Mail System Error - Returned Mail
by Mail Administrator
6 years, 5 months
Force POST setting in SAML??
by Max Allan
Hi,
I have a SAML SP that needs both POST and Redirect methods in the
sp_metadata file (if Redirect is missing, it fails to even start up the
app).
A bit of fiddling and I noticed the "Force POST Binding" in the client
config. If I turn it OFF then both POST and Redirect lines appear in the
installation file. Nice.
However, when the user tries to log in, something (Keycloak, I'm pretty sure)
gets things wildly wrong and the browser ends up at the SP's redirect URI
with the "SAMLRequest=...." in the URL.
The SP doesn't know how to process that (that's for Keycloak). So it fails
to log in.
If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
include the Redirect method. But at least the user can log in.
Can anyone explain what's going on? Why do I need to set it off to generate
the XML for the SP and then back on to actually work?
Thanks,
Max
6 years, 5 months
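A check that goes with the question above, added here as an example; it is not part of Max's post and not Keycloak's own code. It parses an SP metadata file and reports which binding each AssertionConsumerService and SingleLogoutService advertises. The sample metadata is constructed for the example, not the poster's file, and the entity ID and URLs in it are placeholders. One fact worth having when reading the output: the SAML 2.0 Web Browser SSO profile delivers the Response to the ACS only over the HTTP-POST or HTTP-Artifact binding, so an ACS entry with the HTTP-Redirect binding is one a conforming IdP will never use, and a SAMLResponse that turns up URL-encoded in a query string is something a conforming SP is entitled to reject.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata (placeholder entity ID and URLs): the ACS
# advertises both POST and Redirect, which is the situation the post describes.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoints(metadata_xml, element):
    """List the SPSSODescriptor endpoints of one kind (e.g. AssertionConsumerService)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for ep in root.iterfind(f".//md:SPSSODescriptor/md:{element}", NS):
        found.append({
            "binding": ep.get("Binding"),
            "location": ep.get("Location"),
            "index": ep.get("index"),
            "default": ep.get("isDefault") == "true",
        })
    return found


def check_sp_metadata(metadata_xml):
    """Return human-readable findings about the ACS binding configuration."""
    findings = []
    acs = endpoints(metadata_xml, "AssertionConsumerService")
    bindings = {e["binding"] for e in acs}
    if POST not in bindings and ARTIFACT not in bindings:
        findings.append("no AssertionConsumerService with HTTP-POST or HTTP-Artifact "
                        "binding: an IdP has no profile-conformant way to deliver a Response")
    for e in acs:
        if e["binding"] == REDIRECT:
            findings.append(f"AssertionConsumerService index={e['index']} advertises "
                            "HTTP-Redirect; the Web Browser SSO profile delivers the "
                            "Response only via HTTP-POST or HTTP-Artifact")
    if sum(1 for e in acs if e["default"]) > 1:
        findings.append("more than one AssertionConsumerService is marked isDefault")
    return findings


if __name__ == "__main__":
    for kind in ("AssertionConsumerService", "SingleLogoutService"):
        for e in endpoints(SP_METADATA, kind):
            print(f"{kind} index={e['index']} {e['binding'].rsplit(':', 1)[-1]} -> {e['location']}")
    for f in check_sp_metadata(SP_METADATA):
        print("finding:", f)
```

Run it against the real sp_metadata by replacing SP_METADATA with the file's contents; the SingleLogoutService listing is included because Redirect is a normal binding there, so seeing it in the SLO section but not the ACS section is the expected shape.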
Unable to change consentRequired value for protocol mappers using Keycloak 4.2.1
by Dockendorf, Trey
I am testing Puppet changes needed to support Keycloak 4.2.1 after supporting 3.4.x and discovered I’m unable to change the consentRequired field for protocol mappers. Is this expected behavior or a bug? The behavior is the same if I update the resource using a full JSON file too, which is what I have Puppet doing. Based on my read of the 4.0.0 upgrade docs it looks like “Consent Required” was removed, so is the JSON value now read-only?
Thanks,
- Trey
[root@centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh update client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test -s consentRequired=true -o
Logging into http://localhost:8080/auth as user admin of realm master
{
"id" : "f56be3eb-5986-5366-b209-dd6a9269e7b9",
"name" : "email",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"user.attribute" : "email",
"friendly.name" : "email",
"attribute.name" : "email"
}
}
[root@centos-7-x64 /]# cat /tmp/test.json
{
"id": "f56be3eb-5986-5366-b209-dd6a9269e7b9",
"name": "email",
"protocol": "saml",
"protocolMapper": "saml-user-property-mapper",
"consentRequired": true,
"config": {
"user.attribute": "email",
"friendly.name": "email",
"attribute.name": "email"
}
}
[root@centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh update client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test -f /tmp/test.json
Logging into http://localhost:8080/auth as user admin of realm master
[root@centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh get client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test
Logging into http://localhost:8080/auth as user admin of realm master
{
"id" : "f56be3eb-5986-5366-b209-dd6a9269e7b9",
"name" : "email",
"protocol" : "saml",
"protocolMapper" : "saml-user-property-mapper",
"consentRequired" : false,
"config" : {
"user.attribute" : "email",
"friendly.name" : "email",
"attribute.name" : "email"
}
}
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
6 years, 5 months
Deployment of custom IdentityProviders with HTML pages for admin console
by Thomas Darimont
Hello,
a while ago I developed a custom IdentityProvider which comes with
the required HTML pages for the custom configuration options.
Currently, I need to copy the .jar together with the HTML files which is a
bit annoying.
Is it possible to get the admin resources for the IdentityProvider resolved
from the .jar?
My current deployment script contains the following:
...
echo install new acme-identityprovider
cp target/*.jar $KEYCLOAK_HOME/standalone/deployments
echo install new theme page
cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes
...
This copies the associated HTML files to
themes/base/admin/resources/partials/realm-identity-provider-acme.html
themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html
Cheers,
Thomas
6 years, 5 months
authorizationServicesEnabled flag not working from CLI
by Test Oauth
I am using the following command (on Keycloak 4.1.0):
kcreg create -s clientId=test15 -s protocol=openid-connect -s
"redirectUris=[\"*\"]" -s publicClient=false -s serviceAccountsEnabled=true
-s authorizationServicesEnabled=true
The above command successfully creates a new client and sets all the flags
mentioned in the command except for the authorization option. When I check
in the Keycloak web console the 'Authorization Enabled' option is still turned off.
Next, I tried to update this flag:
kcreg update test15 -s authorizationServicesEnabled=true
No error is thrown but the 'Authorization Enabled' option is still
turned off.
Is it even possible to set this option through the CLI? (It gets enabled if
done through the Keycloak web console.)
Also, am I using the correct option? In the docs:
https://www.keycloak.org/docs-api/4.1/rest-api/index
two flags are mentioned: authorizationServicesEnabled and
authorizationSettings.
On using the second flag I get:
Failed to set attribute 'authorizationSettings' on document type 'default'
which means that this option is not valid for this particular command.
6 years, 5 months
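Both this report and Trey's consentRequired report above have the same shape: a representation is sent to the admin API, no error comes back, and a later read shows one field unchanged. The example below is added here and is not code from either poster, from Puppet, or from Keycloak; it is the read-back check a configuration-management run should do after every create or update. It parses the output of a `kcadm get` (which prints a "Logging into ..." banner before the JSON) and reports every desired field the server did not take. The representations are constructed from the two reports; the client `id` and the extra server-populated fields are placeholders.

```python
import json

# Constructed from Trey's report: the JSON sent with `kcadm update` ...
DESIRED_MAPPER = {
    "id": "f56be3eb-5986-5366-b209-dd6a9269e7b9",
    "name": "email",
    "protocol": "saml",
    "protocolMapper": "saml-user-property-mapper",
    "consentRequired": True,
    "config": {"user.attribute": "email", "friendly.name": "email", "attribute.name": "email"},
}

# ... and the raw stdout of the following `kcadm get`, banner line included.
KCADM_GET_OUTPUT = """Logging into http://localhost:8080/auth as user admin of realm master
{
  "id" : "f56be3eb-5986-5366-b209-dd6a9269e7b9",
  "name" : "email",
  "protocol" : "saml",
  "protocolMapper" : "saml-user-property-mapper",
  "consentRequired" : false,
  "config" : {
    "user.attribute" : "email",
    "friendly.name" : "email",
    "attribute.name" : "email"
  }
}
"""

# Constructed from the kcreg report: the attributes given on the command line
# and a read-back in which only authorizationServicesEnabled did not apply.
DESIRED_CLIENT = {
    "clientId": "test15",
    "protocol": "openid-connect",
    "redirectUris": ["*"],
    "publicClient": False,
    "serviceAccountsEnabled": True,
    "authorizationServicesEnabled": True,
}
ACTUAL_CLIENT = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder, server-assigned
    "clientId": "test15",
    "protocol": "openid-connect",
    "redirectUris": ["*"],
    "publicClient": False,
    "serviceAccountsEnabled": True,
    "authorizationServicesEnabled": False,
    "enabled": True,  # server default, not part of the desired state
}


def parse_kcadm_output(text):
    """Skip kcadm's non-JSON banner lines and load the JSON document that follows."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith(("{", "[")):
            return json.loads("\n".join(lines[i:]))
    raise ValueError("no JSON document found in kcadm output")


def unapplied_fields(desired, actual, path=""):
    """Map each desired field the server did not take to (desired, actual).

    Only fields present in `desired` are compared, so server-populated extras
    such as `id` or `enabled` are ignored; nested dicts (e.g. `config`) are
    compared recursively and reported with a dotted path.
    """
    diff = {}
    for key, want in desired.items():
        here = f"{path}.{key}" if path else key
        if key not in actual:
            diff[here] = (want, None)
        elif isinstance(want, dict) and isinstance(actual[key], dict):
            diff.update(unapplied_fields(want, actual[key], here))
        elif want != actual[key]:
            diff[here] = (want, actual[key])
    return diff


def verify_read_back(desired, kcadm_get_stdout):
    """Convenience wrapper: parse the read-back and return the unapplied fields."""
    return unapplied_fields(desired, parse_kcadm_output(kcadm_get_stdout))


if __name__ == "__main__":
    print("protocol mapper:", verify_read_back(DESIRED_MAPPER, KCADM_GET_OUTPUT))
    print("client:", unapplied_fields(DESIRED_CLIENT, ACTUAL_CLIENT))
```

An empty result means the update was applied in full; a non-empty one is the signal to fail the run loudly rather than report success, which is exactly the silent case both posts describe.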
Secure CORS configuration
by Jan Garaj
Hello,
I would like to use https://github.com/damienbod/angular-auth-oidc-client/,
but this library has CORS problem with userinfo endpoint query from Firefox
(Chrome has a similar CORS error):
*Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at
https://<keycloak>/auth/realms/<realm>/protocol/openid-connect/userinfo.
(Reason: CORS header ‘Access-Control-Allow-Origin’ missing).*
All resources which I found recommend configuring the Keycloak CORS
header Access-Control-Allow-Origin: *, which is not a secure option:
https://stackoverflow.com/questions/45051923/keycloak-angular-no-access-c...
http://lists.jboss.org/pipermail/keycloak-user/2017-September/011890.html
+ it looks like this insecure option is not available anymore, because
https://issues.jboss.org/browse/KEYCLOAK-5946 has been implemented.
So my question is: how to configure Keycloak (server, OIDC client) for
secure cross-origin requests?
Fortunately, Google IdP works fine for my use case, so I'm able to check
preflight headers. Google IdP:
$ curl "https://www.googleapis.com/oauth2/v3/userinfo" -v -X OPTIONS \
-H "Host: www.googleapis.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: authorization" \
-H "Origin: https://domain.com" ...
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 02 Aug 2018 06:29:07 GMT
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: authorization
< Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT
< Access-Control-Allow-Origin: https://domain.com
< Access-Control-Max-Age: 3600
< Vary: Origin
< Vary: X-Origin
< Content-Type: application/octet-stream
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Content-Length: 0
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
My Keycloak 4.2:
$ curl "https://<keycloak>/auth/realms/<realm>/protocol/openid-connect/userinfo" \
-v -X OPTIONS -H "Host: <keycloak>" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: authorization" \
-H "Origin: https://domain.com" ...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Access-Control-Allow-Origin: https://domain.com
< Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
< Access-Control-Allow-Credentials: true
< Content-Length: 0
< Access-Control-Allow-Methods: GET, HEAD, OPTIONS
< Access-Control-Max-Age: 3600
< Date: Thu, 02 Aug 2018 06:30:44 GMT
Keycloak is not able to add additional headers into the preflight response,
so I'm not able to verify whether those additional Google headers (Vary,
Content-Type, ....) would solve my Keycloak CORS issue.
Definitely, it works in my Firefox if "CORS Everywhere" plugin is
activated, so it seems to be an issue with Keycloak preflight response
headers.
My test setup:
Docker image jboss/keycloak:4.2.0.Final (tested also with 3.x)
angular-auth-oidc-client 6.x, angular 6.x
Many thanks in advance.
*Jan Garaj*
6 years, 5 months
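An added example for the question above; it is not part of Jan's post, of angular-auth-oidc-client, or of Keycloak. It applies the checks a browser makes on a preflight response (origin match, the wildcard rule for credentialed requests, allowed methods and headers) to the two captures quoted in the post, and shows the allowlist pattern a server should use instead of `*`: emit the requesting origin only when it is on a fixed list, together with `Vary: Origin`. The header lines are copied from the captures above, trimmed to the CORS-relevant ones; the origin allowlist is a constructed value. Note that a preflight that passes these checks only clears the OPTIONS step: the real GET response must also carry `Access-Control-Allow-Origin`, so a "header missing" error with a clean preflight means the actual userinfo response is the one to capture next.

```python
# Header lines from the two curl captures in the post, trimmed to the CORS headers.
GOOGLE_PREFLIGHT = """< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: authorization
< Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT
< Access-Control-Allow-Origin: https://domain.com
< Access-Control-Max-Age: 3600
< Vary: Origin
"""

KEYCLOAK_PREFLIGHT = """< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://domain.com
< Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, HEAD, OPTIONS
< Access-Control-Max-Age: 3600
"""

# CORS-safelisted request headers and "simple" methods never need a preflight grant.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def parse_curl_headers(capture):
    """Turn the '< Name: value' lines of a `curl -v` capture into a dict.

    Names are lower-cased; repeated headers are joined with ', ' as a
    browser would treat them.
    """
    headers = {}
    for line in capture.splitlines():
        if not line.startswith("<") or ":" not in line:
            continue  # skip the status line and non-header output
        name, value = line[1:].split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def _csv(headers, name):
    return {v.strip() for v in headers.get(name, "").split(",") if v.strip()}


def evaluate_preflight(headers, origin, method, request_headers, with_credentials=True):
    """Return (ok, reasons) for a preflight as a browser would judge it."""
    reasons = []
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        reasons.append("Access-Control-Allow-Origin missing")
    elif acao == "*" and with_credentials:
        reasons.append("'*' is rejected when the request carries credentials")
    elif acao != "*" and acao != origin:
        reasons.append(f"allowed origin {acao!r} does not match request origin {origin!r}")
    if with_credentials and headers.get("access-control-allow-credentials", "").lower() != "true":
        reasons.append("Access-Control-Allow-Credentials must be 'true' for credentialed requests")
    methods = {m.upper() for m in _csv(headers, "access-control-allow-methods")}
    if method.upper() not in SIMPLE_METHODS and method.upper() not in methods:
        reasons.append(f"method {method!r} not in Access-Control-Allow-Methods")
    allowed = {h.lower() for h in _csv(headers, "access-control-allow-headers")}
    for h in request_headers:
        if h.lower() not in SAFELISTED_HEADERS and h.lower() not in allowed:
            reasons.append(f"request header {h!r} not in Access-Control-Allow-Headers")
    return (not reasons, reasons)


def allow_origin_headers(request_origin, allowlist):
    """Server-side allowlist: echo the origin only if it is on the list, never reflect blindly.

    `Vary: Origin` tells caches the response differs per origin, so one origin's
    grant is not served to another.
    """
    if request_origin in allowlist:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    ALLOWLIST = {"https://domain.com"}  # constructed
    for name, capture in (("google", GOOGLE_PREFLIGHT), ("keycloak", KEYCLOAK_PREFLIGHT)):
        ok, why = evaluate_preflight(parse_curl_headers(capture), "https://domain.com", "GET", ["authorization"])
        print(name, "preflight ok" if ok else f"preflight rejected: {why}")
    print(allow_origin_headers("https://domain.com", ALLOWLIST))
    print(allow_origin_headers("https://other.example", ALLOWLIST))
```

Both captured preflights pass for a GET with an Authorization header from https://domain.com, which narrows the problem to the non-preflight response or to a mismatch between the origin the browser sends and the one configured as the client's Web Origin.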