Suppression of basic challenge on login of Web App?
by Chris Smith
I have a web app secured by KC. It authenticates against our Active Directory and that appears to be working.
I'm developing using Tomcat as my web app server.
When on a Windows client machine that is a member of my Active Directory, and Windows Internet options are set, both Chrome and Internet Explorer do not put up the browser challenge or forward to the KC login page.
I have a requirement that a browser on a client that is not in my Active Directory log in with the user's Active Directory user id and password.
After a successful login, everything is great.
My issue is that when running from a browser on a client that is not a member of the Active Directory domain, first the browser presents a Basic Challenge. Then, regardless of what is entered or whether the challenge is dismissed, the browser forwards as expected to the KC login page.
How can the Basic Challenge be suppressed?
My web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         id="WebApp_ID" version="3.1">
    <display-name>SSO-Example</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>MYREALM</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSO-Example</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
My keycloak.json
{
    "realm": "MYREALM",
    "auth-server-url": "https://my.keycloak:8443/auth",
    "ssl-required": "external",
    "resource": "MYCLIENT",
    "verify-token-audience": true,
    "credentials": {
        "secret": "my secret"
    },
    "disable-trust-manager": true,
    "allow-any-hostname": true,
    "use-resource-role-mappings": true,
    "confidential-port": 0
}
5 years, 12 months
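The keycloak.json above sets "disable-trust-manager" and "allow-any-hostname" to true, which turns off certificate and hostname verification on the adapter's TLS connections to the Keycloak server, so a forged server could hand the adapter tokens. As an added example that is not part of the original post, the same adapter configuration with verification kept on: it assumes a Java keystore holding the Keycloak server's CA at the placeholder path /path/to/truststore.jks and a placeholder password.

```json
{
    "realm": "MYREALM",
    "auth-server-url": "https://my.keycloak:8443/auth",
    "ssl-required": "external",
    "resource": "MYCLIENT",
    "verify-token-audience": true,
    "credentials": {
        "secret": "REPLACE_WITH_CLIENT_SECRET"
    },
    "truststore": "/path/to/truststore.jks",
    "truststore-password": "REPLACE_WITH_TRUSTSTORE_PASSWORD",
    "use-resource-role-mappings": true,
    "confidential-port": 0
}
```

With "disable-trust-manager" and "allow-any-hostname" left at their default of false, the adapter validates the server certificate against the truststore and checks that it matches the host in "auth-server-url".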
Custom Email Attribute
by Kunal Kumar
Hi,
There are some users from a department in my company that use the one SAME
EMAIL for all its users, even though they all have their own user IDs.
But Keycloak doesn't allow different users to have the same email
address.
Is there any workaround for this? Let's say I create a custom email
attribute that connects to the mail LDAP attribute; how do I make Keycloak
recognise this custom email attribute as THE EMAIL ATTRIBUTE?
Regards,
Kunal
5 years, 12 months
Error! Failed to send email
by Kunal Kumar
Hi,
I am trying to use the Forgot Password function for my Keycloak
authentication. So I have already set Forgot Password to On in the
Login section. And I have tried to set up the configuration under Realm
> Email, where I put
Host : smtp.gmail.com
Port : 587
But when testing the connection, I keep getting the error "Error! Failed
to send email".
What could be the reason for this?
Regards,
Kunal
5 years, 12 months
Cross client authentication
by Tom Barber
Hi folks
Trying to solve a question for one of my web developers.
We have 2 apps: one which authenticates against Keycloak using SAML, and then
a GUI that uses OIDC. When a user logs into the GUI, it then performs a REST
call to the SAML-based client app.
This currently causes a 401, but as soon as I visit the SAML app and
Keycloak logs in, the REST calls work. What aren't we passing, or what config
am I missing?
Thanks
Tom
5 years, 12 months
UMA Share Resource with a User via AuthZ Client
by Christian Sandmeier
Hi All,
First of all, thanks for the great work. I have been using Keycloak in a
project for a couple of months now and really like it.
I started to try out the UMA 2.0 flow because it would be very nice to be able to share a resource with other users.
Given the following 4 steps, I don't understand why the permissions are not in the RPT token:
// Code for Steps 1 and 2 taken from here
// https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar...
// Code for Steps 3 and 4 taken from here
// https://www.keycloak.org/docs/latest/authorization_services/index.html#ob...
// Types used below come from the Keycloak authz client:
//   org.keycloak.authorization.client.AuthzClient
//   org.keycloak.authorization.client.resource.ProtectionResource
//   org.keycloak.representations.idm.authorization.*
1) Creating a Resource "Resource A" with Owner "demo"
    // Register the resource with the resource server (protection API) and
    // mark it as user-managed so that its owner can share it via UMA.
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("demo");
    resource.addScope("Scope A");
    resource = getAuthzClient().protection().resource().create(resource);
2) Creating the User Permission for User "test"
    // Acting as the owner "demo", create a user-managed permission that
    // grants the user "test" the scope "Scope A" on the resource.
    UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
    newPermission.setName("User-Managed Permission");
    newPermission.setDescription("User is allowed to access");
    newPermission.addScope("Scope A");
    newPermission.addUser("test");
    ProtectionResource protection = getAuthzClient().protection("demo", "demo");
    UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);
3) get a RPT for the User "test" for all Resources
    // Authenticate as "test" and request an RPT without naming a resource,
    // i.e. ask for every permission the server is willing to grant.
    AuthzClient authzClient = AuthzClient.create();
    AuthorizationRequest request = new AuthorizationRequest();
    AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
    String rpt = response.getToken();
4) Listing the Permissions
    // Introspect the RPT and print the permissions it carries.
    TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
    System.out.println("Token status is: " + requestingPartyToken.getActive());
    System.out.println("Permissions granted by the server: ");
    for (Permission granted : requestingPartyToken.getPermissions()) {
        System.out.println(granted);
    }
The resource and permission are saved correctly; I can read them correctly via the AuthZ client,
but now I would assume that the permission is in the RPT of the user "test".
Is this assumption maybe already incorrect and I got a bit lost? Or is there probably a
problem in my code, because the permission should be listed there?
Btw. if I skip step 2) and instead share the resource with the user in the "Keycloak -> My Account -> My Resources" page, it works. But not
with the UmaPermissionRepresentation.
Thank you in advance
Best regards,
Christian Sandmeier
5 years, 12 months
Common Clients, Client scopes, Roles among multi Realm
by Hari Prasad
Hi All,
Please let me know if there is any way to share Clients, Client Scopes and Roles
among multiple Realms.
Because I want to use a single set of Client configurations and Role configurations
among multiple Realms.
Regards
Hari Prasad
5 years, 12 months
Dynamically assign roles to user for single session
by Nikola Malenic
I have implemented different authenticators which users can choose when they
log in.
Now, I would like to assign various roles to the user based on the
authentication method the user has chosen. Those roles would be assigned to the
user only in the current session.
Is this possible to achieve? I used a mapper to put the user's decision on
the authentication method in the tokens, but how do I map this property (field) to
the specific role/roles?
Best regards,
Nikola
5 years, 12 months
Disable HTTP2 in Keycloak 4.6 container?
by Gareth Western
It looks like the WildFly server used for the Keycloak 4.6.0.Final image is
configured to use HTTP2. Is there an easy way to disable this? I think it
might be the cause of some strange behaviour in Chrome, similar to that
described here: https://issues.jboss.org/browse/KEYCLOAK-2656.
The related 'test http2' issue is pending for the Keycloak 5.x release, so
I assume Keycloak 4.x does not officially support HTTP2; is that correct?
Kind regards,
Gareth
6 years
keycloak-js: token in cookie
by Massimo Redaelli
I read here:
http://lists.jboss.org/pipermail/keycloak-user/2014-December/001389.html
that (if I understood correctly) at the time the javascript adapter didn't support returning the token in a cookie rather than in the response body.
Is that still the case?
I'm writing a SPA and I'm faced with the problem of where to store the token. Most tutorials just put it in local storage, or in a variable in memory, but I read around that this is very susceptible to XSS attacks, while using a secure, HttpOnly cookie is much safer.
What would you recommend?
Thanks
M.
6 years