Keycloak Modules developed for the Cloudtrust project
by Doswald Alistair
Hello,
I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are:
* keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for Keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers.
* keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases.
* keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. Currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but a solution to the issue.
* keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!).
Cheers,
Alistair
PS: I'm mailing this both dev and user mailing lists as I believe it may interest members of both mailing lists
6 years
How to get access token with SPNEGOAuthenticator?
by ola rob
Hi,
For some legacy reasons, we are using the Keycloak API/services for
authentication but not redirecting our application to Keycloak. We are able
to get an access token and a refresh token (AccessTokenResponse.class) when we
authenticate using the login API by sending username and password. But we are
unable to get them when authenticating using a SPNEGO token.
The SPNEGOAuthenticator class doesn't return any access token after
successful authentication. We need these tokens to manage our application
session internally. So, how can we get access and refresh token or response
similar to username password authentication?
SPNEGOAuthenticator spnegoAuthenticator = new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
spnegoAuthenticator.authenticate();
if (spnegoAuthenticator.isAuthenticated()) {
    // returns the username correctly
    String username = spnegoAuthenticator.getAuthenticatedUsername();
}
Thanks in advance!
6 years
StackOverflowError when listing federated identities
by Wyllys Ingersoll
Using Keycloak 4.6.0.Final, when I query for all users in a realm which is
federated to an AD domain (only about 25 users in the domain), it pretty
consistently throws exceptions (see below).
Oddly enough, if I add the parameter "briefRepresentation=true", the list
is returned successfully. I can query for individual users just fine
(brief or full).
This was not an issue in 4.5.0; I'm only seeing it now that I upgraded to 4.6.0.
Possibly a memory issue, but it's hard to tell.
Any ideas?
thanks,
Wyllys Ingersoll
21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError
    at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    at com.sun.proxy.$Proxy92.find(Unknown Source)
    at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520)
    at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:369)
    at org.keycloak.models.cache.infinispan.UserAdapter.getUserModel(UserAdapter.java:399)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:42)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    ...
6 years
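The trace above is the typical shape of a delegate-chain recursion: the same frames (CachedUser, UserAdapter, UserModelDelegate, the MSAD delegate, DefaultLazyLoader) come back in a fixed order until the stack is exhausted. The script below is an added example, not code from the thread or from Keycloak: it parses a constructed, shortened copy of the trace (same class and method names as above, fewer UserModelDelegate repetitions), confirms it is a StackOverflowError, and extracts the repeating unit of frames so an operator can see which components are calling each other in a loop without reading thousands of lines. The sample text and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the frames in the trace above (shortened:
# two UserModelDelegate frames per iteration instead of five).
SAMPLE_TRACE = """\
21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError
    at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source)
    at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    ...
"""

# A Java frame: "at <class.method>(<file:line> | Unknown Source)"
FRAME_RE = re.compile(r"^\s*at\s+([^\s(]+)\((.*)\)\s*$")


def parse_frames(text):
    """Return the fully qualified class.method of every 'at ...' line, in order."""
    return [m.group(1) for m in (FRAME_RE.match(l) for l in text.splitlines()) if m]


def find_cycle(frames):
    """Find the repeating unit of frames.

    For each frame that recurs later, the frames between its first and second
    occurrence are a candidate unit; the candidate that covers the longest
    stretch of the trace by consecutive repetition wins, so a single frame
    that merely appears twice in a row does not mask the real loop.
    Returns {'start', 'unit', 'repeats'} or None.
    """
    best = None
    for start, frame in enumerate(frames):
        for nxt in range(start + 1, len(frames)):
            if frames[nxt] != frame:
                continue
            length = nxt - start
            unit = frames[start:nxt]
            repeats = 1
            while frames[start + repeats * length:start + (repeats + 1) * length] == unit:
                repeats += 1
            if repeats >= 2 and (best is None or repeats * length > best[0]):
                best = (repeats * length, start, unit, repeats)
            break  # only the first recurrence defines this frame's candidate unit
    if best is None:
        return None
    return {"start": best[1], "unit": best[2], "repeats": best[3]}


def analyze(text):
    """Summarise a log excerpt: overflow flag, frame count, hottest frames, cycle."""
    frames = parse_frames(text)
    return {
        "stack_overflow": "java.lang.StackOverflowError" in text,
        "frame_count": len(frames),
        "top_frames": Counter(frames).most_common(3),
        "cycle": find_cycle(frames),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    print("StackOverflowError:", report["stack_overflow"])
    if report["cycle"]:
        print("repeating unit (%d frames, seen %d times):"
              % (len(report["cycle"]["unit"]), report["cycle"]["repeats"]))
        for f in report["cycle"]["unit"]:
            print("   ", f)
```

On a full server.log the same functions work on the text between one ERROR line and the next; the repeating unit is what to quote in a bug report, since it names the delegate classes involved rather than the thousands of identical lines the JVM prints.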
group federation?
by Wyllys Ingersoll
We have a realm configured to get federated users from our Active Directory
domain server. Is there a way to also get the list of federated group
information for each user (i.e. include the AD groups that the AD user is a
member of in the federated user information) ?
thanks...
6 years
NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
by Andrew Murphy
I've installed the keycloak-wildfly-adapter-dist-4.6.0.Final.zip adapter in
a clean version of WildFly Full 14.0.1.Final, running on Windows 8.1. The
keycloak server is running on a separate port.
When I configure the adapter subsystem (server not running) with the newer
Elytron adapter using
> cd bin
> jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
and thereafter attempt to sign into a basic war application I get the
keycloak login page, followed by an error page once credentials are posted.
The server.log reports the following (abbreviated) error stacktrace
2018-11-21 20:17:37,654 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /curo-crm/: java.lang.IllegalArgumentException: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
    at org.wildfly.clustering.web.infinispan.session.coarse.CoarseSessionAttributes.setAttribute(CoarseSessionAttributes.java:71)
    [snip]
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
Now, if I configure the adapter subsystem with the legacy non-Elytron
adapter on WildFly using
> cd bin
> jboss-cli.bat --file=adapter-install-offline.cli -Dserver.config=standalone-full.xml
everything works without errors, i.e. I can access the protected web app on
login success.
Question 1: Have I missed something in the server configuration that is
causing the NotSerializableException?
Question 2: The keycloak config documentation recommends the use of the
newer Elytron adapter over the legacy non-Elytron adapter, but gives no
reasoning. Are there drawbacks to using the legacy version?
Thanks
6 years
Login after registration fails when other user was logged in before
by Rainer-Harbach Marian
Hi,
We encountered a problem in a special use case (Keycloak 4.5.0.Final):
We'd like to display a registration button in our application even when
a user (user1) is logged in.
Directly calling the registration form seems to be supported according
to
http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html
However, the login after the registration (of user2) fails when user1
was logged in before.
The problem can be reproduced by following these steps:
1. Log user1 into the account app
2. Open the registration form at https://<host>/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=<url_to_account_app>
3. Register user2
4. After registration, this message is shown: "We're sorry...
You are already authenticated as different user <user1> in this
session. Please logout first."
The message contains a link "Back to Application".
However, user1 is not logged in anymore and the link "Back to
Application" leads to the login form.
This situation is not straightforward for a user to resolve: user1 has
to log in again, then log out, and only then is user2 able to log in.
The reason appears to be that opening the registration form in step 2
deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However,
the cookie AUTH_SESSION_ID remains unchanged.
To me it seems that opening the registration form should cause a new
AUTH_SESSION_ID to be generated (beside KEYCLOAK_IDENTITY and
KEYCLOAK_SESSION being cleared).
I'd appreciate any thoughts on that!
Best regards,
Marian
6 years
How to retrieve user ID from Keycloak to my web app
by Kunal Kumar
Before, my web app had its own login form to authenticate users.
But since I have connected my web app to Keycloak to authenticate the users
now, my web app does not need to have the login form anymore, hence I need
to remove it.
This was roughly how I retrieved the users' information before Keycloak:
if (chkLogin(getUserID(), getUserPwd())) {
    MaintainUser mu = new MaintainUser();
    this.usrInfo = null;
    String[] usr = mu.validatePassword(getUserID(), getUserPwd());
}
This is not the full coding, but basically I use the getUserID method to
retrieve the users info and check it for authentication before. How do I
perform this if I want to retrieve the user ID from the Keycloak admin
console?
Regards,
Kunal Kumar
6 years
Motivation behind the removal of client_id from "aud" in the JWT
by Cristian Schuszter
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account", rather than the
client-id of the application.
After a bit of digging, we found the commit and associated pull request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, the *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft.NET core validators target specifically the audiences in
the JWT token, with no option of targeting the "azp" field.
Could anybody shed some light as to why the *client_id* was removed from
the audiences?
Best regards,
Cristian Schuszter
6 years
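The post above turns on a single check: a resource server that validates the "aud" claim strictly will reject a token whose "aud" is "account" even though "azp" still names the client. The following is an added example, not code from the thread, from Keycloak or from the .NET validators: it builds three constructed HS256 tokens (the pre-4.6 shape with the client id in "aud", the 4.6 shape with "aud": "account", and a token where the client id has been added back to the "aud" list), verifies the signature, and runs the same audience check a strict validator would, with an optional "azp" fallback so the difference is visible. The HMAC key, the client name "my-client" and the function names are mine; a real deployment would verify RS256 signatures against the realm's published keys, which is outside this snippet.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; only for the self-contained HS256 demo


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "%s.%s" % (
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature in constant time and return the payload claims."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, ("%s.%s" % (head, body)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def check_audience(claims: dict, expected_client: str, accept_azp: bool = False):
    """Mirror a strict validator: expected_client must appear in 'aud'.

    'aud' may be a string or a list (RFC 7519 section 4.1.3). With accept_azp
    the 'azp' claim is accepted as a fallback, which the poster says the .NET
    validators do not offer. Returns (ok, reason).
    """
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    if expected_client in auds:
        return True, "aud"
    if accept_azp and claims.get("azp") == expected_client:
        return True, "azp"
    return False, "aud=%r azp=%r" % (auds, claims.get("azp"))


# Constructed tokens, each shaped like one of the cases discussed in the thread.
TOKEN_OLD = sign_hs256({"iss": "https://idp.example/auth/realms/demo", "sub": "u1",
                        "aud": "my-client", "azp": "my-client"}, KEY)
TOKEN_460 = sign_hs256({"iss": "https://idp.example/auth/realms/demo", "sub": "u1",
                        "aud": "account", "azp": "my-client"}, KEY)
TOKEN_MAPPED = sign_hs256({"iss": "https://idp.example/auth/realms/demo", "sub": "u1",
                           "aud": ["account", "my-client"], "azp": "my-client"}, KEY)


def evaluate(token: str, client: str, accept_azp: bool = False):
    """Verify the signature, then apply the audience check."""
    return check_audience(verify_hs256(token, KEY), client, accept_azp)


if __name__ == "__main__":
    for name, tok in (("4.5 shape", TOKEN_OLD), ("4.6 shape", TOKEN_460), ("aud re-added", TOKEN_MAPPED)):
        print(name, "strict:", evaluate(tok, "my-client"),
              "with azp fallback:", evaluate(tok, "my-client", accept_azp=True))
```

The fallback exists in the example only to show what changes; "azp" records which client requested the token, while "aud" says who may consume it, so a resource server that treats "azp" as sufficient is no longer checking that the token was issued for it. The durable fix on the validator side is a token whose "aud" list contains the resource server's own identifier, as in the third constructed token.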
Temporary support for current sign-in flow
by Craig Setera
As everyone is probably painfully aware from all of my questions, we are in
the midst of replacing our proprietary login flow with a Keycloak
OpenID-based flow. The eventual goal is to use the standard Keycloak login
pages to allow for extra factors of authentication such as Google
Authenticator.
One option that we've allowed until now is for customers to host custom
login HTML forms (just username and password) on their sites. This is
something that we are (most likely) going to remove support for in the long
run, but in the short term, I think we are going to need to support this if
only to allow for a transition period. The login flow is:
Customer Site (HTML form) ->
Login Handler (JEE Session) ->
Redirect browser to SPA along with JSESSIONID
All API calls use JEE sessions for "authentication". What I'm hoping to do
somehow in the short term is:
Customer Site (HTML form) ->
Login Handler ->
Keycloak ->
Redirect browser to SPA with OAuth codes/tokens
What is the best/correct way to do something like this? Should I be using
the authorization code grant in this case?
Thanks for any insights.
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years
LDAP role mapper loses client on client renaming
by Peemöller, Björn
Hi all,
in our Keycloak installation we have connected Keycloak to an internal AD using user federation and configured a role-ldap-mapper as described in https://www.keycloak.org/docs/latest/server_admin/index.html#_ldap_mappers .
We now discovered that if we rename a client, then the associated LDAP mapper loses the connection to the client, as it stores only the client name but not its internal id in the mapper configuration.
Currently, we therefore need to reconfigure all associated mappers once we rename a client.
Is it possible to avoid this problem (or wouldn't it be even better to store the internal UUID)?
Kind regards,
Björn
Björn Peemöller
IT & IT Operations
BERENBERG
Joh. Berenberg, Gossler & Co. KG
Neuer Jungfernstieg 20
20354 Hamburg
Telefon +49 40 350 60-8548
Telefax +49 40 350 60-900
E-Mail bjoern.peemoeller(a)berenberg.de<mailto:bjoern.peemoeller@berenberg.de>
www.berenberg.de<http://www.berenberg.de/>
6 years