Possibility to set new Provider in authentication flow for non-unique usernames
by Dominik Guhr
Hi everyone,
I'm implementing an authentication SPI execution on top of the "normal"
username/password form of kc 3.4.3.Final. ->
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Sadly, usernames are not unique atm, so I need to change the execution so
that it doesn't stop with "invalid credentials" for a user who was
found in one Provider.
Instead of giving the "invalid credentials" error, I want my execution
to first check all other providers for the same username, and then check
the credentials against all matches. Only if no credentials match should
it fail; otherwise it should log in a new session for this user when one
is found in any of my (3) Providers, which are added by the user federation
feature (2 ADs, one by a custom user storage SPI).
So I drilled it down to the method validatePassword(...) in
AbstractUsernameFormAuthenticator.java ->
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
line 191, which I want to change accordingly. Sadly, I can't find a
method to get all Providers of the realm and check accordingly. The code
I want to change is:
    if (password != null && !password.isEmpty() &&
            context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
        return true;
    } else {...}
Instead of just checking isValid() for one provider, which is what this
does atm, I want to check all Providers, like this pseudocode:
    if (password != null && !password.isEmpty()) {
        // hypothetical: getAllProviders() does not exist, it stands for
        // "every user storage provider of the realm"
        List<Provider> realmProviders = context.getAllProviders();
        for (Provider provider : realmProviders) {
            // accept as soon as one provider validates the credentials
            if (provider.isValid(...)) {
                return true;
            }
        }
        return false;
    } else {...}
Could anyone perhaps give me a hint on how to achieve this? I haven't
found a method yet to get all Providers and check isValid in any of
the given ones.
Best regards,
Dominik
p.s. I created a Stack Overflow question here:
https://stackoverflow.com/questions/48399622/keycloak-check-password-in-m...
feel free to comment/answer there :)
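As an added example (mine, not Dominik's code and not code from Keycloak itself), the helper below shows the shape of a cross-provider check that a custom authenticator derived from AbstractUsernameFormAuthenticator could call instead of the single isValid() call quoted above. The class and method names are assumptions; `RealmModel.getUserStorageProviders()` and `UserStorageManager.getStorageProviderInstance(...)` are how I remember the 3.x code base and should be checked against 3.4.3.Final before use. The security-relevant detail is that the loop does not stop at the first provider that knows the username, only at the first provider whose credential check succeeds, so a wrong password gives the same result whichever provider holds the account, and the user that is finally logged in is bound explicitly to the provider that validated.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.credential.CredentialInput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Added example, not part of Keycloak: resolves a non-unique username across all
 * user storage providers of the realm and returns the user whose provider
 * validated the password.
 */
public final class MultiProviderPasswordCheck {

    /** Which user (and therefore which provider) accepted the password. */
    public static final class Match {
        public final UserModel user;
        public final String providerComponentId;

        Match(UserModel user, String providerComponentId) {
            this.user = user;
            this.providerComponentId = providerComponentId;
        }
    }

    /**
     * Returns a Match for the first provider (in realm order) that both knows the
     * username and validates the password, or null when no provider does.
     * Providers that know the username but reject the password are skipped, not
     * treated as a final "invalid credentials" result.
     */
    public static Match findUserWithValidPassword(AuthenticationFlowContext context,
                                                  String username, String password) {
        if (username == null || password == null || password.isEmpty()) {
            return null;
        }
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        CredentialInput credentials = UserCredentialModel.password(password);

        // Assumption: getUserStorageProviders() lists the federation providers
        // (the two ADs and the custom storage SPI) configured on the realm.
        for (UserStorageProviderModel model : realm.getUserStorageProviders()) {
            // Assumption: this static lookup returns the provider instance if it
            // implements UserLookupProvider, or null otherwise.
            UserLookupProvider lookup =
                    UserStorageManager.getStorageProviderInstance(session, model, UserLookupProvider.class);
            if (lookup == null) {
                continue;
            }
            UserModel candidate = lookup.getUserByUsername(username, realm);
            if (candidate == null) {
                continue;
            }
            // The credential manager routes the check to the provider that owns
            // the candidate (its id carries the storage component id), so each
            // candidate is validated against its own backend.
            if (session.userCredentialManager().isValid(realm, candidate, credentials)) {
                return new Match(candidate, model.getId());
            }
        }
        return null;
    }

    private MultiProviderPasswordCheck() {
    }
}
```

In an authenticator this would replace both the user lookup and the password step: call `findUserWithValidPassword` with the username from the form, on null fall through to the existing invalid-credentials handling, and on a match call `context.setUser(match.user)` before returning true. Because two different people may share a username across providers, the entered password is what decides which identity is logged in; record `providerComponentId` with the login event so that such logins can be audited.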
6 years, 11 months
How to configure keycloak with NGINX for J2EE web application?
by subodhomjoshi82
How was my web application previously set up with Keycloak?
- Installed Keycloak on the server machine.
- Deployed the web application in the JBoss server.
- Added the Keycloak certificate to the Java keytool on the machine
where the web app is running.
- Made the following changes in the standalone.xml file of JBOSS ES6.4:
*Added Extension*
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>
*Added security-domain*
    <security-domain name="keycloak">
        <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
        </authentication>
    </security-domain>
*Added Connector*
    <connector name="https" protocol="HTTP/1.1" scheme="https"
               socket-binding="https" enable-lookups="false" secure="true">
        <ssl name="ssl" key-alias="initcert" password="keycloak"
             certificate-key-file="C:\Code_Base\keycloak_certificates\keycloak_server\keycloak.jks"
             protocol="TLSv1,SSLv3,SSLv2" verify-client="false"/>
    </connector>
*Add SubSystem*
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
        <secure-deployment name="MyApp.war">
            <realm>MYRealm</realm>
            <resource>MyApp</resource>
            <use-resource-role-mappings>true</use-resource-role-mappings>
            <auth-server-url>https://<Server IP>/auth/</auth-server-url>
            <ssl-required>NONE</ssl-required>
            <credential name="secret">5c9f6ea3-3448-4569-b6c4-a9e62de4db52</credential>
        </secure-deployment>
    </subsystem>
So the above changes work fine: my web application shows the Keycloak login
page and after a successful login it shows my web app's home page.
Now my requirement is to run Keycloak in HA mode with the NGINX load balancer, so
NGINX will be the front end and will decide which Keycloak to point to
when hitting https://<NGINX IP ADDRESS>/auth; the below things are already done.
*What is already done?*
- Installed HA Keycloak on Node1 and running.
- Installed HA Keycloak on Node2 and running.
- Installed the common database (used by the above Keycloaks) on Node3 and running.
- Installed NGINX on Node4 and running.
- Configured both Keycloaks (Step 1 and Step 2) with NGINX.
Now the NGINX URL (https://<IP ADDRESS>/auth) shows the Keycloak login page
and login is also working.
Now can someone please tell me what changes I have to make in JBoss so it will
work with the new setup?
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
6 years, 11 months
Fwd: Question : VUEJS + keycloak-js
by Christophe Lehingue
Hello everyone,
I have a malfunction concerning keycloak-js with the 'vuejs' ecosystem.
I can connect, but I have to make another connection to access the USER
information.
Let me explain:
1) first connection
[image: inline image 1]
At this stage the connection is good, but I cannot access the user info
(and other things): I have these errors
[image: inline image 2]
I have to click again on my button "se connecter" to be able to retrieve
the desired info.
Do you have a solution?
Sorry for my English, but unfortunately I am French.
Regards,
Christophe
6 years, 11 months
Keycloak 1.7's static resources broken after :reload
by Andrea Scarpino
Hi there,
I know 1.7 is really really really old, but I would like to know the
reason behind this behaviour.
Invoking ":reload", to restart the application server, breaks Keycloak's
static resources. A second ":reload" in a row solves that. A third time
will break it again, and so on :-)
To reproduce, download and unzip 1.7.0.Final, setup HTTPS, start the
application server and try to fetch a static resource (e.g.
https://localhost:8443/auth/welcome-content/keycloak_logo.png). Now
:reload the application server (jboss-cli.sh --connect
--command=:reload) and try to fetch the same resource (or any other);
the request returns 404 and an exception is logged:
ERROR [io.undertow.request] (default task-25) UT005023: Exception
handling request to /auth/welcome-content/keycloak_logo.png:
java.lang.RuntimeException: request path:
/auth/welcome-content/keycloak_logo.png
To me, it looks like the request output stream is closed before the
data is sent to the client.
Stacktrace is attached.
Did you ever see something like that?
Thank you in advance for your help.
Note: I cannot reproduce this with >= 1.8.0.Final, so this has
already been fixed somewhere, but I would like to know where. I cannot
reproduce it with WildFly 9.0.2.Final either.
6 years, 11 months
Re: [keycloak-user] [keycloak-dev] WG: How to generate a token string in a custom keycloak extension?
by Thomas Darimont
Moving this discussion to keycloak-user.
The functionality you are trying to build is also known as "magic-link",
e.g. as used by services like slack.
There is an open feature request for that in JIRA:
https://issues.jboss.org/browse/KEYCLOAK-1942
Note that while this is very convenient to use, it can be exploited quite
badly, as mentioned in the JIRA issue.
Cheers,
Thomas
2018-01-23 16:46 GMT+01:00 Felix Peters <peters(a)develop4edu.de>:
> Thanks for your quick response.
>
> I try to implement a prototype of a password-free authenticator like it
> was mentioned in this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2015-October/003387.html
>
> My current approach is to create a token on a rest endpoint and validate
> this token in a custom authenticator.
>
> It's just a POV, but I think an ActionToken can do the job.
>
> I was googling around for an existing solution for password-free login
> with Keycloak, but could not find something like that.
>
> Greetings,
> Felix
>
> *From:* Thomas Darimont [mailto:thomas.darimont@googlemail.com]
> *Sent:* Tuesday, 23 January 2018 15:48
> *To:* Felix Peters <peters(a)develop4edu.de>
> *Cc:* keycloak-dev(a)lists.jboss.org
> *Subject:* Re: [keycloak-dev] WG: How to generate a token string in a
> custom keycloak extension?
>
> Hello Felix,
>
> What's your use case?
>
> Keycloak provides action tokens that permit their bearer to perform some
> actions, e.g. to reset a password or validate an e-mail address.
>
> Perhaps you could have a look at the action tokens SPI:
> http://www.keycloak.org/docs/3.3/server_development/topics/action-token-spi.html
>
> Keycloak's OIDC Tokens (AccessToken, RefreshToken, IDToken) are generated
> within org.keycloak.protocol.oidc.TokenManager and exposed
> via the org.keycloak.protocol.oidc.endpoints.TokenEndpoint. Tokens can be
> verified via the org.keycloak.RSATokenVerifier.
>
> Cheers,
> Thomas
>
> 2018-01-23 15:29 GMT+01:00 Felix Peters <peters(a)develop4edu.de>:
>
> Hi,
>
> I'm pretty new to Keycloak development and at the moment I'm trying to
> develop some demo extensions to learn how SPIs and stuff like that work in
> Keycloak.
>
> My question is:
> Is there a util or helper class which I can use to generate a secure
> token string in my extension code (pretty much the same as an OAuth access
> or refresh token)?
> I was not able to find something in the Keycloak code, but maybe there is
> something like that.
> Thank you in advance,
> Felix Peters
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
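Felix asks for a helper that generates a secure token string, and Thomas points out that a magic link can be exploited badly. As an added example (mine, not Keycloak's ActionToken SPI and not code from this thread), the class below shows the properties such a token needs regardless of how it is issued: 256 bits from SecureRandom, a short lifetime, single use, and only a hash kept server-side so that a leaked table yields no usable links. Class, method and field names are assumptions, and the in-memory map stands in for the database or cache a real deployment would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, independent of Keycloak: issuance and redemption of a
 * single-use, short-lived login token of the kind a "magic link" carries.
 */
public final class OneTimeLoginToken {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder URL_B64 = Base64.getUrlEncoder().withoutPadding();

    private static final class Pending {
        final String userId;
        final Instant expiresAt;

        Pending(String userId, Instant expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    /** Keyed by SHA-256 of the token: the clear-text token exists only in the link sent out. */
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Duration lifetime;
    private final Clock clock;

    public OneTimeLoginToken(Duration lifetime, Clock clock) {
        this.lifetime = lifetime;
        this.clock = clock;
    }

    /** Issues a 256-bit random token bound to userId; the caller delivers it out of band (e-mail). */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = URL_B64.encodeToString(raw);
        pending.put(sha256(token), new Pending(userId, clock.instant().plus(lifetime)));
        return token;
    }

    /**
     * Redeems a token. Returns the bound userId, or null if the token is unknown,
     * already used or expired. The entry is removed before any check, so a token
     * can never be redeemed twice, and an expired one is gone after the first try.
     */
    public String redeem(String token) {
        if (token == null) {
            return null;
        }
        Pending p = pending.remove(sha256(token));
        if (p == null) {
            return null;
        }
        if (clock.instant().isAfter(p.expiresAt)) {
            return null;
        }
        return p.userId;
    }

    /** Tokens issued but not yet redeemed; worth exporting as a metric. */
    public int outstanding() {
        return pending.size();
    }

    private static String sha256(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return URL_B64.encodeToString(md.digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    public static void main(String[] args) {
        OneTimeLoginToken tokens = new OneTimeLoginToken(Duration.ofMinutes(10), Clock.systemUTC());
        String t = tokens.issue("user-123");
        System.out.println("first redeem:  " + tokens.redeem(t)); // user-123
        System.out.println("second redeem: " + tokens.redeem(t)); // null, single use
    }
}
```

Binding the token to a user id at issuance, rather than embedding the user in the link, means that whoever redeems a token gets exactly the account it was minted for and nothing else; the lifetime keeps a forwarded or logged link from staying valid indefinitely, which is the exposure the JIRA issue Thomas cites is about.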
6 years, 11 months
Pre-delete event (again)
by Hammarberg, Daniel
Hello all,
We are using Keycloak’s event mechanism to listen to create/update/delete events in Keycloak and pass them on to an MQ bus that is consumed by Siebel. Now, we have stumbled upon the problem described in the post below, namely that the delete event is passed after the user is deleted, making it impossible to read the user’s attributes from KC.
The only thing that got fixed in the referenced bug report was that email was added to the delete event headers, which is not enough for us: The integration we have with Siebel is requiring the Siebel ID, which we have as an attribute on the user.
My question is: Is it in any way possible to hook into the Keycloak delete event before the user is deleted or to read user attributes after receiving the delete event?
Regards
/Daniel
The post I reference to above is:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006626.html
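As an added example (mine, not Daniel's code and not Keycloak's own), one way to reach the user before the delete completes is to subscribe to Keycloak's internal UserModel.UserRemovedEvent from the event listener factory's postInit, instead of waiting for the DELETE admin event that arrives once the user is gone. The factory, sink and attribute names are assumptions (`siebelId` is a placeholder for the real attribute), and I assume, from the Keycloak versions I have worked with, that the UserModel carried by that event is still readable when listeners run; verify that against your version before relying on it.

```java
import java.util.HashMap;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderEvent;

/**
 * Added example, not Keycloak code: an event listener factory that captures a
 * user's attributes from UserModel.UserRemovedEvent, which carries the UserModel,
 * rather than from the later DELETE admin event, which carries only the id path.
 */
public class UserRemovedNotifierFactory implements EventListenerProviderFactory {

    private static final Logger LOG = Logger.getLogger(UserRemovedNotifierFactory.class);

    /** Hypothetical bridge to the MQ bus; the real transport is outside this example. */
    public interface MessageSink {
        void send(Map<String, String> message);
    }

    /** Placeholder name of the custom user attribute carrying the Siebel ID. */
    static final String SIEBEL_ID_ATTRIBUTE = "siebelId";

    private MessageSink sink = message -> LOG.infov("user removed: {0}", message);

    public void setSink(MessageSink sink) {
        this.sink = sink;
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // ProviderEventListener has a single onEvent(ProviderEvent) method.
        factory.register(this::onProviderEvent);
    }

    void onProviderEvent(ProviderEvent event) {
        if (!(event instanceof UserModel.UserRemovedEvent)) {
            return;
        }
        UserModel.UserRemovedEvent removed = (UserModel.UserRemovedEvent) event;
        sink.send(buildMessage(removed.getRealm().getName(), removed.getUser()));
    }

    /** Flattens the fields the downstream system needs into a string map. */
    static Map<String, String> buildMessage(String realmName, UserModel user) {
        Map<String, String> message = new HashMap<>();
        message.put("realm", realmName);
        message.put("userId", user.getId());
        message.put("username", user.getUsername());
        message.put("email", user.getEmail());
        message.put("siebelId", user.getFirstAttribute(SIEBEL_ID_ATTRIBUTE));
        return message;
    }

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new EventListenerProvider() {
            @Override
            public void onEvent(Event event) {
                // login/logout events are not needed for this integration
            }

            @Override
            public void onEvent(AdminEvent event, boolean includeRepresentation) {
                // Arrives after the user is deleted; only the resource path and headers remain.
                LOG.debugv("admin event {0} on {1}", event.getOperationType(), event.getResourcePath());
            }

            @Override
            public void close() {
            }
        };
    }

    @Override
    public void init(Config.Scope config) {
    }

    @Override
    public void close() {
    }

    @Override
    public String getId() {
        return "user-removed-notifier";
    }
}
```

The factory is registered like any other event listener, through a META-INF/services/org.keycloak.events.EventListenerProviderFactory entry; the ProviderEventListener registered in postInit fires for every realm, so the message carries the realm name to let the consumer filter.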
6 years, 11 months
Session Configuration Per Client
by Scott Finlay
Hi,
We're currently using Keycloak 2.5.5.Final, and in this version the token lifetimes and session max and idle times can only be configured per realm. We have clients accessing the same user base via apps and via a website, and it would be nice if we could handle these different channels differently. Is it possible in the latest version of Keycloak to configure these on a client basis rather than per realm? Or if not, would it be possible to introduce this functionality?
Regards,
Scott
6 years, 11 months
Login on behalf
by Michael Hunziker
Hi!
I'm struggling with the following problem:
I am developing two apps (an iOS phone app for teachers and a web app for
students running on tablets).
Obviously the teacher (role TEACHER) is the master. I don't want the
students (role STUDENT) to login on their tablets, the teacher should login
on the tablet "as" the student.
Here's what I came up with so far:
- realm role "TEACHER"
- user "testTeacher" with realm role "TEACHER"
- client "teacher-ios-app"
- client "student-web-app"
I'm not sure how to handle the students. In one way they are "users" but
they are not really allowed to login themselves on their devices, only a
teacher should be allowed to do this.
Have you ever done something like this?
Cheers Michael
6 years, 11 months
Keycloak and Timesten DB integration
by Upananda Singha
Hi,
I have been experimenting with Keycloak version 3.4 for our OIDC related
use cases.
Would like to know if Keycloak supports integration with Timesten Database
(Oracle Timesten).
It would be great if someone can provide some details on it.
Thanks & Regds,
Upananda
6 years, 11 months