Login or authenticate methods in keycloak
by Emil Posmyk
Hello all again
How do I log in or authenticate to Keycloak without using a frontend like the
one in e.g. customer-portal.war from the examples, but through REST, for
example? I saw the REST API, but can anyone please show me how to do that via
the POST method using SAML?
Please help.
Regards,
--
Emil Posmyk
9 years, 10 months
Validate access-token
by Yoni Moses
Is there a way (using the admin REST API?) to validate an access token?
I went over the list of methods but couldn't find anything.
Cheers,
Yoni
9 years, 10 months
Enabling CORS
by Christopher Wallace
I seem to have a significant challenge getting CORS enabled in Tomcat
for Keycloak. I have taken the following steps:

Enabled CORS in keycloak.json as follows:

    "enable-cors" : true,
    "cors-max-age" : 1000,
    "cors-allowed-methods": "POST, PUT, DELETE, GET"

Enabled CORS in web.xml as follows:

    <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Installed JARs in $CATALINA_HOME/lib:

    27723 Feb 22 11:02 cors-filter-2.3.jar
     7847 Feb 22 11:04 java-property-utils-1.9.1.jar

Receive the following error:

    GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 Forbidden 11ms]
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
    remote resource at http://localhost:8082/auth/realms/worktrac/account. This
    can be fixed by moving the resource to the same domain or enabling CORS.

Request URL is http://localhost:8080/mprworktrac/userinfo.html
--
Chris Wallace
cjwallac(a)gmail.com
9 years, 10 months
Keycloak and Tomcat 8 deserialize cors-allowed-methods
by Christopher Wallace
Keycloak Users,
I am attempting to configure Keycloak with Tomcat 8 and have deployed the
following:

/WEB-INF/web.xml

    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">
        <module-name>customer-portal</module-name>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>mprworktrac</web-resource-name>
                <url-pattern>/mprworktrac</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>user</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <url-pattern>/mprworktrac</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>this is ignored currently</realm-name>
        </login-config>
        <security-role>
            <role-name>admin</role-name>
        </security-role>
        <security-role>
            <role-name>user</role-name>
        </security-role>
    </web-app>

/META-INF/context.xml

    <Context path="/mprworktrac">
        <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
    </Context>

/WEB-INF/keycloak.json

    {
        "realm" : "worktrac",
        "resource" : "customer-portal",
        "realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB",
        "auth-server-url" : "https://localhost:8443/auth",
        "ssl-required" : "external",
        "use-resource-role-mappings" : false,
        "enable-cors" : true,
        "cors-max-age" : 1000,
        "cors-allowed-methods" : [ "POST", "PUT", "DELETE", "GET" ],
        "bearer-only" : false,
        "expose-token" : true,
        "credentials" : {
            "secret" : "234234-234234-234234"
        },
        "connection-pool-size" : 20,
        "disable-trust-manager": false,
        "allow-any-hostname" : false,
        "truststore" : "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks",
        "truststore-password" : "secret",
        "client-keystore" : "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks",
        "client-keystore-password" : "secret",
        "client-key-password" : "secret"
    }

Extracted keycloak-tomcat8-adapter-dist-1.1.0.Final.zip to $CATALINA_HOME/lib
I receive the following in catalina.out on startup:
    java.lang.RuntimeException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_ARRAY token
     at [Source: java.io.FileInputStream@7ff0e2e8; line: 9, column: 22] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"])
        at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:168)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1069)
        at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1719)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_ARRAY token
     at [Source: java.io.FileInputStream@7ff0e2e8; line: 9, column: 22] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"])
        at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163)
        at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219)
        at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44)
        at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13)
        at org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299)
        at org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414)
        at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697)
        at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:580)
        at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2732)
        at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1909)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:102)
        ... 17 more
Your help is greatly appreciated as I am excited to get this working :-)
--
Chris Wallace
cjwallac(a)gmail.com
9 years, 10 months
SAML Broker in Keycloak 1.2 Snapshot
by Raghu Prabhala
Hi,
I tested out the SAML broker functionality that is listed in the example below:
https://github.com/keycloak/keycloak/tree/master/examples/broker/s...

We have a very important use case that is similar to the above, except that the SAML Identity broker is ADFS, and a few issues are preventing me from testing it out:

1) The ADFS IDP requires that I upload the KC SAML broker information (SAML metadata), which is not available currently. Perhaps I can generate my own metadata using the above example, but I would prefer KC to provide one that is similar to the IDP metadata that is listed in the documentation.
2) The ADFS IDP metadata has a RoleDescriptor element that is not currently being parsed by the KC SAML broker. I logged my issues in the JIRA https://issues.jboss.org/browse/KEYCLOAK-883
3) The roles and other claims need to be passed back to the client applications using OIDC (I am aware that Bill is making some functionality available over the next few days and hopefully it will address my requirement).

Any suggestions on how I handle the first two?

