(no subject)
by Tuqire Hussain
Hi all,
We are currently using the 'keycloak-nodejs-connect' in our node layer and
it is mostly working great. However, our production cluster requires an
outbound proxy to make requests. Is there a recommended way to set an
outbound proxy using the 'keycloak-nodejs-connect' library?
Any help would be extremely appreciated.
Thank you.
--
Kind regards
Tuqire
www.tuqire.com
6 years
Permission with multiple scopes - what does it mean exactly?
by cen
Hi.
in UMA authorization, when adding a scope Permission you can specify a
set of scopes. What a "set" means exactly is not very well documented.
By trial and error I figured out that:
1. Resource with single scope and corresponding permission with same
(single) scope works as expected.
2. Resource with single scope and permission with multiple scopes, of
which one of them is the resource scope does not work (auth not granted).
Scope set on resource to me means: this is all the things the resource
owner is allowed to do with it.
Scope set on permission to me means: apply these policies if either of
these scopes is needed. That does not seem to be the case though, according
to point #2.
Can someone shed some light on how the scope set on a resource resolves
against the permission's scope set?
Best regards, cen
6 years
How to retrieve user ID from Keycloak to my web app
by Kunal Kumar
Before, my web app had its own login form to authenticate users.
But since I have now connected my web app to Keycloak to authenticate the
users, my web app does not need to have the login form anymore, hence I need
to remove it.
This was roughly how I retrieved the users' information before Keycloak:
if (chkLogin(getUserID(), getUserPwd())) {
    MaintainUser mu = new MaintainUser();
    this.usrInfo = null;
    String[] usr = mu.validatePassword(getUserID(), getUserPwd());
}
This is not the full code, but basically I used the getUserID method to
retrieve the user's info and check it for authentication before. How do I
do this if I want to retrieve the user ID from the Keycloak admin
console?
Regards,
Kunal Kumar
6 years
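The servlet below is an added example, not the poster's code or a Keycloak sample. It shows where a Java EE web app behind the Keycloak WildFly adapter gets the user's identity once the login form is gone: the adapter verifies the bearer/session token (signature, issuer, expiry) and then attaches a KeycloakSecurityContext to the request; the "sub" claim of that token is the Keycloak user ID, the same UUID the admin console shows on the user's page. The /whoami path and the commented-out userRepository lookup are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not the poster's code): read the logged-in user's identity
 * from the Keycloak adapter instead of from a login form. The adapter has
 * already verified the token before it puts the KeycloakSecurityContext on
 * the request, so nothing here trusts a user-supplied ID or password.
 */
@WebServlet("/whoami")   // hypothetical path, chosen for this example
public class WhoAmIServlet extends HttpServlet {

    /**
     * Keycloak user ID ("sub" claim; the UUID shown in the admin console),
     * or null when the request carries no verified Keycloak identity.
     */
    static String userIdOf(HttpServletRequest request) {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            return null;
        }
        return ctx.getToken().getSubject();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userId = userIdOf(request);
        if (userId == null) {
            // Only reachable if this URL is not covered by a <security-constraint>
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AccessToken token = ((KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName())).getToken();

        // Replacement for the old usrInfo lookup: key your own user table on the
        // stable "sub" UUID, not on the username, which an admin can change later.
        // UserInfo info = userRepository.findByKeycloakId(userId);   // hypothetical

        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().printf("id=%s%nusername=%s%nemail=%s%n",
                userId, token.getPreferredUsername(), token.getEmail());
    }
}
```

With the adapter's default principal-attribute, request.getUserPrincipal().getName() returns the same "sub" value, so existing code that already calls getUserPrincipal() keeps working. Keep the /* security-constraint */ in web.xml on every path that calls userIdOf(): the attribute is only present after the adapter has run.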
Motivation behind the removal of client_id from "aud" in the JWT
by Cristian Schuszter
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account", rather than the
client-id of the application.
After a bit of digging, we found the commit and associated pull request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft .NET Core validators specifically target the audiences in
the JWT token, with no option of targeting the "azp" field.
Could anybody shed some light as to why the *client_id* was removed from
the audiences?
Best regards,
Cristian Schuszter
6 years
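The check that the post's .NET validators perform, written out as an added example (not Keycloak, .NET or the poster's code): a resource server must accept a token only if its own client ID appears in "aud", and "aud" may be a single string or an array. "azp" only names the client the token was issued to, so consulting it instead would let a token minted for any other client be replayed against this API. The demo tokens are constructed, unsigned samples with a hypothetical client ID my-api; the class assumes the signature has already been verified by the adapter or a JWT library. Keycloak 4.6 also added an "Audience" protocol mapper that puts a chosen client ID back into "aud", which is what the second sample token represents.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;

/**
 * Audience check on a Keycloak access token (added example). Assumes the JWS
 * signature has ALREADY been verified; this class only decides whether the
 * verified claims were issued for this resource server.
 */
public final class AudienceCheck {

    private AudienceCheck() {}

    /** Decode the payload segment of a compact JWS (header.payload.signature). */
    static JsonObject claimsOf(String jws) {
        String[] parts = jws.split("\\.", -1);   // -1 keeps an empty signature segment
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS");
        }
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        try (JsonReader reader = Json.createReader(new StringReader(json))) {
            return reader.readObject();
        }
    }

    /** "aud" is either one string or an array of strings (RFC 7519, section 4.1.3). */
    static List<String> audiences(JsonObject claims) {
        JsonValue aud = claims.get("aud");
        if (aud == null) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        switch (aud.getValueType()) {
            case STRING:
                out.add(((JsonString) aud).getString());
                break;
            case ARRAY:
                for (JsonString s : ((JsonArray) aud).getValuesAs(JsonString.class)) {
                    out.add(s.getString());
                }
                break;
            default:
                throw new IllegalArgumentException("aud must be a string or an array");
        }
        return out;
    }

    /**
     * Strict rule: accept only if our own client ID is listed in "aud".
     * "azp" is deliberately NOT consulted; a token minted for a different
     * client must not be usable against this API.
     */
    static boolean issuedFor(JsonObject claims, String ourClientId) {
        return audiences(claims).contains(ourClientId);
    }

    /** Build an UNSIGNED demo token from a JSON payload (constructed sample, demo only). */
    static String demoToken(String payloadJson) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";   // empty signature: never accept this in production
    }

    public static void main(String[] args) {
        String api = "my-api";   // hypothetical resource-server client ID
        // Shape of a 4.6 token with no Audience mapper: "aud" is "account", "azp" is the client
        String noMapper = demoToken("{\"aud\":\"account\",\"azp\":\"my-api\",\"sub\":\"1234\"}");
        // Shape of the same token once an Audience mapper for my-api is added to the client
        String mapped = demoToken("{\"aud\":[\"my-api\",\"account\"],\"azp\":\"my-api\",\"sub\":\"1234\"}");

        System.out.println("no Audience mapper, strict aud check: " + issuedFor(claimsOf(noMapper), api));
        System.out.println("with Audience mapper, strict aud check: " + issuedFor(claimsOf(mapped), api));
    }
}
```

The javax.json (JSON-P) API used here ships with WildFly; on a plain JDK add a JSON-P implementation to the classpath. Pair issuedFor() with a signature, issuer and expiry check; on its own it proves nothing about who minted the token.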
Temporary support for current sign-in flow
by Craig Setera
As everyone is probably painfully aware from all of my questions, we are in
the midst of replacing our proprietary login flow with a Keycloak
OpenID-based flow. The eventual goal is to use the standard Keycloak login
pages to allow for extra factors of authentication such as Google
Authenticator.
One option that we've allowed until now is for customers to host custom
login HTML forms (just username and password) on their sites. This is
something that we are (most likely) going to remove support for in the long
run, but in the short term, I think we are going to need to support this if
only to allow for a transition period. The login flow is:
Customer Site (HTML form) ->
Login Handler (JEE Session) ->
Redirect browser to SPA along with JSESSIONID
All API calls use JEE sessions for "authentication". What I'm hoping to do
somehow in the short term is:
Customer Site (HTML form) ->
Login Handler ->
Keycloak ->
Redirect browser to SPA with OAuth codes/tokens
What is the best/correct way to do something like this? Should I be using
the authorization code grant in this case?
Thanks for any insights.
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years
Keycloak and Wildfly in docker
by Kevin Hoarau
Hi, I'm running my WildFly app in Docker, and Keycloak too. They are
in the same Docker network. The problem is that when I go to my application (
http://127.0.0.1:8080/akatsuki-javaee-webapp/) the Keycloak login appears,
I log in, and then I get a Forbidden.
I've been trying to solve it for a week :/
Please find below some configuration files:
*docker-compose.yml :*
version: '2'
services:
  wildfly:
    build:
      context: WildFly/
    container_name: "wildfly"
    volumes:
      - /tmp/images:/opt/jboss/images
    ports:
      - "8080:8080"
    networks:
      - netaka
  filemanager:
    build:
      context: FileManager/
    container_name: "filemanager"
    volumes:
      - /tmp/images:/usr/local/apache2/htdocs/
    ports:
      - "8082:80"
    networks:
      - netaka
  keycloak:
    build:
      context: KeyCloak/
    container_name: "keycloak"
    ports:
      - "8180:8080"
    environment:
      KEYCLOAK_USER: "admin"
      KEYCLOAK_PASSWORD: "admin"
    networks:
      - netaka
networks:
  netaka:
    driver: bridge
*Dockerfile (wildfly) :*
FROM jboss/wildfly
ADD target/akatsuki-javaee-webapp.war /opt/jboss/wildfly/standalone/deployments/
ENV KEYCLOAK_VERSION 4.6.0.Final
WORKDIR /opt/jboss/wildfly/
RUN curl -L https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/adapters/keycloak-... | tar zx
RUN ./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli
WORKDIR /opt/jboss
# Standalone.xml modifications
COPY standalone.xml /opt/jboss/wildfly/standalone/configuration/
RUN mkdir -p /opt/jboss/images
## Attempt to fix permissions error ##
# Attempt to fix for Error: Could not rename /opt/jboss/wildfly/standalone/configuration/standalone_xml_history/current
# See https://stackoverflow.com/questions/20965737/docker-jboss7-war-commit-ser...
RUN rm -rf /opt/jboss/wildfly/standalone/configuration/standalone_xml_history/current
*I'm modifying standalone.xml in order to change this :*
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="akatsuki-javaee-webapp.war">
        <realm>akatsukiRealm</realm>
        <auth-server-url>http://127.0.0.1:8180/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>akatsukiClient</resource>
    </secure-deployment>
</subsystem>
*Dockerfile (keycloak) :*
FROM jboss/keycloak
COPY standalone.xml /opt/jboss/keycloak/standalone/configuration/
*I'm modifying standalone.xml in order to change this line :*
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}">
*web.xml (in my wildfly app) :*
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>akatsuki-javaee-webapp</module-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Index</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
*And when I try to connect, I get this error:*
wildfly | 18:26:46,931 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.ConnectException: Connection refused (Connection refused)
wildfly |     at java.net.PlainSocketImpl.socketConnect(Native Method)
wildfly |     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
wildfly |     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
wildfly |     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
wildfly |     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
wildfly |     at java.net.Socket.connect(Socket.java:589)
wildfly |     at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:120)
wildfly |     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
wildfly |     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
wildfly |     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
wildfly |     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
wildfly |     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
wildfly |     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
wildfly |     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
wildfly |     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111)
wildfly |     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:335)
wildfly |     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:280)
wildfly |     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139)
wildfly |     at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
wildfly |     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
wildfly |     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
wildfly |     at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
wildfly |     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
wildfly |     at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
wildfly |     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
wildfly |     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
wildfly |     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
wildfly |     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
wildfly |     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
wildfly |     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
wildfly |     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
wildfly |     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
wildfly |     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
wildfly |     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
wildfly |     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
wildfly |     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
wildfly |     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
wildfly |     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
wildfly |     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
wildfly |     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
wildfly |     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
wildfly |     at java.lang.Thread.run(Thread.java:748)
wildfly |
I can attach more details if needed.
If someone could help me, I would be very grateful. I'm waiting for your
response. Thanks a lot
--
*Kevin HOARAU - Engineering student*
Computer Science & Industrial Electronic
ISEN
6 years
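What the trace above pins down is the network path, not the realm configuration: the failing frame is ServerRequest.invokeAccessCodeToToken, the back-channel call the adapter makes from inside the wildfly container to the auth-server-url. Inside that container, 127.0.0.1:8180 is the wildfly container itself, so nothing listens there and the connect is refused; the browser only reaches Keycloak at 127.0.0.1:8180 because of the host port mapping. The adapter uses the single auth-server-url both for the browser redirect and for this back-channel call, and it checks the token's issuer against it, so the URL has to be one that resolves to Keycloak from both the host browser and the wildfly container. The compose file below is an added example, not the poster's file. It assumes the post's port-offset of 100 stays in the Keycloak standalone.xml (so Keycloak binds 8180 inside its container; the bound http port is printed in the Keycloak startup log) and that the host's hosts file carries the line "127.0.0.1 keycloak" so the browser resolves the same name that Docker's DNS resolves for the wildfly container. The unrelated filemanager service is left out.

```yaml
# Added example, not the original docker-compose.yml. Assumptions: Keycloak
# keeps the port-offset of 100 from the post and so listens on 8180 INSIDE
# its container; the host's hosts file maps "keycloak" to 127.0.0.1.
version: '2'
services:
  wildfly:
    build:
      context: WildFly/
    container_name: "wildfly"
    depends_on:
      - keycloak
    volumes:
      - /tmp/images:/opt/jboss/images
    ports:
      - "8080:8080"
    networks:
      - netaka
  keycloak:
    build:
      context: KeyCloak/
    container_name: "keycloak"
    ports:
      # host 8180 -> container 8180: the port Keycloak actually binds with the
      # offset. The original "8180:8080" pointed at a port nothing listens on.
      - "8180:8180"
    environment:
      KEYCLOAK_USER: "admin"
      KEYCLOAK_PASSWORD: "admin"   # placeholder for a local sandbox only
    networks:
      - netaka
networks:
  netaka:
    driver: bridge
```

With this, the adapter's secure-deployment uses <auth-server-url>http://keycloak:8180/auth</auth-server-url>: the browser resolves keycloak via the hosts entry to 127.0.0.1:8180, the wildfly container resolves it via Docker DNS to the keycloak container's 8180, and the issuer http://keycloak:8180/auth/realms/akatsukiRealm in the token matches what the adapter expects. A quick check from the wildfly container (curl is already installed there by the post's Dockerfile) is `docker-compose exec wildfly curl -s http://keycloak:8180/auth/realms/akatsukiRealm`, which should return the realm's public JSON rather than a refused connection. The ssl-required=EXTERNAL plus plain http is acceptable on a loopback-only sandbox; anything reachable from other hosts should terminate TLS in front of both containers.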