volume for hdb content of container?
by Joachim Lindenberg
Hello,
I am experimenting with Keycloak using https://hub.docker.com/r/jboss/keycloak and the default database, i.e. H2. Is there a means to have H2 persist the database to a file on a Docker volume and load it at startup instead of starting the configuration from scratch? My environment does not need to support lots of users, and as far as I understood the database is primarily for configuration when not replicating LDAP users. Using any of the other databases looks like overkill to me.
Or if that perception is wrong, I am wondering why my configuration was lost after a trivial reconfiguration of my docker-compose.yml.
Any suggestion?
Thanks, Joachim
5 years, 2 months
ldaps from keycloak container
by Joachim Lindenberg
Hello,
I am trying to set up Keycloak using a container and configure authentication against my LDAP (a Samba Active Directory). I configured ldaps://ldap.example.dom:636 in the user interface and “Test connection” succeeds. However, authentication of the bind user fails with the following exception:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 88 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 107 more
I was expecting that I would have to import a CA and therefore configured the environment variable X509_CA_BUNDLE to point to a cert as described in https://hub.docker.com/r/jboss/keycloak/ under “Setting up TLS(SSL)”, but the section is not really clear on whether it also applies to trust for LDAPS.
Any suggestion?
Thanks, Joachim
5 years, 2 months
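The PKIX error above is the JVM failing to build a chain from the directory's certificate to anything in its trust store. Before importing a CA into the container, it helps to confirm that the bundle you have really validates what the LDAP server presents. The following script is an added Python example (not from the original post or the Keycloak project) that performs that check from the outside with Python's ssl module; the host name ldap.example.dom is the one from the post and the bundle path /path/to/ca.pem is a placeholder.

```python
"""Check whether a CA bundle validates an LDAPS server's certificate chain.

Added example, not from the original post or the Keycloak project. It performs
the same kind of chain validation the JVM does when Keycloak's LDAP federation
opens an ldaps:// connection, so you can tell whether the CA file you intend
to import really issued the directory's certificate. Host name and bundle path
in __main__ are placeholders.
"""
import socket
import ssl
from urllib.parse import urlparse

LDAPS_DEFAULT_PORT = 636


def parse_ldaps_url(url):
    """Return (host, port) for an ldaps:// URL; the port defaults to 636."""
    parts = urlparse(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError("expected an ldaps://host[:port] URL, got %r" % url)
    return parts.hostname, parts.port or LDAPS_DEFAULT_PORT


def trust_context(ca_bundle):
    """Client context trusting ONLY the given bundle (like a JVM truststore
    holding just the imported CA), with host name checking on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def check_ldaps_trust(url, ca_bundle, timeout=5.0):
    """Handshake with the server and classify the outcome.

    Returns (ok, detail): ok is True when the chain validated against the
    bundle and the host name matched; otherwise detail says why it failed.
    """
    host, port = parse_ldaps_url(url)
    ctx = trust_context(ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return True, "validated; subject=%s" % (peer.get("subject"),)
    except ssl.SSLCertVerificationError as exc:
        # Same condition the JVM reports as "PKIX path building failed":
        # nothing in the trust store signs the presented chain, or the
        # server sends its leaf without the intermediate(s).
        return False, "chain not trusted by %s: %s" % (ca_bundle, exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return False, "connection/handshake error: %s" % exc


if __name__ == "__main__":
    # Placeholder values: the directory from the post and the CA you plan to import.
    print(check_ldaps_trust("ldaps://ldap.example.dom:636", "/path/to/ca.pem"))
```

If this reports the chain as trusted but the container still fails, the question becomes which trust store the JVM inside the container consults, not the CA itself; if it fails here as well, the bundle lacks the issuing CA or the server omits its intermediate certificate.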
Retrieving user permissions with client_id and client_secret alone
by Akhil Lawrence
Hi Folks,
I am trying to write my own policy enforcement point in Python.
I am able to retrieve the permissions of a user if *username* and *password* are
provided.
But is there a way by which I can retrieve the user permissions using only
my *client_id* and *client_secret*?
Thanks.
5 years, 2 months
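For reference, the permission request a policy enforcement point sends to Keycloak's authorization services, written as an added Python example (not the poster's code and not from the Keycloak project). It uses only the standard library; the server URL, realm, client id and secret are placeholders, and the sample permission list is constructed, not captured from a server. A token obtained with client_credentials belongs to the client's service account, so the permissions it returns are the service account's, not an end user's.

```python
# Added example (not from the post or the Keycloak project): a minimal PEP
# helper using only the standard library. Placeholders: the server URL, REALM,
# CLIENT_ID, CLIENT_SECRET. The sample permission list at the bottom is
# constructed for the demo, not captured from a real server.
import json
import urllib.error
import urllib.parse
import urllib.request

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_endpoint(base_url, realm):
    """Keycloak token endpoint for a realm (base path /auth as in the jboss/keycloak image)."""
    return "%s/auth/realms/%s/protocol/openid-connect/token" % (base_url.rstrip("/"), realm)


def post_form(url, fields, bearer=None, opener=urllib.request.urlopen):
    """POST an x-www-form-urlencoded body and decode the JSON reply.
    `opener` is injectable so the call can be exercised without a server."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with opener(req) as resp:
        return json.load(resp)


def client_token(token_url, client_id, client_secret, opener=urllib.request.urlopen):
    """client_credentials grant. The token represents the client's service
    account, not any end user; permissions derived from it are the client's."""
    reply = post_form(token_url, {"grant_type": "client_credentials",
                                  "client_id": client_id,
                                  "client_secret": client_secret}, opener=opener)
    return reply["access_token"]


def fetch_permissions(token_url, bearer, audience, opener=urllib.request.urlopen):
    """Ask the authorization services what `bearer` may do on the resource server
    `audience`. response_mode=permissions returns a list of
    {"rsid": ..., "rsname": ..., "scopes": [...]} entries instead of a new token."""
    try:
        return post_form(token_url, {"grant_type": UMA_TICKET_GRANT,
                                     "audience": audience,
                                     "response_mode": "permissions"},
                         bearer=bearer, opener=opener)
    except urllib.error.HTTPError as exc:
        if exc.code == 403:  # the token holds no permission at all on that audience
            return []
        raise


def is_permitted(permissions, resource, scope=None):
    """PEP decision, default deny: the resource must be listed, and when a scope
    is requested it must be listed explicitly for that resource."""
    for entry in permissions:
        if entry.get("rsname") != resource:
            continue
        if scope is None or scope in (entry.get("scopes") or []):
            return True
    return False


def sample_permissions():
    """Constructed stand-in for a response_mode=permissions reply."""
    return [{"rsid": "rsid-placeholder-1", "rsname": "Document", "scopes": ["read"]},
            {"rsid": "rsid-placeholder-2", "rsname": "Report"}]


if __name__ == "__main__":
    url = token_endpoint("https://keycloak.example.test", "REALM")
    access = client_token(url, "CLIENT_ID", "CLIENT_SECRET")
    perms = fetch_permissions(url, access, audience="CLIENT_ID")
    print(is_permitted(perms, "Document", "read"))
```

The decision function deliberately denies when a scope is requested but the entry lists none; if your resource server grants whole resources without scopes, decide that policy explicitly rather than inheriting it from a missing key.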
Query on application integration for SAML flow (IDP initiated flow)
by abhijeet chauhan
Hi,
We have integrated our app so that the app acts as an OAuth client to Keycloak and
Keycloak acts as an identity broker for incoming SSO flows (SAML).
APP (OAuth client) <-> Keycloak <-> SAML Identity Providers.
Here we generate the SSO URL in the app so that we select the SAML identity
provider using kc_idp_hint, which points to the SAML IDP configured in Keycloak
(this is the SAML SP SSO flow), and it is working perfectly well.
However, I have a question: how can I get this SSO integration working for the
SAML IDP-initiated flow? I tried doing the IDP-initiated flow with this and I
see Keycloak generating exceptions / errors.
I know OAuth / OIDC are always initiated at the RP (relying party), here the APP;
however, if Keycloak can create a user session and create the identity of the user
(for the IDP-initiated flow) and send the browser to a specific URL (specified on the
IDP through RelayState), then the APP can initiate the SSO flow and, as the user will
have a session on Keycloak, Keycloak can redirect the user to the redirect_uri on the
app to have the session. Any thoughts on how to get it working?
Thanks,
Vijay
5 years, 2 months
Hide Keycloak codes exchange from the URL
by Corentin Dupont
Hi guys,
is it possible to hide the complex URL Keycloak redirects to when logging in?
For example Keycloak redirects to:
https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/au...
Which looks complicated (it was criticized by the users).
I use Keycloak-JS wrapper.
I came across the option 'silentCheckSsoRedirectUri':
https://github.com/keycloak/keycloak-documentation/blob/master/securing_a...
But I'm not sure it's working.
Thanks,
Corentin
PS. I copy below a similar message posted on the mailing list for reference.
[keycloak-user] OIDC login URLs, how to hide them from the user?? *Max
Allan* max.allan+keycloak at surevine.com
*Tue Jan 22 10:36:05 EST 2019*
------------------------------
Hi,
When a user hits a (Keycloak Gatekeeper) protected site, they get
redirected to the Keycloak server login page, a URL like this:
https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/au...
So, a typical new user journey looks like "type in https colon slash *which
slash was it? oh that one* and another slash ww dot website dot com *oops
no, www and dot org dot uk ENTER"
*I don't want to type _that_ in again : Click Bookmark button QUICK*
So they've now bookmarked a login page that includes a state of 7103....
The session they have works and if they don't use their bookmark, it works.
If they come back to it later and use the bookmark, they get asked to log in and
then get a "403 authorisation denied" error.
The Gatekeeper logs say:
1.5481603986412873e+09 error State parameter mismatch
1.5481603986665585e+09 error unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}
So, how can I make this user journey easier with keycloak?
Ideally I'd like to hide the auth URLs completely; their browser doesn't
need to know they're authenticating on a different site.
I tried a "sign-in-page" with a frame containing the login page from
Keycloak:
<html>
<frameset cols="100%">
<frame src="{{ .redirect }}">
</frameset>
</html>
(and changed the security settings for frame-ancestors)
And when you've logged in, you get an empty page with a 403 error.
Gatekeeper says "unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}" again.
Keycloak says:
type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
ipAddress=180.430.597.666, error=invalid_code,
grant_type=authorization_code,
code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
client_auth_method=client-secret
(ip address etc. has been obfuscated)
If the user is clever, they can then remove
the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
in the browser and the session carries on quite happily.
Is there a setting I'm getting wrong in keycloak somewhere that is breaking
this?
In this first instance, we are returning to an old "state". I can imagine
that not working.
But in the second setup, I'm just logging in to Keycloak, in a frame; nothing
else has changed from a "working" setup, just the login page is in a frame.
(I also need to figure out how to escape the frame!!)
Thanks,
Max
5 years, 2 months
Authenticate unix users
by Ajinkya Thakare
Hi all,
Is there any way to authenticate local Unix users via Keycloak for a client application? The user can be on the server machine where Keycloak is hosted.
Regards,
Ajinkya Thakare
5 years, 2 months
Callbacks when I rotate my keys or revoke my JWT tokens
by Daniel Souza
Hi,
In my implementation, I am validating the JWT tokens locally, keeping the public keys in a local cache to avoid making multiple calls to the Keycloak server.
I won't know when a key in the server is no longer enabled or valid, therefore I could end up validating an invalid JWT token locally.
I would like to know if Keycloak has a way to configure callbacks when I rotate my keys. Does it?
Then I can update my keys in the cache…
In the case of JWT token revocation, can tokens be individually revoked in Keycloak? Is this feature available?
Are there callbacks implemented in case I have JWT tokens revoked?
Thank you in advance.
Regards,
Daniel.
5 years, 2 months
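Since the question is how to learn of a rotation without a callback, here is how a local validator usually handles it: the token header's kid identifies the signing key, and the cache refetches the realm's published JWKS when it meets a kid it does not know. The following is an added Python example, not code from the original post or the Keycloak project; it implements RS256 in pure Python so that it runs offline, generates throwaway test-size keys, and its JWKS fetcher is a constructed stand-in for an HTTP GET of the realm's certs endpoint. Revocation of individual tokens is not covered: a signature check alone cannot see it, which is why short token lifetimes matter for locally validated tokens.

```python
# Added example, not from the original post or the Keycloak project. RS256 is
# done in pure Python and the keys are throwaway test sizes so the file runs
# offline; `fetch_jwks` stands in for an HTTP GET of the realm's certs endpoint.
# Never use the toy key generator outside tests.
import base64, hashlib, json, random, time

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _pkcs1_em(msg, k):  # EMSA-PKCS1-v1_5 of SHA-256(msg) for a k-byte modulus
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_em(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):  # recompute the encoding and compare: no padding parser to get wrong
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _pkcs1_em(msg, k)

def _probable_prime(n, rounds=16):  # Miller-Rabin for the odd candidates below
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(r - 1)):
            return False
    return True

def make_rsa_key(bits=512):  # toy generator, test sizes only; returns (n, e, d)
    e, half = 65537, bits // 2
    while True:
        p, q = (random.getrandbits(half) | (1 << (half - 1)) | 1 for _ in "pq")
        if p != q and _probable_prime(p) and _probable_prime(q) and ((p - 1) * (q - 1)) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def jwk_from_key(kid, n, e):  # public key in the JWKS form a realm's certs endpoint publishes
    i2b = lambda x: _b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kid": kid, "kty": "RSA", "use": "sig", "alg": "RS256", "n": i2b(n), "e": i2b(e)}

def jwt_sign(claims, kid, n, d):
    si = _b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + _b64u(json.dumps(claims).encode())
    return si + "." + _b64u(rs256_sign(si.encode(), n, d))

class KeyCache:
    """kid -> (n, e). Refreshes on an unknown kid, but at most once per min_interval."""
    def __init__(self, fetch_jwks, min_interval=60.0, clock=time.time):
        self._fetch, self._min, self._clock = fetch_jwks, min_interval, clock
        self._keys, self._last, self.refreshes = {}, float("-inf"), 0

    def refresh(self):
        if self._clock() - self._last < self._min:
            return False  # rate-limited: bogus kids must not turn into a flood of fetches
        self._keys = {j["kid"]: (int.from_bytes(_unb64u(j["n"]), "big"),
                                 int.from_bytes(_unb64u(j["e"]), "big"))
                      for j in self._fetch().get("keys", [])
                      if j.get("kty") == "RSA" and j.get("use", "sig") == "sig"}
        self._last, self.refreshes = self._clock(), self.refreshes + 1
        return True  # the whole map is replaced, so retired keys drop out here

    def get(self, kid):
        if kid not in self._keys:
            self.refresh()
        return self._keys.get(kid)

def verify_jwt(token, cache, now=None):
    """Return the claims if the RS256 signature and exp check out, else None."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(_unb64u(h)), _unb64u(s)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return None  # the token never gets to choose the algorithm
    key = cache.get(header.get("kid"))
    if key is None or not rs256_verify((h + "." + p).encode(), sig, *key):
        return None
    claims = json.loads(_unb64u(p))
    return claims if claims.get("exp", 0) > (time.time() if now is None else now) else None

def rotation_demo():
    """Constructed scenario: returns (old ok before, new ok after, old ok after, refreshes)."""
    old, new = make_rsa_key(), make_rsa_key()
    published, clock = {"keys": [jwk_from_key("kid-old", old[0], old[1])]}, [1000.0]
    cache = KeyCache(lambda: published, min_interval=60, clock=lambda: clock[0])
    tok_old = jwt_sign({"sub": "alice", "exp": 2000}, "kid-old", old[0], old[2])
    before = verify_jwt(tok_old, cache, now=clock[0]) is not None
    published["keys"] = [jwk_from_key("kid-new", new[0], new[1])]  # the realm rotated its key
    tok_new = jwt_sign({"sub": "alice", "exp": 2000}, "kid-new", new[0], new[2])
    clock[0] += 61  # past the refresh interval: the unknown kid-new triggers a refetch
    after_new = verify_jwt(tok_new, cache, now=clock[0]) is not None
    after_old = verify_jwt(tok_old, cache, now=clock[0]) is not None
    return before, after_new, after_old, cache.refreshes
```

Two details carry the security weight: the cache enforces a minimum interval between refreshes, so a client sending tokens with random kid values cannot make every request hit the Keycloak server, and a refresh replaces the whole key map, so a key the realm has retired stops validating tokens at the next refresh instead of lingering in the cache.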
Keycloak Multi-Tenancy question
by Litom Segal
We are considering using Keycloak in a multi-tenant fashion.
Each of our customers' accounts has its own users and applications
installed, and we also provide service APIs consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wondering if there has been any progress on the multi-tenancy use case, and
whether there are any best practices on how to set up Keycloak to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
5 years, 2 months
Websockets with Keycloak
by Wolfgang Ederer
Hi,
we are building an app with Keycloak.
The backend uses Node.js; the frontend is also written in JavaScript.
Is there a recommended way to secure a WebSocket channel with Keycloak?
E.g. heartbeats vs. sending the token with each message?
Thanks!
Best Regards
Wolfgang Ederer
5 years, 2 months