Collaboration of Impersonate and Javascript-Adapter
by SW
I got an application which is secured by the Keycloak-Javascript-Adapter.
I need some admins which can impersonate as the user, and I was thinking to
do this with.., you guessed it right: impersonate.
I saw that impersonate is setting some cookies like KEYCLOAK_IDENTITY.
What changes need to be made to make both collaborate: impersonate and the
javascript adapter?
Thx for any attempt to solve that puzzle,
Sebastian
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
6 years, 11 months
Version 2.5.0 Java client cannot handshake with SSL SAN certificates?
by Bill Burton
Hello,
I'm having an issue where after a user successfully logs in to the
application, the Java client tries to connect to the Keycloak server to get
the token verified and fails with the user seeing the text, "Forbidden" in
the browser. In the server.log is the following:
2017-12-14 23:48:17,671 WARN [org.keycloak.events] (default task-18) type=CODE_TO_TOKEN_ERROR, realmId=MyRealm, clientId=my-client-1, userId=5d019b47-59dd-46f4-8c31-8c280c5ba31a, ipAddress=10.65.15.22, error=invalid_code, grant_type=authorization_code, code_id=dc589b79-7ebc-4a73-a842-0ac988eb4cec, client_auth_method=client-secret
2017-12-14 23:48:17,674 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper commit
2017-12-14 23:48:17,676 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
2017-12-14 23:48:17,685 INFO [stdout] (default task-18) default task-18, WRITE: TLSv1.2 Application Data, length = 316
2017-12-14 23:48:17,794 INFO [stdout] (default task-12) default task-12, READ: TLSv1.2 Application Data, length = 552
2017-12-14 23:48:17,806 INFO [stdout] (default task-12) default task-12, called close()
2017-12-14 23:48:17,806 INFO [stdout] (default task-12) default task-12, called closeInternal(true)
2017-12-14 23:48:17,806 INFO [stdout] (default task-12) default task-12, SEND TLSv1.2 ALERT: warning, description = close_notify
2017-12-14 23:48:17,807 INFO [stdout] (default task-12) default task-12, WRITE: TLSv1.2 Alert, length = 26
2017-12-14 23:48:17,807 INFO [stdout] (default task-12) default task-12, called closeSocket(true)
2017-12-14 23:48:17,807 INFO [stdout] (default task-12) default task-12, called close()
2017-12-14 23:48:17,807 INFO [stdout] (default task-12) default task-12, called closeInternal(true)
2017-12-14 23:48:17,807 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-12) failed to turn code into token
2017-12-14 23:48:17,807 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-12) status from server: 400
2017-12-14 23:48:17,807 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-12) [unintelligible garbage]
It's my understanding this is happening when the Java client attempts to
connect to the Keycloak server via SSL and always fails in a manner similar
to the above. Sometimes an exception is thrown with:
017-12-14 11:00:50,865 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Both the Java client and Keycloak server are at version 2.5.0 and deployed
into Wildfly 10.0. The Oracle server JDK 1.8.0 build 144 is used all around
running on RedHat Linux 6.5.
The best I can tell is the SSL handshake is failing due to a certificate
name mismatch even though I have the certificate and CA of the Keycloak
server imported into the truststore used by the Java client.
The SSL certificate used has SAN (Subject Alternative Name) entries for
many DNS entries. It's defined something like:
CN=abc.com
dnsName=abc.com
dnsName=def.com
dnsName=ghi.com
[about 40 DNS entries in total]
For the purpose of this example, the Keycloak server is deployed to
def.com which
is different than what's defined with the CN. When the Java Keycloak client
in the same LAN attempts to connect to https://def.com/auth passing the
token, this results in a *CODE_TO_TOKEN_ERROR* with the error,
*invalid_code*.
However, when using a regular non-SAN self-signed certificate in a testing
environment where CN=def.com matches the DNS of the Keycloak server, the
SSL handshake works successfully and there is no issue.
The certificate was created using the letsencrypt.org CA - not that it
would make any difference who the CA was.
Due to limitations of the production environment I'm constrained to, using
a non-SAN or dedicated certificate is not an option, so I need to find a way
to get Keycloak to work with SAN certificates.
I've spent a bit of time looking through all the current and past issues
filed for Keycloak and have not found any issues that appear to be related
to this issue.
Have also looked through the Git commit history on github.com in the master
branch back to 2.5.0 and not found much of anything that could be related
to this issue.
Upgrading to a newer version of the Keycloak client is not so simple as the
application software vendor ships their product based on Wildfly 10.0,
Keycloak client and server 2.5.0 plus their own integration support already
configured in a single archive. Depending on how the archive is deployed
and configured, it takes on different roles.
In any case, I've tried to upgrade the client first to 2.5.5 and then to
3.4.3 but was unsuccessful in executing the .cli scripts either online or
offline. Probably my mistake was I didn't remove the existing Keycloak
client configuration in standalone.xml. However, if any of the vendor code
that integrates with the Keycloak client has to be updated to work with the
3.x releases I don't have access to it.
Thank you for any input,
-Bill
6 years, 11 months
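The certificate layout in the SAN post above (CN=abc.com, with def.com among the dNSName entries) can be checked against the name-matching rule a TLS client applies: when dNSName SAN entries are present only they are compared with the host that was connected to, and the CN is consulted only if the certificate has no dNSName SAN. This is an added Python example, not code from the thread or from Keycloak; the certificate dict is constructed to mirror the shape Python's ssl.SSLSocket.getpeercert() returns, and dns_name_matches and hostname_matches are names chosen here.

```python
# Hostname verification as a TLS client performs it: when a certificate carries
# subjectAltName dNSName entries, only those are matched against the host the
# client connected to; the subject CN is consulted only if no dNSName SAN exists.
# The dict layout mirrors what Python's ssl.SSLSocket.getpeercert() returns.

# Constructed certificate shaped like the one in the post: CN=abc.com with a
# list of dNSName SANs, while the Keycloak server is reached as def.com.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "abc.com"),),),
    "subjectAltName": (("DNS", "abc.com"), ("DNS", "def.com"), ("DNS", "ghi.com")),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # The wildcard must be the entire leftmost label and must not cover a TLD.
    if labels[0] != "*" or len(labels) < 3 or "*" in ".".join(labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert, hostname):
    """Return (ok, reason) for the name-matching half of certificate validation.
    Chain trust (the 'PKIX path building failed' case) is a separate check."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        for name in dns_names:
            if dns_name_matches(name, hostname):
                return True, "matched SAN dNSName %s" % name
        return False, "no SAN dNSName matches %s (CN is ignored when SAN is present)" % hostname
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if dns_name_matches(value, hostname):
                    return True, "matched CN %s (certificate has no dNSName SAN)" % value
                return False, "CN %s does not match %s" % (value, hostname)
    return False, "certificate carries neither a dNSName SAN nor a CN"


if __name__ == "__main__":
    for host in ("def.com", "abc.com", "xyz.com"):
        print(host, hostname_matches(CONSTRUCTED_CERT, host))
```

The SSLHandshakeException quoted in the post ("PKIX path building failed") is raised by chain validation against the truststore, which this block deliberately does not model.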
Getting Permissions from RPT
by Chandran Soundrapandian
Hi,
I am evaluating keycloak and trying out the following scenario:
The system has a resource
1. "Contact"
and two client roles
1. Admin
2. Trainee
The "Admin role" can create, view, edit and delete the "contact resource"
The "Trainee Role" can create and view "contact resource"
Followed these steps to set up the resource server:
1. Created a resource "Contact"
2. Created scopes "create, view, edit and delete"
3. Created role based policy with Admin Role - "Contact Admin Policy"
4. Created role based policy with Trainee Role - "Contact Trainee Policy"
5. Created Scope based permission "Contact Admin Permission" with all the
scopes (Create, View, Edit, Delete) and associated it with the "Contact Admin
Policy"
6. Created Scope based permission "Contact Trainee Permission" with create
and view scopes and associated it with the "Contact Trainee Policy"
After this setup, I use the following Authz client code to try to display
the permissions associated with the user:
// Imports as found in the Keycloak authz client / core artifacts (package names
// assumed from the 3.x client; the post does not show them).
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.Permission;

// Reads keycloak.json from the classpath for the resource server's client credentials.
AuthzClient authzClient = AuthzClient.create();
// Log in as the user whose permissions are being inspected.
String accessToken = authzClient.obtainAccessToken("UserName", "UserPassword").getToken();
// Ask the entitlement API for every permission this user holds on the resource server.
EntitlementResponse response = authzClient.entitlement(accessToken).getAll("Client ID");
String rpt = response.getRpt();
// Introspect the RPT to see which resources and scopes were actually granted.
TokenIntrospectionResponse requestingPartyToken =
        authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");
for (Permission granted : requestingPartyToken.getPermissions()) {
    System.out.println(granted);
}
For admin I get:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Edit, Contact:Delete]}
whereas the expected is:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Create, Contact:View, Contact:Edit, Contact:Delete]}
For Trainee I get:
- Nothing
whereas the expected is:
Permission {id=778e76d4-dc06-4e98-a213-fd7f22975ab7, name=Contact,
scopes=[Contact:Create, Contact:View]}
Would you please let me know what I am doing wrong, or how to set up the
resource server to get the expected output?
Thanks
-Chandran
6 years, 11 months
Max no of realms + users suitable
by Dieter Dirkes
Hi there,
I know that Stian once said Keycloak will probably work very well with more
than 10 realms (
http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html).
*My problem:* a vendor is developing and operating callcenter software for
~800 customer companies. Their products are multi-tenant capable, so each
product could easily select the correct realm to use for authentication
(based on the email domain of the user).
I have added 500 realms with 50 users each to a single Keycloak instance
and it gets really slow in the admin UI, even though the OIDC calls themselves
are doing fine (and yes: I've increased the memory of the JVM already).
Any suggestions how to handle this? (Setting up 500 Keycloaks on Docker
does not sound like the best way.)
- Dieter
6 years, 11 months
Release cadence
by Stian Thorgersen
Up until now we've released Keycloak roughly every 6 weeks. We're now
switching to 3 week sprints, which opens up the possibility to change how
frequently we release Keycloak.
We could keep it at 6 weeks (release every other sprint), do a release
every 3 weeks or release less frequently (9 weeks perhaps).
Thoughts?
6 years, 11 months
Getting my sessionId through REST?
by SW
How can I get the current sessionId that I am working with?
For example, I am authenticating through an admin user in my
keycloak-admin-library; now I can get the sessions that are linked to the
user with GET /{realm}/users/{id}/sessions.
But I cannot determine which ID is the one I am currently using. Is there
a way to achieve this?
6 years, 11 months
Impersonate - Change of token?
by SW
When I am calling the function with the keycloak-admin-client I am getting a
redirect-uri and sameRealm in the JSON object.
When I am calling keycloak.tokenManager().getAccessToken(), I thought that
my token should change, since I am impersonating the user, and that I should,
for example, get the attributes of the user through the token.
6 years, 11 months
Adding custom HTTP request attribute after successful keycloak login in custom Authenticator or User Storage Provider?
by Juan Pablo Perata
Hi all,
I developed a custom User Storage Provider which allows federating users
from an external database.
I would like to know if it is possible to add a custom attribute to the
HTTP request after successful login, in a similar way to how the
KeycloakSecurityContext instance is set in the attribute
"KeycloakSecurityContext.class.getName()" (for example in the keycloak class
ServletRequestAuthenticator.java).
It would be really good to do that in the User Storage Provider or a custom
authenticator.
Context:
I need to set up roles for the authenticated user after successful login,
but before entering the application.
Keycloak roles do not fit my needs. So it would be good to add this bunch
of roles in a custom HTTP attribute.
I would appreciate it if somebody has faced this and has a cute solution to it
:slightly_smiling_face:
Thanks in advance,
6 years, 11 months