Client Certificate Authentication
by Christopher Rued
Hi all,
I see in the login configuration section of the realm admin an option for “Cert” authentication (which I assume means client certificate authentication?). I’ve enabled it, accessed it over SSL, but haven’t been able to get a prompt for a client certificate. Is this supported yet? Is there a tutorial? Am I missing an option in the configuration of the SSL listener?
Any help is appreciated.
Thanks,
-Chris
10 years, 1 month
Accessing Google+ APIs
by Christopher Rued
Hi all,
I’m just getting started with Keycloak. So far it’s been really easy to work with and seems to have nearly all of the features I need.
Recently, I’ve been testing out the “Social Login” feature with google. It seems to work well for logging in, but now I’m looking to try to do a bit more.
One question I have is how to access Google APIs to get profile information. This is the call I’m trying to use:
https://www.googleapis.com/plus/v1/people/{userId}?key={YOUR_API_KEY}
What I’ve found is that the Google+ API userId is a large decimal number, but I cannot find this number anywhere in Keycloak’s database.
Any way to do this?
Thanks,
-Chris
10 years, 1 month
Brute force attack questions
by Alexander Chriztopher
Hi,
I have some questions with regard to Brute Force Attack Protection:
# 1 / When brute force attack protection is enabled is there a way to know when a user account is locked? I am thinking about the admin console.
# 2 / When a user account is locked is there a way to unlock it from the admin console?
# 3 / What is the difference between wait increment (When failure threshold has been met, how much time should the user be locked out?) and max wait (Max time a user will be locked out.)?
Thanks for your help.
10 years, 1 month
Unable to find a MessageBodyReader of content-type application/json and type AccessTokenResponse
by Alexander Chriztopher
Hi All,
Am trying to execute this call :
Keycloak keycloak = Keycloak.getInstance("http://localhost:9080/auth", "master", "admin", "admin", "security-admin-console");
But am getting the following error :
Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:140)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:58)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:56)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:33)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:28)
    at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:28)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:32)
    at fr.klee.test.RestTest.main(RestTest.java:22)
Caused by: javax.ws.rs.ProcessingException: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
    at org.jboss.resteasy.core.interception.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:39)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:73)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:50)
    at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:181)
    at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:211)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:104)
    ... 10 more
What can cause this error ?
Am running this in the admin-client example (the master one) application by
the way in order to have the right dependencies etc.
Thanks for any help.
10 years, 1 month
Which action hook should I use to run Keycloak import on Openshift?
by Christina Lau
Hi, I am trying to import realm into my Openshift Keycloak. I can import successfully in my build action hook, but something is quite strange. Because I am running ./standalone.sh to start the server, the openshift ssh window is sitting in a strange state where it cannot carry on to finish the rest of its life cycle.
$OPENSHIFT_HOMEDIR/wildfly/bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=$OPENSHIFT_HOMEDIR/app-root/repo/src/dsgapi.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
I think I am doing something wrong. Can you tell me how I should do this? I would like to create a Keycloak on Openshift using the Keycloak cartridge and then automatically populate its realm. Should I kill the startup in the action hook? It seems a little strange.
Thx.
10 years, 1 month
Can not access applications on realm master or any other realm
by Alexander Chriztopher
Hi,
I just downloaded the latest appliance version of Keycloak and started
using it.
When I go to the master realm or any other realm I have created I cannot
access any application. When I click on the application link nothing happens.
I have also created new applications but can't manage to access them.
Is there a workaround/solution to this ?
Regards.
10 years, 1 month
Recommendations for protecting REST service with bearer token and basic auth
by Gary Brown
Hi
I've just started looking at KeyCloak to use with the Overlord governance projects.
I have tried the examples, and see how we could leverage KeyCloak to protect the UI apps and the backend REST services they use. However we also need to provide the REST services as independent services using basic auth - but would like the basic auth to be performed against the users managed by KeyCloak.
Are there any recommendations on how this can be achieved?
Do we need to provide our own filter - is there any example code to do this?
Is it possible to do something via the KeyCloak subsystem configuration approach, in case we wanted to secure the REST service without modifying the war?
Thanks in advance.
Regards
Gary
10 years, 1 month
(no subject)
by Davide Ungari
Hi Bill,
I see you have pushed some changes.
Tell me as soon as you need me to test it.
Thank you,
Davide.
> Weird... I'm actually screwing around with writing a security proxy
> right now. I just started like an hour or so ago so I'm not exactly
> sure...but I don't think you can implement this with the current
> codebase. You need an Undertow only (no servlet) authentication
> mechanism and to set up the security handler chain correctly. (See the
> BasicAuthServer example in Undertow).
> I should have something working in master by the end of the week.
> On 11/19/2014 6:33 PM, Davide Ungari wrote:
> > Hi everybody,
> > this is the big picture:
> > a. frontend application with Undertow
> > b. backend application with Undertow and Resteasy for REST API
> >
> > Both are using Keycloak as SSO.
> >
> > I'm trying to configure a proxy from A to B in order to expose backend
> > API without CORS problems to the frontend.
> >
> > I asked support also to Undertow guys but the issue seems around the
> > integration of Keycloak in Undertow. My proxy is implemented like:
> >
> > final ProxyClient proxyClient = new SimpleProxyClientProvider(new URI("http://localhost:8181"));
> > final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
> > proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
> >     @Override
> >     public String readAttribute(HttpServerExchange exchange) {
> >         RefreshableKeycloakSecurityContext context =
> >             (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
> >         return "Bearer " + context.getTokenString();
> >     }
> >
> >     @Override
> >     public void writeAttribute(HttpServerExchange exchange, String newValue) throws ReadOnlyAttributeException {
> >         // TODO Auto-generated method stub
> >     }
> > });
> >
> > The problem is that the exchange.getSecurityContext() is always null.
> > Any ideas?
> >
> > Thanks
> >
> > --
> > Davide
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
10 years, 1 month
Authentication through a proxy on Undertow
by Davide Ungari
Hi everybody,
this is the big picture:
a. frontend application with Undertow
b. backend application with Undertow and Resteasy for REST API
Both are using Keycloak as SSO.
I'm trying to configure a proxy from A to B in order to expose backend API
without CORS problems to the frontend.
I asked support also to Undertow guys but the issue seems around the
integration of Keycloak in Undertow. My proxy is implemented like:
final ProxyClient proxyClient = new SimpleProxyClientProvider(new URI("http://localhost:8181"));
final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
    @Override
    public String readAttribute(HttpServerExchange exchange) {
        RefreshableKeycloakSecurityContext context =
            (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
        return "Bearer " + context.getTokenString();
    }

    @Override
    public void writeAttribute(HttpServerExchange exchange, String newValue) throws ReadOnlyAttributeException {
        // TODO Auto-generated method stub
    }
});
The problem is that the exchange.getSecurityContext() is always null. Any
ideas?
Thanks
--
Davide
10 years, 1 month
Restrict application access by role
by Evan Thompson
Howdy All,
I currently have two applications in the same Realm and I was wondering if
it is possible to restrict a user's access to an application based on the
existence of a specific role. For example:
Let's call my applications: application_x and application_y. Would it be
possible to only allow users to access application_x if they have role_x
assigned to them.
Any insight that could be offered would be greatly appreciated.
Thanks,
Evan
10 years, 1 month