UTF-8 character set support for user name and other fields / attributes
by Upananda Singha
Hi,
I am working with the Keycloak OIDC feature, and needed some clarification
regarding the character set it supports:
1. I have a requirement to use UTF-8 characters (multi-byte) in the
Username field,
which seems to work fine while setting the user name, and I can log in to
Keycloak.
But it seems there are other related issues while generating / encoding the
tokens.
Sometimes (for some characters) it works fine, but for some multibyte characters
it throws
{
"error": "invalid_grant",
"error_description": "Code not valid"
}
while trying to get the Tokens using the authorization code.
Can someone tell me if Keycloak actually supports the UTF-8 character set in
Username and other fields, and also in custom user attributes?
It would be of great help if anybody could share some information.
Thanks,
Upananda,
Motorola Solutions
6 years, 8 months
Ability to login Users from different buckets
by Rakesh Alladi
Hi,
So far we have been working with KeyCloak and been able to set it up and
run it successfully.
We are able to set up the users and login and achieve SSO between our
applications.
Now we need to actually find how to achieve the below scenario with
Keycloak:
Our users can be part of multiple buckets, meaning multiple user records
with the same email can exist within different buckets. So I might need
something like BucketId in the User_Entity table in the Keycloak database and use
it in the login page.
So,
1. While logging in a user would enter Username, Password, BucketId.
2. Keycloak should authenticate him by verifying the username and password
against the provided BucketId.
I have searched the documentation but did not find anything related. Maybe
I have missed it if it already exists. Can anyone please let me know how to
implement this?
Thanks
--
IMPORTANT: The information contained in this message is intended only for
the confidential use of the designated recipient. If the reader of this
message is not the intended recipient or an agent responsible for
delivering it to the intended recipient, you are hereby notified that you
have received this document in error and that any review, dissemination,
distribution or copying of this message is strictly prohibited. If you have
received this communication in error, please notify us immediately and
delete this message and any attachments from your computer. Thank you.
6 years, 8 months
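One way to implement the login described above, as an added example that is not code from the thread or from the Keycloak project: a custom Authenticator SPI provider that reads username, password and bucketId from the login form. It is written against the Keycloak 4-era SPI (the vintage of this thread) and assumes two things that the post does not state: because Keycloak usernames must be unique per realm, users are stored with the realm username "<bucketId>:<username>" plus a user attribute "bucketId", and the login theme provides a "login-bucket.ftl" template that adds a bucketId input. The package, class names, template name and attribute name are all hypothetical.

```java
// Added example, not Keycloak project code. Assumes Keycloak 4-era SPI, realm
// usernames of the form "<bucketId>:<username>", a "bucketId" user attribute and a
// "login-bucket.ftl" theme template. In a real module the two classes go in separate
// files and the factory is listed in
// META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
package example.keycloak.bucket;   // hypothetical package

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.messages.Messages;

class BucketUsernamePasswordAuthenticator implements Authenticator {
    static final String BUCKET_ATTR = "bucketId";           // assumed user attribute
    static final String FORM_TEMPLATE = "login-bucket.ftl"; // assumed theme template

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the form with username, password and bucketId inputs.
        context.challenge(context.form().createForm(FORM_TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        String bucketId = form.getFirst("bucketId");
        if (isBlank(username) || isBlank(password) || isBlank(bucketId)) {
            fail(context, AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // The bucket scopes the lookup, so the same entered name resolves to a different
        // record per bucket. The attribute check stops a username containing ':' from
        // being resolved into someone else's bucket.
        UserModel user = session.users().getUserByUsername(bucketId + ":" + username, realm);
        if (user == null || !bucketId.equals(user.getFirstAttribute(BUCKET_ATTR)) || !user.isEnabled()) {
            // Same error text as a wrong password: do not reveal which part was wrong.
            fail(context, AuthenticationFlowError.INVALID_USER);
            return;
        }
        // Record the attempted username so the realm's brute-force detection counts failures.
        context.getAuthenticationSession().setAuthNote(
                AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, user.getUsername());
        if (context.getProtector().isTemporarilyDisabled(session, realm, user)) {
            fail(context, AuthenticationFlowError.USER_TEMPORARILY_DISABLED);
            return;
        }
        if (!session.userCredentialManager().isValid(realm, user, UserCredentialModel.password(password))) {
            fail(context, AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        context.setUser(user);
        context.success();
    }

    private static void fail(AuthenticationFlowContext context, AuthenticationFlowError error) {
        Response challenge = context.form().setError(Messages.INVALID_USER).createForm(FORM_TEMPLATE);
        context.failureChallenge(error, challenge);
    }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

public class BucketUsernamePasswordAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "bucket-username-password-form"; // assumed provider id
    private static final AuthenticationExecutionModel.Requirement[] CHOICES = {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED };
    private static final Authenticator SINGLETON = new BucketUsernamePasswordAuthenticator();

    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Bucket Username Password Form"; }
    @Override public String getHelpText() { return "Validates username and password within a bucket."; }
    @Override public String getReferenceCategory() { return UserCredentialModel.PASSWORD; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return CHOICES; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

To use it, copy the browser flow in the admin console, replace the "Username Password Form" execution with this provider, and bind the copy as the realm's browser flow. Two points matter for security: replacing the built-in form means you lose its brute-force handling unless you set the attempted-username note and check the protector as above, and the error message must be identical for "no such user in this bucket" and "wrong password" so that bucket membership cannot be enumerated.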
CatalinaSamlAuthenticator issue using keycloak saml eap6 adapter
by Qiang He
Hi,
I have a problem using the JBoss EAP 6 SAML Adapter.
I followed the configuration from the document. However, the browser is redirected between the IDP and my SP infinitely. I researched by reading the source code and found that when CatalinaSamlAuthenticator creates the handler, it always creates BrowserHandler. And in BrowserHandler, it always handles by using a null samlRequest and a null samlResponse.
This seems like a bug?
I also found the same question being asked one year ago in the mailing list, but without any reply: http://lists.jboss.org/pipermail/keycloak-user/2017-April/010477.html. In this mail, it was suggested to comment out some code and it would work. Can anyone more knowledgeable confirm this is a bug and that it will be fixed in a future release of the SAML Adapter? I would rather wait for the release of the fix from Keycloak, rather than have to clone the source code and fix/customize it myself, without clearly knowing the impact of changing the code.
Thanks a lot in advance.
QH
6 years, 8 months
intermittent 403 while logging in
by Pulkit Gupta
Hi Team,
I am using Keycloak OIDC JBoss EAP 6 adapter and RH-SSO version is 7.2.
I updated my app's auth method in web.xml and also added keycloak.json.
After creating the client I tried logging in and it worked as expected.
However, while testing more I saw that sometimes I am getting a 403 and the
login fails. This is very random behavior and the app works almost 70% of the
time.
Also I integrated one more app which is using the same Keycloak server as
IDP, but the app has a different sub-domain from the first app.
Sometimes if I log in to one app successfully and then open the other app in
another tab I see this intermittent 403 issue.
Its intermittent nature is making it difficult for me to find out the root
cause. Any suggestions where to look for such an issue?
*ADAPTER LOGS:*
2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] failed to turn code into
token
2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] status from server: 400
2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator]
{"error":"invalid_grant","error_description":"Code not valid"}
--
PULKIT GUPTA
6 years, 8 months
Customize email "from" by FQDN inside the same realm
by Nicolas Gillet
Hello,
We are providing a single web application that is accessed under several domain names.
We want to use KC to do the authentication to this web app.
With the different domain names also come different "brandings" or "themes" for each domain.
As we have a single realm, we managed to do this branding using a dedicated service that maps KC templates' assets (css, img, ...) to the right file, based on the FQDN.
One point remains hard to change: the "from" and "reply to" fields in every mail KC sends (like password recovery).
These fields are statically configured for the whole realm in the Email settings and I don't think there exists any way to make this "dynamic".
So I turn to you folks to grab some hints/ideas about ways I could modify KC in order to replace the email "sender" with another value using the request's domain.
I have never dug into KC code yet so I don't have any clue where to start actually.
Many thanks,
Nicolas GILLET
6 years, 8 months
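One place to start, as an added example rather than code from the thread or from the Keycloak project: Keycloak sends mail through the EmailSenderProvider SPI, and the realm's SMTP settings reach the provider as a map whose "from" and "replyTo" keys can be overridden per request. The class below wraps the default sender and picks the sender address from the host of the request that triggered the email. It targets the Keycloak 4-era SPI; the package, provider id and the host-to-address table are hypothetical and the table is a constructed sample standing in for real configuration.

```java
// Added example, not Keycloak project code. Assumes the Keycloak 4-era email SPI.
// Register via META-INF/services/org.keycloak.email.EmailSenderProviderFactory.
package example.keycloak.email;   // hypothetical package

import java.util.HashMap;
import java.util.Map;

import org.keycloak.Config;
import org.keycloak.email.DefaultEmailSenderProvider;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
import org.keycloak.email.EmailSenderProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

public class HostAwareEmailSenderProviderFactory implements EmailSenderProviderFactory {

    // Constructed sample: allow-list of FQDN -> sender address. Only hosts listed here
    // change the sender; an unexpected Host header falls back to the realm default,
    // so a forged Host cannot pick an arbitrary "from".
    static final Map<String, String> SENDER_BY_HOST = new HashMap<>();
    static {
        SENDER_BY_HOST.put("brand-a.example.test", "no-reply@brand-a.example.test");
        SENDER_BY_HOST.put("brand-b.example.test", "no-reply@brand-b.example.test");
    }

    @Override
    public EmailSenderProvider create(KeycloakSession session) {
        // Host of the request that triggered the email (e.g. the password-reset POST).
        String host = session.getContext().getUri().getBaseUri().getHost();
        return new HostAwareEmailSenderProvider(session, SENDER_BY_HOST.get(host));
    }

    @Override public String getId() { return "host-aware"; } // assumed provider id
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    static class HostAwareEmailSenderProvider implements EmailSenderProvider {
        private final DefaultEmailSenderProvider delegate;
        private final String sender; // null when the host is not in the allow-list

        HostAwareEmailSenderProvider(KeycloakSession session, String sender) {
            this.delegate = new DefaultEmailSenderProvider(session);
            this.sender = sender;
        }

        @Override
        public void send(Map<String, String> config, UserModel user, String subject,
                         String textBody, String htmlBody) throws EmailException {
            // config is the realm's SMTP map; override only "from" and "replyTo" and
            // keep host, port and credentials as configured for the realm.
            Map<String, String> effective = config;
            if (sender != null) {
                effective = new HashMap<>(config);
                effective.put("from", sender);
                effective.put("replyTo", sender);
            }
            delegate.send(effective, user, subject, textBody, htmlBody);
        }

        @Override public void close() { delegate.close(); }
    }
}
```

After packaging it as a provider, point the emailSender SPI at it in the server configuration (for the WildFly-based distribution of that era, a `<spi name="emailSender">` element with `<default-provider>host-aware</default-provider>`, the provider id being the assumed one above). Keep the allow-list approach: the realm's SMTP server must also be willing to send for every address in the table, or the mail will be rejected at the relay.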
Authenticate websocket communication
by Benke, Tim
Hello,
I’m trying out how to secure the websocket communication between a SPA and a Spring Java backend. According to the specification it’s not possible to set the authorization header in the initial HTTP communication. Instead it’s often suggested to perform authentication and authorization in the STOMP communication afterwards.
I looked a bit at Keycloak's Spring Security adapter, but it seems to be very focused on the HttpFacade and I'm wondering if the right way forward is to fake this interface for STOMP or somehow re-implement something that validates the token similarly.
Here’s a link to Spring’s docs that leaves open the part about using the token from STOMP’s headers:
https://github.com/spring-projects/spring-framework/blob/master/src/docs/...
Here’s a stackoverflow question about the problem. I’m not very fond of the alternative to send the token in the request’s URL as a query parameter, but it is indeed working correctly:
https://stackoverflow.com/questions/30887788/json-web-token-jwt-with-spri...
Best regards,
Tim Benke
6 years, 8 months
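The alternative to faking HttpFacade, as an added example that is not code from the thread, from Spring or from the Keycloak project: validate the bearer token carried in the STOMP CONNECT frame's native headers with the adapter's own verifier (AdapterTokenVerifier, from keycloak-adapter-core) inside a Spring ChannelInterceptor, and attach the resulting principal to the session. This follows the "token authentication" pattern from the Spring docs linked above but fills in the verification step. It assumes Spring Boot 2 / Spring 5 with spring-websocket and Spring Security, a keycloak.json for the backend's client on the classpath, and the endpoint path, allowed origin and package name are hypothetical.

```java
// Added example, not Spring or Keycloak project code. Assumes Spring 5 / Spring Boot 2,
// spring-websocket, spring-security-core, keycloak-adapter-core and /keycloak.json on
// the classpath.
package example.ws;   // hypothetical package

import java.io.InputStream;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.MessagingException;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class StompKeycloakConfig implements WebSocketMessageBrokerConfigurer {

    private final KeycloakDeployment deployment;

    public StompKeycloakConfig() {
        InputStream json = getClass().getResourceAsStream("/keycloak.json");
        this.deployment = KeycloakDeploymentBuilder.build(json); // realm, auth server URL, keys
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // Restrict the handshake origin; "/ws" and the origin are assumed values.
        registry.addEndpoint("/ws").setAllowedOrigins("https://spa.example.test");
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic", "/queue");
        registry.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.interceptors(new BearerTokenStompInterceptor(deployment));
    }

    static class BearerTokenStompInterceptor implements ChannelInterceptor {
        private final KeycloakDeployment deployment;

        BearerTokenStompInterceptor(KeycloakDeployment deployment) { this.deployment = deployment; }

        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {
            StompHeaderAccessor accessor =
                    MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
            if (accessor == null || accessor.getCommand() != StompCommand.CONNECT) {
                // Spring binds the user set at CONNECT to the WebSocket session, so
                // SUBSCRIBE/SEND frames already carry it and need no token of their own.
                return message;
            }
            String header = accessor.getFirstNativeHeader("Authorization");
            if (header == null || !header.startsWith("Bearer ")) {
                throw new MessagingException("missing bearer token on STOMP CONNECT");
            }
            AccessToken token;
            try {
                // Verifies signature against the realm keys, issuer, expiry and token type.
                token = AdapterTokenVerifier.verifyToken(header.substring("Bearer ".length()), deployment);
            } catch (VerificationException e) {
                throw new MessagingException("invalid bearer token on STOMP CONNECT", e);
            }
            // Subject as principal name; the 3-arg constructor marks it authenticated.
            accessor.setUser(new UsernamePasswordAuthenticationToken(
                    token.getSubject(), null, authorities(token)));
            return message;
        }

        private static List<GrantedAuthority> authorities(AccessToken token) {
            AccessToken.Access realm = token.getRealmAccess();
            if (realm == null || realm.getRoles() == null) return Collections.emptyList();
            return realm.getRoles().stream()
                    .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                    .collect(Collectors.toList());
        }
    }
}
```

The SPA sends the token as a STOMP header, for example `Authorization: Bearer <token>` in the CONNECT frame from stomp.js, which keeps it out of the URL and out of proxy and server access logs. The HTTP handshake itself must be permitted in the Spring Security configuration, since the token only arrives afterwards; the interceptor then rejects any CONNECT without a valid token by throwing, which makes Spring send a STOMP ERROR frame and close the connection. Note that AdapterTokenVerifier does not check the audience, so if several services accept tokens from this realm, compare the token's azp or aud against the backend's expected client before trusting it.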
Re: [keycloak-user] 403 on /sso/login with Spring Boot and Keycloak Adapter
by Juan David Sánchez Hernández
Hi,
I'm having the same annoying issue but haven't figured out how to fix it. According to what Marc said I thought that if I changed my sslRequired to NONE then KC should be able to construct the redirect URL (also changing that parameter on the realm), but no, same error. KC goes into SSL mode even if I declare the realm as NONE? I'm testing outside, so it is not local. How do I specify an SSL port? I'm completely lost here, can you point me to the specs in the documentation?
Thanks in advance
jds
6 years, 8 months
Securing a MQTT broker
by Rodney Platt
Hi,
I'm new to Keycloak and am looking for some advice. I would like to know
the best way of doing the following:
- Allow users to sign up and get access to some URLs;
- Users then could add devices to their account (devices being small IoT
devices);
- The device then could authenticate and have access to the MQTT broker and
APIs.
Any pointers, examples or tutorials would be great.
Some more info: in my test setup I'm using openresty as my authenticating
reverse proxy, device management is still up in the air but most likely a
custom web portal, and Mosquitto as my MQTT broker. I would think the IoT
device would need to use a JWT for access, but I'm open to ideas.
Thanks for any help
Rodney
6 years, 8 months