Making Login URL configurable Spring Security Filter
by Jeff Macomber
Hi,
Would it be possible to request a change to the
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
so that it allows providing a different DEFAULT_LOGIN_URL? Right now you
can change it in your Spring bean config for
org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint
but not for the Processing filter. So you must extend the class to
configure it. This is just a nice to have and not a blocker.
Jeff
8 years, 4 months
Could my application know when a user is removed?
by Jairo Alonso Henao Rojas
Hello,
Could my application know when a user is removed ?, Can I put something to listen?
I need to clean multiple records when a user is removed in Keycloak
Thanks,
Jairo Henao Rojas
IT ROI Solutions
8 years, 4 months
Infinispan caching issues because of unserializable classes
by Lohitha Chiranjeewa
When Infinispan caching is enabled in ASYNC mode, exceptions get logged at
startup due to serialization issues. Basically the following classes have
to implement the Serialiazable interface:
org.keycloak.models.OTPPolicy
org.keycloak.models.
RequiredActionProviderModel
There could be other classes as well.
Is this already fixed in 1.7.0 code or shall I put a JIRA?
Regards,
Lohitha.
8 years, 4 months
WILL_NOT_PERFORM update of password in Active Directory
by Adrian Matei
hi,
has anybody got the following type of error when trying to add/passwords
using AD as user federation:
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code
53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 *(WILL_NOT_PERFORM)*,
data 0
]; remaining name
'CN=ama,OU=Keycloakmanaged,OU=Test,DC=extnett,DC=xxx,DC=yy'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1478)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:179)
at
javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at
javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:386)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:383)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:519)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:383)
... 64 more
I get the same error when I try to "manually" add the *unicodePwd *via the
ApacheDirectoryStudio for example...
The connection is over SSL and both parties trust each other...
Thanks,
Adrian
8 years, 4 months
Publicly available SAML Service Provider SSO Descriptor (SPSSODescriptor)
by Ton Swieb
Hi,
I am wondering if it is possible to access the SPSSODescriptor of an
identity provider on a public available URL.
Not to be confused with the IdPSSODescriptor
(/auth/realms/{realm}/protocol/saml/descriptor) which is publicly
available.
I found the API call
/auth/admin/realms/{realm}/identity-provider/instances/{identity-provider}/export
, but this API call requires authentication.
The IdP on the other end of the line needs to be able to retrieve this
descriptor without authentication.
I found a thread on the mailing list from earlier this year where the
existence of this feature is discussed, but the current status is
unclear to me.
Regards,
Ton
From: Pedro Igor Silva <psilva at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
To: Raghu Prabhala <prabhalar at yahoo.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
Cc: Keycloak-user <keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
Sent: Thursday, February 19, 2015 6:33 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
----- Original Message -----
>* From: "Raghu Prabhala" <prabhalar at yahoo.com <https://lists.jboss.org/mailman/listinfo/keycloak-user>>
*>* To: "Keycloak-user" <keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
*>* Sent: Thursday, February 19, 2015 12:20:00 AM
*>* Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
*> >* Hi,
*> >* I tested out the SAML broker functionality that is listed in the below
*>* example
*>* https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-bro...
<https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-bro...>
*> >* We have a very important use case that is similar to the above except that
*>* the SAML Identity broker is ADFS and a few issues are preventing me from
*>* testing it out:
*> >* 1) The ADFS IDP requires that I upload the KC SAML broker
information (SAML
*>* metadata) which is not available currently. Perhaps I can generate my own
*>* metadata using the above example but would prefer KC to provide one that is
*>* similar to IDP metadata that is listed in the documentation.
*
In this case you need a SPSSODescriptor, right ? I think we can easily
implement an endpoint to retrieve SP metadata for SAML applications.
[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great.
Looking forward to see it near term.
>* 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
*>* being parsed by the KC SAML broker. I logged my issues in the JIRA
*>* https://issues.jboss.org/browse/KEYCLOAK-883
<https://issues.jboss.org/browse/KEYCLOAK-883>
*
I've already fixed our parsers. However, the RoleDescriptor you have
in that metadata are describing WS-Federation entities that will just
be ignored.
[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are
described under RoleDescriptor - so I will have to build something to
handle that. Any advice on where I should start?
>* 3) The roles and other claims need to passed back to the client applications
*>* using OIDC (I am aware that Bill is making some functionality available over
*>* the next few days and hopefully it will address my requirement)
*> >* Any suggestions on how I handle the first two?
*> >* Thanks,
*>* Raghu
*> > >* _______________________________________________
*>* keycloak-user mailing list
*>* keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*>* https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*
8 years, 4 months
How to validate required for custom fields
by Jairo Alonso Henao Rojas
Hello,
I added several custom fields in the registration form, how I can do for them to be required?
See attached fields in register form.
Thanks
Jairo Henao Rojas
8 years, 4 months
Spring Security Tags after login redirection to non-protected resource
by Adrian Matei
hi guys,
any ideas how to make Spring security tags in jsp recognize that I am
logged in after being redirected from keycloak to a non-protected resource?
Thanks,
Adrian
On Mon, Nov 30, 2015 at 10:07 AM, Adrian Matei <adrianmatei(a)gmail.com>
wrote:
> Hi Bill,
>
> Thank you for the reply. Yes I am using the Spring security adapter (xml
> configuration). I have received a private reply from Pavel Maslov regarding
> the sign in url:
>
>
> {{keycloakBaseUrl}}/realms/{{realmName}}/protocol/openid-connect/auth?client_id={{client_id}}&response_type=code&redirect_uri={{your-web-app}}
>
> which works great.
>
> Another problem that I am having now is that when I am logging in from a
> "not"-protected resource (permitAll in securityContext), and want to be
> redirected back to the same resource, it logs me in indeed, but the spring
> security tags in my jsps don't recognize that, until I am accessing a
> secured resource defined in security context.... Any thoughts there?
>
> Thanks,
> Adrian
>
>
> Message: 2
> Date: Fri, 27 Nov 2015 13:02:32 -0500
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Sign In button URL
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <56589AB8.5030708(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> How is your Spring web app handling OpenID Connect or SAML
> requests/respones? We do have a Spring security adapter.
>
> Initial OAuth2 request:
>
> /realms/{realm-name}/protocol/openid-connect/auth
>
> Code to Token request:
> /realms/{realm-name}/protocol/openid-connect/token
>
>
> On 11/27/2015 11:19 AM, Adrian Matei wrote:
> > hi guys,
> >
> > can still help a poor guy Friday in the afternoon?
> >
> > What is the url I need to have the sign in button pointing to, in my
> > Spring web app, that will ask me to login via keycloak and redirect me
> > back exactly to the page I made the request from?
> >
> > Thanks,
> > Adrian
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
8 years, 4 months
Problem with HA configuration
by Paul Blair
I've been using Docker with the HA configuration as described here: http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
I ran into the same problem as David Willson describes in the comments, namely a NullPointerException at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.init(OfflineUserSessionLoader.java:25). Looking at the code, it seems as though a UserSessionPersister was coming back null.
I added to keycloak-server.json the following:
"userSessionPersister": {
"provider" : "jpa"
},
and now everything starts ok. Is this the appropriate fix for a clustered configuration?
8 years, 4 months
