Script authenticators via UI?
by Craig Setera
I'm trying to (finally) wrap back around to handling our partner code.
Based on conversation with Dmitry, I'm trying to add a new authenticator to
our current flow, but I'm not seeing the script executor option in the UI.
I have enabled the profile (and see that it is enabled in the logs). Is
that something that I should expect to see via the UI or is this something
I'm only going to be able to manage via API? (I expect to eventually
configure this via API, but was trying to test things out first).
Thanks!
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 11 months
Google Identity and Google+ API
by James Campbell
Hi all--
I'm just getting started with keycloak, and have set up the google identity
provider. I notice that the google identity provider uses the Google+ API
for profile information, which seems unnecessary, but I do not see a way to
turn it off (maybe limit the scopes requested)?
Given the now-imminent deprecation of the Google+ APIs, is there a way to
ensure I'm not using the Google+ API?
James
5 years, 11 months
Uma ticket
by BELMONTET Matthieu
Good morning every body
With the 4.x.x of keycloak we can ask for uma ticket with a specific permission for an user.
I'm really interested by this feature to set up a role access to my application.
I found the way to test it with the REST calling.
I wonder if you work on the login page to implement this feature. "After login form, the page can propose to select a role in the list and then return generate the uma-ticket"?
If it isn't planned. Should I work only with my uma-ticket which replace the authentication token or I should keep the authentication token too and send both in the header of my http requests?
If I keep both, should I refresh both?
How to access with keycloak -angular library to the uma ticket API?
Thank you
BELMONTET Matthieu
______________________________________
Systel
Pôle concevoir
*: m.belmontet(a)systel-sa.com<mailto:m.belmontet@systel-sa.com>
______________________________________
5 years, 11 months
How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)
by Geoffrey Cleaves
Hello. I have a simple JS execution which denies access as the first step
of the first broker login flow. I would like to access some of the
attributes that Keycloak writes out to the log when executing this flow
(see below)
What objects or variables must my JS execution load in order to get the
identity_provider_identity attribute listed below?
20:29:56,588 WARN [org.keycloak.events] (default task-527)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic,
userId=null, ipAddress=90., error=user_not_found, identity_provider=google,
auth_method=openid-connect, redirect_uri=http://localhost:8222?clientid=tic,
identity_provider_identity=user(a)gmail.com, code_id=b07317fdb
Thanks in advance!
Geoff
5 years, 11 months
Re: [keycloak-user] Get the realms through the Client Admin Api
by Felix Knecht
I have almost exactly the same problem:
I run the keycloak server in a wildfly 14 distribution. When I try to get a token from a call within a deployed webapp (same wildfly) I get the same NPE. When running exactly the same code from an external application all runs fine, no NPE.
I suppose running the code from within a war/ear file does not exactly the same like running the code from single class. It worked versions ago (keycloak 2.1). For know I don't have an idea what's the difference ...
> Trying this code I receive a null token:
>
> Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth",<http://localhost:8180/auth%22,> "master", "admin", "admin", "admin-cli");
> keycloak.tokenManager().getAccessTokenString();
>
> > Il 17 dicembre 2018 alle 17.23 Luca Stancapiano <luca.stancapiano at vige.it<https://lists.jboss.org/mailman/listinfo/keycloak-user>> ha scritto:
> >
> >
> > I'm triing a simple call via Rest to my keycloak 4.7.0.Final server distribution. I created an admin user through the admin web console:
> >
> > user: admin
> > pass: admin
> >
> > The server works on the 8180 port and it starts through the command:
> >
> > ./standalone.sh -Djboss.socket.binding.port-offset=100
> >
> > I try to do a simple call using the admin client api imported through the dependency in the pom:
> >
> > <dependencies>
> > <dependency>
> > <groupId>org.keycloak</groupId>
> > <artifactId>keycloak-admin-client</artifactId>
> > <version>4.7.0.Final</version>
> > <scope>test</scope>
> > </dependency>
> > </dependencies>
> >
> > Here the java code:
> >
> > Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth",<http://localhost:8180/auth%22,> "master", "admin", "admin", "admin-cli");
> > keycloak.realm("master").clients().findAll();
> >
> > when the findAll method is executed I receive the Exception:
> >
> > javax.ws.rs.ProcessingException: java.lang.NullPointerException
> > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:599)
> > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
> > at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
> > at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
> > at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
> > at com.sun.proxy.$Proxy29.findAll(Unknown Source)
> > at it.vige.school.resttest.schoolmodule.test.PresenceTest.setPresence(PresenceTest.java:42)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> > at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:532)
> > at org.junit.jupiter.engine.execution.ExecutableInvoker.invoke(ExecutableInvoker.java:115)
> > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$6(TestMethodTestDescriptor.java:171)
> > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:167)
> > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:114)
