User Attributes not added in token
by Sandeep Rai
Hi Community,
I'm new to Keycloak and trying to federate login via an external database.
While federating username and password validation through JPA, I'm trying to
add a user attribute to the token.
To achieve that, all I'm doing is adding the attribute in the getAttributes
method, expecting it to then be added to the token. But after successful
validation the token I get does not have the 'phone' attribute.
Is there something I'm missing?
Do I have to add this attribute any other way?
File:
    import java.util.List;
    import java.util.Map;
    import org.keycloak.common.util.MultivaluedHashMap;
    import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

    public class UserAdapter extends AbstractUserAdapterFederatedStorage {
        // The constructor and the JPA entity field (userEntity) are not shown in the post.
        @Override
        public Map<String, List<String>> getAttributes() {
            // Start from the attributes Keycloak keeps in federated storage, then add the external phone number
            Map<String, List<String>> attrs = super.getAttributes();
            MultivaluedHashMap<String, String> all = new MultivaluedHashMap<>();
            all.putAll(attrs);
            all.add("phone", userEntity.getMOBILE_NO());
            return all;
        }
    }
Kind Regards
6 years, 7 months
Slow API Search for User Due to Wildcard
by Josh Harness
Hi -
We're using this API to search for users by email:
https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_users_resource
It looks like it does the following in a SQL database:
* Issues a "lower" function call on the search criteria
* Bookends the query criteria with wildcards, e.g. '%'
The lower function breaks the index. Our DBAs worked around this
with a function-based index in Oracle. However, the second wildcard is
causing the entire table to be read (1,000,000 records) and is impacting
performance.
Does anybody have any ideas about how to load users without the
wildcard when you only know the username or email address? We know the
exact username or email. Our use case doesn't require the wildcard search.
Thanks!
Josh
6 years, 7 months
Fetch QR Code - TOTP REST API
by Ankur Singhal
Hi All,
I have my own login page and wish to integrate it with Keycloak OTP
functionality.
Looking for a REST API for the flows below.
1.) User enters username/password and logs in.
2.) If the *CONFIGURE_OTP* action is configured, the REST API returns a QR
code (image/secret).
3.) User scans and submits the OTP.
4.) Subsequent logins just return a prompt to enter the OTP if no action is configured.
Thanks
Ankur
6 years, 7 months
Warning in Keycloak when using Tomcat Keycloak SAML adapter
by Leonid Rozenblyum
Every time I'm accessing a protected resource from Tomcat with the SAML adapter
I see a warning in Keycloak:
WARN [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-8) Provider not found or not enabled for realm
However, the authentication goes on.
Am I missing something? E.g. something not configured properly in the Keycloak
client or in the web app's keycloak-saml.xml?
Thanks for advice in advance.
6 years, 7 months
Best Practices for running Keycloak and Kubernetes
by Daniel Lohin
I am very new to Keycloak/OAuth concepts and trying to wrap my head around all of this. I am working with a number of web applications that I want to have a single sign-on provider for that is locally hosted. Keycloak seems perfect and I have gotten it working, but I am mostly trying to understand what is the best way to do things inside of Kubernetes in relation to the Keycloak proxy.
Originally, my thought was to use the concept of sidecar containers and place Keycloak-proxy in the same pod as the web application. Essentially this meant that traffic went like this:
Ingress -> Web Service IP -> Keycloak Proxy -> Web service listening on localhost inside of the pod.
This means that Keycloak Proxy and Web service are in the same Pod.
I liked this set up for a few reasons:
- My unprotected web service is now only listening on Localhost which means other pods in the cluster can’t directly hit it
- Keycloak Proxy now scales with the web service
This works when I have one Pod in my cluster, but when I scale the pods to two or more, it seems like it only works when I get randomly load balanced to the original Pod. This of course doesn’t work, though I could possibly mess with some of the session stickiness options in the Ingress controller to make this work.
My next option:
Ingress -> Keycloak Service IP -> Keycloak Proxy -> Web Service IP -> Web service listening on the same pod
This works, but my issue here is that Keycloak Proxy now becomes a failure point and doesn’t scale with the pods. It also creates more network hops inside of the cluster.
What are the best practices for using Keycloak Proxy inside of Kubernetes?
6 years, 7 months
understanding cache and user storage SPI
by Corbetta, Francesco
Hi all
I implemented a User Storage SPI in order to authenticate users against my company's user relational DB.
Lately I had to add some custom attributes, and therefore I overrode the getAttributes method of the UserAdapter to make it load the correct entities.
The problem I had is that it did not work until I changed the cache policy of the storage provider to NO_CACHE.
Before that, the attributes were not loaded and no SQL statements were sent to the DB.
Please note that I also restarted the application server with no success and cleared all the caches for the realm from the admin interface.
Is this the expected behaviour? How does the user cache work for an external user provider? How is it possible that even a restart of Keycloak did not erase the cache?
Best regards
Francesco
6 years, 7 months
SSO for multiple applications – Session Timeout sync
by abhishek raghav
Hi
I have configured two apps in a single realm; one is protected by mod-auth-openidc
and the other is a SAML-type client.
SSO and SLO work as expected and there is no problem with that.
I have a small doubt regarding a scenario, if anyone could clarify:
- SSO session max is set to 8 hours. Suppose a user is logged in for 8 hours.
After 8 hours the KEYCLOAK_SESSION will be timed out. Is it possible that the
local SAML app cookie can also be invalidated after 8 hours, or can
Keycloak invalidate the local SAML cookie/session like it happens on
SLO (single logout)?
- Right now, what happens if a user leaves his/her laptop overnight and
opens it the next day: the Keycloak cookie is invalidated due to the max session age, but the
old app cookie still remains in the browser. Is there a way to force
authentication even if a local SAML cookie is already present in the browser?
- In other words, if the SSO cookie is timed out due to SSO max, is
there a way that the local app cookies attached to that SSO session for a user
can also be invalidated?
I need to keep these sessions in sync in terms of session timeouts. Based
on my understanding, no IdP really supports this kind of behavior, as the IdP is
not aware of all these 'local sessions'.
I was wondering if someone could suggest any solution for this. Alternatively,
are there any best practices/recommendations available?
*- Best Regards*
Abhishek Raghav
6 years, 7 months
Recommended practice for utf-8 messages resources
by Federico Navarro Polo - Info.nl
Hello,
I noticed there was an upgrade of the FreeMarker templates and a few text resources changed to start using the function "?no_esc".
However, there are still text resources in the message properties files that would need escaping.
Eg:
In keycloak/themes/src/main/resources-community/theme/base/login/messages/messages_nl.properties
linkIdpMessage=U moet uw e-mailadres verifiëren om uw account te koppelen aan {0}.
This text resource is passed to the template as a message, which is used in template.ftl:
    <#if displayMessage && message?has_content>
        <div class="${properties.kcFeedbackAreaClass!}">
            <div class="alert alert-${message.type}">
                <#if message.type = 'success'><span class="${properties.kcFeedbackSuccessIcon!}"></span></#if>
                <#if message.type = 'warning'><span class="${properties.kcFeedbackWarningIcon!}"></span></#if>
                <#if message.type = 'error'><span class="${properties.kcFeedbackErrorIcon!}"></span></#if>
                <#if message.type = 'info'><span class="${properties.kcFeedbackInfoIcon!}"></span></#if>
                <span class="kc-feedback-text">${message.summary?no_esc}</span>
            </div>
        </div>
    </#if>
The result is that the character ë is not escaped, but displayed as below:
U moet uw e-mailadres verifiëren om uw account te koppelen aan Facebook.
I understand there might be reasons to use ?no_esc on the message summary, so my question would be: what's the recommended approach for those resource files? Should everything be HTML?
Kind regards,
Federico Navarro
backend developer
6 years, 7 months
Set client roles to registered users automatically once synced from source LDAP/DB
by valsaraj pv
Hi,
Here is the scenario:
A Java web application client registers users to a local LDAP/DB and sets roles.
These users are periodically synced to Keycloak. Roles are also synced once,
as they do not change often.
So when a user is registered in the local LDAP via the application, they are also
reflected in Keycloak, but they can't access the web application after login via
Keycloak.
The new users can access it only after setting client roles manually.
What is the best option to automate this? Is there any API to set client
roles?
If available, we can't write code to set the role in the registration method, since
the users will be synced to Keycloak only on the next sync. Then the option is a
delayed call which first ensures that the user reached the Keycloak DB and then
sets the role.
Please share your thoughts!
Thanks!
6 years, 7 months
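The delayed call described above, written against the Keycloak Admin REST API as an added example (not code from the poster or the Keycloak project). It assumes a placeholder server URL and realm, a bearer token for a service account with manage-users and view-clients on that realm, and an injectable `call(method, path, body)` transport so the polling logic can be exercised without a server; the user lookup filters for an exact username because the `username` query parameter is a substring search.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders, not values from the post
KEYCLOAK_URL = "https://keycloak.example.invalid"
REALM = "myrealm"


def http_json(token, method, url, body=None):
    """Real transport: one JSON call to the Admin REST API with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def make_caller(token, base_url=KEYCLOAK_URL, realm=REALM, transport=http_json):
    """Bind the transport to the realm's admin base path: call(method, path, body)."""
    base = f"{base_url}/admin/realms/{realm}"
    return lambda method, path, body=None: transport(token, method, base + path, body)


def wait_for_user(call, username, attempts=10, delay=1.0):
    """Poll until the periodic LDAP/DB sync has made the user visible; None if it never did."""
    for _ in range(attempts):
        # the username filter is a substring match, so keep only the exact hit
        hits = call("GET", f"/users?username={urllib.parse.quote(username)}") or []
        exact = [u for u in hits if u.get("username", "").lower() == username.lower()]
        if exact:
            return exact[0]
        time.sleep(delay)
    return None


def assign_client_role(call, username, client_id, role_name, attempts=10, delay=1.0):
    """Map one client role to a synced user; True once the mapping was posted.
    Mappings are additive, so assign only the role the application needs."""
    user = wait_for_user(call, username, attempts, delay)
    if user is None:
        return False
    clients = call("GET", f"/clients?clientId={urllib.parse.quote(client_id)}") or []
    if not clients:
        raise LookupError(f"client {client_id!r} not found in realm")
    client_uuid = clients[0]["id"]
    role = call("GET", f"/clients/{client_uuid}/roles/{urllib.parse.quote(role_name)}")
    call("POST", f"/users/{user['id']}/role-mappings/clients/{client_uuid}",
         [{"id": role["id"], "name": role["name"]}])
    return True
```

Run it from the registration path as `assign_client_role(make_caller(token), username, "webapp", "user")`; the attempts/delay values should cover the sync interval so the call gives up cleanly instead of mapping a role to a user that never arrived.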
ldap group-ldap-mapper needs up to 60 seconds to add a user to a group
by Michael Meier
We are using Keycloak 3.4.3-final with an LDAP user federation. Users
and groups are created in Keycloak, and from there automatically written
to an OpenLDAP server, since some applications can only access them over
LDAP. So the "edit mode" is writable and "sync registrations" is activated.
The group mapper is configured as ldap_only.
Creating a new user is lightning fast. But if I add the user to a group
that already has around 1000 members, it takes around 60
seconds to add it, or also to remove it. It was faster when the group had
fewer members, but we can watch how the time grows the more members the
group has. But it was already slow when there were only around 100
users; then it took around 10 seconds to add the user to the group.
When we add the users to the groups directly in LDAP it works in
milliseconds. So the problem seems to be a Keycloak one.
In total there are maybe 2000 users and 15 different groups.
Keycloak is running in a docker container.
Has anybody experienced similar problems? Or has any ideas what we could change?
We already tried changing the "User Groups Retrieve Strategy", disabling
the LDAP cache, and disabling connection pooling and pagination. But nothing
seems to work.
thanks in advance
michael
6 years, 7 months