Problems with expired user action emails
by Samuel Otter
Hi,
We have discovered a somewhat strange behavior with the User Action
timeouts. We need to have a fairly long User Action timeout but the links
provided in the emails to the users expire well before that time. After
some digging around in the source code I think this is because both a user
session and a client session are created for the user action, but when the user
session expires and is removed the client session is also removed with it.
If we set the User Session SSO timeout to the same value it does indeed
seem to work as expected.
This seems unintentional and I can't really see why the user session is
created at all in this case as it is not really used as far as I can tell
(the client session id is used in the email link)? OTOH I am not sure why
the client session is removed when the user session expires? Or have we
completely misunderstood how this is supposed to work?
Anyway, as it is you can't really have a User Action timeout that is longer
than the SSO Session timeout.
Thanks,
Samuel Otter
9 years, 1 month
Are relative redirect URIs supported?
by Håvard Wigtil
I'm trying to get a relative (i.e. path only with no host) redirect URI
for a Keycloak client to work. My client works with full host and path,
but if I remove the host part I get an illegal parameter error.
The inline help bubble has the following sentence: "Relative path can be
specified too, i.e. /my/relative/path/*."
So as far as I can tell, it should work according to the help message.
As I was trying to find out more about this I came across Jira issue
KEYCLOAK-8[1], where a comment pointed to section 3.2.1[2] of the OAuth
2.0 spec. If I'm reading the spec correctly the redirect *must* be
absolute to be conformant with the spec.
Is the inline help wrong, or is it something here that I don't get?
Håvard
[1] https://issues.jboss.org/browse/KEYCLOAK-8
[2] https://tools.ietf.org/html/rfc6749#section-3.1.2
9 years, 1 month
Keycloak 1.6.1 possible bug. Deleting User
by alex orl
Hi to all. Working on my custom user federation provider I'm facing a possible bug. I used the latest 1.6.1 final Keycloak version. In my legacy user database I have 3 users: user1, user2, user3.
I try to log into my secured application with all three users' credentials and all goes fine. This way all three users are present inside the Keycloak properties file, so if I open the Keycloak admin console and list all users by clicking on the "view all users" button inside the user section, Keycloak lists to me user1, user2, user3.
Now I delete user3 from my legacy database, then I come back to the Keycloak admin console in order to list users again. After clicking the "view all users" button... nothing is listed and the page gets stuck in loading mode.
Debugging my code, after the "view all users" click... my user federation provider executes the isValid() method for all 3 users. The isValid method returns true for user1, true for user2, false for the deleted user3. The last false value is returned to the UserModel validateAndProxy(RealmModel realm, UserModel local) method, which will return a NULL UserModel object.
validateAndProxy passes the ball to org.keycloak.models.UserFederationManager with its method:

    protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
        // already validated during this request: reuse the cached proxy
        UserModel managed = managedUsers.get(user.getId());
        if (managed != null) {
            return managed;
        }
        UserFederationProvider link = getFederationLink(realm, user);
        if (link != null) {
            UserModel validatedProxyUser = link.validateAndProxy(realm, user);
            if (validatedProxyUser != null) {
                managedUsers.put(user.getId(), validatedProxyUser);
                return validatedProxyUser;
            } else {
                // provider says the user no longer exists: remove the local copy
                deleteInvalidUser(realm, user);
                return null;
            }
        }
        // remainder of the method was not included in the original post
The UserModel NULL value triggers the deleteInvalidUser(...) method (row 135 of the org.keycloak.models.UserFederationManager class). At this point nothing happens and the Keycloak console stays in loading state.
Am I wrong about anything? Or is it a bug? Thanks
9 years, 1 month
Securing dynamic services
by Jose Suero
I've installed Keycloak to secure a software-as-a-service application that
allows users to create scripts they can run as services. For the
authentication part Keycloak works like a charm: users are required to
enter a login and I get their roles and everything.
The idea is to let users create services and roles, and assign them to
users; this all works.
The issue I'm having is authorization. Since I have no knowledge beforehand
of what services or roles will be created, I can't use Security Constraints
in web.xml or annotations.
Since I have the roles I could write a function that does authorization,
but I would love for Keycloak to do it for me. I'm already passing realms to
Keycloak as in the multi-tenant example; is there any way I could assign URLs
to the roles I create so Keycloak checks whether or not I can access that URL?
Thanks in advance
9 years, 1 month
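The "function that does authorization" mentioned in the post above, written out as an added example (it is neither Keycloak code nor the poster's). The rule table, the client id `my-api` and the sample claims are constructed for the example; the claim layout (`realm_access.roles`, `resource_access.<client>.roles`) is the one Keycloak access tokens carry. It assumes the adapter has already verified the token signature and only makes the authorization decision on the decoded claims, denying by default when no rule matches.

```python
import fnmatch

# Constructed sample claims in the shape Keycloak puts in an access token:
# realm roles under realm_access, client roles under resource_access.<client>.
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"my-api": {"roles": ["reports-user"]}},
}

# Constructed rule table standing in for the rows the SaaS application would
# store when a tenant creates a service and assigns roles to it. Because rules
# are looked up at request time, services created after deployment are covered
# without touching web.xml or annotations.
RULES = [
    {"pattern": "/services/*", "roles": {"user"}},
    {"pattern": "/services/reports/*", "roles": {"reports-user", "admin"}},
    {"pattern": "/admin/*", "roles": {"admin"}},
]


def roles_from_claims(claims, client_id=None):
    """Collect realm roles and, if a client id is given, that client's roles."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if client_id is not None:
        client_roles = claims.get("resource_access", {}).get(client_id, {})
        roles |= set(client_roles.get("roles", []))
    return roles


def matching_rule(path, rules):
    """Return the most specific rule whose pattern matches the path, or None.

    fnmatch's '*' also matches '/', so '/services/*' would match
    '/services/reports/x'. Ordering by segment count (then pattern length)
    makes the more specific pattern win instead of whichever was inserted first.
    """
    ordered = sorted(
        rules,
        key=lambda r: (r["pattern"].count("/"), len(r["pattern"])),
        reverse=True,
    )
    for rule in ordered:
        if fnmatch.fnmatchcase(path, rule["pattern"]):
            return rule
    return None


def is_allowed(path, roles, rules=RULES):
    """Deny unless a rule matches and the caller holds at least one of its roles."""
    rule = matching_rule(path, rules)
    if rule is None:
        return False  # unknown path: deny by default
    return bool(set(roles) & rule["roles"])


def authorize_request(path, claims, client_id=None, rules=RULES):
    """Decide for a decoded (already signature-verified) token payload."""
    return is_allowed(path, roles_from_claims(claims, client_id), rules)


if __name__ == "__main__":
    for p in ("/services/jobs/run", "/services/reports/q1", "/admin/users", "/public"):
        print(p, authorize_request(p, SAMPLE_CLAIMS, "my-api"))
```

Note that whether client roles count depends on passing the client id: the same user is allowed on `/services/reports/q1` when `my-api` roles are consulted and denied when only realm roles are.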
[Identity Providers] set default roles for a Client
by Pavel Maslov
Hello everyone,
Is it possible to set default roles to all users of an Identity Provider
(e.g. github)?
Usecase: I have a client registered in my realm. This client has a set of
roles. I would like to apply those roles to all github users (no manual
assigning).
Thanks.
Regards,
Pavel Maslov, MS
9 years, 1 month
[OAuth2.0] scope parameter
by Pavel Maslov
Hi everyone,
I am testing my API service (secured with Keycloak) using the Postman's
OAuth2.0 workflow. In my Keycloak client's role I have enabled the Scope
Param Required setting, but I am not being asked to consent to this role.
What is the format of the scope variable?
Thanks!
Regards,
Pavel Maslov, MS
9 years, 1 month
SAML attribute extraction and invalid_redirect_uri
by Joseph.George@finantix.com
Dear All
May I ask how to get the user id and the other additional SAML attributes
which the server asserts? Do you have any URL for a Java program to extract
this info from the client/service provider program?
Secondly,
I am running the Keycloak server in standalone mode and defined a realm, demo,
with SAML and users/roles etc.
Now, once I access http://localhost:8280/sample/, it is getting redirected to
the IDP server, but it is not challenging for user authentication.
It just says "Invalid redirect uri":
"2015-11-23 17:15:03,998 WARN [org.keycloak.events] (default task-1)
type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_redirect_uri"
My client application is a localhost application with URL
http://localhost:8280/sample/*, so I registered the same on the Valid Redirect URIs
field.
I am not sure how to debug it. I enabled ALL for the logger. Kindly advise.
Please find attached screenshots for the client application and keycloak-saml.xml;
the client application is running on Tomcat 7.
Client Application from keycloak server
(Embedded image moved to file: pic32702.jpg)
keycloak-saml.xml
(See attached file: keycloak-saml.xml)
9 years, 1 month
Proxy configuration issue (Bill Burke)
by Adrian Matei
Hi Bill,
The problem was that the proxy did not ask the user to "login", but it was
my error because I had forgotten to configure the "constraints" section in
proxy.json
The issue I am having now is that the "sign out" from another application
in the same realm, doesn't sign out the user in the proxied application
(the "session" cookie is still present) - should I configure something
special regarding this?
Here is my working configuration now:

    {
      "target-url": "http://localhost:8280/",
      "send-access-token": true,
      "bind-address": "localhost",
      "http-port": "8080",
      "applications": [
        {
          "base-path": "/backend",
          "error-page": "/error.html",
          "adapter-config": {
            "realm": "demo",
            "resource": "proxy",
            "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GN....",
            "auth-server-url": "http://localhost:8180/auth",
            "ssl-required": "external",
            "principal-attribute": "name",
            "credentials": {
              "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
            }
          },
          "constraints": [
            {
              "pattern": "/*",
              "roles-allowed": [
                "user"
              ]
            }
          ]
        }
      ]
    }
Thanks,
Adrian
Message: 1
Date: Fri, 20 Nov 2015 10:09:59 -0500
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Proxy configuration issue (Bill Burke)
To: keycloak-user(a)lists.jboss.org
Message-ID: <564F37C7.9010007(a)redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
That all looks right. What are the problems you are seeing? I don't
see them listed explicitly in this email thread.
On 11/20/2015 6:31 AM, Adrian Matei wrote:
> Hi Bill,
>
> Thank you for your answer, but I still don't seem to get Keycloak to
> "catch" my requests against the protected application.
> Let me make the scenario clear:
>
> 1. Application to be protected runs on http://localhost:*8280*/backend
>
> 2. Server proxy started and runs on http://localhost:*8080*, when I type
> http://localhost:8080/backend in the browser I see the protected application
>
> 3. Keycloak server runs on http://localhost:*8180*/auth
>
> 4. The adapter config in the "applications" section corresponds now the
> proxy client I have configured in the Keycloak realm:
>
> Client ID: proxy
>
> Client Protocol: openid-connect
> Access Type: confidential
> Valid Redirect URIs: http://localhost:8080/backend/*
>
>
> I am not sure how to configure the proxy Server - now I have the following:
> {
> "target-url": "*http://localhost:8280/*", ???
> "send-access-token": false,
> "bind-address": "localhost",
> "http-port": "8080", ???
> "applications": [
> {
> "base-path": "*/backend*",
> "error-page": "/error.html",
> "adapter-config": {
> "realm": "demo",
> "resource": "*proxy*",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> "auth-server-url": "http://localhost:8180/auth",
> "ssl-required" : "external",
> "principal-attribute": "name",
> "credentials": {
> "secret": "4ef4196d-9e86-4795-9219-dc1288b87c2b"
> }
> }
> }
> ]
> }
> Questions:
> 1. The target-url I set it to the URL of the application the proxy
> server is proxying - this means the server can only proxy applications
> on the same URL?
> 2. What am I doing wrong :((((?
>
>
> Thanks a bunch,
> Adrian
>
> "Can't really see the screenshot, but you have to point keycloak to the
> host/port of the proxy.
>
> On 11/19/2015 9:13 AM, Adrian Matei wrote:
> > Hi everyone,
> >
> > I am trying to make a simple test and configure a keycloak proxy to
> > protect an application running on http://localhost:8280/backend/
>
> >on looks like the following:
> >
> > {
> > "target-url": "http://localhost:8280/",
> > "send-access-token": false,
> > "bind-address": "localhost",
> > "http-port": "8080",
> > "applications": [
> > {
> > "base-path": "/backend",
> > "error-page": "/error.html",
> > "adapter-config": {
> > "realm": "demo",
> > "resource": "sandbox-backend",
> > "realm-public-key":
> > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> > "auth-server-url": "http://localhost:8180/auth",
> > "ssl-required" : "external",
> > "credentials": {
> > "secret": "9323cdd6-7e0e-46ce-814f-b5ac79581395"
> > }
> > }
> > }
> > ]
> > }
> >
> > 2.
> > I've started the proxy server as specified in the documentation
> > "java -jar bin/launcher.jar proxy.json"
> > I am getting an error "ERROR: UT005026: Jetty ALPN support not found on
> > boot class path, SPDY client will not be available.", but the server
> > still starts, I don't think there should be a problem with that...
> >
> > 3. In the admin console (keycloak running on port 8180) I've configured
> > the backend application like the following:
> >
> > Could you tell me what I am doing wrong? When I put in the app's url in
> > the browser it goes directly to the application...
> >
> > Thanks,
> > Adrian"
>
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 1 month
mobile security
by Jose Suero
I need to create a mobile application that consumes services from
keycloak-protected services. Users don't create an account, but I don't
want people outside the app to consume the services.
How can I send the token to authenticate on the mobile app the same way I
authenticate on websites, meaning having a keycloak.json key or something?
Any thoughts?
9 years, 1 month