Need guidance on auto login feature
by Khyati Kataria
Hi,
I would like to get some guidance on the following scenario.
I have a requirement to skip the Keycloak login page by setting up a header
using a bearer token. Is this the right approach? Or is there any way I
can skip the login page and be logged in to the customer service console?
Scenario:
1) create bearer token invoking:
POST to http://<server>/auth/realms/test/protocol/openid-connect/token/
with post data:
grant_type=password&client_id=client&username=admin&password=admin1
read the token from response
2) do a get using new XMLHttpRequest() and setting the header
xhr.open("GET", "http://<server>/csc/", true);
xhr.setRequestHeader('Authorization', 'Bearer ' + token);
after doing this we can see in the network traces that it actually brings
the subscribed ID page, but with this we only do a "static" GET, and we
see that all cookies are set
3) finally, from the page we do a redirect to http://server/csc so the browser
really opens the portal (and not just gets the content), but at this
stage we get redirected to the Keycloak login form
I don't want the redirect to the login form; I need guidance on this. Is it
possible to have auto login? Or is there any way we can skip the login page?
Regards,
Khyati
5 years, 8 months
Client not found error in keycloak
by Kevin Perez Moreno
Hello,
I am currently trying to integrate Celoxis into our SSO provided by Keycloak. Celoxis is configured to send SAML requests to our Keycloak server. However, after initiating the SAML exchange I get the following error:
* The web UI shows "Unknown login requester"
* In the Keycloak CLI, I can see the following "client_not_found" error:
15:53:03,293 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/realms/Demo/protocol/saml
15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/realms/Demo/protocol/saml, authentication required: false
15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@6c2221a0 for /auth/realms/Demo/protocol/saml
15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/realms/Demo/protocol/saml
15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper
15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false
15:53:03,295 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
15:53:03,295 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-2) SAML GET
15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) SAML Redirect Binding
15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_c4606c22-dc34-44a9-86c0-b157a90c8691" Version="2.0" IssueInstant="2019-04-08T13:53:03Z" Destination="https://sso.netguardians.ch:64020/auth/realms/Demo/protocol/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://app.celoxis.com/psa/person.Login.do?code=netguardians"><saml:Issuer>celoxis.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
15:53:03,296 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-2) Hibernate RegisteredSynchronization successfully registered with JTA platform
15:53:03,296 DEBUG [org.hibernate.SQL] (default task-2)
select
cliententi0_.ID as col_0_0_
from
CLIENT cliententi0_
where
cliententi0_.CLIENT_ID=?
and cliententi0_.REALM_ID=?
15:53:03,297 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-2) Initiating JDBC connection release from afterStatement
15:53:03,297 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=Demo, clientId=celoxis.com, userId=null, ipAddress=10.7.4.12, error=client_not_found
It seems that both the client ID and the realm ID are not found by Keycloak.
I wonder if any of you has experienced this issue before.
Thank you in advance
Kevin
5 years, 8 months
Redirect URI Manipulation
by vasleon
Hello everyone
I am testing the Keycloak server and so far I am impressed by how light it
is compared to other solutions of the same kind and how clean and
concise the interface of the server is.
I would like to use keycloak as a platform to introduce several
vulnerabilities in order to have a live example of a vulnerable open-id
provider.
Those of you who have a good understanding of the structure of
Keycloak, do you believe it is a good choice or should I head to
something else?
For example, if I want to bypass the check of the redirect URI, would
that require edits in multiple files?
Could someone indicate which files in that case?
thank you for your time
Vas
5 years, 8 months
Keycloak v5 final?
by mimendo
Hello,
In the documentation page for Keycloak 5.0.0 I see:
"This is a release candidate. The latest final release is 4.8."
I am not sure whether this was mistakenly left there from a pre-release,
or whether 5.0.0 actually is just a release candidate.
In the latter case, is there any news about when a v5 final release is scheduled?
Thank you.
5 years, 8 months
Best practices for Infrastructure/Configuration as Code
by Zhiming Guo
Hi Keycloak Team,
Thank you so much for making this wonderful project! I'm in the process of
adopting it and need some advice.
I'm a believer in Infrastructure as Code (IaC) and configuration as code,
so I'm just wondering how I can achieve this properly in Keycloak.
I am aware of and have tried the realm export/import feature. But I found
it difficult to maintain/share/develop the realm.json file, mainly because
there seem to be no documents around its syntax, supported fields, etc. And
I'm not sure what the best way is to apply the realm.json file using CI/CD:
a new image containing the new realm.json?
Or maybe I should focus on using the REST API to achieve IaC?
My apologies for these unorganized questions. Any advice will be appreciated!
Thank you for your time
Ming
5 years, 8 months
Setting NameID to Unspecified
by Ron Alleva
Hi all,
I'm working with a particular IdP client, and they have requested that I
set the NameID field to an attribute on the user that is neither username
nor email, and that it must be in the "unspecified" format.
I've been trying a bunch of different configuration options to get it to work,
but none seem to do what I need it to do. I know about
"saml.persistent.name.id.for.$clientId" on a user, and I've been trying
variations on that.
Does anyone have any guidance on how to have an attribute of the user be
populated in the NameID field, with a format of "unspecified"?
Thanks,
Ron
5 years, 8 months
Access Forbidden
by Aaron Echols
Hello All,
I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final.
I'm running into an issue where we set a group up with the `manage-users`
Role Mapping. In 4.1.0.Final, the members of said group were able to log in
and reset passwords for users successfully in the realm they are in.
Now when they attempt to access the Security Admin Console under
Applications in their profile, they get the following message on the user
side:
Forbidden
You don't have access to the requested resource.
All I see in the Events log is:
LOGIN
Client: security-admin-console
User: <identifier>
IP Address: <local-ip>
Details:
auth_method: openid-connect
auth_type: code
response_type: code
redirect_uri: /auth/admin/realm/console/
consent: no_consent_required
code_id: <code-id>
response_mode: fragment
username: <username>
CODE_TO_TOKEN
Client: security-admin-console
User: <identifier>
Details:
token_id: <token-id>
grant_type: authorization_code
refresh_token_type: refresh
scope: openid
refresh_token_id: <refresh-token-id>
code_id: <code-id>
client_auth_method: client-secret
I've verified that they have the proper roles assigned. Why isn't this
working now, and does anyone have any help to be able to troubleshoot?
Thanks in advance for any help or recommendations. :)
--
*Aaron Echols*
5 years, 8 months
Token Exchange AWS Cognito & Keycloak
by Matteo Restelli
Hi all,
We're using AWS Cognito as the identity provider for our platform. We're
trying to use an internal instance of Keycloak in order to check the
possibility of using KC for authorization purposes (this is because Keycloak has
a wonderful and powerful authorization system that fulfills our needs, and
for that I want to say "Thank you very much" :) ). For this reason we
want to use the token exchange feature of Keycloak.
More specifically we want to follow this flow:
- User authenticates on AWS Cognito via SRP auth flow (which basically is
not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the
middle, this token is translated to an internal one, minted by Keycloak
If we provide the AWS Cognito access token to the token exchange endpoint,
with the subject_token_type parameter set to
"urn:ietf:params:oauth:token-type:access_token", an error is returned
stating that the access token doesn't contain the "openid" scope. Given
this, we've tried another way, providing the id token to the token exchange
endpoint with the subject_token_type parameter set to
"urn:ietf:params:oauth:token-type:id_token", and we discovered that this
alternative way works. So, my questions are:
- Is the "exchange with id token" approach a feasible and good one? Or is
it a completely bad approach?
- From an OIDC point of view, can it be a right approach to access a backend
resource from a single page application using an id token? I've always
read that if you want to access a backend resource from a client
application, it is better to use the access token, because the id token
contains a lot of user information and must be used only by the client
application.
Thank you very much,
Matteo
PS: As a side note, I want to clarify that if we follow an authorization
code grant flow, or an implicit flow, during the authentication against AWS
Cognito, the access token exchange works as expected. So this means that
the problem is related to the shape of the token released by Cognito.
5 years, 8 months
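The failure described in the post above (an access token without the "openid" scope is refused by the token exchange endpoint, while an id token is accepted) can be caught before the request leaves the client. The following is an added example, not code from the post or from Keycloak: it decodes a subject token's claims locally for inspection only, checks the space-delimited `scope` claim, and builds the RFC 8693 form parameters. The token values are constructed; `build_exchange_request` and `client_id="backend"` are illustrative names, and Keycloak's external-to-internal exchange may require further parameters (such as the issuer of the external token) beyond this minimal set.

```python
import base64
import json

# Token-type URNs quoted in the post; the grant_type URN is the RFC 8693 token-exchange grant.
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_jwt(claims: dict) -> str:
    """Constructed JWT-shaped string for local testing only; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. This is pre-flight inspection only;
    the exchange endpoint (not this client) verifies signature, issuer and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def has_openid_scope(claims: dict) -> bool:
    """OAuth 'scope' is a space-delimited string; 'openid' must be one whole entry."""
    return "openid" in str(claims.get("scope", "")).split()


def build_exchange_request(subject_token: str, subject_token_type: str, client_id: str) -> dict:
    """Form parameters for the token exchange endpoint (hypothetical helper).
    Fails fast, with the same reason the post reports, when an access token
    lacking 'openid' would be rejected server-side anyway."""
    if subject_token_type == ACCESS_TOKEN_TYPE and not has_openid_scope(decode_claims(subject_token)):
        raise ValueError("access token carries no 'openid' scope; the exchange would be refused")
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
```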
Doubts regarding fine grained permission on groups
by Rafael Weingärtner
Hello Keycloak community,
We seem to have stumbled across a feature that we do not fully understand
(after reading and re-reading, and testing). Could somebody help to clarify
the design of this feature?
When enabling fine grained group permissions, we see the option to assign
the scope "manage" to users in specific groups. According to our
understanding, this scope would allow us to create the "role" of users
("group-admins") to manage (update user information, reset credentials,
enable/disable) other users in the same group; users with this "role" would
also not be able to see the other users in the realm that are not assigned
to the group where they have these special permissions. Therefore, the
actions of creating and removing users would still be restricted to the
manage-users permission that can be set for "user-managers" in the whole
realm.
During our tests, we noticed that the users who receive the "manage" scope
permission in a group are able to delete users of the group. Is this the
expected behavior? After noticing this, we also thought that they would
then be able to create users in the group (if they can remove, why not
enable them to create as well?); however, these users are not able to
create other users in the group that they have permission to manage (even
when explicitly assigning the group to the user being created). Is this a
bug? Or something that is not completely documented?
--
Rafael Weingärtner
5 years, 8 months
obtaining token for CLI when using identity brokering
by Tim Dudgeon
My scenario:
1. My Keycloak realm is set up to manage users with identity brokering
(e.g. they log in through GitHub etc.)
2. I have a public client in that realm that has a REST API that requires
access to be authenticated
3. I want to access that API using curl or another CLI tool, so I need to
provide an access token.
If my users were added to Keycloak directly I could get that token like
this:
curl --data
"grant_type=password&client_id=myclientid&username=user1&password=user1"
https://<server:port>/auth/realms/realmname/protocol/openid-connect/token
But this will not work when using identity brokering.
So I was assuming the user could log in to Keycloak with a browser and
then find a token there and copy it.
But if I log in as a user at this URL
https://<server:port>/auth/realms/realmname/account I get logged in
using the identity broker, but I can't find a token anywhere.
How do I manage this?
Tim
5 years, 8 months