Limit sessions per user
by Jose Suero
Is there a way to limit user sessions, so that if I log on and have a previous active session, that session is immediately expired?
Maybe have a configuration for this per realm.
9 years, 1 month
Unknown authentication mechanism KEYCLOAK
by Rens Verhage
Hi all,
I’m having some trouble securing a test application with Keycloak. I downloaded the keycloak-1.6.1.Final.zip. First thing I did was changing the datasource to PostgreSQL and in Keycloak configured my realm and generated a keycloak.json file.
I copied keycloak.json to the WEB-INF folder of my war project and edited my web.xml, I added this:
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>PDC</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
Upon boot however, Wildfly logs the following error:
"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./pdc-web" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./pdc-web: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK”}}
The only hint to fix this error that I could find was to make sure that the Keycloak subsystem is enabled in standalone/configuration/standalone.xml, which is the case as I didn’t change the default config:
    <server xmlns="urn:jboss:domain:3.0">
        <extensions>
            ...
            <extension module="org.keycloak.keycloak-server-subsystem"/>
            ...
        </extensions>
        …
    </server>
As my experience with Wildfly and knowledge of Keycloak is limited, what could be the problem here?
Regards,
Rens Verhage
9 years, 1 month
Verify token thru javascript api
by Jose Suero
How can I periodically check if the token is still active? If I manually
log out users in the admin, what can I call from the browser to know that
the token is still active?
9 years, 1 month
How to refresh the account data
by Jairo Alonso Henao Rojas
Hello,
When the user edits the data of your account and returns to an application, I read the KeycloakSecurityContext but it contains the old information; the new information is not loaded. :(
To get the new data, I have to logout/login.
Jairo Henao Rojas
IT ROI Solutions
9 years, 1 month
OpenId Identity Broker exception - keycloak 1.6.1
by Steve Favez
Hi all,
I'm trying to use keycloak as identity broker in front of openAm 12, using
openId Connect 1.0.
After authenticating against openAM, (so, redirection is ok), I get the
following error in keycloak when validating the token :
Caused by: org.codehaus.jackson.JsonParseException: Numeric value (1448455006000) out of range of int
......
    at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:84)
    at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:290)
Here's the returned jwt :
eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiNGJkYmQ0NzYtNmE1ZS00ZTZkLTk3MzEtNGEyNmNjZmQ2NGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJpbXBsaWNpdGNsaWVudCIsICJzdWIiOiAiYW1hZG1pbiIsICJhdF9oYXNoIjogIkFqTDJGSHpQTXlKWGJoODBrY2UwQ1EiLCAiaXNzIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9vcGVuYW0iLCAiaWF0IjogMTQ0ODQ1NDQwNiwgImF1dGhfdGltZSI6IDE0NDg0NTQ0MDYsICJleHAiOiAxNDQ4NDU1MDA2MDAwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInJlYWxtIjogIi8iLCAiYXVkIjogWyAiaW1wbGljaXRjbGllbnQiIF0sICJjX2hhc2giOiAia0x1ajJfdEJMdVllZVRaWXpETFl4ZyIsICJvcHMiOiAiYTQ5ZWE5OTAtYTFiMS00MGViLWI5ZDMtYTI2YmNiMDE0OGEwIiB9.oiPF0jQP7YRfPeHWV3szNrQ1TYdDieAav0_j2dGXM0iOoMCg4Mk_2tSANQRLRct6Lr_erSFqxFE6Wo6Jvd8aaVWzX6CyS_jD4jYgXywZE5XvkUWuebw8jaODSJddlqelMnEN1bWA1U6i5uaxFDT-occhcM6J5Xpf3j7oGZ1s1i0
-> {
    tokenName: "id_token",
    azp: "implicitclient",
    sub: "amadmin",
    at_hash: "AjL2FHzPMyJXbh80kce0CQ",
    iss: "http://localhost:8080/openam",
    iat: 1448454406,
    auth_time: 1448454406,
    exp: 1448455006000,
    tokenType: "JWTToken",
    realm: "/",
    aud: [
        "implicitclient"
    ],
    c_hash: "kLuj2_tBLuYeeTZYzDLYxg",
    ops: "a49ea990-a1b1-40eb-b9d3-a26bcb0148a0"
}.
So far, as we can see using a jwt decoder ( http://calebb.net/ ) the "out
of range int" is the exp (expiration date)
As I can see in class "JsonWebToken ", expiration is an int... Isn't it
supposed to be a long ?
(same for iat and auth_time)
Thanks in advance for your help
Regards
Steve
9 years, 1 month
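Added example (not part of the original post and not Keycloak code): a Node.js check that decodes a token's payload and reports time claims that do not fit a 32-bit int, as the exp value above does. The sample token is constructed from the iat, auth_time and exp values quoted in the post; the function names are hypothetical.

```javascript
// JWT time claims (RFC 7519 NumericDate) are seconds since the epoch.
const INT32_MAX = 2147483647;
const TIME_CLAIMS = ['exp', 'iat', 'nbf', 'auth_time'];

// Decode the payload (second segment) of a compact JWS. No signature check:
// this is a diagnostic for claim values, not token validation.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report every time claim that a parser using a 32-bit int cannot hold.
function checkTimeClaims(payload) {
  const findings = [];
  for (const claim of TIME_CLAIMS) {
    if (!(claim in payload)) continue;
    const value = payload[claim];
    if (!Number.isSafeInteger(value) || value < 0) {
      findings.push({ claim, value, issue: 'not a non-negative integer' });
    } else if (value > INT32_MAX) {
      // If value/1000 fits again, the issuer most likely sent milliseconds.
      const asSeconds = Math.floor(value / 1000);
      const finding = { claim, value, issue: 'exceeds 32-bit int',
        probablyMilliseconds: asSeconds <= INT32_MAX, asSeconds };
      if (claim === 'exp' && Number.isSafeInteger(payload.iat)) {
        finding.lifetimeFromIat = asSeconds - payload.iat; // in seconds
      }
      findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample token: claim values from the post, placeholder signature.
function makeSampleJwt() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = { sub: 'amadmin', iat: 1448454406,
    auth_time: 1448454406, exp: 1448455006000 };
  return enc({ typ: 'JWT', alg: 'RS256' }) + '.' + enc(payload) + '.constructed-signature';
}

console.log(checkTimeClaims(decodePayload(makeSampleJwt())));
```

For the values in the post, only exp is reported: read as milliseconds it lies 600 seconds after iat, while iat and auth_time are already in seconds.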
Configuration options SPI implementation
by Frank van Veen
Hi,
Currently I am setting up a user federation. Right now it is possible to add text fields to the user federation configuration page.
Is it also possible to add buttons and other elements?
Sincerely,
Frank van Veen
9 years, 1 month
Keycloak offline token
by Carlos Feria
Hello. I migrated my Keycloak to keycloak-1.6.1.Final and I have a problem
with the session persistence.
I have a pure JavaScript application, which uses the JavaScript adapter. When I
had the other version of Keycloak, the session was closed when I did a logout or
closed the browser, but now in keycloak-1.6.1.Final the session is not
destroyed when I close the browser; I see that the session is in a cookie.
I deleted the offline role of my users and roles but the session doesn't
close. How can I delete the session when I close the browser? Please help me.
This is my Angular interceptor and bootstrap method:
    keycloak.init({onLoad: 'login-required'}).success(function () {
        window.auth.authz = keycloak;
        angular.module('mean').factory('Auth', function () {
            return window.auth;
        });
        // Then init the app
        angular.bootstrap(document,
            [ApplicationConfiguration.applicationModuleName]);
    }).error(function () {
        window.location.reload();
    });

    angular.module('mean').factory('authInterceptor', function ($q, Auth) {
        return {
            request: function (config) {
                // Requests for .html templates are passed through unchanged
                if (!config.url.match(/\.html$/)) {
                    var deferred = $q.defer();
                    if (Auth.authz.token) {
                        // Refresh the token if it expires within 5 seconds,
                        // then attach it as a Bearer header
                        Auth.authz.updateToken(5).success(function () {
                            config.headers = config.headers || {};
                            config.headers.Authorization = 'Bearer ' + Auth.authz.token;
                            deferred.resolve(config);
                        }).error(function () {
                            // Refresh failed: reload the page
                            location.reload();
                        });
                    }
                    return deferred.promise;
                } else {
                    return config;
                }
            }
        };
    });
--
Carlos E. Feria Vila
9 years, 1 month
Planned support of Node.js, RAILS, GRAILS, and other non-Java applications
by Brose, Sascha
Hello,
I read in Keycloak documentation that there are plans to support Node.js, RAILS, GRAILS, and other non-Java applications.
Is this support already in development or when is it planned for? Will there also be support for scripting languages, e.g. PHP?
Best regards,
Sascha
9 years, 1 month
Error upgrading database, 1.2.0.Final to 1.6.1.Final
by Felipe Braun Azambuja
Hey all,
I'm trying to upgrade Keycloak in our test instance, but I'm getting a
really generic error while trying to start the service:
15:09:35,559 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 60) HHH000397: Using ASTQueryTranslatorFactory
15:09:35,594 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 60) HV000001: Hibernate Validator 5.1.3.Final
15:09:38,643 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 60) Failed to migrate datamodel: java.lang.NullPointerException
    at org.keycloak.migration.migrators.MigrateTo1_6_0.migrate(MigrateTo1_6_0.java:81)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:55)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:101)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
(...)
Is there any way to increase logging level on the migration part, so
that I can try and understand where's the problem with our database?
Thanks!
--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun(a)intelbras.com.br
9 years, 1 month
Authentication flow wrong behaviour using custom Authenticator Implementation
by alex orl
Working on the Keycloak 1.5.0 final version, I caught a bug related to consecutive logins. My use case was:
Configuration:
1) I've created a new realm, say "TestRealm"
2) I've created 1 role: "testRole"
3) I've created 2 users: "userTest1" and "userTest2"
4) In the role mapping tab of each user I've assigned "testRole" to both of them
5) In the credential tab of each user I've changed their pwd
Use case:
1) I try to access the account application from: https://localhost:8444/auth/realms/TestRealm/account/
2) I insert username: userTest1 pwd: (a wrong password)
Login page displays a tooltip saying "invalid username or password"
3) Without any page refresh I try to log in again with the second user: username: userTest2: pwd: (whatever right or wrong password)
Keycloak catches an exception:
The page displays: We're sorry ... Invalid username or password. << Back to Application
Now I'm testing Keycloak 1.6.1 final.
I realize that the bug is solved, but only when using the standard org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.
Referring to chapter 33 of the Keycloak 1.6.1 reference guide, I developed my custom Authenticator. As a proof of concept I simply copied the UserPasswordForm code, implementing a CustomUserPasswordForm. I've implemented CustomUserPasswordFormFactory. I tested the previous use case again in debug mode and caught the same error as in the 1.5.0 version.
In particular I realize that on the second login attempt the execution flow starts from the UserFederationManager.validateAndProxyUser(RealmModel realm, UserModel user) method, when the right flow should begin from the action method of my CustomUserPasswordForm.
Was this use case missed? Or am I doing something wrong?
Thanks a lot.
9 years, 1 month