How to resolve ERR_CONNECTION_TIMED_OUT
by vandana thota
When I was trying to open the Keycloak admin console I'm getting the below
error. How to resolve it?
This site can't be reached
ERR_CONNECTION_TIMED_OUT
6 years, 6 months
Brokered logins only?
by pkboucher801@gmail.com
Any way (other than a custom theme that enforces it in the UI) to allow only
brokered logins to a realm?
For reasons beyond my control, the user's password is the same in the IDP as
it is in KC (they point at the same OU in LDAP), but the IDP has been
configured with a particular 2FA method that is not supported by KC. So the
problem is that if the users login with username/password submission on the
KC login page, they can bypass the IDP's 2FA.
We can set the IDP as the default, but kc_idp_hint as a blank value will
bring up the KC login page.
Maybe there's a way to adjust the flows so that brokered login works, but
username/password submission on the KC login page fails (or is not even
offered)?
Maybe set up pre-configured OTPs on the accounts, so that the users can't get
past there? (This would be a bad, confusing UX.)
Any other ideas?
Regards,
Peter K. Boucher
6 years, 6 months
Backchannel logout with SSL
by PEETERS.THOMAS (ICT)
Hey all,
One of our requirements for SSO is that when one SSO application in the SSO realm gets a logout request, it logs out all the other applications in the same SSO realm.
For that, I'm assuming 'backchannel logout' is what we need.
We've configured an "admin url" in the client's configuration, using https. But this throws an exception in Keycloak's Undertow subsystem.
When using http instead of https we get an error in our client application telling us that we need SSL. (PreAuthActionsHandler in the Keycloak adapter).
SSL is configured in our client (JBoss 6.4 EAP standalone.xml) and in Keycloak standalone.xml. All https authentication requests/responses between the Keycloak server and our JBoss client seem to work.
The exception is as follows:
KC-SERVICES0057: Logout for client '****' failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory$1.postText(DefaultHttpClientFactory.java:70)
at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:243)
at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:187)
at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:142)
at org.keycloak.protocol.oidc.OIDCLoginProtocol.backchannelLogout(OIDCLoginProtocol.java:266)
at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutClientSession(AuthenticationManager.java:331)
at org.keycloak.services.managers.AuthenticationManager.lambda$backchannelLogoutAll$0(AuthenticationManager.java:242)
at java.util.HashMap$Values.forEach(HashMap.java:972)
at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutAll(AuthenticationManager.java:241)
at org.keycloak.services.managers.AuthenticationManager.backchannelLogout(AuthenticationManager.java:203)
at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:208)
at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken(LogoutEndpoint.java:198)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 92 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 98 more
Setup:
JBoss EAP 6.4, Keycloak-spring-security-adapter 3.4.1.Final, Keycloak 3.4.1.Final.
6 years, 6 months
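The `PKIX path building failed` in the trace is the Keycloak server's JVM refusing the certificate presented by the client application's https admin URL because no CA in the JVM's trust store issued it; Keycloak's own outgoing-request trust store is configured through its `truststore` SPI in standalone.xml. The script below is an added example, not code from the thread or from Keycloak: it performs the same trust decision from outside the JVM against an explicit CA bundle, so the result can be compared with what the server logs. Host, port and CA file are placeholders.

```python
"""Check whether a TLS endpoint's certificate chain validates against a given
CA bundle, the same trust decision the Keycloak server makes before posting a
backchannel logout to an https:// admin URL. Added example; host, port and
CA file are placeholders, not values from the thread."""
import socket
import ssl


def build_context(cafile=None):
    # CERT_REQUIRED plus hostname checking; with cafile=None the platform's
    # default trust store is used, otherwise only the CAs in that bundle.
    return ssl.create_default_context(cafile=cafile)


def diagnose_handshake(host, port, cafile=None, timeout=5.0):
    """Return a dict with ok / category / detail.
    'untrusted-chain' is the Python equivalent of Java's
    'PKIX path building failed' (issuer not in the bundle, or name mismatch);
    'tls' covers other handshake failures; 'connect' means no TCP connection
    was made at all (refused, timeout, DNS)."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"ok": True, "category": None,
                        "detail": subject.get("commonName")}
    except ssl.SSLCertVerificationError as e:   # must precede ssl.SSLError
        return {"ok": False, "category": "untrusted-chain",
                "detail": e.verify_message}
    except ssl.SSLError as e:
        return {"ok": False, "category": "tls", "detail": str(e)}
    except OSError as e:
        return {"ok": False, "category": "connect", "detail": str(e)}


if __name__ == "__main__":
    import sys
    # e.g. python tlscheck.py app.example.internal 8443 /path/to/ca-bundle.pem
    # (placeholders: the admin URL host/port of the JBoss client and the CA
    # that signed its certificate)
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(diagnose_handshake(host, port, cafile))
```

If the result is `untrusted-chain` with the CA bundle you expect the Keycloak JVM to use, the fix is on the trust side (import the issuing CA into the trust store the server actually reads), not on the client adapter, which is why switching the admin URL to http only moves the failure to the adapter's SSL-required check.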
Mapping LDAP group-roles to Keycloak
by Alvaro Martin
Hi,
We have defined a set of fine-grained roles to secure endpoints on a backend
application. We wanted to assign different sets of roles to users. To avoid
having to assign roles one by one to each user we have created groups and
we have mapped roles to them (groups will work as profiles here). Then we
have assigned users to groups. This worked well.
Now we want to create this setup in an LDAP and configure user federation.
We can map LDAP roles to Keycloak roles and LDAP groups to Keycloak groups.
We even import group users into Keycloak. But we don't know how to
transfer LDAP group-roles to Keycloak group role-mappings. We haven't found
a mapper for this. Is there any way to do it?
Thanks in advance,
Álvaro Martín García
6 years, 6 months
Fwd: Keycloak 4
by Corentin Dupont
OK, interesting: I didn't know about this console :)
I can access it with my "test" user, but I don't see the "My Resources"
menu entry (see screenshot).
I created some resources owned by that user (using the API). But they don't
show up.
What did I miss?
On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Yeah, you can access those claims in a JS policy.
>
> Regarding the "account management console" take a look here:
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>
> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Ok, I see the "claim_token" parameter in the request.
>> I guess you can retrieve those claims in a javascript rule, from the
>> evaluation context.
>>
>> By the way, I still cannot figure out where the "account management
>> console" is, where users can manage user access (as per the release notes)?
>>
>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> The new form of obtaining entitlements relies solely on the token
>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>> grant types. With that in mind the new format of the request should be a
>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>
>>> Regarding pushing claims to your policies, there is a specific HTTP
>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>> you want to push.
>>>
>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>
>>>
>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Thanks Pedro, I went through the pull request.
>>>> I'm not sure how to modify my entitlement requests?
>>>> For example I have:
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>   "permissions" : [
>>>>     {
>>>>       "resource_set_name" : "Sensors",
>>>>       "scopes" : [
>>>>         "sensors:update"
>>>>       ]
>>>>     }
>>>>   ]
>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>
>>>> This call has been moved to uma-2, right?
>>>> Can I add pushed claims to this call? What I'm imagining is:
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>   "permissions" : [
>>>>     {
>>>>       "resource_set_name" : "Sensors",
>>>>       "scopes" : [
>>>>         "sensors:update"
>>>>       ]
>>>>     }
>>>>   ],
>>>>   claims: ["owner": "cdupont"]
>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>
>>>> In this example, I would like to push the owner of the sensor
>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>
>>>> Sorry about the questions, maybe I should just wait until the
>>>> documentation is merged :)
>>>>
>>>>
>>>>
>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We have a few changes to docs that were not released because the PR
>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>> are using our adapters) here [2].
>>>>>
>>>>> Regards.
>>>>> Pedro igor
>>>>>
>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>
>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <
>>>>> corentin.dupont(a)gmail.com> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>> I'm playing with the new version of Keycloak (
>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>
>>>>>> I have some questions:
>>>>>> - where is the "account management console"?
>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>
>>>>>> Thanks!
>>>>>> Corentin
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 6 months
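What Pedro describes (the entitlement call moving to the token endpoint, with pushed claims as a Base64-encoded JSON `claim_token`) looks like this when written out. This is an added example, not code from the thread or from Keycloak: `encode_claim_token` and `build_uma_request` are names chosen here; the realm `waziup`, the resource `Sensors`, the scope `sensors:update` and the claim `owner=cdupont` come from Corentin's messages; the host is a placeholder. It assumes the `permission` parameter accepts the resource name as the thread's old call did, and it leaves `claim_token_format` unset for a plain base64 JSON claim token (the documented format values are only used when the claim token is a JWT or an ID token); the RPT comes back in the response's `access_token` field.

```python
"""Build (and optionally send) the UMA 2.0 token-endpoint request that replaces
the old /authz/entitlement call: grant_type=urn:ietf:params:oauth:grant-type:uma-ticket,
the resource server as audience, 'permission' entries, and pushed claims as a
base64-encoded JSON 'claim_token'. Added example; realm, resource, scope and
claim values are taken from the thread, the endpoint host is a placeholder."""
import base64
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def encode_claim_token(claims):
    """Keycloak expects claim_token to be base64-encoded JSON."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_uma_request(audience, permissions, claims=None, claim_token_format=None):
    """permissions: {resource: [scope, ...]} -> list of form fields.
    Each resource becomes one 'permission' value: RESOURCE#scope1,scope2
    (or just RESOURCE when no scopes are requested)."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    for resource, scopes in permissions.items():
        value = resource if not scopes else "%s#%s" % (resource, ",".join(scopes))
        fields.append(("permission", value))
    if claims:
        fields.append(("claim_token", encode_claim_token(claims)))
        if claim_token_format:  # only for JWT / ID-token claim tokens
            fields.append(("claim_token_format", claim_token_format))
    return fields


def request_rpt(base_url, realm, bearer_token, fields, timeout=10):
    """POST the form to the realm token endpoint, authenticated with the user's
    access token; returns the parsed JSON (access_token holds the RPT)."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token" % (base_url.rstrip("/"), realm)
    body = urllib.parse.urlencode(fields).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Bearer " + bearer_token,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    fields = build_uma_request(
        audience="waziup",                          # resource-server client id from the old URL
        permissions={"Sensors": ["sensors:update"]},
        claims={"owner": "cdupont"},                # the claim the poster wants to push
    )
    print(urllib.parse.urlencode(fields))
    # with a user access token in $TOKEN (placeholder host):
    # print(request_rpt("http://localhost:8080", "waziup", os.environ["TOKEN"], fields))
```

The pushed claim is only an input to policy evaluation; nothing in the claim token is authenticated, so a JavaScript policy that reads `owner` from the evaluation context should treat it as the caller's assertion and combine it with claims from the verified bearer token rather than granting on the pushed value alone.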
Re: [keycloak-user] keycloak-user Digest, Vol 54, Issue 41
by Otaño Pavo, Cesar
Hi Dominique,
There is an error in the description of the ktpass command.
The command is really: ktpass -out c:\keycloak.keytab -princ HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Regards
------------------------------
Message: 5
Date: Tue, 26 Jun 2018 12:46:01 +0000
From: Dominique ARNOU <dominique.arnou(a)cnieg.fr>
Subject: Re: [keycloak-user] Kerberos authentication in Windows
To: Otaño Pavo, Cesar <c.otano(a)ibermatica.com>,
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Hi
Your server principal would be HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL, not HTTPS/...
Dominique
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On behalf of Otaño Pavo, Cesar
Sent: Tuesday, 26 June 2018 14:13
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Kerberos authentication in Windows
Hi,
I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-...
In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>.
But after that, when I go to my web page I get the message "Kerberos is not set up. You cannot login."
Additional information:
· Keycloak is installed in Windows Server 2012.
· Command to create keytab file:
ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
· Configuration KRB5.ini located in c:\windows
[domain_realm]
.sanbox.local = SANBOX.LOCAL
sanbox.local = SANBOX.LOCAL
[libdefaults]
default_realm = SANBOX.LOCAL
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
SANBOX.LOCAL = {
kdc = sb-ad.sanbox.local
admin_server = sb-ad.sanbox.local
default_domain = SANBOX.LOCAL
}
· Kerberos Integration:
Allow Kerberos authentication: YES
Kerberos Realm SANBOX.LOCAL
Server Principal HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL
KeyTab C:/keycloak.keytab
Debug YES
Use Kerberos For Password Authentication YES
Regards
Cesar
6 years, 6 months
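Dominique's point is that a browser doing SPNEGO asks the KDC for a ticket to `HTTP/<fqdn>@REALM` whatever the scheme of the site, so the Keycloak "Server Principal", the principal the keytab was created for, and the `[domain_realm]` mapping in krb5.ini all have to line up on that name. The check below is an added example, not code from the thread or from Keycloak: `check_spnego_setup`, its finding codes and the minimal krb5.ini parser are names and logic chosen here; the sample values are the ones quoted in the thread, with the list's `(a)` written back as `@`. It goes slightly beyond the thread by also flagging host/realm case and an unmapped domain.

```python
"""Consistency check for a Kerberos/SPNEGO setup like the one in the thread:
the Keycloak 'Server Principal', the principal baked into the keytab, and the
[domain_realm] mapping in krb5.ini must agree. Added example; inputs below are
constructed from the values quoted in the thread."""
import re

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

# [domain_realm] and [realms] as posted; [libdefaults] trimmed for brevity
KRB5_INI = """
[domain_realm]
.sanbox.local = SANBOX.LOCAL
sanbox.local = SANBOX.LOCAL
[libdefaults]
default_realm = SANBOX.LOCAL
[realms]
SANBOX.LOCAL = {
kdc = sb-ad.sanbox.local
admin_server = sb-ad.sanbox.local
}
"""


def parse_principal(principal):
    m = PRINCIPAL_RE.match(principal.strip())
    if not m:
        raise ValueError("not a service principal: %r" % principal)
    return m.groupdict()


def domain_realm_map(krb5_ini):
    """Return the [domain_realm] section as a dict. Minimal parser: other
    sections (including the braces in [realms]) are skipped, not interpreted."""
    mapping, section = {}, None
    for line in krb5_ini.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry first, then the longest matching '.suffix' entry."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    for suffix in sorted((k for k in mapping if k.startswith(".")), key=len, reverse=True):
        if host.endswith(suffix):
            return mapping[suffix]
    return None


def check_spnego_setup(configured, keytab_principal, krb5_ini):
    """Return a list of finding codes; an empty list means the three agree."""
    findings = []
    cfg, kt = parse_principal(configured), parse_principal(keytab_principal)
    if cfg["service"] != "HTTP":          # browsers request HTTP/<host>, never HTTPS/
        findings.append("service-class")
    if cfg["host"] != cfg["host"].lower():
        findings.append("host-case")
    if cfg["realm"] != cfg["realm"].upper():
        findings.append("realm-case")
    if cfg != kt:                         # Keycloak must find exactly this key in the keytab
        findings.append("keytab-mismatch")
    if realm_for_host(cfg["host"], domain_realm_map(krb5_ini)) != cfg["realm"]:
        findings.append("domain-realm")
    return findings


if __name__ == "__main__":
    configured = "HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL"  # as configured in Keycloak
    in_keytab = "HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL"    # as in the first ktpass command
    print(check_spnego_setup(configured, in_keytab, KRB5_INI))
```

With the thread's values the check reports `service-class` (and `keytab-mismatch` when the keytab holds the HTTP/ name while Keycloak is configured with HTTPS/); once both are `HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL` it reports nothing.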
RESET_PASSWORD_ERROR incorrect clientId
by Dan Neville
Hello,
I am currently experiencing some issues with resetting credentials via Keycloak. I've experienced this with both 3.4.0 and 4.0.0.
We have the "account" client disabled because we do not want a user to have access to changing any of their details other than the password as we saw here http://lists.jboss.org/pipermail/keycloak-user/2017-September/011873.html.
We have another two clients "web" and "mobile" which we use.
When we request a reset with client_id set to "web" (http://localhost/auth/realms/my-realm/login-actions/reset-credentials?cli...) an email is sent, I click on the link and I can correctly reset my password.
However when I reset with client_id set to "mobile" (https://localhost/auth/realms/my-realm/login-actions/reset-credentials?cl...) an email is sent, I click on the link and I get a page which says "Login requester not available" and the log line seen is:
14:25:42,543 WARN [org.keycloak.events] (default task-70) type=RESET_PASSWORD_ERROR, realmId=my-realm, clientId=account, userId=d4486f3c-ac49-49da-aecf-8898d80f59b7, ipAddress=X.X.X.X, error=client_not_found, reason=loginRequesterNotEnabledMessage, auth_method=openid-connect, token_id=1c9a2709-2902-496b-9e2c-90cdb4404374, action=reset-credentials, response_type=code, redirect_uri=http://localhost/auth/realms/my-realm/account/, remember_me=false, code_id=7ac6953f-a943-473c-b333-e526202c9793, response_mode=query
In the log line I can see that it is trying to use the "account" client id which is disabled, so I understand this is why I'm getting the error. However I'm not sure why it is trying to use the "account" client id.
What reasons could there be for the client_id with "mobile" acting differently?
Many Thanks
Dan
6 years, 6 months
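The log line Dan quotes is the `org.keycloak.events` format (`type=..., realmId=..., clientId=..., ...`), and the useful signal in it is the combination `type=RESET_PASSWORD_ERROR`, `error=client_not_found` and a `clientId` that is not the one the reset link was requested for. The parser and filter below are an added example, not code from the post or from Keycloak: `parse_event` and `flag_reset_failures` are names chosen here; the first sample line is the one from the post, the other two are constructed.

```python
"""Parse Keycloak event-log lines (the 'type=..., realmId=..., ...' format of
org.keycloak.events) and flag password-reset failures whose client could not
be resolved, as in the post. Added example; the first sample line is from the
post, the other two are constructed."""
import re

# "HH:MM:SS,mmm LEVEL [logger] (thread) rest"
HEAD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]+)\)\s+(?P<rest>.*)$")
# key=value pairs separated by ", "; the lookahead keeps commas inside a value
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

SAMPLE_LINES = [
    # from the post
    "14:25:42,543 WARN [org.keycloak.events] (default task-70) type=RESET_PASSWORD_ERROR, "
    "realmId=my-realm, clientId=account, userId=d4486f3c-ac49-49da-aecf-8898d80f59b7, "
    "ipAddress=X.X.X.X, error=client_not_found, reason=loginRequesterNotEnabledMessage, "
    "auth_method=openid-connect, token_id=1c9a2709-2902-496b-9e2c-90cdb4404374, "
    "action=reset-credentials, response_type=code, "
    "redirect_uri=http://localhost/auth/realms/my-realm/account/, remember_me=false, "
    "code_id=7ac6953f-a943-473c-b333-e526202c9793, response_mode=query",
    # constructed: a reset that went through the "web" client
    "14:25:10,001 INFO [org.keycloak.events] (default task-69) type=SEND_RESET_PASSWORD, "
    "realmId=my-realm, clientId=web, userId=d4486f3c-ac49-49da-aecf-8898d80f59b7, "
    "ipAddress=X.X.X.X, auth_method=openid-connect",
    # constructed: a line from another logger, which the parser must ignore
    "14:26:00,000 INFO [org.keycloak.services] (ServerService Thread Pool -- 60) "
    "KC-SERVICES0001: Loading config from standalone.xml or domain.xml",
]


def parse_event(line):
    """Return the event as a dict of fields, or None for non-event lines."""
    m = HEAD_RE.match(line.strip())
    if not m or m.group("logger") != "org.keycloak.events":
        return None
    event = {"ts": m.group("ts"), "level": m.group("level")}
    event.update(PAIR_RE.findall(m.group("rest")))
    return event


def flag_reset_failures(lines):
    """Events of type RESET_PASSWORD_ERROR with error=client_not_found, each
    reduced to the fields an analyst needs to correlate with the reset link
    that was actually requested (user, the client Keycloak used, reason, IP)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("type") == "RESET_PASSWORD_ERROR" \
                and ev.get("error") == "client_not_found":
            hits.append({"ts": ev["ts"], "user": ev.get("userId"),
                         "client": ev.get("clientId"), "reason": ev.get("reason"),
                         "ip": ev.get("ipAddress")})
    return hits


if __name__ == "__main__":
    for hit in flag_reset_failures(SAMPLE_LINES):
        print(hit)
```

Run over the post's line the filter yields one hit whose `client` is `account`, which is exactly the observation Dan makes by eye; over a real log it also gives the `userId`/`ipAddress` pairs needed to tell a misconfigured client from someone probing the reset endpoint with arbitrary `client_id` values.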
Kerberos authentication in Windows
by Otaño Pavo, Cesar
Hi,
I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-...
In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>.
But after that, when I go to my web page I get the message "Kerberos is not set up. You cannot login."
Additional information:
· Keycloak is installed in Windows Server 2012.
· Command to create keytabfile:
ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
· Configuration KRB5.ini located in c:\windows
[domain_realm]
.sanbox.local = SANBOX.LOCAL
sanbox.local = SANBOX.LOCAL
[libdefaults]
default_realm = SANBOX.LOCAL
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
SANBOX.LOCAL = {
kdc = sb-ad.sanbox.local
admin_server = sb-ad.sanbox.local
default_domain = SANBOX.LOCAL
}
· Kerberos Integration:
Allow Kerberos authentication: YES
Kerberos Realm SANBOX.LOCAL
Server Principal HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL
KeyTab C:/keycloak.keytab
Debug YES
Use Kerberos For Password Authentication YES
Regards
Cesar
6 years, 6 months