Keycloak UI customization
by Pulkit Srivastava
Can we customize Keycloak's UI to completely replace it with a custom UI?
Thanks,
Pulkit
6 years, 8 months
Restricting users by realm
by valsaraj pv
Hi,
I have a set of users & 2 realms for 2 different applications.
One is my application and the other is a test vanilla application. These two are
using separate realms under a single Keycloak server.
When a user is logged in to my application & I click the login button of the
vanilla application, it shows that user as logged in.
Is this an existing scenario in Keycloak? Since the user is logged in with a
different realm, how is that user shown as logged in in the vanilla app?
Is there any way to prevent this?
Thanks,
Valsaraj Viswanathan
6 years, 8 months
Keycloak spring-boot-adapter logout session from keycloak.
by saloni udani
Hi
I have a spring-boot 2 application which I am trying to secure with
Keycloak. I have used the 'keycloak-spring-boot-2-starter' adapter.
Following is my security configuration:
--------
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@ConditionalOnProperty(value = "keycloak.enabled")
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // Specifies the session authentication strategy
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .csrf().disable()
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .logout()
                .logoutUrl("/logout")
                //.invalidateHttpSession(true)
                //.deleteCookies("JSESSIONID")
            .and()
            .authorizeRequests()
                .antMatchers("/").hasRole("superuser").anyRequest().permitAll();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
--------
Following are the Keycloak properties from application.properties:
--------
keycloak.enabled=true
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=MyRealm
keycloak.resource=my-app
keycloak.public-client=true
keycloak.security-constraints[0].authRoles[0]=superuser
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
--------
Now the default logoutSuccessfulUrl used by KeycloakLogoutHandler is '/',
which is my secure endpoint. So when I do logout in the application, it hits
'/' and automatically logs in again, as the session with Keycloak does not
get deleted on logout.
If I change logoutSuccessfulUrl to some unsecured endpoint, then the
session from Keycloak seems to get deleted. And from that unsecured page, if I
try to hit a secure page, it asks for login as expected.
So here I am trying to understand in which scenario the session from
Keycloak should be deleted (logged out) when we fire logout from the
application? What is the difference between the two logout scenarios
mentioned above?
Thanks
6 years, 8 months
IdentityBrokerState Exception
by Rory Hart
Hi
I have this exception with a client's ADFS IdP integrating with our
Keycloak. The exception happens upon login and isn't happening on the
staging instance.
Caused by: java.lang.NullPointerException
    at java.base/java.util.regex.Matcher.getTextLength(Matcher.java:1769)
    at java.base/java.util.regex.Matcher.reset(Matcher.java:416)
    at java.base/java.util.regex.Matcher.<init>(Matcher.java:253)
    at java.base/java.util.regex.Pattern.matcher(Pattern.java:1147)
    at java.base/java.util.regex.Pattern.split(Pattern.java:1264)
    at org.keycloak.keycloak-server-spi-private//org.keycloak.broker.provider.util.IdentityBrokerState.decode(IdentityBrokerState.java:75)
    at org.keycloak.keycloak-server-spi-private//org.keycloak.broker.provider.util.IdentityBrokerState.getDecodedState(IdentityBrokerState.java:54)
    at org.keycloak.keycloak-services//org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:958)
    at org.keycloak.keycloak-services//org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:473)
    at org.keycloak.keycloak-services//org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
    ... 63 more
Any ideas what this could be?
Thanks
Rory Hart
6 years, 8 months
Comma separated attribute value to roles
by Brent Yarger
Hello,
I am using keycloak ( Red Hat SSO 7.2 ) as an identity broker for a SAML
v2.0 identity provider. The SAML XML that I get back has an attribute named
"groups" with a value of a comma-separated list of user roles.
Example:
<saml:Attribute Name="groups"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema "
      xsi:type="xs:string">
    Admin,User,Auditor,Manager
  </saml:AttributeValue>
</saml:Attribute>
Is it possible to map the "groups" attribute to all of the roles in the
list? In the above example, the user would then have four roles assigned --
Admin, User, Auditor, and Manager.
Thanks,
Brent
6 years, 8 months
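The attribute handling asked about above, as an added example that is not part of the original post or of Keycloak's own code. Keycloak's built-in SAML attribute-to-role mapper compares the whole attribute value against one configured string, so a value such as "Admin,User,Auditor,Manager" never matches "Admin"; a custom mapper (hypothetical here) has to split the value first. The script below shows the normalisation such a mapper needs (namespace-aware lookup, trimming the whitespace that pretty-printed XML puts around the text, dropping empty entries and duplicates) and goes a little beyond the post by also handling multi-valued attributes, a configurable separator, and a check that only roles already known to the realm get assigned. The sample AttributeStatement, the "mail" attribute and the realm role list are constructed.

```python
"""Added example (not from the original post): split a comma-separated
SAML attribute value into individual role names before mapping them."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample modelled on the attribute shown in the post; the
# whitespace, the stray space after a comma, the empty entry and the
# repeated "Admin" are deliberate edge cases.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="groups"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">
      Admin,User, Auditor,Manager,,Admin
    </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">user@example.invalid</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def split_role_list(value, separator=","):
    """Split one attribute value into clean, de-duplicated role names,
    keeping the order in which the IdP sent them."""
    seen = set()
    roles = []
    for part in (value or "").split(separator):
        name = part.strip()
        if not name or name in seen:
            continue
        seen.add(name)
        roles.append(name)
    return roles


def roles_from_attribute(xml_text, attribute_name="groups", separator=","):
    """Collect roles from every <saml:AttributeValue> of the named attribute.

    Accepts either a bare <saml:Attribute> or a whole <saml:AttributeStatement>;
    multi-valued attributes (several AttributeValue elements) are merged.
    """
    root = ET.fromstring(xml_text)
    # Consider the root itself in case a bare <saml:Attribute> was passed in;
    # ".//" only walks descendants, so the root is not counted twice.
    candidates = [root] if root.tag == f"{{{SAML_NS}}}Attribute" else []
    candidates += root.findall(".//saml:Attribute", NS)
    roles = []
    for attr in candidates:
        if attr.get("Name") != attribute_name:
            continue
        for value_el in attr.findall("saml:AttributeValue", NS):
            for role in split_role_list(value_el.text, separator):
                if role not in roles:
                    roles.append(role)
    return roles


def roles_to_assign(xml_text, known_realm_roles, attribute_name="groups"):
    """Return (assignable, unknown): only roles that already exist in the
    realm are assigned; anything else is reported instead of being silently
    granted or created from an unexpected IdP value."""
    wanted = roles_from_attribute(xml_text, attribute_name)
    known = set(known_realm_roles)
    assignable = [r for r in wanted if r in known]
    unknown = [r for r in wanted if r not in known]
    return assignable, unknown


if __name__ == "__main__":
    print(roles_from_attribute(SAMPLE_ATTRIBUTE_STATEMENT))
    print(roles_to_assign(SAMPLE_ATTRIBUTE_STATEMENT, ["Admin", "User", "Auditor"]))
```

The realm-role check in `roles_to_assign` is the part worth carrying into a real mapper: a broker should translate IdP group names into roles it already knows, and log the rest, rather than letting the remote IdP decide which role names exist.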
Unable to process SAML response from Azure AD
by Lynxlogic
I’m trying to setup SAML SSO between Azure AD and Keycloak. On the redirect back after auth, Keycloak is failing to process the response and generates an internal server error:
00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
    ...
Caused by: java.lang.NullPointerException
    at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
    at java.util.regex.Matcher.reset(Matcher.java:309)
    at java.util.regex.Matcher.<init>(Matcher.java:229)
    at java.util.regex.Pattern.matcher(Pattern.java:1093)
    at java.util.regex.Pattern.split(Pattern.java:1206)
    at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
    at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
    at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
    ... 63 more
I’ve posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf.
The stack trace indicates it’s failing at IdentityBrokerService.parseEncodedSessionCode(). I’ve tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point me in the right direction to solve this?
Thanks,
David
6 years, 8 months
Adding another User Federation
by Matthew Beliveau
Hello,
I am currently working on another Federation that allows me to read and write to freeIPA. Right now I am trying to get used to the Keycloak development code/build. I have cloned LDAP's code and changed the ID to "foobar" and it compiles just fine. I've added a foobar module in the federation pom.xml. However, when I start the testsuite server, I do not see my extra provider there. I was wondering where else in the code I would have to add my extra provider for it to show up on the testsuite.
Any help would be gratefully appreciated,
Matthew Beliveau
6 years, 8 months
Getting user information for a service behind a reverse proxy running keycloak
by Omri Tavor
Hi,
Quick question. I have an Apache httpd server running the OIDC httpd adapter. This httpd server acts as a reverse proxy to another Tomcat server running legacy JSF code (httpServletRequest).
What would be the correct (and simplest) way of getting the user information from within that tomcat scope? (I've tried request.getUserPrincipal() but got a null value).
I would appreciate any help!
Omri.
6 years, 8 months
New mappers not reflected when using original refresh token
by Neil Chapman
Hello
We are using Keycloak to store users and roles, and we have various role name mappers to transform the roles into a custom format within the access token. Once a user has been set up, we issue them a refresh token and they are able to create access tokens from the refresh token and all is good.
The issue we are having is that if we then create a new role and new role name mapper to map this new role into the access token, the new mapper functionality is not reflected in the original refresh token we issued to the client.
Whether we use the access token or a new refresh token that is based on the initial refresh token, we never see the new mapper functionality reflected in the access token. We see the new role in the default position in the access token, but it's not mapped to the right place based on our mapper.
We find ourselves having to create a brand new refresh token by running the following cURL command internally and then instructing the client to use the new refresh token:
curl --data "grant_type=password&client_secret=xxxxxxxxxxx&client_id=xxxx&username=xxx(a)xxx.com&password=xxxx&scope=offline_access" https://auth.xxxxxxxx.com/auth/realms/opta/protocol/openid-connect/token
After we do this and give the user the new refresh token the new mapper functionality is present in all future access tokens.
Is there a way for our users to continue to use the original refresh token and have new role mappers be reflected in the user's access tokens?
Our goal and understanding was that there is a way to issue a client a refresh token once and all changes to that user's profile (roles, attributes, mappers) would be reflected by using the original refresh token to create access tokens.
We'd like to issue a single refresh token to a user and then make changes to the user's roles, mappers, etc. and not have the user adopt a new refresh token each time.
We are using version 3.2.1-final.
Thank you
6 years, 8 months
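A diagnostic for the symptom described above, added here as an example; it is not from the original post and not Keycloak's code. The post reports that a newly added role shows up in the token's default position (realm_access.roles, or resource_access.<client>.roles for client roles) but not in the custom claim a role-name mapper should have produced. The script decodes a JWT payload without verifying it (it is for inspecting tokens you already hold, not for accepting them), lists every claim path in which a role appears, and reports the roles that never reached the custom claim. The tokens are constructed, unsigned samples built inside the script; the custom claim name "app_roles", the client id "my-app" and the name transform (upper-case with an "APP_" prefix) are assumptions standing in for whatever the real mapper does.

```python
"""Added example (not from the original post): find where each role lands
in a Keycloak access token and which roles a custom claim is missing."""
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Return the claims of a compact-serialised JWT. No signature check:
    this is an inspection tool for tokens you already trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims):
    """Build a constructed, unsigned (alg=none) token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def find_role_paths(claims, role):
    """Return dotted claim paths whose value is, or is a list containing, `role`."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            if role in node:
                hits.append(path)
        elif node == role:
            hits.append(path)

    walk(claims, "")
    return hits


def _get_path(node, dotted):
    """Follow a dotted claim path; return the list found there or []."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return []
        node = node[key]
    return node if isinstance(node, list) else []


def unmapped_roles(claims, custom_claim, transform,
                   default_paths=("realm_access.roles",)):
    """Roles present in Keycloak's default role claims whose transformed
    name is absent from the custom claim the mapper should have filled."""
    mapped = set(_get_path(claims, custom_claim))
    missing = []
    for path in default_paths:
        for role in _get_path(claims, path):
            if transform(role) not in mapped and role not in missing:
                missing.append(role)
    return missing


# Constructed sample: an access token minted from the old refresh token.
# "reporting" was added to the realm later; it reached realm_access.roles
# but the custom claim still reflects the mapper set that existed before.
STALE_TOKEN = make_unsigned_token({
    "iss": "https://sso.example.invalid/auth/realms/example",
    "preferred_username": "alice",
    "realm_access": {"roles": ["editor", "viewer", "reporting"]},
    "resource_access": {"my-app": {"roles": ["editor"]}},
    "app_roles": ["APP_EDITOR", "APP_VIEWER"],
})


def app_role_name(role):
    """Assumed transform of the hypothetical mapper: editor -> APP_EDITOR."""
    return "APP_" + role.upper()


if __name__ == "__main__":
    claims = decode_jwt_payload(STALE_TOKEN)
    for role in claims["realm_access"]["roles"]:
        print(role, "->", find_role_paths(claims, role))
    print("missing from app_roles:", unmapped_roles(claims, "app_roles", app_role_name))
```

Run against a token minted from the old refresh token and one from a freshly issued refresh token, the output of `unmapped_roles` makes the difference the post describes visible in one line per token, which is quicker than reading two decoded payloads side by side.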
Spring Context in custom user storage module
by Jeremy Simon
Hi,
I’ve been trying to stand up a Spring context in my user storage factory but I ran into some classloader issue(s) I cannot get past. I created a separate Spring module which seems to resolve all the Spring dependencies I needed, but upon start up of the server, the configuration class I have referenced in my user storage module cannot be seen.
Snippet of standing up the Spring context in my user storage module:
ApplicationContext springContext = new AnnotationConfigApplicationContext(SomeConfig.class);
SomeConfig.class is in the same package as the factory class.
On startup there’s a stack trace whose bottom cause is as follows:
Caused by: java.lang.ClassNotFoundException: com.mycompany.keycloak.storage.user.SomeConfig from [Module "deployment.keycloak-server.war" from Service Module Loader]
Any thoughts? I started going down the trail of putting all my dependencies into this module, but it’s becoming a rabbit trail as well.
jeremy
6 years, 8 months