Legacy non-email username updated when editing account and "Email as username" is enabled
by Bart Lievens
Hello,
I noticed the following behaviour using Keycloak 4.6.0.Final and I'm not sure whether it's a bug or the intended behaviour.
I am migrating a legacy application user database to Keycloak (using the User Storage SPI and the import strategy).
The legacy user database has old usernames that are not emails, and at some point in time the choice was made to only allow email addresses for logins.
As a result I end up with still-active usernames that are not emails, but I turned on "Email as username", which I was expecting to only influence new users, as the tooltip says:
"If enabled then username field is hidden from registration form and email is used as username for new user."
With this setup I encountered the case where a legacy user (without an email username) goes to his account page and wants to update, for example, his first name, but his username also gets changed to the email field.
The user might not even see this because the username is no longer displayed.
But because the username has been changed, the next time he/she tries to log in with the usual username and password this is no longer possible, as the username being used is no longer valid.
This seems like a bug, but I found this was requested in https://issues.jboss.org/browse/KEYCLOAK-3685
Any thoughts on how I can work around this, whether there is already an issue related to this, or whether I should create a new JIRA issue to fix the problem/bug?
Thanks
6 years
Play framework and Keycloak
by Bojan Milosavljević
Hello,
I have some doubts. Namely, I have a Play framework project:
controllers represent my backend, views my frontend. Now I want to enable
only some users (with a specific role) to access one of my views (HTML page).
For now, the whole communication works like this: JS sends a request to Keycloak
to log in; if login is successful -> go to page, if not -> return error.
1. Do you think it would be better to somehow secure this frontend using my
backend (written in Java), and how would I do it, since I really don't
understand Java adapters?
2. If it is OK to leave the communication as it is, how would I forbid certain
users from accessing some pages, since I can't find how to set the necessary
restrictions through code and on the server?
Thank you very much.
6 years
StackOverflowError when listing federated identities
by Wyllys Ingersoll
Using Keycloak 4.6.0.Final, when I query for all users in a realm which is
federated to an AD domain (only about 25 users in the domain), it pretty
consistently throws exceptions (see below).
Oddly enough, if I add the parameter "briefRepresentation=true", the list
is returned successfully. I can query for individual users just fine
(brief or full).
This was not an issue in 4.5.0; I'm only seeing it now that I upgraded to 4.6.0.
Possibly a memory issue, but it's hard to tell.
Any ideas?
thanks,
Wyllys Ingersoll
21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError
    at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    at com.sun.proxy.$Proxy92.find(Unknown Source)
    at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520)
    at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:369)
    at org.keycloak.models.cache.infinispan.UserAdapter.getUserModel(UserAdapter.java:399)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:42)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99)
    at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111)
    ...
6 years
group federation?
by Wyllys Ingersoll
We have a realm configured to get federated users from our Active Directory
domain server. Is there a way to also get the list of federated group
information for each user (i.e. include the AD groups that the AD user is a
member of in the federated user information)?
thanks...
6 years
NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
by Andrew Murphy
I've installed the keycloak-wildfly-adapter-dist-4.6.0.Final.zip adapter in
a clean version of WildFly Full 14.0.1.Final, running on Windows 8.1. The
Keycloak server is running on a separate port.
When I configure the adapter subsystem (server not running) with the newer
Elytron adapter using
> cd bin
> jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
and thereafter attempt to sign into a basic WAR application, I get the
Keycloak login page, followed by an error page once credentials are posted.
The server.log reports the following (abbreviated) error stacktrace:
2018-11-21 20:17:37,654 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /curo-crm/: java.lang.IllegalArgumentException: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
    at org.wildfly.clustering.web.infinispan.session.coarse.CoarseSessionAttributes.setAttribute(CoarseSessionAttributes.java:71)
[snip]
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount
Now, if I configure the adapter subsystem with the legacy non-Elytron
adapter on WildFly using
> cd bin
> jboss-cli.bat --file=adapter-install-offline.cli -Dserver.config=standalone-full.xml
everything works without errors, i.e. I can access the protected web app on
login success.
Question 1: Have I missed something in the server configuration that is
causing the NotSerializableException?
Question 2: The Keycloak configuration documentation recommends the use of the
newer Elytron adapter over the legacy non-Elytron adapter, but gives no
reasoning. Are there drawbacks to using the legacy version?
Thanks
6 years
Using Keycloak to secure AWS API Gateway Lambda endpoints
by youcef belattaf
Hello everyone,
We'd like to use Keycloak in our new API managed by AWS Lambda / API
Gateway. Unfortunately, we didn't find an adapter for AWS API Gateway /
Lambda. So we decided to write an adapter that consists of 2 lambdas:
1/ A Lambda that validates the JWT and, in case of a new public key,
requests the new public key from Keycloak. This lambda is used as an
Authorizer.
2/ A Lambda that deals with revocations. It exposes an endpoint
(k_push_not_before) in order to receive Admin Not Before Policy Pushes.
