Getting 'Failed to find provider' when attempting to set default SPI provider
by Jared Blashka
I'm trying to use a custom Email sender provider with keycloak 3.4.3.Final
but something isn't working correctly because keycloak fails to start up
with:
java.lang.RuntimeException: Failed to find provider serviceEmailSender for
emailSender
I'm deploying the provider via a war in the /deployments directory. I have
the factory class listed in the
META-INF/services/org.keycloak.email.EmailSenderProviderFactory file
I've added this to the keycloak-server subsystem
<spi name="emailSender">
<default-provider>serviceEmailSender</default-provider>
<provider name="serviceEmailSender" enabled="true"/>
</spi>
If I leave out the <default-provider> entry and restart the server I can
see that the init() method is called on my EmailSenderProviderFactory
implementation so as far as I can tell everything is configured correctly.
But keycloak doesn't like when I try to set this provider as the default.
Is there something I'm missing?
Jared
5 years, 11 months
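As an added illustration (not code from the original post or from Keycloak itself): the "Failed to find provider X for Y" message is raised at boot when a `<default-provider>` names an id that no loaded factory for that SPI reports from `getId()`, so the first thing to verify is that the factory's id is byte-for-byte the string in the subsystem config. The skeleton below shows a factory whose id matches the `serviceEmailSender` name used above; package and class names are assumed, and the `send` signature is the one from the 3.x `EmailSenderProvider` interface (check the interface shipped with your version).

```java
// Added example: an EmailSenderProviderFactory whose getId() matches the
// <default-provider>serviceEmailSender</default-provider> entry. Package name assumed.
package example.keycloak.email;

import java.util.Map;

import org.keycloak.Config;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
import org.keycloak.email.EmailSenderProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

public class ServiceEmailSenderProviderFactory implements EmailSenderProviderFactory {

    // Must equal the name used in the keycloak-server subsystem:
    //   <default-provider>serviceEmailSender</default-provider>
    //   <provider name="serviceEmailSender" enabled="true"/>
    public static final String PROVIDER_ID = "serviceEmailSender";

    @Override
    public EmailSenderProvider create(KeycloakSession session) {
        return new ServiceEmailSenderProvider();
    }

    @Override
    public void init(Config.Scope config) {
        // <property name="..."/> entries under <provider name="serviceEmailSender"> arrive here
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) { }

    @Override
    public void close() { }

    @Override
    public String getId() {
        return PROVIDER_ID;   // the id Keycloak compares against <default-provider>
    }

    static class ServiceEmailSenderProvider implements EmailSenderProvider {
        @Override
        public void send(Map<String, String> config, UserModel user, String subject,
                         String textBody, String htmlBody) throws EmailException {
            // Hand the message to the external mail service here (placeholder).
            // Do not log the bodies: password-reset and verification links travel in them.
        }

        @Override
        public void close() { }
    }
}
```

The fully qualified factory class name still has to be listed in `META-INF/services/org.keycloak.email.EmailSenderProviderFactory` inside the deployed WAR, exactly as the post describes.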
Admin client API - usersResource.list(offset, limit) - slowness
by Shetty, Shweta
We are seeing extreme slowness using this API, and we are still not sure what the culprit could be. We enabled more logging on the postgres side of things, thinking it could be related to keycloak – postgres slowness. Once we enabled more logging, we do see that keycloak is issuing a query like this one at a rate of about one per millisecond:
```select clientscop0_.ROLE_ID as col_0_0_ from CLIENT_SCOPE_ROLE_MAPPING clientscop0_ where clientscop0_.SCOPE_ID=$1```
This fills up the logs so that it is hard to see anything else.
This could be the cause of the problem, which could be slowing postgres down. We wanted to know if it's some configuration issue which we can optimize to overcome this issue, or if it's a known issue. Please advise.
Shweta
5 years, 11 months
Logout from IDP with Spring Keycloak adaptor
by Hylton Peimer
I have a Keycloak Security Adaptor set up with a logout URL "/sso/logout".
The user logs in to my application using an IDP, and then logs out
by POSTing to /sso/logout - they are redirected to the login page.
However, when attempting to log in again, the user doesn't need to
reauthenticate. It seems Spring doesn't log out from the IDP.
Is there a simple way to get Spring to log out from the IDP? Should I change
the logout URL?
5 years, 11 months
Custom ClaimInformationPointProvider for Spring Boot not called.
by Alexey Titorenko
Hello guys!
Can someone please help me with the following problem?
I need to configure context based access control for my REST-service, when attributes of the protected resources are pushed to Keycloak server for policy evaluation. Protected service is built on Spring Boot.
I’ve configured the system and all works fine with the OOTB Claim Information Point provider ‘claims’. But I need a custom one, and this custom CIP is not working. I see from the debug logging that the policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’, and thus never instantiates the CIP.
Below are application.properties for Spring boot and CIP config file. My custom CIP Provider has ‘document’ name. I call both /documents/- Get an
Thank you,
Alexey
application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public
keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*
keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
5 years, 11 months
Incomplete ClientRepresentation returned from /{realm}/clients REST endpoint
by John Dennis
A GET on the /{realm}/clients REST endpoint is supposed to return an
array of ClientRepresentation JSON objects. This is documented here:
https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource
According to the REST documentation
(https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresen...)
a ClientRepresentation is supposed to contain the following top level keys:
access
adminUrl
attributes
authenticationFlowBindingOverrides
authorizationServicesEnabled
authorizationSettings
baseUrl
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
defaultRoles
description
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
name
nodeReRegistrationTimeout
notBefore
optionalClientScopes
origin
protocol
protocolMappers
publicClient
redirectUris
registeredNodes
registrationAccessToken
rootUrl
secret
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins
However, when authenticated as the admin in the master realm on Keycloak
version 4.8.2.Final, a GET on /{realm}/clients returns
ClientRepresentations containing only these keys:
access
attributes
authenticationFlowBindingOverrides
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
nodeReRegistrationTimeout
notBefore
optionalClientScopes
protocol
publicClient
redirectUris
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins
This means the following keys are omitted from the ClientRepresentation.
Why?
adminUrl
authorizationServicesEnabled
authorizationSettings
baseUrl
defaultRoles
description
name
origin
protocolMappers
registeredNodes
registrationAccessToken
rootUrl
secret
As far as I can tell the documented ClientRepresentation closely matches
what is in the code here:
https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...
I believe this is the method used to return the ClientRepresentation
from the REST endpoint:
https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44...
The conversion from model to representation occurs here:
https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44...
I don't see anything which is dropping the missing keys in the returned
ClientRepresentation.
Is something filtering the result?
The context for the question arises from this: We were creating a client
via a PUT and allowing Keycloak to generate the client secret; we then
wanted to extract the client secret from the ClientRepresentation, but
it's absent. I can also understand why the client secret might be omitted
for security reasons (although I did find that it seems to replace that
value with "**********", but that's not happening either; it's just
absent). That's when we noticed it wasn't just the client secret that
was missing but 12 other keys as well.
--
John Dennis
5 years, 11 months
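As an added example (not from the original post, and not Keycloak's own code): the admin REST API exposes a client's secret through its own resource, `GET /{realm}/clients/{id}/client-secret`, which the `keycloak-admin-client` library wraps as `ClientResource#getSecret()`. The snippet below creates a confidential client and reads its generated secret from that endpoint instead of from the `ClientRepresentation`. The server URL, realm, client id and the environment variable names are placeholders.

```java
// Added example: read a generated client secret via the client-secret endpoint.
// Server URL, realm name, clientId and env var names are placeholders.
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;

public class ReadClientSecret {

    public static void main(String[] args) {
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")        // placeholder
                .realm("master")
                .clientId("admin-cli")
                .username(System.getenv("KC_ADMIN_USER"))       // keep admin credentials out of source
                .password(System.getenv("KC_ADMIN_PASSWORD"))
                .build();

        RealmResource realm = kc.realm("demo");                // placeholder realm

        ClientRepresentation rep = new ClientRepresentation();
        rep.setClientId("example-confidential-client");        // placeholder clientId
        rep.setPublicClient(false);                            // confidential: gets a secret
        rep.setServiceAccountsEnabled(true);

        String id;
        try (Response created = realm.clients().create(rep)) {
            // Throws if the server did not answer 201 (for example a duplicate clientId)
            // and otherwise extracts the new id from the Location header.
            id = CreatedResponseUtil.getCreatedId(created);
        }

        ClientResource client = realm.clients().get(id);
        CredentialRepresentation secret = client.getSecret();  // GET .../clients/{id}/client-secret

        // Handle secret.getValue() like a password: hand it to a secret store, never log it.
        System.out.println("client " + id + " secret length: " + secret.getValue().length());

        // If the secret is suspected of being exposed, rotate it server-side:
        // client.generateNewSecret() POSTs to .../client-secret and returns the new value.
    }
}
```

`ClientResource#generateNewSecret()` is the rotation call; anything that stored the old value has to be updated in the same change window, otherwise those callers start failing client authentication.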
Force certain realm users to login via IDP
by Tim Hedlund
We are looking into using an IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in a certain realm) will need to authenticate via two factor because of company policies. So I've already set up a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login.
I've tried to "Disable Credentials" for "password" for such a user, but he could still log in.
I'm thinking of a solution where we script a custom browser flow action where we check if the user is an admin and then deny him if using password.
Any thoughts or suggestions?
Regards
Tim
5 years, 11 months
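An added sketch of the kind of browser-flow check described in the post, written here as an illustration and not taken from the post or from Keycloak's sources. The `Authenticator` is meant to sit as a REQUIRED execution immediately after the Username Password Form in the browser flow: users who arrive through the identity provider never execute that form, so the check only fires on password logins, and it fails the flow when the authenticated user holds the guarded realm role. The package name and the role name `user-admin` are assumptions; a client role (for example one from `realm-management`) would need to be looked up through the client rather than `realm.getRole()`.

```java
// Added example: deny password-based login for users holding a guarded realm role.
// Package name and the role name "user-admin" are assumptions.
package example.keycloak.auth;

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class DenyPasswordForAdminsAuthenticator implements Authenticator, AuthenticatorFactory {

    public static final String PROVIDER_ID = "deny-password-for-admins";   // assumed id
    static final String GUARDED_ROLE = "user-admin";                       // assumed realm role

    // ---- Authenticator: runs after the password form has identified the user ----

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();       // set by the preceding Username Password Form
        if (user != null && hasGuardedRole(context.getRealm(), user)) {
            context.getEvent().user(user).error(Errors.NOT_ALLOWED);   // leaves an audit event
            context.failure(AuthenticationFlowError.INVALID_USER);       // generic error, no reason leaked
            return;
        }
        context.success();
    }

    static boolean hasGuardedRole(RealmModel realm, UserModel user) {
        RoleModel role = realm.getRole(GUARDED_ROLE);
        return role != null && user.hasRole(role);   // hasRole also resolves composite roles
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    // ---- AuthenticatorFactory: what the admin console shows in the flow editor ----

    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Deny password login for admins"; }
    @Override public String getHelpText() { return "Fails the flow when the user holds the guarded role."; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }

    @Override
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
    }
}
```

Register the class in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, copy the browser flow, add this execution directly after the Username Password Form, and bind the copy as the realm's browser flow. The direct-grant flow is separate and would need the same execution if password grants are enabled for the realm.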
Custom Authenticator
by Artem Grebenkin
Hi folks,
I have the following use case. There is a service which creates ("registers") a
user in keycloak over the REST API. After that I would like to log the user
in automatically. So I need some kind of link which I can return to the
browser and which will log the user in and redirect them back to some
location.
Where do I have to look? Can somebody give me some advice and some keywords?
Thanks for your help
Artem
5 years, 11 months
Expose role attributes in Keycloak javascript adapter
by Tom Barber
Hi folks,
We’ve got some attributes in the Keycloak roles. Is there a way to release
them with a user using the Javascript adapter?
Thanks
Tom
5 years, 11 months
Rest Extension?
by Craig Setera
I was in the process of creating a new REST extension per the current
developer docs at
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
, however, I noticed I had to pull in the keycloak-server-spi-private
module and also I'm seeing the following in the logs:
keycloak_1 | 22:49:44,975 WARN [org.keycloak.services] (MSC
service thread 1-1) KC-SERVICES0047: bv-user-invitation
(com.baseventure.keycloak.userinvite.rest.UserInvitationActionTokenResourceProviderFactory)
is implementing the internal SPI realm-restapi-extension. This SPI is
internal and may change without notice
Should this have me concerned about the long term viability of this feature?
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 11 months
OWASP check
by Ondrej Scerba
Hi,
The latest Keycloak version (4.8.3.Final) contains several potential security issues related to the jackson-databind library. All issues should be resolved when you update jackson-databind to version 2.9.8 or higher.
Could you please fix it?
Thanks,
Ondrej
5 years, 11 months