Lookup user by ID in more than one Identity provider (ID is not unique)
by Dominik Guhr
Hi there,
so I have the following scenario and hope you folks could help me out here:
I've got a webapp and we're switching from old db-based login to
keycloak. In our realm, we're federating the "old" userDB via an
implementation of the User Federation SPI, and we're using
spnego/kerberos authentication via federation of an Active Directory.
Lookup is:
1. userDB
2. AD
Now, use-case is as follows:
0. With kerberos-login, always use AD-login.
=> This works. :)
But: there may be the same ID ("john.doe") in AD and userDB, but with
different passwords. So, we want to achieve this:
1. When you use manual login (non-domain-pc or something), it should
make no difference which password you enter, you get logged in, as the
application itself doesn't care where you're from, it just needs the userdata.
So, one might argue "why are you using the old userDB at all, then -
you've got your AD, just use their data" - good question. But the userDB
aggregates another AD, which is out of "political reasons" not
accessible to us via keycloak identity federating / identity provider.
We're trying to change this, but as you might know, these processes cost
time.. time we do not have at the moment.
So to get concrete: I implemented the Federation SPI and I think my
starting point should be to change the overridden "getUserBy..."-
methods which I pasted here: https://pastebin.com/ddZTYMD4
Now, instead of just returning null when isEmpty(), entity == null etc.
is checked, my SPI impl. should be capable of calling the AD (possibly
more than one in future) and check the same credentials against the AD
database. And only if the user is not found in every provider, it should
return null.
So to be honest, I have no clue if this is
a) the correct place to start my call. Maybe isValid, though, since
the user ("john.doe") itself IS found, but the password doesn't match
b) where the correct point is (if any) where to change this and
c) how to make the call with my credentials to the AD, then.
Would be super happy if anyone could help me out here!
Best regards,
Dominik
6 years, 11 months
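One way to add the AD fallback inside the federation provider's isValid, so that a password accepted by either the userDB or the AD logs the user in (an added example against Keycloak's Java SPI, not Dominik's pastebin code or Keycloak's own; LegacyUserDao, the class name, the ldaps URL and the UPN suffix are assumptions):

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;

interface LegacyUserDao { boolean checkPassword(String username, String password); } // hypothetical stand-in for the userDB
public class LegacyDbStorageProvider implements UserStorageProvider, CredentialInputValidator {
    private final LegacyUserDao dao;
    private final String adUrl;      // assumed, e.g. "ldaps://ad.example.internal:636"; use LDAPS, never plain ldap://
    private final String upnSuffix;  // assumed, e.g. "@example.internal", appended to form the AD bind name
    public LegacyDbStorageProvider(LegacyUserDao dao, String adUrl, String upnSuffix) {
        this.dao = dao; this.adUrl = adUrl; this.upnSuffix = upnSuffix;
    }
    @Override public boolean supportsCredentialType(String type) { return CredentialModel.PASSWORD.equals(type); }
    @Override public boolean isConfiguredFor(RealmModel realm, UserModel user, String type) { return supportsCredentialType(type); }
    // Keycloak stops user lookup at the first provider that knows "john.doe", so the AD provider never
    // sees this login; the fallback therefore has to happen inside this provider's isValid.
    @Override public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) return false;
        String password = ((UserCredentialModel) input).getValue();
        // An empty password must never reach the bind: AD treats it as an anonymous bind that "succeeds".
        if (password == null || password.isEmpty()) return false;
        if (dao.checkPassword(user.getUsername(), password)) return true;       // 1. userDB
        return adBindSucceeds(adUrl, user.getUsername() + upnSuffix, password); // 2. AD
    }
    // Simple bind against AD with the user's own credentials; only a successful bind counts as valid.
    static boolean adBindSucceeds(String url, String upn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();  // bind succeeded: the AD password matches
            return true;
        } catch (NamingException e) {            // AuthenticationException (wrong password, locked account)
            return false;                        // or AD unreachable: fail closed in both cases
        }
    }
    @Override public void close() {}
}
```

Accepting either of two passwords for one identity doubles the secrets that grant that account, so keep AD lockout and Keycloak's brute-force detection enabled for it.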
Credential Reset Update Password | using secondary email address
by lists
Hi,
Keycloak 3.4.1, with federated ldap accounts.
The "Credential Reset" action "Update password" in keycloak admin sends
a password reset link to the user's primary email address.
But the reason for the Credential Reset usually *IS* (of course) the
fact that the user no longer knows his/her password, and therefore can no
longer access his/her email.
Therefore we would like this reset link to go to a secondary email address,
or perhaps be asked which email address to send the reset link to, perhaps
defaulting to the usual primary address, but with the option to send it
to another address.
Would this not be a useful enhancement for others as well? Would it be
worth submitting a feature request for? (or are we alone with this
'problem'?)
MJ
6 years, 11 months
Autologin with access token
by Domenico Briganti
Hi folks,
I have a question about access tokens. I admit that I didn't read the
OpenID Connect spec in toto :(
I have a mobile app that has an access token used for API invocation
and I need to open a webview to show a private page.
I've read that I need to set the state cookie
( http://lists.jboss.org/pipermail/keycloak-user/2016-October/007911.html )
with a redirect, and I can do it. But how can I get a code parameter from an access token?
Maybe there is another way to do it?
Thanks,
Domenico Briganti
6 years, 11 months
Load custom theme from module
by Marvin Oßwald
Hello,
if I'm registering my custom theme like this:
./keycloak/bin/jboss-cli.sh --command="module add --name=de.svg.keycloak.modules.keycloak-svg-theme --resources=keycloak-svg-theme-1.0.0.jar"
6 years, 11 months
Authentication fails for OTP user with kerberos
by Jochen Hein
I'm running FreeIPA and have users with and without OTP. OTP users
authenticate with RADIUS (Privacyidea manages the tokens). My final goal
is that users with a kerberos ticket can authenticate without password
and users without ticket get asked for password+OTP (when configured).
In FreeIPA a user is defined with password and radius authentication:
$ ipa user-show jochen
User login: jochen
...
Kerberos principal: jochen@EXAMPLE.ORG
...
User authentication types: password, radius
According to the FreeIPA docs LDAP bind works with password only, but
kerberos needs password+OTP. That works fine with sssd and other
applications.
I'm now running keycloak 3.4.2 and played with it. I've added a User
Federation with LDAP to my FreeIPA server and enabled "Allow Kerberos
Authentication". After that I can log in with my Kerberos ticket
without further authentication. If I don't have a Kerberos ticket
keycloak asks me for username and password - authentication works with
LDAP bind as long as "Use Kerberos For Password Authentication" is
disabled.
For a regular (non-OTP) user I can authenticate with a Kerberos ticket.
If the user does not have a Kerberos ticket, he is asked for username
and password as expected, and authentication is successful.
Another user with OTP-authentication in FreeIPA can also authenticate
with his Kerberos ticket.
If the OTP-user does not have a Kerberos ticket, keycloak asks for
username and password (as expected). If the user federation has "Use
Kerberos for Password Authentication" not selected, the user in
FreeIPA needs to have password+OTP (or password+RADIUS) allowed and
can authenticate against FreeIPA-LDAP with password only - that's not
what I want[1].
When I enable "Use Kerberos For Password Authentication" non-OTP users
can still authenticate, but OTP users can't. According to
https://www.freeipa.org/page/V4/OTP#How_to_Test
"Kerberos FAST is required for OTP operations." - and that's true.
If I just use kinit I get "Generic preauthentication failure while
getting initial credentials". The kerberos log has:
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NEEDED_PREAUTH: jochen@EXAMPLE.ORG for krbtgt/JOCHEN.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): preauth (encrypted_timestamp) verify failure: No matching key in entry
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.127: PREAUTH_FAILED: jochen@EXAMPLE.ORG for krbtgt/JOCHEN.ORG@EXAMPLE.ORG, Preauthentication failed
Debug log from keycloak:
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) [Krb5LoginModule] user entered username: jochen@EXAMPLE.ORG
2017-08-08 21:24:17,473 INFO [stdout] (default task-1)
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) [Krb5LoginModule] authentication failed
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) Pre-authentication information was invalid (24) - PREAUTH_FAILED
2017-08-08 21:24:17,606 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=jochen.org, clientId=account, userId=3ebc8518-a488-4dce-bd94-4a72c03a5ed9, ipAddress=192.168.yy.xx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://saml.jochen.org/auth/realms/jochen.org/account/login..., code_id=eefbcc3e-f581-465c-bc28-7e37fc939ae6, username=jochen@example.org
That looks like there is no FAST implemented, but that or Anonymous PKINIT
seems to be needed for OTP authentication through Kerberos:
https://www.freeipa.org/page/V4/OTP
https://www.freeipa.org/page/V4/Kerberos_PKINIT
On my systems the OTP-user can't kinit directly, but needs to "kinit -n"
first:
$ kinit otpuser
kinit: Pre-authentication failed: invalid argument while getting initial credentials
$ kinit -n
$ klist
Ticket cache: KEYRING:persistent:1004:1004
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
04.11.2017 18:31:20 05.11.2017 18:31:20 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
$ kinit -T KEYRING:persistent:1004:1004 otpuser
Enter OTP Token Value:
$ klist
Ticket cache: KEYRING:persistent:1004:krb_ccache_ZKhNrfE
Default principal: otpuser@EXAMPLE.ORG
Valid starting Expires Service principal
04.11.2017 18:31:48 05.11.2017 18:31:37 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
After some research I think that JDK doesn't implement FAST for now and
the tickets/messages I found looked like it will be some time until that
might be implemented (if ever).
Would it be possible to implement that in keycloak?
https://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/
has some python code that is implementing that for FreeIPA.
I've looked at
https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/...
but don't see how that might be implemented there...
I've already tried to add two providers to my user federation, LDAP and sssd.
sssd can authenticate my otpuser with password+OTP fine. But I couldn't
get authentication with a Kerberos ticket to work when I have both providers
active. Is that something that should work?
Any ideas?
Thanks,
Jochen
[1] password allows authentication to LDAP (no OTP). RADIUS or OTP
authenticates against Kerberos, which handles OTP and RADIUS
and needs password+OTP.
--
This space is intentionally left blank.
6 years, 11 months
Book on Keycloak?
by Thomas Isaksen
Hi
I found some good resources online, but I'm a book guy; is there a book on Keycloak?
./t
6 years, 11 months
ejb getCallerPrincipal() returning anonymous in Wildfly11
by JOSE INACIO DA SILVA JUNIOR
Hi,
I'm following the GettingStarted in the Keycloak documentation and everything works fine with Wildfly-10.1.0.
But in Wildfly-11.0.0, the following code prints: USER: anonymous in the console.
@Stateless
public class TesteService {
    @Resource private SessionContext sessionContext;
    public void run() {
        System.out.println("USER: " + sessionContext.getCallerPrincipal());
    }
}
What can I do to get my code working as expected with Wildfly11?
Thanks in advance!
Inacio
6 years, 11 months
kubernetes
by Simon Payne
Hi all,
I'm trying to get keycloak clustered on google cloud using KUBE_PING.
I have a starting keycloak server using docker based on the latest keycloak
and using kubernetes-0.9.3
However, I get the message:
[org.jgroups.protocols.kubernetes.KUBE_PING] (ServerService Thread Pool --
51) namespace not set; clustering disabled
I can't figure out how to add the namespace - all examples are using
infinispan which uses different markup to keycloak.
My standalone-ha uses <protocol type="kubernetes.KUBE_PING"/>
If I add any additional attributes on this tag then keycloak fails to start.
Any help would be appreciated.
thanks
Simon.
6 years, 11 months
Keycloak, OpenShift and custom themes
by Anton
Hello
I'm trying to figure out how best to deploy Keycloak in OpenShift - and deploy
one or more themes into keycloak.
I am looking at the following approaches:
*Build from Source*
Build KC from source, and have the custom theme in the same repo. If I fork
https://github.com/keycloak/keycloak and add themes to this, perhaps I can
build and deploy using the java s2i image. So far I have not been able to
get this to work. And the resulting image is much bigger than it needs to be - as
it builds everything in the repo.
*Chained Builds*
It is possible to do a Chained Build
(https://blog.openshift.com/chaining-builds/); however, if I use an existing
KC docker image, for example
https://hub.docker.com/r/jboss/keycloak-openshift/tags/, I'm not clear on
how I can have another step in the build process that will fetch, build and
deploy a theme.
Any help and suggestions are greatly appreciated.
-Anton
6 years, 11 months
infinite redirect with KeycloakOIDCFilter
by Thomas Isaksen
I have this in web.xml but I am getting an infinite redirect after logon:
<filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.servlet.KeycloakOIDCFilter</filter-class>
    <init-param>
        <param-name>keycloak.config.skipPattern</param-name>
        <param-value>^(example1|example2|whatever).*</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/keycloak/*</url-pattern>
    <url-pattern>/protected/*</url-pattern>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Fiddler:
I have attached a fiddler archive if anyone could have a look at it and figure out what's going on it would be great.
Thanks
--
Thomas Isaksen
6 years, 11 months