Admin rest api - PUT - client update 500 internal server error
by Tungatkar, Niranjan
Hi,
I am trying to update my client through the following curl request. I am trying to enable implicit flow. I also tried updating webOrigins and redirectUris, but every time I get a 500 Internal Server Error.
curl -ivk -X PUT -H "Authorization: bearer $access_token" -H "Content-Type: application/json" https://$KC_FQDN:$KC_PORT/auth/admin/realms/TEST/clients/$client_id -d '{ "implicitFlowEnabled": true }'
Error in keycloak logs –
00:41:53,557 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
at org.keycloak.services.resources.admin.ClientResource.updateClientFromRep(ClientResource.java:584)
at org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:152)
I checked the Admin rest api PUT request spec here - https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_clients_resource
The client representation from here - https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_clientrepresen...
The representation suggests all attributes are optional
Keycloak version: 3.4.3.Final
Keycloak image: docker.io/jboss/keycloak-openshift:3.4.3.Final
How can I update the client through the admin REST API?
--
Niranjan
5 years, 10 months
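Added example (not from the post, and not Keycloak's own tooling): one way to drive the client update endpoint is to read the current ClientRepresentation, apply the change, and PUT the whole object back, so the server never receives a body in which every other field is absent. The base URL, realm, client UUID and token are placeholders; the merge helper, request builder and the fake server used to run it offline are all assumptions of this example, not the admin API itself.

```python
"""Update a Keycloak client through the admin REST API by sending the full
ClientRepresentation back (GET, modify, PUT) instead of a one-field body.

Added example; the fake server at the bottom is a constructed stand-in so
the flow runs offline, and base URL / realm / ids / token are placeholders."""
import copy
import json
import urllib.request


def merge_client_update(current, changes):
    """Return `current` with `changes` applied, without mutating the input.

    Top-level keys are replaced; the nested "attributes" map is merged so
    unrelated attributes survive the update."""
    merged = copy.deepcopy(current)
    for key, value in changes.items():
        if key == "attributes" and isinstance(value, dict):
            merged.setdefault("attributes", {}).update(value)
        else:
            merged[key] = value
    return merged


def client_url(base_url, realm, client_id):
    """Admin endpoint for one client. On 3.x the base URL ends in /auth,
    e.g. https://kc.example.test:8443/auth (placeholder host)."""
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/clients/{client_id}"


def build_request(base_url, realm, client_id, token, method, body=None):
    """urllib request carrying the bearer token and, for PUT, the JSON body."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(client_url(base_url, realm, client_id),
                                 data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def update_client(base_url, realm, client_id, token, changes,
                  opener=urllib.request.urlopen):
    """GET the current representation, merge the changes, PUT it back.

    `opener` is injectable so the flow can be exercised without a server.
    Returns the PUT status and the representation that was sent."""
    with opener(build_request(base_url, realm, client_id, token, "GET")) as resp:
        current = json.load(resp)
    merged = merge_client_update(current, changes)
    with opener(build_request(base_url, realm, client_id, token, "PUT", merged)) as resp:
        return resp.status, merged


class _FakeResponse:
    """Constructed stand-in for an HTTP response (demo and test only)."""

    def __init__(self, status, payload):
        self.status, self._payload = status, payload

    def read(self):
        return json.dumps(self._payload).encode("utf-8")

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_server(store):
    """Opener that serves GET/PUT for one client kept in `store` (constructed)."""
    def opener(req):
        if req.get_method() == "PUT":
            store.clear()
            store.update(json.loads(req.data))
            return _FakeResponse(204, None)  # Keycloak answers 204 on update
        return _FakeResponse(200, store)
    return opener


if __name__ == "__main__":
    # Constructed client; drop opener=... to talk to a real server instead.
    demo = {"id": "CLIENT_UUID", "clientId": "my-app", "implicitFlowEnabled": False,
            "redirectUris": ["https://app.example.test/*"], "attributes": {"x": "1"}}
    status, sent = update_client("https://KC_FQDN:KC_PORT/auth", "TEST", "CLIENT_UUID",
                                 "ACCESS_TOKEN", {"implicitFlowEnabled": True},
                                 opener=fake_server(demo))
    print(status, json.dumps(demo))
```

The same call updates redirectUris or webOrigins by passing those keys in `changes`; because the full representation is sent, every field keeps the value the server already had unless it is listed there.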
Stuck configuring IdP broker
by Manuel Waltschek
Dear KC Community,
My team and I have been stuck configuring a simple SAML service provider with Keycloak for at least half a year now.
Our use case is a simple SP-initiated login and both IdP- and SP-initiated logout. We deploy on WildFly 10 and we tried to use the wildfly-saml-adapter only, since the Keycloak server as a broker forces a first login flow, which we tried to skip. Unfortunately we couldn't get the Keycloak login module to get triggered and therefore we cannot obtain a login on the EJB tier. We made a workaround for this and managed to finally log in. After that, we found out that the logout does not work as expected. HttpRequest.logout() and setting the request param to ?GLO=true do not work alone, since we have to combine them to get the logout request sent to the external IdP, but then we keep the session cookie in the SP alive and we cannot process the success message from the IdP.
So we finally decided to try out the keycloak server, since we might be missing something. Unfortunately we just can't get it to work.
We are using nginx as a reverse proxy and configured the following:
    location ^~ /auth/ {
        # trailing slash: nginx replaces the matched "/auth/" prefix with the
        # proxy_pass URI, so "/auth" would turn /auth/admin into /authadmin
        proxy_pass http://127.0.0.1:8180/auth/;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
We also configured standalone.xml of keycloak as follows:
    <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="https" enable-http2="true"/>
            <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <http-invoker security-realm="ApplicationRealm"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        </handlers>
    </subsystem>
But we are stuck, since we cannot access the management/admin console of Keycloak over nginx: it redirects to localhost:8180/auth/admin (we are using a port offset).
Why does it do this? It might be the auth-server-url configuration of the master realm:
{"realm":"master","auth-server-url":"http://localhost:8180/auth","ssl-required":"external","resource":"security-admin-console","public-client":true,"confidential-port":0}
When I access the console over an SSH tunnel, the redirect works as expected (to localhost:8181).
But how could we change that confusing behaviour? We really need to log in over the proxy, since we need to configure an IdP whose redirect URI binds to the URI of the request in the browser (which is really confusing too).
Please help us; we decided to use Keycloak and we really had a lot of trouble with it.
Regards,
Manuel Waltschek BSc.
manuel.waltschek(a)prisma-solutions.at<mailto:manuel.waltschek@prisma-solutions.at>
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
5 years, 10 months
Token exchange: on-behalf-of + downgrade
by Alexey Titorenko
Hello guys.
I would like to ask for your help with the following. I'm currently looking at an on-behalf-of scenario with Keycloak. In this case we have a 'web app' calling 'svc-1', which in turn calls another service 'svc-2'. That is, we have: web -> svc-1 -> svc-2.
The idea is to let svc-2 know who the actual initiator of the call chain is (end-to-end identity propagation). The question is about how to do that with Keycloak.
First, in order to propagate the caller identity we could exchange tokens in 'svc-1'. In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the 'svc-2' call in order to reduce potential harm in case this token is intercepted by someone.
While I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the 'scope' parameter is not supported for token exchange.
So, my questions are:
Is token exchange the right tool for this task?
Is it possible to downgrade exchanged token? And how, if so?
Thank you,
Alexey
5 years, 10 months
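Added example, not from the post: the request shape svc-1 would send to Keycloak's token exchange endpoint (the field names are the ones Keycloak documents for token exchange; client ids, secrets and claims are constructed placeholders), together with a receiver-side check for svc-2. Since the exchange does not narrow the token by scope, the check below is my suggested complement: svc-2 accepts only tokens addressed to itself and acts only on its own client roles, ignoring roles for other services.

```python
"""Token exchange for an on-behalf-of chain (web -> svc-1 -> svc-2) and the
check svc-2 should apply to the token it receives.

Added example, not from the post. The form field names are the ones
Keycloak documents for its token exchange endpoint; client ids, secrets
and claims below are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_form(client_id, client_secret, subject_token, audience):
    """Body svc-1 POSTs to /realms/{realm}/protocol/openid-connect/token.

    `audience` names the target client (svc-2) so the issued token's `aud`
    is scoped to it. No `scope` field is sent: the exchange endpoint does
    not narrow the token by scope, so the receiver enforces that instead."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }


def encode_form(form):
    """application/x-www-form-urlencoded body for the POST."""
    return urlencode(form).encode("ascii")


def decode_claims(jwt):
    """Payload of a compact JWT WITHOUT signature verification.

    Only inspect claims this way after the signature has been verified
    against the realm keys (the Keycloak adapters do that for you)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def delegated_token_problems(claims, me):
    """svc-2's acceptance check; an empty list means the token is usable.

    Rejects tokens not addressed to `me` and tokens that still carry client
    roles for other services, which is the 'downgrade' the exchange itself
    does not perform."""
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if me not in aud:
        problems.append(f"aud {aud} does not include {me}")
    foreign = sorted(set(claims.get("resource_access", {})) - {me})
    if foreign:
        problems.append(f"token carries client roles for {foreign}")
    return problems


def roles_for(claims, me):
    """The only roles svc-2 should act on: its own client roles."""
    return claims.get("resource_access", {}).get(me, {}).get("roles", [])


def unsigned_demo_jwt(claims):
    """Constructed, unsigned token so the example runs offline (demo only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    form = build_exchange_form("svc-1", "SVC1_SECRET", "ORIGINAL_USER_TOKEN", "svc-2")
    print(encode_form(form))
    received = unsigned_demo_jwt({"sub": "user-1", "aud": "svc-2",
                                  "resource_access": {"svc-2": {"roles": ["orders:read"]}}})
    claims = decode_claims(received)
    print(delegated_token_problems(claims, "svc-2"), roles_for(claims, "svc-2"))
```

Whether the exchanged token still contains roles for clients other than the audience depends on the realm's mappers; the receiver-side check makes svc-2's behaviour independent of that, which is the part an intercepted token cannot change.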
Announce of the GuardianKey extension
by Paulo Angelo
Hi all,
We are glad to announce the first release of the GuardianKey extension for
KeyCloak.
On this occasion, we would also like to acknowledge that the KeyCloak
community is very active and contributed a lot by providing directions for
the problems we faced in this foray. A special thank you goes to
Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
GuardianKey is a solution to protect systems against authentication
attacks. We use Machine Learning to analyze the user's behavior, threat
intelligence, and psychometrics (or behavioral biometrics) and provide an
attack risk in real-time. The protected system (in the concrete case,
KeyCloak, via the extension) sends the events via REST to GuardianKey
on each login attempt and can notify users or even block the high-risk
events. Also, there is a panel that presents dashboards about login
attempts. We have cloud and product versions. We note that there is a free
service for small environments. More info at [1].
The extension is available at [2], in which we also included documentation
(docs and video [3]) for its installation, configuration, and use.
We appreciate any suggestions or comments.
[1] https://guardiankey.io
[2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
[3] https://youtu.be/R5QFcH4bXuA
Once again, thank you!
Best regards,
Paulo Angelo
https://www.linkedin.com/in/reddhatt/
5 years, 10 months
keycloak authorization services (enforcer) with RPC API - GraphQL or GRPC
by Eugen Stan
Hello,
I'm trying to figure out how to work with the Authorization Services and
an RPC-style API.
For reference, I'm using spring boot, graphql-java and
graphql-java-tools and keycloak spring security adapter.
I wish to know how I can call the enforcer programmatically in my GraphQL
resolvers.
Since I am not using http paths I need to build the authorization
request depending on which resolver is called.
Some of the API requests are public - they don't require user
authentication.
Some are private and require user authentication and authorization.
*Background*
We have a GraphQL based API that we would like to expose. It's also
multi-tenant and a User (in Keycloak) can be a member of multiple tenants.
What I am trying to achieve is to secure access to resources like
/{org_id}/project/{id} (complex version) or /account/{org_id} (simple
version).
I would like to call the enforcer at the beginning of each resolver and
build the authorization request there, also providing the tenant id for
authorization.
*Example*
I managed to make the integration work and I can get the AccessToken:
How can I make the authorization call and provide the tenant ID to the
policy as a claim?
I know about [cip-spi], just not clear how to make things happen.
I imagine I have to build a resource like /{org_id}/project/{id} and
provide the tenant_id and id values.
    import java.util.concurrent.CompletableFuture;
    import javax.servlet.http.HttpServletRequest;

    import com.coxautodev.graphql.tools.GraphQLQueryResolver;
    import graphql.schema.DataFetchingEnvironment;
    import graphql.servlet.GraphQLContext;
    import org.keycloak.KeycloakPrincipal;
    import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
    import org.keycloak.representations.AccessToken;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class QueryResolver implements GraphQLQueryResolver {
        private static final Logger log = LoggerFactory.getLogger(QueryResolver.class);

        // Project is the application's own domain type
        public CompletableFuture<Project> getProject(Long id, Long tenantId, DataFetchingEnvironment dfe) {
            // graphql-java-servlet exposes the servlet request through its GraphQLContext
            HttpServletRequest req = ((GraphQLContext) dfe.getExecutionContext().getContext())
                    .getHttpServletRequest()
                    .orElseThrow(() -> new IllegalStateException("Request object is missing"));
            // the Keycloak Spring Security adapter sets this token as the request principal
            KeycloakAuthenticationToken authToken = (KeycloakAuthenticationToken) req.getUserPrincipal();
            if (authToken != null) {
                // we have an authenticated user
                KeycloakPrincipal principal = (KeycloakPrincipal) authToken.getPrincipal();
                AccessToken accessToken = principal.getKeycloakSecurityContext().getToken();
                log.info("Authenticated with {}", accessToken.getEmail());
            } else {
                log.info("User not authenticated");
            }
            // the authorization request (enforcer call) and the project lookup go here
            return CompletableFuture.completedFuture(null);
        }
    }
Thanks,
Eugen
[1]
https://www.keycloak.org/docs/4.8/authorization_services/#claim-informati...
5 years, 10 months
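Added example, not from the post and not Keycloak's Java AuthzClient: the same authorization request the Java adapter sends, built at the HTTP level so it can run offline. The form fields are the documented ones for the UMA grant (grant_type, audience, permission, claim_token, claim_token_format, response_mode); the resolver-to-permission table, the resource and scope names, the "svc-api" resource server and the argument names are constructed for the demo. The tenant id is pushed as a claim, which a policy can then read from the claim information point.

```python
"""Authorization request to Keycloak Authorization Services from an RPC
resolver (GraphQL), where there is no HTTP path to enforce on, with the
tenant id pushed as a claim.

Added example, not from the post or from Keycloak's Java AuthzClient. The
form fields are the documented ones for the UMA grant; the resolver table,
resource names, scopes and argument names are constructed for the demo."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
CLAIM_TOKEN_FORMAT = "urn:ietf:params:oauth:token-type:jwt"

# Constructed policy table: resolver -> (resource, scope, {claim: argument name}).
PROTECTED = {
    "getProject": ("project", "view", {"tenant_id": "tenantId", "project_id": "id"}),
    "updateProject": ("project", "edit", {"tenant_id": "tenantId", "project_id": "id"}),
    "getAccount": ("account", "view", {"tenant_id": "orgId"}),
}
PUBLIC = {"listPublicProjects", "version"}


def encode_claim_token(claims):
    """claim_token is base64 of a JSON object whose values are string lists,
    e.g. {"tenant_id": ["42"]}; policies read these as pushed claims."""
    as_lists = {k: [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]
                for k, v in claims.items()}
    return base64.b64encode(json.dumps(as_lists).encode("utf-8")).decode("ascii")


def decode_claim_token(token):
    return json.loads(base64.b64decode(token))


def build_authorization_form(resource_server, resource, scope, claims):
    """Fields for POST /realms/{realm}/protocol/openid-connect/token; the
    user's access token goes in the Authorization: Bearer header.
    response_mode=decision returns {"result": true} or a 403 rather than
    a new RPT, which is all a resolver guard needs."""
    return {
        "grant_type": UMA_GRANT,
        "audience": resource_server,
        "permission": f"{resource}#{scope}",
        "claim_token": encode_claim_token(claims),
        "claim_token_format": CLAIM_TOKEN_FORMAT,
        "response_mode": "decision",
    }


def authorization_form_for(resolver, args, resource_server="svc-api"):
    """None for public resolvers; the form for protected ones; an error for
    resolvers nobody classified, so a new resolver is never silently open."""
    if resolver in PUBLIC:
        return None
    if resolver not in PROTECTED:
        raise PermissionError(f"resolver {resolver!r} has no authorization rule")
    resource, scope, claim_map = PROTECTED[resolver]
    claims = {claim: args[arg] for claim, arg in claim_map.items()}
    return build_authorization_form(resource_server, resource, scope, claims)


def decision_allows(body):
    """Read a response_mode=decision body; anything but result: true denies."""
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False


def ask_keycloak(token_endpoint, user_token, form, opener=urllib.request.urlopen):
    """Send the form with the caller's token; a 403 means denied."""
    req = urllib.request.Request(token_endpoint, data=urlencode(form).encode("ascii"),
                                 method="POST")
    req.add_header("Authorization", f"Bearer {user_token}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with opener(req) as resp:
            return decision_allows(resp.read())
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


if __name__ == "__main__":
    form = authorization_form_for("getProject", {"tenantId": 42, "id": 7})
    print(form["permission"], decode_claim_token(form["claim_token"]))
```

In the resolver, `authorization_form_for` returning None is the "public" branch; for anything else an unauthenticated request is rejected before `ask_keycloak` is called, and the resolver proceeds only on a true decision. The explicit table with an error for unknown resolvers is the fail-closed choice: adding a resolver without classifying it breaks the build rather than exposing it.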
Interesting MySQL error creating a Keycloak project on Openshift
by Murat Doner
Hello,
I just want to create a Keycloak app on OpenShift that uses MySQL.
1- I have created an Openshift project.
2- I created a MySQL instance (as I am not sure if this template
automatically creates one) with these credentials:
user: keycloak
password: password
db : keycloak
3- Then I copied this OpenShift template:
https://github.com/jboss-dockerfiles/keycloak/blob/master/openshift-examp...
But I just changed the Keycloak image: "image": "jboss/keycloak:4.8.1.Final"
(as the keycloak-openshift image is deprecated).
And I am getting this error:
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException:
Cannot load connection class because of underlying exception:
'java.lang.NumberFormatException: For input string: "tcp:"'.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.Util.getInstance(Util.java:408)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
... 56 more
(Note: Stack Overflow link:
https://stackoverflow.com/questions/54907901/interesting-mysql-error-crea...
)
5 years, 10 months
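Added example, not from the post or from the Keycloak image. The trace above shows the MySQL driver trying to parse the string "tcp:" as a port number. Kubernetes and OpenShift inject Docker-link style variables for every Service in the project, so a Service named "mysql" gives each pod MYSQL_PORT=tcp://<cluster-ip>:3306; if a start script uses such a value as a bare port, the JDBC URL ends up exactly in that shape. Whether this is what happened in the template here is my assumption, as are the variable names MYSQL_ADDR, MYSQL_PORT and MYSQL_DATABASE; the environment values are constructed. The example shows the malformed URL beside a guarded version that accepts both a plain port and a service link and fails early otherwise.

```python
"""Why a MySQL JDBC URL can end up with "tcp:" in its port, and how to
assemble it defensively.

Kubernetes/OpenShift gives every pod Docker-link style variables for each
Service, e.g. MYSQL_PORT=tcp://172.30.1.5:3306. A start script that uses
$MYSQL_PORT as a bare port number makes the driver parse "tcp:" as an
integer. Added example, not from the post or the Keycloak image; the
variable names and the assumption about how the image builds its URL are
mine, and the environment values are constructed."""
from urllib.parse import urlsplit


def naive_jdbc_url(env):
    """What a script produces when it trusts MYSQL_PORT blindly (for contrast)."""
    return "jdbc:mysql://{}:{}/{}".format(env.get("MYSQL_ADDR", "mysql"),
                                         env.get("MYSQL_PORT", "3306"),
                                         env.get("MYSQL_DATABASE", "keycloak"))


def resolve_db_endpoint(env):
    """Return (host, port) from the environment.

    An explicit MYSQL_ADDR wins; MYSQL_PORT may be a plain port or a
    tcp://host:port service link, in which case the link supplies the port
    (and the host, if none was given). Anything else raises ValueError so
    the failure is a clear startup message, not a driver stack trace."""
    explicit_host = env.get("MYSQL_ADDR")
    raw_port = env.get("MYSQL_PORT", "3306")
    link_host = None
    if raw_port.startswith("tcp://"):
        link = urlsplit(raw_port)
        link_host = link.hostname
        # .port raises ValueError itself when the link's port is not numeric
        raw_port = str(link.port) if link.port is not None else "3306"
    if not raw_port.isdigit() or not 0 < int(raw_port) < 65536:
        raise ValueError(f"MYSQL_PORT is not a port number: {raw_port!r}")
    return explicit_host or link_host or "mysql", int(raw_port)


def jdbc_url(env):
    """JDBC URL built only from a validated host and port."""
    host, port = resolve_db_endpoint(env)
    return f"jdbc:mysql://{host}:{port}/{env.get('MYSQL_DATABASE', 'keycloak')}"


if __name__ == "__main__":
    # Constructed environment shaped like what a Service named "mysql" injects.
    env = {"MYSQL_PORT": "tcp://172.30.1.5:3306", "MYSQL_DATABASE": "keycloak"}
    print("naive:   ", naive_jdbc_url(env))
    print("guarded: ", jdbc_url(env))
```

The practical check before deploying a template is to print the environment inside the pod and look for any database variable whose value starts with tcp://; a name collision between the template's own variables and the ones the platform injects is the thing to rule out first.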
Give access to his account to a client
by François Gourrier
Hello everyone,
We are currently using Keycloak. We created several clients on a realm. To simplify the management of URIs, we would like to give each client the management of its own account.
The REST API allows modifying the account, but it is not necessary that a customer be able to see the configuration of the other customers, which is nevertheless possible if he has access rights to the service (unless one can restrict access to a single client).
Another option would be for a customer to connect to his account via the back office.
Is there an approach that meets this need?
Thank you in advance.
François GOURRIER
5 years, 10 months
Logged user losing roles after adding a new identity provider mapper
by MEHDi CHAABOUNi
I have Keycloak (4.8.3 FINAL) setup with Azure Active Directory with groups
being mapped to roles. I used to have:
GROUP1 mapped to ROLE1
GROUP2 mapped to ROLE2
Everything was working fine until I added a third identity provider mapper:
GROUP3 mapped to ROLE2
Now, a logged-in user will lose their roles after a while. I still haven't
figured out when it happens; I enabled event logging in the web console of
Keycloak but I can't see anything out of the ordinary. Whenever this
happens, I have to manually delete the user from Keycloak and reload the
application.
Any ideas?
Thanks!
5 years, 10 months