KeyCloak integration with external IdP gets an infinite loop.
by Lap Tran
Hi,
I am integrating OpenAM 10.1 with KeyCloak 3.4.3.
I used SAML v2 for this integration.
My application and KeyCloak SAML Adapter are deployed on WildFly 11.
The integration does not work as I expect; please see the steps below:
1) When I access my application for the first time, the KeyCloak SAML Adapter is
triggered and brings me to the OpenAM login page
2) I complete my login from the OpenAM login page
3) The browser brings me back to my application after login; I see the SAML
response sent back to my application (I debugged the KeyCloak 3.4.3 code for this)
4) KeyCloak analyzes that SAML response and then redirects to the first link
(from step 1)
As I expect, after step 4 the browser has to bring me back to the
first link with authenticated status, and then I can access my application from
then on. But it does not work like that.
5) The browser brings me to the OpenAM IdP link again, but the login page is not
displayed
6) The browser brings me back to the application link again ... then I have an
infinite loop of steps 5 - 6 from this point
It seems we have a bug in KeyCloak for SAML integration.
Any idea? Please share a workaround for this bug.
Regards,
Lap Tran
mailto:lapth82@gmail.com
6 years, 8 months
Error with Infinispan
by Adrien Desbiaux
Hello there,
I am not a pro at Java nor at all the JBoss tools :/
But I just followed the tutorial on how to set up Infinispan and KC, and I
end up having this error:
Caused by: java.lang.ClassNotFoundException:
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory from
[Module "org.wildfly.clustering.service" from local module loader @7a0ac6e3
(finder: local module finder @71be98f5 (roots:
/opt/jboss/keycloak-3.4.3.Final/modules,/opt/jboss/keycloak-3.4.3.Final/modules/system/layers/keycloak,/opt/jboss/keycloak-3.4.3.Final/modules/system/layers/base))]
My Infinispan cluster is up, everything looks fine on its side via the
admin console.
I am running KC and Infinispan in Domain mode.
Do you have any thoughts on what could be the reason for the class not to
be found?
Thanks in advance for your direction.
Cheers,
6 years, 8 months
Question regarding User Client Role mapper
by Thomas
Hi all,
I have a question regarding the user client role mapper: how can I map the first role from the list of client roles to a field named "role" in the ID token?
I've got as far as creating a mapper, but it only returns a "[]" string. Obviously I had already mapped the user to some client roles before I tried to get the token.
Thanks,
Thomas
6 years, 8 months
Accounts linking on multiple identity providers returns "Invalid username or password"
by Yuriy Yunikov
In our setup we have 2 identity providers set up (hereafter referred to as
*custom_idp* and *google*); *custom_idp* is the default one and has
the browser authentication "Identity Provider Redirector" set to it.
The goal is the following:
- When the user logs in via *custom_idp*, KeyCloak should authenticate the
user successfully
- When the user logs in via *google*, KeyCloak should link the existing account
created with *custom_idp* and just add another identity provider to the user.
After that the user should be authenticated successfully.
Considering that the user is already created in *custom_idp*, logging in via *google*
using the option *kc_idp_hint=google* gives an error "Invalid username or
password".
Here is the debug log from server:
[org.keycloak.broker.oidc.OIDCIdentityProvider] (default task-7) GOOGLE
userInfoUrl: https://www.googleapis.com/plus/v1/people/me/openIdConnect
2018-05-04 11:23:15,589 DEBUG [org.keycloak.social.user_profile_dump]
(default task-7) User Profile JSON Data for provider google: {...}
...
[org.keycloak.services.resources.IdentityBrokerService] (default task-7)
Federated user not found for provider 'google' and broker username
'yuriy.yunikov@test' . Redirecting to flow for firstBrokerLogin
2018-05-04 11:23:15,593 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-7)
RESET FLOW
...
2018-05-04 11:23:15,804 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-12)
execution is processed
2018-05-04 11:23:15,805 WARN [org.keycloak.services] (default task-12)
KC-SERVICES0013: Failed authentication:
org.keycloak.authentication.AuthenticationFlowException
at
org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:856)
at
org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at
org.keycloak.keycloak-services//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:286)
Here is a line which specifies what is happening:
"Federated user not found for provider 'google' and broker username
'yuriy.yunikov@test' . Redirecting to flow for firstBrokerLogin"
With the configuration added as an attachment I expect KeyCloak to link the
accounts and log in; however, this isn't happening.
I've tried swapping the IdPs and reproducing it the opposite
way, but it's still the same issue, so it doesn't look like an IdP
configuration issue to me.
I've seen this issue happen to other users, but there is no solution to
fix it:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Force-Keycloak-to-...
Please let me know if I'm wrong, but this doesn't look like correct
behavior to me. Any ideas?
6 years, 8 months
User data export
by Blaž Divjak
Hi,
In order to comply with the GDPR regulations in 2018, the user has to have an option
to export his user data.
How did you tackle this in Keycloak?
