Support for Mongodb
by Kodeeswaran Jeyakkannu
Hi Team,
Is it possible to integrate Keycloak with MongoDB or any other NoSQL database?
Is there any support or documentation for integrating with MongoDB?
Thanks in advance.
Thanks & Regards,
Kodeeswaran J
5 years
Access scope parameter in protocol mapper
by Luca Graf
Hello Community,
I am trying to implement a multi-tenant application scenario (single realm)
with Keycloak. The idea is to use a custom scope (tenant:<tenant_id>) to
represent a tenant. This idea was already described on the mailing list [1].
I implemented a custom protocol mapper to map permissions depending on
the scope/tenant to the access token. To access the scope parameter I
use the client session
(clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM)). This approach
was mentioned in a JIRA ticket related to scopes [2]. This seems to be
working fine and can be used to access the custom scope value. After
looking at the Keycloak code for how the client session note is managed, a
few questions came up where I am a bit unsure.
If I understand the code correctly, the client session note is only set
during the authorization flow. During a refresh flow this note is not
set/updated, which would mean that the scope note in a refresh flow will
have the value set from the "last" authorization flow in the client
session. Not sure if this is a problem at all, but looking at the code
for how Keycloak determines "client scope" objects during a refresh flow,
the scope claim from the refresh token is used [3].
Is it correct to assume that the client session note will always have
the correct scope value set?
In this scenario the keycloak "client scope" concept is more or less
ignored (no client scope object per tenant), not sure if there are other
areas where this can lead to problems?
Another way I can think of would be to create a Keycloak "client scope"
object for each tenant, associated with the mapper (scope value set as a
mapper config property for each scope). But I fear that would not scale
well with the current storage layer (as far as I can tell there will be one
SQL query per client scope before they get cached). Although we start
with a relatively small number of tenants, we expect up to 2000 tenants in
the future.
What do you think?
Thanks
Luca
[1] https://lists.jboss.org/pipermail/keycloak-user/2019-February/017225.html
[2] https://issues.redhat.com/browse/KEYCLOAK-349
[3] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
5 years
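As an added illustration of the approach described in the post above (this is not Luca's code and not part of Keycloak itself), the following Keycloak 8 style protocol mapper reads the scope request parameter from the client session note exactly as the post describes, extracts a tenant:<tenant_id> value, and emits a tenant claim only when the user is actually a member of that tenant. The user attribute name "tenants", the provider id, the claim name and the tenant-id format are assumptions chosen for the example. Because membership is re-checked on every token issuance, a stale scope note (the refresh-flow concern raised in the post) can at most name a tenant the user still belongs to; it cannot grant access to one they do not.

```java
package com.example.keycloak.mapper; // hypothetical package for this example

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/** Maps a requested "tenant:<id>" scope to a "tenant" claim, but only for tenants the user belongs to. */
public class TenantScopeMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    public static final String PROVIDER_ID = "tenant-scope-mapper";      // assumed provider id
    private static final String SCOPE_PREFIX = "tenant:";
    private static final String USER_TENANTS_ATTR = "tenants";            // assumed multi-valued user attribute
    private static final String CLAIM_NAME = "tenant";                    // assumed claim name
    // Strict allow-list for tenant ids: anything else in the scope parameter is rejected outright.
    private static final Pattern TENANT_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Tenant scope to claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds a 'tenant' claim for the tenant:<id> scope the client requested."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return new ArrayList<>(); }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionContext clientSessionCtx) {
        // The raw "scope" request parameter, stored on the client session as described in the post.
        String scopeParam = clientSessionCtx.getClientSession().getNote(OIDCLoginProtocol.SCOPE_PARAM);
        String tenant = extractTenant(scopeParam);
        if (tenant == null) {
            return token; // no (or malformed/ambiguous) tenant scope: emit nothing tenant-specific
        }
        // Authorisation check against the user's own membership; the scope alone is never trusted.
        UserModel user = userSession.getUser();
        List<String> allowed = user.getAttribute(USER_TENANTS_ATTR);
        if (allowed == null || !allowed.contains(tenant)) {
            return token; // requested tenant the user is not a member of: no claim, no permissions
        }
        token.setOtherClaims(CLAIM_NAME, tenant);
        return token;
    }

    /**
     * Returns the single tenant id named by a "tenant:<id>" entry in the space-separated scope
     * parameter, or null if there is none, if an id is malformed, or if two different tenants
     * are requested at once (treated as ambiguous and therefore rejected).
     */
    static String extractTenant(String scopeParam) {
        if (scopeParam == null || scopeParam.trim().isEmpty()) {
            return null;
        }
        String found = null;
        for (String entry : scopeParam.trim().split("\\s+")) {
            if (!entry.startsWith(SCOPE_PREFIX)) {
                continue; // e.g. "openid", "profile": not ours
            }
            String id = entry.substring(SCOPE_PREFIX.length());
            if (!TENANT_ID.matcher(id).matches()) {
                return null; // malformed tenant id: fail closed
            }
            if (found != null && !found.equals(id)) {
                return null; // two different tenants requested: ambiguous, fail closed
            }
            found = id;
        }
        return found;
    }
}
```

To be picked up by Keycloak the class is packaged as a provider jar together with a META-INF/services/org.keycloak.protocol.ProtocolMapper file naming it, after which it can be attached to a client as a mapper. The fail-closed choices in extractTenant are deliberate: a scope parameter the client controls is input, and the token should say nothing about a tenant rather than something wrong when that input is malformed or contradictory.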
Changing the base path from /auth to /
by Garth
Hello,
I've been searching around to try to understand how to change the base URL. I've found how to change it from "/auth" to "/some/other/path/auth", but I can't find any documentation on removing the "auth" part. I'd like to have my installation served at the root (e.g. "https://foo.com/realms/master/....").
I have tried changing:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
....
to:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>/</web-context>
....
but that seems to produce other errors. Is this the right approach? Are there other spots where it must be changed also?
Thanks for your help,
GP
5 years
Readonly database connection
by Gunnar Hilling
I'm currently setting up a failover scenario with a postgresql
master/slave (hot-standby) database.
Using the database "failover" features of wildfly in the datasource I
can accomplish to failover to the second, readonly database.
Now I know that certain functions won't be available when the db is readonly.
Do we have any documentation about use cases that won't work on readonly dbs?
Or should I just handle the whole scenario manually?
Kind regards,
Gunnar
5 years
Adding ACL security to Keycloak Server
by Alfonso Vidal García
Hello,
I am wondering if I can implement ACL Security to my Spring Application, to delimit which objects can retrieve the users, depends on the user. Like the each user can retrieve only the objects that belong to him.
Thanks in advance!
5 years
Writing custom authentication module
by abhijeet chauhan
Hi,
I have a requirement to write a custom authentication module such that
the user gets authenticated (primary factor of auth) by sending an SMS to
the user's registered mobile (invoking an external API) (mobile is one of the user
profile attributes). I looked at the existing sample secret question auth
module available with Keycloak; however, I did not find it very helpful.
Please let me know any pointers for writing such a module.
Thanks
5 years
Re: [keycloak-user] create user via java api
by John Norris
And doing as I suggested (builder object with Master, create user realm)
with SpringBootKeycloak) causes a 404 error on the create user line.
So that is not right either. And using "Master" throughout also fails
with a 404 error.
Interestingly, setting realm back to SpringBootKeycloak and using an
incorrect password for admincloak still causes a 401 (unauthorized)
error on the create user line. Not on the keycloak builder line. Is that
a design error in the api? It does seem inherently wrong to not return
an exception if the incorrect user credentials are input.
------ Original Message ------
From: "Tony Harris" <Tony.Harris(a)oneadvanced.com>
To: "John Norris" <johnnorris-10(a)outlook.com>;
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 04/12/2019 17:35:01
Subject: RE: create user via java api
>If you look under the Users Role mapping tab, and select the client Roles for realm-management you will find all the roles there.
5 years
Stuck with "org.keycloak.broker.provider.IdentityBrokerException: No access_token from server"
by Carsten Aulbert
Hi,
we just started evaluating keycloak (v8.0.1) for our use case (central
authentication which would eventually/hopefully allow us to handle
authorization for web spaces, wiki and the likes with users either taken
from our internal LDAP, our gitlab instance and/or edugain via SAML).
So far, it looks really nice, but after some early success I am
currently stuck.
Current test set-up:
keycloak side:
- users from local LDAP
- our local gitlab as an identity provider
- AFAIK, truststore has all necessary certificates
apache2 webserver:
- directory secured via auth_openidc pointing to keycloak
What works:
Browsing to secured directory, redirect to keycloak, log in against LDAP
and based on my role/username/email address, access is granted.
What fails:
Using gitlab as a secondary means of authentication (i.e.
realm/demo/account page has gitlab on the right hand side), it starts to
redirect to gitlab, however fails to (renew?) a token. On the gitlab
side, I only get HTTP code 401 for keycloak accessing /oath/token, on
keycloak I either only get a very terse error like
14:58:22,912 WARN [org.keycloak.events] (default task-22) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=1.2.3.4, error=invalid_code
(when using "Client Authentication" set to "Client secret sent as post")
or much more verbose when setting it to "Client secret as jwt" (see the
very end of the email).
Anyone with an idea what is wrong here? (I have checked the client
id/secret multiple times, set and reset it again and again, played
around with all the visible knobs in various configurations, but so far
to no avail.)
Cheers and thanks a lot in advance!
Carsten
Long error:
15:00:28,047 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-24) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
    at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.keycloak-services@8.0.1//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:91)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.core@2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.core@2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.0.27.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.core@2.0.27.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.core@2.0.27.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.core@2.0.27.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.core@2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.core@2.0.27.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow@18.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.0.27.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
    at io.undertow.core@2.0.27.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
    at io.undertow.core@2.0.27.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:834)
15:00:28,049 WARN [org.keycloak.events] (default task-24) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=1.2.3.4 error=identity_provider_login_failure
--
Dr. Carsten Aulbert, Max Planck Institute for Gravitational Physics,
Callinstraße 38, 30167 Hannover, Germany
Phone: +49 511 762 17185
5 years
Re: [keycloak-user] create user via java api
by John Norris
So I go into the Keycloak admin console and look at the admincloak user in the master realm, select a realm under client roles, and see a long list of effective roles (no assigned or available roles), but for both the SpringBootKeycloak realm and the Master realm there is no realm-management. There is however a manage-realm, which I guess is the same thing.
So admincloak does have those permissions.
Which leads back to the base question: why is admincloak getting an invalid user credentials error? Should realm be master for the KeycloakBuilder object and then changed for the line
keycloak.realm(REALM).users().create(userRepresentation);
so that REALM is SpringBootKeycloak.
PS - sorry for the awful naming - this was originally just going to be a quick play.
------ Original Message ------
From: "Tony Harris" <Tony.Harris(a)oneadvanced.com>
To: "John Norris" <johnnorris-10(a)outlook.com>; "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 04/12/2019 17:35:01
Subject: RE: create user via java api
If you look under the Users Role mapping tab, and select the client Roles for realm-management you will find all the roles there.
5 years
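As an added example for the situation in this thread (this is not John's or Tony's code, and not part of the Keycloak admin client itself), the snippet below shows the Java admin client assembled the way the question describes: the builder's realm is the realm the administrator account authenticates against, and the realm that receives the new user is named on the request itself. The server URL, environment variable names and the user being created are placeholders. The example requests a token before doing anything else, so a wrong admin password is reported at that step with its own HTTP status rather than surfacing on the create call, and it inspects the status of the create response instead of assuming success.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateUserExample {

    // Placeholders for this example; credentials are read from the environment, never hard-coded.
    static final String SERVER_URL = "https://keycloak.example.invalid/auth";
    static final String ADMIN_REALM = "master";              // realm the admin account lives in
    static final String TARGET_REALM = "SpringBootKeycloak"; // realm that will receive the user

    public static void main(String[] args) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(SERVER_URL)
                .realm(ADMIN_REALM)
                .clientId("admin-cli")
                .username(System.getenv("KC_ADMIN_USER"))
                .password(System.getenv("KC_ADMIN_PASSWORD"))
                .build();

        try {
            // build() does not contact the server. Fetching a token explicitly makes a bad
            // password fail right here, with a clear cause, instead of on the first admin call.
            try {
                keycloak.tokenManager().getAccessToken();
            } catch (WebApplicationException e) {
                System.err.println("Admin login against realm '" + ADMIN_REALM + "' failed: HTTP "
                        + e.getResponse().getStatus());
                return;
            }

            UserRepresentation user = new UserRepresentation();
            user.setUsername("example-user"); // placeholder
            user.setEnabled(true);

            // The target realm is chosen per request; it need not be the realm used to log in.
            Response response = keycloak.realm(TARGET_REALM).users().create(user);
            try {
                reportCreateResult(response);
            } finally {
                response.close();
            }
        } finally {
            keycloak.close();
        }
    }

    /** Translates the HTTP status of the create call into a specific message instead of assuming success. */
    static void reportCreateResult(Response response) {
        int status = response.getStatus();
        switch (status) {
            case 201:
                System.out.println("Created: " + response.getLocation());
                break;
            case 401:
            case 403:
                System.err.println("Admin account is not authorised to create users in realm '"
                        + TARGET_REALM + "' (HTTP " + status + ")");
                break;
            case 404:
                System.err.println("Realm '" + TARGET_REALM + "' not found at " + SERVER_URL + " (HTTP 404)");
                break;
            case 409:
                System.err.println("A user with that username or e-mail already exists (HTTP 409)");
                break;
            default:
                System.err.println("Unexpected HTTP status " + status);
        }
    }
}
```

The split between the two realm names is the point of the example: authenticating in one realm and administering another is normal, but each step can fail independently, and only by checking the status of each call can you tell an authentication failure (the token request) apart from an authorisation or routing failure (the create request).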
Manage Access to Resources via own App
by David Sautter
Hello,
I want to build an application, that looks like the “My-Resources” site which Keycloak provides.
It should be possible to share access to different Resources defined on different clients and also list those sharings etc.
I’m trying to find the relevant endpoints I would need to call from my application. Is there a place where I can see the exact requests that the “My-Resources” site is doing (it’s server rendered…)?
Best Regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Phone: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
The content of this e-mail is intended exclusively for the intended recipient(s). It may contain information that is confidential and/or legally protected. Any review, forwarding, distribution or use by persons or entities other than the intended recipient is prohibited.
If you have received this e-mail in error, please inform the sender and delete the data from your computer.
If you are not the intended recipient of this message, you are hereby notified that any dissemination, use or distribution of this message is unauthorized and prohibited. Please immediately notify the sender that you have received this message and destroy the original.
Although this message has been checked for viruses, it is not guaranteed to be virus-free. You are strongly advised to perform another virus check of any attachment before opening it.
Executive Board: Christian Leicher (Chairman), Peter Riedel, Company's Place of Business: München, Commercial Register No.: HRA 16 270, Personally Liable Partner: RUSEG Verwaltungs-GmbH, Company's Place of Business: München, Commercial Register No.: HRB 7 534, VAT Identification No.: DE 130 256 683, WEEE Register No.: DE 240 437 86
5 years