> > at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:59)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:108)
> > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> > at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
> > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
> > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> > at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
> > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:38)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$4(NodeTestTask.java:112)
> > at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:72)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:98)
> > at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:74)
> > at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:32)
> > at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
> > at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:51)
> > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:220)
> > at org.junit.platform.launcher.core.DefaultLauncher.lambda$execute$6(DefaultLauncher.java:188)
> > at org.junit.platform.launcher.core.DefaultLauncher.withInterceptedStreams(DefaultLauncher.java:202)
> > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:181)
> > at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:128)
> > at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invokeAllTests(JUnitPlatformProvider.java:142)
> > at org.apache.maven.surefire.junitplatform.JUnitPlatformProvider.invoke(JUnitPlatformProvider.java:117)
> > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
> > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
> > at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
> > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
> > Caused by: java.lang.NullPointerException
> > at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:53)
> > at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:586)
> > ... 47 more
> >
> >
> >
> > What i miss?
5 years, 11 months
Map authenticator information to AccessToken
by Lösch, Sebastian
Hello folks,
we would like to use keycloak to secure multiple applications using OIDC. Some applications have requirements on the authentication method the users are allowed to use for login. I know, that it is possible to set the Authentication Flows for each OIDC client. That way it is possible, to e.g. restrict the user login to X.509 certificate login for a certrain application.
For us it would be better to allow multiple authentication methods, e.g. X.509 certificate login and username/password login, and let the application decide what the user is allowed to do depending on the level of assurance, i.e. the authentication method used. Is it possible to write the authentication method to the AccessToken? Possibly by writing a custom IdentityProviderMapper?
Best regards,
Sebastian Lösch
--
Solution Engineering
Governikus GmbH & Co. KG
5 years, 11 months
Questions around keycloak IdP initiated flow
by Bhavana Motwani
Hi all
We are using keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows.
We are using Auth0 as the external IdP for test purposes.
We have managed the SP-initiated flow successfully. But we are facing
issues with IdP initiated flow. I was hoping you could help.
1. Will the external IdP need two separate clients to connect to our
keycloak instance, one for SP-initiated and other for IdP. PFA the metadata
we generated for SP-initiated flow. The SingleLogoutService.Location and
AssertionConsumerService.Location are '
https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...
'
But, for IdP initiated flow, we are having to replace the above with '
https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...
'
This would result in 2 clients on the external IdP side.
Is there a way to avoid this?
2. With the IdP initiated flow, we are also facing issues with backchannel
logout. It gives a certificate issue. What certificate does keycloak
expect? The SP client's or the external IdP's?
Any help will be appreciated!
Thank you once again.
5 years, 11 months
Keycloak adapter for single page app
by Nhut Thai Le
Hello,
I have a single page web app that mostly use ajax to retrieve data from
REST services, it also have some polling requests going every few seconds
to check for changes on server. My take is that i should use js adapter to
protect my app, however, we want to store authorization artifacts
(permission, resources, ...) on KC server and using JS adapter force us to
use public client which disable authorization. Is there a way to use js
adapter with authorization? I use KeycloakAdmin client to query the
permission from KC server directly btw
Thai Le
5 years, 11 months
Hide realm name behind proxy in a single realm application
by Or Harary
Hey,
Can I somehow use keycloak for a single realm without using the realm name
in the URL and set a proxy to pass requests to the single realm (proxy pass
to /auth/realms/<realm_name>/)?
I managed to set this for the login url (proxy pass "/login" to
"/auth/realms/<realm_name>/protocol/openid-connect/auth" for example), but
I'm having trouble when i'm trying to do the "auth code flow" to a client
with a consent screen, because keycloak redirects the browser, after the
login, to a different url (the "action" attribute in the form) which is the
full keycloak url that contains the /realms/<realm_name/> and this URL
can't be changed somewhere.
I'm trying to achieve that because as I see, the consent screen can't be
created in my application and be used with the keycloak API (like login
with direct grant API) and can only customized with templates.
Thanks,
Or
5 years, 11 months
