Re: [keycloak-user] SSO in web and desktop application
by Emanuele Gesuato
Hi Luis,

thanks for your feedback. Is there any way to use some access token in order to identify the current user?

Let me recap. I have a web application and a "desktop" application; they are different, but they share the same set of users and they are both in the same Keycloak realm. When the user is logged in to the web application I would like to trigger some authentication mechanism in order to let the user be automatically logged in when he opens the desktop application.

I am using Keycloak 3.4.3 with the tomcat7 adapter. Both the web application and the server side of the "desktop" one use tomcat7 as servlet container (but they are different instances). Of course the Keycloak server is the same for both.

I am not sure how a servlet filter can help me solve this issue, as I am using the standard tomcat7 Keycloak adapter.

Thanks for any help,
Emanuele
From: Luis Rodríguez Fernández <uo67113(a)gmail.com>
To: Emanuele Gesuato <Emanuele.Gesuato(a)finantix.com>
Date: 06/04/2018 17:28
Subject: Re: [keycloak-user] SSO in web and desktop application
Hello Emanuele,

OK, I see. So if I understand correctly you have "converted" your webapp into a desktop application using something like https://applicationize.me/ in a dedicated browser with some restrictions.

The problem here is that you are requesting the application from a completely different client; it would be the same if you opened an incognito window in your browser after logging in to siteA.

I have done a quick test with one of our SAML applications and I am redirected to the login page of our SSO. After authentication the app works perfectly fine.

Perhaps you could try to configure that dedicated browser to automatically use the Windows/Kerberos credentials of the logged-in user...

Cheers,
Luis

ps: the servlet filter can work in any servlet container. I am successfully using it in tomcat 9 :)
2018-04-06 12:38 GMT+02:00 Emanuele Gesuato <Emanuele.Gesuato(a)finantix.com>:

Sorry for my email issue
*****************
Hi there,

the client-server app is a browser application where we are using the keycloak-saml tomcat7 adapter. Your link refers to a Java servlet application that doesn't have an adapter for that servlet platform. Am I missing something in your answer?

Thanks,
Emanuele Gesuato
Software specialist
Mobile: +39 335 757 3556 | Email: emanuele.gesuato(a)finantix.com | skype: emanuelegesuato_work
From: Subodh Joshi <subodhcjoshi82(a)gmail.com>
To: Emanuele Gesuato <Emanuele.Gesuato(a)finantix.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Date: 06/04/2018 12:11
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces(a)lists.jboss.org
Emanuele Gesuato, looks like some issue with your email client/server.

On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato(a)finantix.com> wrote:
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
Authentication with both Keycloak and client-cert
by Sjef Hoeks
Hi,

is it possible to protect an application consisting of a single WAR with both Keycloak (for the user interface) and CLIENT_CERT (for web services)?

E.g.:
the endpoint /ui must be protected with Keycloak, so users must log in to access these pages.
the endpoint /ws must be protected with mutual authentication with certificates.

Kind regards,
Sjef
IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK during Custom User Federation
by Sachin Rastogi
Hi all,

We are using Keycloak 3.4.3 and loading users via Custom User Federation from the database. We are using Postgres 9.4.12.

When we are loading users from the database during CustomUserStorageProviderFactory.create(..), it is throwing the following exception during con.createStatement():

13:46:43,385 ERROR [stderr] (default task-8) java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK
13:46:43,385 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
13:46:43,387 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.createStatement(WrappedConnection.java:340)
13:46:43,387 ERROR [stderr] (default task-8) at com.test.service.UserServiceImpl.loadExistingUsers(UserServiceImpl.java:98)
13:46:43,387 ERROR [stderr] (default task-8) at com.test.CustomUserStorageProviderFactory.create(CustomUserStorageProviderFactory.java:43)

But if we call loadExistingUsers in the init method of CustomUserStorageProviderFactory, it works fine. Please advise, what are we doing wrong? What is the ideal way of loading existing users in Custom User Federation?

