Use JWT Keycloak Generated Token
by John Rey Tanquinco
Hi,
We are developing mobile application against a headless Drupal using
Keycloak as SSO. How can we use the generated JWT token and validate it in
Drupal?
This is an example event log we are getting from Keycloak.
http://site/openid-connect/generic?code=uss.LFgEKlE3AD5MJUlmsiNZ4Vz6tkwv1...
We tried the following steps from
http://lists.jboss.org/pipermail/keycloak-user/2015-May/002254.html but it
didn't work.
When checking the value
LFgEKlE3AD5MJUlmsiNZ4Vz6tkwv1yhuhnNGGfhdzbQ.1c030743-0487-494f-9e4e-246380e6e96f.46a09a43-5450-4376-a918-ef826188f7b8
from jwt.io we are getting a strange response.
--
Thanks for your reply. We use Keycloak as a SSO and IDP, so the users don't
exist in Drupal. Do you have any suggestions on how Drupal can use
externally generated JWT tokens when the user doesn't already exist in
Drupal?
However, I'm also developing a mobile client against a headless Drupal. In
this case I get a JWT token from Keycloak. I'm looking to use this token
with Drupal.
-------------------------------
John Rey Tanquinco
-------------------------------
6 years, 11 months
Prevent Users from Modifying Certain Custom User Attributes
by Josh Harness
Hi -
I have some custom user attributes that I want users to be able to modify.
Others, though, I want to forbid since they are set at account creation via
internal procedures. Does anybody know how to prevent users from being able
to edit these attributes? It isn't enough to leave it out of the account
template, since formulating the correct POST as the user will cause the
attribute to be updated (whether I modified the ftl template to include it
or not).
Thanks!
Josh
6 years, 11 months
Custom User SPI implementation and user records
by Sud Ramasamy
Hi,
We wrote and deployed a custom implementation for the User SPI that authenticates a username and password against an external REST API. We’ve been able to get it to work but had some questions on how Keycloak handles this. Our implementation is based on the user-storage-properties-example from the Keycloak repo.
We see that a session is created in Keycloak for the logged in user (but no record is created in the USER_SESSION table - but this appears to be how keycloak in general works. When are records inserted into USER_SESSION if at all?).
Our primary question was that no user record is created in the USER_ENTITY table for the federated user even though we see that the session is established with the user name of the federation user who logged in (we see this the sessions area of the admin console). We were wondering if this is expected behavior since we were under the impression that all users authenticated via Keycloak (whether via federation, brokered, or internal) would always get a user record in the Keycloak database.
A second question is when we create the User federation via the admin console, the records are inserted in the COMPONENT table. We do see there is the USER_FEDERATION_PROVIDER table but that remains empty. Is this table deprecated and no longer used?
This is on Keycloak 2.5.5.
Thanks in advance for your help.
-sud
6 years, 11 months
KEYCLOAK-4509 Support IDP Initiated to OIDC RP
by Adrian Gonzalez
Hello,
I just created this PR : https://github.com/keycloak/keycloak/pull/4965.
This allows using IDP initiated logins with OIDC Clients (for now it's limited to SAML clients).
My use case is:
- My OIDC Client uses Keycloak as OIDC Authorization Server.
- Users use Okta as IDP.
Hence:
* I register my OIDC Client in the Okta portal using a URL like http://<keycloak>/auth/realms/<realm>/broker/<idp-name>/endpoint/clients/<client-alias> (in a similar way to http://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated...). When a user accesses his Okta portal, he authenticates to Okta (no KC involved).
* In the Okta portal he sees a list of applications.
* He clicks on the OIDC Client app.
* Okta initiates a SAML authentication with Keycloak.
* Once it succeeds, Keycloak calls a URL of the OIDC Client.
* The OIDC Client will initiate an OIDC flow with Keycloak.
* Keycloak will redirect back to the OIDC Client (using the same identity as the one initiated by the Okta SAML flow).
My Client is registered in a way that Okta will
This works like:
* The user is authenticated in the external IDP.
* The external IDP dashboard page lists all available Clients.
* The user clicks on a Client.
* The external IDP redirects to KC (using SAML).
* KC validates the authentication.
* KC redirects to the OIDC RP (IDP Initiated Target URL).
* The OIDC RP initiates an OIDC authentication flow, and redirects to KC.
* KC automatically creates a session and redirects back to the OIDC RP.
The code is far from bullet-proof, I'll gladly accept some feedback.
Cheers,
Adrian
6 years, 11 months
Validate User Credentials Without Creating a Session
by Scott Finlay
Hi,
We're currently using Keycloak 2.5.5.Final, and in this version it's not possible
to validate a user's credentials (username / password combination) without
actually logging the user in which results in a session (and our sessions are long-
lived). Is there any new functionality introduced in the later versions of Keycloak
to validate the credentials without actually logging the user in?
Our use-case is that we have very long-lived tokens, but we want to require the
user to re-enter his/her password in order to perform certain sensitive tasks
such as changing the password or username.
If such functionality is not available, would it be possible to add this?
Regards,
Scott
6 years, 11 months
Forgotten password workflow redirecting to account client
by BASSET Simon
Hello,
We are developing an application which relies on keycloak for authentication (with custom theme) and we are facing a problem with the keycloak forgotten password workflow.
With keycloak 3.2.1:
When a user wants to access our application, she goes to app.swm.cloud ("frontend" client for keycloak), then she is redirected to auth.swm.cloud (keycloak), she starts the forgotten password workflow and receives an email with a link to reset her password. If she clicks on the link and changes her password, she is logged in and redirected to the frontend client app.swm.cloud.
frontend app -> login page -> forgotten password -> mail -> change password -> logged in frontend app
However if she kills her browser before following the link from the forgotten password mail, she is redirected to the login page after changing her password and then to the account client after logging in.
frontend app -> login page -> forgotten password -> kill the browser -> mail -> change password -> login page -> logged in account client
With keycloak 3.4.3:
It seems that she is always redirected to the account client after changing her password.
frontend app -> login page -> forgotten password -> mail -> change password -> login page -> logged in account client
How to configure keycloak so our user is redirected to our frontend app after she changes her password?
Thank you,
Simon
6 years, 11 months
Allow Client to Create User in Realm without Granting manage-users Role from realm-management
by Josh Harness
Hi -
We're wanting to use keycloak as our IdP but aren't fully able to allow
users to register since we need to use an existing application to do this.
I need to be able to allow the legacy application to do the following
within the realm:
* Create user
* Reset user password
I'm wanting to avoid giving the application permissions to assign roles,
etc that it ought not be able to. Fine grained permissions looked promising
but it appears that approach won't work since there's no fine-grained
'create user' type permission (that I can tell). As such, I'm stuck using
the all powerful 'manage-users' role of the realm-management client.
Any ideas for alternative approaches to explore? Afraid I might be swimming
upstream here and need to just bite off user registration the correct way...
Thanks!
Josh
6 years, 11 months
Enterprise IDP
by Adrian Gonzalez
Hello,
I'm using Social IDP in Keycloak, that's working awesome !
Now, I need to integrate more enterprise IDPs, and show those IDPs only to users in these enterprises.
1. An enterprise IDP will need to be associated with a list of email domains (the enterprise IDP will be automatically used if the user's email matches).
2. In the Login UI, only the links for social IDPs will be shown; the enterprise IDPs will be hidden.
3. If the user enters an email corresponding to one of the enterprise IDPs:
   * we hide the password field;
   * if the user clicks on submit, he's redirected to the enterprise IDP.
4. As a bonus: if he's redirected to the enterprise IDP, I'd like to have the email/username field already pre-filled.
I don't think a similar feature exists for the moment. If yes, please someone tell me :)
What I did for the moment is:
- a REST Service providing IDP info to the front end (RealmResourceProviderFactory extension)
- I hacked the login page (custom theme) and added a JS script that:
  - calls the previous REST Service
  - hides/shows the password label and field
  - intercepts the submit call and redirects to the enterprise IDP
What I'm missing is:
- is there a way to add custom information to an IDP, i.e. an isEnterprise boolean (how?). If not, I'd need to create an additional table and a custom UI to handle that (a bit awkward :( )
- I didn't pass the email to the external IDP
Would someone have an idea of how to do this (if I could add this custom info to the IDP it would be great!)? Is there a better way to achieve that? Or a more generic one?
Thanks for the insights!
Adrian
N.B. some links around this subject (just as reference material):
http://lists.jboss.org/pipermail/keycloak-dev/2014-November/0030... (see 4 - Selecting provider)
http://lists.jboss.org/pipermail/keycloak-user/2017-January/0089...
6 years, 11 months
Fwd: how to retrieve an access token only with roles for a specific target service (keycloak client)?
by Daniel Charczyński
Hi
I'd like to talk with you about
https://github.com/keycloak/keycloak/pull/4910
and
https://issues.jboss.org/browse/KEYCLOAK-6092
we have a CRITICAL security issue: the target service is able to receive an
access token with roles to other services, so it is able to reuse it.
We need to implement a feature that makes it possible to get an access token
with roles per target service (client in keycloak).
Our idea is to use client roles that require scope.
But in order to get all roles assigned from a specific target service we need
to change the current behaviour.
At the moment there is a possibility to get a specific role using the scope
parameter
<clientId>/<role-name>
but we need
<clientId>/.*
Have you got any idea how to make it possible ASAP?
We do not want to make any breaking changes...
maybe we use a wildcard instead of a regexp, like <clientId>/* ?
Just let me know how to do it in order to be compatible with your future
plans and make it possible to merge...
Regards
Daniel
6 years, 11 months
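Two threads above meet at the same check on the receiving side: the first post asks how a backend should validate a Keycloak-issued JWT, and Daniel's post worries that a token carrying roles for other clients can be reused against them. The block below is an added example (not code from Keycloak, Drupal or any of the posters) of what a resource server should do: confirm the value is a JWT at all, verify the signature with a pinned algorithm, check exp, iss and aud, and honour only the roles issued under resource_access for its own client id. The issuer URL, client ids, shared key and claims are constructed for the example; HS256 is used only so the block runs on the Python standard library, whereas Keycloak signs with RS256 by default and a real service would verify against the realm's JWKS with a JOSE library. The value quoted in the first post is the OIDC authorization code from the redirect URL, which is exchanged at the token endpoint before there is any JWT to validate; looks_like_jwt shows how to tell the two apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the example (assumptions, not from a real realm).
SAMPLE_KEY = b"demo-shared-secret-not-for-production"
SAMPLE_ISSUER = "http://site/auth/realms/demo"
MY_CLIENT_ID = "mobile-app"
# The query value quoted in the first post: an OIDC authorization code, not a JWT.
SAMPLE_AUTH_CODE = ("LFgEKlE3AD5MJUlmsiNZ4Vz6tkwv1yhuhnNGGfhdzbQ."
                    "1c030743-0487-494f-9e4e-246380e6e96f."
                    "46a09a43-5450-4376-a918-ef826188f7b8")


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def looks_like_jwt(value):
    """True only for header.payload.signature where header and payload are JSON objects."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, non-UTF-8 or non-JSON: an opaque code, not a token
        return False
    return isinstance(header, dict) and isinstance(payload, dict) and "alg" in header


def sign_hs256(claims, key):
    """Constructed issuer used only to build example input (Keycloak uses RS256 by default)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_jwt(token, key, issuer, audience, now=None):
    """Return the claims if signature, exp, iss and aud check out; raise ValueError otherwise."""
    if not looks_like_jwt(token):
        raise ValueError("not a JWT: an authorization code must be exchanged for tokens first")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; never let the token choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this audience")
    return claims


def rejection_reason(token, key, issuer, audience, now=None):
    """None when the token is acceptable, otherwise the reason it was refused."""
    try:
        verify_jwt(token, key, issuer, audience, now)
    except ValueError as err:
        return str(err)
    return None


def roles_for_client(claims, client_id):
    """Honour only roles issued under resource_access[client_id]; roles granted for
    other clients may be present in the token but are not this service's to act on."""
    return sorted(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


if __name__ == "__main__":
    claims = {"iss": SAMPLE_ISSUER, "aud": [MY_CLIENT_ID, "account"], "sub": "user-1",
              "exp": int(time.time()) + 300,
              "resource_access": {MY_CLIENT_ID: {"roles": ["reader"]},
                                  "billing-service": {"roles": ["admin"]}}}
    token = sign_hs256(claims, SAMPLE_KEY)
    print("authorization code looks like a JWT:", looks_like_jwt(SAMPLE_AUTH_CODE))
    print("roles for this client:", roles_for_client(
        verify_jwt(token, SAMPLE_KEY, SAMPLE_ISSUER, MY_CLIENT_ID), MY_CLIENT_ID))
    print("presented to billing-service:", rejection_reason(
        token, SAMPLE_KEY, SAMPLE_ISSUER, "billing-service"))
```

The two defences in the block are independent: the aud check refuses a token that was not issued for this service, and roles_for_client ignores whatever other clients' roles the token still carries. The second matters while the scope behaviour Daniel describes is unchanged, because a single token can legitimately list several audiences.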
OIDC Identity provider redirect_uri using wrong hostname
by Drew Weirshousky
Hi,
I've set up an OIDC Identity provider in Keycloak 3.4.3 and it works correctly. Our production servers are using 3.2.1. Both servers are behind haproxy and have different internal and external host names. 3.2.1 seems to be modifying the redirect_uri I have set in the IDP to use the internal hostname.
Does anyone know when this was changed? I'm currently digging through the recently closed bugs, should probably look for the change log.
Thanks
Drew
6 years, 11 months