How to use identity provider broker (google and facebook) via ajax/api
by Cosmin Ardeleanu
Hello,
*Context*: We have a single page application made with Angular JS. We want
to implement login via Facebook and Google, by using Keycloak.
*Requirement*: We want to use an ajax/api call, similar to
"../protocol/openid-connect/token" (this endpoint is using user/pass to
login).
*Problem*: The way the brokering works is with a series of HTML redirects:
start -> redirects to Keycloak -> redirects to Facebook or Google -> back
to Keycloak -> back to start
This is not compatible with a single page application.
*Question*:
Is there any documentation (or workaround) on how to achieve login with
Facebook/Google by using ajax/api calls, similar to the one for
user/password (the "../protocol/openid-connect/token" endpoint)?
We need to be able to retrieve the token from Facebook and Google, and send
it to Keycloak, and Keycloak should respond with the authentication token.
How can we do it?
Thank you.
5 years, 6 months
Registration process
by Mark Sargent
Hi there,
During an onboard game flow we would like to invite the user to register with a particular email address. Is there a way that I can send a user to the registration page with the email address filled in and possibly not editable?
I am trying to skip the page where the user can either sign in or click the register button.
Many thanks
Mark
5 years, 6 months
forgotten password
by Francois Verhees
Dear,
I sent a forgotten password message. I used the known e-mail address as a login, but did not receive a mail back with recovery of the password.
I used francois(a)medicaldynamics.nl and I used info(a)verdihealthcare.nl
What am I doing wrong, or why do I not get a reply?
Best regards,
François Verhees
Managing Director/CEO
Verdi Healthcare
Wijde Wade 1 a
3439 NP Nieuwegein
The Netherlands
T +31(0)30 285 12 49
F +31(0)30 285 11 06
E francois(a)verdihealthcare.nl
I www.verdihealthcare.nl
5 years, 6 months
Realm templates - exporting once, importing many times
by Tiago Batista
Hello all,
This is something I have seen requested here and that I needed too. As
Keycloak does not supply such a tool, I did a quick hack to create one.
I am sure there are plenty of bugs as this was created for a very
particular purpose and was not extensively tested.
Take a look here:
https://github.com/plinth-tech/keycloak-realm-generator
This is licensed as MIT, but I am sure the copyright holder will be
accommodating if you need this under any other license for some reason.
Feel free to use it as much as you want, and if you find any bugs
please report them!
Regards,
Tiago
5 years, 6 months
Does Keycloak support binding to ipv6 address
by Shiva Prasad Thagadur Prakash
Hi Guys,
Can Keycloak be bound to an IPv6 address? Or can it be bound to both IPv4 and
IPv6, for example with -b [[::]]? Are there any configuration changes I have to
make? Eagerly waiting for the reply.
Thanks,
Shiva
5 years, 6 months
Re: [keycloak-user] token introspection endpoint does not accept its URL as audience during signed JWT client auth
by Hans Zandbelt
FWIW: the spec is not clear on this case, see a discussion about it here:
https://mailarchive.ietf.org/arch/msg/oauth/Z2QXaIPXvP8BIA0by6ktFSoyKK8
Based on that input I agree with Simon and would suggest to accept both.
Hans.
On Thu, Jun 20, 2019 at 3:45 AM <keycloak-user-request(a)lists.jboss.org> wrote:
> we think we found a problem when using the token introspection
> endpoint with signed JWT client auth.
>
> In the JWT, audience is set to the URL of the token introspection
> endpoint (we use mod_auth_openidc). However, Keycloak throws an error in
> JWTClientAuthenticator which looks like this:
>
> Error when validating client assertion: java.lang.RuntimeException: Token
> audience doesn't match domain. Realm issuer is
> 'https://.../auth/realms/master' but audience from token is
> '[https://.../auth/realms/master/protocol/openid-connect/token/introspect]'
>
> We found the description of a similar problem in KEYCLOAK-3424 for
> the token endpoint (see [0]). Here, JWTClientAuthenticator was adapted to
> accept both the issuer as well as the actual token endpoint URL as
> audience.
>
> Now, we are wondering whether that change missed to address the
> token introspection endpoint as well or whether we are doing
> something wrong.
>
> [0]
> https://issues.jboss.org/browse/KEYCLOAK-3424?focusedCommentId=13285402&p...
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
5 years, 6 months
Caching user details in a custom User Storage Provider
by James Mitchell
Can I get a sanity check for this? I don't think my users are being
retrieved from the cache.
I'm using Keycloak 6.0.1 and doing a proof of concept to use it as IDP
for our application. So far I have a working User Storage Provider to
call the existing API for user details and to authenticate users - I'm
calling the token endpoint with a password grant-type and all is good.
* I can see the initial search for email address works, and the user
is added to the cache (at least the OnUserCache function is called)
* the password matches and the user is authenticated
* then there are many calls to get the user by ID - I think these are
to get attributes for the token claims. These are not getting the
details from the cache, as I can see hits on the existing API.
So my questions are
* should the user be coming from the cache?
* is there a method I can override to confirm if the cache is being used?
These are some logs from the keycloak service and the database adapter
(both running as Docker containers). These logs are generated from the
admin console when I click for user details.
> keycloak_1 | 22:42:47,516 INFO [com.suitebox.keycloak.storage.SbxUserStorageProviderFactory] (default task-2) Create PHPAuth Provider instance
> keycloak_1 | 22:42:47,519 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> keycloak_1 | 22:42:49,879 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Caching user f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> keycloak_1 | 22:42:49,952 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> keycloak_1 | 22:42:51,996 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> keycloak_1 | 22:42:54,069 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Closing PHPAuth Provider
and the database API
> dbadapter_1 | 2019-06-13 22:42:47.609 INFO 1 --- [p-nio-80-exec-4] c.s.d.controller.backend.UserController : get user id=4
> dbadapter_1 | 2019-06-13 22:42:50.031 INFO 1 --- [p-nio-80-exec-5] c.s.d.controller.backend.UserController : get user id=4
> dbadapter_1 | 2019-06-13 22:42:52.094 INFO 1 --- [p-nio-80-exec-6] c.s.d.controller.backend.UserController : get user id=4
Thanks,
James
5 years, 6 months
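The question above is whether the repeated getUserById calls are served by Keycloak's user cache or go through the provider to the backend. One way to read that off the two logs already in the post is to correlate each provider getUserById with a backend "get user id=" request shortly afterwards: a lookup with a matching backend call is a cache miss, one without is a hit. The code below is an added example in Python, not the poster's code and not Keycloak code; the sample lines are constructed from the lines quoted in the post (timestamps kept, quote markers removed), and the one-second correlation window is an assumption.

```python
"""Correlate User Storage Provider lookups with backend calls to spot cache misses.

Added example, not part of the post. The sample lines are constructed from the
log lines quoted in the post (timestamps preserved, '>' quote markers removed).
A getUserById that is followed within a short window by a backend
'get user id=' request for the same external id was answered by the provider,
not by the Keycloak user cache; one with no such backend call counts as a hit.
"""
import re
from datetime import datetime, timedelta

KEYCLOAK_LOG = """\
keycloak_1 | 22:42:47,516 INFO [com.suitebox.keycloak.storage.SbxUserStorageProviderFactory] (default task-2) Create PHPAuth Provider instance
keycloak_1 | 22:42:47,519 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
keycloak_1 | 22:42:49,879 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Caching user f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
keycloak_1 | 22:42:49,952 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
keycloak_1 | 22:42:51,996 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
keycloak_1 | 22:42:54,069 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Closing PHPAuth Provider
"""

DB_LOG = """\
dbadapter_1 | 2019-06-13 22:42:47.609 INFO 1 --- [p-nio-80-exec-4] c.s.d.controller.backend.UserController : get user id=4
dbadapter_1 | 2019-06-13 22:42:50.031 INFO 1 --- [p-nio-80-exec-5] c.s.d.controller.backend.UserController : get user id=4
dbadapter_1 | 2019-06-13 22:42:52.094 INFO 1 --- [p-nio-80-exec-6] c.s.d.controller.backend.UserController : get user id=4
"""

# Keycloak storage ids look like f:<provider-uuid>:<external-id>; the last
# segment is the id the backend API logs, so that is what we correlate on.
LOOKUP_RE = re.compile(r"(\d{2}:\d{2}:\d{2}),(\d{3}) .*?getUserById: f:[0-9a-f-]+:(\S+)")
BACKEND_RE = re.compile(r"(\d{2}:\d{2}:\d{2})\.(\d{3}) .*?get user id=(\S+)")


def _parse(match):
    # Both logs carry wall-clock time only; a run across midnight is not handled.
    t = datetime.strptime(match.group(1) + "." + match.group(2), "%H:%M:%S.%f")
    return t, match.group(3)


def classify_lookups(keycloak_log, backend_log, window_seconds=1.0):
    """Return [(time, external_id, 'HIT'|'MISS')] for every getUserById call."""
    lookups = [_parse(m) for m in map(LOOKUP_RE.search, keycloak_log.splitlines()) if m]
    backend = [_parse(m) for m in map(BACKEND_RE.search, backend_log.splitlines()) if m]
    window = timedelta(seconds=window_seconds)  # assumed correlation window
    results = []
    for t, uid in lookups:
        # First not-yet-consumed backend call for this id inside the window.
        hit = next((b for b in backend
                    if b[1] == uid and timedelta(0) <= b[0] - t <= window), None)
        if hit is not None:
            backend.remove(hit)
        verdict = "MISS" if hit is not None else "HIT"
        results.append((t.strftime("%H:%M:%S.%f")[:-3], uid, verdict))
    return results


def summarize(results):
    """Count cache hits and misses; all misses means the cache is not being used."""
    misses = sum(1 for r in results if r[2] == "MISS")
    return {"hits": len(results) - misses, "misses": misses}


if __name__ == "__main__":
    rows = classify_lookups(KEYCLOAK_LOG, DB_LOG)
    for row in rows:
        print(*row)
    print(summarize(rows))
```

On the lines quoted in the post every one of the three getUserById calls has a backend request within about 100 ms, so the summary comes out as three misses and no hits, which matches the observation that the backend API is being hit each time.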
Reduce context switches
by Nick Su
Hi,
I am wondering whether there is a way to reduce context switches. I have monitored the Keycloak environment and found that a huge number of context switches occur when concurrent users increase, so is it possible to reduce the switching? Thank you.
5 years, 6 months
token introspection endpoint does not accept its URL as audience during signed JWT client auth
by Simon Baatz
Hi,
we think we found a problem when using the token introspection
endpoint with signed JWT client auth.
In the JWT, audience is set to the URL of the token introspection
endpoint (we use mod_auth_openidc). However, Keycloak throws an error in
JWTClientAuthenticator which looks like this:
Error when validating client assertion: java.lang.RuntimeException: Token audience doesn't match domain. Realm issuer is
'https://.../auth/realms/master' but audience from token is
'[https://.../auth/realms/master/protocol/openid-connect/token/introspect]'
We found the description of a similar problem in KEYCLOAK-3424 for
the token endpoint (see [0]). Here, JWTClientAuthenticator was adapted to
accept both the issuer as well as the actual token endpoint URL as
audience.
Now, we are wondering whether that change missed to address the
token introspection endpoint as well or whether we are doing
something wrong.
[0] https://issues.jboss.org/browse/KEYCLOAK-3424?focusedCommentId=13285402&p...
5 years, 6 months
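Both Simon's report above and Hans's reply earlier on the page come down to one rule in the client-assertion check: which values of the JWT `aud` claim the server accepts. The suggestion in the thread is to accept the realm issuer as well as the endpoint URL the assertion is actually sent to (token endpoint or introspection endpoint), and the quoted error shows `aud` arriving as an array. The code below is an added example in Python of that validation, not Keycloak's JWTClientAuthenticator and not mod_auth_openidc code; it stands in an HS256 signature with a constructed shared secret for the RS256 client key the real flow uses, so that it runs offline, and the realm URL `https://idp.example.test/auth/realms/master` is constructed.

```python
"""Audience check for a JWT client assertion (RFC 7523 style client authentication).

Added example, not Keycloak code. Keycloak verifies an RS256 assertion against
the client's registered key; this demo signs with HS256 and a constructed shared
secret so it runs offline. What it demonstrates is the audience rule from the
thread: accept the realm issuer, the token endpoint and the introspection
endpoint, and handle "aud" given either as a string or as a list.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed realm URL; in a deployment this is the realm's issuer value.
REALM_ISSUER = "https://idp.example.test/auth/realms/master"
TOKEN_ENDPOINT = REALM_ISSUER + "/protocol/openid-connect/token"
INTROSPECTION_ENDPOINT = TOKEN_ENDPOINT + "/introspect"


def accepted_audiences(realm_issuer):
    """Audience values a client assertion may carry for this realm."""
    token_endpoint = realm_issuer + "/protocol/openid-connect/token"
    return {realm_issuer, token_endpoint, token_endpoint + "/introspect"}


def audience_matches(claims, realm_issuer):
    """True if any 'aud' value is one of the accepted endpoints.

    RFC 7519 allows 'aud' to be a single string or an array of strings; the
    error quoted in the thread shows the array form ('[https://...]').
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False
    accepted = accepted_audiences(realm_issuer)
    return any(isinstance(a, str) and a in accepted for a in aud)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, audience, secret, now=None):
    """Build an HS256 client assertion (demo stand-in for the client's RS256 key)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "sub": client_id, "aud": audience,
               "jti": "constructed-jti-0001", "iat": now, "exp": now + 60}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_assertion(token, secret, realm_issuer, now=None):
    """Return (ok, reason). Alg and signature are checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # no alg negotiation: one expected algorithm
            return False, "unexpected alg"
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if not audience_matches(claims, realm_issuer):
        return False, "audience %r not accepted" % (claims.get("aud"),)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for aud in ([INTROSPECTION_ENDPOINT], TOKEN_ENDPOINT, REALM_ISSUER, "https://other.example.test"):
        token = make_client_assertion("mod_auth_openidc", aud, secret)
        print(aud, "->", verify_client_assertion(token, secret, REALM_ISSUER))
```

The accepted set is deliberately a closed list derived from the issuer rather than a prefix match, so an assertion minted for an unrelated host is still rejected, while one addressed to the introspection endpoint (the case from the thread) passes.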