86_64
OS Architecture: amd64
Tony Harris
Java Developer
7 years
Does Keycloak support a "Minimum password age"?
by Peter K. Boucher
We have a customer requirement that users not be able to change their
passwords more frequently than once per day.
We are currently using Keycloak 3.1. Does any later version of Keycloak
support (or plan to support) a "Minimum password age"?
Thanks!
7 years
CORS support
by Kevin Price
Hi everyone,
I’m on the support team with the 3scale product and I’m currently writing a JS client for our Developer Portal to be used with RH SSO & our interactive documentation tool. So I have a question around supporting CORS on the keycloak server.
I’m currently just running my Keycloak instance as a native Java app server. Is there any way to configure CORS either on the server level or realm level? Typically users would log into the portal to test their own application (client) credentials via the Swagger specification, however, this means every individual application stored in the Keycloak server needs to have the Web Origins field configured to allow requests from the developer portal domain. I would prefer to avoid this additional configuration.
Apologies in advance if this is already covered in your documentation but I did take a look and I couldn’t find anything relevant.
Appreciate any help on this.
Regards,
Kevin Price
7 years
security question
by Benjamin Garcia
Hello,
I would like to use Keycloak in my architecture, but I have (maybe) an issue in my design:
I have 3 applications:
- AngularJS apps for the frontend,
- a Scalatra API to respond to the frontend through HTTP and which asks the Spring Boot app for some data,
- a Spring Boot app for CRUD requests on databases.
I would like to transfer bearer authentication from the front to the Spring Boot app through the Scalatra API to ensure that a request sent to the DB is from the right user. I'm not really sure that's the right use case. Because, in my mind, if I use Keycloak, it's to not modify some part of my code base with security knowledge. But in this use case, I'm required to give the JWT token to all my stack (which is not really cool).
Does somebody know if I can do that or if a better way exists?
Regards
Benjamin Garcia
7 years