configure realm master on server initialization
by Koffi Yannick N'ZI
Hello,
I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able
to do so and to create realms on demand.
However, I have an issue. I want to automate the SMTP server configuration
in every realm when creating them, including the master realm. I'm able to
do so for new realms except the master one.
So my question is: is it possible to configure the master realm by putting
some configuration properties in the standalone.xml file or elsewhere?
What property name must I set if so?
Thanks
--
Koffi Yannick N'ZI
*Information and Communication Technology Engineer, Telecommunications and
Networks option.*
*Specialised Master's in Web Technologies and Cyber Security*
nykykof(a)gmail.com
5 years, 8 months
Realm Admin Console not visible with "manage-users", "view-users" and "query-groups" roles
by Jody H
Hi everyone,
I'm having trouble granting users permission to access the realm admin
console.
I want some users to be able to add users to groups, but not see any of the
client configuration etc.
I added the roles "manage-users", "view-users" and "query-groups" to a test
user. When logging in with the test user (which I verified is logging in
with the correct user id in the Keycloak logs), I cannot access the realm
admin console due to:
"Forbidden
You don't have access to the requested resource."
When I add more privileges, such as "view-realm", then I can access the
realm admin console with that test user. But this is too much permission
for my users.
This is a screenshot which shows the effective roles of the test user. The
three role mappings described above are set in a group and the test user is
member of this group.
[image: grafik.png]
Any tip on how to have the user access the admin console and only allow the
user to view clients and manage group membership?
Keycloak Server Version 4.8.3.Final
Thanks!
5 years, 8 months
Flow Execution REST API Inconsistencies
by Ryan Slominski
Has anyone else noticed there are a few inconsistencies in the authentication flow execution section of the REST API? For example, ordered most severe first:
1. You cannot specify an ID when creating an authentication flow execution (I believe every other create command allows this, and if you provide an ID it is ignored), which means when scripting you must programmatically capture the random ID that is generated in order to provide it to future commands (kcadm.sh create authentication/flows/<alias>/executions/execution -s id=ignored).
2. You cannot specify a flow ID when adding an execution to a flow; instead you must use the flow alias, which may contain spaces that must be escaped (again, I believe every other create command uses ID, not alias).
3. You cannot specify the requirement (example: "ALTERNATIVE") when creating an execution. You must separately update a newly created execution. Coupled with forced random ID, this is awkward.
4. When creating an execution the parameter "provider" is used. When creating a flow the parameter is named "providerId".
5 years, 8 months
Backchannel logout for multiple webapps using a single openid-connect client
by Michael Kebe
Hi mailing list,
is it possible to get backchannel logout working with a single openid-connect client, which is used by multiple webapps?
To get backchannel logout working for a single webapp I had to set the Admin URL to a specific URL of one webapp.
I expected that Keycloak stores from where the session is initiated and knows where the backchannel logout has to be sent to.
I could create for each webapp a specific client and set the Admin URL accordingly, but that is too much configuration work for over 100 webapps.
Do I misunderstand the public Access Type?
Michael
Hüttenwerke Krupp Mannesmann GmbH, Ehinger Str. 200, D-47259 Duisburg
Management: Dr. Herbert Eichelkraut, Dr. Gerhard Erdmann, Carsten Laakmann
Chairman of the Supervisory Board: Prof. Dr.-Ing. Heinz Jörg Fuhrmann
Registered office: Duisburg
Commercial register entry: Amtsgericht Duisburg HRB 4716
http://www.hkm.de
5 years, 8 months
Keycloak policies eval
by Simão Silva
Hi there,
I'm implementing Keycloak for authentication in a server with Spring
Boot. I'm doing something like "@RequestMapping("/login")" in Java, but
the policies aren't taken into account, because I can log in with every user
in the client. I want something like this
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-je...,
which tells me whether or not the user can access the specific client in a
resource. What should I do?
Best regards,
Simão Silva
5 years, 8 months
Keycloak Admin Client dependencies for Keycloak 5.0.0?
by Jody H
Hi,
I have looked around on Google for a while now but I can't seem to figure
out my problem. I mostly used the Gist from GitHub here to get started:
https://gist.github.com/thomasdarimont/43689aefb37540624e35
After things were not really working out, I tried some other stuff that you
can find below:
I am trying to use the Keycloak admin client in Java, version 5.0.0.
My POM contains the following:
<properties>
  <maven.compiler.source>1.8</maven.compiler.source>
  <maven.compiler.target>1.8</maven.compiler.target>
  <keycloak.version>5.0.0</keycloak.version>
  <resteasy.version>3.1.3.Final</resteasy.version>
  <jackson.version>2.9.8</jackson.version>
</properties>
<dependencies>
  <dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-admin-client</artifactId>
    <version>${keycloak.version}</version>
  </dependency>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-client</artifactId>
    <version>${resteasy.version}</version>
  </dependency>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <version>${resteasy.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>${jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>${jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.jaxrs</groupId>
    <artifactId>jackson-jaxrs-json-provider</artifactId>
    <version>${jackson.version}</version>
  </dependency>
</dependencies>
When I add the following code, building the keycloak client fails:
Keycloak keycloak = KeycloakBuilder.builder().serverUrl("localhost:8080/auth").realm("master")
        .username("admin").password("admin").clientId("admin-cli").build();
System.out.println(keycloak.serverInfo().getInfo().toString());
Produces the following exception:
java -jar .\keycloak-admin-0.0.1-SNAPSHOT.jar
Exception in thread "main" java.lang.IllegalArgumentException: RESTEASY003720: path param realm has not been provided by the parameter map
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.replaceParameter(ResteasyUriBuilder.java:659)
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:581)
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:780)
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:772)
    at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.getUri(ClientWebTarget.java:107)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.createRequest(ClientInvoker.java:124)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
    at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
    at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
When using the Keycloak.getInstance method, I get another exception:
Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth",
"master", "admin", "admin", "admin-cli");
Produces exception:
Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
    at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
    at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
    at test.KeycloakAdmin.main(MyMain.java:17)
Caused by: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
    at org.jboss.resteasy.core.interception.jaxrs.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:42)
    at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:80)
    at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:266)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:196)
    at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:212)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120)
    ... 13 more
Can someone share insight on how to use the keycloak admin client library
in the most recent version? Which dependencies do I need inside of my pom?
Thanks!
5 years, 8 months
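The following is an added example, not code from either poster above and not Keycloak's own code. It serves two of the questions in this digest: it builds the Keycloak admin client with an absolute server URL (scheme included) and an explicitly registered Jackson 2 provider on the RESTEasy client, and it then uses that client to automate the SMTP settings of the master realm through the admin REST API, which is an alternative to looking for a standalone.xml property. Assumptions: the server listens at http://localhost:8080/auth, the admin user is "admin" in realm "master", the admin and SMTP passwords are injected through the environment variables KC_ADMIN_PASSWORD and SMTP_PASSWORD, the host names and addresses in the SMTP map are placeholders, and the keycloak-admin-client, resteasy-client and resteasy-jackson2-provider artifacts are on the classpath. Whether registering the provider resolves the RESTEASY003145 error depends on the versions actually resolved by the POM.

```java
// Added example (not the posters' code, not Keycloak's own code).
// Assumptions: Keycloak at http://localhost:8080/auth, admin user "admin" in realm "master",
// secrets supplied via KC_ADMIN_PASSWORD and SMTP_PASSWORD, placeholder SMTP host/addresses.
import java.util.HashMap;
import java.util.Map;

import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.RealmRepresentation;

public class MasterRealmSmtpSetup {

    /** Builds the admin client. The scheme in serverUrl is required: the value must be
     *  "http://localhost:8080/auth", not "localhost:8080/auth". */
    static Keycloak buildAdminClient(String serverUrl, String adminPassword) {
        // Registering the Jackson 2 provider explicitly guarantees a JSON MessageBodyReader
        // is available to the client regardless of what classpath scanning discovered.
        ResteasyClient http = new ResteasyClientBuilder()
                .connectionPoolSize(10)
                .register(ResteasyJackson2Provider.class)
                .build();
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password(adminPassword)
                .resteasyClient(http)
                .build();
    }

    /** Reads the master realm, merges the given SMTP settings into its smtpServer map and
     *  writes the representation back, so settings not mentioned here are preserved. */
    static void configureSmtp(Keycloak keycloak, Map<String, String> smtp) {
        RealmResource master = keycloak.realm("master");
        RealmRepresentation rep = master.toRepresentation();
        Map<String, String> merged = rep.getSmtpServer() == null
                ? new HashMap<>() : new HashMap<>(rep.getSmtpServer());
        merged.putAll(smtp);
        rep.setSmtpServer(merged);
        master.update(rep);
    }

    public static void main(String[] args) {
        // Assumption: the PaaS injects the admin password; it is never hard-coded as in the snippet above.
        String adminPassword = System.getenv("KC_ADMIN_PASSWORD");
        Keycloak keycloak = buildAdminClient("http://localhost:8080/auth", adminPassword);
        try {
            System.out.println("Connected to Keycloak "
                    + keycloak.serverInfo().getInfo().getSystemInfo().getVersion());

            // Keys are those of the realm representation's smtpServer map; values are placeholders.
            Map<String, String> smtp = new HashMap<>();
            smtp.put("host", "smtp.example.invalid");
            smtp.put("port", "587");
            smtp.put("from", "no-reply@example.invalid");
            smtp.put("starttls", "true");
            smtp.put("auth", "true");
            smtp.put("user", "smtp-user");
            smtp.put("password", System.getenv("SMTP_PASSWORD"));
            configureSmtp(keycloak, smtp);
        } finally {
            keycloak.close();
        }
    }
}
```

Run this once from the deployment pipeline after the server reports healthy; the same `configureSmtp` call works for any realm by replacing "master" with the realm name. Reading the representation before updating it matters because `update` replaces the realm's settings with whatever the representation contains, so an empty representation with only an SMTP map would wipe other realm configuration.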
Getting auth request params in script mapper?
by Gary Kennedy
Looking at the AuthorizationEndpoint class I notice that additional authorization request parameters are put in the authentication session client notes.
(https://github.com/keycloak/keycloak/blob/4.8.2.Final/services/src/main/j...)
I would like to work with those request parameters in a (preferably script) mapper to put calculated claims into the access token however I can't seem to find them.
Does anyone have any ideas/thoughts on how I can use the authorization request parameters to put claims into tokens?
Preferably without code customisation/provider; but that's a restriction I can break if needed :)
I thought this would work, but the only note is the issuer ("iss").
userSession.getAuthenticatedClientSessionByClient(keycloakSession.getContext().getClient().getId()).getNotes();
Cheers,
Gary
5 years, 8 months
SAML User Roles (app-profile-saml-jee-jsp )
by Joe Hedrick
Hey folks,
I'm having some trouble getting the app-profile-saml-jee-jsp quickstart
up and running. I'm getting a Forbidden for my demo user "alice" in the
demo realm demo. I followed the quickstart readme pretty thoroughly I
thought, but I'm wondering if maybe there's a role that needs to be added to
the user "alice" that's specific to SAML that isn't mentioned?
The same user seems to work fine for quickstarts that are OpenID
Connect.
I'm running Wildfly 15.0.0.Final and Keycloak-5.0.0 with Maven 3.6.0 and
OpenJDK8 on Debian Buster.
Thanks!
Joe
5 years, 8 months
Re: [keycloak-user] Radius integration
by Catalin Roman
Unfortunately, we are not allowed to install anything on the RADIUS server.
On Mon, Apr 1, 2019, 16:53 Jason Prouty <jprouty(a)jcius.com> wrote:
> There is a plugin you can compile and have radius connect to a keycloak
> server.
>
> https://github.com/jimdigriz/freeradius-oauth2-perl
>
> ------------------------------
> *From:* keycloak-user-bounces(a)lists.jboss.org <
> keycloak-user-bounces(a)lists.jboss.org> on behalf of Catalin Roman <
> chroman(a)gmail.com>
> *Sent:* Monday, April 1, 2019 6:49 AM
> *To:* keycloak-user(a)lists.jboss.org
> *Subject:* [keycloak-user] Radius integration
>
> Hi,
>
> I'm on a new project with a new customer who is only exposing a RADIUS
> interface for authentication.
> Since Keycloak is part of our target architecture, we are looking into ways
> to integrate with RADIUS.
> Therefore, I'm asking for your advice what would be the best way to go
> further.
> Is it possible to write a keycloak plugin, using the User Federation or
> Authentication concepts from Keycloak?
> Does it even make sense?
> I googled a lot and didn't find anything related.
>
> Thanks,
> Catalin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
5 years, 8 months
Keycloak Integration with Celoxis
by Kevin Perez Moreno
Hello,
I am currently trying to integrate Celoxis into our SSO provided by Keycloak. Celoxis is configured to send SAML requests to our Keycloak server by using the following IDP endpoint URL: https://xxx.xx/auth/realms/Demo/protocol/saml
However, I am getting an "invalid authn request reason invalid destination" WARN message in Keycloak.
After changing the log level to DEBUG, I found out that the Celoxis app is sending a SAML request with destination URL https://xxx.xx/auth/realms/Demo/protocol/saml?
It seems that a question mark was added at the end of the destination URL. Please see the DEBUG traces below. I wonder if this is the expected behavior, i.e., whether the question mark added at the end of the SAML Destination URL is causing Keycloak to throw an invalid authn request error.
If this is the expected behavior, I wonder if there is any workaround to avoid this error (perhaps ignoring destination validation?)
17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) SAML GET
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) SAML Redirect Binding
17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418" Version="2.0" IssueInstant="2019-03-28T16:06:47Z" Destination="https://xxx/auth/realms/Demo/protocol/saml?" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://app.celoxis.com/psa/person.Login.do?code=netguardians"><saml:Issuer>celoxis.com</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) verified request
17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) ** login request
17:06:47,999 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination
Thank you in advance
Kevin
5 years, 8 months
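As an added example (not the poster's code and not Keycloak's implementation), the following re-creates the kind of Destination check the trace above shows failing: it parses the AuthnRequest with a hardened XML parser, extracts the Destination attribute and compares it with the endpoint the IdP actually serves. Assumptions: the request XML is the one from the DEBUG trace with the IdP host replaced by the placeholder idp.example.invalid and the SP-side URLs replaced by sp.example.invalid placeholders; the expected endpoint is https://idp.example.invalid/auth/realms/Demo/protocol/saml. The verdict names and the parser settings are this example's own, not Keycloak's.

```java
// Added example (not the poster's code, not Keycloak's code).
// Assumptions: AuthnRequest taken from the DEBUG trace with placeholder hosts;
// expected IdP endpoint https://idp.example.invalid/auth/realms/Demo/protocol/saml.
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SamlDestinationCheck {

    enum Verdict { OK, MISMATCH, MISMATCH_TRAILING_EMPTY_QUERY }

    // Constructed from the trace in the post: only host names were replaced with placeholders.
    static final String AUTHN_REQUEST =
          "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
        + "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" "
        + "ID=\"ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418\" Version=\"2.0\" "
        + "IssueInstant=\"2019-03-28T16:06:47Z\" "
        + "Destination=\"https://idp.example.invalid/auth/realms/Demo/protocol/saml?\" "
        + "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" "
        + "AssertionConsumerServiceURL=\"https://sp.example.invalid/acs\">"
        + "<saml:Issuer>sp.example.invalid</saml:Issuer>"
        + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" "
        + "AllowCreate=\"true\"/>"
        + "</samlp:AuthnRequest>";

    /** Parses untrusted SAML XML with DTDs and external entities disabled (XXE hardening). */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    /** Returns the Destination attribute of the root AuthnRequest element ("" if absent). */
    static String extractDestination(String authnRequestXml) throws Exception {
        return parseHardened(authnRequestXml).getDocumentElement().getAttribute("Destination");
    }

    /** Exact comparison decides acceptance. The third verdict only diagnoses the trailing "?"
     *  case from the trace; it is still a rejection, because the value is not the endpoint. */
    static Verdict checkDestination(String destination, String expectedEndpoint) {
        if (destination.equals(expectedEndpoint)) {
            return Verdict.OK;
        }
        boolean onlyTrailingQuestionMark = destination.endsWith("?")
                && destination.substring(0, destination.length() - 1).equals(expectedEndpoint);
        return onlyTrailingQuestionMark ? Verdict.MISMATCH_TRAILING_EMPTY_QUERY : Verdict.MISMATCH;
    }

    public static void main(String[] args) throws Exception {
        String expected = "https://idp.example.invalid/auth/realms/Demo/protocol/saml";
        String destination = extractDestination(AUTHN_REQUEST);
        System.out.println("Destination in request: " + destination);
        System.out.println("Expected endpoint:      " + expected);
        System.out.println("Verdict: " + checkDestination(destination, expected));
    }
}
```

For the request in the trace the verdict is the trailing-question-mark diagnosis, which explains the invalid_destination event without suggesting the request should be accepted. The Destination attribute ties a request to the endpoint it was issued for; an IdP that stops comparing it can no longer tell a request meant for its own endpoint from one captured for another, so the correction belongs on the SP side (Celoxis sending the endpoint URL exactly as configured) rather than in relaxed IdP-side validation.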