Auth with Keycloak
by valsaraj pv
Hi,
I would like to know how to implement auth using Keycloak for an existing
model using JAAS & LDAP. Currently a user is authenticated with LDAP
directly from the login module. If the user is in an LDAP group, those roles will
be set. If there is no group for a user in LDAP, some hard-coded roles will
be set from the login module. When Keycloak is used, what kind of role mapping
is required for this scenario? How to do this conditional role mapping?
Thanks!
6 years, 10 months
How to generate jwt?
by Anton
Hello
We are trying to integrate Keycloak into both a mobile app and also a web
app.
We need to be able to generate jwt tokens, specifically for development and
research.
Is there an api we can call that will return a jwt token? We cannot find
anything in the docs about how to do this - which seems odd, I assumed this
would be a very commonly used feature.
Any help is appreciated.
Regards
Anton
6 years, 10 months
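Anton's question above asks for an API that returns a JWT. Keycloak issues its tokens from the realm's standard OpenID Connect token endpoint, `/auth/realms/{realm}/protocol/openid-connect/token`. The following is an added example (it is not code from the post or from the Keycloak project) that obtains tokens with the Resource Owner Password grant, which Keycloak calls Direct Access Grants and which has to be enabled on the client, then decodes the returned JWT to look at its claims. The realm `MyRealm`, client `my-app`, user `alice` and the localhost URL are assumptions.

```python
"""Get a JWT from a Keycloak realm's OIDC token endpoint and inspect it.
Added example (not from the post or the Keycloak project); see the lead-in for
the assumed client, realm and user. Standard library only."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple


def token_endpoint(base_url: str, realm: str) -> str:
    # Keycloak 3.x serves OIDC under the /auth context root.
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id: str, client_secret: str,
                        username: str, password: str) -> Dict[str, str]:
    # Resource Owner Password Credentials grant (RFC 6749 section 4.3), which
    # Keycloak calls "Direct Access Grants" and disables per client by default.
    # Suitable for test tooling and trusted first-party clients only; browser
    # and mobile apps should use the authorization code flow instead.
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,  # omit for a public client
        "username": username,
        "password": password,
        "scope": "openid",  # ask for an id_token alongside the access token
    }


def fetch_tokens(url: str, form: Dict[str, str]) -> dict:
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature.
    Acceptable for inspecting a token you just received over TLS from the issuer;
    never use this alone to accept a token presented by a caller."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_claims(payload: dict, issuer: str, client_id: str,
                 now: Optional[float] = None) -> List[str]:
    """Return the problems found with the standard claims (empty list = looks right)."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"iss {payload.get('iss')!r} != {issuer!r}")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("token expired or has no exp")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences and payload.get("azp") != client_id:
        problems.append(f"not issued for {client_id!r} (aud={aud!r}, azp={payload.get('azp')!r})")
    return problems


if __name__ == "__main__":
    import sys  # usage: python get_jwt.py <client_secret> <user_password>
    base, realm, client = "http://localhost:8080", "MyRealm", "my-app"
    tokens = fetch_tokens(token_endpoint(base, realm),
                          password_grant_form(client, sys.argv[1], "alice", sys.argv[2]))
    for name in ("access_token", "id_token"):
        if name in tokens:
            header, payload = decode_jwt_unverified(tokens[name])
            print(name, "alg =", header.get("alg"), json.dumps(payload, indent=2))
            print("  problems:", check_claims(payload, f"{base}/auth/realms/{realm}", client))
```

The decode step only splits the compact JWS; that is fine for looking at a token you just received over TLS from the issuer, but a resource server accepting tokens from callers must verify the RS256 signature against the realm's public keys (published at `/auth/realms/{realm}/protocol/openid-connect/certs`) before trusting any claim. The password grant itself is a development and test convenience: a mobile or web app in production should use the authorization code flow so that user credentials never pass through the client.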
Possible IDP configuration bug keycloak 3.4.3
by Drew Weirshousky
Hi,
I was wondering if anybody has seen this issue. I had an OIDC IDP configured and working using Okta as the IDP. This was set up with a trial account of Okta. When I modified the config to use the URL of the production server Keycloak had issues. The first login worked. The next user and all following logins received a 500 error using the IDP. I then deleted the entire config for the IDP and created a new configuration for it. Every time I tried logging in using the IDP Keycloak just generated stack traces. Finally I had to delete the config, restart keycloak, and clear all caches. Then when I recreated the config everything finally started working fine.
I don't have logs from this at this time. I was wondering if there is some sort of bug I came across here or should I create a bug report for it. If a bug doesn't exist I will try to recreate the issue and get logs for it.
Thanks
Drew
6 years, 10 months
Connection pool configurations in Keycloak 3.4
by Upananda Singha
Hi All,
Can anyone give some pointers on how to change the connection pooling
configuration in Keycloak. I am using Keycloak (3.4 latest version)
standalone-ha cluster deployment.
I want to use c3p0 connection pooling instead of the default connection
pooling.
Thanks & Regds,
Upananda
6 years, 10 months
Keycloak REST API
by Stephane Epardaud
Hi,
I'm trying to use the REST API of keycloak to seed an initial config for
tests that depend on keycloak, but I only found this doc:
http://www.keycloak.org/docs-api/3.3/rest-api/index.html
Are there better docs somewhere else?
If not: they barely explain what the entities are, and don't tell me
which parts are settable, required, or server-generated. They also
contain some links to types that are not documented (like Map), and
don't explain how to get a token to play along (found that somewhere
completely different). A set of examples with each endpoint and entity
type would be _greatly_ appreciated too. Otherwise there's a lot of
guesswork involved :(
Otherwise, pretty impressed with the rest of KeyCloak, so don't take
that issue harshly :)
Cheers.
6 years, 10 months
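Seeding the initial configuration Stephane describes, as an added example (not the poster's code or Keycloak's own): it obtains an admin token from the master realm via the built-in `admin-cli` client, then creates a realm and a confidential client through the Admin REST API, treating 409 Conflict as "already seeded" so the fixture is idempotent. The transport is injectable so the request building can be exercised without a server. The realm name `test-realm`, client `my-app`, redirect URI and localhost URL are assumptions; the representation fields used (`realm`, `enabled`, `sslRequired`, `bruteForceProtected`, `clientId`, `protocol`, `publicClient`, `secret`, `standardFlowEnabled`, `implicitFlowEnabled`, `directAccessGrantsEnabled`, `redirectUris`) are client-settable fields of the RealmRepresentation and ClientRepresentation types linked from the doc in the post.

```python
"""Seed a Keycloak realm and client through the Admin REST API for tests.
Added example (not from the post or the Keycloak project); standard library only."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body bytes).
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict,
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        # Hand the status back instead of raising so 409 can mean "already exists".
        return e.code, e.read()


class KeycloakAdmin:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/") + "/auth"  # Keycloak 3.x context root
        self.send = transport
        self.token: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        # Admin API calls are authorised with a bearer token from the master realm.
        url = f"{self.base}/realms/master/protocol/openid-connect/token"
        form = {"grant_type": "password", "client_id": "admin-cli",
                "username": username, "password": password}
        status, body = self.send(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"},
            urllib.parse.urlencode(form).encode())
        if status != 200:
            raise RuntimeError(f"admin login failed: HTTP {status} {body[:200]!r}")
        self.token = json.loads(body)["access_token"]
        return self.token

    def _post(self, path: str, representation: dict) -> int:
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        status, body = self.send("POST", f"{self.base}/admin{path}", headers,
                                 json.dumps(representation).encode())
        if status not in (201, 409):  # 201 created; 409 already exists (idempotent seeding)
            raise RuntimeError(f"POST {path} failed: HTTP {status} {body[:200]!r}")
        return status

    def ensure_realm(self, realm: dict) -> int:
        return self._post("/realms", realm)

    def ensure_client(self, realm_name: str, client: dict) -> int:
        return self._post(f"/realms/{realm_name}/clients", client)


def realm_representation(name: str) -> dict:
    # Only what a test realm needs; id, keys and timestamps are server-generated
    # and everything else takes Keycloak's defaults.
    return {"realm": name, "enabled": True, "sslRequired": "external",
            "bruteForceProtected": True}


def client_representation(client_id: str, redirect_uris: List[str], secret: str) -> dict:
    # Confidential OIDC client for the authorization code flow only: implicit
    # flow and direct-access grants stay off so the fixture is no looser than
    # a production client would be.
    return {"clientId": client_id, "protocol": "openid-connect", "enabled": True,
            "publicClient": False, "secret": secret,
            "standardFlowEnabled": True, "implicitFlowEnabled": False,
            "directAccessGrantsEnabled": False, "redirectUris": redirect_uris}


if __name__ == "__main__":
    import sys  # usage: python seed_keycloak.py <admin_password> <client_secret>
    admin = KeycloakAdmin("http://localhost:8080")
    admin.login("admin", sys.argv[1])
    print("realm:", admin.ensure_realm(realm_representation("test-realm")))
    print("client:", admin.ensure_client("test-realm", client_representation(
        "my-app", ["http://localhost:3000/callback"], sys.argv[2])))
```

Admin tokens from the master realm carry full realm-management rights, so keep them short-lived and do not bake the admin password into fixtures that ship with the code. `secret` is set explicitly so the test knows the client's credentials; when it is omitted Keycloak generates one, which can be read back from `GET /auth/admin/realms/{realm}/clients/{id}/client-secret`.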
Keycloak, OutOfMemoryError
by Lars Martin Kristensen
Hi,
We're seeing occasional starvation of our keycloak instance in one of our
environments. The instance becomes unresponsive and the logs reveal that
it's running out of heap space:
19:54:22,305 ERROR [io.undertow.request] (default task-22) UT005023:
Exception handling request to
/auth/realms/MyRealm/protocol/openid-connect/certs:
java.lang.OutOfMemoryError: Java heap space
We're running in standalone mode (single instance), and this is the only
environment where we're using the paypal identity provider. Could this be the
problem? In the log, around the time of the OutOfMemoryErrors we have seen:
19:39:08,036 INFO [org.apache.http.impl.execchain.RetryExec] (default
task-21) Retrying request to {s}->https://api.paypal.com:443
19:40:36,330 INFO [org.apache.http.impl.execchain.RetryExec] (default
task-21) I/O exception (java.net.SocketException) caught when processing
request to {s}->https://api.paypal.com:443: Connection reset
19:40:40,362 WARN [com.arjuna.ats.arjuna] (Transaction Reaper)
ARJUNA012117: TransactionReaper::check timeout for TX
0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state RUN
19:40:37,591 INFO [org.apache.http.impl.execchain.RetryExec] (default
task-21) Retrying request to {s}->https://api.paypal.com:443
19:41:51,957 WARN [com.arjuna.ats.arjuna] (Transaction Reaper)
ARJUNA012117: TransactionReaper::check timeout for TX
0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state CANCEL
..but whether this is the cause or a consequence of the OutOfMemoryError
I'm a little bit uncertain about.
Is there perhaps any way to tune the paypal connection configuration so
that connection errors consume fewer resources?
Users: Around 50k
Keycloak-version: 3.4.0.Final
Java-version: 3.4.0.Final
Memory-settings: -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m
Any pointers would be greatly appreciated.
Best Regards,
Lars Martin
6 years, 10 months
Fwd: keycloak authorization code flow id_token missing
by lucie lucas
Sorry, I didn't forward to everyone
And another thing: do you think it's a bug in keycloak (version 3.4.3)? If
yes, how could I report this bug?
Thanks a lot
---------- Forwarded message ----------
From: lucie lucas <xiaoning.sunx(a)gmail.com>
Date: 2018-02-18 12:15 GMT+01:00
Subject: Re: [keycloak-user] keycloak authorization code flow id_token
missing
To: valsaraj pv <valsarajpv(a)gmail.com>
And another thing: do you think it's a bug in keycloak (version 3.4.3)? If
yes, how could I report this bug?
Thanks a lot
Xiaoning
2018-02-18 12:09 GMT+01:00 lucie lucas <xiaoning.sunx(a)gmail.com>:
> Hi,
> Thank you for your response, but in my case, I can't use the implicit or
> hybrid flow because of a security problem. And for information, I want to use
> keycloak just as an Identity provider, and I have an authorization server. I
> don't know if it works, so I want to do tests with postman to be sure.
>
> Have you had a similar situation?
>
> Thanks in advance
> Have a nice day
> Xiaoning
>
> 2018-02-18 6:49 GMT+01:00 valsaraj pv <valsarajpv(a)gmail.com>:
>
>> Hi,
>>
>> Can you check the implicit or hybrid flow instead of the code flow?
>>
>> Thanks!
>>
>>
>> On 18-Feb-2018 3:15 AM, "lucie lucas" <xiaoning.sunx(a)gmail.com> wrote:
>>
>> Hi,
>>
>> I'm a new dev in the field of OpenID Connect. I want to do a test of
>> the authorization code flow with keycloak.
>>
>> So, I'll just clarify what I did
>>
>> 1. installation of the standalone version (keycloak) with configuration of the
>> admin console
>> 2. create a client app as client (protocol openid-connect), select
>> standard flow enabled,
>> 3. from browser: I use a url like:
>> http://localhost:8080/auth/realms/master/protocol/openid-connect/auth?client_id={client_id}&response_type=code
>> 4. the request redirects to {redirect_uri} with *code* and *sessionstate*
>> 5. with postman, I filled the information as below:
>>
>> POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token
>> body :
>> client_id, client_secret,grant_type(authorization_code), scope(openid),
>> response_type(id_token%20token), redirect_uri, state (copy from 5th step
>> url), code (copy from 5th step url)
>>
>> *BUT* there are only an access token and a refresh token in the response; there is
>> no id_token, which I was waiting for.
>>
>> Could you tell me what's wrong? Or does keycloak support only access tokens? (I
>> don't think so, because when I test the Grant Access Flow, there's an
>> id_token)
>>
>> I have been looking for this information for 2 weeks; until now, I've had no solution.
>>
>> Thank you for your feedback
>>
>> Xiaoning
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
6 years, 10 months
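The exchange in the thread above, rebuilt as an added example (not the poster's steps or Keycloak's code) that follows OpenID Connect Core: the `openid` scope, `response_type=code`, `state` and a `nonce` all go on the authorization request, since the `openid` scope is what makes it an OpenID Connect request entitled to an id_token, while the token request (RFC 6749 section 4.1.3) carries only `grant_type`, `code`, the same `redirect_uri` and the client credentials. The client checks `state` on the callback and the `nonce` inside the id_token it gets back. Realm `master` and the localhost URL come from the post; the client `my-app`, its secret and the redirect URI are assumptions.

```python
"""Authorization code flow against Keycloak, requesting an id_token.
Added example (not from the post or the Keycloak project); standard library only."""
import base64
import json
import secrets
import urllib.parse
import urllib.request
from typing import Dict, Tuple


def build_authorization_request(base_url: str, realm: str, client_id: str,
                                redirect_uri: str) -> Tuple[str, str, str]:
    """Return (url, state, nonce); keep state and nonce in the user's session."""
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session (CSRF defence)
    nonce = secrets.token_urlsafe(16)  # echoed back inside the id_token (replay defence)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",          # marks this as an OpenID Connect request
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    url = (f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/auth?"
           + urllib.parse.urlencode(params))
    return url, state, nonce


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect back to the client, rejecting a wrong state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error {query['error'][0]!r}")
    return query["code"][0]


def build_token_request(base_url: str, realm: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Tuple[str, Dict[str, str]]:
    """Token request per RFC 6749 4.1.3: no scope, response_type or state here;
    redirect_uri must be the one used in the authorization request."""
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return url, form


def exchange_code(url: str, form: Dict[str, str]) -> dict:
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _jwt_payload(token: str) -> dict:
    # Payload only, unverified: enough to read the nonce, not to trust the token.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_token_response(tokens: dict, expected_nonce: str) -> dict:
    """Require an id_token whose nonce matches the one sent; return its claims."""
    if "id_token" not in tokens:
        raise ValueError(f"no id_token in response; keys were {sorted(tokens)}")
    claims = _jwt_payload(tokens["id_token"])
    if claims.get("nonce") != expected_nonce:
        raise ValueError("id_token nonce does not match the authorization request")
    return claims


if __name__ == "__main__":
    import sys  # usage: python code_flow.py <client_secret>
    base, realm, client, redirect = ("http://localhost:8080", "master", "my-app",
                                     "http://localhost:3000/callback")
    url, state, nonce = build_authorization_request(base, realm, client, redirect)
    print("open this in a browser and log in:\n ", url)
    code = parse_callback(input("paste the full callback URL here: ").strip(), state)
    tokens = exchange_code(*build_token_request(base, realm, client, sys.argv[1], code, redirect))
    print(json.dumps(check_token_response(tokens, nonce), indent=2))
```

Run it, open the printed URL in a browser, log in, and paste the full callback URL back. As with any id_token, the signature still has to be verified against the realm's JWKS before any claim is trusted; the nonce check here guards against replay, not against a forged token.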
Custom user storage (external user DB) + Social Login
by Adrien Desbiaux
Hi there!
I am currently implementing a custom `UserStorageProvider`.
The module does NOT store the user in Keycloak but rather in memory. This
is, let's say, the opposite of the Import method for a
`UserStorageProvider`.
For reference:
http://www.keycloak.org/docs/latest/server_development/index.html#_user-s...
So, the user is properly authenticated against the external user
database/service and is in the `loadedUsers` in-memory Keycloak store.
What about a Facebook login then? How can the FB login be intercepted
in the same way as for a usual username/password login so that the user
is not stored in the Keycloak database but rather in the external user
database/service?
Thanks in advance for any hints!
Cheers,
6 years, 10 months