Putting Keycloak behind a Proxy in Kubernetes
by Jason Leach
Hi,
I’m using a small k8s cluster on DigitalOcean. I have a DO Loadbalancer that manages my certificates. This goes into Traefik, my reverse proxy. Everything works great, except: when a user is sent an email for verification it fails because of the protocol:
23:13:11,352 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTION_TOKEN_ERROR, realmId=test, clientId=null, userId=24406bf4-2b97-4e40-b5d6-4xxxxxxxx, ipAddress=154.5.nnn.nnn, error=not_allowed, reason='Invalid token issuer. Expected 'https://www.xxxca/auth/realms/test', but was 'http://www.xxx.ca/auth/realms/test'', token_id=c96e1531-be72-407e-8c4e-071xxxxxxxxx, action=execute-actions
The link itself in the email starts with http that will be redirected to https by the load balancer.
Not sure where the problem is.
Maybe I need to get my proxy Traefik to redirect http to 8443 and use KC’s self-signed certs?
Thanks,
J.
5 years, 7 months
Authenticating Applications AND users
by Rémi GOYARD
Hi guys,
We have a Keycloak installed and configured to authenticate our users on a realm.
Our users are logged in on a single page application (React application), then we pass the token to a backend application (using the HTTP Authorization header) and it works fine!
We have other services / applications (like cron jobs) that need to connect and access the backend application, those services do not have any users.
Today we authenticate those services with a single key/value hosted in config files (shared between services and backend app), but we would like to make these applications authenticated on the backend via Keycloak, creating clients on the same realm.
I could not find a way to do it in the documentation (or I did not search well) or on Google … The only way I found was to pass the credentials of the logged-in user to other services, but as those services (like cron jobs) are not initiated by a user, how is it possible?
Is it possible to authenticate applications with Keycloak?
If yes, can anyone give me a link or anything that can help me?
Thanks
Rémi
5 years, 7 months
Keycloak WildFly Adapter domain mode
by David Mellen
Hi,
I'm trying to install the Keycloak WildFly Adapter on a WildFly Server running in domain mode. I unzipped keycloak-wildfly-adapter-dist-6.0.1.zip in my WildFly home directory and while the server was running I executed ./bin/jboss-cli.sh -c --file=bin/adapter-install.cli. The Keycloak OpenID Connect Extension installed successfully, but then I get the following error:
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0030: No resource definition is registered for address [(\"subsystem\" => \"keycloak\")]",
    "rolled-back" => true
}
Is there something I'm missing?
Thanks and best regards,
David
5 years, 7 months
checked "remember me"
by Christophe Lehingue
Hello,
On the login form, sometimes the "remember me" check box (once ticked) is no longer ticked when I come back to the login page?
Do you have an idea why the "remember me" check box, which was checked at the time of the connection, is not checked when I come back to this screen?
Thank you.
=====
IN FRENCH
=====
Hello,
On the login form, when I tick the "remember me" check box (once ticked), it is no longer ticked when I come back to the login page?
Do you have an idea why the "remember me" check box, which was ticked at the time of the connection, is no longer ticked when I come back to this screen?
Thank you.
5 years, 7 months
Keycloak U2F
by Ramon Spahr
Hi,
we tested Keycloak U2F from Stian Thorgersen (https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f) and are highly interested. But there are still a few open questions, e.g. self-registration similar to OTP, or the fact that it needs write access to LDAP (user repository) to enable the "U2F registration" action on a user.
Is there a roadmap available for when U2F will be available for Keycloak?
Regards,
Ramon
5 years, 7 months
Keycloak enforcer nodejs adapter
by Rafael Tovar.
Hi everybody,
How can I check if I have access to a specific scope of a resource with the enforcer method?
Example:
I have the resource 'res:devices' with the scope 'read' and a scope-based permission 'devices-read'; that permission has the resource 'res:devices' and the scope 'read' associated with it. I'm applying a role-based policy with the admin role to that permission.
How can I check that the admin role can access the scope 'read' of that resource?
Thanks,
Rafael.
5 years, 7 months
Help to use Keycloak to test SSO feature in our application
by preethi nandakumar
Hi Folks,
I'm new to this group. I'm an automation engineer by profession; the project that I'm working on requires the SSO feature introduced in our application to be tested. Initially we had plans to use Okta, but then it was decided to use some open source. I assumed Keycloak would serve the purpose for me (I'm a complete novice, please correct me if I'm wrong).
How we have used Okta: we would configure our application in it, add the required users, groups etc. Then we would configure the well-known URL of the Okta application in our application. So the SSO in our application would redirect to Okta.
Now I want to replace the same with Keycloak. I brought up the localhost, created a realm, user and client. I assumed the client in Keycloak is similar to applications in Okta. So I configured the redirect URL to my application. But when I configured the well-known URL of Keycloak in my application it is not working:
https://localhost:8443/auth/realms/demo/.well-known/openid-configuration
Please advise if my decision is right and, if so, what it is that I'm missing in the configuration.
Thanks and Regards,
Preethi
5 years, 7 months
Client Credentials flow for external applications
by Leslie C
Hi!
We're looking into using Keycloak as our auth server for securing our REST APIs. The APIs are set up to only be accessed by a limited audience: all trusted external clients. We do not store or maintain user data, so I don't think the "resource owner" concept of OAuth2 applies in our scenario, so we'll be using the Client Credentials authentication flow. I found the following on StackOverflow and just wanted to know your thoughts on whether this is a valid and acceptable implementation of the flow in Keycloak:
Issuing "API keys" using Keycloak
I finally found a solution that works well and seems to be "the Keycloak way" to issue credentials to external applications. To create a new set of credentials, add a new Keycloak client and change the following settings:
- Standard Flow Enabled: OFF
- Direct Access Grants Enabled: OFF
- Access Type: Confidential
- Service Accounts Enabled: ON
The external application will use our newly created client's name as the client_id. The client_secret was generated automatically and can be found under the Credentials tab.
Granting Client Access to Your Services
If your Keycloak-protected services are configured to check the aud claim of incoming Bearer tokens, a second step is necessary. By default, the audience of the JWT tokens that Keycloak issues to your client will be set to your client's name, so they will be rejected by your services. You can use Client Scopes to modify that behavior:
- Create a new client scope
- Select "Audience Template"
- Select the service you'd like to grant your external applications access to and click "next"
- Add the scope to the client you just created (Client Scopes tab)
Keycloak will now add your service's name to the aud claim of all JWT tokens it issues to your new client. Check out the Keycloak documentation on Service Accounts for more details.
Exchanging Client Credentials for an Access Token
An external application can now use its credentials to obtain an access token from Keycloak's token endpoint:
POST {keycloak-url}/auth/realms/atlas/protocol/openid-connect/token
- Set the Content-Type header to application/x-www-form-urlencoded
- Authenticate the request with Basic Authentication, using your client id as the user and your client secret as the password
- Set grant_type=client_credentials in the request body
Found a similar flow here which is more comprehensive and much closer to what I'm trying to achieve: https://stackoverflow.com/questions/56186951/keycloak-oauth-2-au...
Our REST APIs are implemented using Mulesoft and honestly, being a beginner myself, I'm not sure how to use the Keycloak adapters to integrate with Mulesoft. I plan to use the available OIDC endpoints (/introspection) to just validate the tokens, if this is acceptable.
Kindly let me know what you think. If you have any suggestions/alternative solutions in mind, please feel free to share. Appreciate any help I can get.
Thanks,
Lian
5 years, 7 months
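The client_credentials exchange quoted in this post, together with the claim checks a resource server should make on the resulting token (the aud claim discussed above, and the iss claim that produced the "Invalid token issuer" error in the first message of this page), as an added example that is not part of the thread. The host name, client names and tokens are constructed; the realm name 'atlas' and the endpoint path come from the post. It also answers Rémi's question above about authenticating services that have no user: the service account is the client itself.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(keycloak_url, realm, client_id, client_secret):
    """Describe the client_credentials exchange from the post as a plain
    request: POST to the realm token endpoint, HTTP Basic auth with the
    client id/secret, form-encoded body with grant_type=client_credentials."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{keycloak_url}/auth/realms/{realm}/protocol/openid-connect/token",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {creds}",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def _b64url_decode(part):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_token_claims(jwt, expected_issuer, expected_audience):
    """Return the list of claim problems a resource server would reject on.
    Only iss and aud are inspected here; signature checking (JWKS) or the
    introspection endpoint mentioned in the post is still required."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    problems = []
    # Same issuer comparison Keycloak itself performs (see the log line in the first post).
    if payload.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: {payload.get('iss')!r}")
    # aud may be a single string or a list; without the audience client scope
    # it only names the calling client, not the service being accessed.
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        problems.append(f"audience {expected_audience!r} not in {aud}")
    return problems


def make_unsigned_jwt(payload):
    """Constructed, unsigned (alg=none) token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```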
RestEasy NoMessageBodyWriterFoundFailure
by Frank Herrmann
Hello,
I've recently had to extend some of the functionality of RealmsResource.java. I've created my own resource, and, for the most part, it is working great. However, one of the REST methods calls realmsResource.getProtocol(...). This generates a RESTEasy error that it cannot find a message body writer for application/signed-exchange.
I'm sure I'm probably just missing a dependency in my module.xml. However, for the life of me, I can't figure it out. Now, I will admit, my JBoss/WildFly knowledge is limited.
Any help would be greatly appreciated.
Thanks,
-Frank
--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann(a)modmed.com
5 years, 7 months