Automatic rebuilding of jboss/keycloak on Docker Hub not working
by Matser, Jonas (KNMI)
Hi,
It seems that, unlike the other jboss images on Docker Hub, jboss/keycloak doesn't rebuild when its parent image updates.
For example, 3.4.3.Final is a build from 4 months ago, even though centos:7, jboss/base and jboss/base-jdk have been updated as recently as 25 days ago.
I emailed docker@jboss.org, and Marek Goldmann suggested asking on this mailing list. He supposed it might be a misconfiguration, since images are normally rebuilt on parent update.
Thanks in advance. Kind regards,
Jonas Matser
6 years, 8 months
Keycloak freezes for more than 40 seconds after checking state cookie
by Sachin Rastogi
Hi all,
We are using Keycloak 3.4.3 on Windows 10, with a user created in the
Keycloak database.
But after providing the login credentials, Keycloak freezes for more than
40 seconds at the following points.
2018-05-08 19:11:24.679 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : checking state cookie for after code
2018-05-08 19:11:24.679 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : ** reseting application state cookie
2018-05-08 19:12:10.775 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : Verifying tokens
Keycloak and browser both are local.
Please advise what the potential cause of this freeze could be.
Also, is there any performance optimization guide for Keycloak? Please
guide.
Regards,
SR
6 years, 8 months
KC 3.4.3 Final: Remove group from policy always failed with NPE
by Nhut Thai Le
Hello,
I'm using the admin-client to remove a group from a group policy, but it
always fails with an NPE. Here is my code:
import org.keycloak.admin.client.resource.GroupPolicyResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;

// realm: RealmResource; client: ClientResource of the resource server;
// groupPolicies: List<GroupPolicyRepresentation> fetched earlier
GroupRepresentation group = realm.groups().group(groupUuid).toRepresentation();
String policyUuid = groupPolicies.get(0).getId();
GroupPolicyResource polRes = client.authorization().policies().group().findById(policyUuid);
GroupPolicyRepresentation policy = polRes.toRepresentation();
policy.removeGroup(group.getPath()); // TODO: not sure why it always fails here with NPE
polRes.update(policy);
I'm using the test suite as a guideline:
https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd71...
Hope to get some help here.
Thai
6 years, 8 months
GDPR
by Nicolas Buisson
Hi,
Any information regarding the compliance of Keycloak with GDPR?
Thanks,
Nicolas.
6 years, 8 months
Support for automatic IdP selection
by Marcin Okraszewski
Hi,
I went through the documentation and did a bit of experimenting, but I have trouble
figuring out whether my use case would be doable with Keycloak.
I need to authenticate some users with a password, but some with an external
SAML IdP. The decision whether to use an IdP, and which one, would need to be
based on the domain of the email address (the email is the login). Is it possible
to select the identity provider based on the domain of the user's email address?
When a user logs in with an external SAML IdP, I would like to assign the groups of
the user based on a SAML attribute value. Basically, this comes down to
allowing a user to manage user-group assignment in their system, while
group-role would be within Keycloak. Is this supported by Keycloak?
We also use vanity domains to distinguish tenants (a user might have access
to multiple tenants). We have tens of thousands of tenants. Is it possible
to avoid registration of an SP/client app for every single tenant (vanity
domain)? I'm not bound to any SSO protocol here. OpenID Connect seems
to be the closest, as it allows wildcards in the path part of the client URL, but
unfortunately not in the domain part.
Thank you for your help,
Marcin
6 years, 8 months
run code at login
by Matthew Broadhead
I am using TomEE 7.0.3. I am trying to execute code when the user first
authenticates in order to log the IP address and username. I tried
implementing @WebListener public class SessionListener implements
HttpSessionListener
but the session is created before the redirect to the login system, so
KeycloakPrincipal<KeycloakSecurityContext> is not available at that point.
6 years, 8 months
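One application-side way to do this, as an added example that is not from the thread or the Keycloak project: instead of an HttpSessionListener (which fires when the session is created, before the adapter has redirected to Keycloak and back), a servlet Filter inspects each request and records the username and client IP the first time a session carries an authenticated Keycloak security context. It assumes the Keycloak servlet/TomEE adapter is installed, so that the adapter stores the KeycloakSecurityContext as a request attribute under its class name (documented adapter behaviour); the package name and class name are hypothetical.

```java
// Added example, not the poster's code: audit the first authenticated request of a session.
package example.audit; // hypothetical package name

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebFilter(urlPatterns = "/*")
public class LoginAuditFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(LoginAuditFilter.class.getName());
    // Session attribute used as an "already logged" marker so each login is recorded once.
    private static final String AUDITED = LoginAuditFilter.class.getName() + ".audited";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false);
            // The adapter sets this attribute only once the OIDC redirect has completed,
            // which is exactly the point at which the session listener was too early.
            KeycloakSecurityContext ctx =
                    (KeycloakSecurityContext) http.getAttribute(KeycloakSecurityContext.class.getName());
            if (session != null && ctx != null && session.getAttribute(AUDITED) == null) {
                AccessToken token = ctx.getToken();
                // preferred_username is the human-readable login; the principal name
                // returned by getUserPrincipal() defaults to the token subject (a UUID).
                String username = token.getPreferredUsername();
                String ip = clientIp(http);
                LOG.info("login user=" + username + " subject=" + token.getSubject()
                        + " ip=" + ip + " sessionId=" + session.getId());
                session.setAttribute(AUDITED, Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }

    // Use the first X-Forwarded-For hop only when the app sits behind a reverse proxy
    // you control; the header is client-supplied and otherwise cannot be trusted.
    static String clientIp(HttpServletRequest request) {
        String forwarded = request.getHeader("X-Forwarded-For");
        if (forwarded != null && !forwarded.isEmpty()) {
            return forwarded.split(",")[0].trim();
        }
        return request.getRemoteAddr();
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Because the filter keys off the security context rather than session creation, it also records logins that arrive on an already-existing session (for example after a session was created by an unauthenticated page view), and the session marker keeps a single login from being logged on every subsequent request.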
Principal name is showing different after switching to KC
by valsaraj pv
Hi,
UserPrincipal.getName is showing something like cb3634be-e0e1-479e-aec9-0cb38c8a0468
after switching to Keycloak. The LDAP uid was showing when we were using
LDAP. After syncing users from LDAP to KC, when the application code checks
the user principal name, it shows this.
Any thoughts?
Thanks,
Valsaraj Viswanathan
6 years, 8 months
User Attributes security and organization
by Eric B
I just started working with KeyCloak (3.4.3) and have been looking at the
user attributes and trying to determine how I can leverage some custom
attributes for my different clients. Two things in particular stand out
when I look at the user attributes:
1) there is no mapping/assignment of attributes per client
2) there is no security assignment on the attributes (ex: what can be
self-administered, what is read-only, what is visible to the client, etc)
This becomes an issue when a user logs into the admin panel. Once he is
logged in, he can essentially post a form with any attributes defined and
these will automatically be persisted in the KeyCloak DB. While I'm not
concerned about CSRF, I am concerned about a malicious user trying to
explode my DB by submitting an excessive number of attributes that KC will
persist.
Additionally, if I want to use a user attribute to specify some read-only
information about a user, if the user knows the attribute name, he can
override it via a form post. So essentially, I have no way to secure the
attributes.
In a similar vein, I am a bit taken aback that all attributes are
associated with the user only and cannot be assigned to a client. I would
like to be able to specify some client-specific attributes, and have KC
automatically filter the attributes available to a client token
accordingly. Is this not feasible?
Are either of these functionalities implementable through some form of
customization, or are they on the roadmap for a future version?
Thanks,
Eric
6 years, 8 months
Non-ASCII characters in email
by Mike Wakim
Hello,
Keycloak currently doesn't allow users to have non-ASCII characters in
their emails. Was this decision made to be compliant with a certain
standard? If so, can you please let me know which one?
Is it possible to override this behavior and allow non-ASCII characters
in emails?
Thank you,
Mike
6 years, 8 months
Help problem with Bad request
by valsaraj pv
Hi,
When the user clicks login, they are redirected to the Keycloak login page, and then after a
successful login the user comes back to the application with a 400 error page.
The server log shows the following:
> [Server:node-00] 13:40:00,709 WARN
> [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-30) state
> parameter invalid
My application conf is:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="appWEB.war">
        <realm>demo</realm>
        <resource>app</resource>
        <public-client>true</public-client>
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>EXTERNAL</ssl-required>
    </secure-deployment>
</subsystem>
The application URL is https://localhost:8443/app and the redirect_url is
https://localhost:8443/app/private.jsf.
When I use http, it works. But the error comes when I use the same with https.
Any thoughts?
Thanks,
Valsaraj Viswanathan
6 years, 8 months