Persistent sessions
by Alarik Myrin
When upgrading Keycloak, I recently faced the problem that the upgrade
would essentially invalidate all the current user sessions. Has anyone had
any luck with using the <persistent-sessions/> tag in the WildFly Undertow
web subsystem to try and have user sessions survive a server restart?
10 years, 1 month
Bearer Only Application and refresh token
by Davide Ungari
Hi,
following some of your suggestions I designed an application composed of a:
1- frontend web application
2- backend REST API
The frontend has a servlet-proxy to the backend REST API to avoid cross
domain problems.
The backend has a bearer-only configuration.
Everything works until the token expires; I tried to force a refresh when
I receive a 401 status but it does not work.
What is supposed to be done every time the access token expires?
--
Davide
10 years, 1 month
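The renewal step the post above is asking about, as an added example (not code from Davide's application or from Keycloak): when the bearer-only backend answers 401 because the access token has expired, the servlet-proxy exchanges the stored refresh token at the token endpoint (the OAuth 2.0 refresh_token grant), keeps the new token pair, and retries the original request exactly once. The token endpoint, the backend and the clock are constructed stand-ins so the flow runs offline; their behaviour (60-second access tokens, single-use refresh tokens, a 401 with no redirect) is an assumption of this example, not a statement about Keycloak's defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple
import itertools


@dataclass
class Clock:
    """Simulated time so expiry can be driven without sleeping."""
    now: float = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class FakeTokenEndpoint:
    """Stand-in for the realm token endpoint (assumed lifetimes)."""
    clock: Clock
    access_lifetime: float = 60.0
    refresh_lifetime: float = 1800.0
    _ids: itertools.count = field(default_factory=itertools.count)
    access_expiry: Dict[str, float] = field(default_factory=dict)
    refresh_expiry: Dict[str, float] = field(default_factory=dict)

    def issue(self) -> Dict[str, str]:
        n = next(self._ids)
        access, refresh = f"access-{n}", f"refresh-{n}"
        self.access_expiry[access] = self.clock.now + self.access_lifetime
        self.refresh_expiry[refresh] = self.clock.now + self.refresh_lifetime
        return {"access_token": access, "refresh_token": refresh}

    def refresh(self, refresh_token: str) -> Dict[str, str]:
        """grant_type=refresh_token. The presented refresh token is consumed
        (rotation, an assumption here), so the caller must keep the new pair."""
        expiry = self.refresh_expiry.pop(refresh_token, None)
        if expiry is None or expiry < self.clock.now:
            raise PermissionError("invalid_grant")
        return self.issue()


@dataclass
class FakeBearerOnlyBackend:
    """Bearer-only resource: validates the token, never redirects to login."""
    endpoint: FakeTokenEndpoint

    def get(self, path: str, access_token: str) -> Tuple[int, str]:
        expiry = self.endpoint.access_expiry.get(access_token)
        if expiry is None or expiry < self.endpoint.clock.now:
            return 401, "invalid or expired bearer token"
        return 200, f"resource {path}"


@dataclass
class ProxySession:
    """Per-user state the servlet-proxy keeps: the current token pair."""
    endpoint: FakeTokenEndpoint
    backend: FakeBearerOnlyBackend
    tokens: Dict[str, str]
    refreshes: int = 0

    def forward(self, path: str) -> Tuple[int, str]:
        status, body = self.backend.get(path, self.tokens["access_token"])
        if status != 401:
            return status, body
        try:
            self.tokens = self.endpoint.refresh(self.tokens["refresh_token"])
        except PermissionError:
            # Refresh token gone too: the session is over. Send the user back
            # through login rather than looping on refresh attempts.
            return 401, "session expired, re-authenticate"
        self.refreshes += 1
        # Retry exactly once. A second 401 is not expiry and must surface.
        return self.backend.get(path, self.tokens["access_token"])


def demo() -> Dict[str, object]:
    """Fresh token, expired access token, expired refresh token."""
    clock = Clock()
    endpoint = FakeTokenEndpoint(clock)
    backend = FakeBearerOnlyBackend(endpoint)
    session = ProxySession(endpoint, backend, endpoint.issue())
    fresh = session.forward("/api/items")          # 200, no refresh needed
    clock.advance(120)                              # access token expired
    after_refresh = session.forward("/api/items")   # 401 -> refresh -> 200
    clock.advance(3600)                             # refresh token expired
    after_logout = session.forward("/api/items")    # 401, must log in again
    return {"fresh": fresh, "after_refresh": after_refresh,
            "after_logout": after_logout, "refreshes": session.refreshes}


if __name__ == "__main__":
    print(demo())
```

The single retry is the important design choice: a proxy that refreshes on every 401 without bound turns an unrelated authorization failure into a tight loop against the token endpoint. Storing the returned pair matters whenever the server rotates refresh tokens, since the old one is rejected afterwards.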
Users spanning across realms
by Gary Brown
Hi
As mentioned in previous post, I'm looking at how to leverage KeyCloak within the Overlord governance projects.
I can see how our web UIs and REST services could be defined within a single realm, with the appropriate roles, users and user/role mappings. However if we wanted to build some apps that made use of other JBoss projects, that also used KeyCloak, but with their own realms, then how would a user be defined to use our app that may at the backend need to call services provided by other projects/realms?
Wondering whether the user concept needs to be defined outside of a realm, so that it could be assigned roles within a number of realms, allowing them to access the various apps in those different domains?
More of a conceptual discussion, rather than an actual problem at this stage - was more curious how it could work, as not a security expert.
Regards
Gary
10 years, 1 month
Re: [keycloak-user] Active Directory Realm question.
by Patrick V. Madden
Thanks Marek,
Much appreciated. One more note that is not critical but perhaps relevant. Even without those Object Classes defined, the synchronize all users result showed success. Now perhaps that means there was no error. Not sure how you want to handle that, but perhaps it should check for at least one result?
Thanks again.
Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden@ tomsawyer.com
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Patrick V. Madden" <pmadden(a)tomsawyer.com>
Cc: "keycloack-users" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, November 5, 2014 10:20:38 AM
Subject: Re: [keycloak-user] Active Directory Realm question.
Yes, it makes sense to have Object classes mandatory in the UI. I've fixed it (also changed the tooltip); it will be available in the next version.
Thanks!
Marek
10 years, 1 month
Changing passwords and current sessions
by Alarik Myrin
Should changing a password invalidate current sessions, or at least the
refresh tokens? Or would a user have to change the password AND log out
current sessions to invalidate the current sessions and refresh tokens? To
me it seems like the latter is the current behavior, I just wanted to make
sure that it is desirable.
Thanks,
Alarik
10 years, 1 month
Profile Picture
by Rodrigo Sasaki
I was going to look at Jira but it seems to be out for maintenance, so I
just have a quick question.
Is there already a feature request to add a profile image to the Keycloak
User?
Thanks!
--
Rodrigo Sasaki
10 years, 1 month
Re: [keycloak-user] Active Directory Realm question.
by Patrick V. Madden
Hi Marek,
Wow! I was about to give up and then I decided to try to enter information into the field for User Object Classes. I was leaving that blank as it shows as not required and the tip seems to indicate it is for creating LDAP users via KeyCloak. I noticed in my LDAP Browser that among many others, it had 4 rows named objectClass as follows:
Attribute Name    Value
objectClass       top
objectClass       person
objectClass       organizationalPerson
objectClass       user
Once I added these as "top,person,organizationalPerson,user" into User Object Classes field in LDAP Provider Settings it worked!!!!
I was literally writing a response to say nope can't get it to work. Divine intervention made me try one more thing.
This may be helpful to others.
Thanks for your help.
Patrick
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Patrick V. Madden" <pmadden(a)tomsawyer.com>, "keycloack-users" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, November 4, 2014 1:58:31 PM
Subject: Re: [keycloak-user] Active Directory Realm question.
Hi,
after "Synchronize all users" you should be able to see all users from LDAP, not just those which already authenticated in Keycloak. For your LDAP tree, I believe that Base DN should be "DC=acme,DC=com" and User DN should be "OU=acmeUsers,DC=acme,DC=com" . Please let me know if it helps.
Marek
_______________________________________________
keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
10 years, 1 month
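How the three LDAP provider settings this thread turns on (Base DN, User DN, User Object Classes) combine into a search scope and a filter, as an added example that is not Keycloak's own code: it builds the AND filter the comma-separated object-class list implies, evaluates it against a constructed in-memory copy of the tree from the post, and shows what the filter and the scope each exclude. The matcher is a hand-written subset of RFC 4515 (equality, presence, AND), not an LDAP client, and the subtree scope, the extra group entry and the OU=Service service account are assumptions of the example; it does not claim to reproduce the query Keycloak 1.0.4 issues internally.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed directory: the post's tree plus a group inside the user OU and
# a service account outside it (both hypothetical).
DIRECTORY: Dict[str, Entry] = {
    "DC=acme,DC=com": {"objectClass": ["top", "domain"]},
    "OU=acmeUsers,DC=acme,DC=com": {"objectClass": ["top", "organizationalUnit"]},
    "CN=John Doe,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"]},
    "CN=Jane Doe,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jadoe"]},
    "CN=Joe Blow,OU=acmeUsers,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jblow"]},
    "CN=Domain Admins,OU=acmeUsers,DC=acme,DC=com": {"objectClass": ["top", "group"]},
    "CN=svc-backup,OU=Service,DC=acme,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["svc-backup"]},
}


def user_filter(object_classes: str) -> str:
    """Turn the comma-separated 'User Object Classes' value into an AND filter,
    e.g. 'top,person' -> '(&(objectClass=top)(objectClass=person))'.
    A blank value is rejected, matching Marek's decision to make the field
    mandatory in the UI."""
    classes = [c.strip() for c in object_classes.split(",") if c.strip()]
    if not classes:
        raise ValueError("User Object Classes must name at least one class")
    if len(classes) == 1:
        return f"(objectClass={classes[0]})"
    return "(&" + "".join(f"(objectClass={c})" for c in classes) + ")"


def _split_terms(inner: str) -> List[str]:
    """Split '(a=b)(c=d)' into its top-level parenthesised terms."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(inner[start:i + 1])
    return terms


def matches(entry: Entry, filt: str) -> bool:
    """Evaluate an equality, presence or AND filter against one entry.
    Values compare case-insensitively, as LDAP does for objectClass."""
    if filt.startswith("(&"):
        return all(matches(entry, t) for t in _split_terms(filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn: str, base_dn: str) -> bool:
    """Subtree scope (assumed): the entry is the base itself or lies beneath it."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def sync_users(search_base: str, object_classes: str) -> List[str]:
    """DNs a 'Synchronize all users' run would import under search_base
    with the given object-class filter."""
    filt = user_filter(object_classes)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, search_base) and matches(attrs, filt))


if __name__ == "__main__":
    classes = "top,person,organizationalPerson,user"
    # Marek's suggested User DN: exactly the three people, not the group.
    print(sync_users("OU=acmeUsers,DC=acme,DC=com", classes))
    # Searching from the Base DN instead also imports the service account.
    print(sync_users("DC=acme,DC=com", classes))
    # A bare OU with no domain suffix matches nothing: a "successful" sync
    # that imports zero users, the symptom reported in the thread.
    print(sync_users("OU=acmeUsers", classes))
```

Two of the outcomes are the security-relevant ones: scoping the search at the User DN rather than the Base DN keeps accounts from other OUs (here the hypothetical service account) out of the realm, and a sync that reports success while importing zero entries is worth flagging, as Patrick suggests, because a mistyped DN or filter is indistinguishable from an empty directory otherwise.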
Keycloak 1.1.0.Beta1 Released
by Stian Thorgersen
Keycloak already supports OpenID Connect, but with this release we're also introducing support for SAML 2.0.
We've also significantly improved our clustering support, for the server and application adapters. The server can now be configured to use an invalidation cache for realm meta-data and user profiles, while user sessions can be stored in a distributed cache, allowing for both increased scalability and availability. Application adapters can be configured for either sticky sessions or stateless operation if sticky sessions are not available. We've also added support for nodes to dynamically register with Keycloak to receive, for example, logout notifications.
Thanks to Juraci Paixão Kröhling we now have multi-tenancy support in application adapters. His contribution makes it easy to use more than one realm for a single application. It's up to you to decide which realm is used for a request, but this could for example be depending on domain name or context-path. For anyone interested in this feature there's a simple example that shows how to get started.
A while back Davide Ungari contributed a Tomcat 7 application adapter for Keycloak, but we haven't had time to document, test and make it a supported adapter until now.
The next release of Keycloak should see the introduction of more application adapters, with support for JBoss BRMS, JBoss Fuse, UberFire, Hawt.io and Jetty.
For a complete list of all features and fixes for this release check out JIRA (https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fix...).
I'd like to especially thank all external contributors; please keep contributing! For everyone wanting to contribute to Keycloak, don't hesitate: it's easy to get started and we're here to help if you need any pointers.
10 years, 1 month
Active Directory Realm question.
by Patrick V. Madden
Hi,
Hope this doesn't post twice....
I am running a local 1.0.4.Final build on my local machine to do some testing.
I have a quick question regarding an Active Directory Realm that I am trying to configure. I am able to successfully test the connection and test authentication using Bind DN and Bind Credential and Connection URL.
I can connect via an external LDAP browser using same credential and browse the directory.
When I click Synchronize all users button it says it is successful. However, when I go back to search page I get nothing when I enter a username. When I click show all users it shows nothing. I was hoping it would show me a list of all users in the search tree based on my settings.
Let's assume my company is acme.com. When I look at the browser it shows:
RootDSE
+---DC=acme,DC=com
    +---OU=acmeUsers
        +---CN=John Doe
        +---CN=Jane Doe
        +---CN=Joe Blow
I want the users to be in OU=acmeUsers,DC=acme,DC=com
And yes OU=acmeUsers is what I need...
So what would I put in for Base DN and User DN Suffix to get it to show a list of all users in the directory?
Or does it only show users that have logged into the Realm via a web app?
Hope this makes sense.
Regards,
Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden@ tomsawyer.com
10 years, 1 month
LDAP Synch All Users Question
by Patrick V. Madden
Hi,
I am running a local 1.0.4.Final build on my local machine to do some testing.
I have a quick question regarding an Active Directory Realm that I am trying to configure. I am able to successfully test the connection and test authentication using Bind DN and Bind Credential and Connection URL.
I can connect via an external LDAP browser using same credential and browse the directory.
When I click Synchronize all users button it says it is successful. However, when I go back to search page I get nothing when I enter a username. When I click show all users it shows nothing. I was hoping it would show me a list of all users in the search tree based on my settings.
Let's assume my company is Acme. When I look at the browser it shows:
RootDSE
+---DC=acme,DC=com
    +---OU=acmeUsers
        +---CN=John Doe
        +---CN=Jane Doe
        +---CN=Joe Blow
I want the users to be in OU=acmeUsers,DC=acme,DC=com
So what would I put in for Base DN and User DN Suffix to get it to show a list of all users in the directory?
Or does it only show users that have logged into the Realm via a web app?
Hope this makes sense.
Regards,
Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden@ tomsawyer.com
10 years, 1 month