Is there a way to export all user data in Keycloak?
Keycloak's admin REST API offers the required functionality, but can the same be
achieved with the user's credentials?
Best regards,
Blaz
6 years, 8 months
OpenId logout not working as it should
by Adrian Madaras
Hi Keycloak team,
We have been using Keycloak 3.4.3.Final for a while now with both SAML and OpenID clients. We have encountered a possible bug in your code and we need advice from your side on how to proceed. The problem occurs if we are logged in to multiple SAML and OpenID clients and want to log out from one OpenID client. The following happens:
• Authenticate against a SAML client
• Authenticate against an OpenID client
• The SAML client has "Logout Service POST Binding URL" and "Logout Service Redirect Binding URL" configured with a link. -> This is a business requirement from our customers, as their clients do not send a redirect URL in the SAML Logout Request
• Log out from the OpenID client with the correct redirect URL for that OpenID client -> at this point we are redirected to the SAML client page (one from those previously logged in) and NO logout happens.
Desired solution is to be logged out from all clients and redirected to the link that we specify in the redirect_uri of the auth/realms/<realm>/protocol/openid-connect/logout request.
Thanks,
Adrian
6 years, 8 months
Hardware sizing
by Nicolas Buisson
Hi,
I would like to estimate the hardware requirement for a production cluster.
I'm planning to deploy the cluster over AWS on two Availability zones (DC).
The topology consists of a load balancer, 2 VMs for the Keycloak cluster, 2 VMs
for the Infinispan cluster, and 1 AWS RDS instance running MySQL/PostgreSQL.
In terms of figures, I'm expecting to store 300k active users and a load of
around 2 sign-ins/s at peak.
I did some research but only found the minimal hardware requirements in
the official documentation or unrelated/vague benchmarks.
Regards,
Nicolas.
6 years, 8 months
Confused about backchannel logout with a Java adapter
by Eric B
I was trying to understand the flow of a backchannel logout from my web
application.
I find the documentation confusing. The documentation for logging out (
https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html
) says:
You can log out of a web application in multiple ways. For Java EE servlet
containers, you can call HttpServletRequest.logout(). For other browser
applications, you can redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...,
which logs you out if you have an SSO session with your browser.
The documentation for the Admin URL configuration (
https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration)
says:
For example the way backchannel logout works is:
1. User sends logout request from one application
2. The application sends logout request to Keycloak
3. The Keycloak server invalidates the user session
4. The Keycloak server then sends a backchannel request to each application with
an admin url that is associated with the session
5. When an application receives the logout request it invalidates the
corresponding HTTP session
So from my understanding, either:
1. calling HttpServletRequest.logout() is supposed to magically send a
request to Keycloak (obviously not possible).
2. a GET to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...
should magically detect the clientId and send a request to the appropriate
backchannel (doesn't happen either).
I've tried sending the GET to the logout endpoint with an access_token, but
that doesn't make any difference either.
What am I misunderstanding from this documentation? How am I supposed to
code the logout?
Thanks,
Eric
6 years, 8 months
Re: [keycloak-user] Keycloak DB - field and table description
by Pavlos Kaimakis
Hello Domenico,
Thanks for your prompt answer. I suppose through the link you sent me I can put together a list of tables and columns of the database.
Nonetheless, there’s no description of what each table and its columns actually are and what purpose they serve ( I would expect that to be a comment in the xml, but I’m afraid that isn’t the case).
If I’m not mistaken, you are saying this info is not available, right?
If I am mistaken (I hope I am :) ), where can I find this or at least do you know whom I can contact?
BRs
Pavlos Kaimakis
Systems Engineer
| t: +30.2106930664
| e: pkaimakis(a)omilia.com
| w: www.omilia.com
> On 3 May 2018, at 13:28, Domenico Briganti <briganti.domenico(a)gmail.com> wrote:
>
> Hi Pavlos,
> you can start from https://github.com/keycloak/keycloak/tree/4.0.0.Bet
> a1/model/jpa/src/main/resources/META-INF that contains all LiquiBase
> instructions to create the database (you can also run only Liquibase to
> create just the database).
> I do not think it's present a more detailed documentation.
>
> Regards,
> Domenico
>
> Il giorno mer, 02/05/2018 alle 18.52 +0300, Pavlos Kaimakis ha scritto:
>> Hi there,
>>
>> I've been trying (unfortunately in vain) to find in the documentation
>> some information regarding the database the keycloak tool is using.
>> More specifically, I am interested in finding :
>> a)a list of all the tables it contains along a short description of
>> what their purpose is and
>> b)what fields (columns) these tables have
>>
>> Can anybody help me out with this or at least point me to a document
>> outlining the above?
>>
>> Thanks in advance
>>
>> Pavlos
>> Pavlos Kaimakis
>> Systems Engineer
>> | t: +30.2106930664
>> | e: pkaimakis(a)omilia.com
>> | w: www.omilia.com
6 years, 8 months