Identity Brokering, external IDP require nonce
by triton oidc
Hi,
In my scenario, I'm using Keycloak as an IDP broker.
It works fine with a lot of configuration.
I built Keycloak from source 3 weeks ago.
However, the IDP I'm trying to integrate right now requires a nonce in the
first call to the authorization endpoint.
https://myidp.com/authorize?scope=openid+profile&state=state&response_typ...
fails,
but if I manually add "&nonce=1234" to the URL it works.
I could not find an option in the external IDP concerning this nonce
generation.
Did I miss something?
Should I ask for a feature and wait for someone to look at it?
Any help would be appreciated.
Thanks a lot,
Amaury
6 years, 9 months
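The post above is about the `nonce` parameter of an OIDC authorization request, which the IdP echoes back inside the signed ID token so the relying party can tie that token to the browser session that started the login. The following is an added example, not Keycloak code and not something the poster wrote: it shows the relying-party side of that contract (mint a random nonce, put it on the authorization URL, and refuse any ID token whose `nonce` claim does not match). The endpoint URLs, client id and the HS256 demo key are constructed placeholders; a real IdP signs ID tokens with an asymmetric key that the RP fetches from the IdP's JWKS, so the shared-key signature step here only stands in for that.

```python
"""
Added example (not Keycloak code): relying-party handling of the OIDC nonce.
All URLs, client ids and the HS256 key are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_nonce() -> str:
    # 256 bits from the OS CSPRNG. Store it server-side in the user's session
    # (next to `state`) before redirecting; a guessable or reusable nonce lets
    # an ID token minted for one login be replayed into another session.
    return secrets.token_urlsafe(32)


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, nonce: str,
                            scope: str = "openid profile") -> str:
    # The nonce goes to the IdP once, on the front-channel request; the IdP
    # copies it into the signed ID token it later issues.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def mint_hs256_id_token(claims: dict, key: bytes) -> str:
    # Demo-only issuer so the verifier can be exercised offline. Constructed
    # for this example; it is not how Keycloak or a real IdP signs tokens.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(id_token: str, key: bytes, expected_nonce: str,
                    expected_aud: str, expected_iss: str, now: float = None) -> dict:
    """Return the claims if signature, issuer, audience, expiry and nonce all
    check out; raise ValueError otherwise. Nothing in the payload is trusted
    until the signature has been verified."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never take it from the token
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode("utf-8"), expected_nonce.encode("utf-8")):
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    # Walk the flow once with constructed values.
    demo_key = b"constructed-demo-key"
    nonce, state = make_nonce(), secrets.token_urlsafe(16)
    print(build_authorization_url("https://myidp.example/authorize", "broker-client",
                                  "https://rp.example/callback", state, nonce))
    token = mint_hs256_id_token({"iss": "https://myidp.example", "sub": "alice",
                                 "aud": "broker-client", "exp": int(time.time()) + 300,
                                 "nonce": nonce}, demo_key)
    print(verify_id_token(token, demo_key, nonce, "broker-client",
                          "https://myidp.example")["sub"])
```

The order of checks in `verify_id_token` is the point of the example: the nonce comparison is constant-time and runs only after the signature, issuer, audience and expiry have passed, and the nonce the RP compares against comes from its own session store, never from the callback.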
Help for configuring keycloak with existing GWT amalgamated Spring application
by mukesh Harshwal
Hi team,
I have an existing GWT amalgamated Spring application which is currently configured with JOSSO by using Spring Security. In order to revive the application security I want to plug out JOSSO and integrate Keycloak. I've seen a few examples for Keycloak integration with a Spring Boot application but am not finding any example for a simple Spring application's integration with Keycloak. Any help would be appreciated gratefully.
Thanks,
Mukesh
6 years, 9 months
Keycloak will run server-jre only
by Subodh Joshi
Hi Team,
Is there any restriction that Keycloak will work with server-jre only and
not with client-jre?
On my Linux machine we have the following versions installed:
/usr/sbin/alternatives --config java
There are 2 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64
(/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
+ 2 /usr/java/jre1.8.0_102/bin/java
It works fine with OpenJDK, but Keycloak does not come up with the Oracle
client-jre and gives this exception:
2018-03-22 12:30:56,163 ERROR
[org.jboss.as.controller.management-operation] (ServerService Thread
Pool -- 26) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "KeycloakDS")
]): org.jboss.as.server.services.security.VaultReaderException:
WFLYSRV0227: Security exception accessing the vault
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:124)
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:868)
at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1269)
at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:438)
at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:619)
at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:683)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:642)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:616)
at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:35)
at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:178)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:348)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:133)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:980)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:726)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:450)
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:386)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.jboss.security.vault.SecurityVaultException:
java.security.InvalidKeyException: Illegal key size or default
parameters
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:157)
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:110)
... 25 more
Caused by: java.security.InvalidKeyException: Illegal key size or
default parameters
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
at javax.crypto.Cipher.implInit(Cipher.java:801)
But the same setup works with *open-jdk* without any issue. After that I
updated the Oracle Java and used *server-jre*:
[root@ha1 ~]# /usr/sbin/alternatives --config java
There are 2 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64
(/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
+ 2 /usr/java/jre1.8.0_102/bin/java
This time it worked totally fine and Keycloak is running without any issue.
--
Subodh Chandra Joshi
<subodh1_joshi82(a)yahoo.co.in>
http://www.questioninmind.com
6 years, 9 months
Does Keycloak Support EAR deployments
by matt prpic
Hello,
I've been searching for this question online and on Keycloak's community pages, but I cannot find the answer anywhere. I have an EAR file with a JAR file within it. The JAR file is an application with various EJBs. The EAR file is deployed on a WildFly 11 server and the Keycloak adapter was installed using the CLI (adapter-elytron-install-offline.cli). I have tried calling one of my service's EJBs using a JNDI lookup through a test application, but there is no mention of any Keycloak authentication. I can only authenticate if I use one of the WildFly users, which tells me that Keycloak is not participating in this authentication at all. Below is my configuration:
EJB
@SecurityDomain("keycloak")
@Stateless(name="TestBean")
@RemoteHome(TestBeanHome.class)
@TransactionAttribute(value=TransactionAttributeType.REQUIRED)
public class TestBean implements ITestBean {
...
Standalone.xml
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="testapplication.ear">
        <realm>testrealm</realm>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <public-client>true</public-client>
        <ssl-required>EXTERNAL</ssl-required>
        <resource>testclient</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>
My question is: Does Keycloak support this project setup? The documentation only mentions WAR files, which is not an option for me. Any help would be appreciated.
Thanks,
Matt
6 years, 9 months
Keycloak SAML Elytron adapter with aggregate-realm
by Zoltán Kukk
Hi all,
I tried to use the Keycloak SAML adapter in WildFly 11, but I have to
enrich the SAML claim with local roles, so I have grouped KeycloakSAMLRealm
as authentication realm and a properties-realm as authorization realm with
an aggregate-realm.
I have figured out it is not working because the Elytron properties-realm
is limited to NamePrincipal only and Keycloak returns a SamlPrincipal.
Can you suggest a solution to add roles to a SAML claim from a local
store (file or database)?
Best regards,
Zoltán Kukk
6 years, 9 months
mappers and user federation
by Corbetta, Francesco
Hello
I wrote a JPA federation provider which works perfectly, but I'm not able to add claims via the client mappers table.
For example, I have a User property "gender" which is mapped to my UserModel getGender method, which does the mapping to the underlying Hibernate entity.
I configured the mapper as:
Consent required: Off
Mapper Type: User Property
Property: gender
Token Claim Name: person_gender
Claim JSON Type: string
Add to ID token: ON
Add to Access Token: ON
Add to userinfo: ON
While the Hibernate entity correctly loads the value, the claim is never included in the userinfo object.
To develop the provider I basically followed the user-storage-jpa example.
Server version is 3.4.0.Final
Best regards
Francesco
6 years, 9 months
Token exchange without configured policy
by Виталий Ищенко
Hi,
I've been experimenting with internal-to-internal token exchange [1] and
managed to exchange a token without a configured policy.
My original token belongs to a public client (token_owner_klient_id) and I'm
trying to exchange it with the audience set
to a confidential client that allows only the client credentials grant
(confidential_client).
If I execute the request as provided in the documentation, access is denied, but if
I provide confidential_client+confidential_client_secret
the exchange operation succeeds.
The only difference between tokens issued with and without policy is that with
policy the azp claim is set correctly to token_owner_klient_id.
The question is: is it correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
  -d "client_id=token_owner_klient_id" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=${TOKEN}" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
  -d "audience=confidential_client" \
  http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
6 years, 9 months
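The poster arrived at the `azp` observation by comparing the tokens issued with and without a policy. The script below is an added example, not Keycloak code and not from the poster, that does that comparison mechanically: it decodes two JWTs and lists every claim whose value differs, skipping the per-issuance claims (`iat`, `exp`, `jti`, ...) that always differ and would drown the signal. The sample tokens are constructed inline with a throwaway HS256 key purely so the script runs offline; which client the `azp` names in the no-policy case is invented here and says nothing about what any Keycloak version actually emits.

```python
"""
Added example (not Keycloak code): side-by-side claim diff of two JWTs.
Decoding is deliberately unverified: this is an inspection aid for someone
who already holds the tokens, not a step in trusting a token. The sample
tokens and their claim values are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

# Claims that legitimately differ between any two issuances of a token.
VOLATILE = frozenset({"iat", "exp", "nbf", "jti", "auth_time", "session_state", "sid"})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Return (header, claims) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def diff_claims(token_a: str, token_b: str, ignore=VOLATILE) -> dict:
    """Map each differing claim name to (value_in_a, value_in_b); a claim
    present in only one token shows None on the other side."""
    _, a = decode_unverified(token_a)
    _, b = decode_unverified(token_b)
    differences = {}
    for name in sorted(set(a) | set(b)):
        if name in ignore:
            continue
        if a.get(name) != b.get(name):
            differences[name] = (a.get(name), b.get(name))
    return differences


def _sample_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    # Demo-only minting so the script has tokens to diff; constructed here,
    # not how Keycloak signs anything.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def sample_pair():
    """Two constructed refresh tokens mirroring the shape of the post's
    experiment: same subject and audience, different azp and timestamps."""
    base = {
        "iss": "https://keycloak.example/auth/realms/configured-realm",
        "sub": "constructed-subject-id",
        "typ": "Refresh",
        "aud": "confidential_client",
        "scope": "openid profile",
    }
    without_policy = dict(base, azp="confidential_client",
                          iat=1_600_000_000, exp=1_600_001_800)
    with_policy = dict(base, azp="token_owner_klient_id",
                       iat=1_600_000_060, exp=1_600_001_860)
    return _sample_token(without_policy), _sample_token(with_policy)


if __name__ == "__main__":
    token_without, token_with = sample_pair()
    for name, (before, after) in diff_claims(token_without, token_with).items():
        print(f"{name}: {before!r} -> {after!r}")
```

Pass `ignore=()` to see the timestamp claims as well. Whatever the diff shows, the claim worth acting on from a security standpoint is the one the post names: `azp` records which client the token was issued to, so a difference there changes which party downstream services will believe presented the token.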
How to add user attribute through admin-cli
by Subodh Joshi
I am trying to add three attributes to a user and used the below admin-cli
command:
/opt/keycloak/bin/kcadm.sh create components -r master \
  -s name=user-attribute -s providerId=user-attribute \
  -s parentId=1295a70f-25f7-4e45-bcb8-285d7501c6d9 \
  -s 'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' \
  -s 'config."ugId"=["Admin_UserGroup"]'
but it's throwing:
No server or realm specified. Use --server, --realm, or 'kcadm.sh config
credentials'.
Can someone please let me know what is wrong with the above command?
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.questioninmind.com
6 years, 9 months