S3_ping authentication problem
by For Ever
Hello Everyone:
I'm trying to set up clustering with S3_ping. I'm getting
the below error message when starting up Keycloak in standalone clustered
mode.
NOTE:
I did a test as the user on my Linux node using awscli. The
username on the Linux box is the same as the IAM user in AWS. I gave
list, read and write permission (Policy) for the user in IAM.
20:37:04,480 ERROR [org.jboss.as.controller.management-operation]
(Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "jgroups"),
("channel" => "ee")
]) - failure description: {"WFLYCTL0080: Failed services" => {"
org.wildfly.clustering.jgroups.channel.ee" => "java.io.IOException: bucket
's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403 (Forbidden).
Maybe the bucket is owned by somebody else or the authentication failed
Caused by: java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev'
could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by
somebody else or the authentication failed"}}
### standalone-ha.xml snippet.
<stack name="tcp">
    <transport type="TCP" socket-binding="jgroups-tcp"/>
    <socket-protocol type="MPING" socket-binding="jgroups-mping"/>
    <protocol type="MERGE3"/>
    <protocol type="S3_PING">
        <property name="access_key">
            blahblah
        </property>
        <property name="secret_access_key">
            blahblah
        </property>
        <property name="location">
            s3-ping-somebucket
        </property>
    </protocol>
6 years, 7 months
Re: [keycloak-user] How to force a re-authentication using the Keycloak Filter Adapter
by Eric B
Thanks Luis, but I think that is specific to SAML and not OIDC.
Additionally, I'm not looking to force authentication at every request;
just in specific circumstances when I want an additional layer of
validation.
Thanks,
Eric
On Fri, May 25, 2018 at 3:15 AM, Luis Rodríguez Fernández <uo67113(a)gmail.com
> wrote:
> Hello Eric,
>
> I still have to try it myself, but perhaps "forceAuthentication=true" in
> your keycloak.xml configuration adaptor could help on this[1]
>
> Hope it helps,
>
> Luis
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/
> index.html#_saml-general-config
>
> 2018-05-25 4:02 GMT+02:00 Eric B <ebenzacar(a)gmail.com>:
>
>> I'm securing a webapp in Wildfly using the Keycloak Servlet Filter
>> Adapter (
>> https://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/
>> java/servlet-filter-adapter.html)
>> rather than the Wildfly container adapter.
>>
>> Overall the filter is great and works very well. However, I've been
>> trying
>> to figure out how I can leverage it to force a reauthentication by my
>> application. As per the OIDC specs, I know I can pass 'prompt=login' to a
>> call to Keycloak to force the user to reauthenticate himself, but not sure
>> how to leverage the adapter to do this for me.
>>
>> I've noticed some special PreAuthentication hooks in the adapter to handle
>> callbacks from Keycloak and tried to see if there was anything there, but
>> they do not seem to handle this type of case.
>>
>> Are there any special URL parameters I can use that would be recognized
>> and
>> intercepted by the filter and force a user to reauthenticate themselves?
>>
>> Thanks,
>>
>> Eric
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>
6 years, 7 months
Best Practice m2m
by Uli SE
Hi,
we are developing a quite big angular + jboss-rest application with
Keycloak OIDC as auth layer. We are passing a bunch of user (login)
specific information in a bearer token from angular to the rest-services
when calling them.
Now we have the situation that some (automated/cyclic) services have to
call some other services on behalf of a user without the user having
logged in before - but with some login information.
How do you solve such situations? Should we use persistent tokens or is
some kind of impersonation a better solution?
Many thanks for the discussion,
Uli
6 years, 7 months
SessionNotOnOrAfter attribute
by lists
Hi,
We are using keycloak as our IdP, and I am requested to add the
SessionNotOnOrAfter attribute to our SAML2 access token.
I can't find it in keycloak. Is it supported?
Thanks,
MJ
6 years, 7 months
Exception in keycloak
by Pulkit Srivastava
Hi,
I am getting the below exception while getting redirected from keycloak to my
application.
Any idea how to resolve this?
org.opensaml.ws.security.SecurityPolicyException: Validation of protocol
message signature failed
Incoming SAML message is invalid.
Thanks,
Pulkit
6 years, 7 months
How to force a re-authentication using the Keycloak Filter Adapter
by Eric B
I'm securing a webapp in Wildfly using the Keycloak Servlet Filter Adapter (
https://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/java/servlet-...)
rather than the Wildfly container adapter.
Overall the filter is great and works very well. However, I've been trying
to figure out how I can leverage it to force a reauthentication by my
application. As per the OIDC specs, I know I can pass 'prompt=login' to a
call to Keycloak to force the user to reauthenticate himself, but not sure
how to leverage the adapter to do this for me.
I've noticed some special PreAuthentication hooks in the adapter to handle
callbacks from Keycloak and tried to see if there was anything there, but
they do not seem to handle this type of case.
Are there any special URL parameters I can use that would be recognized and
intercepted by the filter and force a user to reauthenticate themselves?
Thanks,
Eric
6 years, 7 months
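The prompt=login approach Eric mentions, worked through as an added example (not code from the Keycloak adapter or from this thread): the relying party builds the authorization request with prompt=login, stores fresh state and nonce with the request time, and on the callback accepts the (already signature-verified) ID token only when its auth_time proves a login newer than the request. The endpoint, client id and redirect URI are assumed placeholder values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values (assumptions, not taken from the thread).
AUTH_ENDPOINT = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "my-webapp"
REDIRECT_URI = "https://app.example.com/callback"


def build_reauth_request(now):
    """Return (authorization URL, pending-request record) that forces a fresh login.

    prompt=login tells the OP to re-authenticate even if an SSO session exists.
    state and nonce are fresh per request and kept with the request time so the
    callback can be checked against them.
    """
    pending = {
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "requested_at": now,
    }
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "prompt": "login",
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", pending


def query_params(url):
    """Parse the query string of an authorization URL into {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_fresh_login(claims, pending, callback_state, skew=30):
    """Accept the callback only if the (signature-verified) ID token proves a
    re-authentication: state and nonce match what we stored, and auth_time
    (when the user really authenticated) is not earlier than our request.
    """
    if callback_state != pending["state"] or claims.get("nonce") != pending["nonce"]:
        return False
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        return False  # without auth_time freshness cannot be proven: reject
    return auth_time + skew >= pending["requested_at"]
```

Without the auth_time check, prompt=login only asks the OP to re-authenticate; the check is what lets the application refuse a reused session at its sensitive step.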
KeyCloak and Azure Active Directory / response_type
by Robin Diederen
Hello all,
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / OAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I'm presented with an error.
Upon further investigation I've noticed that KeyCloak reports this error in its logs: "Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.". This seems to be related to the response_type attribute, which is to be set by KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being "response_type=token_id". KeyCloak however does include "response_type=code", yet Microsoft doesn't seem to like this.
So here's my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I've tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.
Any help is greatly appreciated.
Best, Robin
6 years, 7 months
(no subject)
by kalyani bharatha
kalyanibharatha(a)gmail.com
6 years, 7 months