Re: [keycloak-user] Configuring Admin Access Control or realm-management client role for LDAP user in keycloak via imported realm.json configuration
by kapil joshi
On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001(a)gmail.com>
wrote:
> Hi Marek,
>
>
> Thanks for the reply, actually we see one ldaprealm.json in the LDAP
> integration with keycloak example. But even there we saw entries only for
> role-ldap-mapper.
>
> Can someone in your team provide a sample for hardcoded-ldap-mapper?
>
> Thanks
> Kapil
>
>
> On 31 Jan 2019 17:21, "Marek Posolda" <mposolda(a)redhat.com> wrote:
>
> I am not sure about the JSON format from the top of my head. I suggest
> creating things manually in the admin console, then exporting to JSON, so you
> can see the proper JSON format. See the Keycloak documentation for
> Export/Import for more details.
>
> Marek
>
> On 31/01/2019 07:19, kapil joshi wrote:
>
> Hi Marek,
>
> I was trying to import realm.json which contains the following entry, to
> include hardcoded-ldap-mapper in keycloak, for realm-management role of
> manage-users, but it's failing to import. Can you give us a small example of
> such an entry in realm.json which we can follow?
>
> // snippet of realm.json
>
>   {
>     "name": "administrator",
>     "federationMapperType": "hardcoded-ldap-role-mapper",
>     "federationProviderDisplayName": "ldap",
>     "subComponents": {},
>     "config": {
>       "role": [
>         "realm-management.manage-users"
>       ]
>     }
>   }
>
>
> Thanks
> Kapil
>
> On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001(a)gmail.com>
> wrote:
>
>> Hi Marek,
>>
>> First of all thanks for your response, it works!!! I tried mapping a
>> client role (i.e. realm-management roles), a few observations:
>> 1) I was not able to save the configuration; I was getting the attached
>> error message below.
>> [image: image.png]
>>
>> But then I saw there is already a bug filed on this issue.
>> So I applied the workaround, and was able to get the client role added for
>> the LDAP imported user.
>>
>> Thanks again,
>> Kapil
>>
>>
>>
>> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda(a)redhat.com>
>> wrote:
>>
>>> Yes, this should be doable with hardcoded-ldap-role-mapper if I
>>> understand your use-case correctly (See tab "mappers" in the admin console
>>> when you're on the page with the details of LDAP provider).
>>>
>>> Marek
>>>
>>> On 28/01/2019 10:24, kapil joshi wrote:
>>>
>>> Hi All,
>>>
>>> Can we assign realm-management client roles for users imported from LDAP in
>>> Keycloak?
>>> Currently we are trying to set up LDAP based user federation by
>>> importing a realm.json, configured with LDAP related configuration. I have
>>> attached it to this email.
>>> Basically the requirement is that when we login to the client using the LDAP
>>> credentials, the user should be able to access the user-management and
>>> view-realm client (i.e. accessing the admin console) from the client side.
>>>
>>> Thanks
>>> Kapil
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user@lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>
>
5 years, 11 months
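A hardcoded LDAP role mapper grants its role to every user the provider imports, so a mapper that hands out a realm-management role (as in the snippet discussed in this thread and in the re-sent copy of it further down) is effectively a realm-wide admin grant. The script below is an added example, not code from the thread or from Keycloak: it lists such grants in a realm export. The component key names follow the layout of Keycloak realm exports as an assumption to confirm against an export from your own server (which is what Marek suggests), and the sample export is constructed.

```python
import json

# Component keys used by Keycloak realm exports for user storage providers and
# their LDAP mappers (assumption; confirm against an export from your server).
USER_STORAGE_KEY = "org.keycloak.storage.UserStorageProvider"
LDAP_MAPPER_KEY = "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"

# Constructed sample export, not taken from the thread.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "demo",
    "components": {USER_STORAGE_KEY: [{
        "name": "ldap",
        "providerId": "ldap",
        "config": {"connectionUrl": ["ldap://ldap.example.test:389"]},
        "subComponents": {LDAP_MAPPER_KEY: [
            {"name": "administrator",
             "providerId": "hardcoded-ldap-role-mapper",
             "config": {"role": ["realm-management.manage-users"]}},
            {"name": "everyone",
             "providerId": "hardcoded-ldap-role-mapper",
             "config": {"role": ["offline_access"]}},
        ]},
    }]},
})

def hardcoded_roles(realm_json):
    """List (provider, mapper, role) for every hardcoded-ldap-role-mapper.

    A hardcoded role mapper grants its role to every user the LDAP provider
    imports, so each entry is a provider-wide grant, not a per-user one.
    """
    realm = json.loads(realm_json)
    found = []
    for provider in realm.get("components", {}).get(USER_STORAGE_KEY, []):
        mappers = provider.get("subComponents", {}).get(LDAP_MAPPER_KEY, [])
        for mapper in mappers:
            if mapper.get("providerId") != "hardcoded-ldap-role-mapper":
                continue
            for role in mapper.get("config", {}).get("role", []):
                found.append((provider["name"], mapper["name"], role))
    return found

def admin_grants(realm_json):
    """Subset of hardcoded grants that target the realm-management client
    (client roles are written as "<client-id>.<role>", as in the thread)."""
    return [g for g in hardcoded_roles(realm_json)
            if g[2].startswith("realm-management.")]
```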
GSS Credential delegation works for Internet Explorer but not for Chrome?
by Chris Smith
I have Keycloak set up to authenticate to an Active Directory domain using LDAP/Kerberos.
I have set Windows Internet options for SSO.
Both Internet Explorer and Chrome successfully perform authentication.
I have a requirement for a delegated GSSCredential and have configured Keycloak and my Active Directory domain controller to perform this task.
When I run my web app using Internet Explorer as my browser, in the servlet I successfully get a delegated GSSCredential from the access token.
When I run my web app using Chrome as my browser, in the servlet I fail to get a delegated GSSCredential from the access token.
Why the difference, and what do I need to set to allow Chrome to be used as a fully supported browser?
5 years, 11 months
When realm count reaches around 470, Keycloak basically becomes unstable
by Kamal Mettananda
Hi all
We have Keycloak 4.8.1.Final deployed on a k8s cluster with two
nodes with default settings. The backend database is PostgreSQL.
We are increasing the number of realms in Keycloak to figure out if
Keycloak can support a larger number of realms; these creations are done
sequentially.
However, when the number of realms reaches around 470, it makes Keycloak
basically unusable, with the admin GUI not loading at all and requests taking
too long to execute.
Below is a summary of the time taken. We have not added any users into the
realms.
+--------------+----------+------------+------------+------------+
| Operation | 0 realms | 100 realms | 250 realms | 350 realms |
+--------------+----------+------------+------------+------------+
| Create realm | 1104 | 3739 | 8659 | 11535 |
| Get realm | 128 | 961 | 3067 | 3853 |
| Get token | 636 | 1159 | 2714 | 3197 |
| Get roles | 127 | 1037 | 3034 | 3649 |
+--------------+----------+------------+------------+------------+
Are there any known limitations or an optimal number of realms for a
Keycloak deployment?
Thanks
5 years, 11 months
OAuth2 extensions - oob vs oob:auto
by David North
Hi,
I am working on a desktop application which wants to access various APIs
secured by OAuth2 using Keycloak.
The workflow I am trying to support is that the application will show an
embedded browser widget with the Keycloak login page, and once the user
is logged in, my application will extract the OAuth token and use it.
I don't want my application to have to listen on a local port and use a
redirect URI of http://localhost:port, so the OAuth extension which
allows a redirect URI of urn:ietf:wg:oauth:2.0:oob:auto seems ideal.
The documentation at https://www.keycloak.org/docs/4.0/securing_apps/
says Keycloak only supports the urn:ietf:wg:oauth:2.0:oob variant, where
the user has to copy/paste the code manually into the app. However,
confusingly the documentation also claims:
"When this redirect uri is used Keycloak displays a page with the code
in the title and in a box on the page."
The code is not in the title (which just says "Success code") - if it
were then it would be easy for my application to extract, and the
behaviour would be equivalent to urn:ietf:wg:oauth:2.0:oob:auto
Would there be any objection to a bug and patch to:
* Treat urn:ietf:wg:oauth:2.0:oob:auto as an alias for
urn:ietf:wg:oauth:2.0:oob
* Put the code in the page title as well as a box on the page?
Thanks,
David
5 years, 11 months
keycloak bearer token error - Didn't find publicKey for specified kid
by Subodh Joshi
Hi
I have configured keycloak 4.5 with Wildfly (with a load balancer) and am able to get
the token, but when I use that token to get a response from the REST
service I get the error below:
------------------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>
------------------------------------------------------------------------
Can anyone help me here please with what configuration I am missing? I have been
struggling for so many days to solve this problem but couldn't get any
solution.
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
5 years, 11 months
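The 401 above means the adapter could not match the kid in the token header with any key the realm publishes; behind a load balancer that commonly comes down to the token being minted by a different realm or server than the one the adapter trusts, or to the adapter holding a stale key set. The diagnostic below is an added example, not code from the thread or from Keycloak; the issuer URL and key set are constructed stand-ins, and it decodes the token without verifying it, so it is an operator's hint and not a trust decision.

```python
import base64
import json

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_token(header, payload):
    """Constructed token with a dummy signature, for the diagnosis only."""
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(parts + [_b64url_encode(b"not-a-real-signature")])

# Constructed stand-ins for the realm's issuer URL and its published key set
# (the JWKS a Keycloak adapter fetches from the realm's certs endpoint).
REALM_ISSUER = "https://sso.example.test/auth/realms/demorealm"
REALM_JWKS = {"keys": [{"kid": "key-2019", "kty": "RSA", "use": "sig"}]}

def diagnose_kid(token, jwks, expected_issuer):
    """Classify a token that an adapter rejects with an unknown kid.

    Only the header and claims are decoded; nothing here verifies the
    signature, so the result is a hint for the operator, not a trust decision.
    """
    head, body = token.split(".")[:2]
    kid = json.loads(_b64url_decode(head)).get("kid")
    issuer = json.loads(_b64url_decode(body)).get("iss")
    published = {k["kid"] for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"}
    if kid in published:
        return "kid-published"    # lookup should work; the 401 has another cause
    if issuer != expected_issuer:
        return "issuer-mismatch"  # minted by a realm/server the adapter does not trust
    return "kid-unknown"          # realm rotated keys or the adapter's key cache is stale

def demo():
    """Run the three cases an operator usually meets with this error."""
    good = make_test_token({"alg": "RS256", "kid": "key-2019"}, {"iss": REALM_ISSUER})
    other = make_test_token({"alg": "RS256", "kid": "key-master"},
                            {"iss": REALM_ISSUER.replace("demorealm", "master")})
    stale = make_test_token({"alg": "RS256", "kid": "key-2017"}, {"iss": REALM_ISSUER})
    return [diagnose_kid(t, REALM_JWKS, REALM_ISSUER) for t in (good, other, stale)]
```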
Re: [keycloak-user] Configuring Admin Access Control or realm-management client role for LDAP user in keycloak via imported realm.json configuration
by kapil joshi
Hi Marek,
I was trying to import realm.json which contains the following entry, to
include hardcoded-ldap-mapper in keycloak, for realm-management role of
manage-users, but it's failing to import. Can you give us a small example of
such an entry in realm.json which we can follow?
// snippet of realm.json

  {
    "name": "administrator",
    "federationMapperType": "hardcoded-ldap-role-mapper",
    "federationProviderDisplayName": "ldap",
    "subComponents": {},
    "config": {
      "role": [
        "realm-management.manage-users"
      ]
    }
  }

Thanks
5 years, 11 months
[i18n] Time units in e-mails sent by Keycloak
by Rodrigo Leme
Hi people,
We are currently using an i18n e-mail theme (to Brazilian Portuguese,
pt_BR), but we noticed that a few portions of the e-mails sent by
Keycloak cannot be internationalized, as in the sample below:
"Seu administrador acaba de solicitar que você atualize sua conta
FEPAS-CARDSE executando as seguintes ações: *Verify Email*. Clique no
link abaixo para iniciar este processo.
Link para a atualização da conta
Este link irá expirar dentro de *12 hours*.
Se você não sabe que seu administrador solicitou isso, apenas ignore
esta mensagem e nada será alterado."
According to the text above, the time was not internationalized ("12
hours"), nor the action ("Verify Email"). We added the asterisks
here for clarification purposes only.
In Portuguese, the displayed texts should be "12 horas" and "Verificar
email".
Is somebody aware of any method to fully internationalize the emails,
including the mentioned passages?
We even issued a bug report in Keycloak's JIRA
(https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily
rejected by devs.
Best regards,
Rodrigo Lem
5 years, 11 months
Logo for customized theme
by Amritha Amarnath
Hello,
How do I add a logo to a customized theme for my application? I have set parent=keycloak in theme.properties for the customized theme.
I need the source to look like the one below:
<body>
  <div class="login-pf-page atcard ">
    <div id="kc-header" class="login-pf-page-header">
      <div><img src="/auth/......./img/logo.png" alt=""></div>
      <div id="kc-header-wrapper" class="">{product name}</div>
    </div>
  </div>
</body>
But currently I am getting the source as:
<body class="">
  <div class="login-pf-page">
    <div id="kc-header" class="login-pf-page-header">
      <div id="kc-header-wrapper" class="">{product name}</div>
    </div>
</body>
--
With regards,
Amritha Amaranath
5 years, 11 months
User sessions in DB
by Lukasz Lech
Hello,
I'm using the Keycloak docker image for 4.8.1.
I have logged in users, but in the DB I see no entries in user_session.
Additionally, after the server has run for some time, I've got an NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to the Sessions position in the menu in the Admin Console.
Are there any issues with the JPA cache?
Best regards,
Lukasz Lech
5 years, 11 months
Accessing Admin Console from client application without logging in
by kapil joshi
Hi All,
In our product, we are using keycloak.js adapter. We are receiving access
and refresh token from 3rd party server. We store these tokens in our
instance variables and update keycloak.js variables explicitly as shown
below:
let tokenStr = this.someService.tokenString;
console.log('token is ' + tokenStr);
let keycloakInstance = this.keycloakAngular.getKeycloakInstance();
if (tokenStr) {
  // cancel the adapter's pending refresh timer before replacing the token
  if (keycloakInstance['tokenTimeoutHandle']) {
    clearTimeout(keycloakInstance['tokenTimeoutHandle']);
    keycloakInstance['tokenTimeoutHandle'] = null;
  }
  // mirror what setToken() in keycloak.js does with a fresh access token
  keycloakInstance.token = tokenStr;
  keycloakInstance.authenticated = true;
  this.authenticated = true;
  keycloakInstance.tokenParsed = this.decodeToken(tokenStr);
  keycloakInstance.subject = keycloakInstance.tokenParsed.sub;
  keycloakInstance.realmAccess = keycloakInstance.tokenParsed.realm_access;
  keycloakInstance.resourceAccess =
    keycloakInstance.tokenParsed.resource_access;
  this.roles = await this.keycloakAngular.getUserRoles(true);
}
This code is actually taken from the setToken() API of keycloak.js and we
have just replicated it in our custom code, so that we can make use of the
keycloak.js adapter variables and methods.
The problem is that when we try to access the account-management UI, it takes
the user to the login screen, which we want to avoid.
We are not able to find out the reason behind this. When we login to
the application and then try accessing the account management URL, it renders the
account management page seamlessly.
It would be great if there is a solution to render the account management UI
when we update the tokens programmatically into the keycloak.js adapter
variables.
Let me know if we are doing anything wrong, or of workarounds to fix this issue.
Thanks
Kapil
5 years, 11 months