How to ignore access token from external IDP and only look for ID_TOKEN?
by Mart Abel
Hi, I need to integrate external identity provider to Keycloak and in that External Identity provider all the info about the user is forwarded in Identity token.
This is what I get back from the /oidc/token endpoint
{
"access_token": "AT-40-aswvpV85wez9xpZTNsmKnaFlkafmHPe7",
"token_type": "bearer",
"expires_in": 28800,
"id_token": "JWTIDENTITYTOKEN"
}
JWTIDENDITYTOKEN payload:
{
"jti": "XXXX",
"iss": "XXXX",
"aud": "XXXX",
"exp": 1550511120,
"iat": 1550482320,
"nbf": 1550482020,
"sub": "ZZZZZ",
"profile_attributes": {
"date_of_birth": "ZZZ",
"family_name": "ZZZ",
"given_name": "ZZZ"
},
"amr": [
"ZZZ"
],
"state": "hkMVY7vjuN7xyLl5",
"nonce": "",
"at_hash": "ndHD+z4/M/If7NGFUEOOig=="
}
1) So as you can see, that Access_token is not in jwt format so that is a problem number 1 because Keycloak will give me a error when it gets it in that format. How to disable it or change it somehow?
"Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint."
2) So then I mocked the IDP just to test it and changed Access_token to some jwt formated token and then it told me Invalid paramater, username is missing.
How to configure Keycloak like that I could get all the data from ID_token and having Access token in that format would not break the flow?
Thanks!
________________________________
Disclaimer: This email and its attachments might contain confidential information. If you are not the intended recipient, then please note that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Please notify the sender immediately by replying if you have received this e-mail by mistake and delete it from your system. Kindly note that although Finestmedia and its subsidiaries have taken reasonable precautions to ensure that no viruses are present in this email, Finestmedia and its subsidiaries cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
5 years, 10 months
Extending "Add User UI"
by Pavel Micka
Hi,
what is the easiest way to extend Keycloak UI? In our scenario the user may have a privilege to manage resources belonging in some group, but not be a member of this group.
Our idea how to implement this is to have group selector on "Add User" page, which would either store the data into user attribute or into new JPA entity created for this. The question is, what is the easiest way to extend Keycloak JavaScript. I found in docs how to change the templates, but this is definitely much more in depth.
Thanks,
Pavel
5 years, 10 months
Session idle timeout and KeycloakSecurityContextRequestFilter
by Enguerrand Dibanda
Hello community,
I'am using keycloak to secure an application with the
keycloak-spring-security-adapter version 4.8.3.Final. This is not a
spring-boot application.
I want to display a popup to the user says 5 minutes before the session
timeout to give him/her a chance to save his/her work. To do that I use the
refreshToken expiration date which match the "session idle timeout" config
in Keycloak to compute how long the session is still valid.
The issue I'm facing however is that all requests go through the
KeycloakSecurityContextRequestFilter which refreshes the access token when
it expires but will also get a new refresh token prolonging the session
automatically.
My workaround was to insert a filter before the
KeycloakSecurityContextRequestFilter which will put the same FILTER_APPLIED
variable in the request that the KeycloakSecurityContextRequestFilter sets
when applied to be able to skip that filter for the session check url. This
works but I'm not very happy with that solution because it is not very
elegant and rely on private data of the
KeycloakSecurityContextRequestFilter.
Is there maybe a better way to configure excludedUrls for the
KeycloakSecurityContextRequestFilter?
Shouldn't the keycloak-spring-security-adapter make that filter
automatically skip unsecured urls, i.e urls declared as
.antMatcher("/unsecured").permitAll() ?
Or maybe I'm not taking the right approach to solve this issue?
best regards,
5 years, 10 months
How to set the user login in registration process.
by Jérôme Blanchard
Hi all,
I would like to know if it possible to start the registration process by
fixing the username (a specific email) in some cases (by giving a url param
or something like that).
In my app I send invitations to member's email and I'de like the user to
use the same email during keycloak registration process so I want my app to
redirect to registration form with this particular email as a readonly form
param.
I imagine I can provide a dedicated template allowing the username email
readonly in some cases but I can't figure how to access url specific
parameters in this template ?
Thanks for your help, best regards, Jérôme.
5 years, 10 months
Still no luck with native iOS Facebook auth
by Andrew J. Alexander
I am just completely lost here.
I need to integrate the Facebook SDK directly with Keycloak - Facebook is
threatening to remove the ability to login entirely from my client's app.
I am, however, absolutely and completely lost with how to do this in
Keycloak.
Here's my original post:
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html
And I am wondering a similar question - is there a way to use native
Facebook access token to authenticate with Keycloak?
Facebook is saying that they want my client to update their app to use the
Facebook SDK for login as opposed to non-standard SDK (i.e.
AeroGear/Keycloak)
I am trying to use the token provided by Facebook on successful login, with
absolutely no luck.
What is the recommended way (or is there a guide) on how to do this?
Is there absolutely any compliant way to integrate the iOS Facebook SDK
with Keycloak? Anything at all? I've been working on this for two weeks and
I'm completely lost and have no idea how to do it.
5 years, 10 months
Offline Token Issue
by Shetty, Shweta
I am using an offline token to refresh and using the following api : auth/realms/uda/protocol/openid-connect/token
grant_type=refresh_token
refresh_token=AAAA
Basic Auth with the client credentials
I am getting the following error? What does it mean to not have session? I do see active sessions in the admin dashboard on the client. What should I do to avoid getting this error ?
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}
5 years, 10 months
Configuring SMTP settings via rest API
by kapil joshi
Hi all,
I wanted one small example of configuring SMTP settings via rest API.
We are planning to create one similar UI as like keycloak. But use rest API
to set it.
Also how to test the saved settings, like is it saved or not
Thanks
Kapil
5 years, 10 months
UMA specs submitted to IETF
by Pedro Igor Silva
Hi,
The UMA work group did an important move this week by contributing [1] UMA
2.0 specs to IETF.
As an OAuth2 extension, UMA aims to leverage OAuth2 in order to support
asynchronous authorization, loosely coupled AS, clients and resource
servers (in regards to authorization to protected resources) as well as
give to resource owners more control over the permissions that govern
access to their protected resources.
Regards.
Pedro Igor
[1] https://mailarchive.ietf.org/arch/msg/oauth/r1mFPzQaXy322wSR3my5i1uCdXQ
5 years, 10 months
How to add roles to acquired LDAP user
by Vecchietti Marco
Hi,
I know it's possible to map roles from LDAPto keycloak roles, I found documentation and samples on it.
Unfortunatelly I need or I'd like to do the reverse work: maps keycloak roles to LDAP users.
There's a way, for instance by extension or callback, to intercept login phase and enrich user with a specific set of roles. The goal is to obtain as a response a token (JVT token) with added roles.
Otherwise I should use keycloak as authetication sever and a separated application server as authorization server.?
Best regards
Marco Vecchietti
Questo messaggio e i suoi allegati sono indirizzati esclusivamente alle persone indicate. La diffusione, copia o qualsiasi altra azione derivante dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora abbiate ricevuto questo documento per errore siete cortesemente pregati di darne immediata comunicazione al mittente e di provvedere alla sua distruzione, Grazie.
This e-mail and any attachments is confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail, Thanks.
Rispetta l'ambiente. Non stampare questa mail se non è necessario.
5 years, 11 months
