How to migrate passwords
by Robert Smol
Hi,
I am trying to follow chapter 11.9 in server development to migrate users
from an existing database to Keycloak. I've implemented UserStorageProvider
and CredentialInputValidator and unlinked the user in the isValid method.
However, I am not sure how to transfer the credential to Keycloak. In our
local database we have only hashes, so the only moment we have access to
the password is, again, only in isValid.
Is this the right method to transfer the password, and how do I set it on the
UserModel?
Regards,
Robert Smol
5 years, 10 months
Springboot adaptor issue with browser bookmark
by Hylton Peimer
We have a SpringBoot application secured by Keycloak using the
KeycloakWebSecurityConfigurerAdapter.
When the Keycloak login page is reached the URL contains a query string
with "state" and "session_state".
Some of our users bookmark this login page in their browser, which stores
the query string (including state & session_state).
When they return to the page using the bookmark, they get an error.
How can I avoid this situation?
Or if there is no way, does it make sense to catch the error and redirect
the user to the correct page without the problematic query string?
5 years, 10 months
Re: [keycloak-user] Fine Grained user permission in Admin console
by David Erie (US)
For the record, we have a similar requirement for which we'd like to use fine grained permissions in the admin app. So we were wondering the same thing about when it will become fully supported, etc.
Thanks,
Dave
===============================
Hello everyone,
we will be using fine grained user permissions in admin console in our application. The motivation is simple: customers will be managing their realms directly in Keycloak and we want to make sure that they will not jailbreak (assign higher privileges than they currently have).
We have noticed that this feature is in preview, even though it seems that it has been in Keycloak since version 3.2.0 (https://issues.jboss.org/browse/KEYCLOAK-3444).
We would like to ask if there are any plans to make it an "official"/default part of the installation, or if there are plans to change the functionality in upcoming versions (so we do not base our solution on this feature only to have it discontinued in the next version of Keycloak).
Thanks very much for any info.
Regards,
Pavel
5 years, 10 months
Users losing their roles for no apparent reason
by MEHDi CHAABOUNi
Hi,
This is our Keycloak setup:
- Keycloak docker container 4.4.0.Final
- Azure Active Directory (mapping groups to roles)
- Keycloak client protocol: openid-connect
- 3 optional client scopes
We have one back-end application (spring-boot) and one front-end
application (angular).
We noticed lately that users using the front-end started losing their roles
for no apparent reason. I still can't figure out when it happens.
The only roles (authorities) left are offline_access and uma_authorization.
Deleting the user from Keycloak fixes the problem after reloading the
front-end but eventually the roles disappear again after a while.
Upgrading to the latest version of Keycloak didn't help.
Any ideas?
Thank you!
5 years, 10 months
Re: [keycloak-user] Google + service shutdown
by Corentin Dupont
Hi Marc,
I followed the tutorial at this page:
https://www.keycloak.org/docs/3.0/server_admin/topics/identity-broker/soc...
My application doesn't talk to G+ API directly. I do everything through
Keycloak.
Does that mean that I will not be able to use the Google Identity provider
on Keycloak? Will this service be removed from new Keycloak versions?
On Tue, Mar 5, 2019 at 1:06 PM <Markus.Keller1(a)swisscom.com> wrote:
> Hi Corentin
>
> Google will shut down the public version of G+. The business version for
> companies will still be available. It looks like the API you use is for the
> public version only. Do you connect via
> https://www.googleapis.com/plus/v1/people/me/openIdConnect ?
>
> In that case they will shut down the API at least in April 2019 and you
> cannot use it any longer.
>
> Markus
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> On behalf of Corentin Dupont
> Sent: Tuesday, 5 March 2019 11:12
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Subject: [keycloak-user] Google + service shutdown
>
> Hi guys,
> is there any action I need to take regarding Google + shutdown?
> https://developers.google.com/+/api-shutdown
>
> I use Keycloak 4.4.0.Final.
> Google sends me regular email telling I'm using the soon deprecated API
> function plus.people.getOpenIdConnect.
>
> Thanks
> Corentin
5 years, 10 months
keycloak customization in docker without CURL-admin-calls
by Matuszak, Eduard
Hello
We want to migrate our platform to docker. Up to now we have a lot of Keycloak configuration statements running as CURL-subscripts for creation and customization of our realms in our rpm-package. The question is how, if ever possible, we might overcome using the admin-REST-API for customization in a reasonable way. To my understanding keycloak-admin-cli does not cover all possibilities the admin-REST-API provides, and on the other hand importing realms from an exported prototype-keycloak also does not really seem to be a smart solution. Do you have any idea or hint?
Best regards, Eduard Matuszak
5 years, 10 months
Set user temporary password
by Vecchietti Marco
Hi everyone,
I am using the keycloak API to configure the first (temporary) password of a new user.
My wish is to enter an encrypted password. The CredentialRepresentation data structure has various hash fields. Is it possible to do this?
Should I use the same hash rules used by Keycloak to save passwords in the db?
Thanks for your help!
Marco
5 years, 10 months
add config to authentication execution
by akula2000
Dear all,
I'm having trouble automating my keycloak configuration via kcadm/rest api. I would like to add a config to an authentication execution, which seems to be impossible without knowing the execution id. What I'm doing:
kcadm create authentication/executions/%execution_id%/create -r realm_name -s alias=alias_name -s "config.defaultProvider=saml"
I would like to avoid using the %execution_id% and use maybe an execution name or an alias or something like that as the id is unknown until the realm is created, which is done from the script.
I could get it first and then parse it, however my script is written in cmd batch and... honestly I haven't found a way to parse it neatly. If there is a nice clean way to do it then that'll do as well. Is there maybe a third way to do this?
I am very grateful since this is the only part of my config that I couldn't figure out.
Thanks a LOT,
miro
5 years, 10 months