SPI for removing user
by Pavel Drankov
Hi,
Is there any SPI which allows removing users from Keycloak?
Best wishes,
Pavel
5 years, 8 months
TCP for JGroups and bind options
by Sebastian Laskawiec
Hey,
I've been working on JGroups bind settings for the Keycloak Container Image
recently and we had a discussion with Stian about changing both binding
options and transport for JGroups.
As you probably know, we use standalone-ha.xml as the default configuration
for our image. This means that Infinispan boots up in clustered mode. At
the moment, we use the default transport from the configuration, which is
UDP (with PING as discovery).
Even though UDP transport is a bit faster for larger clusters, it often
doesn't work out of the box in cloud environments (like AWS, for
instance). Of course, the JGroups stack can easily be changed by using the
`-Djboss.default.jgroups.stack=tcp` switch.
I'm planning to revise this piece and change the default transport to TCP
(probably by adding the `-Djboss.default.jgroups.stack=tcp` switch to the
default options).
I also proposed, and would like to ask you to try it out, changing the bind
parameters to match IPv4 [1]. Previously, JGroups tried to bind to the wrong
interfaces, including `fe80::5003:8eff:fefa:3e53%tap0` exposed by Podman.
Please have a look at the Pull Request [1], check if it works for you and
let me know what you think about using TCP as the default transport for JGroups.
Thanks,
Sebastian
[1] https://github.com/jboss-dockerfiles/keycloak/pull/186
5 years, 8 months
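An added example (not from the post or the Keycloak image) of the two settings discussed above: select the TCP stack and pin the JGroups "private" interface to an IPv4 address rather than letting JGroups pick a link-local IPv6 tap address. The address list is constructed; `jboss.bind.address.private` is the WildFly property behind the "private" interface in standalone-ha.xml.

```shell
#!/bin/sh
# Added example (not from the post or the keycloak image): compose the JVM
# options for a standalone-ha.xml start that selects the TCP JGroups stack and
# pins the JGroups "private" interface to an IPv4 address, instead of letting
# JGroups pick a link-local IPv6 tap address on its own.

# Accept only a dotted-quad IPv4 address; a link-local IPv6 address such as
# fe80::5003:8eff:fefa:3e53%tap0 is rejected.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# First non-loopback IPv4 address from a whitespace-separated list (for
# example the output of `hostname -I`); returns 1 if there is none.
first_ipv4() {
  for addr in $1; do
    case "$addr" in 127.*) continue ;; esac
    if is_ipv4 "$addr"; then printf '%s\n' "$addr"; return 0; fi
  done
  return 1
}

# TCP stack plus an explicit bind address for the "private" interface, which
# is what the jgroups-tcp socket binding in standalone-ha.xml uses.
# Caveat: the stock tcp stack still discovers peers with MPING (multicast), so
# a multicast-free network needs a different discovery protocol as well.
jgroups_java_opts() {
  bind="$1"
  if ! is_ipv4 "$bind"; then
    echo "refusing non-IPv4 bind address: $bind" >&2
    return 1
  fi
  printf '%s\n' "-Djboss.default.jgroups.stack=tcp -Djboss.bind.address.private=$bind -Djava.net.preferIPv4Stack=true"
}

# Constructed address list standing in for `hostname -I` on a host with a tap
# interface; in real use: addrs=$(hostname -I)
addrs='fe80::5003:8eff:fefa:3e53%tap0 10.88.0.7 127.0.0.1'
if ip=$(first_ipv4 "$addrs"); then
  JAVA_OPTS=$(jgroups_java_opts "$ip")
  echo "JAVA_OPTS=$JAVA_OPTS"
fi
```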
Getting token directly in keycloak-js
by Firoz Ahamed
Hi guys,
Could someone let me know if there is any way to get a token by sending the username and password directly using the keycloak-js adapter, without the browser redirecting to the login page? Something similar to obtainGrant in the keycloak-connect adapter.
Thanks!
Regards,
Firoz
5 years, 8 months
Several profiles for same user in keycloak
by Eduard Rakov
Hi guys, I need your help with the following question. I need to provide the
ability for a user to create several profiles inside my app (I use Keycloak
for login and SSO); e.g. let's imagine that a user wants to have two profiles
within my application:
Name: Bruce Wayne, email: brucew@example.com, login: bruce.wayne and
password: secret
Name: "Dark Knight", email: batman@example.com, login: bruce.wayne and
password: secret (credentials to login are the same)
Bruce logs into my app using his creds (login: bruce.wayne and password:
secret) and when he decides to use his account for a 3rd-party resource using SSO
he can select which profile about himself to share with this 3rd-party
resource - Bruce Wayne (businessman) or Dark Knight (Batman, superhero). Is
it possible to implement such a use case using Keycloak? Thanks.
Best regards
5 years, 8 months
SSL load balancer causes problem on HTTP backend
by Salih Gedik
Hello community,
We have an application that uses the Keycloak starters, and the service itself is running on Spring Boot 2. However, when requested through load balancers it fails to authenticate. The backend servers themselves are not HTTPS, and the SSL load balancers are passing the traffic to the backends insecurely. I tried enabling the ssl-required flag, but this time it failed to redirect to the correct page for login since the backends are not SSL. I tried to override the commenceLoginRedirect method on KeycloakAuthenticationEntryPoint, which resolved the issue. But this time, after successful login, the redirection page fails to authenticate and returns 403.
I can see from the log that it says "Adapter requires SSL. Request: http://xx.yyy.zzzz.local". Which request endpoint should be https://xx instead of http? Here is the log message:
[http-nio-8080-exec-7] DEBUG o.k.a.OAuthRequestAuthenticator - there was a code, resolving
[http-nio-8080-exec-7] ERROR o.k.a.OAuthRequestAuthenticator - Adapter requires SSL. Request: http://xx.yyy.zzzz.local/sso/login?state=abcdef&code=uss.BRA-eewrerrew.8d...
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Auth outcome: FAILED
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
I would really appreciate it if you guys have any idea/suggestion about this.
Thank you
5 years, 8 months
obtaining token for CLI when using identity brokering
by Tim Dudgeon
Apologies if this was already sent/answered, but my subscription to the
ML was cut without my realising it, so I think my first attempt to send
was not successful.
And there seems to be no archive of the ML for me to check.
My scenario:
1. My Keycloak realm is set up to manage users with identity brokering
(e.g. they log in through GitHub etc.)
2. I have a public client in that realm that has a REST API that requires
access to be authenticated.
3. I want to access that API using curl or another CLI tool, so I need to
provide an access token.
If my users were added to Keycloak directly I could get that token like
this:
curl --data \
  "grant_type=password&client_id=myclientid&username=user1&password=user1" \
  https://<server:port>/auth/realms/realmname/protocol/openid-connect/token
But this will not work when using identity brokering.
So I was assuming the user could log in to Keycloak with a browser and
then find a token there and copy it.
But if I log in as a user at this URL
https://<server:port>/auth/realms/realmname/account I get logged in
using the identity broker, but I can't find a token anywhere.
How do I manage this?
Tim
5 years, 8 months
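An added example (not from the post) for the scenario above: a brokered user has no password stored in Keycloak, so the password grant cannot work for them, and the CLI instead drives an ordinary browser login (authorization code flow with PKCE) and redeems the code at the same token endpoint the post uses. It assumes a public client "myclientid" with redirect URI http://127.0.0.1:8765/cb registered in the realm, the placeholder host from the post, and openssl plus curl on the path.

```shell
#!/bin/sh
# Added example (not from the post): a brokered user has no password stored in
# Keycloak, so the password grant cannot work for them. The CLI instead drives
# an ordinary browser login (authorization code flow with PKCE) and redeems the
# returned code at the same token endpoint the post uses.
# Assumed: a public client "myclientid" with redirect URI
# http://127.0.0.1:8765/cb registered in the realm; openssl and curl available.

KC="https://<server:port>/auth/realms/realmname"   # placeholder as in the post
CLIENT_ID="myclientid"
REDIRECT_URI="http://127.0.0.1:8765/cb"

# base64url without padding, as RFC 7636 requires
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Fresh high-entropy code_verifier (43 chars from 32 random bytes).
new_verifier() { openssl rand 32 | b64url; }

# code_challenge = BASE64URL(SHA256(code_verifier))
pkce_challenge() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# URL the user opens in a browser. Keycloak shows its login page (or sends the
# user to the brokered IdP) and redirects back with ?code=...&state=...
auth_url() {   # $1 = state, $2 = code_challenge
  printf '%s/protocol/openid-connect/auth?response_type=code&client_id=%s&redirect_uri=%s&scope=openid&state=%s&code_challenge=%s&code_challenge_method=S256\n' \
    "$KC" "$CLIENT_ID" "$REDIRECT_URI" "$1" "$2"
}

# Redeem the code; the code_verifier proves this CLI started the flow, so a
# leaked code alone is useless to anyone else.
exchange_code() {   # $1 = code, $2 = code_verifier
  curl -s --data-urlencode "grant_type=authorization_code" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "redirect_uri=$REDIRECT_URI" \
    --data-urlencode "code=$1" --data-urlencode "code_verifier=$2" \
    "$KC/protocol/openid-connect/token"
}

main() {
  verifier=$(new_verifier)
  state=$(openssl rand 16 | b64url)
  echo "Open in a browser: $(auth_url "$state" "$(pkce_challenge "$verifier")")"
  printf 'Paste the code from the redirect URL (check state=%s): ' "$state"
  read -r code
  exchange_code "$code" "$verifier"   # JSON with access_token, refresh_token, ...
}

case "${1:-}" in run) main ;; esac   # ./cli-login.sh run
```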
State mismatch on oidc-client login
by Georgi Matev
We have a realm with an openid-connect client configured to provide
authentication for an application using Keycloak. The application is using
the Keycloak-hosted login page to handle auth redirects. We have this
working well, except that when one stays on the login page a little longer,
the authentication attempt fails with a state mismatch error.
We understand the protection this provides. To handle it gracefully, we
redirect the user back to login when the mismatch is detected. This creates
a weird user experience, where the user has just entered their credentials and
seemingly nothing happened the first time, but it succeeds the second time.
We have not been able to figure out how to do the following:
(1) Pass some parameter indicating that the mismatched state happened, so
that when we get back to the login redirect the second time, we can use the
parameter to trigger an appropriate message on the login page (through
customizing the theme) to indicate that the user took too long to log in. We
have tried adding URL parameters when redirecting back to login, but this
has not worked since these get stripped.
(2) What setting in Keycloak determines how long the state parameter from
the login redirect is valid? We played with long values for "Client login
timeout", "Login timeout", "Login action timeout" under Tokens in the Realm,
but none of these seems to help.
Any advice would be much appreciated.
Thanks,
-Georgi
5 years, 8 months
Token Exchange AWS Cognito & Keycloak
by Matteo Restelli
Hi all,
We're using AWS Cognito as the Identity Provider for our platform. We're
trying to use an internal instance of Keycloak, in order to check the
possibility of using KC for authorization purposes (this because Keycloak has
a wonderful and powerful authorization system that fulfills our needs, and
for that I want to say to you "Thank you very much" :) ). For this reason we
want to use the token exchange feature of Keycloak.
More specifically we want to follow this flow:
- User authenticates on AWS Cognito via the SRP auth flow (which basically is
not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the
middle, this token is translated to an internal one, minted by Keycloak
If we provide the AWS Cognito access token to the token exchange endpoint,
with the subject_token_type parameter set to
"urn:ietf:params:oauth:token-type:access_token", an error is returned
stating that the access token doesn't contain the "openid" scope. Despite
this, we've tried another way, providing the id token to the token exchange
endpoint with the subject_token_type parameter set to
"urn:ietf:params:oauth:token-type:id_token", and we discovered that this
alternative way works. So, my questions are:
- Is the "exchange with id token" approach a feasible and good one? Or is it
a completely bad approach?
- From an OIDC point of view, can it be a right approach to access a backend
resource from a single-page application using an id token? I've always
read that if you want to access a backend resource from a client
application, it is better to use the access token, because the id token
contains a lot of user information and must be used only by the client
application.
Thank you very much,
Matteo
PS: As a side note, I want to clarify that if we follow an authorization
code grant flow, or an implicit flow, during the authentication against AWS
Cognito, the access token exchange works as expected. So this means that
the problem is related to the shape of the token released by Cognito.
5 years, 8 months
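An added example (not from the post) of the token exchange flow described above: inspect the claims of the Cognito tokens first, send the access token only when it carries the "openid" scope Keycloak insists on and fall back to the id token otherwise, then call Keycloak's exchange endpoint. The realm "realmname", the confidential client "exchange-client" (permitted to exchange tokens) and the identity provider alias "cognito" are assumed names; the tokens in the test are constructed and unsigned.

```shell
#!/bin/sh
# Added example (not from the post): look at the claims of the Cognito tokens
# before calling Keycloak's token exchange endpoint, pick the subject token the
# way the post found to work (access token only when it carries "openid",
# otherwise the id token), and run the external-to-internal exchange.
# Assumed names: realm "realmname", confidential client "exchange-client" that
# is allowed to exchange tokens, identity provider alias "cognito".

KC="https://<server:port>/auth/realms/realmname"   # placeholder
CLIENT_ID="exchange-client"
CLIENT_SECRET="${CLIENT_SECRET:-<secret>}"

# Decode the payload (second segment) of a JWT. No signature check: this is
# for inspection only; Keycloak verifies the token against the IdP's keys.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | openssl base64 -d -A
}

# 0 if the "scope" claim contains the word openid, 1 otherwise (also when the
# claim is absent, which is the case for an id token).
jwt_has_openid_scope() {
  jwt_payload "$1" | sed -n 's/.*"scope"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | tr ' ' '\n' | grep -qx openid
}

# Prints "<subject_token_type> <token>". $1 = access token, $2 = id token.
pick_subject_token() {
  if jwt_has_openid_scope "$1"; then
    echo "urn:ietf:params:oauth:token-type:access_token $1"
  else
    echo "urn:ietf:params:oauth:token-type:id_token $2"
  fi
}

# Token exchange (RFC 8693 grant as Keycloak implements it); subject_issuer is
# the alias of the identity provider that issued the subject token.
exchange_token() {   # $1 = subject_token_type, $2 = subject_token
  curl -s -u "$CLIENT_ID:$CLIENT_SECRET" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    --data-urlencode "subject_token_type=$1" \
    --data-urlencode "subject_token=$2" \
    --data-urlencode "subject_issuer=cognito" \
    --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
    "$KC/protocol/openid-connect/token"
}
```

With tokens obtained from Cognito in ACCESS and ID: `set -- $(pick_subject_token "$ACCESS" "$ID"); exchange_token "$1" "$2"`.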