November 2015 - keycloak-user - Jboss List Archives

by robinfernandes .

Hi All, Just wanted a clarification regarding generation of offline tokens. 1. Can we use the *grant_type = authorization_code* or* grant_type = refresh_token* to get the offline tokens? Or is it only available for grant_type = password & grant_type = client_credentials? 2. Is there a way to give offline token to a particular user without using direct access grants? Thanks, Robin

8 years, 5 months

2
1
0 / 0

Custom Authentication and Federation question

by Jeff Macomber

Hi, I am trying to figure out how/if KeyCloak can be used for a project. The background is that we need three pieces of information to login a user location, username, password. The location is used to allow us to figure out where that user record can be found in distributed environment. We have no single central user database but instead a number of different user databases installed in logically/physically different locations. We do not want anything other than login from KeyClaok and we need to be able to support SAML and eventually OAuth2. Based on reading the documentation it seems i would need to do the following: 1. Custom Authentication and AuthenticationFactory to handle validation of the user credentials 2. Custom federation provider and factory to handle construction of the user object I then created the custom authentication and factory. Packaged them and placed them in the standalone. I then saw the new option in the Authentication Admin menu. I created a new Flow by copying the Browser flow and removed the default items and just required the new provider. Saved, restarted. Then using a SAML client i tried login but i dont get the new login form (which i reference in the code for the authenticator). What i get is still the default login page with the two normal fields. When i submit that form it never attempts to execute the code in my custom authenticator. So my questions are: 1. Am i correct that i need a custom authentication and federation providers? Is there additional items i need here? 2. How do i get the SAML login page to use my custom login page and how do i route to the custom authentication code? and ideally how do i leave the admin console login page alone since that will use local users not these federated remote users. Please let me know if i can provide more info for clarification. Thanks Jeff

8 years, 5 months

1
0
0 / 0

Native applications and federated login

by Tomas Groth Christensen

Hi, I have a question about how to use OpenId Connect and KeyCloak and hope that someone here will be able to help. I'm part of a project where federated login will be used. We are planning to use Keycloak as Identity Broker and multiple Identity Providers will be set up, some Identity Providers will be Keycloak instances, others not. For now the assumption is that all the Identity Providers will support OpenId Connect. One of the use cases we need to support is authentication of applications for communication to webservices (machine to machine communication), but it is causing us some trouble. The webservices will be created as clients in the Keycloak Identity Broker. But how do we authenticate the applications? The applications will not be browser based, so using the webinterface for authentication is not possible. There exists some guides (including this Keycloak blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) that describes how this can be done when using Keycloak directly as Identity Provider, but I haven't been able to find any solutions to how to make it work when there is an Identity Broker involved. Reading the Keycloak documentation I couldn't help notice the big fat warning in the chapter about Direct Access Grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...) which discourages bypassing the webinterface. This leads me to think that this kind of federated authentication without a browser is not supported by OpenId Connect, or am I missing something? I've had a look at offline tokens, but to generate them, manual browser based authentication is still needed, at least as far as I can see... I hope someone on the list has an idea for a smart workaround :) Best regards, Tomas

8 years, 5 months

2
1
0 / 0

Not working link generated via REST API - Send an email-verification email to the user

by Andrej P

I am using Keycloak 1.6.1 Final. I can generate Verify Email in two ways: 1.) via GUI it works fine - link in generated email.: http://172.31.32.216:8080/auth/realms/universities/login-actions/email-ve... 2.) via REST API (Send an email-verification email to the user) - PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8... here is not working link in generated email: http://172.31.32.216:8080/auth/realms/universities/login-actions/email-ve... We are getting WE'RE SORRY ... screen. Summary: in link generated via REST API is missing code (only key is present), in GUI link are both code and key

8 years, 5 months

3
2
0 / 0

disable edit account after password reset

by Mark Hayen

Hi, Is it possible to disable the Edit Account page? Currently (keycloak 1.4.0) users who click on the link in the password reset email get redirected to the Edit Account page. I would like them to get redirected to my application. How should I approach this? Thx Mark Hayen First8.nl

8 years, 5 months

2
2
0 / 0

Can not make SAML2.0 work anyway.

by Mai Zi

Hi, there, I am trying version is 1.6.0 keycloak 's brokering. I have imported two realms :saml-broker-realm.json and saml-broker-authentication-realm.json by following the readme in the broker example. It works fine ( except failed logout somehow) Now I decide to give more try and here is my steps: 1) Create a realm named testsaml and the saml descriptor can be found here: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor2) In the saml-broker-authentication-realm, create a new ID provider named saml by importing the URL above: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor 3) Download the SP metadata named "keycloak.xml" from the export tab page. 4) Go to the testsaml reaml, and create a client by importing the downloaded "keycloak.xml" 5) open the page : http://localhost:8080/saml-broker-authentication and can see the IDprovider named saml on the left. 6) login with the ID provider but finally get the errors as below: Context Path:/authServlet Path: Path Info:/realms/saml-broker-authentication-realm/broker/saml/endpointQuery String:nullStack Trace java.lang.RuntimeException: request path: /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) ...... So what happened for my configuration? I missed something? T.I.A. Maizi .

8 years, 5 months

2
2
0 / 0

Documentation on website

by Mark Hayen

8 years, 5 months

3
3
0 / 0

Security implications when having long login action timeout

by Libor Krzyzanek

Hi, we got requirement to have long timeout e.g. 2 - 3 days on links for e-mail verification during registration for better UX. It’s possible to do it via setting "Login action timeout” to 3 days. This setting also change the timeout of link for forgot password AFAIK. I’m thinking about security implications. Can somebody steal such link in e-mail somehow and then steal identity because of doing “forgot password” on target account? For example by listening SMTP protocol communication? Thanks, Libor Krzyžanek jboss.org Development Team

8 years, 5 months

3
3
0 / 0

Enable CORS

by Revanth Ayalasomayajula

Hi, I am using keycloak1.5.0 to secure a few of my applications and i want to request the keycloak's Login page from an ajax call. It is currently giving me a CORS error. So i wanted to know how do i enable CORS support or add my URL to allowed set?? Thanks.

8 years, 5 months

4
9
0 / 0

Revision in chapter 8 JAAS plugin

by Victor Neves Evangelista

Come to knowledge Don't have informations about org.keycloak.adapters.jboss.KeycloakLoginModule . Dont exist references in user guide about JAAS plugin.

8 years, 5 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2015