Empty username allowed in review profile config
by Kaspar Papli
Hey,
I discovered that an empty username is allowed in the Update Account
Information page which appears in the first broker login flow. I assume
this is a bug?
Steps to reproduce:
1. Set up Google as an identity provider.
2. Set Authentication Flows -> First Broker Login -> review profile config
-> Actions -> Config -> Update Profile on First Login -> "on"
3. Attempt login with Google (with a Google account that is not yet
connected to any Keycloak account).
4. After authentication with Google, in the Update Account Information
page, delete the username i.e. set it to an empty string and submit.
Expected result:
An error is shown about the username being required.
Actual result:
Registration succeeds and an account is created with an empty username.
Workaround:
Create an account with an empty username like this. In that case, the next
attempt at repeating this fails with "User with username already exists".
Realm login settings in my configuration that might be relevant:
- User registration: on
- Email as username: off
- Edit username: off
- Forgot password: on
- Remember me: on
- Verify email: on
- Login with email: on
Keycloak version: 7.0.0
All the best,
Kaspar
5 years, 4 months
Offline tokens - how to revoke a single token?
by Przemek Bielicki
Hi,
is it possible to revoke single offline token? How?
If not, do you consider adding such feature?
If not, why? Is there any specific reason why it's not possible to revoke
offline tokens one by one?
Thanks,
Przemek Bielicki
5 years, 4 months
Account registration with proprietary Masterdata
by Ratna Kamireddy
Hi,
I want to know the best practice to follow in Keycloak or any OAuth server
to sync Keycloak users with the proprietary system.
We are having a proprietary system (called MDM) that handle all the user /
person / organisation / employer / employee information in microservice
environment.
We moved to keycloak for authentication & authorization across all
microservices. And all the endpoints are secured by keycloak.
And we never bothered about user registration. Now we have enabled user
registration on Keycloak, and we are now figuring out what is the best way to sync
Keycloak users after registration with the existing MDM. All our
microservices can understand the users in MDM and not the users in Keycloak,
as if they need more info about a user they can interact with MDM. My first
thought would be sending a REST request to MDM from Keycloak with the newly
registered user information. Please share your experience if you have
already done it in your system.
Regards
Ratna
5 years, 4 months
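The event-driven form of the approach Ratna describes (Keycloak sending a REST request to MDM with the newly registered user's information), as an added example that is not part of the original post or of Keycloak itself: a Keycloak `EventListenerProvider` that reacts to the `REGISTER` event and POSTs the new user to the master-data service. The MDM endpoint URL, the bearer token, the `mdm-sync` provider id and the JSON body shape are all assumptions; the SPI signatures are those of Keycloak 7 (`EventListenerProviderFactory`, `UserProvider.getUserById(id, realm)`).

```java
// Added example (not from the original post, not Keycloak code): push every
// self-registered user to an external master-data service (MDM) over HTTPS.
// Assumptions: config keys "mdmUrl"/"mdmToken" under the "mdm-sync" provider
// in the Keycloak server config; the JSON body fields are invented.
package org.example.events;   // hypothetical package

import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.LinkedHashMap;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.util.JsonSerialization;

// Registered through META-INF/services/org.keycloak.events.EventListenerProviderFactory,
// then enabled per realm under Events -> Config -> Event Listeners as "mdm-sync".
public class MdmSyncEventListenerFactory implements EventListenerProviderFactory {
    private String mdmUrl;
    private String mdmToken;

    @Override public EventListenerProvider create(KeycloakSession session) {
        return new MdmSyncEventListener(session, mdmUrl, mdmToken);
    }
    @Override public void init(Config.Scope config) {
        mdmUrl = config.get("mdmUrl");      // e.g. https://mdm.internal/api/persons (hypothetical)
        mdmToken = config.get("mdmToken");  // service credential from config, never hard-coded
    }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return "mdm-sync"; }
}

class MdmSyncEventListener implements EventListenerProvider {
    private static final Logger log = Logger.getLogger(MdmSyncEventListener.class);
    private final KeycloakSession session;
    private final String mdmUrl;
    private final String mdmToken;

    MdmSyncEventListener(KeycloakSession session, String mdmUrl, String mdmToken) {
        this.session = session;
        this.mdmUrl = mdmUrl;
        this.mdmToken = mdmToken;
    }

    @Override
    public void onEvent(Event event) {
        // Only self-service registration; admin-created users arrive as AdminEvents (below).
        if (event.getType() != EventType.REGISTER) return;
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        UserModel user = session.users().getUserById(event.getUserId(), realm);
        if (user == null) return;

        // Send only profile data MDM needs; the event never carries the password.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("keycloakId", user.getId());
        body.put("realm", realm.getName());
        body.put("username", user.getUsername());
        body.put("email", user.getEmail());
        body.put("firstName", user.getFirstName());
        body.put("lastName", user.getLastName());
        try {
            post(body);
        } catch (Exception e) {
            // Keycloak's EventBuilder swallows listener exceptions, so registration still
            // succeeds; log loudly so the missing MDM record can be reconciled later.
            log.errorf(e, "MDM sync failed for user %s in realm %s", user.getId(), realm.getName());
        }
    }

    private void post(Map<String, Object> body) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(mdmUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);   // bounded timeouts: a slow MDM must not hang login flows
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setRequestProperty("Authorization", "Bearer " + mdmToken);
        byte[] json = JsonSerialization.writeValueAsBytes(body);
        try (OutputStream out = conn.getOutputStream()) { out.write(json); }
        int status = conn.getResponseCode();
        if (status / 100 != 2) throw new IllegalStateException("MDM returned HTTP " + status);
    }

    @Override public void onEvent(AdminEvent event, boolean includeRepresentation) { }
    @Override public void close() { }
}
```

Because a failed call is only logged, the sync is at-most-once; if MDM must never miss a user, pair this with a periodic reconciliation of Keycloak users against MDM, or let the listener write to an outbox table that a separate worker retries. Users created by administrators through the Admin Console or REST API do not produce a `REGISTER` event, so the `AdminEvent` callback would need the same treatment for resource type `USER`.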
update user attributes on every social login
by kkzxak47
Hi,
Sorry I fail to provide enough info in the previous question, so here is
the detail.
Say I have implemented a new social login provider:
```java
public class WechatWorkIdentityProvider extends
        AbstractOAuth2IdentityProvider<WechatWorkProviderConfig> implements
        SocialIdentityProvider<WechatWorkProviderConfig>
```
There are several attributes from this IdP that need to be added to Keycloak. So
I added them in `BrokeredIdentityContext`, details:
```java
@Override
protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) {
    // "userid" from the IdP profile is the identifier of the user on the broker side
    BrokeredIdentityContext identity = new BrokeredIdentityContext(getJsonProperty(profile, "userid"));
    identity.setUsername(getJsonProperty(profile, "userid").toLowerCase());
    identity.setBrokerUserId(getJsonProperty(profile, "userid").toLowerCase());
    identity.setModelUsername(getJsonProperty(profile, "userid").toLowerCase());
    identity.setFirstName(getJsonProperty(profile, "email").split("@")[0].toLowerCase());
    identity.setLastName(getJsonProperty(profile, "name"));
    identity.setEmail(getJsonProperty(profile, "email").toLowerCase());
    // custom attributes carried in the brokered context (PROFILE_* are the attribute names)
    identity.setUserAttribute(PROFILE_MOBILE, getJsonProperty(profile, "mobile"));
    identity.setUserAttribute(PROFILE_GENDER, getJsonProperty(profile, "gender"));
    identity.setUserAttribute(PROFILE_STATUS, getJsonProperty(profile, "status"));
    identity.setUserAttribute(PROFILE_ENABLE, getJsonProperty(profile, "enable"));
    identity.setIdpConfig(getConfig());
    identity.setIdp(this);
    // keep the raw profile so JSON user-attribute mappers can read it
    AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, profile, getConfig().getAlias());
    return identity;
}
```
New users will set and map mobile/gender... correctly, but old users
already logged in with the IdP will not receive the custom attributes.
My question is how I can make user attributes update every time a user logs in
with the social IdP, no matter whether it is an old or new user.
Is there another method that I need to override, or another API to call, or
do I have to modify the Keycloak source code?
Thanks!
Victor Z.
5 years, 4 months
Specifying LDAP/AD domain in token endpoint
by Ajinkya Thakare
Hi team,
Is there any way for the user to specify which LDAP/AD domain to point to while logging in, i.e. while using the token endpoint?
The scenario is for a multi-tenant environment, where the same username can be a part of multiple LDAP/AD domains but with different authorization roles setup in each. Here we don’t want our Keycloak instance to sequentially check into every LDAP/AD configuration added, like it does now, but rather check for validating the credentials in only specified domain.
Also, if there are different passwords in different domains for same username, the Keycloak instance returns invalid credential error if the user provides the password for a later LDAP/AD config. In this case, an ability to specify the domain will really be helpful.
Example:
Suppose username ‘athakare’ is a part of two different domains – ‘domain1’ & ‘domain2’, with different passwords, it would be easier if the user can specify something like ‘athakare@domain1’ as his username while logging in.
Please let me know if this is already possible in any way using Keycloak. Thanks!
Regards,
Ajinkya Thakare
5 years, 4 months
Map arbitrary LDAP value to an Attribute
by Christophe de Vienne
Hi everyone,
I need to copy a property of a parent organizational unit to a user
attribute.
From what I understand, no existing LDAP mapper is able to do that,
which means I need to code my own LDAP mapper (that would inherit
AbstractLDAPStorageMapper).
Is this the best way to achieve this goal?
Thanks in advance,
Christophe
5 years, 4 months
How to update user attributes with each login, not just the first one?
by kkzxak47
Hi fellow keycloak users,
It's been several months since I adopted Keycloak as the SSO tool for my
company; everything went smoothly with one little glitch.
Currently we use a social login IdP as our main login method, and we trust
it unconditionally.
But I find that custom user attributes from that IdP will not update in
keycloak after the first login. And old users will not have these
attributes at all.
So I was wondering what I can do to make Keycloak update user
attributes on each and every login with the social IdP?
Victor Z.
5 years, 4 months
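Both of Victor's posts above (the one showing `extractIdentityFromProfile()` and this one) ask the same thing, so here is one added example that is not from the original posts and not Keycloak's own code. In Keycloak's broker SPI, `extractIdentityFromProfile()` only fills the `BrokeredIdentityContext`; the values reach a brand-new user through `importNewUser()` and an already-linked user through `updateBrokeredUser()`, which the broker service calls on every successful login. The default `updateBrokeredUser()` in `AbstractIdentityProvider` is a no-op, which is why the attributes are written only once. The override below copies the context attributes to the existing `UserModel` on each login. Assumed (not in the posts): the `org.example.broker` package, the `PROFILE_*` constant values, and the Keycloak 7 SPI signatures used here.

```java
// Added example, not from the original posts: override updateBrokeredUser() so
// attributes extracted from the IdP profile are re-applied on every login.
// Assumption: the class/config names are the poster's; PROFILE_* values are guesses.
package org.example.broker;   // hypothetical package

import java.util.Arrays;
import java.util.List;

import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class WechatWorkIdentityProvider
        extends AbstractOAuth2IdentityProvider<WechatWorkProviderConfig>
        implements SocialIdentityProvider<WechatWorkProviderConfig> {

    // Attribute names used by extractIdentityFromProfile(); assumed values.
    static final String PROFILE_MOBILE = "mobile";
    static final String PROFILE_GENDER = "gender";
    static final String PROFILE_STATUS = "status";
    static final String PROFILE_ENABLE = "enable";

    // The set of attributes the IdP is allowed to overwrite. Keeping it explicit means
    // a future profile field cannot silently clobber an attribute Keycloak owns.
    private static final List<String> SYNCED_ATTRIBUTES =
            Arrays.asList(PROFILE_MOBILE, PROFILE_GENDER, PROFILE_STATUS, PROFILE_ENABLE);

    public WechatWorkIdentityProvider(KeycloakSession session, WechatWorkProviderConfig config) {
        super(session, config);
    }

    // getDefaultScopes() and extractIdentityFromProfile() stay exactly as in the post.

    // Called by Keycloak for the linked user on every login through this IdP,
    // after extractIdentityFromProfile() has populated 'context'.
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm,
                                   UserModel user, BrokeredIdentityContext context) {
        // The post says the IdP is trusted unconditionally, so its values win.
        if (context.getFirstName() != null) user.setFirstName(context.getFirstName());
        if (context.getLastName() != null) user.setLastName(context.getLastName());
        // Email and username are deliberately left alone here: they are identifiers
        // subject to the realm's uniqueness rules and "edit username" policy, so a
        // changed value from the IdP should go through a reviewed flow, not a silent write.

        for (String name : SYNCED_ATTRIBUTES) {
            String value = context.getUserAttribute(name);
            if (value == null || value.isEmpty()) {
                // The IdP no longer provides it: clear the stale copy so a flag such as
                // "status"/"enable" cannot outlive the source of truth.
                user.removeAttribute(name);
            } else {
                user.setSingleAttribute(name, value);
            }
        }
    }
}
```

The same hook exists on the mapper side: a custom `IdentityProviderMapper` can implement `updateBrokeredUser(session, realm, user, mapperModel, context)` and is also invoked on every login, which keeps the provider class free of attribute policy if several IdPs share it. Users who logged in before the attributes were added get them on their next login, since the override runs for existing links too.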
Long user upload procedure
by Игорь Хесин
Asking for your help.
We start the stand-alone Keycloak Docker image in OpenShift.
We add new users using REST. But everything works very slowly. For 240000
users the upload takes 24 hours.
1. Has anyone come across this?
2. How do you add and update users?
Our server: 4 CPU, 4 GB.
Our version of Keycloak: 7.3.1.GA.
Thank you
Igor
5 years, 4 months
Keycloak single logout is not working
by Hashem Ramadan
Hey, I am using Keycloak as the IdP server for SAML SSO. I am using a Spring
Boot application alongside two more pieces of software, Docebo and Channeltivity. The
single sign-on is working, but when I press sign out from Docebo it is
not logging out, and likewise in Channeltivity it's not working. Any leads
to solve this?
5 years, 4 months
Admin CLI - how to add a builtin protocol mapper to a client
by Bruce Smith
Hi
I am trying to add the built-in protocol mapper "realm roles" to a client
using the Admin CLI. I must have tried 500 syntactic combinations for the
"--set" parameter; they all result in either no error (but no mapper added
to the client), or a Java exception
(`com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot
deserialize instance of java.util.ArrayList out of VALUE_STRING token`).
Does anyone have an example that can be shared of successfully using the
Admin CLI for this operation, please?
Keycloak version is 6.0.1
Regards
Bruce
5 years, 4 months