KeycloakInstalled adapter: Using public client token from keycloak installed adapter to access confidential client
by Bruce Wings
I have created a confidential client, "server-app", that secures my Jetty
app through the Keycloak Jetty adapter, and a public client, "web-app", that
is provided to all clients of my server app. Both web-app and server-app
exist under the same realm.
In the web-app client, I have created a token mapper for the 'aud' claim:
new java.util.ArrayList(["server-app","web-app"]);
When I generate a token through the Keycloak JS adapter or through Postman for
the web-app client, I am able to use the same token to access my Jetty app
(that is secured with the confidential client).
But when launching the KeycloakInstalled adapter (.loginDesktop() API) with the
public client (JSON of the web-app client), after successful login, while
trying to access the same Jetty app (secured with the confidential client) I
get:
type=CODE_TO_TOKEN_ERROR, realmId=myRealm, clientId=null, userId=null,
ipAddress=10.252.70.71, error=invalid_client_credentials,
grant_type=authorization_code
Is the same kind of access not supported in the KeycloakInstalled adapter?
Also, if I launch the KeycloakInstalled adapter with the confidential client JSON,
everything works fine, i.e. I am allowed access to the Jetty app.
6 years
Admin With Restricted User Management
by chapani
Good Afternoon!
Can I create an admin that can ONLY do these:
- Create/Manage a user who is automatically assigned a specific group or a role
- View/Manage users that belong to a specific group or a role
When this admin logs into Keycloak server, he should only see one tab, "Users", that belong to a specific group or a role and shouldn't see any other users or other menu items.
Thanks,
- chapani
6 years
Bind user to another
by Stefan Meschke
Hello,
is there a way to bind one user to another (e.g. for impersonation, query, …)?
Example:
4 users in one realm: user-a, user-b, user-c, user-d
* user-c should be able to impersonate into user-a, but not into user-b.
* user-d should be able to impersonate and query all users
It would be also very cool, if one user is able to remove the binding.
Thanks in advance!
Cheers
Stefan
6 years
verify client roles in web.xml (JBoss adapter)
by Adrian Matei
Hello everyone,
How can I check a client role in web.xml? It seems that only REALM roles
can be checked there. I also tried the nodejs adapter convention
"client-id:CLIENT_ROLE" but still nothing...
thanks
6 years
Group Role Mapping
by Τζέκος Νικόλαος
Hello all,
Congratulations for this great product. We are using it to provide authentication for a new web-app we are deploying. In the future we may use it for authorization also. I have read many articles and posts on this list but I am still not sure if my problem is considered a problem/bug or I have done something wrong. I have this situation:
- LDAP GROUP group1, mapped to Keycloak group1
- user1, user2 and user3 are members of group1
All this works ok as I used group-ldap-mapper. Now, let's say that in my realm I have 3 clients: client1, client2 and client3. All of these clients have some similar needs, so to support all of them I am using Realm roles and not client roles.
So, I created role1 for my realm. Afterwards I wanted to assign role1 to all members of group1, so I went to Groups->group1->Edit->Role Mappings and from the available Realm Roles I selected role1 and assigned it. Now, what I would expect is two things:
1) If I go to Roles->role1->Users In Role, to see all the members of group1. This doesn't happen!
2) If I go to Users->user1->Role Mappings I would expect to see role1 as an Assigned Role, but I see it as an Effective Role. Now this causes me the problem that if for any reason I want to remove role1 from a single user, i.e. user1, I cannot, since it is only in the Effective Roles list.
However, if I go specifically and assign role1 to a user from Users->Role Mappings then both cases mentioned above work ok.
Am I doing something wrong here? How should this work? Do you have any suggestion? I am pretty sure that this scenario makes sense for an administrator who wants to assign some roles to existing groups coming from LDAP/Active Directory and also have the flexibility to remove roles from specific users of a group. Otherwise the administrator should go and assign the role to each user separately. I forgot to mention that we are using Keycloak 4.6.
I also have some questions about some calls of the Rest API but I think it's better not to write them here and send another mail.
6 years
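The distinction the post above runs into (role1 appearing as an Effective Role but not an Assigned Role when it comes through group1) is visible in the Admin REST API: the realm role-mappings endpoint for a user returns directly assigned roles, and its /composite variant returns effective roles. The following is an added example, not code from the post or from Keycloak, and assumes placeholder host, realm, user ids and admin token; the HTTP fetcher is injected so the logic also runs against constructed sample responses.

```python
# Added example (not from the original post): tell realm roles a user was
# assigned directly apart from roles held only through a group, using the
# Keycloak Admin REST API.  Assumed placeholders: BASE, realm/user ids, token.
import json
import urllib.request
from typing import Callable, Dict, List

Fetcher = Callable[[str], List[dict]]


def make_fetcher(bearer_token: str) -> Fetcher:
    """Return a GET helper that sends an admin access token (real server use)."""
    def fetch(url: str) -> List[dict]:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def classify_realm_roles(base: str, realm: str, user_id: str, fetch: Fetcher) -> Dict[str, List[str]]:
    """'direct' roles can be removed under Users -> Role Mappings; 'inherited_only'
    roles arrive via group (or composite) mappings and only show as Effective."""
    prefix = f"{base}/admin/realms/{realm}/users/{user_id}/role-mappings/realm"
    direct = {r["name"] for r in fetch(prefix)}                     # assigned roles
    effective = {r["name"] for r in fetch(prefix + "/composite")}   # effective roles
    return {"direct": sorted(direct), "inherited_only": sorted(effective - direct)}


# Constructed sample responses: user1 holds role1 only via group1,
# user2 has role1 assigned directly on the user.
BASE = "https://keycloak.example.test"  # placeholder host
_U = f"{BASE}/admin/realms/myrealm/users/"
SAMPLE_RESPONSES = {
    _U + "user1-id/role-mappings/realm": [],
    _U + "user1-id/role-mappings/realm/composite": [{"name": "role1"}],
    _U + "user2-id/role-mappings/realm": [{"name": "role1"}],
    _U + "user2-id/role-mappings/realm/composite": [{"name": "role1"}],
}


def sample_fetch(url: str) -> List[dict]:
    """Offline stand-in for make_fetcher(); serves the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for uid in ("user1-id", "user2-id"):
        print(uid, classify_realm_roles(BASE, "myrealm", uid, sample_fetch))
```

Roles listed under inherited_only are exactly the ones that cannot be revoked per user: they have to be removed from the group mapping or the user taken out of the group.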
Group attribute lookup via NodeJS
by Tom Barber
Hello folks
I’ve got Keycloak hooked up to the NodeJS connector and I saw the info
about getting the username and stuff back via:
console.log(req.kauth.grant.access_token.content)
I’d also like to assign users to groups and store some metadata with those
groups that the application can access. Is that possible using NodeJS
either using the adapter or by some other mechanism?
Thanks
Tom
6 years
How to get access token with SPNEGOAuthenticator?
by ola rob
Hi,
For some legacy reasons, we are using Keycloak API/services for
authentication but are not redirecting our application to Keycloak. We are able
to get an access token and refresh token (AccessTokenResponse.class) when we
authenticate using the login API by sending username and password. But we are
unable to get them when authenticating using a SPNEGO token.
The SPNEGOAuthenticator class doesn't return any access token after
successful authentication. We need these tokens to manage our application
session internally. So, how can we get access and refresh tokens or a response
similar to username/password authentication?
SPNEGOAuthenticator spnegoAuthenticator =
        new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken);
spnegoAuthenticator.authenticate();
if (spnegoAuthenticator.isAuthenticated()) {
    // returns the username correctly
    String username = spnegoAuthenticator.getAuthenticatedUsername();
}
Thanks in advance!
6 years
keycloak version change Custom SPI not backward compatible
by Manisha Nandal
Hi,
We are facing issues while working with the new version of Keycloak. The jars
we created using the old version of Keycloak are not compatible with the
new version. Some of the classes we extended to make custom SPIs have been
changed. For example:
IdentityProviderBean
KeycloakContext
Old version: 3.4.3
New version: 4.6.0
Does anyone have any idea why Keycloak does not support backward
compatibility?
Thanks,
Manisha
6 years
deployment issue for custom SPI in keycloak
by Manisha Nandal
Hi,
We are facing issues with custom SPI deployment in Keycloak. There are two
different strategies that can be used for custom development:
1. place the jar in the module directory and make an entry in standalone.xml,
   say <provider>module:module_name</provider>
2. place the jar in the providers directory, no change needed in standalone.xml (we
   already have <provider>classpath:${jboss.home.dir}/providers/*</provider>)
The first strategy works fine but a modification in standalone.xml is needed. We
want to use the second strategy but it gives us errors for some of the
classes, like:
04:35:56,275 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-59)
Uncaught server error: java.lang.NoClassDefFoundError: org/infinispan/Cache
Any idea how we can fix this?
Thanks,
Manisha
6 years