Domain per Realm
by Peter S
I'm currently using several realms. Is there any way at all (or was it ever
asked) to have the ability to set up a realm on a completely different domain?
My services are domain based hence redirect to master domain for signin is
somewhat out of sync with the experience.
Peter
5 years, 11 months
Keycloak non-interactive SAML login
by Tom Barber
Hi folks,
I have 2 apps, the UI which is authenticated using the Keycloak NodeJS OIDC
connector and provides a user UI login. This works fine.
Then I have a Java based app that is legacy and uses the Spring SAML
connector and when you go to its UI Keycloak also logs you in fine, but
we’re trying to connect to its API without a user having to manually open
its landing page to login.
When you try and use a service on the Java app having authenticated on the
client app you get:
Note: Since your browser does not support JavaScript, you must press the
Continue button once to proceed.
In the javascript console. Both these apps are in the same realm. Is there
anything I’m missing on the Keycloak side I can do to resolve this issue or
do I have to find the Java code and jump in with two feet there?
Thanks
Tom
5 years, 11 months
Keycloak Integration with SAML+ADFS+Tomcat
by Sandeep Muddamsetty
Hi,
I need assistance in setting up SSO for my Tomcat application using Keycloak. Can anyone advise me on this? Actually, my requirement is to use SAML, which should redirect to my Tomcat application after successful authentication of my ADFS. Can anyone suggest a good workaround for this or any documentation?
Thanks in advance.
Thanks,
Sandeep
5 years, 11 months
Keycloak - Email-verify Issue
by Parth Kakadiya
I am working with a JHipster-built application where we authenticate via Keycloak (version 4.4.0 final).
During email verification, I receive an email with a confirmation link to confirm the email. In a few situations the verification link is not working. Below I have mentioned the steps that I did and the problems.
Steps:
1. Registration with chrome
2. Get mail for email verification
3. Close the chrome and restart
4. Try to use verification link
Problem:
1. If I close the current browser window, open the link in a private window, or open the link in a different browser, the link is not working anymore.
Cause of the problem:
This problem occurs because of the cookies that Keycloak creates during registration: AUTH_SESSION_ID and KC_RESTART.
Because when I close the browser window these cookies are no longer in the browser.
If I try to use the verification link in the same browser window that I used for registration, then it works fine, because those two cookies are stored in this browser window.
5 years, 11 months
keycloak-gatekeeper and token refresh
by Alex Chatziparaskewas
Hi All,
We are using keycloak-gatekeeper to secure some server side application, however, we are having troubles with refreshing its access token.
Keycloak-gatekeeper stores its access/refresh tokens in server side cookies (kc-access / kc-state). Information about the access token can be obtained via the /oauth/token service.
I have now added logging to the client to show for how long the access token is valid. What I see: the number is slowly getting negative, /oauth/expired even says that the access token is expired. Regardless of the 'enable-refresh-tokens' setting, the access token is not refreshed by the keycloak-gatekeeper. Instead after some additional time - the expiry time long showing negative numbers, maybe once the refresh token is also almost expired - the application is delegated to the login sequence at which time (the refresh token still seems to be valid) a new access token is created and the application ends up on its 'home screen'.
Question: how to explicitly ask keycloak-gatekeeper to refresh the access token? As the access token is kept in some server side cookie keycloak-gatekeeper must do this.
Thanks & Regards,
Alex
5 years, 11 months
Add dynamically resolved token claim
by Vagelis Savvas
Hello,
I have an authenticator script and a mapper script and I would like to
attach a piece of information
during login in the authenticator script then retrieve it in the mapper
script and set it as a token claim.
(background: this piece of information originates from an extra input
field of a custom login page and
I want it to appear in the user's access token in order to differentiate
users based on it).
So, I can't use the user object to attach my info because it's not fully
reliable.
What would work best is to use an object that is unique per
authentication session and available in both scripts.
The user object is both unique and available but is also a singleton.
Thus I've tried via keycloakSession.setAttribute('myInfo', value) in
auth script and then keycloakSession.getAttribute('myInfo')
in mapper script but it doesn't work (why isn't the keycloakSession
object the same in the two scripts?).
I've also tried in auth script
authenticationSession.setUserSessionNote('myInfo',value) and then
userSession.getNote('myInfo')
in mapper script but it doesn't work as well.
Any further ideas on how to solve this in a reliable way?
Cheers,
Vagelis
5 years, 11 months
Timeout value for DEFAULT cache policy
by Chandrashekhar, Nithin
Hello,
1. What is the timeout value for DEFAULT cache policy under user federation?
2. How can this DEFAULT value be configured?
Thanks
Nithin
5 years, 11 months
how to access user details.
by Khyati Kataria
Hi,
Is there a way to retrieve the last login time of a given user? I
would like to store some other user attribute like last successful
login time, login attempts, user name etc.
Please let me know best possible way to fulfill this requirement.
Thanks in advance.
Regards,
Khyati
5 years, 11 months
configure keycloak nbf value in jwt token
by Xiaoling Chen
Hi,
I am trying to use Keycloak as our authentication server in Google Cloud Endpoints. But it looks like Google Cloud Endpoints requires nbf > 0. In the JWT token I get from Keycloak, the nbf is always 0. Is there a way I can configure the nbf value in the Keycloak JWT token? I searched the documentation and the internet but did not get any result.
Thanks in advance
Xiaoling
5 years, 11 months
Error controller is not invoked if authentication failed
by Aliaksei Lahachou
Hello,
I'm migrating our application from Spring Boot 1.5.19 / Keycloak 3.4.3 to
Spring Boot 2.1.2 / Keycloak 4.8.3.
I'm currently facing the problem that if authentication fails (invalid
token), the error controller is not invoked (BasicErrorController by
default).
The reason is that when authentication fails, the request is redirected to
error controller, and the security filters are invoked again. Because the
authorization header is still there, KeycloakAuthenticationProcessingFilter
fails again.
In older versions of Spring Boot / Keycloak security filters are not
invoked after request is redirected to error controller. Basic
authentication works as expected in both old and new versions, seemingly
because BasicAuthenticationFilter extends OncePerRequestFilter, which skips
filter for error URI (skipDispatch method).
I created example applications with tests that reproduce the problem, see
[1] and [2]. Am I missing some configuration? Or is this a bug?
[1] https://github.com/htfv/examples/tree/master/spring-boot-1-keycloak
[2] https://github.com/htfv/examples/tree/master/spring-boot-2-keycloak
Regards,
Aliaksei
5 years, 11 months