Springboot
by Fabio Ebner
Does anyone have a sample of how I can secure my Spring Boot REST API?
I want to configure Keycloak to work with my backend (Spring Boot REST API) and a front-end (Vue.js).
Thanks
5 years, 7 months
direct access grant + kerberos
by Fox, Kevin M
Is there a way to get back an ID token by doing a direct access grant with Kerberos negotiate instead of a password?
Thanks,
Kevin
5 years, 7 months
Keycloak generic adapter on Openshift Online
by Augusto dos Santos Pereira
Hello,
I'm new to OpenShift and Keycloak and I am currently trying to protect a PHP REST service using the Keycloak generic adapter.
This repository (https://github.com/stianst/keycloak-demo) was used, and this video (https://www.youtube.com/watch?v=mdZauKsMDiI) was followed.
I was able to secure the NodeJS app (demo-app) as expected using Keycloak, so my Keycloak pod is working.
After the NodeJS app, I added an app called "demo-service-php" with the "Import YAML / JSON" option, using the demo-service-php/demo-service-php.json file in the repo. The pod fails to spin up and shows a link to the logs. The following error shows up:
[error] invalid options, flag provided but not defined: -skip-client-id
I tried editing the line - '--skip-client-id' in the YAML and it worked. The pod spun up.
I looked at the JSON file and the arg "--client-id=demo-service" is in there. I checked in the demo realm and there is no client called "demo-service", so I added it with the bearer-only access type. Still the same error.
I edited the SERVICE_URL environment variable of the demo-app to match the demo-service-php URL.
Responses:
INVOKE PUBLIC -> Message: public
INVOKE SECURED -> Request failed
INVOKE ADMIN -> Request failed
The service pod says "The logs are no longer available or could not be loaded.".
Looking at the browser console, the logs are:
demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.com/admin:1 GET https://demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.co... 401 (Unauthorized)
(index):1 Access to XMLHttpRequest at 'https://demo-service-php-keycloak.7e14.starter-us-west-2.openshiftapps.co...' from origin 'https://demo-app-keycloak.7e14.starter-us-west-2.openshiftapps.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I noticed that there is an arg "--client-secret=secret"; I figured it should be one of the two secrets created early in the process (keycloak-server-tls and keycloak-client-tls) but I didn't know which, so I tried setting it to both while editing the YAML. No luck, still getting the same results.
What would you suggest? Is there another repository I can try?
thanks in advance!
Guto Pereira.
5 years, 7 months
can't setup keycloak into a mysql database.
by Priyamal Madushan
Hi guys.
I am trying to set up Keycloak to use a MySQL database. I have read the documentation and edited the standalone.xml to use the MySQL datasource and included the driver in the module.xml as well. Here is the datasource I created (note that "&" inside the connection URL must be written as "&amp;" in XML):
<datasource jndi-name="java:/jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:mysql://localhost:3306/keycloak?useSSL=false&amp;characterEncoding=UTF-8</connection-url>
    <driver>mysql</driver>
    <pool>
        <min-pool-size>5</min-pool-size>
        <max-pool-size>20</max-pool-size>
        <prefill>true</prefill>
    </pool>
    <timeout>
        <idle-timeout-minutes>0</idle-timeout-minutes>
    </timeout>
    <security>
        <user-name>root</user-name>
        <password>password</password>
    </security>
    <validation>
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
        <validate-on-match>true</validate-on-match>
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
    </validation>
</datasource>
With the above configuration I always end up with this error:
Timeout after [300] seconds waiting for service container stability. Operation will roll back. Step that first updated the service container was 'add' at address '[
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]'
I tried Keycloak versions 5, 6 and 6.0.1, assuming an older version might fix the issue, but it didn't. Here is a similar discussion:
https://developer.jboss.org/thread/272010
After going through that I changed my timeout, but it didn't solve the issue either.
<timeout>
    <blocking-timeout-millis>60000</blocking-timeout-millis>
    <allocation-retry>3</allocation-retry>
</timeout>
Here is the question that I posted on Stack Overflow: https://stackoverflow.com/questions/56357585/how-to-migrate-keycloak-to-m...
I have been trying to fix this for a couple of days now and still couldn't get it solved. Any help would be appreciated.
Thanks and regards
Priyamal.
5 years, 7 months
MultiTenant system with SSO for selected users
by Babji Kundateeri
Hi Team,
I have a unique requirement in our project to solve.
Our project is multitenant based; we need to enable SSO only for a specific
tenant.
For the remaining users we want to keep using the old form-based login itself.
We are planning to use Keycloak for identity brokering to connect with the
customer's IDP.
Can anyone guide me on how I can solve this problem?
--
Kind Regards,
Babji Kundateeri.
5 years, 7 months
KeycloakWebSecurityConfigurerAdapter and sessionAuthenticationStrategy()
by Leonid Rozenblyum
Hello!
I'm using keycloak-spring-security and I have a question related to the
usefulness of sessionAuthenticationStrategy() being used twice in
the KeycloakWebSecurityConfigurerAdapter.
1) it's used for KeycloakAuthenticationProcessingFilter:
    filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
2) it's passed to httpSecurity:
    http
        .sessionManagement()
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
While the first usage looks fine and is indeed in use, the intention of
the second one is unclear.
It has influence on SessionManagementFilter; however, in the Keycloak filter
chain the session management filter is not invoked on successful
authentication
(KeycloakAuthenticationProcessingFilter.continueChainBeforeSuccessfulAuthentication
is false).
Are there any real cases where this HTTP session authentication strategy
initialization is useful?
Thanks for your help!
5 years, 7 months
TOTP claim in jwt
by Mark Sargent
Hi all,
Some users in our realm must have set up TOTP to access some services. Is it possible to configure a claim to include whether a second factor was used during authentication?
We could check if such a claim existed in our service, before granting access.
Thanks in advance.
Cheers
Mark
5 years, 7 months
Re: [keycloak-user] Parameter Forwarding
by Dmitry Telegin
First, I'd recommend against using arbitrary parameters for that. This is a bit unreliable and harder to deal with. See this thread for the explanation and possible solution (as well as general problem outline): http://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html
I'd rather recommend (ab)using the OpenID Connect "scope" parameter for that. It is automatically exposed to the authenticators, and is guaranteed to survive all redirects.
Let's assume your parameter is named "partner_code". Consider the following format:
scope="openid email partner_code:1234"
Create a custom JavaScript authenticator and propagate the whole scope param to the user session:
    function authenticate(context) {
        // "authenticationSession" is bound by Keycloak for script authenticators.
        // Copy the raw "scope" request parameter (kept as a client note on the
        // authentication session) into a user session note for the mapper to read.
        authenticationSession.setUserSessionNote("scope", authenticationSession.clientNotes.scope);
        context.success();
    }
Then, create a custom JS mapper to parse the value and put it inside a token:
    // "userSession" and "token" are bound by Keycloak for script mappers.
    var scope = userSession.notes.scope;
    var partner_code = scope ? scope.match(/partner_code:(\d+)/) : null;
    if (partner_code) {
        print(partner_code[0]);
        print(partner_code[1]);
        token.scope += " " + partner_code[0];
        token.setOtherClaims("partner_code", partner_code[1]);
    }
The value will appear both in the "scope" claim and as a "partner_code" custom claim. Alternatively, you can parse the value inside the authenticator.
Good luck!
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
On Wed, 2019-05-29 at 15:48 +0000, Namık Barış İDİL wrote:
> Hey Dimitry!
>
> Thanks for the response. Yes, the parameter I send via login URL to be returned in the access-token will be ok for me. How can I do that?
>
> Best,
>
> Barış
>
> From: Dmitry Telegin <demetrio(a)carretti.pro>
> Sent: Wednesday, May 29, 2019 6:41 PM
> To: Namık Barış İDİL; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Parameter Forwarding
>
> Hello Barış,
>
> Unfortunately, you can't do that OOTB (unless you're willing to plug your own customized OIDCLoginProtocol variant).
>
> However, it is possible to return back the parameter as a part of access/ID token (as a custom claim). Does that work for you?
>
> Regards,
> Dmitry Telegin
>
> Carretti Consulting OÜ | Keycloak Consulting and Training
> Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
>
> On Tue, 2019-05-28 at 16:06 +0000, Namık Barış İDİL wrote:
> > Hi,
> >
> > I am redirecting my current user to Keycloak login page and it redirects me back to my app. I would like to send a parameter to login url and would like to receive it on redirect url. How can I forward my parameter?
> >
> > Thanks in advance!
> >
> > Barış
> >
5 years, 7 months
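The scope convention from Dmitry's reply above ("openid email partner_code:1234"), as an added example that is not part of the original thread and not Keycloak's own code. It shows a strict parser for the partner_code token plus a helper that mirrors what the script mapper does to the token, run on plain Node.js objects instead of Keycloak's bindings so it can be exercised offline. MAX_DIGITS, the function names and the sample scope strings are this example's own assumptions.

```javascript
// Added example: strict handling of a partner_code:<digits> token smuggled
// into the OIDC "scope" parameter. Not Keycloak code; names are assumptions.

const MAX_DIGITS = 12; // assumption: partner codes are short numeric identifiers
const PARTNER_TOKEN = new RegExp("^partner_code:(\\d{1," + MAX_DIGITS + "})$");

// Parse the raw "scope" value. Returns { scopeToken, code } when exactly one
// well-formed partner_code:<digits> token is present, otherwise null.
// Duplicates are rejected rather than silently picking one of two
// conflicting client-supplied values, and the anchored regex stops
// values such as "partner_code:12ab" from slipping through.
function parsePartnerCode(scope) {
  if (typeof scope !== "string") return null;
  const tokens = scope.split(/\s+/).filter(Boolean);
  const candidates = tokens.filter((t) => t.startsWith("partner_code:"));
  if (candidates.length !== 1) return null;
  const m = PARTNER_TOKEN.exec(candidates[0]);
  return m ? { scopeToken: m[0], code: m[1] } : null;
}

// Apply the same change the script mapper makes, but on a plain object that
// stands in for Keycloak's token: append the raw token to the "scope" claim
// and set a "partner_code" custom claim. The input token is not mutated, and
// a missing or malformed value leaves the token exactly as issued.
function applyPartnerCodeClaim(token, scope) {
  const out = { scope: token.scope, otherClaims: Object.assign({}, token.otherClaims) };
  const parsed = parsePartnerCode(scope);
  if (parsed === null) return out;
  out.scope = (out.scope ? out.scope + " " : "") + parsed.scopeToken;
  out.otherClaims.partner_code = parsed.code;
  return out;
}

// Constructed sample scope values, as a client could send them
const samples = [
  "openid email partner_code:1234",
  "openid email",
  "openid partner_code:12ab",
  "openid partner_code:1 partner_code:2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(parsePartnerCode(s)));
}
```

Whatever ends up in the claim comes straight from the client's authorization request; nothing in this flow authenticates it, so a resource server should treat partner_code as an assertion made by the client, not as an authorization decision.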
How do you export a REALM from keycloak when running within a Docker container?
by Melissa Palmer
Hi
How do you export a REALM from Keycloak when running within a Docker container?
If running Keycloak via Docker, e.g. using:
    docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 --name kc jboss/keycloak
How can you export a realm that you have added via the UI?
Thanks in Advance
Melissa
5 years, 7 months
Parameter Forwarding
by Namık Barış İDİL
Hi,
I am redirecting my current user to Keycloak login page and it redirects me back to my app. I would like to send a parameter to login url and would like to receive it on redirect url. How can I forward my parameter?
Thanks in advance!
Barış
5 years, 7 months