Has anyone installed keycloak using snap or juju
by Chris Smith
I created a new Ubuntu 18.10 Server VM.
During install it had a step about installing common snaps. Keycloak was one of them.
I selected it and I have no idea about how or where it installed keycloak or how to start keycloak.
I'm dubious as to its usefulness as Java did not get installed.
Googling has informed me a bit about snapd (snappy) and juju, but my attempts at using them were futile.
Are snap and juju based installation packages still half baked?
5 years, 11 months
Access user attributes in terms.ftl
by Sidney Beekhoven
Hello everyone,
I am trying to access the user attributes in a custom theme that I am developing. Under theme_folder/login/terms.ftl I want to access some of the user attributes to display the respective Terms and Conditions for each user. Somehow user is always null in terms.ftl.
If I look in the source code where the freemarker template is processed I don’t see the user being set as a freemarker model attribute, so I guess it is not possible to access the user(’s attributes) from a required action template.
Does anyone know of any way to reach the user attributes in terms.ftl?
Best regards,
Sidney Beekhoven
5 years, 11 months
Re: [keycloak-user] kcadm update client seems to ignore defaultClientScopes
by Marek Posolda
Yes, there are a few places where there are inconsistencies between
creates and updates. And yes, there is a plan to improve the admin REST API in
the future and hopefully remove such inconsistencies.
Thanks,
Marek
On 18/01/2019 05:38, Matt Evans wrote:
> Hi Marek
>
> I took your advice and looked at what the console does. It seems that
> you have to individually PUT or DELETE each client scope in the
> defaultClientScopes and optionalClientScopes.
>
> e.g. PUT /clients/<client id>/defaultClientScopes/<scope id>
>
> I tried to PUT to the /clients/<client id>/defaultClientScopes
> endpoint to set all the default client scopes in one go but the method
> is not allowed.
>
> We currently have our clients deployed using ansible calling kcadm
> with the json template, this works well for creating new clients, the
> default client scopes are set correctly, but the update of an existing
> client template ignores them if they are specified in the json.
>
> Whilst we can add more code to extract the scopes from the template
> and individually call DELETE or PUT to adjust them it seems overly
> complicated. I guess for now we will delete and create the whole
> client if we need to update them.
>
> Are there plans to improve this in the future? It seems inconsistent
> that the rest endpoint for the client just ignores those properties
> for updates, but accepts them for creates.
>
> Thanks
>
> Matt
>
>
> On Thu, 17 Jan 2019 at 22:20, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> There are separate REST API operations for add/remove default client
> scope or optional client scope. I suggest trying the admin console in a
> browser and inspecting the REST request which the admin console does for
> add/remove client scopes for a client. This may show you what the REST
> request looks like and you should be able to "translate" this into the
> proper format for kcadm then.
>
> Marek
>
> On 17/01/2019 05:27, Matt Evans wrote:
> > Has anyone noticed that updating a client using kcadm seems to ignore the
> > defaultClientScopes property?
> >
> > /opt/keycloak/bin/kcadm.sh update
> > clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
> > 'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
> > --server http://localhost:8080/auth --realm master --user admin --client
> > admin-cli --password xxxx
> >
> > We can update other properties ok, e.g. name, client id, redirectUris all
> > update ok, but defaultClientScopes doesn't change. Also I think
> > optionalClientScopes doesn't change either.
5 years, 11 months
kcadm update client seems to ignore defaultClientScopes
by Matt Evans
Has anyone noticed that updating a client using kcadm seems to ignore the
defaultClientScopes property?
/opt/keycloak/bin/kcadm.sh update
clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
--server http://localhost:8080/auth --realm master --user admin --client
admin-cli --password xxxx
We can update other properties ok, e.g. name, client id, redirectUris all
update ok, but defaultClientScopes doesn't change. Also I think
optionalClientScopes doesn't change either.
5 years, 11 months
Create initial access token from command line
by Puneeth M I
Hi,
I want to create an initial access token with expiration=60 seconds and
count=1 from the command line using admin-cli through the kcadm.sh script or a curl
command and share it with the clients so they can register (create clients) themselves
at Keycloak. I am using the following curl command as per the Keycloak
documentation but I am getting a 401 Unauthorized error. I can create an initial
access token from the admin console but I don't want to expose it. Please let
me know how to generate an InitialAccessToken from the CLI to register a
client.
# curl -i -H 'Content-Type: application/json' -X POST http://<keycloak-IP>:<port>/auth/admin/realms/master/clients-initial-access -d "client_id=admin-cli&grant_type=password&username=admin&password=admin"
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 0
Date: Tue, 15 Jan 2019 09:16:07 GMT
I am able to register a client using the access token obtained from the below
command but I cannot control the number of client registrations.
# curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X POST http://<keycloak-ip>:<port>/auth/realms/master/protocol/openid-connect/token -d "client_id=admin-cli&grant_type=password&username=admin&password=admin"
HTTP/1.1 200 OK
Connection: keep-alive
Cache-Control: no-store
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
Pragma: no-cache
Content-Type: application/json
Content-Length: 1848
Date: Tue, 15 Jan 2019 06:37:47 GMT
{"access_token":"eyJhbGciOiJSUzI1NiIs....","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOi.....","token_type":"bearer","not-before-policy":0,"session_state":"7af01cbb-f268-4263-bed2-c11a14008949","scope":"email profile"}
I am using Keycloak - Version *4.5.0* in standalone-HA mode.
Regards,
Puneeth
5 years, 11 months
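An added example serving both the kcadm/defaultClientScopes thread above and this initial-access-token question; it is editor-written code, not the posters' and not Keycloak's own tooling. It does what the admin console does for scopes (one PUT or DELETE per client scope, after reading the current lists) and obtains the admin bearer token before calling the admin endpoint, which is the step the 401 above is missing. The endpoint paths and the admin-cli password grant are assumptions matching the Keycloak 4.x admin REST API as discussed in the posts; the FakeKeycloak class is a constructed stand-in so the code runs offline, and it reproduces the 401 for an admin call without a bearer token.

```python
# Added example (not the thread's or Keycloak's code). Reconciles a client's
# default/optional client scopes one PUT/DELETE at a time, since the collection
# cannot be PUT as a whole, and mints a count=1/expiration=60 initial access
# token, which needs an admin bearer token: posting admin credentials as a form
# body to the admin URL is what produced the 401 above. Assumed Keycloak 4.x
# admin REST paths; `base` carries the /auth prefix (e.g. http://host:8080/auth).
import json
import urllib.parse
import urllib.request


def http_json(method, url, body=None, token=None, form=False):
    """Real transport over urllib. Returns (status, decoded JSON body or None)."""
    headers, data = {}, None
    if body is not None:
        data = (urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
        headers["Content-Type"] = ("application/x-www-form-urlencoded" if form
                                   else "application/json")
    if token:
        headers["Authorization"] = "Bearer " + token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def admin_token(base, username, password, transport=http_json):
    """Password grant on admin-cli in the master realm, i.e. what kcadm does."""
    status, body = transport(
        "POST", f"{base}/realms/master/protocol/openid-connect/token",
        {"client_id": "admin-cli", "grant_type": "password",
         "username": username, "password": password}, form=True)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    return body["access_token"]


def plan_scope_changes(current_ids, desired_ids):
    """Pure diff: (ids to add, ids to remove), sorted so the call order is stable."""
    current, desired = set(current_ids), set(desired_ids)
    return sorted(desired - current), sorted(current - desired)


def sync_client_scopes(base, realm, client_uuid, token, desired, transport=http_json):
    """Make the client's lists equal desired = {"default": [...], "optional": [...]}.
    All DELETEs run before any PUT so a scope moving between the two lists is
    never momentarily in both. Returns the (method, url) calls made."""
    plans, calls = {}, []
    for kind in ("default", "optional"):
        url = f"{base}/admin/realms/{realm}/clients/{client_uuid}/{kind}-client-scopes"
        status, current = transport("GET", url, token=token)
        if status != 200:
            raise RuntimeError(f"GET {url} returned {status}")
        plans[url] = plan_scope_changes([s["id"] for s in current], desired.get(kind, []))
    for method, which in (("DELETE", 1), ("PUT", 0)):
        for url, plan in plans.items():
            for scope_id in plan[which]:
                status, _ = transport(method, f"{url}/{scope_id}", token=token)
                if status not in (200, 204):
                    raise RuntimeError(f"{method} {url}/{scope_id} returned {status}")
                calls.append((method, f"{url}/{scope_id}"))
    return calls


def create_initial_access_token(base, realm, token, count=1, expiration=60,
                                transport=http_json):
    """Mint an initial access token to hand to a registering client."""
    status, body = transport(
        "POST", f"{base}/admin/realms/{realm}/clients-initial-access",
        {"count": count, "expiration": expiration}, token=token)
    if status not in (200, 201):
        raise RuntimeError(f"clients-initial-access returned {status}")
    return body["token"]


class FakeKeycloak:
    """Constructed in-memory stand-in so the example runs offline. It mirrors only
    what is used above: the password grant, 401 on admin URLs without a bearer
    token, and per-scope PUT/DELETE where PUT moves a scope between the lists."""
    ADMIN_TOKEN = "fake-admin-token"

    def __init__(self, default_ids, optional_ids):
        self.lists = {"default": set(default_ids), "optional": set(optional_ids)}

    def __call__(self, method, url, body=None, token=None, form=False):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {"access_token": self.ADMIN_TOKEN, "expires_in": 60}
        if token != self.ADMIN_TOKEN:
            return 401, None
        if url.endswith("/clients-initial-access"):
            return 201, {"token": "fake-initial-access-token", **body}
        for kind in ("default", "optional"):
            _, sep, rest = url.partition(f"/{kind}-client-scopes")
            if not sep:
                continue
            store = self.lists[kind]
            other = self.lists["optional" if kind == "default" else "default"]
            if method == "GET":
                return 200, [{"id": s, "name": s} for s in sorted(store)]
            scope_id = rest.lstrip("/")
            if method == "PUT":
                other.discard(scope_id)
                store.add(scope_id)
                return 204, None
            if method == "DELETE":
                store.discard(scope_id)
                return 204, None
        return 404, None
```

Against a real server, call the same functions with the default transport, for example sync_client_scopes("http://localhost:8080/auth", "therealm", client_uuid, admin_token("http://localhost:8080/auth", "admin", pw), {"default": [...], "optional": [...]}), passing scope ids (UUIDs), not scope names. Two operational points: the admin token from the password grant is short-lived (expires_in is 60 in the response above), so mint it and use it in one run rather than caching it; and the initial access token is a bearer secret that lets whoever holds it register a client until count is exhausted or it expires, so deliver it to the registering party out of band and keep count and expiration as small as the workflow allows.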
keycloak security proxy does not proxy to external application url
by Dimitris Charlaftis
Hello,
I have built the architecture shown in the attached image.
Step 1. A client authentication request reaches the keycloak security
proxy docker container
Step 2. Proxy asks the actual keycloak server docker container
Step 3. Keycloak Server asks an external LDAP for user credentials
Step 4. Keycloak server replies OK
Step 5. Keycloak proxy replies OK and passes control to the external
application url.
THE PROBLEM IS that after successful authentication, the url of the host
server (i.e. where the keycloak proxy container and keycloak
authentication container lie) appears on the address bar of the browser
instead of the actual external application url.
For example, if the host machine where the keycloak containers lie is
keycloak.containers.gr, and the external application domain name is
www.external.application.gr, then, after a SUCCESSFUL login to the
keycloak SSO login page, the url in the address bar appears to
be http://keycloak.containers.gr instead of http://www.external.application.gr.
This fact destroys all the relative css, js scripts, etc, attached to the site
www.external.application.gr.
KEYCLOAK SECURITY PROXY CONFIGURATION
{
  "target-url": "http://www.external.application.gr",
  "bind-address": "0.0.0.0",
  "send-access-token": true,
  "http-port": "8180",
  "https-port": "8443",
  "applications": [{
    "base-path": "/",
    "adapter-config": {
      "realm": "internal_applications",
      "auth-server-url": "http://keycloak.containers.gr:8202/auth",
      "resource": "test_app",
      "ssl-required": "external",
      "credentials": {
        "secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
      }
    },
    "constraints": [{
      "pattern": "/*",
      "authenticate": true
    }],
    "proxy-address-forwarding": true
  }]
}
I use a proxy.json for the keycloak security proxy configuration
NOTE: I have tried to change the "bind-address": "0.0.0.0" parameter,
from 0.0.0.0 to the IP of the www.external.application.gr but with no
luck...
please... any help??
Thank you!!
Dimitris
--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis(a)ekt.gr
_____________________________
5 years, 11 months
gatekeeper and multiple realms per subdomain
by Clint Shuman
I have a multi-tenant application that has a keycloak realm per subdomain. Is there a recommended way to configure keycloak-gatekeeper for such a setup? Is there an interface that I could implement to dynamically select a keycloak realm given the subdomain of the origin?
Thanks,
Director of Systems Architecture
REPAY
Telephone:404.637.1680
Customer Service:
877.607.5468
Email:cshuman@repay.com
Web:www.repay.com
5 years, 11 months
Kerberos Credential Delegation
by Chris Smith
I have a web app that is secured by KC and uses Active Directory to authenticate users.
I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
SSO/EIM is successfully setup on the IBM i.
My Web app is following the instructions at
https://www.keycloak.org/docs/latest/server_admin/index.html#credential-d...
My servlet code
import java.util.Map;
import org.ietf.jgss.GSSCredential;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.representations.AccessToken;
// Principal installed by the Keycloak Tomcat adapter valve
KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>) request.getUserPrincipal();
AccessToken at = kcp.getKeycloakSecurityContext().getToken();
String username = at.getPreferredUsername();
System.out.println(at.getName());
wtr.append("Windows User: ").append(username).append('\n');
// Retrieve the serialized Kerberos credential from the access token's extra claims and deserialize it.
// The claim only exists if the client has the "gss delegation credential" mapper and the browser delegated a ticket.
Map<String, Object> otherClaims = at.getOtherClaims();
String otherClaim = (String) otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);
The otherClaims map is always empty.
KerberosSerializationUtils.deserializeCredential(otherClaim); throws this exception since otherClaim is null;
org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
at testing.LogIn.doGet(LogIn.java:71)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Kerberos delegation is enabled in the browser, and so is the mapping of the gss credential to the access token.
What am I missing?
5 years, 11 months
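An added diagnostic for the empty otherClaims map above, written by the editor and not code from the post or from Keycloak: decode the access token's payload and check whether the GSS delegation claim is in it at all, which separates "the mapper never put it in the token" from "the servlet cannot read it". The claim name is what I take KerberosConstants.GSS_DELEGATION_CREDENTIAL to be and is marked as an assumption in the code; make_unsigned_token only fabricates JWS-shaped test input, and nothing here verifies a signature.

```python
# Added example, not from the post or from Keycloak. Inspects (without verifying)
# the payload of an access token to see whether the GSS delegation credential
# claim is present, i.e. whether otherClaims.get(...) in the servlet can ever be
# non-null. Assumption: KerberosConstants.GSS_DELEGATION_CREDENTIAL equals the
# string below. Debugging aid only; never treat an unverified token as trusted.
import base64
import json

GSS_DELEGATION_CREDENTIAL = "gss_delegation_credential"   # assumed constant value


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Payload of a compact JWS (header.payload.signature) as a dict, unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def gss_credential_status(token):
    """(present, message): what otherClaims.get(GSS_DELEGATION_CREDENTIAL) will see."""
    cred = jwt_claims(token).get(GSS_DELEGATION_CREDENTIAL)
    if not isinstance(cred, str) or not cred:
        return False, ("no %r claim in the access token: check the client's "
                       "'gss delegation credential' protocol mapper and the "
                       "browser's Kerberos delegation settings" % GSS_DELEGATION_CREDENTIAL)
    return True, "claim present, %d characters of serialized credential" % len(cred)


def make_unsigned_token(claims):
    """Constructed test data only: a JWS-shaped string with a dummy signature,
    so the functions above can be exercised without a running Keycloak."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".dummy-signature"
```

To use it on a real token, print kcp.getKeycloakSecurityContext().getTokenString() from the servlet (or copy the access_token from a token-endpoint response) and pass it to gss_credential_status. If the claim is absent the adapter side is not the problem; if it is present but deserializeCredential still fails, the problem is in the serialized value itself.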
Download and import X.509 client certificate from Keycloak
by Wei He
Hello dear all,
A question about the process to get the client X.509 certification:
I set up Keycloak 4.8.2-Final on my localhost and enabled the SSL as described in the document https://www.keycloak.org/docs/latest/server_admin/index.html#_x509.
The server could start but I could not open the server page on localhost:8443 (openssl s_client -connect 127.0.0.1:8443) due to the SSL error code 42 (4566025836:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 42), which means that there is a client certificate problem. But my imagination was that the server should redirect me to the login page. After I logged in, the server should generate the client certificate and ask me to download the certificate and import it into my browser. After that I should be able to connect to the server without any further authentication, because I already had the client certificate trusted by the Keycloak.
What did I do wrong? Or this process is not supported by the current keycloak yet?
Thanks a lot!
Wei He
5 years, 11 months
shared UMA 2.0 resource & scope based policies
by Marek Lindner
Hi,
I am working on a keycloak setup trying to replicate the photoz example. The
'test' realm is configured as follows:
* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (Javascript)
* 2 users: alice and bob
Alice creates a new album resource with the following request:
POST /auth/realms/test/authz/protection/resource_set
{
  "name": "Amazing sunsets",
  "owner": "alice",
  "ownerManagedAccess": "true",
  "uri": "/albums/100",
  "type": "album",
  "resource_scopes": ["album:view", "album:modify"]
}
Simulating Bob accessing album "Amazing sunsets" using the authorization
evaluation tab, returns permission denied for both scopes (view & modify) as
expected.
Now, Alice shares "Amazing sunsets" via the account management interface but
limits the scope to 'view' by sharing 'album:view' only.
Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" also is granted ??
Why would Bob get full access if Alice only shared album:view ? The evaluation
output even states that the granted album:view access was the reason why
access to album:modify is granted too (see attached screenshot for details).
Does anybody have a suggestion what I am missing here ?
Thanks,
Marek
5 years, 11 months