Plugin: Get a list of users by custom attribute value
by Tamás Tóth
Hello,
I'm using keycloak:latest with a Postgres backend in Docker.
I need to get a list of users, but I'm unable to use groups.
The user query in Keycloak returns a user in 300ms, which is really slow
for me.
As this link suggests
http://lists.jboss.org/pipermail/keycloak-user/2017-February/009548.html
I'm trying to create a plugin, but I have difficulties.
I need UserPermissionEvaluator to auth:
- UserPermissionEvaluator userPermissionEvaluator = auth.users();
When I use the following imports in my plugin:
- import org.keycloak.services.resources.admin.permissions.UserPermissionEvaluator;
I'm getting this exception:
- java.lang.NoClassDefFoundError: org/keycloak/services/resources/admin/permissions/UserPermissionEvaluator
You can access my code on GitHub (https://github.com/zingz0r/Keycloak.Plugin).
Could you please help me to solve this issue?
Thanks in advance,
Tamás Tóth
5 years, 8 months
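The following is an added example, not code from the post above, from the zingz0r/Keycloak.Plugin repository or from Keycloak itself. It is a minimal realm REST resource for Keycloak 4.x that returns the users carrying a given custom attribute value, authorising the caller from the bearer token and the realm-management "view-users" client role rather than through UserPermissionEvaluator. The package name, the endpoint name, the role choice and the jboss-deployment-structure.xml shown in the leading comment are assumptions. A NoClassDefFoundError for a class under org.keycloak.services, thrown from a JAR dropped into standalone/deployments/, usually means the deployment does not declare the keycloak-services module as a dependency; the comment shows the descriptor that adds it.

```java
package example.keycloak; // hypothetical package, not part of Keycloak

/*
 * Assumed packaging: the provider JAR is copied to standalone/deployments/.
 * Classes under org.keycloak.services.* are not visible to such a JAR unless
 * META-INF/jboss-deployment-structure.xml declares the module, e.g.:
 *
 *   <jboss-deployment-structure>
 *     <deployment>
 *       <dependencies>
 *         <module name="org.keycloak.keycloak-core"/>
 *         <module name="org.keycloak.keycloak-server-spi"/>
 *         <module name="org.keycloak.keycloak-server-spi-private"/>
 *         <module name="org.keycloak.keycloak-services"/>
 *       </dependencies>
 *     </deployment>
 *   </jboss-deployment-structure>
 */

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class UsersByAttributeResource implements RealmResourceProvider {

    private final KeycloakSession session;

    public UsersByAttributeResource(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this;
    }

    // GET /auth/realms/{realm}/users-by-attribute/users?name=<attr>&value=<value>
    @GET
    @Path("users")
    @Produces(MediaType.APPLICATION_JSON)
    public Response usersByAttribute(@QueryParam("name") String name,
                                     @QueryParam("value") String value) {
        RealmModel realm = session.getContext().getRealm();

        // Validate the bearer token against the current realm; null means no or invalid token.
        AuthenticationManager.AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
        if (auth == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Require the same role the admin console's user list needs. Admins of the
        // master realm carry it on the "<realm>-realm" client instead, which this
        // check deliberately does not honour (assumption: realm-local admins only).
        AccessToken.Access rm = auth.getToken().getResourceAccess("realm-management");
        if (rm == null || !rm.isUserInRole("view-users")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        if (name == null || name.isEmpty() || value == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }

        // One query on the attribute instead of paging through the whole user list.
        List<UserModel> users = session.users().searchForUserByUserAttribute(name, value, realm);
        List<Map<String, String>> out = users.stream().map(u -> {
            Map<String, String> m = new HashMap<>();
            m.put("id", u.getId());
            m.put("username", u.getUsername());
            return m;
        }).collect(Collectors.toList());
        return Response.ok(out).build();
    }

    @Override
    public void close() {
    }

    // Registered via META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory
    // with the line: example.keycloak.UsersByAttributeResource$Factory
    public static class Factory implements RealmResourceProviderFactory {
        @Override public RealmResourceProvider create(KeycloakSession session) { return new UsersByAttributeResource(session); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return "users-by-attribute"; }
    }
}
```

The endpoint is reachable only with a token issued for the realm it is mounted in, and it returns 403 rather than an empty list when the caller lacks the role, so a missing permission is distinguishable from a missing user. In releases after 4.x the AppAuthManager entry point changed, so check the signature against the version you deploy to.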
Send Access Token via Header
by Namık Barış İDİL
Hi,
I have an application which redirects user to client login page of Keycloak and after a successful authentication, Keycloak redirects it back to my site with access token embedded in query string. What I want to ask is that if there is any way to configure Keycloak to send this access token in header instead of query string.
Thanks in advance.
Barış
5 years, 8 months
Keycloak JS library: iframe redirect when already logged in
by Kelsey RIDER
Hello,
I’m working on an SPA that uses keycloak.js to interact with my Keycloak. I initialize the Keycloak object with onload = ‘check-sso’ and checkLoginIFrame enabled.
If I perform the following steps:
* Load my site
* Click my “login” button (call Keycloak.login())
* get redirected to Keycloak’s login page, login, get redirected back to my app
* Reload my site
I observe that when the site reloads, it does a quick redirection (the URL briefly changes from mysite.com to mysite.com/#state=….. then back to mysite.com).
I would like to avoid having this redirection when I’m already logged in.
By debugging the code, I found out why this happens:
* The login-status-iframe.html page is essentially just a wrapper for some static JS to manage a cookie that stores the auth tokens.
* Its main method checkState() is called from keycloak.js during initialization…with no token (sessionState is empty since keycloak.js is not aware of the cookie).
* The login iFrame’s code reads the cookie and creates an XHR request to …/login-status-iframe.html/init?... with the cookie in the request headers.
* When it gets a 204 response (which I take to mean: the cookie is valid, everything’s OK), it compares the token (from the cookie) with what it was given from keycloak.js (i.e. nothing).
* Since they are not equal, it responds to the callback with ‘changed’.
* This is interpreted in keycloak.js to mean that (the token changed?) and thus it calls doLogin(false), which is where it changes the URL, creating the unwanted redirect.
So my questions are thus:
* Where is the documentation for API for the call to login-status-iframe.html/init?
* Would it be possible to do something like:
* Have the login-status-iframe return the token, when the KC server informs it that the token is still valid (e.g. ‘update XXXXX’ instead of ‘changed’)
* keycloak.js would then take this and update its token, without having to call doLogin()
Many thanks,
Kelsey Rider
5 years, 8 months
Upgrading from 1.9.8.Final to 4.8.3.Final
by Cory Snyder
Hi all,
We’re currently running Keycloak version 1.9.8.Final and are now investigating the upgrade path to 4.8.3.Final. The question is, can we upgrade to 4.8.3.Final directly or do you advise proceeding one major version at a time?
Thanks for your time!
Cory
5 years, 8 months
Re: [keycloak-user] Setting NameID to Unspecified
by Ron Alleva
Hi Manuel,
Thanks for replying. That url does help me understand the difference
between the different identifier types.
However, the client I'm working with has it set in their IdP that the SAML
message sent to it should contain one of the user's attributes (specific
string of numbers, like a special user id) in the NameID field, with a
format of unspecified. In Keycloak (at least 4.4 and 5.0, that I checked),
there's no option for "unspecified" in the NameID format setting, or a way
to remove it altogether to default to unspecified.
Is this something Keycloak can support out of the box? Is it something I
can accomplish with a JavaScript protocol mapper, or do I have to code my
own mapper for that purpose?
Thanks,
Ron
On Mon, Apr 8, 2019, 05:03 Manuel Waltschek <manuel.waltschek(a)prisma-solutions.at> wrote:
> Hello Ron,
>
> maybe this url will help you:
> https://stackoverflow.com/questions/11693297/what-are-the-different-namei...
>
> As the answer states, unspecified can be used, and it purely depends on the
> entities' implementation, at their own discretion. So as I understand it, you
> have to send the NameID in some format, but have to decide on one format to
> send to the client on the Keycloak side. Unspecified often defaults to the
> implementation-specific default settings.
>
> Regards,
>
> Manuel
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> On behalf of Ron Alleva
> Sent: Monday, 08 April 2019 04:52
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Setting NameID to Unspecified
>
> Hi all,
>
> I'm working with a particular IdP client, and they have requested that I
> set the NameID field to an attribute on the user that is neither username
> or email, and that it must be in the "unspecified" format.
>
> I've been trying a bunch of different configuration options to get it
> work, but none seem to do what I need it to do. I know about
> "saml.persistent.name.id.for.$clientId" on a user, and I've been trying
> variations on that.
>
> Does anyone have any guidance on how to have an attribute of the user be
> populated in the NameID field, with a format of "unspecified"?
>
> Thanks,
> Ron
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
5 years, 8 months
Add custom user attributes update password page
by Keycloak Deploy
Hi,
I need to add custom attributes on update password page set by required
action: UPDATE_PASSWORD but when I edit the login-update-password.ftl file
I get a 500 error because I can't get user attributes on this page.
Is it necessary to use an SPI to do this, or is there another solution?
Thanks in advance for your help
5 years, 8 months
Few Admin events not getting raised
by Shiva Prasad Thagadur Prakash
Hi Guys,
We see that a few admin events are not getting logged to syslog/logfile:
creating a scope, creating a new policy for a client and creating a new
permission for a client. Could anyone please help us?
Steps to reproduce:
New permission event
1. Create a new client, for instance in the master realm
2. Set "Authorization Enabled"
3. Go to Clients -> clientName -> Authorization -> Permissions -> Scope-based
4. Create a new permission
Failed symptoms: no events generated.
New policy event
1. Create a new client, for instance in the master realm
2. Set "Authorization Enabled"
3. Go to Clients -> clientName -> Authorization -> Policies -> Create Policy -> Role
4. Create a new policy
Failed symptoms: no events generated.
New scope event
1. Create a new client, for instance in the master realm
2. Set "Authorization Enabled"
3. Go to Clients -> clientName -> Authorization -> Authorization Scopes
4. Create a new scope event_scope
Failed symptoms: no events generated.
Thanks & regards,
Shiva
5 years, 8 months
Regarding the exception seen after upgrading the version from 3.4 to 4.5
by senthil nathan
Hi all,
In our environment we are seeing an exception after upgrading the Keycloak server version from 3.4 to 4.5
and enabling the event listener.
2019-04-09 06:25:43,325 ERROR [org.keycloak.services] (default task-6) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: javax.mail.AuthenticationFailedException: ;
nested exception is:
javax.mail.MessagingException: Exception reading response;
nested exception is:
java.net.SocketTimeoutException: Read timed out
at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:145)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:251)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:246)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:237)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:197)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:163)
at org.keycloak.services.resources.admin.UserResource.executeActionsEmail(UserResource.java:709)
at org.keycloak.services.resources.admin.UserResource.sendVerifyEmail(UserResource.java:739)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2019-04-09 08:41:10,606 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f0dea:2f1df5ed:5cac520e:504 in state RUN
2019-04-09 08:41:10,608 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac1f0dea:2f1df5ed:5cac520e:504 invoked while multiple threads active within it.
2019-04-09 08:41:10,609 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f0dea:2f1df5ed:5cac520e:504 completed with multiple threads - thread default task-11 was in progress with sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185)
org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263)
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190)
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
com.nokia.csf.keycloak.notifications.HTTPJsonNotifier.send(HTTPJsonNotifier.java:42)
com.nokia.csf.keycloak.notifications.URLCallBackNotification.process(URLCallBackNotification.java:47)
com.nokia.csf.keycloak.providers.events.CSFGenericEventListenerProvider.onEvent(CSFGenericEventListenerProvider.java:57)
Regards
SPS.Nathan
5 years, 8 months
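As an added example that is not code from either of the two posts above nor from Keycloak itself, the event listener below serves both threads: it logs the operation type, resource type and resource path of every AdminEvent the server hands to listeners, which makes it easy to see which admin operations actually produce an event on a given version, and it hands outbound HTTP notifications to a bounded thread pool with connect and read timeouts so that onEvent() returns immediately instead of waiting on an HTTP connection pool while the request's transaction is still open. The package name, the "url" config key and its default, the pool sizes, the queue bound and the provider id are assumptions.

```java
package example.keycloak; // hypothetical package, not part of Keycloak

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.util.JsonSerialization;

public class AsyncWebhookEventListener implements EventListenerProvider {

    private static final Logger LOG = Logger.getLogger(AsyncWebhookEventListener.class);

    private final ExecutorService sender; // shared, bounded; owned by the factory
    private final String hookUrl;         // assumed webhook endpoint, set in standalone.xml

    AsyncWebhookEventListener(ExecutorService sender, String hookUrl) {
        this.sender = sender;
        this.hookUrl = hookUrl;
    }

    @Override
    public void onEvent(Event event) {
        enqueue(event);
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Log every admin event handed to listeners: the quickest way to confirm
        // which admin operations emit an event on the running version.
        LOG.infof("admin event: op=%s resourceType=%s path=%s realm=%s byUser=%s",
                event.getOperationType(), event.getResourceType(), event.getResourcePath(),
                event.getRealmId(),
                event.getAuthDetails() == null ? "?" : event.getAuthDetails().getUserId());
        enqueue(event);
    }

    // Serialize now, deliver later. onEvent() runs inside the request's transaction,
    // so a blocking HTTP call here would hold that transaction open until the reaper aborts it.
    private void enqueue(Object event) {
        final String json;
        try {
            json = JsonSerialization.writeValueAsString(event);
        } catch (IOException e) {
            LOG.warn("could not serialize event", e);
            return;
        }
        try {
            sender.execute(() -> post(json));
        } catch (RejectedExecutionException full) {
            // Bounded backlog: drop and say so rather than stall Keycloak when the receiver is down.
            LOG.warnf("notification queue full, dropping event for %s", hookUrl);
        }
    }

    private void post(String json) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(hookUrl).openConnection();
            conn.setConnectTimeout(2_000); // never wait on the receiver indefinitely
            conn.setReadTimeout(2_000);
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/json");
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(json.getBytes(StandardCharsets.UTF_8));
            }
            int status = conn.getResponseCode();
            if (status / 100 != 2) {
                LOG.warnf("webhook %s answered HTTP %d", hookUrl, status);
            }
            conn.disconnect();
        } catch (IOException e) {
            LOG.warnf(e, "webhook %s failed", hookUrl);
        }
    }

    @Override
    public void close() {
        // nothing per session; the pool belongs to the factory
    }

    // Registered via META-INF/services/org.keycloak.events.EventListenerProviderFactory
    public static class Factory implements EventListenerProviderFactory {
        private ExecutorService sender;
        private String hookUrl;

        @Override
        public EventListenerProvider create(KeycloakSession session) {
            return new AsyncWebhookEventListener(sender, hookUrl);
        }

        @Override
        public void init(Config.Scope config) {
            hookUrl = config.get("url", "http://127.0.0.1:8081/hook"); // assumed key and default
            sender = new ThreadPoolExecutor(1, 4, 60, TimeUnit.SECONDS,
                    new ArrayBlockingQueue<>(1_000),        // bounded backlog
                    new ThreadPoolExecutor.AbortPolicy());  // reject instead of blocking the caller
        }

        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { sender.shutdown(); }
        @Override public String getId() { return "async-webhook"; }
    }
}
```

Enable it per realm under Events -> Config -> Event Listeners using the id "async-webhook", and supply the URL through the eventsListener SPI configuration in standalone.xml. Because delivery is asynchronous and bounded, a dead or slow receiver costs a warning line and a dropped notification, never a held transaction; if notifications must not be lost, persist them in the same transaction and ship them from a separate process instead.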
Error linking users between realm
by triton oidc
Hi,
In my current scenario, I have an error linking a user between two
Keycloak IdPs.
I've got two servers on 4.8.3.Final, both in debug mode:
./jboss-cli.sh --connect --command='/subsystem=logging/root-logger=ROOT:change-root-log-level(level=DEBUG)'
./jboss-cli.sh --connect --command='/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=DEBUG)'
When I try to link a user, I get an error
"An internal server error has occurred"
after login on the second IdP.
In the log I see a:
WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR,
realmId=RedAirlines, clientId=null, userId=null, ipAddress=172.18.56.212,
error=invalid_code
Nothing in the log for the second IdP.
If I reload the webpage, I see the user is linked.
However, when I try a token exchange scenario, I get a
"Not present cache item for key LoginFailureKey [ realmId=RedAirlines.
userId=XXX" error,
which I'm pretty sure is related to the linking issue (because the token
exchange scenario works when I log my user in using "another realm
authentication").
I can paste some more details if it helps.
Thanks for any clue
Amaury
5 years, 8 months
horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing?
by Madhu
Hi All,
In order to scale Keycloak to handle about 2000 to 3000 realms, I am thinking of running Keycloak in a cluster farm,
something like one Keycloak cluster per 500 tenants, and managing 5 or 6 such Keycloak clusters (a farm).
But I want my end users to be totally unaware of this; they should just be talking to Keycloak on a single URL, something like https://kecloak-yourserver/auth/realms/realm1/
Internally, I am planning to resolve realm names to a specific farm member, e.g. realm1 -> keycloakCluster2, realmA -> keycloakCluster1, etc.
Has anybody out there tried such a thing on the cloud (AWS)?
If so, please share your experience/pain points.
This will go a long way in helping me scale Keycloak horizontally in one of my prod deployments.
Madhu
5 years, 8 months