Logout via admin API causes offline token to go stale
by Ritesh Garg
Hi,
I have made an interesting observation with Keycloak 3.4.3. The offline token for a user is considered stale if the user sessions are logged out using Admin API. I have not checked if this happens when the user triggers logout *without* admin involvement. One thing to note here is that we have “revoke refresh token” enabled. Offline token validity is in days.
Here are the steps I followed:
1. Generated an access token for a user using API.
2. Generated an offline token for the same user using API with scope as offline_access.
3. Generated an admin access token using the API.
4. Using admin token, triggered a logout on the user id with /users/{userid}/logout API.
5. Checked the web console to verify that the user sessions are gone but consents tab still has offline token.
6. Tried to get an access token using the offline token from step 2 with grant as refresh_token and got a stale token error.
Is this expected?
Thanks,
Ritesh
6 years, 7 months
User impersonation from Javascript adapter
by Gianluca Frediani
Hi all,
I'm trying to use the impersonation feature of Keycloak from a web application using the Javascript adapter.
The idea is that a user (with the impersonation permission) can specify a user id of another user, click a button, and then he navigates the web application as the specified user (this is similar to what happens when you click "Impersonate" on the Admin Console).
I haven't found any example of how to implement this feature, and I haven't found any specific method in the Javascript adapter. The best solution I've found so far is to call the token exchange API, obtain new tokens, and then call the init method of the keycloak instance again. However, this only works when checkLoginIframe is disabled. If the iframe is present the user is logged out and redirected to the login page.
I just want to know if there is a better way to implement this feature, and I think it would be nice to have a working example. Furthermore, it would be nice to have an "impersonate" method directly on the keycloak adapter that performs all the required operations (call the token exchange API, reset all tokens, and so on). For the last point I can contribute if necessary.
Regards,
Gianluca
6 years, 7 months
SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
by Pierre Dupont
Hi everyone,
I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a Service Provider (Ruby Omniauth) to Keycloak.
On Keycloak, I have set the "Client Signature Required" to On.
I have set the Omniauth parameters with the following values:
```ruby
"security" => {
  "authn_requests_signed" => true,
  "embed_sign" => true,
  "digest_method" => "XMLSecurity::Document::SHA1",
  "signature_method" => "XMLSecurity::Document::RSA_SHA1",
}
```
I also have copy-pasted the SAML keys from Keycloak to the SP.
When initiating a SAML request at the SP, I am redirected to an error page with "Invalid requester" on Keycloak.
In the logs, I got the following:
08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default
task-64) request validation failed: org.keycloak.common.VerificationException:
SigAlg was null
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(
SamlProtocolUtils.java:135)
at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.
verifySignature(SamlService.java:518)
at org.keycloak.protocol.saml.SamlService$BindingProtocol.
handleSamlRequest(SamlService.java:233)
...
08:49:19,058 WARN [org.keycloak.events] (default task-64)
type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=10.42.128.4, error=invalid_signature
It seems that Keycloak can't read the Signature Algorithm value. I checked the SAML data, and the SignatureMethod is set:
<ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1" />
I checked my parameters and certificates (tried to use new ones), but I always get this error.
What am I doing wrong? Has anyone managed to sign their AuthnRequests or encountered the same errors? I haven't found anything similar on the internet.
Thanks in advance,
Regards,
Pierre Dupont
6 years, 7 months
Fwd: user session not shared in cluster with keycloak 3.4.3
by Lamine Léo Keita
Hi Team,
I encountered some issues with the Keycloak cluster config.
It's like everything is fine, but user sessions are not shared, and that shows there is an issue.
To verify, I logged in on each Keycloak server on the master realm with one user and looked at the number of sessions on the master realm.
There I see only one session on each server instead of 2 sessions.
When I log in to the Infinispan console I can see that both servers are sharing 2 entries in the session cache.
I have two remote sites: site3 and site5.
On each site I have an Infinispan 9.2.3 running and a Keycloak 3.4.3.
As you can see in the site5 logs, the Infinispan servers see each other.
Please find attached my configuration files and my log files.
Any help would be appreciated.
Thanks
Lemso
6 years, 7 months
Keycloak with apache in front
by Haikal Rios
Version: 3.4.3
Hello everybody,
I am trying to use Keycloak in my application. My structure is Apache in front, one server with my application and another server for Keycloak.
There is SSL in Apache.
When I open my application it calls the login page in Keycloak, but when I enter login/password and click the log in button, my browser is directed to the local address, the same address that is configured in the httpd.conf virtual host section:
ProxyPass "/auth/" "http://localhost:8180/auth/"
ProxyPassReverse "/auth/" "http://localhost:8180/auth/"
Does anyone have an idea about this problem? Maybe it is the Apache configuration, maybe not.
6 years, 7 months
Frontend connecting to middleware protected by keycloak-nodejs-connect (intended usage)
by Rudresh Shashikant
Need to share some context and setup before asking my question, so please
excuse the wall of text. =)
My app:
- `frontend` is a SPA served as a static resource from NGINX (http://frontend)
- `keycloak` server running on http://keycloak
- `middleware` is a NodeJS app that frontend communicates with as API endpoint (eg: http://middleware). Middleware is using keycloak-nodejs-connect (https://github.com/keycloak/keycloak-nodejs-connect) to protect the API endpoint
The setup code in middleware looks like this:
```javascript
const express = require('express')
const session = require('express-session')
// auth/keycloak.js owns the MemoryStore so that express-session and
// keycloak-connect use the same store instance
const { keycloak, memoryStore } = require('./auth/keycloak')
const app = express()
app.use(session({
  secret: 'mySecret',
  resave: false,
  saveUninitialized: true,
  store: memoryStore
}))
app.use(keycloak.middleware({
  logout: '/logout'
}))
```
The setup in auth/keycloak.js is:
```javascript
const Keycloak = require('keycloak-connect')
const session = require('express-session')
const memoryStore = new session.MemoryStore()
const keycloakConfig = {
  'realm': 'realmName',
  'auth-server-url': 'http://keycloak/auth',
  'ssl-required': 'external',
  'resource': 'clientName',
  'credentials': {
    'secret': 'aaaaaaaa-bbbb-cccc-dddd-1a49c9dfbbef'
  }
}
// memoryStore was not in scope in this file before; keycloak-connect keeps the
// grant in the session store it is given, so `store` must be a real store object
const keycloak = new Keycloak({store: memoryStore, responseType: 'code'}, keycloakConfig)
module.exports = { keycloak, memoryStore }
```
When a user clicks the "/login" link from frontend, the frontend spawns a new tab and the new tab calls http://middleware/login. The motivation is for the existing state in the UI not to be touched; all redirects etc. happen in a new window. The code in middleware looks like this:
```javascript
// Decode the id_token payload (base64url) without verifying it; the token was
// already validated by keycloak-connect before this route is reached.
// Buffer replaces atob, which older Node versions do not provide.
const decodeToken = ({id_token}) => {
  const payload = JSON.parse(Buffer.from(id_token.split('.')[1], 'base64').toString('utf8'))
  return payload
}
app.get('/login', keycloak.protect(), (req, res) => {
  const keycloakTokens = JSON.parse(req.session['keycloak-token'])
  // Escape '<' so a claim value such as "</script>" cannot break out of the script block
  const userInfo = JSON.stringify(decodeToken(keycloakTokens)).replace(/</g, '\\u003c')
  res.status(200).send(`<html><head>
<script type="text/javascript">
  // targetOrigin limits delivery of the claims to the frontend origin
  window.opener.postMessage(${userInfo}, 'http://frontend')
  window.close()
</script>
</head></html>`)
})
```
So the idea is that after the OIDC dance, the middleware will respond
asking the new tab to postMessage to the opener (parent) with the contents
of the id_token JWT.
Assumption 1: the session in the cookie connect.sid is what the middleware
uses to ensure the user is still authenticated. Is this assumption accurate?
There is an event listener in frontend that watches for the `postMessage` and saves the information sent (id_token) to localStorage.
Question 1: is this a correct way of doing login given the setup described
above?
I think I'm definitely missing something, because another protected route in middleware causes a redirect to keycloak again, telling me that middleware does not know the frontend is authenticated.
Question 2: how would logout work in this case? Just clear the browser cookies?
I tried the example app (
https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example)
but that has a different architecture, the browser points to the middleware
domain.
Please let me know if you are looking for more code snippets or details. Happy to provide.
Regards,
Rudy.
6 years, 7 months
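An added example of the frontend side of the flow described above (written for this page, not code from the thread or from keycloak-nodejs-connect): the `message` listener that receives the claims from the popup. The origin and client id constants are assumptions matching the names in the post, and the sample events are constructed.

```javascript
// Added example, not code from the thread: the frontend's `message` listener for
// the popup flow above. Everything that arrives via postMessage is untrusted input,
// so the listener checks the sender origin and the claims before keeping them.
const MIDDLEWARE_ORIGIN = 'http://middleware'; // origin of the tab that calls postMessage
const CLIENT_ID = 'clientName';                // the 'resource' from the middleware config

// `aud` in an id_token may be a single string or an array of strings.
function audienceMatches(aud, clientId) {
  return Array.isArray(aud) ? aud.includes(clientId) : aud === clientId;
}

// Returns { claims, reason }: the claims to store on success, otherwise
// claims === null and a reason suitable for a client-side security log.
function handleLoginMessage(event, nowSeconds = Math.floor(Date.now() / 1000)) {
  const reject = (reason) => ({ claims: null, reason });
  if (event.origin !== MIDDLEWARE_ORIGIN) return reject('untrusted origin ' + event.origin);
  const claims = event.data;
  if (!claims || typeof claims !== 'object' || Array.isArray(claims)) return reject('not a claims object');
  if (typeof claims.sub !== 'string' || claims.sub === '') return reject('missing sub');
  if (!audienceMatches(claims.aud, CLIENT_ID)) return reject('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return reject('expired');
  return { claims, reason: null };
}

// Constructed sample events; in the browser this is wired as
// window.addEventListener('message', (e) => { const r = handleLoginMessage(e); ... }).
function demo() {
  const claims = { sub: 'user-1', aud: 'clientName', exp: 2000000000, preferred_username: 'rudy' };
  return [
    handleLoginMessage({ origin: 'http://middleware', data: claims }, 1000).reason,                // null
    handleLoginMessage({ origin: 'http://evil.example', data: claims }, 1000).reason,              // untrusted origin
    handleLoginMessage({ origin: 'http://middleware', data: { ...claims, exp: 5 } }, 1000).reason, // expired
  ];
}
```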
Re: [keycloak-user] Keycloak user session time out
by Luis Rodríguez Fernández
Hello Ashutosh,
I must admit that I do not know if it is possible. Maybe you can find something useful in the Keycloak REST API:
https://www.keycloak.org/docs-api/4.0/rest-api/index.html
Anyway, you will also need to keep in mind your application session, unless it never expires :)
Cheers,
Luis
2018-05-30 8:55 GMT+02:00 Ashutosh Kanthi <ashutosh.kanthi(a)exfo.com>:
> Hi Luis,
>
> Just to clarify more on my requirement.
>
> I want to show an info, before the session runs in a timeout, so that the
> user can react and not be logged out. For this I need to read the session
> timeout that is configured in the keycloak. Is there a possibility to get
> the timeout value through Keycloak API?
>
> Thanks & regards,
> Ashutosh Kanthi
>
> -----Original Message-----
> From: Ashutosh Kanthi
> Sent: Wednesday, May 30, 2018 11:18 AM
> To: 'Luis Rodríguez Fernández'
> Subject: RE: [keycloak-user] Keycloak user session time out
>
> Hi Luis,
>
> Thanks for your response.
>
> As per my scenario, I am more concerned about the keycloak session. I am trying
> to find out whether there is any way to have a push mechanism in Keycloak so
> that keycloak would tell the client (idle user) that the session timeout is
> near.
>
> Thanks & regards,
> Ashutosh Kanthi
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@
> lists.jboss.org] On Behalf Of Luis Rodríguez Fernández
> Sent: Thursday, May 24, 2018 12:39 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak user session time out
>
> Hello Ashutosh,
>
> Perhaps it would be useful if you could describe your scenario a bit more.
> E.g., I am using the SAML2 java keycloak adapter [1]. In this scenario I
> have two sessions, the Service Provider one and the Identity Provider one. The
> Service Provider is an application deployed in apache-tomcat. If you have
> something like this you could think of using [2] and/or [3]. These listeners
> can notify you when sessions have been activated/deactivated or attributes
> changed.
>
> Hope it helps,
>
> Luis
>
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
> [2]
> https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/
> HttpSessionAttributeListener.html
> [3]
> https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/
> HttpSessionActivationListener.html
>
> 2018-05-23 14:11 GMT+02:00 Ariel Carrera <carreraariel(a)gmail.com>:
> >
> > Maybe you can do it by modifying keycloak's adapter or by using SSE,
> > browser notifications or phone notifications (android, iOS...)
> >
> > El El mié, 23 may. 2018 a las 08:40, Ashutosh Kanthi <
> > ashutosh.kanthi(a)exfo.com> escribió:
> >
> > > Hi,
> > >
> > > We want to implement one functionality with regard to session
> > > timeout in keycloak, i.e. if the session timeout is reaching near, then
> > > the user should be notified of the same.
> > > Does anyone know whether it is possible to do this in Keycloak? And
> > > if it is possible, then how to do this?
> > >
> > > Thanks & regards,
> > >
> > > Ashutosh Kanthi
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > --
> > Ariel Carrera
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 7 months
FreeIPA --> Keycloak --> simplesamlphp --> edugain
by Yossi Baruch
Hi,
I'm using Keycloak to connect to FreeIPA and create a user federation, I'm mapping several attributes from FreeIPA, among them is eduPersonTargetedID (EPTID). This EPTID is used to connect to a saml client and then as one of the attributes used in the edugain inter-federation.
The issue is that EPTID should be an array and not a single value, I get errors from the inter-federation that this EPTID is not structured right, I think that usually this EPTID is generated whenever the saml client connects but I have no idea how to do so.
Does anyone have an opinion about this? Has anyone mitigated this in the past?
Sincerely Yours,
Yossi Baruch, IT specialist
office: +972-3-646-0569
fax: +972-3-646-0557
E-Mail: yossi.baruch(a)iucc.ac.il
Website: www.iucc.ac.il
"May The Force Be With You." — Master Yoda
"I'm trying to free your mind... But I can only show you the door. You're the one that has to walk through it." — Morpheus
"We are continually faced with a series of great opportunities brilliantly disguised as insoluble problems." - John W. Gardner
"Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light." - Dylan Thomas
6 years, 7 months