Kerberos authentication in Windows
by Otaño Pavo, Cesar
Hi,
I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-...
In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required (settings: http://i.imgur.com/hgAnHJJ.png).
But after that, when I go to my web page, I get the message "Kerberos is not set up. You cannot login."
After enabling -Dsun.security.krb5.debug=true and -Dsun.security.spenego.degug=true and changing Kerberos authentication from required back to alternative, the server log is the following:
13:17:06,116 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-17) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {serverPrincipal=[HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL], pagination=[true], fullSyncPeriod=[-1], connectionPooling=[true], usersDn=[dc=sanbox,dc=local], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[true], importEnabled=[true], enabled=[true], bindDn=[CN=keycloak,CN=Users,DC=sanbox,DC=local], usernameLDAPAttribute=[cn], changedSyncPeriod=[-1], lastSync=[1530011208], vendor=[ad], uuidLDAPAttribute=[objectGUID], allowKerberosAuthentication=[true], connectionUrl=[ldap://sb-ad.sanbox.local:389], syncRegistrations=[false], authType=[simple], debug=[true], searchScope=[2], useTruststoreSpi=[ldapsOnly], keyTab=[C:\\keycloak.keytab], kerberosRealm=[SANBOX.LOCAL], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
13:17:06,135 INFO [stdout] (default task-17) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\\keycloak.keytab refreshKrb5Config is false principal is HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
13:17:06,138 INFO [stdout] (default task-17) principal is HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,139 INFO [stdout] (default task-17) Will use keytab
13:17:06,140 ERROR [stderr] (default task-17) [LoginContext]: login success
13:17:06,142 INFO [stdout] (default task-17) Commit Succeeded
13:17:06,142 INFO [stdout] (default task-17)
13:17:06,143 ERROR [stderr] (default task-17) [LoginContext]: commit success
13:17:06,150 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,151 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,153 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,154 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,157 INFO [stdout] (default task-17) Entered SpNegoContext.acceptSecContext with state=STATE_NEW
13:17:06,158 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: receiving token = a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 47 49 53 41 4e 42 4f 58
13:17:06,160 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
13:17:06,162 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
13:17:06,165 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mech Token
13:17:06,165 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
13:17:06,166 INFO [stdout] (default task-17) SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
13:17:06,166 INFO [stdout] (default task-17) The underlying mechanism context has not been initialized
13:17:06,168 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.113554.1.2.2
13:17:06,170 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE
13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: sending token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02
13:17:06,173 INFO [stdout] (default task-17) [Krb5LoginModule]: Entering logout
13:17:06,174 INFO [stdout] (default task-17) [Krb5LoginModule]: logged out Subject
13:17:06,175 ERROR [stderr] (default task-17) [LoginContext]: logout success
Additional information:
+Keycloak is installed on Windows Server 2012.
+Command used to create the keytab file:
ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
+Configuration in KRB5.ini, located in c:\windows:
[domain_realm]
.sanbox.local = SANBOX.LOCAL
sanbox.local = SANBOX.LOCAL
[libdefaults]
default_realm = SANBOX.LOCAL
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
SANBOX.LOCAL = {
kdc = sb-ad.sanbox.local
admin_server = sb-ad.sanbox.local
default_domain = SANBOX.LOCAL
}
+Kerberos Integration:
Allow Kerberos authentication: YES
Kerberos Realm SANBOX.LOCAL
Server Principal HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
KeyTab C:/keycloak.keytab
Debug YES
Use Kerberos For Password Authentication YES
Regards
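Added example, not part of the original mail: a small DER walker that decodes the SPNEGO NegTokenInit bytes Java printed after "receiving token" in the log above. Running it shows the four mechanism OIDs the log lists by name and that the optimistic mechToken the browser sent is an NTLMSSP Type 1 (NEGOTIATE) message rather than a Kerberos GSS token, which is the detail a practitioner would want when the server goes on to pick KRB5 and answer ACCEPT_INCOMPLETE; the lookup table and the `bytes.fromhex` copy of the log line are mine.

```python
# Added example (not from the original mail): decode the NegTokenInit bytes logged above.
NEG_TOKEN_INIT_HEX = (  # copied from the log; bytes.fromhex() ignores the spaces
    "a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 "
    "f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 "
    "02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 "
    "2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 47 49 53 "
    "41 4e 42 4f 58")
MECH_NAMES = {"1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.2.840.113554.1.2.2": "KRB5", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string (base-128 sub-identifiers)."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def parse_neg_token_init(token):
    """Return (offered mechanism names, mechToken bytes) from a NegTokenInit."""
    tag, body, _ = read_tlv(token)
    assert tag == 0xA0, "not a NegTokenInit ([0] tag expected)"
    _, seq, _ = read_tlv(body)           # NegTokenInit ::= SEQUENCE { ... }
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                  # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(val)
            p = 0
            while p < len(oids):
                _, oid, p = read_tlv(oids, p)
                mechs.append(MECH_NAMES.get(decode_oid(oid), decode_oid(oid)))
        elif tag == 0xA2:                # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(val)
    return mechs, mech_token

def classify_mech_token(mech_token):
    """Name what the optimistic mechToken carries: an NTLM message or a Kerberos token."""
    if mech_token.startswith(b"NTLMSSP\x00"):  # NTLM signature; message type follows
        return "NTLMSSP type %d" % int.from_bytes(mech_token[8:12], "little")
    if mech_token[:1] == b"\x60":        # GSS-API InitialContextToken (Kerberos AP-REQ)
        return "Kerberos"
    return "unknown"
```

With the log bytes, `parse_neg_token_init` yields `['NTLMSSP', 'MS KRB5', 'KRB5', 'NEGOEX']` and the mechToken classifies as `NTLMSSP type 1`; a client that had obtained a Kerberos ticket for the service principal would have sent a token starting with 0x60 instead.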
Re: [keycloak-user] brokered-login only
by Marek Posolda
Yes, sure.
If you just need to override themes, you may not need to override the
authentication flow. But if you need to override the UsernamePassword
Authenticator and change the implementation so that it doesn't allow
login with username/password at all, then you will need to add this
authenticator implementation to a new browser authentication flow. Maybe
instead of overriding the UsernamePassword authenticator, it's easier to
create a new authenticator implementation which will just show the
Freemarker form with links to brokers (no username/password). In that
case you will also need to create a new authentication flow and add that
new authenticator implementation to it.
Marek
On 25/06/18 08:57, Corbetta, Francesco wrote:
> Hello
>
> What about changing the browser authentication flow?
>
> Best
>
> Francesco
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda
> Sent: 25 June 2018 08:49
> To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> It's possible to remove the username/password fields from the login screen by creating a custom theme and overriding the Freemarker template for the login screen.
>
> You may need to remove the "password" tab from account management as well, so that users are not able to set their password there. This can also be achieved through the theme.
>
> The thing is that after changing themes, users will still be able to login with their username/passwords if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password"
> tab is not in the UI). So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if a user is trying to "simulate" the request like this.
>
> Marek
>
>
> On 24/06/18 14:30, mj wrote:
>> Hi,
>>
>> Is there a way to create a realm in keycloak with a few brokered IdP's,
>> *without* the local username/password fields on the login screen, but
>> *only* a list of external IdP's to choose from?
>>
>> Thanks!
>>
>> MJ
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
Why does error page always use base theme?
by Neujahr, Jana
Dear Keycloak users,
My task is to style a custom Keycloak theme, but I found some strange behavior for which I cannot find a solution. I'm using Keycloak 4 beta. For the error pages ("We're sorry...", "Page not found"...) Keycloak always uses the base/keycloak theme, not my custom one...
These are the steps I tried:
· In the Admin Console, I added the custom theme to all possible areas (Login, Account...)
· added error.ftl, info.ftl and others to the custom theme in the folder "login"
· ensured that "template.ftl" from the same folder is used in all these FTLs: <#import "template.ftl" as layout>
· created my own login.css with specific overriding styles (which is already used successfully in the login pages)
· added login.css to theme.properties: styles=node_modules/patternfly/dist/css/patternfly.css node_modules/patternfly/dist/css/patternfly-additions.css lib/zocial/zocial.css css/login.css
But on the error page the base/keycloak CSS is always used. I verified that by altering the base CSS, and then the change showed up on the error page.
What do I need to do to make Keycloak use my custom theme for errors?
I'd appreciate any help!
Kindly yours
Jana
keycloak | Wildfly
by vandana thota
Hello,
Does anyone know the process below?
If yes, can you tell us how to set up the broker in Keycloak for
Keycloak 4.0.0.0 Final?
1. Set up a client for your application in Keycloak
2. Set up a broker in Keycloak that points to Okta and sets that as the
automatic delegate. This means no keycloak login screen would be shown and
it would delegate directly to Okta for authentication.
3. Log into Okta
4. Get to Okta app screen.
5. Click on app link
6. App redirects to Keycloak for authentication
7. Keycloak redirects automatically to Okta
8. Okta sees you are already logged in
9. Redirects back to Keycloak
10. Creates SAML assertion or OIDC token for client
Thanks,
Vandana
Keycloak & Okta
by John D. Ament
Hi
Just wondering, has anyone set up Keycloak with Okta? Every time I try to
authenticate (both SP-initiated and IdP-initiated) it fails with this error:
01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage
I suspect it's a setup issue on my side, so I was hoping someone else has
tried this and can give tips. I even tried the import feature, no luck.
John
UMA 2.0 permissions for service client owned resources
by Gary Schulte
Hello all,
I have some criteria for resource scope sharing that I am trying to
reconcile. We are using Keycloak to protect data resources. The data
resources are created with a corresponding Keycloak resource and scopes.
These resources are logically owned by the resource creator, but we want to
have the resources technically owned by the service client for a couple of
reasons:
* resources may be created by CS and "transitioned" to users
* resources created by users who leave the organization should not be
orphaned
To accomplish this we have an owner scope which is a proxy for the actual
resource ownership, and the service client actually owns all of the
resources.
However, we want to allow users to share scopes dynamically. We are
looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this
sharing, and intend to continue to use policies for our administrative RBAC
scenarios.
In testing, I have been able to grant and revoke permissions using
permission tickets for service-client-owned resources. However, when I
attempt to use the evaluation console to verify the behavior, I get a 500
error (and no logging on the Keycloak side):
{"error":"server_error","error_description":"Error while evaluating permissions."}
Are UMA 2.0 permissions for service client owned resources a supported use
case?
TIA
Gary Schulte
Keycloak 4.0.0.Final Implicit flow response is different to 3.4.3.Final
by Ian Duffy
Hi All,
In Keycloak 3.4.3.Final, when I used the implicit flow, the URL fragment
contained:
- session_state
- access_token
- id_token
- token_type
- expires_in
- not-before-policy
In Keycloak 4.0.0.Final I'm only seeing:
- session_state
- id_token
- access_token
Why is this? Is there configuration missing or is this a bug?
Thanks,
Ian.
Keycloak always create user when use exchange_token grant_type
by Florian Bernard
Hello,
We are trying to implement the following use case:
We have a Realm and a Client that allow users to log in with the REST API /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application).
Users should be able to log in with a Facebook token by using the same REST API but with the token-exchange grant_type, only if a Keycloak user already exists and is linked with the Facebook identity provider.
Problem: if a user that does not exist in Keycloak exchanges a Facebook token, it will be automatically created by Keycloak and an access_token is returned.
We tried to modify the First Login Flow in the Identity provider configuration, but it does not work.
How can we prevent Keycloak from creating the user, and return an error instead, if there is no Keycloak user linked to the Facebook token?
Thanks in advance,
Florian