GSS delegation credential mapper
by Paolo Tedesco
Hi,
I'm trying to configure the GSS credential mapper for an application.
I've configured SPNEGO authentication on the server, and this is working.
Then I've created an application (confidential client) and added a GSS delegation credential mapper to the application, but I don't seem to get a claim with the GSS credentials in the token after I authenticate. If I understood correctly, I should see a claim in the access token named "gss_delegation_credential".
Is there anything else I need to configure, like some additional mappers?
Also, is it possible to get this gss_delegation_credential token only when authenticating with SPNEGO, or would it be possible to get it with other authentication mechanisms as well (e.g. x509 certificate, username and password)?
Thanks,
Paolo Tedesco
6 years, 5 months
Wildfly Container Managed Security Constraint Redirect localhost
by Ryan Slominski
Hi Keycloak Users,
I'm attempting to set up a Wildfly application as a client to Keycloak, and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com". This breaks the process with the Keycloak error "Invalid parameter: redirect_uri". How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly application on unprotected pages I'm using the actual hostname already. In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1. I've also updated the host element default-host alias to match myserver.example.com to replace "localhost". Neither of those changes made a difference.
Thanks,
Ryan
6 years, 5 months
Version API endpoint removed in 4.2.1?
by Dockendorf, Trey
I updated a test node to 4.2.1 from 3.4.2 and noticed /auth/version no longer works. I use this endpoint with Nagios to check that Keycloak is booted. Is this removal expected, and if so is there a viable alternative in 4.2.1? I need something that requires no authentication.
4.2.1:
$ curl http://localhost:8080/auth/version
$
3.4.2:
$ curl http://localhost:8080/auth/version
{"version":"3.4.2.Final","build-time":"2017-12-21 12:57"}
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
6 years, 5 months
Setting up realm automatically -Client Service Account Roles
by Henning Waack
Dear all.
Using KC 4.2.1.
I want to set up my realm and all (initial) clients automatically (using
Ansible). Most things work, but right now I do not know how to set the
"Client Service Account Roles". I am looking at kcadm primarily, but any
other way to set this would be great, too.
Thanks & greetings
Henning
6 years, 5 months
Set key at realm creation or replace an existing key
by triton oidc
Hi,
I'm trying to do an OpenShift based implementation.
Two servers (Keycloak and a relying party, RP).
They cannot communicate, but the RP is supposed to verify Keycloak's token.
For that it needs to have the public key of the realm.
When my pod (Docker instance) restarts, I re-create the same realm, with the
same clientID,
but of course the realm's key is a newly generated one.
I saw in an old documentation that it was possible to upload a key
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
I didn't find the certificate in the json from
kcadm.sh get realms
so I don't think it's going to help using a
kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
What I would like to do is set the key at the realm creation, or modify it
just after its creation.
If anyone has a clue, or can just confirm to me that it's not possible
Thanks a lot
Amaury
6 years, 5 months
Re: [keycloak-user] [keycloak-dev] Error while updating jboss/keycloak from old :latest to newer :latest
by Hynek Mlnarik
Fixing the target list.
The changelogs between Betas were allowed to change freely so this change
(which came between Beta1 and Beta2) causes the issue. Always prefer exact
Final releases to :latest.
To fix this issue, you would have to either delete the corresponding row in
the 'databasechangelog' table and revert all the changes from [1], or
update the checksum in the corresponding row in database changelog table
and apply the differences from [1] manually to match the final version of
that file.
[1]
https://github.com/keycloak/keycloak/blame/master/model/jpa/src/main/reso...
On Wed, Aug 8, 2018 at 9:37 AM Lukasz Lech <l.lech(a)ringler.ch> wrote:
> Hello,
>
> I've started keycloak locally from docker image jboss/keycloak:latest
>
> Today I've pulled the image, and I've got the following error:
>
> Caused by: liquibase.exception.ValidationFailedException: Validation
> Failed:
> 1 change sets check sum
> META-INF/
> jpa-changelog-authz-4.0.0.CR1.xml::authz-4.0.0.CR1::psilva@redhat.com is
> now: 7:57960fc0b0f0dd0563ea6f8b2e4a1707
>
> at
> liquibase.changelog.DatabaseChangeLog.validate(DatabaseChangeLog.java:206)
> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1139)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.keycloak.common.util.reflections.Reflections.invokeMethod(Reflections.java:379)
> The problem is, I'm not sure what was the :latest state I was using, it
> was some snapshot of 4.0.0-Beta,
> I've tried to start now :latest, :4.0.0.Final, and :4.0.0.Beta3, but
> neither of them can work with the old database.
>
> Does it mean that my current database is unusable and I need to start
> from scratch, or is there some way to update it?
>
> Should I never ever in the future use :latest image?
>
> Best regards,
> Lukasz Lech
>
6 years, 5 months
Still getting DB upgrade issue with 4.2.1
by GARDAIS Ionel
Hi list,
When migrating to 4.2.1 from 4.1.0, I'm still getting a DB upgrade issue:
22:02:27,350 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 58) Change Set META-INF/jpa-changelog-authz-4.2.0.Final.xml::authz-4.2.0.Final::mhajas@redhat.com failed. Error: Column 'VALUE' cannot be null [Failed SQL: INSERT INTO keycloak.RESOURCE_URIS (RESOURCE_ID, VALUE) VALUES ('e34d82f8-d106-4ec8-b235-4b895001cefb', NULL)]
No more complaints about table name mismatch, but now about a null value.
Any hints?
DB is mysql 5.7
Regards.
6 years, 5 months
Kubernetes integration
by Fox, Kevin M
Question regarding using KeyCloak and Kubernetes.
Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you set up two clients, one for the website and one for the cli. You mark the cli as a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client.
What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients.
Thanks,
Kevin
6 years, 5 months
FW: Access control and client setup
by Wyns Dean
Hi
I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things.
We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.
Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions:
- create:item
- read:item
- update:item
- delete:item
Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes.
Also, in a SPA + API setup, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scopes from the access token, obtained by decoding it.
Thanks for any feedback
Kind regards
Dean
6 years, 5 months