Set up user attributes at account creation
by Rémy Grünblatt
Hi,
Is there any possibility to automatically set up attributes (such as a
unique integer ID) at account creation with Keycloak?
I'm trying to set up a "rank" (1 for the first user, 2 for the second
user, 3 for the third one) as an attribute and I'm having trouble
finding out how I could "automate" this.
Thanks,
Rémy
6 years, 5 months
Limitations of create_realm role or a bug?
by Christian Neudert
Hello,
I have a permission problem with realms created by a user in the master realm who has the "create_realm" role only. This user can create a realm and new users in it but can't assign the "impersonation" role to them. From my understanding, it's because this user doesn't have the "impersonation" role in the master realm and therefore can't assign it to another user in another realm. This is expected given what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-....
My problem is that I can't configure the created realm completely with this user without that possibility. It also contradicts what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: "Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create."
Should a user with the ‘create_realm’ role be allowed to set the ‘impersonation’ role for users in realms created by her or is it a bug? If it’s a wanted restriction I don’t know how to solve that problem without giving this user the admin permission in the master realm which is… not so good.
FYI: I’m using Keycloak 3.4 with the Java Keycloak Admin CLI atm.
Best regards,
Christian Neudert
6 years, 5 months
Redirect uri is not working
by Abdul Basith
Hi All,
I have configured a Keycloak standalone server, created a client under a
newly created realm and entered an HTTP URL (for example http://something.com) in
the "Valid Redirect URIs" section of the client settings.
Then I added Keycloak to our web application, which is developed in
vue.js, using "rockt-vuejs-keycloak-npm". Everything worked fine.
For security reasons we changed our URL to HTTPS and replaced the
"Valid Redirect URI" with the HTTPS URL in Keycloak. But unfortunately we
started getting an error "Invalid redirect URL" while loading the page,
and the redirect URL is still pointing to the old http redirect URL.
I have tried clearing the realm cache, but I am still getting the error. What
could be the reason for this issue, and how can I fix it?
Thanks in advance
Abdul Basith
6 years, 5 months
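As an added example (not from the post and not Keycloak's own code), a Python approximation of how "Valid Redirect URIs" entries are matched; it shows why a client that still sends the http:// URL is rejected once only the https:// entry is registered, and adds an audit of registrations that weaken the check. The matching rules are my reading of the documented behaviour (exact match, or a trailing `*` treated as a prefix), and the host, paths and entries are constructed.

```python
"""Approximation of Keycloak's "Valid Redirect URIs" matching.

Added example, not Keycloak's code: exact match, or a registered entry ending
in '*' treated as a prefix. Query and fragment are ignored for comparison in
this approximation.
"""
from urllib.parse import urlsplit, urlunsplit


def _comparable(uri: str) -> str:
    """Keep scheme, host and path only."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def redirect_uri_allowed(redirect_uri: str, registered: list[str]) -> bool:
    """True if redirect_uri matches one registered entry.

    The scheme is part of the compared string, so 'http://...' never matches
    an 'https://...' registration, and a trailing '*' widens only what follows
    the prefix, never the scheme or host inside the prefix.
    """
    p = urlsplit(redirect_uri)
    if not p.scheme or not p.netloc:
        return False  # relative or malformed URIs are never accepted
    candidate = _comparable(redirect_uri)
    for entry in registered:
        if entry.endswith("*"):
            if candidate.startswith(entry[:-1]):
                return True
        elif candidate == entry:
            return True
    return False


def audit_registered(registered: list[str]) -> list[str]:
    """Report registrations that weaken the redirect check."""
    findings = []
    for entry in registered:
        if entry == "*":
            findings.append(f"{entry}: matches every URI, the check is disabled")
            continue
        if entry.startswith("http://"):
            findings.append(f"{entry}: plaintext scheme, the authorization "
                            "code is exposed in transit")
        if "*" in entry[:-1]:
            findings.append(f"{entry}: '*' only acts as a wildcard at the end")
        if entry.endswith("*") and not urlsplit(entry[:-1]).path:
            findings.append(f"{entry}: wildcard right after the host also "
                            "matches other hosts starting with that prefix")
    return findings


# Constructed post-migration registration: only the https:// entry remains.
REGISTERED = ["https://something.com/*"]
```

With `REGISTERED` as above, `redirect_uri_allowed("http://something.com/app", REGISTERED)` is False while the same path over https:// is accepted, which is the failure the post describes when the application still sends its old http:// redirect.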
Fwd: Custom Identity Brokering for a CAS Server
by Erlend Hamnaberg
Whoops, forgot to send this to the list.
Sure.
It all depends on how you want to implement this. You can for instance
implement the Authenticator SPI or use the IdentityProvider SPI.
These are very different implementations. I have used the IdentityProvider
SPI, and used the client libs from CAS.
If you are able to change the CAS server install, you can add the OpenId
Connect plugin and then the implementation becomes trivial, as you only
need to add that as an OIDC IdentityProvider config.
For my client, that was not possible.
/Erlend
On Wed, Aug 15, 2018 at 8:28 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
> Erlend,
> At least, you could give inputs if you are not allowed to publish.
>
> 2018-08-14 13:00 GMT+02:00 Erlend Hamnaberg <erlend(a)hamnaberg.net>:
>
>> I have done this for my client.
>>
>> It is quite possible to do, however it is not trivial.
>> Not sure if I'm allowed to publish the source for the integration, but I
>> will ask.
>>
>>
>> /Erlend
>>
>> On Tue, Aug 14, 2018 at 12:07 PM, Rémy Grünblatt <remy(a)grunblatt.org>
>> wrote:
>>
>>> Hi,
>>>
>>> This adds a client protocol, what we are searching for is the other way
>>> around (use the CAS as a provider).
>>>
>>> Thanks,
>>> Rémy
>>>
>>> Le 14 août 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho <
>>> msakho(a)redhat.com> a écrit :
>>> >Remy,
>>> >take a look at this [1]
>>> > [1] =https://github.com/Doccrazy/keycloak-protocol-cas
>>> >
>>> >Meissa
>>> >
>>> >2018-08-14 11:25 GMT+02:00 Rémy Grünblatt <remy(a)grunblatt.org>:
>>> >
>>> >> Hello,
>>> >>
>>> >> We would like to have a Keycloak server use data from a legacy auth
>>> >> system (namely, a CAS server,
>>> >> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
>>> >> authenticate people. We do not have admin rights on the CAS server, nor
>>> >> are we able to access the underlying ldap database it uses internally.
>>> >>
>>> >> People would be able to have "pure" keycloak accounts (new users), but
>>> >> also link their identity from the CAS or use the CAS to identify, and
>>> >> create an account the first time they do so.
>>> >>
>>> >> I tried to find documentation to develop our own identity provider (as
>>> >> Keycloak only has social, oidc, and saml providers), but I find it
>>> >> difficult to guess what interfaces we need to implement.
>>> >>
>>> >> Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS
>>> >>
>>> >>
>>> >> So, questions:
>>> >>
>>> >> - Is there a list somewhere of everything we need to implement, besides
>>> >> looking at the code of keycloak?
>>> >> - Is there online some custom provider example code for something that
>>> >> is not talking oidc, saml, or is a social provider?
>>> >> - Do you think it's a good idea to create such a provider?
>>> >>
>>> >>
>>> >> I found
>>> >> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
>>> >> but I have no news about the result of this enterprise: Dominik (can I
>>> >> call you Dominik?), did you manage to achieve this goal?
>>> >>
>>> >> Many thanks,
>>> >>
>>> >> Rémy
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user(a)lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>>
>
6 years, 5 months
Re: [keycloak-user] How to logout
by Ryan Slominski
Hi Stan,
If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:
https://javaee.github.io/tutorial/security-webtier003.html
And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea. It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself?
Ryan
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "Ryan Slominski" <ryans(a)jlab.org>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 15, 2018 3:02:18 PM
Subject: Re: [keycloak-user] How to logout
Why is your client out of sync with the keycloak server? If you are
building a servlet-based application (JSF, JSP, Struts, etc.), then why
not use the WildFly adapter in the JEE way as described in the Keycloak
documentation? The WildFly Keycloak adapter takes care of all the hard
stuff for you.
On 8/15/2018 9:50 AM, Ryan Slominski wrote:
> Hi Stan,
> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>
> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>
> {"error":"invalid_request","error_description":"No refresh token"}
>
> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>
> Thanks,
>
> Ryan
>
> ----- Original Message -----
> From: "Stan Silvert" <ssilvert(a)redhat.com>
> To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
> Sent: Monday, August 13, 2018 7:15:15 PM
> Subject: Re: [keycloak-user] How to logout
>
> HttpServletRequest.logout() should not be a no-op. It was implemented a
> long time ago:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro...
>
> If there is an issue with it you should report it in JIRA.
>
> Stan
>
> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>> Hi Keycloak Users,
>>
>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>
>> 1. Call HttpServletRequest.logout()
>> 2. Navigate to URL https://urldefense.proofpoint.com/v2/url?u=http-3A__auth-2Dserver_auth_re... {realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>
>> See: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...
>>
>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>
>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>
>> Thanks,
>>
>> Ryan
6 years, 5 months
Need to stop multiple reset password request
by Khyati Kataria
Hi,
As per one of the vulnerability requirements, it should be possible to
block a hacker from flooding a user's email box with the password reset
feature.
Can you please let us know if Keycloak can be configured to prevent
this vulnerability?
Thanks,
Khyati Kataria
6 years, 5 months
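As an added example, not a Keycloak feature and not code from the post, a sliding-window throttle that counts reset mails per account and per source address; it shows the shape of the control asked about, while the response to the requester stays the same whether or not a mail is sent. The limits, window and sample requests are constructed.

```python
"""Sliding-window throttle for password-reset e-mails.

Added example, not Keycloak code. Beyond `limit` mails per `window_seconds`
for one account, or from one source address, the requester still gets the
usual "if the account exists, a mail was sent" page but nothing is sent, so
the mailbox cannot be flooded and account existence is not disclosed.
"""
from collections import defaultdict, deque


class ResetThrottle:
    def __init__(self, limit: int = 3, window_seconds: int = 900):
        self.limit = limit
        self.window = window_seconds
        self._sent = defaultdict(deque)  # key -> timestamps of mails sent

    def _recent(self, key: str, now: float) -> deque:
        """Drop timestamps older than the window and return the remainder."""
        q = self._sent[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def should_send(self, account: str, source_ip: str, now: float) -> bool:
        """True if a reset mail should actually be sent for this request.

        The account is normalised so case variants count together. The source
        address (take it from the trusted proxy, never from a client header)
        is counted too, so one address cycling through many accounts is also
        limited. Suppressed requests are not recorded and cannot extend the block.
        """
        queues = [self._recent(f"acct:{account.strip().lower()}", now),
                  self._recent(f"ip:{source_ip}", now)]
        if any(len(q) >= self.limit for q in queues):
            return False
        for q in queues:
            q.append(now)
        return True


def simulate(requests, limit=3, window_seconds=900):
    """Feed (timestamp, account, ip) requests through the throttle and return
    (mails_sent, mails_suppressed)."""
    throttle = ResetThrottle(limit, window_seconds)
    sent = suppressed = 0
    for ts, account, ip in sorted(requests):
        if throttle.should_send(account, ip, ts):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed sample: 20 resets for one mailbox within 200 s from one address,
# then a legitimate request from elsewhere after the window has passed.
FLOOD = [(t, "Alice@example.org", "203.0.113.7") for t in range(0, 200, 10)]
FLOOD.append((2000.0, "alice@example.org", "198.51.100.2"))
```

`simulate(FLOOD)` returns `(4, 17)`: three mails in the burst, seventeen suppressed, and the later request is honoured once the window has expired.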
Re: [keycloak-user] How to logout
by Ryan Slominski
Hi Stan,
The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
{"error":"invalid_request","error_description":"No refresh token"}
So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
Thanks,
Ryan
----- Original Message -----
From: "Stan Silvert" <ssilvert(a)redhat.com>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Monday, August 13, 2018 7:15:15 PM
Subject: Re: [keycloak-user] How to logout
HttpServletRequest.logout() should not be a no-op. It was implemented a
long time ago:
https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro...
If there is an issue with it you should report it in JIRA.
Stan
On 8/13/2018 4:19 PM, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>
> 1. Call HttpServletRequest.logout()
> 2. Navigate to URL https://urldefense.proofpoint.com/v2/url?u=http-3A__auth-2Dserver_auth_re... {realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>
> See: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...
>
> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>
> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>
> Thanks,
>
> Ryan
6 years, 5 months
Custom Identity Brokering for a CAS Server
by Rémy Grünblatt
Hello,
We would like to have a Keycloak server use data from a legacy auth
system (namely, a CAS server,
https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
authenticate people. We do not have admin rights on the CAS server, nor
are we able to access the underlying ldap database it uses internally.
People would be able to have "pure" keycloak accounts (new users), but
also link their identity from the CAS or use the CAS to identify, and
create an account the first time they do so.
I tried to find documentation to develop our own identity provider (as
Keycloak only has social, oidc, and saml providers), but I find it
difficult to guess what interfaces we need to implement.
Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS
So, questions:
- Is there a list somewhere of everything we need to implement, besides
looking at the code of keycloak?
- Is there online some custom provider example code for something that
is not talking oidc, saml, or is a social provider?
- Do you think it's a good idea to create such a provider?
I found
http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
but I have no news about the result of this enterprise: Dominik (can I
call you Dominik?), did you manage to achieve this goal?
Many thanks,
Rémy
6 years, 5 months