Older Java Spring client libraries with newer Keycloak server
by Hylton Peimer
I'm using keycloak-spring-security-adapter version 4.4.0-Final.
This library works perfectly with SpringBoot 1.5.
I've tried to upgrade my Keycloak server to 4.8.3 and also Spring client
libraries to 4.8.3, but there is a problem with redirects. [The actual
problem seems connected to reported issues].
The 4.4.0-Final client libraries seem to work with 4.8.3 Keycloak server.
My question: is it safe to use the older client libraries with a newer
Keycloak server?
5 years, 8 months
Keycloak Import/Export and proper exit status.
by Ramon Spahr
Hi,
I already searched the documentation, issues and user mailing list with
no result.
I'm looking for a way to let the Keycloak import/export exit properly
after the work is done, with exit status 0, or non-zero when the command
failed. Is this a new feature? Then I will create a feature request.
This is an important feature for us to automate backup, migration and
test scenarios in our container environment.
Currently we do this by grepping the log output, but this is kind of a
workaround and not a proper solution.
Regards
Ramon
5 years, 8 months
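The grep-the-log workaround described in the post, written out as an added example (not part of the post and not Keycloak tooling) so that at least it fails closed: the script starts a one-shot export with the documented keycloak.migration.* system properties, polls the log until it sees a success marker or an error, stops the server, and returns 0 (success), 1 (error logged) or 2 (neither seen, e.g. killed by the timeout). The log markers "Export finished successfully" / "Import finished successfully", the KEYCLOAK_HOME path, the port offset and the timeout are assumptions to verify against your own server log; the log line used in the self-check is constructed.

```shell
#!/bin/sh
# Added example (not Keycloak's own tooling): derive a proper exit status for a
# Keycloak export/import run from its log output.
# Assumptions, to be verified against your server's log: the ExportImportManager
# logs "Export finished successfully" / "Import finished successfully" on success,
# and failures surface as " ERROR [" lines or a stack trace ("Exception").

# kc_exit_status_from_log LOGFILE MODE
#   returns 0 when the success marker is present, 1 when an error was logged,
#   2 when neither was seen (e.g. the server was stopped before finishing).
kc_exit_status_from_log() {
  logfile="$1"
  mode="$2"
  case "$mode" in
    export) marker="Export finished successfully" ;;
    import) marker="Import finished successfully" ;;
    *) echo "kc_exit_status_from_log: unknown mode '$mode'" >&2; return 2 ;;
  esac
  if grep -q -- "$marker" "$logfile"; then
    return 0
  elif grep -Eq -- ' ERROR +\[|Exception' "$logfile"; then
    return 1
  fi
  return 2
}

# kc_run_export DIR LOGFILE
#   Starts a one-shot realm export with the documented keycloak.migration.*
#   properties, waits until the log shows success or an error (or the timeout
#   expires), stops the server and returns the derived status.
#   KEYCLOAK_HOME, the port offset and KC_EXPORT_TIMEOUT are assumptions.
kc_run_export() {
  dir="$1"
  logfile="$2"
  : "${KEYCLOAK_HOME:=/opt/jboss/keycloak}"
  "$KEYCLOAK_HOME/bin/standalone.sh" \
      -Dkeycloak.migration.action=export \
      -Dkeycloak.migration.provider=dir \
      -Dkeycloak.migration.dir="$dir" \
      -Dkeycloak.migration.usersExportStrategy=SAME_FILE \
      -Djboss.socket.binding.port-offset=100 \
    > "$logfile" 2>&1 &
  pid=$!
  status=2
  waited=0
  while [ "$waited" -lt "${KC_EXPORT_TIMEOUT:-300}" ]; do
    status=0
    kc_exit_status_from_log "$logfile" export || status=$?
    [ "$status" -eq 2 ] || break
    sleep 5
    waited=$((waited + 5))
  done
  # The server keeps running after the export; stop it ourselves.
  kill "$pid" 2>/dev/null
  wait "$pid" 2>/dev/null
  return "$status"
}

# Offline self-check on a constructed log line (not real server output).
demo_log=$(mktemp)
printf '%s\n' '12:00:01,000 INFO  [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 60) Export finished successfully' > "$demo_log"
kc_exit_status_from_log "$demo_log" export && echo "constructed export log: success (exit 0)"
rm -f "$demo_log"
```

In a container entrypoint the exit status of kc_run_export can then gate the backup or migration job directly; the status 2 branch is the one worth alerting on, since it means the log told you nothing either way.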
problem with social identity providers with broker (only google works)
by mizuki
Hi,
I've verified this problem with the latest Keycloak version as well as v4.8.x:
using the broker only works with Google; with the other social identity providers,
all throw the same error 'Unexpected error when authenticating with
identity provider' to the browser, and in server.log:
10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
at com.ibm.jsse2.k.a(k.java:32)
at com.ibm.jsse2.k.a(k.java:37)
at com.ibm.jsse2.av.b(av.java:549)
at com.ibm.jsse2.av.a(av.java:715)
at com.ibm.jsse2.av.i(av.java:574)
at com.ibm.jsse2.av.a(av.java:280)
at com.ibm.jsse2.av.startHandshake(av.java:431)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
That happens after the correct credentials being put in. So far, I've
tested:
- linkedin
- facebook
- microsoft
- github
The error almost suggests the problem is an incorrect TLS version. To
troubleshoot, I sniffed network packets, comparing Google with the non-working
providers (e.g. LinkedIn).
An interesting thing I found out was that the Keycloak instance is hosted
behind a proxy; when authenticating with external providers, all
communication should go through the proxy. In Google's case it went well and
the communication was successful; however with LinkedIn, for example, after
the username/password were successfully authenticated, the backend Keycloak
instance all of a sudden started to talk to the LinkedIn server directly
instead of going through the proxy. Of course the communication then fails
and the error is returned.
Can anyone advise?
PS: keycloak mailing list seems to have trouble with google email, I
apologize in advance if the reply is delayed or resent multiple times.
Thanks!
Mizuki
5 years, 8 months
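Keycloak routes its outgoing identity-provider requests through the `proxy-mappings` property of the `connectionsHttpClient` SPI, a list of `<regex>;<proxy URL or NO_PROXY>` entries where the first entry whose regex matches the target hostname wins. The shell functions below are an added example (not part of the post and not Keycloak code) that reproduces that first-match-wins resolution offline, so you can check which provider hosts would leave the server directly before changing the config. Assumptions: the regex must match the whole hostname (Java `Matcher.matches()`), the simple patterns from the Keycloak docs are also valid POSIX ERE for grep, and a host with no matching entry is reported as DIRECT; the mapping file and hostnames in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not Keycloak code): resolve a hostname against a list of
# Keycloak "proxy-mappings" entries the way the server does (first match wins).
# Assumptions: one "<regex>;<proxy-url|NO_PROXY>" entry per line, the regex has to
# match the whole hostname (Java Matcher.matches()), and the pattern is usable as
# POSIX ERE; hosts without a matching entry are reported as DIRECT.

# kc_resolve_proxy HOSTNAME MAPPINGS_FILE
#   prints the proxy URL the host would be sent through, or DIRECT.
kc_resolve_proxy() {
  host="$1"
  mapfile="$2"
  result="DIRECT"
  while IFS= read -r mapping || [ -n "$mapping" ]; do
    case "$mapping" in ''|'#'*) continue ;; esac
    regex="${mapping%%;*}"
    target="${mapping#*;}"
    # Strip caller-supplied anchors, then anchor ourselves to emulate matches().
    regex="${regex#^}"
    regex="${regex%\$}"
    if printf '%s\n' "$host" | grep -Eq -- "^(${regex})\$"; then
      [ "$target" = "NO_PROXY" ] || result="$target"
      break
    fi
  done < "$mapfile"
  echo "$result"
}

# kc_unproxied_hosts MAPPINGS_FILE HOST...
#   prints every host that would be contacted directly; returns 1 if there is
#   at least one, so it can gate a deployment where all egress must be proxied.
kc_unproxied_hosts() {
  mapfile="$1"
  shift
  rc=0
  for h in "$@"; do
    if [ "$(kc_resolve_proxy "$h" "$mapfile")" = "DIRECT" ]; then
      echo "$h"
      rc=1
    fi
  done
  return "$rc"
}

# Offline self-check with a constructed mappings file: only Google-owned hosts
# are mapped to the proxy, so the other social providers go direct.
demo_map=$(mktemp)
printf '%s\n' \
  '^.*\.(google|googleapis)\.com;http://www-proxy.example.test:8080' \
  '^.*\.internal\.example\.test;NO_PROXY' > "$demo_map"
for h in accounts.google.com www.linkedin.com graph.facebook.com; do
  echo "$h -> $(kc_resolve_proxy "$h" "$demo_map")"
done
rm -f "$demo_map"
```

The mappings themselves are set on the server, e.g. with `/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[...])`; a trailing catch-all such as `.*;http://www-proxy.example.test:8080` is what makes every provider, not just the ones you listed explicitly, use the proxy.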
Adding alwaysHttps to Hostname SPI in Docker
by Hylton Peimer
I'm trying to figure out how to add the "alwaysHttps=true" to the Hostname
Provider in Keycloak running under Docker.
I've tried the following:
1) Modifying the standalone.xml and adding with sed:
name=properties.alwaysHttps,value="true"
2) Adding a CLI to the startup-scripts directory, but this fails since the
server isn't running and the connect doesn't happen.
3) Modifying the tools/cli/hostname.cli file and adding:
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.alwaysHttps,value="true")
What is the correct approach to adding the alwaysHttps when overriding the
default Dockerfile ?
5 years, 8 months
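The approaches listed in the post (editing standalone.xml, a startup CLI script, the image's hostname.cli) are all ways of getting the same `alwaysHttps` property onto the `fixed` hostname provider. As an added example (not from the post and not part of the jboss/keycloak image), the functions below generate a CLI script that can run before the server is up, by embedding the server itself, and check a standalone*.xml for the expected result. Assumptions: the image runs each startup-scripts/*.cli with jboss-cli.sh --file while the server is stopped, so the script has to start with `embed-server`; the server config file name (standalone-ha.xml by default) and the hostname are parameters; the XML used in the self-check is constructed.

```shell
#!/bin/sh
# Added example (not part of the jboss/keycloak image): generate a startup CLI
# script that sets alwaysHttps on the "fixed" hostname provider, and a check that
# verifies the resulting server config.
# Assumption: startup-scripts/*.cli are executed with jboss-cli.sh --file before
# the server starts, so the script must embed the server itself.

# kc_hostname_cli OUTFILE HOSTNAME [SERVER_CONFIG]
#   writes a CLI script that switches the hostname SPI to the fixed provider,
#   adds the provider if it is missing, and sets alwaysHttps=true on it.
kc_hostname_cli() {
  outfile="$1"
  hostname="$2"
  cfg="${3:-standalone-ha.xml}"
  cat > "$outfile" <<EOF
embed-server --server-config=${cfg} --std-out=echo
/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider,value=fixed)
if (outcome != success) of /subsystem=keycloak-server/spi=hostname/provider=fixed:read-resource
    /subsystem=keycloak-server/spi=hostname/provider=fixed:add(enabled=true,properties={hostname=${hostname}})
end-if
/subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.alwaysHttps,value="true")
stop-embedded-server
EOF
}

# kc_check_always_https SERVER_CONFIG_XML
#   returns 0 when the hostname SPI defaults to "fixed" and that provider carries
#   <property name="alwaysHttps" value="true"/>, 1 otherwise. Meant to run after
#   the CLI script (or a sed edit) so a container build fails if the setting is
#   not actually in effect.
kc_check_always_https() {
  awk '
    /<spi name="hostname">/                                { inspi = 1 }
    inspi && /<default-provider>fixed<\/default-provider>/ { def = 1 }
    inspi && /<provider name="fixed"/                      { inprov = 1 }
    inprov && /<property name="alwaysHttps" value="true"/  { always = 1 }
    inprov && /<\/provider>/                               { inprov = 0 }
    inspi && /<\/spi>/                                     { exit }
    END { if (def && always) exit 0; exit 1 }
  ' "$1"
}

# Offline demonstration: generate the script for a constructed hostname.
demo_cli=$(mktemp)
kc_hostname_cli "$demo_cli" sso.example.test
cat "$demo_cli"
rm -f "$demo_cli"
```

Placed as /opt/jboss/startup-scripts/hostname.cli in a derived image, the generated script is idempotent: rerunning it on a config where the fixed provider already exists only rewrites the two attributes.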
Need guidance on auto login
by Khyati Kataria
Hi,
I would like to get some guidance on following scenario.
I have a requirement to skip the Keycloak login page by setting up a header
using a bearer token. Is this the right approach? Or is there any way I
can skip the login page and be logged in to the customer service console?
Scenario:
1) create bearer token invoking:
POST to http://<server>/auth/realms/test/protocol/openid-connect/token/
with post data:
grant_type=password&client_id=client&username=admin&password=admin1
read the token from response
2) do a get using new XMLHttpRequest() and setting the header
xhr.open("GET", "http://<server>/csc/", true);
xhr.setRequestHeader('Authorization', 'Bearer ' + token);
after doing this we can see in the network traces that it actually brings
the subscribed ID page, but with this we only do a "static" GET, and we
see all cookies are set
3) finally from page we do a redirect to http://server/csc so browser
really opens the portal (and not just get the content), but at this
stage we get redirected to Keycloak login form
I don't want the redirect to the login form; I need guidance on this. Is it
possible to have auto login, or is there any way we can skip the login page?
5 years, 8 months
Keycloak Gatekeeper + API Key + Service Account
by Sylvain Malnuit
Hi,
Using Keycloak, it's possible to declare a client as a service account.
The client secret becomes an API key.
In my case, I'm going to generate 10 clients (10 API keys).
I have tried to use Keycloak-gatekeeper to cover this use case, but GK
supports only one client.
In my case, I understand that I must create 10 instances of GK :(.
Is there a way to associate various clients with one instance of GK
(different paths)?
Thanks for your help.
Regards,
Sylvain
5 years, 8 months
no nameid leads to npe in SAMLEndpoint.java
by Manuel Waltschek
Hello,
I am trying to configure a kc-saml IdP broker for an external IdP. The logout request from the external IdP to the SAML broker unfortunately does not contain a NameID, and therefore org.keycloak.dom.saml.v2.protocol.LogoutRequestType.getNameID() returns null in org.keycloak.broker.saml.SAMLEndpoint. This leads to a NullPointerException being thrown.
There is a requirement for us to support nameid-format:unspecified, since the USERID is delivered via a SAML attribute. I configured this in the IdP configuration, but it seems that setting nameid-format to unspecified has no effect (does this also default to persistent?). Am I mixing up these things? Is there a workaround for this issue?
I hope anyone can help me or at least answer me this time. Regards,
Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek@prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
5 years, 8 months
Re: [keycloak-user] Keycloak demo
by Bruno Oliveira
Hi Micha, moving this to the keycloak-user mailing list, because it's the
appropriate place for questions like this.
I could not find the link you mentioned, but I suggest you try
our quickstarts https://github.com/keycloak/keycloak-quickstarts/archive/latest.zip
I hope it helps.
On 2019-04-04, Micha Preußer wrote:
> Hey there,
>
> this is not really a development question (not yet), but I think
> somebody can help me out here.
>
> In the latest (5.0.0) documentation for server development, you
> have the topic 8.3. Authenticator SPI Walk Through. There you can find
> an example for third auth plugins, but the latest "demo distribution"
> which contains this example I could only find for version 4.3.0.
>
> Is there any newer version I didn't find, or how can I go on to take a
> look at this example and deploy it?
>
> Thanks a lot.
> Micha Preußer
>
--
abstractj
5 years, 8 months
Re: [keycloak-user] Mapping provider user ID to user attribute
by Leandro Nunes
Hi Garret, Simon, community,
We were recently trying to achieve something similar but, after trying a
similar approach to the one you discuss here, we decided not to use it
because, even though it seemed to work at first glance, we soon realised
that things would quickly get out of sync if the users removed and/or added
links after the creation of their accounts. It seemed odd at the beginning,
but after giving it some thought it made sense: we were adding an attribute
to the user (not to the link), so removing the link won't remove this
property (we then wrote an EventListener to circumvent this), but the whole
setup seemed very convoluted, so we decided to try a different approach:
Why not extract the "Provider User ID" from the link itself instead of a
User Attribute? Well this approach seemed to work quite well. No more
problems maintaining mappings from Provider to User Attribute and then from
User Attribute to token and no more out-of-date information that we needed
to address.
Is this approach correct? Am I missing an obvious reason not to use this
approach (can you see a reason why this may be unsafe or fall in some
problems in the future)?
I've written an SPI that does exactly this:
https://github.com/leandronunes85/idp-user-id-token-mapper and I would
really appreciate if someone could take a look and peer-review it :)
Thanks,
Leandro Nunes
5 years, 8 months
Wildfly Elytron client adapter - Propagate security domain to EJB
by Ryan Slominski
Has anyone been able to propagate the Keycloak security domain in the Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and applying a JBoss-specific annotation (@SecurityDomain) to hundreds of EJBs.
I placed the file into WEB-INF with contents:
<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:s="urn:security"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
version="3.1" impl-version="2.0">
<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain>keycloak</s:security-domain>
</s:security>
</assembly-descriptor>
</jboss:ejb-jar>
I also tried label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"
5 years, 8 months