Domains for Realms
by Peter S
Can I run different domains for different realms in the same Keycloak
cluster? I have several services, but they are so different from the master
domain; it would be great to assign a domain to a realm. Any hints?
Peter.
5 years, 11 months
One time password
by Jason Prouty
I would like to use Keycloak with OTP only instead of Password and OTP.
Is this possible?
5 years, 11 months
How to find applications a user can access from KC DB
by Denis Danov
Hi keycloak users,
Some time ago I asked if it is possible to find all applications a user
has access to from the REST API. It turned out that it is not possible out
of the box.
Now I am exploring the idea of extracting this data from the DB. Our Keycloak
instance has an LDAP user federation provider which is already synced, and I
can see users and roles in KC. However, on Keycloak's account page I can see
more roles assigned to a user than in the DB. Is there a different data provider
than the DB that Keycloak uses to build its mapping between a user and the list of
applications he can access on the account page?
Regards,
Denis
5 years, 11 months
Launch change password flow from action token?
by Craig Setera
With Dmitry's help, my action token is now functional in terms of the token
handler being called. Part of my new function is to launch the change
password for a particular user. Is there a good/easy example in the code
base that shows how I might do that from my action token handler function?
Thanks!
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 11 months
Modify source code, recompile and deploy
by Noriyuki TAKEI
Hi.
I'd like to modify the source code of Keycloak (version 3.4.3), recompile and
deploy.
Specifically, the source file I'd like to modify is
org/keycloak/social/google/GoogleIdentityProvider.java.
I am now running Keycloak in standalone mode.
I guess the following is the way to recompile:
# git clone https://github.com/keycloak/keycloak.git
# git checkout 3.4.3.Final
# cd distribution/server-dist
# mvn clean package
It worked fine.
Please tell me the way to deploy the recompiled package.
5 years, 11 months
Integration with GuardianKey
by Paulo Angelo
Hi all,
We are trying to integrate KeyCloak with GuardianKey. However, we have
doubts about the best way to do this and the best point in
KeyCloak's code for this integration.
GuardianKey is a service to protect systems against authentication attacks.
It uses Machine Learning and analyses the user's behavior, threat
intelligence and psychometrics (or behavioral biometrics). The protected
system (in the concrete case, KeyCloak) must send an event via REST to
GuardianKey on each login attempt. More info at https://guardiankey.io .
The best way to integrate would be to have a hook in the procedure that
processes the user credentials submission in KeyCloak (the script that
receives the POST), something such as:
if (<POST IN AUTH FORM>) {
    boolean loginFailed = checkLoginInKeyCloak();
    GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
    boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
    if (GuardianKeyValidation) {
        // Allow access
    } else {
        // Deny access
    }
}
Where is the best place to create this integration? Is there a way to
create a hook for this purpose? Should we create an extension?
Any help is welcome.
Thank you in advance.
Best regards,
--
Att,
Paulo Angelo
5 years, 11 months
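One way to get the hook Paulo is asking for, as an added example that is not part of the original post and is neither GuardianKey's nor Keycloak's own code: an Authenticator SPI implementation that extends Keycloak's stock UsernamePasswordForm, so Keycloak's own credential check still runs, and reports every submission (failed or not) to the external service before deciding. The package name, the risk.url property, the event JSON and the "HTTP 200 means allow" contract are assumptions, since GuardianKey's real API is not described on the page; the SPI calls are those of the Keycloak 3.x/4.x Authenticator SPI and should be checked against the version in use.

```java
package example.auth;  // hypothetical package, not part of Keycloak
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Replacement for the stock "Username Password Form" execution: Keycloak still
 * validates the credentials, this class reports every submission (success or
 * failure) to an external risk service and refuses the login on "deny".
 */
public class RiskCheckedUsernamePasswordForm extends UsernamePasswordForm {

    // Assumed endpoint and contract (HTTP 200 = allow, anything else = deny);
    // GuardianKey's real API is not described on the page.
    static final String RISK_URL = System.getProperty("risk.url", "https://risk.example.invalid/event");

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        if (form.containsKey("cancel")) { context.cancelLogin(); return; }
        String username = form.getFirst("username");
        String clientIp = context.getConnection().getRemoteAddr();

        // validateForm() is Keycloak's own check; on failure it has already set
        // the "invalid credentials" challenge, so only the outcome is recorded here.
        boolean loginFailed = !validateForm(context, form);

        // Report every attempt, failed ones included. Fails closed: no answer means "deny".
        boolean allowed = reportAndAsk(username, clientIp, loginFailed);

        if (loginFailed) { return; }   // challenge already issued by validateForm()
        if (!allowed) {
            context.getEvent().error(Errors.ACCESS_DENIED);
            Response page = context.form().setError("Login blocked by the risk service").createLogin();
            context.failureChallenge(AuthenticationFlowError.ACCESS_DENIED, page);
            return;
        }
        context.success();
    }

    /** POSTs one JSON event; returns true only for an HTTP 200 reply. */
    static boolean reportAndAsk(String username, String ip, boolean failed) {
        String body = "{\"username\":\"" + jsonEscape(username) + "\",\"ip\":\"" + jsonEscape(ip)
                + "\",\"loginFailed\":" + failed + "}";
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(RISK_URL).openConnection();
            c.setConnectTimeout(2000);  // a slow risk service must not hang the login flow
            c.setReadTimeout(2000);
            c.setRequestMethod("POST");
            c.setRequestProperty("Content-Type", "application/json");
            c.setDoOutput(true);
            try (OutputStream out = c.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            return c.getResponseCode() == 200;
        } catch (IOException e) {
            return false;
        }
    }

    static String jsonEscape(String s) {
        return s == null ? "" : s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Registered by listing example.auth.RiskCheckedUsernamePasswordForm$Factory in
     *  META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "risk-checked-username-password-form";
        @Override public String getId() { return ID; }
        @Override public Authenticator create(KeycloakSession session) { return new RiskCheckedUsernamePasswordForm(); }
        @Override public String getDisplayType() { return "Username Password Form (risk checked)"; }
        @Override public String getReferenceCategory() { return "password"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public Requirement[] getRequirementChoices() { return new Requirement[] { Requirement.REQUIRED }; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Checks the password, then asks an external risk service."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

Package it as a jar, deploy it to the server, then copy the browser flow in the admin console and swap "Username Password Form" for "Username Password Form (risk checked)". The event is sent before the failure branch returns, so failed password attempts reach the risk service too, which is what a behavioural engine needs. The fail-closed choice in reportAndAsk means an outage of the risk service stops all logins; if availability matters more than the check, return true on IOException and raise an alert instead, but make that decision deliberately.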
[spring-boot-adapter] get token/principal/etc.
by Pavel Maslov
Hi, guys. Haven't been here for quite a while :)
I'm using the Spring Boot Keycloak adapter
(org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
API via bearer token [1]. And it works! Cool.
Now, I would like to get the access token in my @RestController, or even
better some information about the user. Is it possible?
Thanks in advance.
Regards,
Pavel Maslov, MS
[1] https://github.com/maslick/barkoder
5 years, 11 months
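An added example, not Pavel's code and not the Keycloak project's, of reading the verified access token inside a @RestController that sits behind the adapter described in the message above. Package, class and endpoint names are assumptions. Spring Security is deliberately not imported, so the controller compiles whether or not it is on the classpath: the security context is taken from the user principal when that is a KeycloakPrincipal (container adapters), otherwise from the request attribute the adapters set under the KeycloakSecurityContext class name.

```java
package example.api;  // hypothetical package
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    @GetMapping("/whoami")
    public ResponseEntity<Map<String, Object>> whoami(HttpServletRequest request) {
        KeycloakSecurityContext ctx = securityContext(request);
        if (ctx == null) {
            // Only reachable if this path is not covered by the adapter's security constraint.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        return ResponseEntity.ok(describe(ctx.getToken(), ctx.getTokenString()));
    }

    /**
     * Finds the security context the adapter attached to this request after it
     * verified the bearer token's signature, issuer and expiry. Depending on the
     * adapter variant it is the user principal or a request attribute.
     */
    static KeycloakSecurityContext securityContext(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) p).getKeycloakSecurityContext();
        }
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        return attr instanceof KeycloakSecurityContext ? (KeycloakSecurityContext) attr : null;
    }

    /** Builds the response from claims the adapter has already signature-checked. */
    static Map<String, Object> describe(AccessToken token, String rawJwt) {
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("subject", token.getSubject());
        out.put("username", token.getPreferredUsername());
        out.put("email", token.getEmail());
        out.put("issued_for", token.getIssuedFor());   // the "azp" claim: which client obtained the token
        AccessToken.Access realm = token.getRealmAccess();
        out.put("realm_roles", realm == null ? Collections.emptySet() : realm.getRoles());
        Map<String, Set<String>> clientRoles = new LinkedHashMap<>();
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        if (resourceAccess != null) {
            for (Map.Entry<String, AccessToken.Access> e : resourceAccess.entrySet()) {
                clientRoles.put(e.getKey(), e.getValue().getRoles());
            }
        }
        out.put("client_roles", clientRoles);
        // The raw JWT is a bearer credential: keep it out of responses and logs and use it
        // only when calling downstream services on the user's behalf.
        out.put("token_length", rawJwt == null ? 0 : rawJwt.length());
        return out;
    }

    /** Authorization decision taken from the verified token, never from a client-supplied header. */
    static boolean hasRealmRole(AccessToken token, String role) {
        AccessToken.Access realm = token.getRealmAccess();
        return realm != null && realm.isUserInRole(role);
    }
}
```

Role checks belong on the token the adapter verified (hasRealmRole above, or the adapter's own role constraints), not on usernames or roles copied from request headers by a proxy. Realm roles live under realm_access and client roles under resource_access keyed by client id, so a role that exists only for another client will not appear in realm_roles.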
How to disable request restore in OIDCFilterSessionStore (how to make eclipse RAP work with keycloak)?
by Clemens Eisserer
Hi,
I am trying to make a server-side framework (Eclipse RAP) integrate
nicely with Keycloak.
The issue I am facing is that the client-side part of the framework is
using XMLHttpRequests and therefore cannot cope with the HTTP 302
redirects sent by the Keycloak servlet in case the HttpSession times
out.
Instead it expects some hand-crafted JSON to perform the redirect
itself. I've implemented it using an HttpServletResponse facade so I
can later manually redo the redirect generated by Keycloak (please
see the code at the end of the mail), and this seems to work fine.
However, after the redirect, Keycloak seems to restore the old request
in OIDCFilterSessionStore which initially caused the redirect.
The server-side framework code receives the outdated POST and goes
nuts (instead of the expected GET to restart the whole session); only
if I remove __REDIRECT_URI manually (which leads to needRequestRestore =
false) does everything work as expected.
Is there any way to disable this request-restoring process with a public
API, instead of messing with the HttpSession in an undocumented way?
Thank you in advance, Clemens
PS: At the risk of being a support vampire, what is the idea behind this
request-restoring process?
The browser network log looks like:
1. POST (application URL, session timed out) -> response: {"head":
{"redirect": "https://..../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%someapplication%2F?cid%3Dd28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid"}}
2. Browser loads keycloak login page itself using GET:
https://....../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid
3. The Keycloak login page immediately redirects (302) to the application
again: http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-4...
4. the keycloak filter in the application redirects again to the
application URL, cuts off the parameters:
http://localhost:8080/someapplication/?cid=d28559d9
However for this request keycloak restores some previous request, so
the initial GET request sent by the browser becomes POST, confuses the
JS application framework.
Code:
// Use a facade here which ignores sendError() issued by the Keycloak filter;
// this way we are able to reload the login page instead.
HttpServletResponseFascade responseFascade = new HttpServletResponseFascade(response);
// request.getSession(true).removeAttribute("__REDIRECT_URI"); // does not work without this
super.doFilter(req, responseFascade, chain);
if (responseFascade.getStatus() == 302) {
    String location = responseFascade.getLocation();
    if (request.getMethod().equalsIgnoreCase("POST")) {
        // XHR client: hand the redirect target back as JSON with a 200 status
        response.setStatus(200);
        PrintWriter pw = response.getWriter();
        pw.println("{\"head\": {\"redirect\": \"" + location + "\"}}");
        pw.flush();
    } else {
        // Ordinary browser navigation: re-issue the redirect recorded by the facade
        response.setHeader("Location", location);
        response.setStatus(responseFascade.getStatus());
    }
}
5 years, 11 months
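The facade approach from the message above, written out as a complete HttpServletResponseWrapper plus a KeycloakOIDCFilter subclass. This is an added example, not Clemens's code and not Keycloak's: the package and class names are mine, the JSON body is the shape the post shows, and the X-Requested-With check is an assumption with the post's own POST heuristic as fallback. It only changes how a captured 302 reaches the client; it does not touch the request the adapter saves in the HTTP session, so the POST replay described in the message is left as it is.

```java
package example.rap;  // hypothetical package
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.keycloak.adapters.servlet.KeycloakOIDCFilter;

/**
 * Records a redirect (302/303 plus Location, or sendRedirect) and any sendError()
 * instead of committing them, so the filter below can decide how to deliver them.
 * Every other status and all body writes pass straight through to the real response.
 */
class RedirectCapturingResponse extends HttpServletResponseWrapper {
    private int captured = 0;
    private String location;

    RedirectCapturingResponse(HttpServletResponse r) { super(r); }

    @Override public void sendRedirect(String loc) { captured = SC_FOUND; location = loc; }
    @Override public void sendError(int sc) { captured = sc; }
    @Override public void sendError(int sc, String msg) { captured = sc; }
    @Override public void setStatus(int sc) {
        if (sc == SC_FOUND || sc == SC_SEE_OTHER) captured = sc; else super.setStatus(sc);
    }
    @Override public void setHeader(String name, String value) {
        if ("Location".equalsIgnoreCase(name)) location = value; else super.setHeader(name, value);
    }
    int capturedStatus() { return captured; }
    String location() { return location; }
    boolean isRedirect() { return location != null && (captured == SC_FOUND || captured == SC_SEE_OTHER); }
}

/** Keycloak servlet filter that answers XHR callers with JSON instead of a 302. */
public class XhrAwareKeycloakFilter extends KeycloakOIDCFilter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        RedirectCapturingResponse wrapped = new RedirectCapturingResponse(response);

        super.doFilter(request, wrapped, chain);   // the adapter may record a redirect to the login page

        if (wrapped.isRedirect()) {
            if (isXhr(request)) {
                // Inside an XHR the browser would follow the 302 and hand the login HTML to the
                // script. Return the target URL with a 200 so the client script navigates itself.
                response.setStatus(HttpServletResponse.SC_OK);
                response.setContentType("application/json;charset=UTF-8");
                response.getWriter().print("{\"head\":{\"redirect\":\"" + jsonEscape(wrapped.location()) + "\"}}");
                response.flushBuffer();
            } else {
                response.sendRedirect(wrapped.location());   // plain navigation: normal redirect
            }
        } else if (wrapped.capturedStatus() >= 400) {
            response.sendError(wrapped.capturedStatus());    // replay a held-back 401/403 unchanged
        }
    }

    /** XHR detection: the standard header first; the RAP client's POST (as on the page) as fallback. */
    static boolean isXhr(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"))
                || "POST".equalsIgnoreCase(request.getMethod());
    }

    static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

Two points the sketch in the message glosses over: the redirect URL is written into JSON with escaping rather than by string concatenation, and errors the adapter tried to send (for example a 401 on a bad bearer token) are replayed instead of being silently turned into an empty 200, which would otherwise hide authentication failures from the client.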