Regarding resourcePath in email html template
by vidhyadharan D
Hi,
I am customizing the email template for password-reset. I wish to access
the logo from the email resources directory, i.e.
<keycloak>\themes\<my-custom-theme>\email\resources\img\marketing.jpg
This is possible for the login module via ${url.resourcesPath}.
Could someone please point out to me how to access the email resource path?
Regards,
vidhya
6 years, 4 months
admin/api interface ip restrictions
by Jernej Porenta
Hey,
Based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I've tried to set up a filter which would allow accessing administrative interfaces only from specific IPs.
We have used the following commands:
/subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(,expression="path-prefix[/auth/admin] -> ip-access-control(acl={'193.189.160.11/32 allow'})")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()
But unfortunately, this has totally blocked our access to administrative interfaces.
We are running this setup in k8s behind Azure Application Gateway and the k8s ingress nginx controller. Both proxies have been configured to add `X-Forwarded-For` headers, while we are still receiving a 403 error.
We have dug into the issue a bit more and got some more information:
- it seems Keycloak sees the right IP when we try to log in to a fake realm
12:29:41,069 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-re..., code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd
- but when we try to access admin console, we get 403. The requestDumper gives us this:
==============================================================
14:13:36,876 INFO [io.undertow.request.dump] (default I/O-6)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=X-Real-IP=193.189.160.11
header=Cache-Control=max-age=0
header=Accept-Encoding=gzip, deflate, br
header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
header=X-Original-Forwarded-For=193.189.160.11:58359
header=X-Scheme=https
header=Connection=close
header=X-Forwarded-Port=443
header=X-ORIGINAL-HOST=taurus1.siol.net
header=X-Forwarded-For=193.189.160.11
header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam(a)ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=Host=taurus1.siol.net
header=X-Forwarded-Host=taurus1.siol.net
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
header=Accept-Language=en-US,en;q=0.9
header=Max-Forwards=10
header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
header=SEC-WEBSOCKET-EXTENSIONS=
header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
header=X-Forwarded-Proto=https
header=X-Original-URI=/auth/admin/
header=X-Original-URL=/auth/admin/
header=Upgrade-Insecure-Requests=1
locale=[en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=193.189.160.11:0
remoteHost=193.189.160.11
scheme=https
host=taurus1.siol.net
serverPort=443
--------------------------RESPONSE--------------------------
contentLength=74
contentType=text/html
header=Connection=close
header=Content-Length=74
header=Content-Type=text/html
header=Date=Fri, 24 Aug 2018 14:13:36 GMT
status=403
==============================================================
Any clues, what are we doing wrong?
Thank you in advance, br, Jernej
6 years, 4 months
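As an added illustration (not Keycloak or Undertow code, and not from the thread above), the following Python models what a proxy-aware version of the ACL in the post should decide for requests carrying the headers from the request dump. The ACL entry `193.189.160.11/32 allow` and the `/auth/admin` prefix are taken from the post; the trusted-proxy range `10.0.0.0/8` and the peer address `10.244.1.7` are assumptions standing in for the ingress pods. The point it makes is the check a practitioner wants to see: the client address may be taken from `X-Forwarded-For` only when the TCP peer is a proxy you trust, otherwise a direct caller could simply send `X-Forwarded-For: 193.189.160.11` and pass.

```python
import ipaddress

# Constructed ACL mirroring the filter in the post: one /32 allowed, default deny,
# the same semantics as ip-access-control(acl={...}) with default-allow=false.
ADMIN_ACL = ["193.189.160.11/32 allow"]
ADMIN_PREFIX = "/auth/admin"
# Assumption (not from the post): the private range the ingress/proxy pods live in.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_acl(entries):
    """Turn 'CIDR allow|deny' strings into (network, allowed) pairs, in order."""
    rules = []
    for entry in entries:
        cidr, action = entry.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad ACL action in {entry!r}")
        rules.append((ipaddress.ip_network(cidr, strict=False), action == "allow"))
    return rules


def _strip_port(hop):
    """'193.189.160.11:58359' -> '193.189.160.11'; bare IPv6 (many colons) is left alone."""
    return hop.rsplit(":", 1)[0] if hop.count(":") == 1 else hop


def client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the real client address from the TCP peer and X-Forwarded-For.

    Only a trusted proxy may speak for the client: if the peer is untrusted,
    its own address is the client and the header is ignored (so a direct
    caller cannot spoof an allowed IP). Otherwise walk the header from the
    right, skipping trusted proxy hops; the first untrusted hop is the client.
    Returns None (fail closed) on an unparsable hop.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(_strip_port(remote_addr))
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()] if x_forwarded_for else []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(_strip_port(hop))
        except ValueError:
            return None
        if not is_trusted(addr):
            return addr
    return peer  # every hop was one of our own proxies


def acl_allows(rules, addr, default_allow=False):
    """First matching rule wins; nothing matched -> default_allow (False here)."""
    if addr is None:
        return False
    for network, allowed in rules:
        if addr in network:
            return allowed
    return default_allow


def filter_status(path, remote_addr, x_forwarded_for="", acl=ADMIN_ACL,
                  trusted_proxies=TRUSTED_PROXIES, prefix=ADMIN_PREFIX):
    """HTTP status the admin filter should yield: 403 when denied, 200 otherwise."""
    if not path.startswith(prefix):
        return 200
    addr = client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return 200 if acl_allows(parse_acl(acl), addr) else 403


if __name__ == "__main__":
    # Header value as in the request dump; the peer address is a constructed ingress pod IP.
    print(filter_status("/auth/admin/", "10.244.1.7", "193.189.160.11"))    # 200
    print(filter_status("/auth/admin/", "203.0.113.7", "193.189.160.11"))   # 403: untrusted peer, header ignored
```

Undertow's ip-access-control compares the exchange's source address against the ACL; what that address is at the moment the filter runs depends on whether the listener's proxy-address-forwarding has already rewritten it from the header. The model above is a reference for the decision each request should get, not a description of that handler ordering.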
Removal of adapters for older containers| Please don't remove for wildfly 11
by vandana thota
Hello
We are using WildFly 11 and Keycloak 4.0.0 onwards for our SAML
configuration, and it includes the Keycloak 4.0.0 SAML adapters also
at our client project.
Please don't remove the support for them.
If it's removed, what is the alternative option for us for SAML
configuration (like single sign-on for our application)?
Yesterday I saw some email thread regarding this from Stian
Thorgersen.
Thanks,
Vandana
6 years, 4 months
Load denied by X-Frame-Options
by Ryan Piper
Hello,
I am receiving the error message on the `auth/admin/master/console/#/`
page. I am running keycloak in a docker container which has nginx instance
in front of it. The precise error I get is:
```
Load denied by X-Frame-Options:
https://keycloak.fqdn.com/auth/realms/master/protocol/openid-connect/logi...
does not permit framing.
```
I configured the xml files so proxy-address-forwarding is set to true. Not
sure how to correct this issue in the context of Keycloak. Any help would be
appreciated!
Thanks.
6 years, 4 months
Enabling login events causes ERROR: value too long for type character varying(2550)
by Dennis de Vaal | Rovecom
When a user logs in via our custom SAML-based identity provider (which in turn is based on the one provided with keycloak), keycloak will throw the following exception: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(2550). This happens when the user is redirected back to keycloak from the external IdP.
I have traced this back to the details_json column in the event_entity table. This column has a varchar data type of length 2550. Can this limit be increased or removed? For now we decided to disable this feature (Save Events: OFF) under Events > Config > Login Events Settings.
We are running keycloak 3.4.3 Final (from the official jboss docker image). See attached log for a full stacktrace.
Regards,
Dennis de Vaal
web developer, Rovecom
elbe 2, 7908 hb hoogeveen / 0528 22 35 35
postbus 2126, 7900 bc hoogeveen / rovecom.nl <https://www.rovecom.nl/>
Constantly innovating to stimulate movement and realise growth. We are Rovecom.
Disclaimer: https://www.rovecom.nl/maildisclaimer. If the link does not work, paste it into your internet browser.
6 years, 4 months
Token with information about login method
by Nikola Malenic
Suppose we have multiple login methods (multiple authenticators) user can be
logged in with.
Is there a way to place this information (which authenticator did the
authentication) in the access token?
It would be even better to assign different scopes to the access token based
on the authentication method.
Many thanks,
Nikola
6 years, 4 months
User import strategy
by Robert Smol
Hello, we are migrating from old system to keycloak, and I've implemented
several interfaces:
UserStorageProvider,
UserLookupProvider,
CredentialInputValidator,
CredentialInputUpdater,
UserQueryProvider
When I now go to the Users tab and do View All Users, I see some users
twice: once for those that logged in via Keycloak and got a local account
created (section 11.9.1 of server_development), and once because they are
listed due to UserQueryProvider, but I do not see any way to distinguish
between those entries. Both have Federation Link set to our custom provider.
Ideally I would love to see which user is local and which one is remote so
I know which users we still need to migrate.
What is your strategy on this? Shall I tweak the `getUsers` method to check
userLocalStorage() for already imported users and skip those?
Robert
6 years, 4 months
Multiple password policies
by Jamie McDowell
Hi,
Can you have multiple password policies on the same realm where you are using an LDAP instance (federated)?
We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have two OUs, one for users and the other for service accounts. Both of these need different password requirements, such as length and complexity.
We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?
Has anyone configured this before, or can anyone suggest alternatives?
Regards,
Jamie
6 years, 4 months
Browser not maintaining session for keycloak users
by Test Oauth
I am using openid-connect for authenticating users. After successful
authentication, the browser window says:
"Login Successful
You may close this browser window and go back to your console application."
However, even without closing the window, if I relaunch my application
(using keycloak.loginDesktop();) even within 10 seconds, the login
page still appears instead of "you are already logged in".
Browser: Firefox.
6 years, 4 months