KC 4.3.0.Final - MariaDB DB errors on fresh install
by java_os
Struggled with this fresh install.
You get this error on startup:
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1'
NULL' at line 1 [Failed SQL: ALTER TABLE keycloak.CREDENTIAL ADD COUNTER
INT DEFAULT 0 NULL, ADD DIGITS INT DEFAULT 6 NULL, ADD PERIOD INT DEFAULT
30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL]
======
I ran the DB upgrade in manual mode to get the generated .sql and changed the
ALTER on CREDENTIAL as follows (injecting COLUMN into the SQL - weird?):
ALTER TABLE keycloak.CREDENTIAL ADD COLUMN COUNTER INT DEFAULT 0 NULL, ADD
COLUMN DIGITS INT DEFAULT 6 NULL, ADD COLUMN PERIOD INT DEFAULT 30 NULL,
ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL;
especially before PERIOD, where it bailed out.
Re-ran the SQL update - works, able to bring KC up.
Really? Why? Has anyone gone through this?
6 years, 3 months
Client role scope param
by Ulrik Lejon
Hi,
I'm having some issues understanding how to use the "Scope Param Required"
switch when creating a role on my client. I have created a new client in
the master realm, let's call it "master-client". Next I went to Clients >
Master-client -> Roles and added a role named "role-one". In the wizard
where I created the role I selected true on the switch "Scope Param
Required". After that I created a new user and added the role "role-one" to
that user.
When I look at the access token the user receives when logging in using the
javascript adapter I can not see "role-one" in the roles array in the
resource_access object. I get this: "resource_access": {}.
However, if I edit the role and select false on the switch "Scope Param
Required" I can see "role-one" in the JWT: "resource_access": {
"master-client": { "roles": [ "role-one" ] } }
What am I missing? I'm using Keycloak 3.1.0.FINAL and keycloak-js 3.4.3.
Cheers,
Ulrik
6 years, 3 months
org.keycloak.keycloak-services
by Nikola Malenic
I developed an authentication provider and am trying to deploy it on the KC
server. My project depends on keycloak-services:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-services</artifactId>
<scope>provided</scope>
<version>${keycloak.version}</version>
</dependency>
My version is the same as the running Keycloak server.
I'm getting this error:
java.lang.NoClassDefFoundError: Failed to link
rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm (Module
"deployment.aas-1.0.DEBUG.jar" from Service Module Loader):
org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator
And WildFly succeeds in finding other dependencies, like keycloak-server-spi
etc.
Any clue why this is happening?
Many thanks,
Nikola
6 years, 3 months
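One way to make the provider JAR's dependency on keycloak-services explicit to WildFly, as an added example that is not part of Nikola's post or of the Keycloak project's own files: a `META-INF/jboss-deployment-structure.xml` packaged inside the provider JAR. The Maven `provided` scope keeps the keycloak-services classes out of the JAR, so at runtime something has to attach the server module that contains `AbstractUsernameFormAuthenticator`. The example assumes the JAR is hot-deployed from WildFly's `deployments/` directory (which is what the `deployment.aas-1.0.DEBUG.jar` module name in the stack trace suggests) and that the Keycloak server ships a WildFly module named `org.keycloak.keycloak-services`; that the deployer links other Keycloak modules automatically but not this one is my inference from the symptom (server-spi classes resolve, services classes do not), not something the thread confirms.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  META-INF/jboss-deployment-structure.xml, packaged inside the provider JAR.
  Added example, not from the thread. Assumes the JAR is deployed from
  WildFly's deployments/ directory and that the module
  org.keycloak.keycloak-services exists in the server's modules tree.
-->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- Provides org.keycloak.authentication.authenticators.browser.*
                 (AbstractUsernameFormAuthenticator and friends) to the
                 deployment's class loader at runtime. -->
            <module name="org.keycloak.keycloak-services"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```

Before rebuilding, check that the module really exists on your server; on a stock distribution the Keycloak modules live under `modules/system/add-ons/keycloak/org/keycloak/` in the Keycloak home directory, and the directory name there is the module name to use. Declare only the modules the provider actually links against: every module listed here becomes visible to the deployment, so an over-broad list widens what an extension can reach.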
authentication / authorization / 3rd party web services
by Fox, Kevin M
Hi All,
I'm trying to get a handle on Keycloak and have a use case it may be good for, but it is unclear how to proceed.
I would like to use Keycloak to provide unified authentication and provide some additional info useful for authorization. So this is OpenID Connect type things. Allow a user to login with Kerberos or some social provider such as Google/Github. And then tack on some groups/roles/whatever to allow authorization downstream. Keycloak seems to support this piece very well.
I'd like to be able to do something similar to Google or GitHub, where you have a self-service website a user can go to, to get client credentials to allow external web services to auth to the web services on the user's behalf. As things like Kubernetes become more widely deployed, I see users needing to launch their own web services and hook them into the auth system easily. I see pieces of this in Keycloak but am not sure how this should work.
I can see the organization providing some services, and other users providing services. How would you arrange it so that one tenants services could be authorized by a user to be used by another tenants services.
Like, in the attached diagram, I could see user logging in, then going to the Processing web service, then being asked to give access permissions to the Storage web service so that it can retrieve data.
To do something like this, would you have one master domain users log in through, and then have per-tenant domains which are an OpenID Connect client of the master domain and give each tenant their own admin access to their own tenant?
Is there a totally different way to do this? Is this something that is out of scope for Keycloak?
Thanks,
Kevin
6 years, 3 months
Queries regarding keycloak api usage
by Prince Anand Anandaraj
Hi,
I am currently working on securing an application using Keycloak.
Currently, I am using Keycloak version 3.4.3.
I have some questions:
I face a problem using authz-client. I do not find any provision
(methods) to log out a user who has been authenticated using the
authz-client API. Is there a way to log out a user authenticated using
authz-client?
Is there a way to change the user password by consuming the Keycloak
API other than the Keycloak admin API?
I am trying to get UserModel, UserSessionModel and RealmModel using an API
call to get some information about the currently logged-in user. Most of the APIs in
Keycloak expect an instance of "KeycloakSession", including some classes and
methods that are used to change user credentials. How do I get this
KeycloakSession?
Thanks in advance.
Thanks and regards,
Prince Anand
Disclaimer : http://www.objectfrontier.com/maildisclaimer.html
6 years, 3 months
Delete session strange behaviour
by Karol Buler
Hi Keycloaks,
I'm using my custom user provider, and when I try to delete a
session by "sessionId" something strange happens, because my provider
is asked for the user. In my opinion, when you try to delete a session,
it should just be done as is. The problem is that in my CRM I'm deleting the
user, so when I try to delete the session an error occurs, because there
is no user in the CRM, but the provider expects one.
Is there any "flag" or something to disable this, let's say, "checking"? Or
can I distinguish between asking for the user during login and during session deletion?
Karol
6 years, 3 months
Can't access REST service with valid keycloak token after secure with keycloak
by Erik G. Haugen
I used the Keycloak Java API to get a valid token, then used this token to
try to access a REST service that has been secured with Keycloak, but I get
a 404 error, Not Found.
Here is my java code to get the token from keycloak. This appears to work:
AuthzClient authzClient = AuthzClient.create();
AccessTokenResponse response = authzClient.obtainAccessToken(user, password);
I get a valid token in the response. I then try to use this token to
access the REST service secured with keycloak:
String urlString =
"http://localhost:3333/appname-1.0.0-SNAPSHOT/project/0.1/device/return/all";
URL url = new URL(urlString);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("GET");
String tokenStr = response.getToken(); // access token from the AccessTokenResponse above
String authString = "Bearer " + tokenStr;
con.setRequestProperty("Authorization", authString);
int basicStatus = con.getResponseCode();
The basicStatus returns 404
I secured the war file with the REST service by adding a web.xml file and a
keycloak.json file. If I remove the web.xml and keycloak.json file from the
war, then above code returns 200. But then the service is not secure.
web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Device</web-resource-name>
<url-pattern>/device/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>device</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
<security-role>
<role-name>device</role-name>
</security-role>
</web-app>
The user has the role "device" in Keycloak.
Any idea what might be wrong?
6 years, 3 months
How to update defaultGroups via kcadm
by Chih-Chun Lee 李志純
Hello,
I tried to update defaultGroups via the kcadm command line, but it didn't work.
I want to add an existing group to defaultGroups. The following is what I've
tried:
$ bin/kcadm.sh update realms/demo -b '{"defaultGroups":["/demogroup"]}'
$ bin/kcadm.sh update realms/demo -s 'defaultGroups=["/demogroup"]'
It didn't work, even configuring defaultGroups when creating the realm:
$ bin/kcadm.sh create realms -b '{"realm":"demo", "enabled":true,
"defaultGroups":["/demogroup"]}'
It's weird because defaultRoles property seems to work fine.
$ bin/kcadm.sh update realms/demo -b '{"defaultRoles":["test", "demo"]}'
To verify the changes, run the following:
$ bin/kcadm.sh get realms/demo | grep default
The result shows:
"defaultRoles" : [ "test", "demo" ],
defaultGroups never shows.
Am I doing something wrong? Please help me, thanks.
Best regards,
Timothy
6 years, 3 months