User has to login twice after Session expiration
by Dominik Schopper
Hello,
we have a Keycloak 4.8.0.Final
Our Angular Frontends have e.g. a 10min idle session timeout
When a user logs in (login 1) and the session idles out and the user clicks, he/she gets redirected to the keycloak login page and posts the credentials (login 2).
After giving the correct credentials the user gets redirected to the login page again and has to enter the credentials again before being redirected back to the application.
The http headers for the “login 1” and “login 3” response from the server contain
set-cookie: KC_RESTART=; Version=1; …; HttpOnly
set-cookie: KEYCLOAK_IDENTITY= … Version=1; Path=/auth/realms/sparda-n/; HttpOnly
set-cookie: KEYCLOAK_SESSION=… Version=1; Expires=Thu, 06-Jun-2019 11:39:31 GMT; Max-Age=7200; Path=/auth/realms/sparda-n/
set-cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie;…; HttpOnly
Whereas the second response only contains
set-cookie: AUTH_SESSION_ID=…
Does anybody have advice on how to make “login 2” work directly?
Thx
Dom
repeating reset-password flow in a session
by Soroush Shirali
Hi All,
I have customized Keycloak's authentication flows. The problem is that after going through reset-password once, if the user clicks on the forgot-password link he is redirected to the login page again, as if Keycloak does not accept resetting a password twice in a session. So I have to open a new tab in the browser to reset the password again.
Does anybody know what the fix is?
Thanks,
Soroush Shirali
Upgrade to 6.0.1 - Oracle driver failing to load
by David Paul
Hi,
I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step but I have followed the guide here:
https://www.keycloak.org/docs/latest/upgrading/index.html
I have:
unpacked 6.0.1
mv standalone directory to standalone.old
cp -R 3.2.1/standalone to 6.0.1/
cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/
cp -R 3.2.1/themes/<our-themes> 6.0.1/themes/
6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions)
Made sure migrationStrategy value="update"
When I run 6.0.1/bin/standalone.sh I get:
...
09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "datasources"),
("jdbc-driver" => "oracle")
]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver"
Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in the standalone.xml file as well as the module.xml and ojdbc8.jar. I can also confirm the datastore is in use for the 3.2.1 install by connecting to the DB store using TOAD for Oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations.
Is there another step or declaration of the driver or something that I must do?
Thank you for your time,
Dave
Wildfly Client Adapter breaks session persistence
by Ryan Slominski
It seems session persistence is broken with the Wildfly Client Adapter. I have:
<persistent-sessions/>
in the standalone.xml file under:
<servlet-container name="default">
This was set using the command:
./jboss-cli.sh --connect --command="/subsystem=undertow/servlet-container=default/setting=persistent-sessions:add()"
However, if I run the command:
./jboss-cli.sh --connect --command="/deployment=myapp.war:redeploy()"
My authenticated session is lost and I must re-login. Am I missing something or is this a bug?
Ryan
Re: [keycloak-user] Policy Enforcing for nodejs REST Api
by Jahn, Lasse
Hmm ok,
But is the decision made in Keycloak or inside the Keycloak adapter?
I don’t really get why the adapter has to fetch the resources. Couldn’t the adapter send the requested URL from the req object, and the decision about which resource is meant happen in the Keycloak service itself?!
So the policy, permissions and resources only stay inside Keycloak, and the adapter only receives an access grant or access deny, which it then enforces.
Or in other words, the adapter is only the PEP (policy enforcement point) and the Keycloak service is the PDP (policy decision point).
On 4. Jun 2019, at 14:47, Pedro Igor Silva <psilva(a)redhat.com> wrote:
On Tue, Jun 4, 2019 at 9:28 AM Jahn, Lasse <Lasse.Jahn(a)student.hpi.uni-potsdam.de> wrote:
So just to make sure: if I use the node adapter, the resource URIs in the keycloak admin console are not used yet?
Yes. That is why you need to use the enforcer in the route so that you associate a resource with the route/path.
In other adapters, the enforcer is capable of fetching and caching resources from the server based on the requested URI. So you don't need to do this association manually.
I would have thought that the backend sends a request to keycloak sending the
- bearer token (for all credentials and user information...)
- request object (to have the requested resource)
And then keycloak evaluates and only answers grant or deny ?!
Is this decision made inside the adapter or in keycloak?
Yes, that is how it works. The missing part is the enforcer using the requested URI to match a resource in Keycloak so that permissions can be enforced.
On 4. Jun 2019, at 14:06, Pedro Igor Silva <psilva(a)redhat.com> wrote:
Differently than other adapters, the NodeJS adapter does not fetch resources from the server, so you need to use the enforcer on each route:
app.get('/api/users', keycloak.enforcer(['users']));
app.get('/api/devices', keycloak.enforcer(['devices']));
Please create an RFE if the current behavior is not enough for you.
On Tue, Jun 4, 2019 at 5:23 AM Lasse Jahn <lasse.jahn(a)student.hpi.de> wrote:
Hey Pedro,
sorry for the really late reply. There were some other issues I had to fix first before I could come back to authorization. But now I'm trying to get this done.
Unfortunately I don't really get the thing with the resources and their URIs.
I want the keycloak enforcer middleware only called at one point, like I explained. Based on the called route (e.g. /api/users or /api/devices) I would like to have only the permissions of that resource evaluated.
I guess somehow I just miss a thing and it should be easily possible.
What I did:
1. Created 2 resources (users, devices with URIs "/api/users" or "/api/devices")
2. Created 2 permissions and policies (users grant always, devices deny always)
3. Added the keycloak enforcer middleware before the router.
****
app.use('/api', keycloak.enforcer(['users', 'devices']), routes);
****
Unfortunately, when I access /api/devices this is allowed.
I would like to create resources on the client and have one policy for each to decide. Is it possible that the enforcer checks which resource is requested and uses only that one?
If not, what is the URI of a resource for?
Regards, Lasse
On 15.05.19 19:55, Pedro Igor Silva wrote:
On Wed, May 15, 2019 at 8:52 AM Lasse Jahn <lasse.jahn(a)student.hpi.de> wrote:
Hi Pedro,
thanks for the quick reply. So I got it working now, so that the resource I created is enforcing the one policy. For a single resource this is great.
Later on I would like to have a multi-tenant solution; a short explanation of what I mean:
Different companies have the same functionality but maybe want to change the restrictions for themselves, but still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the API, the backend should enforce the policies of the company-specific client.
Therefore I have 2 questions:
1. Is it possible to configure the enforcer to enforce all policies for all resources depending only on the requested path? So I only have to add the middleware once before the express router. For example we have the routes /api/devices and /api/users (GET, POST, DELETE each). Both are represented by a resource in the keycloak admin console.
I would like to have something like this:
router.js
****
const express = require('express');
const router = express.Router();
const users = require('../controllers/users.controller');
const devices = require('../controllers/devices.controller');
router.post('/users/', users.create);
router.delete('/users/', users.deleteAll);
router.get('/users/', users.findAll);
router.post('/devices/', devices.create);
router.delete('/devices/', devices.deleteAll);
router.get('/devices/', devices.findAll);
module.exports = router;
****
app.js
****
.... // all from before
app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes);
****
I don't want to write keycloak.enforcer(...) on each line of users or devices...
Maybe this can be done by the claims and the context information? But if yes, I don't get how.
Yes, by using claims you are allowed to use them in your policies. Here is an example: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-re.... More details here https://www.keycloak.org/docs/latest/authorization_services/index.html#ex....
Your keycloak.enforce would be similar to https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixt....
2. For now the solution is only single tenant, but if I want to have it multi-tenant and have a realm per company with similar clients (only different in policies and permissions), do you have an idea how I can solve the problem that the keycloak object is configured realm-specific?
I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object.
Do you think this can work? Or do you have a better idea?
AFAIK, this is how you do it, so that according to the request you build a new Keycloak object using a specific realm.
Some suggestions for your documentation:
- Could you somewhere describe what the middleware option protected is doing? The logout, ... options are explained, but protected I couldn't find.
- Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource'; the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful.
Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing.
Regards,
Lasse
On 14.05.19 20:33, Pedro Igor Silva wrote:
Hi,
We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information.
In your case, this code:
app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
Would be:
app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes);
If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be:
app.use('/api', keycloak.enforcer('foo:bar'), routes);
Hope it helps.
[1] https://github.com/keycloak/keycloak-documentation/pull/654
On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote:
Hello,
It's the first time I'm writing to the keycloak mailing list (I hope this is the correct one?), so excuse me if I forget to provide some information or make any other mistakes.
Sorry for the text wall.
Shortly, what I'm trying to do (maybe I got something completely wrong):
I'm creating a backend (node.js Bearer Only) which shall offer a REST API. Partially it is used via a frontend (keycloak-clients) or directly by some devices.
In general I'm trying to create an application with a lot of CRUD. User management is done in keycloak and I only forward these requests to the admin REST API. Other stuff like the devices ... I store in a separate database.
So the backend is the abstraction layer for the frontend and other use cases.
So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all was handled via keycloak.protect(). The token from the authenticated person was passed.
But now I want to offer different authorization levels (they can differ due to multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration), because the normal user shall have access to only some routes and the management shall have full access to the API, but of course doesn't need the keycloak admin access.
So I enabled the service account for my backend client and gave it the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
(Just in case no one gets what I'm talking about: fixing [1] should help me fix my issue, I guess.)
Setup
- node.js application using express
- registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only)
- Keycloak is running in a docker-container (version 4.5)
- all services are running in a docker-compose network and are behind a reverse proxy for common uri
- enabled Authorization in the client and changed the default policy to Negative to always deny (to see if it is enforced)
My Problem
I don't understand how to use the policies, permissions and co I created in the admin-console inside the backend itself. How do I enforce that these are used?
I tried to check different examples and documentation, but couldn't get it working.
The last thing I found was that the entitlement API was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find documentation of the middleware (keycloak.enforcer({}) [3][4]).
My Code
*****
app.js
const express = require('express');
const app = express();
const Keycloak = require('keycloak-connect');
const session = require('express-session');
const routes = require('./routes/index');
const kcConfig = {
  'realm': 'master',
  'bearer-only': true,
  'auth-server-url': 'https://DOMAIN/auth',
  'ssl-required': 'all',
  'resource': 'fm-backend',
  'credentials': {
    secret: 'SOME_SECRET',
  },
  'confidential-port': 0,
  'policy-enforcer': { // tried with and without this, changed nothing
    'enforcement-mode': 'ENFORCING',
  },
};
const memoryStore = new session.MemoryStore();
// keycloak-connect expects the session store under the `store` key
const keycloak = new Keycloak({ store: memoryStore }, kcConfig);
app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
// used before, worked well for authentication
app.use('/api', keycloak.protect(), routes);
// now unfortunately I don't understand how to use the keycloak.enforcer() middleware
app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
module.exports = app;
*****
[1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforci...
[2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_serv...
[3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_a...
[4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/i...
Any Help is appreciated :)
With kind regards
Lasse
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
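The single path-based enforcer Lasse asks for, as an added example that is not from the thread and not part of keycloak-connect: one middleware mounted before the router maps the request path and method to a `resource:scope` string and delegates to `keycloak.enforcer()` for that one resource, refusing unmapped routes instead of letting them through. The resource names `users`/`devices` are from the thread; the scope names, the `DEFAULT_ROUTES` table and the injectable `enforcerFactory` are assumptions.

```javascript
'use strict';

// Ordered route table (assumed): first match wins. Paths are matched relative
// to the mount point, so '/users' covers '/api/users' and '/api/users/7'.
const DEFAULT_ROUTES = [
  { prefix: '/users', resource: 'users' },
  { prefix: '/devices', resource: 'devices' },
];

// Assumed scope names, one per HTTP method (must exist on the Keycloak resource).
const METHOD_SCOPES = { GET: 'view', POST: 'create', DELETE: 'delete' };

// Pure mapping: (method, path) -> "resource:scope", or null when no resource or
// scope is known. null means deny, never "skip", so a newly added route cannot
// silently bypass authorization (fail closed).
function resolvePermission(method, path, routes = DEFAULT_ROUTES) {
  const scope = METHOD_SCOPES[String(method).toUpperCase()];
  if (!scope) return null;
  // Normalise: drop any query string and trailing slashes, keep the leading slash.
  const clean = path.split('?')[0].replace(/\/+$/, '') || '/';
  for (const r of routes) {
    if (clean === r.prefix || clean.startsWith(r.prefix + '/')) {
      return `${r.resource}:${scope}`;
    }
  }
  return null;
}

// Build the middleware. In a real app enforcerFactory is
// keycloak.enforcer.bind(keycloak): given a permission string it returns an
// Express middleware that asks Keycloak for a decision. It is injected here so
// the mapping logic can be exercised without a Keycloak server.
function pathEnforcer(enforcerFactory, routes = DEFAULT_ROUTES) {
  // One enforcer middleware per permission string; keycloak.enforcer() builds
  // a new middleware on every call, so do not call it per request.
  const cache = new Map();
  return function enforceByPath(req, res, next) {
    const perm = resolvePermission(req.method, req.path, routes);
    if (perm === null) {
      return res.status(403).send('Forbidden: no resource mapped for this route');
    }
    if (!cache.has(perm)) cache.set(perm, enforcerFactory(perm));
    return cache.get(perm)(req, res, next);
  };
}

// Usage with the app.js from the thread (real adapter):
//   app.use('/api', pathEnforcer(keycloak.enforcer.bind(keycloak)), routes);
```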
LDAP user federation with AD range retrieval
by Sidney Beekhoven - INFO
Hi Aaron,
I created ticket https://issues.jboss.org/browse/KEYCLOAK-8525 back then. That one was closed because there were some other tickets which would hopefully resolve this issue. In the meantime in version 6 some of those other tickets were solved and for us it solves the issue with AD range retrieval.
Regards,
Sidney Beekhoven
This looks to be an issue still in 5.0.0. Did you end up creating a ticket for this? I had to do the same workaround for a similar issue I'm having with larger groups not syncing from AD > Keycloak. Raising the MaxValRange allowed that group to sync as well.
--
Aaron Echols
On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven <sidney.beekhoven at info.nl> wrote:
> Hello,
>
> We have a keycloak setup (3.4.3.Final) with active directory as a user
> federation provider. We ran into an issue with adding a certain role to
> users. We got an error message like this:
>
> Uncaught server error: org.keycloak.models.ModelException: Could not
> modify attribute for DN
> [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110)
> at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112)
> at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181)
> at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262)
> at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380)
> at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316)
> at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236)
> …
> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>
> After some investigation the issue is that active directory uses range
> retrieval when there are more than 1500 entries in the member (list)
> property of a group. See e.g.
> https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s...
> .
> When I look at the keycloak source code it looks like keycloak does not
> handle/support the range retrieval, so an error happens when trying to add
> a user to that role.
>
> For now we work around the issue by setting the MaxValRange to a higher
> value. See
> https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-...
> for more info about this.
>
> The real solution would probably be to add support for range retrieval in
> the keycloak ldap user federation provider, so I will create a jira ticket
> for that.
>
> Did anyone else maybe run into this issue, and if so had another solution
> for it?
>
> Kind regards,
> Sidney Beekhoven
Role-Based Policy with nodejs adapter, single role validation
by Rafael Tovar.
Hi all,
Is there any way to check only the policies associated to an specific role
with the nodejs adapter?
Example:
Imagine a user with 2 realm roles: admin and guest.
How could I check the resources available only for the guest role?
Thanks,
Rafael.
Custom REST endpoint not associated with a specific REALM
by Michael Dailous
Hi,
We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process. We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
Thanks,
Michael