Regards,
SR
custom registration flow
by Giorgi Kinkladze
Hello, I want to create a new registration flow with multiple pages. I wasn't able to find any documentation about this. (The only documentation I found so far is about extending the existing registration flow; it also says that if I want to write my own registration flow I should implement Authenticator. I have already done that.) I've read the default registration flow implementation: there are 3 FormAction / FormActionFactory implementations, one for user creation, one for profile info validation and one for password validation. Now I have implemented my own validator which extends FormAction and FormActionFactory, but I wasn't able to add this validation to my custom registration flow. How can I do this? If I can't, what is the alternative way to implement my custom registration with multiple pages? For example, I want the first page of the registration flow to ask for the user's card id (it is a registration flow for a bank user, so he/she must have our bank debit/credit card to register), then I want to check if the card info is valid and display the next page of the registration flow... Should I create a new Authenticator per page or use the same one?
Can there be multiple keycloak.auth-server-url in keycloak adapter
by sagar bijlwan
Hi,

I am using nginx as reverse proxy facing the external world, and my Spring Boot app and Keycloak are deployed internally. In the Spring Boot application.properties I am providing the proxy address and redirecting to the real instance from the proxy.

keycloak.auth-server-url=https://proxyadress/auth

nginx.conf snippet:

    location /auth {
        proxy_pass http://internalbox:9000/auth;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Scenario:
When an unauthenticated user tries to access the app, the app redirects to https://proxyadress/auth. The proxy in turn redirects to the real instance and the user logs in. The issue is after the login: the keycloak adapter tries to turn the access code into an access token and generates a POST. For that it uses the address given in auth-server-url, i.e. the proxy address. Clearly there is no Keycloak sitting at the proxy on port 443, so there are errors and the Auth outcome is FAILED.

How can I tell the keycloak-adapter to use an internal URL for this POST request? Any other workaround?

Thanks
Sagar
--
S A M
Keycloak JWT modification and logging
by vrinda nayak
Hello All,

We use a Keycloak standalone system as authentication server. On our client/server side we have just installed the Keycloak adapter.

For certain tests, we need to change the values of the *'aud', 'sub', 'nbf', 'exp'* parameters in the JSON Web Token. Also for one test, we need to send back an unsigned token to the client.

Can someone please advise how this can be achieved? Also, which logger would I need to set to DEBUG/TRACE in standalone.xml to be able to see the JWT parameters and their values in the response sent back to the client?

Thanks in advance.
Vrinda
Re: [keycloak-user] Keycloak Express middleware VS self signed cert
by Ali Ok
Resending, after subscribing to the Keycloak user list
----------------------------------
(also adding the Keycloak ML)

Hi,

I am trying to integrate a Node application with a Keycloak instance running on my local OpenShift cluster. The Node app uses the Keycloak client in this Gist: [1]. Here is the keycloak.json file used in the Node app: [2].

When I pass a valid token to the Node app, the Keycloak middleware on the Node app side tries to get the public key from Keycloak, and I see a "self signed certificate in certificate chain" error when the Keycloak lib tries to do this:
"
// retrieve public KEY and use it to validate token
this.rotation.getJWK(token.header.kid).then(key => {
"
here: https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L359

2 questions:
- How can I configure the client and the Node app to have the public key already, so that it doesn't go and fetch the public key?
- If the question above doesn't make sense (I can be considered a beginner in this area), how can I make the middleware work with a Keycloak instance that has a self-signed cert?

I prefer the first approach.

Thanks,
Ali

[1]: https://gist.github.com/aliok/8ae2c9d240d09367b59e491677400a96
[2]: https://gist.github.com/aliok/23e93794847ef3493893627ca68e9650
Fwd: Access Token Timeout behaviour - Changes between Keycloak 2.5.5 and Keycloak 3.4.1
by Online User
> How do I know what changed between these versions in the subject?
>
> An internal client of mine reports that there is a change in the behaviour between these versions.
>
> He is observing in 3.4.1 that Keycloak redirects the user to the service after access token expiry and before the session timeout, whereas he expected to be redirected to the login page.
Problem with kerberos
by Simon Lelardoux
Hello everyone!

I am new here and I have a Kerberos authentication problem: when it is required in the authentication flow, I remain stuck on a page displaying "Kerberos not configured". Yet the configuration was made on LDAP in user federation. Is the problem on the client or server side?

Thank you for your answers