Mariadb driver version
by Andrew Meyer
What mariadb Java driver version should I use when using mariadb 10.1.x as the server?
5 years, 9 months
Account linking as a required login action
by Erik Orbons
Hello,
I'm facing difficulties implementing a specific requirement using Keycloak. Since searches on the topic also came up empty I'm hoping someone could shed some insight into how I can approach the following situation:
We have a Keycloak realm containing user accounts that can access several clients also within the same realm, all pretty standard. This realm also has a federated identity provider (using OpenID Connect) which can be linked to the local accounts and for which external claims are mapped to local user attributes.
One of our client applications requires the attributes from the external identity provider to be present, which may not be the case if the user hasn't set up the account link yet (through explicit linking or brokered login). Also from a strategic point of view we want to encourage users to log in using their local accounts instead of the external accounts (we're using this construction as a first step to migrate away from the external IDP).
Now I'm tasked with the challenge to come up with a login flow that, after a normal local login (form+OTP), checks if the link to the external account is present and, if not, presents the user with the choice to set up the link there and then as part of the login flow. I've tried:
- Implementing a custom authenticator that checks if the IDP link is present. Combined with the IDP redirector authenticator I'm able to force a login at the external IDP. After being redirected back to Keycloak the user enters the first broker login flow, however any kind of customization there doesn't seem to allow me to link the external account to the existing local account without re-authentication (which doesn't make sense from a user point of view because he or she just logged in to the local account).
- It occurred to me that a required action might be a more suitable solution, however Keycloak doesn't appear to offer such functionality out of the box and so far I've come up blank as to how to implement this specific use case as a required action.
As for my questions:
1) What would be the best way to approach this specific use case using Keycloak? Or perhaps there's a good reason why I should avoid this situation that I haven't spotted yet?
2) Assuming customization is required: could someone share some pointers as to how to implement the account linking as a required login step? I've implemented my fair share of required actions and authenticators, so I'm familiar with the basics.
Thank you, any insights are greatly appreciated!
Regards,
Erik
5 years, 9 months
Best practice for getting roles for all users
by Benjamin Huskic
Hello everybody,
I need to query a list of all users with their roles in our application. I would like to avoid calling GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm for every user (~10000). GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. I have read the API documentation and tried to find any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the number of calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented.
I would like to know if there is a best practice for getting roles for all the users, because calling the role-mapping endpoint a million times is very inefficient.
Thank you in advance
Kind regards,
Benjamin
Benjamin Huskić
Founder & Solution Director
mobile: +971-5444-9-4664
email: benjamin.huskic(a)thequalitygate.com
web: http://www.thequalitygate.com
5 years, 10 months
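One way to avoid the per-user role-mapping call is to invert the walk: list the realm roles once and ask the admin API for the members of each role. The following is an added example, not code from the original mail or from Keycloak; it assumes the admin REST endpoints GET /admin/realms/{realm}/roles and GET /admin/realms/{realm}/roles/{role-name}/users (paged with first/max), and takes the HTTP client as a hypothetical `fetch(path, params)` callable so that it runs offline against the constructed sample realm at the bottom.

```python
"""User -> realm-role map built by walking roles instead of users.

Added example, not code from the original post or from Keycloak. It assumes
two endpoints of the Keycloak admin REST API:
  GET /admin/realms/{realm}/roles                    all realm roles
  GET /admin/realms/{realm}/roles/{role-name}/users  users holding that role,
                                                     paged with first/max
Realms usually have far fewer roles than users, so the request count scales
with roles x pages rather than with the user count. The HTTP layer is a
hypothetical `fetch(path, params) -> parsed JSON` callable injected by the
caller, which lets the aggregation run offline against constructed data.
"""
from collections import defaultdict
from urllib.parse import quote, unquote

PAGE_SIZE = 100


def iter_pages(fetch, path, page_size=PAGE_SIZE):
    """Yield items from a first/max paginated admin endpoint until a short page."""
    first = 0
    while True:
        page = fetch(path, {"first": first, "max": page_size})
        yield from page
        if len(page) < page_size:
            return
        first += page_size


def roles_by_user(fetch, realm):
    """Return {username: sorted list of realm roles}, one request per role page."""
    base = f"/admin/realms/{quote(realm, safe='')}"
    roles = defaultdict(set)
    for role in fetch(f"{base}/roles", {}):
        name = role["name"]
        users_path = f"{base}/roles/{quote(name, safe='')}/users"
        for user in iter_pages(fetch, users_path):
            roles[user["username"]].add(name)
    return {u: sorted(r) for u, r in sorted(roles.items())}


def count_requests(fetch, realm):
    """Wrap `fetch` to count how many HTTP calls roles_by_user() issues."""
    calls = []

    def counting(path, params):
        calls.append(path)
        return fetch(path, params)

    roles_by_user(counting, realm)
    return len(calls)


# --- constructed sample data standing in for a real realm -------------------
SAMPLE_ROLES = [{"name": "admin"}, {"name": "auditor"}, {"name": "offline_access"}]
SAMPLE_ROLE_USERS = {
    "admin": [{"username": "alice"}],
    "auditor": [{"username": "alice"}, {"username": "bob"}],
    # 250 members -> three pages of 100 / 100 / 50
    "offline_access": [{"username": f"user{i:03d}"} for i in range(250)],
}


def fake_fetch(path, params):
    """Offline stand-in for the admin API; slices by first/max like the server."""
    if path.endswith("/roles"):
        return SAMPLE_ROLES
    role = unquote(path.split("/roles/")[1].rsplit("/users", 1)[0])
    members = SAMPLE_ROLE_USERS[role]
    first, max_ = params.get("first", 0), params.get("max", len(members))
    return members[first:first + max_]


if __name__ == "__main__":
    mapping = roles_by_user(fake_fetch, "demo")
    print(mapping["alice"], len(mapping), "users")
    print(count_requests(fake_fetch, "demo"), "requests instead of", len(mapping) + 1)
```

Against the sample realm this issues 6 requests (one for the role list, five role-member pages) for 252 users, where the per-user approach needs one request per user plus the user listing. Two caveats: the role-members endpoint reports direct realm-role assignments, so roles inherited through groups or composite roles have to be expanded separately, and client roles need the corresponding client-role members endpoint rather than the realm one.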
Keycloak to Keycloak identity brokering fails with "No access_token from server"
by Jody H
Hi,
we have a keycloak instance up and running which we want to use for identity brokering (https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_br...) with another keycloak instance.
We use the keycloak to keycloak identity broker method, which is offered in the admin dashboard of keycloak. After configuring the required fields and setting the authentication method for the browser flow to redirect to our "keycloak identity broker", we get an exception in the server logs of the "consuming keycloak":
14:38:09,312 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-52) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:476)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:344)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:422)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
I have described the problem more in-depth in this JIRA ticket:
https://issues.jboss.org/browse/KEYCLOAK-9829
Has someone set up keycloak to keycloak identity brokering before?
Am I missing some configuration in the client settings within my "keycloak identity broker"?
Thanks
Jody
5 years, 10 months
saml idp broker logout
by Manuel Waltschek
Hello KC community,
I try to implement logout with SAML by doing Httprequest.logout() as documented in the KC docs, but it seems that I keep the session cookie and nothing happens.
Any workarounds for this?
regards
Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek(a)prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
5 years, 10 months
keycloak saml idp redirect to specific url
by Manuel Waltschek
Hello KC community,
I am trying to configure my saml client of a brokered IdP. I want to redirect to a specific url after login so I tried to configure
Root URL = https://myhost.bla/myapp
Valid Redirect URIs = https://myhost.bla/myapp/myurl
Base URL = myurl
But it always redirects me to https://myhost.bla/myapp after successful login.
Can you please tell me what each of them really does?
regards
Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek(a)prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
5 years, 10 months
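The three settings in the question interact in a way that is easiest to see by modelling them. The code below is an added example, not Keycloak's code: it implements the documented rules for the Valid Redirect URIs field in simplified form (exact match, a trailing `*` as prefix wildcard, relative entries resolved against Root URL) and applies them to the URLs from the thread plus a few constructed ones, including a deliberately loose wildcard so its effect is visible.

```python
"""Redirect-URI validation modelled on Keycloak's client settings.

Added example, not Keycloak's code. It models the documented rules for the
"Valid Redirect URIs" client field (exact match, a trailing * as prefix
wildcard, relative entries resolved against Root URL) in simplified form so
the effect of each setting can be checked on constructed inputs.
"""
from urllib.parse import urlsplit

ROOT_URL = "https://myhost.bla/myapp"  # Root URL from the thread


def resolve_valid_redirects(root_url, entries):
    """Make relative entries ('/myurl', '/*') absolute against Root URL."""
    resolved = []
    for entry in entries:
        if "://" in entry:
            resolved.append(entry)
        else:
            resolved.append(root_url.rstrip("/") + "/" + entry.lstrip("/"))
    return resolved


def is_valid_redirect(redirect_uri, root_url, entries):
    """True if redirect_uri matches a resolved entry exactly or via a trailing *."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    target = redirect_uri.split("#", 1)[0]  # the fragment never reaches the server
    for pattern in resolve_valid_redirects(root_url, entries):
        if pattern.endswith("*"):
            if target.startswith(pattern[:-1]):
                return True
        elif target == pattern:
            return True
    return False


def accepted(entries, root_url, candidates):
    """Which candidate URLs a given Valid Redirect URIs configuration lets through."""
    return [c for c in candidates if is_valid_redirect(c, root_url, entries)]


# Constructed candidates: the URL from the thread, a sibling path, a different host
# whose name merely starts with ours, and a scheme-relative URL.
CANDIDATES = [
    "https://myhost.bla/myapp/myurl",
    "https://myhost.bla/myapp/other?state=1",
    "https://myhost.bla.example.invalid/",
    "//myhost.bla/myapp/myurl",
]

if __name__ == "__main__":
    for entries in (["https://myhost.bla/myapp/myurl"], ["/*"], ["https://myhost.bla*"]):
        print(entries, "->", accepted(entries, ROOT_URL, CANDIDATES))
```

In my reading of the admin documentation, Base URL is the default URL Keycloak uses when it needs to link back to the client; the destination after login in a protocol flow comes from the request itself (the OIDC redirect_uri, or the assertion consumer service URL for SAML) and is only checked against the Valid Redirect URIs. The third configuration in the demo shows why a wildcard belongs after a path separator: `https://myhost.bla*` also accepts `https://myhost.bla.example.invalid/`, while `/*` resolved against the Root URL only accepts paths below `/myapp/`.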
Terms and conditions on the registration page
by Андрей Ушаков
Hi, keycloak has a "terms and conditions" feature, but it appears only on the next page after registration. Is there a way to put it on the registration page as a checkbox using the admin panel?
If not, will security be impacted if I do it programmatically via JS and by editing register.ftl?
5 years, 10 months
Changes in Keycloak 3.4.3 SAML Logout Requests Spec
by Jyoti Kumar Singh
Hi Team,
We are seeing a slight difference in the SAML logout request (specifically the *<samlp:SessionIndex>* tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0. Below is the sample logout response for the same.
If you notice the highlighted section, you can see the *SessionIndex* value in Keycloak 3.1.0 is one dynamic value, but the *SessionIndex* in Keycloak 3.4.3 is separated by "*::*". I would like to know the significance of this separation.
It seems that some SAML Service Providers are not able to recognize this change in the SessionIndex tag (formed by Keycloak 3.4.3) and throw an *Error during Base64 decoding of LogoutRequest* error. Please suggest your thoughts on this.
Kindly let me know if you need any further clarification on this.
*#SAML Logout Request for Keycloak 3.1.0 :-*
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://xxxxxxxx/sap/hana/xs/saml/logout.xscfunc"
    ID="ID_d3b2da60-3206-4d3f-9596-9d67427ffa5a"
    IssueInstant="2019-03-15T07:51:25.547Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxxxxxx/auth/realms/XXXXX</saml:Issuer>
  <samlp:Extensions>
    <kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="LxW4jzZXu92jXUeZF9-CSmp0vUMajPpPsVU0RabB4Mk"/>
  </samlp:Extensions>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx(a)xxx.com</saml:NameID>
  *<samlp:SessionIndex>4d0ad6ad-370a-4a3a-b6ef-eaaaed06dad3</samlp:SessionIndex>*
</samlp:LogoutRequest>
*#SAML Logout Request for Keycloak 3.4.3 :-*
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://xxxxxx/sap/hana/xs/saml/logout.xscfunc"
    ID="ID_9d769896-1798-4e66-acef-263b0270bb19"
    IssueInstant="2019-03-15T07:59:32.178Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://xxxxx/auth/realms/XXXXX</saml:Issuer>
  <samlp:Extensions>
    <kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="HyaGrSnYhspOs2ZZj1vUX5EufQIa4-uh3mBL8FCl7oc"/>
  </samlp:Extensions>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    xxxx(a)xxx.com
  </saml:NameID>
  *<samlp:SessionIndex>28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a</samlp:SessionIndex>*
</samlp:LogoutRequest>
--
With Regards, Jyoti Kumar Singh
5 years, 10 months
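A small parser makes the difference between the two requests concrete and separates the two failure modes the SP error message blurs together (the request failing to Base64-decode at all versus its SessionIndex having an unexpected shape). The code below is an added example, not code from the mail or from Keycloak. The two documents are constructed from the requests quoted above with the hosts replaced by `.invalid` placeholders; it decodes both the POST binding (plain Base64) and the Redirect binding (Base64 of raw DEFLATE) and treats a `::`-separated SessionIndex as an opaque composite, making no claim about what Keycloak encodes in either half.

```python
"""Extract and split SessionIndex values from a SAML 2.0 LogoutRequest.

Added example, not code from the original mail or from Keycloak. The two
documents below are constructed from the requests quoted in the thread, with
hosts replaced by .invalid placeholders. xml.etree is acceptable here because
the input is constructed; a LogoutRequest received from a peer should go
through a hardened parser such as defusedxml before any of this runs.
"""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SEPARATOR = "::"  # separator seen in the 3.4.3 request

LOGOUT_3_1_0 = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example.invalid/saml/logout"
    ID="ID_d3b2da60-3206-4d3f-9596-9d67427ffa5a"
    IssueInstant="2019-03-15T07:51:25.547Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.invalid/auth/realms/demo</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
  <samlp:SessionIndex>4d0ad6ad-370a-4a3a-b6ef-eaaaed06dad3</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# The 3.4.3 sample in the thread also carries whitespace around element text,
# which is why the extractor strips it before comparing.
LOGOUT_3_4_3 = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.example.invalid/saml/logout"
    ID="ID_9d769896-1798-4e66-acef-263b0270bb19"
    IssueInstant="2019-03-15T07:59:32.178Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.invalid/auth/realms/demo</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    user@example.invalid
  </saml:NameID>
  <samlp:SessionIndex>
    28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a
  </samlp:SessionIndex>
</samlp:LogoutRequest>"""


def decode_post_binding(saml_request_b64):
    """POST binding: SAMLRequest is plain Base64 of the XML document."""
    raw = base64.b64decode(saml_request_b64, validate=True)  # raises ValueError on bad input
    return raw.decode("utf-8")


def decode_redirect_binding(saml_request_b64):
    """Redirect binding: Base64 of raw DEFLATE (no zlib header), hence wbits=-15."""
    raw = base64.b64decode(saml_request_b64, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text):
    """Inverse of decode_redirect_binding, used to produce test input offline."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def session_indexes(xml_text):
    """Return the stripped text of every samlp:SessionIndex in a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"expected samlp:LogoutRequest, got {root.tag}")
    return [el.text.strip() for el in root.findall("samlp:SessionIndex", NS) if el.text]


def split_session_index(value):
    """Split on '::' and report whether the value is a composite of several parts."""
    parts = value.split(SEPARATOR)
    return {"raw": value, "parts": parts, "composite": len(parts) > 1}


def describe(xml_text):
    return [split_session_index(v) for v in session_indexes(xml_text)]


if __name__ == "__main__":
    for label, doc in (("3.1.0", LOGOUT_3_1_0), ("3.4.3", LOGOUT_3_4_3)):
        print(label, describe(doc))
    print(describe(decode_redirect_binding(encode_redirect_binding(LOGOUT_3_4_3))))
```

Running it shows a single-part SessionIndex for the 3.1.0 document and a two-part composite for 3.4.3; both decode cleanly through either binding, so an SP that reports a Base64 decoding error on the 3.4.3 request is most likely rejecting the content after decoding rather than the encoding itself, which is the distinction to check on the SP side first.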
Exclude a user with realm-management role from keycloak's password policy
by Fateh
I have a user with Client Roles realm-management in a realm called xx which contains a password policy.
I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy triggers.
PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.
I would appreciate any help or ideas.
5 years, 10 months
Monitoring Keycloak
by Niko Köbler
Hi,
is there any documentation about how and what is possible to monitor in Keycloak via an API or something?
I don't find anything about a special Keycloak monitoring in the docs.
Customers are in general curious about the current session count, cache size (and memory allocation) of Infinispan, error rates, etc.
Do we have to use standard Wildfly/Infinispan APIs? JMX?
How do others solve this? Any ideas?
Thanks and regards,
- Niko
5 years, 10 months