December 2015 - keycloak-user - Jboss List Archives

by Jérôme Blanchard

Hi, I'm trying to integrate keycloak into a the french research federation of identity (renater) and I'm facing some problems. Actually, when IdP respond to keycloak i'm getting the following error : PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType It seems that this IdP is using transient NameID policy only and using the unspecified field in the idp config in keycloak generate this exception as a return. Log of the keycloak server is joined. I have no idea of what happening because when I was using the test federation, everything was working but no I'm in the production federation, login fails. The renater federation is using Shibolleth and keycloak is not supported by federation moderators so I'm alone in the dark now... Renater provides an IdP list that I have to parse and synchronized with IdP in keycloak. As a return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdP to answear correctly to the right endpoint. All of this is done by a small web app deployed aside keycloak and using REST API to synchronize all the IdP. One of the IdP entity descriptor is joined. As you can see, only transient nameid policy is supported and if I configure keycloak to use email or persistent, I received a response saying that the nameid is not supported : <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceURL=" https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..." Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></samlp:AuthnRequest> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination=" https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa..." ID="_9d03761957aade819b6823c35bbab278" InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> https://janus.cnrs.fr/idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/></saml2p:StatusCode><saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage></saml2p:Status></saml2p:Response> Any help would be gracefully appreciated. Thanks a lot, Jérôme.

7 years, 8 months

2
15
0 / 0

KEYCLOAK w/ NGINX Reverse Proxy

by Christopher Wallace

Community, I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but somethings seems to be missing... I have done the following. I appreciate any insight you may have as I think I have exhausted other resources. *1. Configure a server in NGINX* server { listen 443; ssl on; ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt; ssl_certificate_key /etc/ssl/certs/*.domain.key; server_name sso2. domain.com; access_log /var/log/nginx/nginx.sso.access.log; error_log /var/log/nginx/nginx.sso.error.log; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port 443; proxy_pass http://internalip:8080; } } *2. Enable SSL on a Reverse Proxy* First add proxy-address-forwarding and redirect-socket to the http-listener element: <subsystem xmlns="urn:jboss:domain:undertow:1.1"> ... <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="proxy-https"/> ... </subsystem> Then add a new socket-binding element to the socket-binding-group element: <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> ... <socket-binding name="proxy-https" port="443"/> ... </socket-binding-group> *RECIVE THE FOLLOWING ERROR in TOMCAT:* 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18] at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25] Caused by: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25] at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25] at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25] at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1] ... 29 common frames omitted

7 years, 8 months

2
5
0 / 0

retrieving group membership info from LDAP/AD

by Mahantesh Prasad Katti

Hi All, In our application, we integrate with Microsoft AD for authenticating users. As part of the authentication result, we also fetch group information for the user authenticated. We also have a pre-defined group-role mapping defined in the application server [This is a JEE configuration file]. This helps decide whether a particular user based on the role he belongs to can access a resource or not. I read another thread "Apply group membership filter on ldap login <http://lists.jboss.org/pipermail/keycloak-user/2015-December/003982.html> " on similar lines. Couple of clarifications. 1. Based on what I read there is no feature to get roles and map them to specific roles in keycloak and would be available in a future release. I just wanted to understand if my reading of this is on the right lines. Also, wanted to know if there's a workaround for this in the short term. 2. Also does keycloak provide fine grained access control on the lines of apache shiro? Thanks Prasad

7 years, 8 months

2
4
0 / 0

Adapter 1.3.1 on EAP 6.3.2

by Mitja Strojanšek

We have REST services on EAP 6.3.2 with adapter 1.3.1 and gateway server WF 8.2 with 1.3.1 server. This configuration doesn't work. Our test case works on WF 8.2 server with adapter 1.3.1. Does anybody has idea, why it shouldn't work also with EAP 6.3.2? Are there any incompatibilities? -- *Mitja*

7 years, 8 months

2
2
0 / 0

Re: [keycloak-user] Different theme for each client

by Travis De Silva

Hi, My vote is to provide this feature at a client level as per the original request. I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended in the design. The reason why you might need theming at client level is iif you really think that clients which are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications). So when someone logins via KeyCloak, its true that we are logging into a realm but for an end user, it is really logging into a application and there is a need for the login page theme to look similar to the application look and feel. Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site. How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level. I came across this post from Bill a few months ago http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement. Cheers Travis

7 years, 8 months

8
15
0 / 0

RestTemplate support for service account access

by Aritz Maeztu

At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo <https://github.com/keycloak/keycloak/blob/master/examples/demo-template/s...>seems to do it manually. Regards -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf.: 948 21 40 40 Fax.: 948 21 40 41 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

