Listen on specific ip address
by Elie Ferron
Hello,
Currently, my Keycloak server listens on localhost:8443, but I wish it would listen on ServerIp:8443. Where can this be configured?
Thank you in advance,
6 years, 11 months
How to get rid of the basic auth window appearing when logging in on windows machines with SPNEGO / Kerberos login?
by Dominik Guhr
Hi,
I have a very weird behaviour here.
I am using an ldap federation provider and SPNEGO with its respective
WWW-Authenticate: Negotiate header to enable auto-login.
Now everything worked fine in our staging environments, but in
production (damn! there's no place like...), there's suddenly a Basic
Auth window appearing in Chrome (Win7) and Edge/Chrome (Win10). When
pressing "cancel", the auth call is returning a 401 and falling back to
the login page. But: after this, when I re-open the page which should
automatically log me in, in another tab or in the same tab, it suddenly
works.
Does anyone have some info about that? I am out of ideas, sadly.
Best regards,
Dominik
6 years, 11 months
Reset Password flow
by Erlend Hamnaberg
Hello list.
We would like to be able to have a different screen than the login screen
with a message after reset-password.
We would like a separate page with something like:
//Start page
*Check your email*
You have been sent an email with a link to reset your password; this link
expires in one minute.
button[Go to login]
//end page
Then a JavaScript timeout will bring you back to the login page after 30
secs or so.
Is this possible to get to work without modifying
org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail
to display a success message instead of resetting the authentication flow?
We don't want to make it possible to guess usernames or emails, so we will
display that screen every time instead of immediately being thrown
back to the login screen.
Are there any security implications with doing it this way?
/Erlend
6 years, 11 months
Linking pre-existing Keycloak user with LDAP user (without import)
by Mike Wakim
Hello,
I have a small question regarding a specific use case with user federation, that I am hoping someone can help with. I set up a small LDAP server using the example given in the Keycloak Git repo. I imported the LDAP realm into Keycloak and did the following:
1. Turn the "enabled" setting off in user federation (temporarily).
2. Turn the "import" setting off in user federation.
3. Turn the "sync registrations" setting off in user federation.
My use case is the following:
I would like to create a user (e.g. bwilson) manually in Keycloak, and I would like to assign custom roles to that user as needed. However, this user (e.g. bwilson) is a user that already exists in my LDAP server. If I enable user federation and try to log in using this user, Keycloak by default will only check the Keycloak DB, and will not try to authenticate this username through user federation. Is there any way for me to link the manually created "bwilson" user with the "bwilson" user that already exists in LDAP? I'm mainly interested in linking the roles that appear in the Keycloak DB; I would like the user to log in using his LDAP credentials.
I am aware that if I "import" users from LDAP into Keycloak, I can go to a user's settings and add roles to that user as needed. However, if I have a pre-existing user in the Keycloak DB, can I link this user to the user with the same username in LDAP (without importing)? Any assistance would be much appreciated!
Thanks,
Mike
6 years, 11 months
how to identify groups from userfederation
by Kevin Hirschmann
Hello,
Is there a way to distinguish the groups which have been imported by a group mapper from the groups created via the Keycloak UI?
Users have a federationLink, which is not set when they haven't been imported. The reason is that I do not want users to edit imported groups,
but want to allow it for groups they have created in Keycloak.
Thanks and have a nice weekend
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
Phone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-mail: kevin.hirschmann(a)huebinet.de<mailto:kevin.hirschmann@huebinet.de>
Internet: www.huebinet.de<http://www.huebinet.de/>
HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
Personally liable partner of the KG:
HUEBINET GmbH;
Registered office and court of registration: Koblenz HRB 6857
Management:
Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
6 years, 11 months
mssql deadlock
by Simon Payne
Hi, I have been looking at using MSSQL with Keycloak and have done some
local performance testing to recreate the deadlocks.
I have found that if we create and delete clients whilst simultaneously
deleting users, deadlock occurs.
I have also found that changing the transaction isolation level to
TRANSACTION_READ_UNCOMMITTED removes the occurrence of the deadlocks.
Is there any reason why I shouldn't use this isolation level? I understand
that this level comes with dirty reads, but is there a side effect to this
when Keycloak is clustered?
Thanks
Simon.
6 years, 11 months
Multiple clients, same realm, cross-client REST calls
by Pieter Lukasse
Hi,
I have a use case for the following scenario:
- 2 clients connected to the same Keycloak realm (via SAML)
- user logs in to 1st client and opens a webpage that makes REST API
calls to both 1st and 2nd client apps
Currently the calls to the REST API of the 2nd client app fail with 401
error (not authorized). Any hints on how to get this working? Except for
this specific use case, SSO is working across both apps (i.e. when the user
is logged in to client 1 and then browses to client 2, he does not need to
fill in user name and password again).
Thanks,
Pieter Lukasse
E. pieter(a)thehyve.nl
T. +31(0)30 700 9713
W. www.thehyve.nl
We empower scientists by building on open source software
6 years, 11 months
Is it possible to map 'sub' claim of external identity provider to attribute
by Rens Verhage
I have configured an external OIDC identity provider and now want to add a mapper that maps the OIDC sub (subject) claim to a user attribute:
Mapper type: Attribute Importer
Claim: sub
User Attribute Name: test
On my client I have added a mapper that takes this attribute and inserts it into a claim:
Mapper type: User Attribute
User Attribute: test
Token Claim Name: test
Claim JSON Type: String
On login, I expect to see the claim ‘test’ in the other claims collection, but the collection remains empty. Am I doing something wrong or is mapping of sub not supported?
Rens
6 years, 11 months
Spring Boot Adapter - change Cache-Control : private header
by Scott Hezzell
Hi
Spring Boot Version: 1.5.10.RELEASE
Keycloak Spring Boot Adapter Version: 3.4.3.Final
Is there any way to update the Cache-Control header set to private? Any Cache-Control headers set in my controller are always overridden by the settings set by the keycloak adapter.
Thanks
Scott
Scott Hezzell
Senior Developer
hellobenefex.com<https://www.benefex.co.uk>
Benefex Ltd, Mountbatten House, Grosvenor Square, Southampton, SO15 2JU. Registered Number: 04768546
6 years, 11 months
Keycloak with nginx proxy
by Athulya Pillai
Keycloak Redirect url with nginx is going to http rather than https<https://stackoverflow.com/questions/49629610/keycloak-redirect-url-with-n...>
I have deployed the Keycloak Docker image on Ubuntu along with the parameter proxy-address-forwarding=true.
Now Keycloak is working perfectly with the nginx configuration in SSL (https). Now I have deployed another .NET Core application on Ubuntu. This application is in http and is able to communicate with Keycloak in https for login.
However, when the application is hosted in https using nginx, Keycloak is showing an invalid redirect URL. The redirect URL is in https in the Keycloak configuration; however, Keycloak is taking http for the redirect URL. Please help to resolve.
6 years, 11 months