Bug in AbstractClaimMapper class
by Lohitha Chiranjeewa
We came across an issue when integrating a custom OIDC IDP and mapping
roles into it. When we have a list of external roles to map into Keycloak
roles, the process fails.
The issue is at the bottom of the valueEquals(String, Object) method in the
AbstractClaimMapper class. When the incoming Object is a list, it just
performs the comparison with the first element and returns...
...
} else if (value instanceof List) {
    List list = (List) value;
    for (Object val : list) {
        return valueEquals(desiredValue, val);
    }
}
...
Instead the code should be something like this:
...
} else if (value instanceof List) {
    List list = (List) value;
    for (Object val : list) {
        if (valueEquals(desiredValue, val)) return true;
    }
}
...
Regards,
Lohitha
9 years, 1 month
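The report above concerns one comparison: a claim that arrives as a list is judged by its first element only, so a mapper whose desired value sits anywhere else in the list never matches. The following is an added example, not Keycloak's code: a Python model of that comparison with the reported behaviour beside the corrected one, applied to a constructed token payload through a hypothetical mapper configuration (the claim names, role names and the `{"claim", "value", "role"}` mapper shape are illustrative, not Keycloak's mapper format). It also generalizes the fix to nested lists and to numeric and boolean claims compared by their string form.

```python
"""Matching an IdP claim value against a mapper's desired value, including list claims.

Added example (not Keycloak's code). `value_equals_first_only` reproduces the
reported behaviour, where a list claim is judged by its first element alone;
`value_equals` matches if any element (at any nesting depth) matches.
`roles_to_grant` applies hypothetical mappers to a constructed token payload.
"""
import json
from typing import Any, Dict, Iterable, List


def _scalar_equals(desired: str, value: Any) -> bool:
    # Claims arrive as str/int/float/bool after JSON decoding; compare by the
    # string form so a mapper written as "2" matches a numeric claim 2.
    if isinstance(value, bool):
        return desired.lower() == str(value).lower()
    if isinstance(value, (str, int, float)):
        return desired == str(value)
    return False


def value_equals_first_only(desired: str, value: Any) -> bool:
    """Reported behaviour: a list is judged by its first element only."""
    if isinstance(value, list):
        for val in value:
            return value_equals_first_only(desired, val)  # returns on the first element
        return False  # empty list never matches
    return _scalar_equals(desired, value)


def value_equals(desired: str, value: Any) -> bool:
    """Corrected behaviour: any element of a (possibly nested) list may match."""
    if isinstance(value, list):
        return any(value_equals(desired, val) for val in value)
    return _scalar_equals(desired, value)


def roles_to_grant(claims: Dict[str, Any], mappers: Iterable[Dict[str, str]],
                   equals=value_equals) -> List[str]:
    """Return the roles whose mapper matches a claim in `claims`.

    Each mapper is {"claim": <claim name>, "value": <desired value>, "role": <role>}
    (an illustrative shape, not Keycloak's). Missing claims never match.
    """
    granted = []
    for m in mappers:
        if m["claim"] in claims and equals(m["value"], claims[m["claim"]]):
            granted.append(m["role"])
    return granted


# Constructed sample payload: an external IdP putting several groups in one claim.
SAMPLE_CLAIMS = json.loads('{"sub": "u1", "groups": ["staff", "billing-admins"], "tier": 2}')

# Hypothetical mapper configuration (names are illustrative).
MAPPERS = [
    {"claim": "groups", "value": "billing-admins", "role": "billing-admin"},
    {"claim": "groups", "value": "staff", "role": "employee"},
    {"claim": "tier", "value": "2", "role": "tier-2"},
    {"claim": "groups", "value": "auditors", "role": "auditor"},
]

if __name__ == "__main__":
    print("first-element-only:", roles_to_grant(SAMPLE_CLAIMS, MAPPERS, value_equals_first_only))
    print("any-element:       ", roles_to_grant(SAMPLE_CLAIMS, MAPPERS))
```

With the sample payload, the first-element-only comparison grants `employee` and `tier-2` but silently skips `billing-admin`, which is the failure described in the post; the any-element comparison grants all three.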
Issue with Bearer only auth
by Tero Ahonen
Hi,
I have a REST endpoint running on WildFly 9.
WildFly and the application are set up to use Keycloak, and requests to the endpoints are intercepted by the Keycloak adapter. But it seems that it is not working. If the auth header is not present, Keycloak just skips authentication and lets all requests through. It doesn't matter whether I use curl or a browser.
WildFly logs say (the last line comes from a servlet filter):
2015-11-06 13:10:23,962 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://localhost:8443/foobar/endpoint
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) --> authenticate()
2015-11-06 13:10:23,969 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-17) try bearer
2015-11-06 13:10:23,969 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) NOT_ATTEMPTED: bearer only
2015-11-06 13:10:23,970 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-17) AuthenticatedActionsValve.invoke https://localhost:8443/foobar/endpoint
2015-11-06 13:10:23,970 INFO [stdout] (default task-17) GET:/foobar/endpoint
If I add an Authorization header like this
Authorization: Bearer 123
I get HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="saas-pilot", error="invalid_token", error_description="Couldn't parse token"
Is there something that I don't understand?
I have tried with the web.xml/keycloak.json and the keycloak subsystem configuration methods, same outcome.
Br,
Tero
9 years, 1 month
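The adapter log above shows `NOT_ATTEMPTED: bearer only` when no Authorization header is sent, and a 401 with `error="invalid_token"` once a header is sent whose value (`123`) is not a JWT. The following is an added example, not Keycloak adapter code: a Python model of that decision. It splits a bearer value into the three base64url segments of a compact JWS and decodes header and payload as JSON; anything that is not shaped like that fails with a challenge header in the same form as the one in the post. The outcome names, the `bearer_only_authenticate` function and the constructed sample token are assumptions of this example; the token's signature is a placeholder and is not verified here, which a real adapter does with the realm public key before trusting any claim.

```python
"""Bearer-only decision before any signature check: no header vs. unparsable header.

Added example (not Keycloak adapter code). With no Authorization header the
outcome is NOT_ATTEMPTED; with a header whose value is not a compact JWS
(three base64url segments, JSON header and payload) the outcome is FAILED
and a WWW-Authenticate challenge is built. Signature and expiry checks,
which a real adapter performs next, are deliberately out of scope here.
"""
import base64
import json
from typing import Any, Dict, Optional, Tuple

NOT_ATTEMPTED = "NOT_ATTEMPTED"
FAILED = "FAILED"
AUTHENTICATED = "AUTHENTICATED"


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def parse_compact_jws(token: str) -> Tuple[Dict[str, Any], Dict[str, Any], bytes]:
    """Split header.payload.signature and decode header and payload as JSON.

    Raises ValueError for anything that is not structurally a compact JWS.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected three non-empty segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"segment is not base64url JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload, signature


def www_authenticate(realm: str, error: str, description: str) -> str:
    """Build the RFC 6750 challenge in the shape quoted in the post above."""
    return f'Bearer realm="{realm}", error="{error}", error_description="{description}"'


def bearer_only_authenticate(headers: Dict[str, str], realm: str
                             ) -> Tuple[str, Optional[str], Optional[Dict[str, Any]]]:
    """Return (outcome, challenge header or None, token payload or None)."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        # Nothing to try. In bearer-only mode the adapter does not redirect to a
        # login page; whether an anonymous request is rejected is then up to the
        # container's security constraints covering the URL.
        return NOT_ATTEMPTED, None, None
    scheme, _, credentials = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():  # scheme is case-insensitive (RFC 6750)
        return NOT_ATTEMPTED, None, None
    try:
        _header, payload, _sig = parse_compact_jws(credentials.strip())
    except ValueError:
        return FAILED, www_authenticate(realm, "invalid_token", "Couldn't parse token"), None
    return AUTHENTICATED, None, payload  # signature/expiry/audience checks would follow here


def build_sample_token(payload: Dict[str, Any]) -> str:
    """Constructed demo token with a placeholder signature (not a real signature)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                     enc(json.dumps(payload).encode()),
                     enc(b"placeholder-signature")])


if __name__ == "__main__":
    print(bearer_only_authenticate({}, "saas-pilot"))
    print(bearer_only_authenticate({"Authorization": "Bearer 123"}, "saas-pilot"))
    token = build_sample_token({"sub": "alice", "azp": "foobar"})
    print(bearer_only_authenticate({"Authorization": "Bearer " + token}, "saas-pilot")[0])
```

If anonymous requests still reach the servlet, the thing to check is that a `<security-constraint>` in web.xml actually covers the endpoint's URL pattern: `bearer-only` tells the adapter not to attempt an interactive login, it does not by itself make authentication mandatory for unconstrained resources.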
Possible bug: Changing of role description via REST API causes deleting of role name
by Andrej P
Description: I want to add or change a role description via the REST API
interface.
Details: In the request body only the attribute "description" (from role
description) is set (see request body section).
Use cases from API specification: "Update a role by name" and "Update the
role".
Request body:
{
  "description": "manage realm role of UNI-4/4. Add/delete/update of users."
}
Observed reaction: after the request, the parameter "name" is missing in the
role.
Result: (of REST API "Get all roles for the realm or client")
{
  "id": "da1f8c02-6823-4d86-8873-f2d533ba43fa",
  "description": "manage realm role of UNI-4/4. Add/delete/update of users.",
  "scopeParamRequired": false,
  "composite": false
},
9 years, 1 month
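The result above is what a client sees when a PUT body is taken as the whole role representation: every attribute the body leaves out, here "name", is gone afterwards. The following is an added example, not Keycloak's admin client: the read-modify-write pattern that avoids this (GET the current representation, change the one attribute, PUT the full object back) with a guard that refuses to PUT a representation missing its id or name. `InMemoryRoleEndpoint` is a constructed stand-in whose PUT replaces the stored representation, so the code runs offline; `fetch_role` and `store_role` are injected callables and would be bound to a real HTTP client in practice. The sample role and its id are constructed.

```python
"""Changing only a role's description without losing its name.

Added example (not Keycloak's admin client). A PUT body that carries only
"description" replaces the stored representation and drops "name"; the safe
pattern is read-modify-write on the full RoleRepresentation.
"""
import copy
from typing import Any, Callable, Dict

RoleRep = Dict[str, Any]


class InMemoryRoleEndpoint:
    """Constructed stand-in for a roles endpoint whose PUT replaces the whole representation."""

    def __init__(self, roles: Dict[str, RoleRep]):
        self._roles = {name: copy.deepcopy(rep) for name, rep in roles.items()}

    def get(self, role_name: str) -> RoleRep:
        return copy.deepcopy(self._roles[role_name])

    def put(self, role_name: str, body: RoleRep) -> None:
        # Replace semantics: attributes absent from the body are gone afterwards,
        # which is how the "name" in the post disappeared.
        self._roles[role_name] = copy.deepcopy(body)


REQUIRED_ROLE_ATTRIBUTES = ("id", "name")


def update_role_description(fetch_role: Callable[[str], RoleRep],
                            store_role: Callable[[str, RoleRep], None],
                            role_name: str, description: str) -> RoleRep:
    """Read-modify-write: change only `description`, keep every other attribute."""
    current = fetch_role(role_name)
    missing = [k for k in REQUIRED_ROLE_ATTRIBUTES if not current.get(k)]
    if missing:
        # Never PUT a partial representation; it would be stored as-is.
        raise ValueError(f"fetched role lacks {missing}; refusing to PUT a partial representation")
    updated = dict(current)
    updated["description"] = description
    store_role(role_name, updated)
    return updated


def naive_update(endpoint: InMemoryRoleEndpoint, role_name: str, description: str) -> RoleRep:
    """The approach from the post: PUT a body holding only the description."""
    endpoint.put(role_name, {"description": description})
    return endpoint.get(role_name)


# Constructed sample: one realm role as "Get all roles" would return it.
SAMPLE_ROLES = {
    "uni-admin": {
        "id": "00000000-0000-4000-8000-000000000001",  # illustrative id
        "name": "uni-admin",
        "description": "old text",
        "scopeParamRequired": False,
        "composite": False,
    }
}

if __name__ == "__main__":
    broken = InMemoryRoleEndpoint(SAMPLE_ROLES)
    print("naive PUT  :", naive_update(broken, "uni-admin", "new text"))
    safe = InMemoryRoleEndpoint(SAMPLE_ROLES)
    print("read-modify-write:", update_role_description(safe.get, safe.put, "uni-admin", "new text"))
```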
Bug on consecutive logins after a wrong password
by alex orl
Hi to all. Probably I caught a bug in the Keycloak authentication flow. This is my use case:
Configuration:
1) I've created a new realm, say "TestRealm"
2) I've created 1 role: "testRole"
3) I've created 2 users: "userTest1" and "userTest2"
4) In the role mapping tab of each user I've assigned "testRole" to both of them
5) In the credential tab of each user I've changed their pwd
Use case:
1) I try to access the account application from: https://localhost:8444/auth/realms/TestRealm/account/
2) I insert username: userTest1 pwd: (a wrong password)
Login page displays a tooltip saying "invalid username or password"
3) Without any page refresh I try to log in again with the second user: username: userTest2 pwd: (whatever, right or wrong password)
Keycloak catches an exception. The page displays: "We're sorry ... Invalid username or password. << Back to Application"
Keycloak console displays this exception:
13:35:27,343 WARN [org.keycloak.events] (default task-62) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=5c9afd4e-74f4-4c51-9015-d9d4a7ef883f, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest1
13:35:33,818 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-72) failed authentication: USER_CONFLICT: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.authentication.AuthenticationProcessor.setAutheticatedUser(AuthenticationProcessor.java:203)
    at org.keycloak.authentication.AuthenticationProcessor$Result.setUser(AuthenticationProcessor.java:332)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUser(AbstractUsernameFormAuthenticator.java:129)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:41)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:34)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:62)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:692)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:307)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:288)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:334)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
13:35:33,819 WARN [org.keycloak.events] (default task-72) type=LOGIN_ERROR, realmId=44cefb3e-1b9e-4eb0-9cfe-267e0153b0de, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8444/auth/realms/PROVA/account/login-redirect, code_id=2920658d-1137-4caa-a2a2-0c530555b81d, username=userTest2
I experienced this error while debugging my custom user federation provider. So I tried to replicate it in a clean situation like the one described in the use case above. Debugging my user federation provider I could work out the real authentication flow:
When userTest1 logs in, the flow starts from:
UsernamePasswordForm.action() -> validateUser -> UserFederationProvider.isValid() -> ... -> UsernamePasswordForm.validatePassword() -> authenticate
When userTest2 logs in after userTest1's failure, the flow starts from UserFederationProvider.isValid():
UserFederationProvider.isValid() (the AuthenticationFlowContext user is still userTest1) -> ... -> UsernamePasswordForm.action() -> validateUser -> UserFederationProvider.isValid() -> ... -> Exception on Context.set(user).
It seems like the Context is not cleaned after the first wrong login attempt, carrying the userTest1 user object over into the second one. So when Keycloak tries to set the new user object it catches a USER_CONFLICT exception.
9 years, 1 month
Infinite loop in all browsers except Edge
by Stuart Jacobs
Good Day,
I am working on an Angular administration web project using WildFly 8.2 with
Keycloak.
The base url to my site is http://localhost:9000/#/dashboard/home.
Keycloak does a successful login when using the new Edge browser from
Windows but in any other browser it goes into an infinite loop between the
landing page url and the landing page url appended with the token provided
by Keycloak.
I specify my redirect URI as http://localhost:9000/* because if I specify
the full landing page URI it returns invalid; I presume this is due to the
# anchor symbol in the URI?
My question is: what is a possible cause of this infinite loop, and what is
the correct way to keep the # anchor while specifying specific redirect URIs?
Kind Regards
Stuart Jacobs
9 years, 1 month
Issue with 3.3. Adding Keycloak server in Domain Mode with 1.6.0.Final version
by AAA BBB
Hi all,
I am starting with Keycloak and I have an issue with adding it to an existing
WildFly 9.0.1.Final.
I already used the KEYCLOAK BLOG with a quick and helpful conversation with Stian
Thorgersen, but we didn't solve it.
I have issue with modify domain.xml for keycloak.
-----------------------------------------------------------------------------------------------------------------
The last advice was:
So you need to get 3 pieces from standalone-keycloak-ha.xml and add to
domain.xml. The bits you need are:
* extension org.keycloak.keycloak-server-subsystem
* cache-container name="keycloak"
* subsystem urn:jboss:domain:keycloak-server:1.1
------------------------------------------------------------------------------------------------------------------
And my last answer was:
Thanks, but it doesn't work for me. Step 1 and Step 3 are clear to me. For
Step 2 I have to add the whole infinispan subsystem:
<subsystem xmlns="urn:jboss:domain:infinispan:3.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <local-cache name="realms"/>
        <local-cache name="users"/>
        <local-cache name="sessions"/>
        <local-cache name="loginFailures"/>
    </cache-container>
    <cache-container name="server" default-cache="default" module="org.wildfly.clustering.server">
        <local-cache name="default">
            <transaction mode="BATCH"/>
        </local-cache>
    </cache-container>
    <cache-container name="web" default-cache="passivation" module="org.wildfly.clustering.web.infinispan">
        <local-cache name="passivation">
            <transaction mode="BATCH"/>
            <file-store passivation="true" purge="false"/>
        </local-cache>
        <local-cache name="persistent">
            <transaction mode="BATCH"/>
            <file-store passivation="false" purge="false"/>
        </local-cache>
    </cache-container>
    <cache-container name="ejb" aliases="sfsb" default-cache="passivation" module="org.wildfly.clustering.ejb.infinispan">
        <local-cache name="passivation">
            <transaction mode="BATCH"/>
            <file-store passivation="true" purge="false"/>
        </local-cache>
        <local-cache name="persistent">
            <transaction mode="BATCH"/>
            <file-store passivation="false" purge="false"/>
        </local-cache>
    </cache-container>
    <cache-container name="hibernate" default-cache="local-query" module="org.hibernate.infinispan">
        <local-cache name="entity">
            <transaction mode="NON_XA"/>
            <eviction strategy="LRU" max-entries="10000"/>
            <expiration max-idle="100000"/>
        </local-cache>
        <local-cache name="local-query">
            <eviction strategy="LRU" max-entries="10000"/>
            <expiration max-idle="100000"/>
        </local-cache>
        <local-cache name="timestamps"/>
    </cache-container>
</subsystem>
because it was missing completely. After running the system with such an XML,
starting auth wasn't possible.
I attached my domain.xml with last updated steps mentioned below.
Thanks for answer and Best Regards
Andrej.
9 years, 1 month
Re: [keycloak-user] Issue with Tomcat 8 adapter ?
by Nic Grange
Hi Harsh,
Your problem is most likely caused by duplicate security-constraints for the same url-pattern (/*).
This used to be in one of the older versions of the documentation but was updated with https://issues.jboss.org/browse/KEYCLOAK-1724.
Try just removing the second <security-constraint> in your web.xml and retest to see if it is the problem.
Cheers,
Nic
>
>Message: 4
>Date: Sun, 1 Nov 2015 21:12:23 -0700
>From: harsh mahey <harshmahey(a)gmail.com>
>Subject: [keycloak-user] Issue with Tomcat 8 adapter ?
>To: keycloak-user(a)lists.jboss.org
>Message-ID:
> <CA+YyFz5s=CEYn7PsqnyutMXUYhXzGr3yWbNtEXRJaEuOv01zRw(a)mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>Hi guys,
>Has anyone faced any issues with Tomcat 8 adapters?
>For some reason I am not getting the Keycloak login screen on my web app. Here is my
>scenario:
>
>1. Latest version of Keycloak runs on WildFly
>2. A war runs on Tomcat. I put all the jar files under the tomcat/lib dir. Below
>are the keycloak.json and my web.xml file which go under my WEB-INF
>3. When I log in, I directly get my webapp page and it does not redirect
>me to the Keycloak login page.
>4. My webapp is built using AngularJS
>
>keycloak.json
>********************
>
>{
>  "realm": "SnrAppsRealm",
>  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAutb9hlKhbZvIm6RDPPFFpR1RcNAt/NpzCWemJOveG1Ve5eu2AwPKwmqvkhTaMWUW990BFPIkBRPv13Grt9AVTMTgU10IeK/PM9CGN05eFr6S3KMSSTskpszIN3opiRQ5r8/eCYjC4Bk6qFkbtrlp6ORvUkLS7nMLwVLh9JDo2Fx9nWd+l1oLq1YpYMYeLDcaOAW/vdjYSfyLueu2wESjY9oSEs8x43ZyIhNKGRmW3oDXYL8X5guiqalZD5gbhWv6v3WpeTqdi0sLv4GI2B3oSG76Z/x2On/Sc2r3szfM8kUllyV7K8uYoMgD7DFVOZX5g6Bi6xntzkJHwLMJtW4UPwIDAQAB",
>  "auth-server-url": "http://xxxxx.com:9322/auth",
>  "ssl-required": "none",
>  "resource": "snrapps-web",
>  "credentials": {
>    "secret": "dda19c87-efee-4c33-a1b3-8b64ad545s0f"
>  },
>  "use-resource-role-mappings": true
>}
>
>*****************************
>
>web.xml
>
><web-app xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>         version="3.0">
>
>  <module-name>snrapps-web</module-name>
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>/snrapps-web</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>user</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <security-constraint>
>    <web-resource-collection>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <user-data-constraint>
>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>    </user-data-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>this is ignored currently</realm-name>
>  </login-config>
>
>  <security-role>
>    <role-name>admin</role-name>
>  </security-role>
>  <security-role>
>    <role-name>user</role-name>
>  </security-role>
>
></web-app>
>
>***************
>
>META-INF/context.xml
>
><?xml version="1.0" encoding="UTF-8"?>
><Context path="/snrapps-web">
>  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
></Context>
>
>***********
>
9 years, 1 month
Accessing authenticated user's details
by Tim Dudgeon
In the case of a web application (e.g. Tomcat app secured by the
keycloak adapter) the web app might need to access details of the
authenticated user (e.g. full name or email).
I've found that this information is available from the session like this:
KeycloakSecurityContext session =
    (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
IDToken idToken = session.getIdToken();
String email = idToken.getEmail();
One issue with this is that all your web apps are tied to keycloak.
Is this the right way to handle this?
Are there alternatives?
Tim
9 years, 1 month
(Suggest) Add item in keycloak.json to redirect after successful login
by Victor Neves Evangelista
Good afternoon,
I'm having problems with the Keycloak redirect after login using j_security_check.
I have many applications and I can't change JAAS authentication. So, I'm using Keycloak JAAS (chapter 8, p. 35, version 1.6.0).
After login, Keycloak redirects me to http://<application>/j_security_check !!!
But I need Keycloak to redirect me to another URI!
I tried many configurations in the Keycloak client ID, and they don't work.
I suggest creating an item in keycloak.json where you say where to redirect after a successful login, and an item to redirect to when the token expires.
My problem is posted in http://lists.jboss.org/pipermail/keycloak-user/2015-November/003528.html
9 years, 1 month