Using the Keycloak Client Adapter for JBOSS as a Relying Party (RP) to a non-keycloak OpenID Provider (OP)
by Doyle Collings
Is it possible to use the Keycloak Client Adapter for JBOSS as a Relying Party to a non-keycloak OpenID Provider? My CA Single Sign-On (Siteminder) OP uses the following endpoints:
"authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize",
"token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token",
"userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo",
"validate_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/introspect",
"revoke_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/revoke",
"jwks_uri": https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?Aut...
The Keycloak Client Adapter does not allow me to use those exact URLs. It builds the URLs based on the auth-server-url
and the realm specified within the <subsystem> element in my standalone.xml, using the following code in the package org.keycloak.constants:
package org.keycloak.constants;

// Each path is appended to auth-server-url, with {realm-name} replaced by the realm from standalone.xml.
public interface ServiceUrlConstants {
    public static final String AUTH_PATH = "/realms/{realm-name}/protocol/openid-connect/auth";
    public static final String TOKEN_PATH = "/realms/{realm-name}/protocol/openid-connect/token";
    public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
    public static final String ACCOUNT_SERVICE_PATH = "/realms/{realm-name}/account";
    public static final String REALM_INFO_PATH = "/realms/{realm-name}";
    public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
    public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
    public static final String JWKS_URL = "/realms/{realm-name}/protocol/openid-connect/certs";
}
I am thinking that I can edit the source code so that if https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc is entered as my auth-server-url in the standalone.xml, I could achieve the following needed endpoint URLs:
"authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize"
"token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token"
"userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo"
"jwks_uri": https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?Aut...
using the following altered source code:
package org.keycloak.constants;

public interface ServiceUrlConstants {
    // Changed: relative to the OP base URL given as auth-server-url
    public static final String AUTH_PATH = "/authorize";
    public static final String TOKEN_PATH = "/token";
    // Unchanged: still built from the Keycloak realm layout
    public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
    // Changed
    public static final String ACCOUNT_SERVICE_PATH = "/userinfo";
    // Unchanged
    public static final String REALM_INFO_PATH = "/realms/{realm-name}";
    public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
    public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
    // Changed: includes the OP's query parameter
    public static final String JWKS_URL = "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev";
}
Is my logic flawed? Or does anybody know of another OIDC Client Adapter for JBoss that can be used as a Relying Party for a non-Keycloak OpenID Provider?
Thank you for your help.
Doyle Collings
Distributed Services Application Engineer and Single Sign-On Implementer/Administrator
Zions Bancorporation
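An added example, not from the post or the Keycloak code base, that resolves the URLs the adapter would build from auth-server-url plus the ServiceUrlConstants paths and diffs them against what an OP publishes in its OIDC discovery metadata, so a path mismatch is caught before any redirect or token call is configured. The OP hostname is a constructed placeholder, and the mapping from the adapter constants to discovery keys is an assumption of this example.

```python
# Added example (not Keycloak's code): compare adapter-built endpoint URLs with an
# OP's discovery metadata. Hostnames below are constructed placeholders.

# Paths quoted in the post from org.keycloak.constants.ServiceUrlConstants,
# keyed by the OIDC discovery metadata name assumed to correspond to each.
KEYCLOAK_PATHS = {
    "authorization_endpoint": "/realms/{realm-name}/protocol/openid-connect/auth",
    "token_endpoint": "/realms/{realm-name}/protocol/openid-connect/token",
    "jwks_uri": "/realms/{realm-name}/protocol/openid-connect/certs",
    "end_session_endpoint": "/realms/{realm-name}/protocol/openid-connect/logout",
}

# The altered constants proposed in the post (the logout path was left untouched).
ALTERED_PATHS = dict(KEYCLOAK_PATHS, **{
    "authorization_endpoint": "/authorize",
    "token_endpoint": "/token",
    "jwks_uri": "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev",
})

# Constructed discovery document for a non-Keycloak OP that publishes no logout endpoint.
OP_BASE = "https://op.example.test/affwebservices/CASSO/oidc"
OP_DISCOVERY = {
    "authorization_endpoint": OP_BASE + "/authorize",
    "token_endpoint": OP_BASE + "/token",
    "userinfo_endpoint": OP_BASE + "/userinfo",
    "jwks_uri": OP_BASE + "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev",
}


def build_adapter_urls(auth_server_url, realm, paths=KEYCLOAK_PATHS):
    """Mimic the adapter: auth-server-url + constant path, with {realm-name} substituted."""
    base = auth_server_url.rstrip("/")
    return {k: base + p.replace("{realm-name}", realm) for k, p in paths.items()}


def compare_with_discovery(adapter_urls, discovery):
    """Return {metadata_key: (adapter_url, op_url_or_None)} for every endpoint whose
    adapter-built URL differs from what the OP publishes; an empty dict means all match."""
    return {k: (u, discovery.get(k)) for k, u in adapter_urls.items()
            if discovery.get(k) != u}


if __name__ == "__main__":
    for label, paths in (("stock", KEYCLOAK_PATHS), ("altered", ALTERED_PATHS)):
        urls = build_adapter_urls(OP_BASE, "unused-realm", paths)
        print(label, compare_with_discovery(urls, OP_DISCOVERY))
```

With the altered constants only the logout URL remains unmatched, because the adapter still derives it from a realm path that the OP never publishes.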
6 years, 3 months
GATEWAY_TIMEOUT
by vandana thota
Hello
After I installed Keycloak 4.2.1 and brought up the server, I checked the
logs and no errors showed up, but when I hit the URL it shows the error
below.
Date: Thu, 13 Sep 2018 13:57:46 CDT
Username:
Source IP: 10.101.69.143
URL: GET http://nl005382:/auth/
Category: Global NoAuth
Reason: UNKNOWN
Notification: GATEWAY_TIMEOUT
The server is up and running and pinging. I installed Keycloak on a separate VM,
not on the WildFly server.
All ports in standalone.xml are configured well, and all ports are
listening.
How do I resolve this error?
Thanks,
6 years, 3 months
Fetch user groups from Google IAM account
by Roland Tepp
Hey,
Please bear with me as I am quite new at this stuff and I am still
struggling with getting to grips with all the terms and relationships in
Keycloak.
I am trying to set up a Keycloak realm to use the Google OIDC IDP, and while
setting up the OIDC login flow was rather straightforward, there are still a few
things I cannot figure out.
First, I want to limit the set of users who can gain access to a single Google
hosted domain.
The Google identity token contains a claim called 'hd', but I can't figure
out how I can use it to limit/restrict logins from other Google hosted
domains.
I suppose it should be part of the initial login flow, but I can't really see
how or where I should configure this.
(The Google OIDC endpoint also supports a proprietary argument with the same
name that should be used to restrict the Google account selection dialogue to
only the specified hosted domain, but again, I do not see where I can hard
code its value for an IDP authentication request.)
Second, how do I get Google domain groups for the authenticated users?
They are not returned as user claims in a token. Google's documentation
suggests I need to ask Google directory services for that information.
Has anyone managed to integrate Google hosted domains with Keycloak, and do
you have a recipe for how one can fetch Google group memberships for
logged-in users into Keycloak?
Roland
6 years, 3 months
User registration outside of Keycloak and automatic authentication
by Andy Skiba
Hi All,
I'm trying to integrate Keycloak into our project and I'm running into the
following problem. We have a pretty involved registration flow, so my idea
was to go through that flow and create users in Keycloak via admin REST
API. That works fine but I end up with a user that is not authenticated
after registration. Is there a way to register users outside of keycloak
and then end up with an authenticated SSO session?
I've seen this thread
http://lists.jboss.org/pipermail/keycloak-user/2016-October/008018.html
from two years ago, and it proposes writing a custom Authenticator. Is that
still the easiest/only option?
Thanks for any pointers,
Andy
6 years, 3 months
Unable to perform Keycloak single logout
by Amjad
Hi,
I have two applications, i.e. one Django-based, protected using
mod_auth_openidc, and another Java-based, hosted on WildFly and protected
using the Keycloak-specific Java adapter. SSO works fine on both
applications. However, the problem occurs in the case of logout. When I perform
logout from the Django application, both applications are redirected to
login on the next request (as expected). However, when I perform logout on the Java
application, the Django application still works as normal rather than
asking for login again on the next request. As per the Keycloak documentation,
the Admin URL shall be set for a particular client so that it can be used by the Keycloak
server to send backend requests to the application for various tasks, like
logging out users or pushing revocation policies. From the Apache logs, I can see
that no back-end request is generated by Keycloak for the logout performed
from the Java-based application. If I generate the logout from the Keycloak admin
utility, then the Apache logs show a POST action for k_logout.
Any idea/help in this regard will be much appreciated. Many thanks.
I used,
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1
6 years, 3 months
OAuth and SAML authentication
by Craig Setera
Reading the documentation, there is a statement that makes it appear that
you can't support *both* OAuth and SAML authentication to the same
resources. Is that really the case? We would like to allow both OAuth and
SAML authentication to access our API (along with appropriate differences
in functionality). Is that possible?
Thanks,
Craig
6 years, 3 months
Keycloak with react-native application
by Christophe Lehingue
Hello,
What should you put as an address in the "redirect url" section of the
Keycloak configuration panel for a native application made with
react-native (or native-view)?
Thank you.
Regards,
Christophe
6 years, 3 months