7 years, 8 months

3
5
0 / 0

Additional jpaConnectionProvider for UserFederation via database

by Matuszak, Eduard

Hello I am trying to implement a userfederation-provider based on a jpa-connection. My approach was: According to an additional datasource-defintion for the federated DB in the standalone.xml <datasource jta="true" jndi-name="java:jboss/datasources/CCPDS" pool-name="CCPDS" enabled="true" use-ccm="true"> <connection-url>jdbc:oracle:thin:@servername:1521:schemaname</connection-url> .. , I tried to register this datasource as an additional connectionJpa-entry in keycloak-server.json as follows: .. "connectionsJpa": { "default": { "dataSource": "java:jboss/datasources/CCPKCDS", "databaseSchema": "update" }, "FED-DB": { "dataSource": "java:jboss/datasources/CCPDS" } }, .. According to these configuration I hoped to be able to establish the appropriate entity manager by coding: // Get the appropriate entity manager from the KeycloakSession EntityManager em = session.getProvider(JpaConnectionProvider.class, "FED-DB").getEntityManager(); This did not work, indeed there is still only one (default) JpaConnectionProvider available in the session (JpaConnectionProviderList size is 1): Set<JpaConnectionProvider> JpaConnectionProviderList = session.getAllProviders(JpaConnectionProvider.class); My question is: isn't it in principle possible to register a second jpaConnector additionally to the default one or is there something missing or wrong in my approach? Thanks for any help in advance. Best regards, Eduard Matuszak Dr. Eduard Matuszak Worldline, an atos company T +49 (211)399 398 63 M +49 (163)166 23 67 F +49(211) 399 22 430 eduard.matuszak(a)atos.net<mailto:eduard.matuszak@atos.net> Max-Stromeyer-Straße 116 78467 Konstanz Germany de.worldline.com<http://worldline.com/de/1/Home.html> worldline.jobs.de<http://worldline.jobs.de> facebook.com/WorldlineKarriere<http://www.facebook.com/WorldlineKarriere> Worldline GmbH Geschäftsführer: Wolf Kunisch Aufsichtsratsvorsitzender: Christophe Duquenne Sitz der Gesellschaft: Frankfurt/Main Handelsregister: Frankfurt/Main HRB 40 417 * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * * This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted. * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *

7 years, 8 months

3
6
0 / 0

Spring Security annotation problem

by Andrey Saroul

Hello! I'm just a begginer in Spring Security, but I would like to know is it possible to configure keycloak in a way that I can use @PreAuthorize, @PostAuthorize, @Secured and other annotations. For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring Rest webapp so that I have access to Principal object in my controller, like this: @RestController public class TMSRestController { @RequestMapping("/greeting") public Greeting greeting(Principal principal, @RequestParam(value="name") String name) { return new Greeting(String.format(template, name)); } ... } But when I try this (just an example, actually I want to execute custom EL expression before authorization): @RestController public class TMSRestController { @RequestMapping("/greeting") @PreAuthorize("hasRole('ADMIN')") public Greeting greeting(Principal principal, @RequestParam(value="name") String name) { return new Greeting(String.format(template, name)); } ... } ... I get exception: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext What do I need to make this spring security annotations work?

7 years, 8 months

2
2
0 / 0

Login Rest Service Service Delay

by Satyajit Das

Hi Team, We are using login restful service of 1.4.0 final version. Sometimes the login takes quite some time(around 15 secs) to fetch the token id given back by login service. On subsequent call for login rest service takes very less time(75 milisecs) This is a complete random behavior. Kindly let me know how to overcome this issue. below is the snap of Token timeouts. [image: Inline image 1] Regards, Satya.

7 years, 8 months

2
1
0 / 0

Re: [keycloak-user] keycloak-user Digest, Vol 24, Issue 111

by Niels Bertram

+1 we have similar requirements where we like to use different themes for hybrid mobile app clients and traditional responsive web (site) clients Date: Thu, 31 Dec 2015 10:49:28 +0200 From: Thomas Raehalme <thomas.raehalme(a)aitiofinland.com> Subject: Re: [keycloak-user] Different theme for each client To: keycloak-user <keycloak-user(a)lists.jboss.org> Message-ID: <CAPyAMobFqJRKzfJdN9=-EUTxUKPr68vCwuwuKzQ9rwaoO6tuoA(a)mail.gmail.com> Content-Type: text/plain; charset="utf-8" +1 as I have a similar use-case from a customer. On Thu, Dec 31, 2015 at 10:46 AM, Travis De Silva <traviskds(a)gmail.com> wrote: > Hi, > > My vote is to provide this feature at a client level as per the original > request. > > I think realms should be used for completely different domains when we > want to isolate users etc. Should not try and use it for something that it > was not intended in the design. > > The reason why you might need theming at client level is iif you really > think that clients which are essentially different applications most of the > time and each of these applications might have different look and feel > themes (either due to different development teams or vendors building > different applications). > > So when someone logins via KeyCloak, its true that we are logging into a > realm but for an end user, it is really logging into a application and > there is a need for the login page theme to look similar to the application > look and feel. > > Also I have a use case where I have a back office application that > requires login for admin users and then I have the front office of this > application where in addition to the admin users, you also can have other > users as well who can self register and login to the front end which is a > consumer facing site. > > How I handle this is by having two clients in the same realm. This works > fine if you are happy with the same backend login theme to be there for the > consumer facing frontend. But we cannot do that as the front end is a > consumer facing SaaS site, so each front end needs to have the client's > website theme. This becomes very hard to do if we don't have theming at a > client level. > > I came across this post from Bill a few months ago > http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html > > I am thinking to make use of the client variable that is available in > login.ftl and load different freemarker fragments that will then theme it > differently for each client. As mentioned by Bill, having many if > conditions might not be ideal but it might meet the requirement. > > Cheers > Travis

7 years, 9 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user December 2015