What do you think of this solution? Your feedback and experiences on
Keycloak and AWS Gateway / Lambda are welcome.
Regards,
Youcef
6 years
Keycloak-js with cordova-native
by Nivethika Mahasivam
I am trying to use the Keycloak-js (from 4.4.0.Final) library in my
Ionic (4) Cordova application.
I have followed the example
<https://github.com/keycloak/keycloak/tree/master/examples/cordova-native>
and instructions
<https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript...>
from the documentation.
I have installed cordova-plugin-browsertab, cordova-plugin-deeplinks,
cordova-plugin-inappbrowser.
Added <preference name="AndroidLaunchMode" value="singleTask" /> in my
config.xml
And
<widget id="org.phidatalab.radar_armt"....>
  <plugin name="cordova-plugin-browsertab" spec="0.2.0" />
  <plugin name="cordova-plugin-inappbrowser" spec="3.0.0" />
  <plugin name="cordova-plugin-deeplinks" spec="1.1.0" />
  <preference name="AndroidLaunchMode" value="singleTask" />
  <allow-intent href="http://*/*" />
  <allow-intent href="https://*/*" />
  <universal-links>
    <host name="keycloak-cordova-example.mydomain.net" scheme="https">
      <path event="keycloak" url="/login" />
    </host>
  </universal-links>
</widget>
and my service which uses Keycloak-js looks like below.
import * as Keycloak from 'keycloak-js';

// Method of the Ionic auth service (class declaration omitted in the original)
static init(): Promise<any> {
  // Create a new Keycloak client instance for the realm/client used by the app
  let keycloakAuth: any = new Keycloak({
    url: 'https://mydomain.net/auth/',
    realm: 'mighealth',
    clientId: 'armt',
  });
  return new Promise((resolve, reject) => {
    keycloakAuth.init({
      onLoad: 'login-required', // redirect to the Keycloak login page when not authenticated
      adapter: 'cordova',       // keycloak-js Cordova adapter
      responseMode: 'query',
      // App Link the browser tab returns to after login; its host and path must
      // match a <universal-links> entry in config.xml for cordova-plugin-deeplinks
      redirectUri:
        'android-app://org.phidatalab.radar_armt/https/keycloak-cordova-example.github.io/login'
    }).success(() => {
      console.log('Success');
      resolve();
    }).error((err: any) => {
      reject(err);
    });
  });
}
I can successfully build and run the application for android. However, it
doesn't work.
If I try to run it on browser, I get "universalLink is undefined".
I would really like some help to get this working. What am I missing? Any
kind of help is much appreciated.
Best, Nivethika
--
Nivethika Mahasivam | Software Engineer (Real World Data Team)
<http://www.thehyve.nl>
E. nivethika(a)thehyve.nl
T. +31(0)65 041 619 1
Twitter <https://twitter.com/nivemaham> | LinkedIn <https://www.linkedin.com/in/nivemaham/>
6 years
Login after registration fails when other user was logged in before
by Rainer-Harbach Marian
Hi,
We encountered a problem in a special use case (Keycloak 4.5.0.Final):
We'd like to display a registration button in our application even when
a user (user1) is logged in.
Directly calling the registration form seems to be supported according
to
http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html
However, the login after the registration (of user2) fails when user1
was logged in before.
The problem can be reproduced by following these steps:
1. Log user1 into the account app
2. Open the registration form at https://<host>/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=<url_to_account_app>
3. Register user2
4. After registration, this message is shown: "We're sorry...
You are already authenticated as different user <user1> in this
session. Please logout first."
The message contains a link "Back to Application".
However, user1 is not logged in anymore and the link "Back to
Application" leads to the login form.
This situation is not straightforward for a user to resolve: user1 has
to log in again, then log out, and only then is user2 able to log in.
The reason appears to be that opening the registration form in step 2
deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However,
the cookie AUTH_SESSION_ID remains unchanged.
To me it seems that opening the registration form should cause a new
AUTH_SESSION_ID to be generated (beside KEYCLOAK_IDENTITY and
KEYCLOAK_SESSION being cleared).
I'd appreciate any thoughts on that!
Best regards,
Marian
6 years
Keycloak token refresh when user session is logged out
by Himalaya Gupta
Hi,
My client is a ReactJS application using the Keycloak JavaScript adapter.
I am trying the below scenario:
1. Log in to the client application via the Keycloak server and retrieve the
access token in the client.
2. Log in to the Keycloak Admin console and log out the active session
for the user for the given client.
3. On the client application I observe the following: the token is still
valid as it has not expired. When the token expires, the refresh token
request is stuck in refreshing the token (probably stuck as the user is
forcefully logged out via the Admin Console).
Can you please let me know if there is a way to detect the inactive session
and force the user to log in, even if the token is still valid, via the
JavaScript API?
When trying to refresh the token while the user session is logged out,
should the Keycloak server just return an error instead of a pending
response? Could this be a bug?
Any help would be appreciated in this regard. Thank you.
--
Best regards,
Himalaya Gupta
6 years