Liferay 6.2 with Keycloak
by Yeo Wee Tat (NCS)
Hi all
I have installed the Keycloak 6.0.1 Tomcat 7 adapter in Liferay 6.2 for SSO authentication and authorization.
I have downloaded keycloak.json to our web application's WEB-INF and added the below to the context and web Tomcat XML.
The integration between Liferay and Keycloak SSO has no issue.
However, I have a doubt about protected resources in the <security-constraint> tag. Currently I have added /group/*, hence every URL path under /group requires login.
If I would like the URL /admin/* to use the Liferay login page instead of the SSO login page, how do I do it? Thanks
---- context.xml
<Context path="/XXXX" crossContext="true" allowLinking="true">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
---- web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Lawnet</web-resource-name>
        <url-pattern>/group/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>XXXXX</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
Best Regards and Thanks
Wee Tat , Yeo (NCS)
Consultant, NCS Pte Ltd
5 years, 1 month
Cannot send verification/update password email behind reverse proxy
by Dave B
Hi all,
I'm really struggling with this one. We can't send verification emails when
the Docker image is behind a reverse proxy. I'm using nginx and everything
works apart from the email functionality, none of which works. We can get
tokens, verify tokens etc. But no email functionality works.
The realm functions fine on a local instance and sends emails as expected.
Can't see anything in the logs. This is a killer for us so if anyone has
any ideas please contact asap.
Dave
5 years, 1 month
Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have the below challenges in our project, where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When an Offline token is used from two
different machines, there is only one Session that will be created, and the
session will have the IP address of the machine from where the User Session
is first created. Because of this we cannot suspect any suspicious activity
by hackers. Shouldn't we create different sessions even though the same
offline token is used from different machines?
2. *Why is there no separate REST endpoint to get only Online User
Sessions:* The below REST endpoint returns all the User Sessions, i.e., both
Offline and Online User Sessions.
GET /{realm}/clients/{id}/user-sessions
Your help is much appreciated!
Thank you,
Nagendra Darla
5 years, 1 month
Recommended way for a custom login page
by Nils Christian Ehmke
Hi,
We are using Keycloak in a Spring Boot based application with Spring
Security. Now we need to add the realm somehow dynamically to the
request. As there is also the requirement to not use the default
Keycloak login page I decided to add a custom made login page for this.
My thoughts on this:
* I can change the redirect to the login url by setting it at the
KeycloakAuthenticationEntryPoint in the
KeycloakWebSecurityConfigurerAdapter.
* I could assemble the login url (with the realm) manually based on the
user's input.
But now I feel a little bit lost. Even if I perform the POST request to
the Keycloak server, how do I announce this to the Keycloak Adapter and
especially to Spring Security? Would I use the Javascript Adapter
instead? Can I somehow use the existing Java Keycloak Adapter?
Thanks for your help and best regards,
Nils
5 years, 1 month
Re: [keycloak-user] Efficient per client session statistics (solved)
by Christian Becker
When checking the source code, I found that this is already implemented with the "client-session-stats" endpoint. The only downside is that it requires Keycloak v4 and older versions only return the sessions, but not offline sessions.
A global endpoint would be even nicer, but this is good enough and better than several hundred calls.
On 23.10.19, 20:19, Christian Becker wrote:
We've recently implemented a monitoring system that's scraping the /session-count and /offline-session-count of each client. However, we noticed that this causes huge spikes on the Infinispan nodes (200k sessions and 2M offline sessions); also, it's not very efficient and requires several hundred API calls.
Is there any metric system currently available that provides this data?
We're specifically looking for the per-client values as we had several incidents with misconfigured clients that created huge amounts of sessions. And we can never rule out reoccurrence, as long as per-client or per-user session limits are implemented.
5 years, 1 month
Admin Console Error Messages Are Not Internationalized
by Hossein Doutaghy
Hi,
I am using Keycloak version 6.0.1. But when I change the language to a
specific language other than English, the admin console error messages are
still in English and not in the selected language.
*Steps to reproduce:*
1) Make sure "Internationalization Enabled" is "ON" for the realm
2) Go to the respective realm login page, select a different language (other
than English) and log in
3) Try to create a scenario where Keycloak throws an error. Ex: create a user
with a username which already exists.
4) Notice the error message is still in English, not in the language you
selected at the login page.
Please find the attachment for the error snapshot.
Is this expected behavior or a bug? Please guide me through this.
Thank you.
5 years, 1 month
Supported MySQL versions (for KeyCloak 4.8.3 and 7.0.1)
by AMIEL Patrice
Hi everybody,
I'm trying to find documentation giving the list of MySQL versions that are supported by KeyCloak 4.8.3 and by the very latest 7.0.1, but I was not able to find it.
Can someone provide a pointer to that?
Thanks a lot!
Best regards
Patrice
5 years, 1 month
SAML implementation of Keycloak Identity Providers
by Thankam Sreedharan Vipin
Dear Keycloak team,
I have a question about the SAML implementation associated with the `Identity Providers` in Keycloak: is it able to consume a (SAML) metadata file with many IdPs listed in it? Also, I assume that it lacks support for a discovery service, which is necessary to handle multiple IdPs in one place. Can you please comment on the same?
I know I can manually configure single IdP in Keycloak.
Thanks in advance,
Vipin
5 years, 1 month
Keycloak issue - Wrong ECDSA signature R and S encoding
by Ori Doolman
Hi,
There is a Major bug open since February this year, which prevents us from deploying Keycloak as an IDP, since we are using Java SpringBoot and the ECDSA algorithm for signing the tokens:
https://issues.jboss.org/browse/KEYCLOAK-9651
We cannot change the signature algorithm due to other limitations.
Is there any plan to resolve that?
Can you speed it up?
Thank you,
Ori.
5 years, 1 month
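The thread above is about how the R and S values of an ECDSA signature are encoded. JWS (RFC 7518, section 3.4) carries them as a fixed-width concatenation R || S, whereas Java's JCA `Signature` emits an ASN.1 DER SEQUENCE of two INTEGERs, so a verifier handed the wrong form rejects an otherwise valid token. The following is an added example, not code from the post or from Keycloak, converting between the two forms with strict parsing; the function names and the sample value are constructed for illustration.

```python
def _read_len(buf, pos):  # DER length at buf[pos] -> (length, next_pos)
    if pos >= len(buf):
        raise ValueError("truncated DER")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _read_uint(buf, pos):  # non-negative DER INTEGER -> (value, next_pos)
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("bad or negative INTEGER")
    return int.from_bytes(body, "big"), pos + length

def der_to_jose(der, size=32):
    """DER SEQUENCE{r, s} -> fixed-width R || S (size=32 for ES256)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _read_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("trailing or truncated data")
    r, pos = _read_uint(der, pos)
    s, pos = _read_uint(der, pos)
    if pos != len(der) or max(r, s) >= 1 << (8 * size):
        raise ValueError("extra data or value too large")
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")

def _der_tlv(tag, body):  # bodies here stay under 256 bytes (size <= 66)
    n = len(body)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + body

def jose_to_der(sig, size=32):
    """Fixed-width R || S -> DER SEQUENCE{r, s} with minimal positive INTEGERs."""
    if len(sig) != 2 * size:
        raise ValueError("R || S must be exactly 2*size bytes")
    ints = b""
    for part in (sig[:size], sig[size:]):
        v = int.from_bytes(part, "big")
        ints += _der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return _der_tlv(0x30, ints)

# Constructed sample (not a real signature): r has its top bit set, s = 1.
SAMPLE_JOSE = b"\x80" + bytes(31) + bytes(31) + b"\x01"
```

For ES256 the R || S form is always 64 bytes, while the DER form varies in length (here 40 bytes) because leading zeros are dropped and a 0x00 pad is added when the top bit is set.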
unsubscribe
by Sebastian Perkins - Hoist Group - Switzerland
5 years, 1 month