Example of a remote REST authentication
by Alexander Chriztopher
Hi all,
On one of our applications we need to have very customisable login page
-works with an online customisation facility- and hence we need to have the
login page built in our application and be able to authenticate users
remotely via the java rest api.
Are there any examples to do this ? Otherwise any tips would be great.
Thanks for any help.
10 years, 1 month
Query Parameters in redirect url goes missing
by Travis De Silva
Hi,
Has anyone faced this issue where when we have a url with query parameters
and after the keycloak login, it redirects back to the original url but the
query parameters are no longer in the url?
Cheers
Travis
10 years, 1 month
Allow access to REST without authorisation
by Сергій Дзюбін
Hello.
Is it possible to have access without authorisation to one of many REST
resources? For example that embedded small device would be able to send
data to this resource.
Thank you.
10 years, 2 months
Connect as another user
by Alexander Chriztopher
Hi,
I would like to know if there is a way to let a connected user -an admin-
reconnect as another user -with less privilegies- without providing a
password.
The idea is to be able for a super user to see how exactly an application
behaves with another user without knowing that user credentials.
Thanks for any help.
10 years, 2 months
What is the point of the cancel button on the log-in screen?
by Alarik Myrin
At least with the Wildfly adapter, clicking cancel gets you a HTTP 400 --
Bad Request on your protected resource, and doing something more graceful
would take some thinking.
It's not clear to me what *should* happen when clicking cancel. Users in a
browser have a back button, or a button to close the tab, and they can
always use that to get out of the login screen.
Maybe the cancel button should just be removed?
Alarik
10 years, 2 months
(no subject)
by Alarik Myrin
I am having a strange situation, which might be arising from a bug in
Keycloak.
I have a direct grants only OAuth client which makes invocations against a
bearer-only REST interface, running on Wildfly 8.0.0 Final with Keycloak
1.0 final.
A side effect of making one of the invocations is that the user is added to
a realm role. So far so good. The access token used to make that
invocation though does not contain the new realm role so he cannot, yet,
make invocations against another endpoint (call it endpoint B) without
getting a 403 Forbidden. This is expected.
So, the client has to refresh the access token
(realms/{realm}/tokens/refresh), in order to get a new access token with
the realm role. The refresh goes OK, but when he tries to make invocations
against endpoint B, he still gets a 403 Forbidden.
What is maybe even stranger is that if instead of refreshing the access
token, he just requests a brand new access token using the direct grant
keycloak stuff (realms/{realm}/tokens/grants/access) then he gets an access
token which allows him to access endpoint B successfully.
So, in short, refreshing the access token does not yield an access token
with the new realm role, but asking for a brand new access token does yield
an access token with the new realm role.
I can reproduce this in my automated tests 100% of the times that I have
tried it, but I don't have a nice little test case for you...
Does that sound like a bug, or am I missing something about how this is
supposed to work?
Thank you in advance for taking the time to read this long e-mail,
Alarik
10 years, 2 months
CORS / Cross Domain Javascript calls
by Dean Peterson
I had this working with previous versions of keycloak. Now I am not able
to figure it out. I have one confidential javascript application with the
following config:
{
"realm": "abecorn",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
"auth-server-url": "http://fnb-dean-vm2:8080/auth",
"ssl-required": "external",
"resource": "item_repository",
"enable-cors": true,
"cors-max-age": 1000,
"credentials": {
"secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
}
}
I have another for REST services that is bearer only:
{
"realm": "abecorn",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
"bearer-only": true,
"enable-cors": true,
"cors-max-age": 1000,
"ssl-required": "external",
"resource": "itemreposervices"
}
No matter what web origins I add to the first "confidential" application, I
continue to get the error: XMLHttpRequest cannot load
http://localhost:8080/itemrepository-rs/rest/items. The request was
redirected to '
http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/logi...',
which is disallowed for cross-origin requests that require preflight.
I also tried making the bearer only application into a confidential
application and gave it the appropriate web origins. Still no luck.
Shouldn't the bearer only applications have a place to enter web origins
like the admin console had a while back? How do you make the white list
for a bearer only application to allow cross domain javascript?
10 years, 2 months
