Are you using Drools Policy?
by Pedro Igor Silva
Hello,
We would like to know if anyone from the community is using a Drools Policy
in Keycloak.
If you are using Keycloak Authorization Services, please let us know in
advance if you are using Drools because we are planning to remove it in
future releases.
The reason for removing it is related to:
* Number of dependencies required by Drools, which makes long-term
support, CVE handling, and productization harder
* Very little demand from the community (currently the policy is disabled by
default)
Thanks,
Pedro Igor
5 years, 4 months
IDENTITY and SESSION cookie not getting set (KEYCLOAK-8137)
by Boris Matthys
Hi,
we have a use-case for the KeycloakInstalled adapter, but this does not
work as expected; after login in the desktop application, there is no SSO
to the web-applications.
I have traced this to an open issue created for keycloak 4.x:
KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie not getting set (KEYCLOAK-8137
<https://issues.jboss.org/browse/KEYCLOAK-8137>)
and a closed pull request https://github.com/keycloak/keycloak/pull/5607
I'm using keycloak version 6.0.1, here is a procedure to reproduce this
issue:
- use
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
to login to keycloak
- do not close the browser and open /auth/realms/demo/account/ in a new
tab
I expect the account page to open without a login, but this is not the
case: Keycloak presents the login page.
Is there a reason that the pull request was closed without merging it?
There is a comment "my vote is to postpone this and merge it in early 5.x,
so we have time to fix potential regressions/side-effects in 5.x " and "we
need to understand this a bit better", but no explanation why the cookies
are (should be) removed by the delegate page.
If this cannot be solved, we'll need a workaround.
I'm thinking in the direction of creating our own version of the
KeycloakInstalled adapter and using a simple "login web-application" in front
of Keycloak...
Is this a good approach or are there better ways to accomplish this?
Kind regards
Boris
5 years, 4 months
Metrics Endpoint Memory Leak
by Daniel.Meyerholt@eventim.de
Hi guys,
Can any of you share some insights regarding memory leaks when scraping the /metrics endpoint on Keycloak? A Jira ticket https://issues.jboss.org/browse/KEYCLOAK-10880 has existed for some time, but there seems to be no progress. As far as I can tell, it seems to be related to the internal Keycloak/WildFly service integration and is not related to JDK versions/variants or means of deployment (bare, VM, container).
We'd love to use the new endpoints to integrate them into our Grafana dashboards and are happy to provide more information. Apparently 7.0.0 is also affected. To reproduce the behaviour, just issue a ton of GETs on the metrics endpoint. The more you GET, the faster it dies.
Thank you for any hints
Best
Daniel
5 years, 4 months
force renewal of authentication
by xljbi20
Hi
I have successfully set up X.509 authentication for myself as a user with
OpenID Connect.
Starting a clean browser session prompts me for my certificate
password to log on.
But the next time I visit the same application my earlier session is reused.
This is of course nice for the user, but if the administrator wants to
force a real renewed authentication it is not OK.
I have tried passing login=prompt but this makes no difference.
How can I force a real renewal?
5 years, 4 months
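The re-authentication asked about above, as an added example that is not from the thread: OIDC Core defines the request parameters prompt=login and max_age for this, and the relying party should verify the auth_time claim of the returned ID token rather than trust that the request was honoured. The endpoint, client and claim values are constructed placeholders.

```javascript
// Added example, not from the mailing-list thread. Builds an authorization
// request that demands a fresh login and checks the resulting ID token claims.
// Endpoint, client id and claim values are constructed placeholders.

// Authorization request that asks the OP to re-authenticate the user.
// prompt=login: the OP should prompt for credentials even with a live session.
// max_age=0: any existing authentication older than 0 s is unacceptable, and
// the ID token must then carry an auth_time claim (OIDC Core 3.1.2.1).
function buildReauthRequest(authorizationEndpoint, clientId, redirectUri, state, nonce) {
  const params = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    nonce,
    prompt: "login",
    max_age: "0",
  });
  return `${authorizationEndpoint}?${params.toString()}`;
}

// RP-side check: accept the login only if the ID token proves that
// authentication happened after this request was started.
// `claims` are the decoded ID token claims; `startedAt` is the Unix time
// (seconds) at which the RP issued the authorization request.
function isFreshAuthentication(claims, startedAt, skewSeconds = 5) {
  // auth_time is required when max_age was sent; its absence is a failure.
  if (typeof claims.auth_time !== "number") return false;
  // auth_time later than the token's issue time is malformed; reject it.
  if (typeof claims.iat === "number" && claims.auth_time > claims.iat + skewSeconds) return false;
  // A reused session shows an auth_time that predates our request.
  return claims.auth_time + skewSeconds >= startedAt;
}

module.exports = { buildReauthRequest, isFreshAuthentication };
```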
Keycloak behind two different proxies
by Yang Yang
Hello,
I have a use case where Keycloak needs to be deployed behind two different proxies: UserA —> ProxyA —> Keycloak <— ProxyB <— UserB, could you help to tell how to make it work?
I followed the installation guide and got it to work for UserA/ProxyA or UserB/ProxyB, but cannot make it work for both. The major problem is that, rather than two different providers for UserA/ProxyA and UserB/ProxyB respectively, I can only set one fixed provider.
Can anyone shed some light?
Thanks,
Yang
5 years, 4 months
Re: [keycloak-user] Enable CORS on token endpoint
by David Sautter
Hi Sebi,
Yes, I did. I tried different configurations (* or the exact URLs).
I can now narrow the problem down to the fact that the token exchange is done in a popup.
My website is hosted at localhost:4200 and the popup is localhost:4200/signin.html.
If my website does the token exchange everything is fine; if the popup tries it, it fails.
Best regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Thursday, September 5, 2019 10:50 AM
To: Sautter David 1DS5 <David.Sautter(a)rohde-schwarz.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: *EXT* Re: [keycloak-user] Enable CORS on token endpoint
Hi,
Have you set the "Web Origins" field in the client configuration on the keycloak webconsole ?
That should be enough.
Sebi
On Thu, Sep 5, 2019 at 10:47 AM David Sautter <David.Sautter(a)rohde-schwarz.com> wrote:
Hello,
I'm trying to do OpenID Connect authentication using the Authorization Code Flow with the openid-client-js client library. It behaves conformant to the specification.
If you are doing the Authorization Code Flow without a server-side component to exchange the code for a token (which you can/should do according to the security best-practices recommendation), you run into a problem: the browser needs to exchange the code for a token and therefore performs a CORS request on the token endpoint.
The token endpoint currently does not have CORS enabled, as far as the response is telling me.
How to enable it?
5 years, 4 months
Not able to extend User Storage SPI without changing Keycloak configuration files
by David VS
Goal:
Setup custom federation which extends ldap provider.
Question: What is the proper way to extend the LDAP federation while adding
one more configuration input (without changing internal Keycloak files)?
I followed the steps in
https://www.keycloak.org/docs/latest/server_development/index.html#_user-...
and specified my own provider and providerFactory.
In the admin console, when trying to create the federation "custom-ldap", most
of the input fields do not have a label and some buttons like "Test
connection" are missing. The configuration property that I added and
customized has a label/default value/tooltip.
If it is not possible to extend the form, is there an easy way to
inherit the same UI form from the LDAP federation page in my extension?
(I'm new to Keycloak and do not have experience with FreeMarker.)
Thank you so much for your support,
David
5 years, 4 months
Enable CORS on token endpoint
by David Sautter
Hello,
I'm trying to do OpenID Connect authentication using the Authorization Code Flow with the openid-client-js client library. It behaves conformant to the specification.
If you are doing the Authorization Code Flow without a server-side component to exchange the code for a token (which you can/should do according to the security best-practices recommendation), you run into a problem: the browser needs to exchange the code for a token and therefore performs a CORS request on the token endpoint.
The token endpoint currently does not have CORS enabled, as far as the response is telling me.
How to enable it?
Best regards,
David Sautter
Rohde & Schwarz GmbH & Co. KG
Postbox 80 14 69, D-81614 Muenchen
Dept. 1DS5
Fon: +49 89 4129 15256
Email: David.Sautter(a)rohde-schwarz.com
5 years, 4 months
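The browser-side code-for-token exchange this question and the "Web Origins" reply earlier on the page describe, as an added example that is not from the thread or from Keycloak's own code: it builds the cross-origin POST a public client sends to the token endpoint and evaluates the CORS response the browser must see before page script can read the tokens. The token endpoint, client values and the simplified server-side model are constructed assumptions, not Keycloak's implementation.

```javascript
// Added example, not from the mailing-list thread. Models the public-client
// token request and the CORS decision that gates it. All endpoint, client
// and code values are constructed placeholders.
const TOKEN_ENDPOINT =
  "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token";

// Request a browser-only client sends to redeem the authorization code.
// It is a cross-origin POST with a form body, so the browser enforces CORS.
function buildTokenRequest({ code, redirectUri, clientId, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: codeVerifier, // PKCE: ties the code to this client instance
  });
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Simplified model (assumption, not Keycloak's code) of what the server returns
// for a given "Web Origins" configuration: the request origin is allowed when
// it is listed or when "*" is configured; otherwise no CORS header at all.
function simulateCorsResponse(webOrigins, requestOrigin) {
  if (webOrigins.includes("*") || webOrigins.includes(requestOrigin)) {
    return { "access-control-allow-origin": requestOrigin };
  }
  return {};
}

// What the browser decides: only an exact match or "*" lets page script read
// the token response. A popup served from the same scheme://host:port as the
// page (localhost:4200/signin.html in the thread) sends the same Origin.
function corsAllowsOrigin(responseHeaders, origin) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (!allow) return false;       // missing header: the response is opaque to JS
  if (allow === "*") return true; // wildcard allowance
  return allow === origin;        // exact-origin allowance
}

module.exports = { buildTokenRequest, simulateCorsResponse, corsAllowsOrigin };
```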
Admin API permission endpoints for token exchange
by James Mitchell
Can I get a pointer to any admin api endpoints to enable permissions for an
identity provider to perform token exchange, and an endpoint to create the
client policy for the permission?
Firstly, I know this would all go away if I create identity providers and
redirect to Keycloak to handle the whole OAuth process... but then I think
that would break all the existing redirect URLs I have provided to the
external OAuth services, so I'm reluctant to do that. I'd prefer a
behind-the-scenes migration.
So, my use case is that I have an existing site with server code that
authenticates users with external services and then grants access to the site.
I have migrated all the internal users to Keycloak auth, and now I'm
looking at how to exchange the tokens from the external service for valid
Keycloak tokens.
Following the steps from the documents, I can automate the following steps:
* create an identity provider for the external service, and fill in all the
endpoint and client IDs
* look up the existing user (they are guaranteed to exist) and link them to
the new IDP
* < this is the missing step for automation >
* perform the token exchange, which now works OK with my Google test user
My problem is that I need to enable the permissions, and create the policy
to allow the IDP to do token exchange; and I have not found which API
endpoints will do that.
Can someone point me at the right documents, or a keyword to search for in
the Admin REST API document?
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
5 years, 4 months