Tomcat session timeout using spring-security adapter
by Ken Haendel
Hello Keycloak users,
I want to secure a web-app using tomcat and the spring-security adapter.
Since the token timeout values are configured in the Keycloak,
1. To which value should I set the Tomcat session timeout so that it does not interfere with the Keycloak token timeouts?
Currently my settings in web.xml are:
<session-config>
    <!-- must be set to infinite for keycloak ??? -->
    <session-timeout>-1</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
and
2. Is there a disadvantage to using indefinite sessions?
Thank you in advance and kind regards,
Ken
Docker and Invalid token issuer
by Svyatoslav Babych
Good morning everyone,
Could you please help me with this, I believe, common problem:
I set up Keycloak in a Docker container, and have a second container that communicates with Keycloak through a private IP.
I acquire an access token through the public IP and then send a request to this second container. As a result I get an "Invalid token issuer" exception.
Unfortunately the second container cannot use the public IP.
I would appreciate any help with this.
Thank you,
Best regards,
Svyat
Svyatoslav Babych | Senior Solution Architect, Technical team Lead
s.babych(a)dataclaritycorp.com
DataClarity Corporation | www.dataclaritycorp.com
User registration with eMail-address already in use shows internalServerError
by Mitra Rajib, Bedag
Dear keycloak-users,
I'm not sure if I'm doing something wrong or if it is by design, but I get an 'internalServerError' message when I'm trying to register a new user with an email address that is already in use by another Keycloak user.
- Realm settings:
  Email as username: Off
  Verify email: On
  Login with email: Off
  Duplicate email: Off
- Keycloak version:
  4.8.3.Final
- Database:
  Postgres
With Keycloak 3.4.3.Final I was faced with the same issue, but received a different error message.
Any pointers would be greatly appreciated!
Best,
Rajib
Re: [keycloak-user] Configuring SMTP settings via rest API
by kapil joshi
Thanks Felix, but I was looking more at the REST API end, as I'm using the
JavaScript adapter of Keycloak.
Can someone point to the REST API way of saving SMTP settings?
Thanks
Kapil
On Fri, Feb 15, 2019 at 5:50 PM kapil joshi <kapilkumarjoshi001(a)gmail.com>
wrote:
> Thanks Felix, but I was looking more at the REST API end, as I'm using the
> JavaScript adapter of Keycloak.
>
> Can someone point to the REST API way of saving SMTP settings?
>
> Thanks & regards
> Kapil
>
> On Fri, Feb 15, 2019 at 3:42 PM Felix Knecht <Felix.Knecht(a)hrm-systems.ch>
> wrote:
>
>> Hi Kapil
>>
>> I use something like
>>
>> import java.util.HashMap;
>> import java.util.Map;
>>
>> import org.keycloak.admin.client.Keycloak;
>> import org.keycloak.admin.client.KeycloakBuilder;
>> import org.keycloak.representations.idm.RealmRepresentation;
>>
>> // Admin client logged in as a user allowed to manage the target realm
>> Keycloak keycloak = KeycloakBuilder.builder()
>>         .serverUrl(serverUrl)
>>         .realm(realm)
>>         .clientId(clientId)
>>         .clientSecret(clientSecret)
>>         .username(username)
>>         .password(password)
>>         .build();
>>
>> // Only smtpServer is set; realm fields left null are not changed by update()
>> RealmRepresentation smtpRealm = new RealmRepresentation();
>> Map<String, String> smtpServer = new HashMap<>();
>> smtpServer.put("host", myHost);
>> smtpServer.put("port", myPort);      // a String, e.g. "587", since the map is String->String
>> smtpServer.put("from", myFrom);
>> smtpServer.put("auth", "true");
>> smtpServer.put("user", mySmtpUser);
>> smtpServer.put("password", mySmtpPassword);
>> smtpRealm.setSmtpServer(smtpServer);
>>
>> // Sends PUT /admin/realms/{realm} with the partial representation
>> keycloak.realms().realm(myRealm).update(smtpRealm);
>>
>> Regards
>> Felix
>>
>>
>> > -----Original Message-----
>> > From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-
>> > bounces(a)lists.jboss.org> On behalf of kapil joshi
>> > Sent: Thursday, 14 February 2019 19:49
>> > To: keycloak-user(a)lists.jboss.org
>> > Subject: [keycloak-user] Configuring SMTP settings via rest API
>> >
>> > Hi all,
>> >
>> > I wanted one small example of configuring SMTP settings via rest API.
>> >
>> > We are planning to create a UI similar to Keycloak's, but use the REST
>> API to set it.
>> >
>> > Also, how can I test the saved settings, i.e. check whether they were saved or not?
>> >
>> > Thanks
>> > Kapil
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
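The REST calls behind Felix's admin-client snippet, written out with plain `urllib` so the request shapes are visible. This is an added example, not code from the thread or from the Keycloak project: the host, realm, admin credentials and SMTP values are placeholders, and the persistence check assumes the admin API returns the SMTP password masked on read, which is why that key is excluded from the comparison.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Hypothetical server/realm values for this example (not from the thread).
BASE_URL = "https://keycloak.example.com:8443"
REALM = "myrealm"


def admin_token(base_url: str, admin_user: str, admin_password: str) -> str:
    """Get an admin access token from the master realm's token endpoint
    (password grant with the built-in admin-cli public client)."""
    form = urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": admin_user,
        "password": admin_password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/auth/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def smtp_realm_representation(host, port, from_addr, user, password,
                              starttls=True) -> dict:
    """Partial RealmRepresentation carrying only smtpServer. All values are
    strings because the admin API models smtpServer as a string map; fields
    not present in the body are left unchanged by the realm update."""
    return {"smtpServer": {
        "host": host,
        "port": str(port),
        "from": from_addr,
        "auth": "true",
        "starttls": "true" if starttls else "false",
        "user": user,
        "password": password,
    }}


def update_realm(base_url, realm, token, representation) -> int:
    """PUT /auth/admin/realms/{realm}; Keycloak answers 204 on success."""
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms/{realm}",
        data=json.dumps(representation).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def read_smtp(base_url, realm, token) -> dict:
    """GET /auth/admin/realms/{realm} and return its smtpServer map."""
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms/{realm}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("smtpServer", {})


def settings_persisted(sent: dict, stored: dict) -> bool:
    """Check that every non-secret key sent is stored with the same value.
    The password is skipped: the admin API does not return it in clear
    (assumption: it comes back masked), so it cannot be compared."""
    return all(stored.get(k) == v for k, v in sent.items() if k != "password")


if __name__ == "__main__":
    token = admin_token(BASE_URL, "admin", "change-me")
    rep = smtp_realm_representation("smtp.example.com", 587,
                                    "noreply@example.com", "smtp-user", "smtp-secret")
    print("update status:", update_realm(BASE_URL, REALM, token, rep))
    stored = read_smtp(BASE_URL, REALM, token)
    print("persisted:", settings_persisted(rep["smtpServer"], stored))
```

Reading the realm back after the PUT is the "is it saved or not" check Kapil asks for; whether the server can actually send mail is a separate question that the admin console's test-connection button answers, not this round trip.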
Keycloak as OpenID Connect provider for Liferay Portal 6.2
by Chris Smith
Liferay Portal has an OpenID Connect plugin, configured by a property file with these properties:
openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/token
openidconnect.authorization-location=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/auth
openidconnect.profile-uri=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/userinfo
openidconnect.issuer=https://<my keycloak and port>/auth/realms/CMFIRST/protocol/openid-connect/certs
openidconnect.client-id=Portal
openidconnect.secret=<my secret>
openidconnect.scope=openid profile email
Property docs are at the end of the email.
My Keycloak client is an out-of-the-box setup.
Here are the realm keys (Algorithm / Type / Kid / Priority / Provider):
AES     OCT   <a uuid>      100   aes-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/rea...>
HS256   OCT   <a uuid>      100   hmac-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/rea...>
RS256   RSA   <something>   100   rsa-generated<https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/rea...>   Public key   Certificate
Liferay does not like the JWT signature:
13:09:39,833 WARN [http-bio-8080-exec-10][Liferay62Adapter:46] The token was not valid: -- JWT --__Raw String: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0.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.APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg__Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}__Claims Set: {"iss": "https://<my kc host and port>/auth/realms/CMFIRST", "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp": 1550582079, "nbf": "0", "iat": 1550581779, "jti": "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }__Signature: APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg__--------- [Sanitized]
I don't have these problems in my web apps; they use the Tomcat adapter and have no issue with the JWT signature.
Any suggestions?
Property docs
Portal properties
The following portal properties can be set. They are required unless specified as optional.
openidconnect.enableOpenIDConnect
Whether to enable the plugin (effectively allowing you to disable the plugin without uninstalling it). Boolean, either 'true' or 'false'. Default is false.
openidconnect.authorization-location
Complete url to the OpenID Connect Provider's authorization location. Example for Google: https://accounts.google.com/o/oauth2/v2/auth
openidconnect.token-location
Complete url to the OpenID Connect Provider's token location. Example for Google: https://www.googleapis.com/oauth2/v4/token
openidconnect.profile-uri
Complete URL to the 'user info' endpoint. Example for Google: https://www.googleapis.com/plus/v1/people/me/openIdConnect
openidconnect.sso-logout-uri (Optional)
openidconnect.sso-logout-param (Optional)
openidconnect.sso-logout-value (Optional)
Complete URL to the 'SSO logout' endpoint. Ignored if empty. After redirection to the given URL, the OpenID Connect Provider should redirect to the Liferay Portal home page (or another public after-logout-resource). This target may be included in this URL as a URL parameter or may be configured for the OpenID Connect Provider.
openidconnect.issuer
The information retrieved from the user info endpoint has to be verified against a preconfigured string, according to the OpenID Connect spec. This 'issuer' claim is used for that. Example for Google: https://accounts.google.com
openidconnect.client-id
Register your Liferay portal as a 'client app' with the Google developer console, and the resulting client id is the openid connect client id. Non-working example for Google: 7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com
openidconnect.secret
Secret of the client, after registration of the Liferay portal, just like the client-id.
openidconnect.scope
Scope(s) of the access token (space separated), should be the same (or a subset) of the scopes allowed by the provider to the client. Default value: openid profile email
openidconnect.provider (Optional)
Type of OpenID Connect provider. Supported values: generic (default), azure. For most Provider implementations, the generic provider works. For Azure, use the value azure as this makes slight changes to the fields sent as UserInfo.
Does Keycloak support WebSphere 8.5.x?
by Quoc Truong
Hello,
My enterprise application supports both JBoss EAP 7.x and WebSphere 8.5.x. I'm currently using JAAS for both application servers. I'd like to change my enterprise application to also support Keycloak, but I couldn't find the Keycloak adapter for WebSphere.
I'd like to know if there is WebSphere support for Keycloak? If WAS is supported, where can I acquire documentation as well as where to download Keycloak adapter for WAS?
Thanks,
Quoc
Changing logging format?
by Tim Ward
We're using Keycloak in Kubernetes using the jboss/keycloak Docker image.
We want to import the logs into Elasticsearch, but the default logging format is not useful because the date is missing (only the time is included).
How can I change the logging format to include the date?
Preferably without having to build a custom Docker image, so by passing command line parameters and/or mounting files into the container?
(It would be nice to get rid of the colour codes from the log messages as well, but that's not a big deal because I can strip them off later.)
Tim Ward
Version endpoint removal
by Matt Evans
Hi
I was wondering why the /auth/version endpoint was removed in 4.0.0?
Thanks
Matt
Invalid code error
by Ondrej Scerba
Hi,
I'm trying to integrate Grafana and Keycloak. I'm getting the following error when trying to authenticate against Keycloak:
type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.80.10.25, error=invalid_code
Any idea what could be wrong, or what the error message is indicating?
Thanks,
Ondrej