Thanks,
Raghu
9 years, 10 months
installing keycloak on an wildfly domain cluster
by Christoph Machnik
Hello all,
I am trying to install Keycloak on a WildFly domain cluster. The cluster uses the domain.xml as configuration with the full-ha profile and not the standalone.xml. Is there anything special to look for and to do other than what is in the documentation? I have deployed the things in the deployment folder and copy-pasted the configuration folder. But when I try to go to the Keycloak administration console (http://[Server-IP]:8080/auth/admin/index.html) I get "404 - Not Found" as the answer.
Is there anything I have to do, after I have done the configuration of the used profile and the installation of the adapter, to run Keycloak on a WildFly domain cluster?
Christoph
9 years, 10 months
IPhone turns off local storage by default and that causes Keycloak.js to fail.
by Dean Peterson
iPhones are in private mode by default. When in private mode, they do not
allow localStorage. Any application secured with the pure JS Keycloak file
fails. When I turn private mode off, the application works. Will Keycloak
be supporting iPhones with the pure JavaScript client in the future without
requiring users to turn private mode off?

I get the following error in private mode. The highlighted line (marked with
a comment below) is what causes the error:

    QuotaExceededError: DOM Exception 22: An attempt was made to add something
    to storage that exceeded the quota.

    kc.createLoginUrl = function(options) {
        var state = createUUID();
        var redirectUri = adapter.redirectUri(options);
        if (options && options.prompt) {
            if (redirectUri.indexOf('?') == -1) {
                redirectUri += '?prompt=' + options.prompt;
            } else {
                redirectUri += '&prompt=' + options.prompt;
            }
        }
        sessionStorage.oauthState = state;   // <-- this write throws in private mode
        var url = getRealmUrl()
            + '/tokens/login'
            + '?client_id=' + encodeURIComponent(kc.clientId)
            + '&redirect_uri=' + encodeURIComponent(redirectUri)
            + '&state=' + encodeURIComponent(state)
            + '&response_type=code';
        if (options && options.prompt) {
            url += '&prompt=' + options.prompt;
        }
        if (options && options.loginHint) {
            url += '&login_hint=' + options.loginHint;
        }
        return url;
    }
9 years, 10 months
Using KeyCloak as the Teiid JDBC LoginModule
by Joe Strathern
Hello KeyCloak Community,
I am attempting to use KeyCloak to authenticate JDBC in JBoss (Teiid) and am experiencing issues.
I have already posted the issue on the Teiid forums:
https://developer.jboss.org/thread/252411
But wanted to get a KeyCloak perspective to see what the problem might be.
With the details in the thread above, is there a reason we cannot authenticate with KeyCloak for JDBC?
Thanks,
Joe
----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.
9 years, 10 months
Re: [keycloak-user] Extract Subjectid from token in JaxRS Service
by Mike Love
Thank you Stian.
RSATokenVerifier.verifyToken has done the trick
Regards,
Mike Love
On 2015/02/18, 15:38, "Stian Thorgersen" <stian(a)redhat.com> wrote:
>----- Original Message -----
>> From: "Mike Love" <mike.love(a)symbiotics.co.za>
>> To: keycloak-user(a)lists.jboss.org
>> Sent: Wednesday, February 18, 2015 2:33:14 PM
>> Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
>>
>> Hi,
>>
>> I am successfully authenticating an AngularJS client calling REST Services.
>>
>> The token is validated as expected after login. On calling the REST service,
>> the authorization header (Bearer token) is available as HTTP Header as expected.
>>
>> Now, in the REST Service processing I want to extract the UserId (SubjectId)
>> so that I can look up additional information before continuing with processing.
>>
>> I have seen that the JS adapter has a keycloak object that provides access to
>> this information. Is there a similar Java helper class to extract this information?
>
>You can either use one of our adapters or
>org.keycloak.RSATokenVerifier.verifyToken
>
>> Regards,
>> Mike Love
--
********************************************************************************
This email and any accompanying attachments may contain confidential and
proprietary information. This information is private and protected by law
and, accordingly, if you are not the intended recipient, you are requested
to delete this entire communication immediately and are notified that any
disclosure, copying or distribution of or taking any action based on this
information is prohibited.
Emails cannot be guaranteed to be secure or free of errors or viruses. The
sender does not accept any liability or responsibility for any
interception, corruption, destruction, loss, late arrival or incompleteness
of or tampering or interference with any of the information contained in
this email or for its incorrect delivery or non-delivery for whatsoever
reason or for its effect on any electronic device of the recipient.
********************************************************************************
9 years, 10 months
keycloak proxy server
by Chen Keong Yap
Hi,
When I access my app from http://localhost:8080/customer-portal, it is
redirected to the Keycloak login page (https://192.168.1.10:8443/auth). After
login is successful, the request is redirected back to
http://localhost:8080/customer-portal instead of
http://localhost:9080/customer-portal. Can someone advise what's wrong with
the settings?
keycloak proxy server hosted on localhost:8080
customer-portal application hosted on localhost:9080
proxy.json configuration shown below.
{
  "target-url": "http://localhost:8082",
  "bind-address": "localhost",
  "http-port": "8080",
  "https-port": "8443",
  "keystore": "classpath:ssl.jks",
  "keystore-password": "password",
  "key-password": "password",
  "send-access-token": true,
  "applications": [
    {
      "base-path": "/customer-portal",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "customer-portal",
        "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
        "auth-server-url": "https://192.168.1.10:8443/auth",
        "ssl-required": "external",
        "enable-cors": true,
        "principal-attribute": "KEYCLOAK_NAME",
        "credentials": {
          "secret": "password"
        }
      },
      "constraints": [
        {
          "pattern": "/users/*",
          "roles-allowed": [ "user" ]
        },
        {
          "pattern": "/*",
          "roles-allowed": [ "user" ]
        },
        {
          "pattern": "/call-bearer/*",
          "roles-allowed": [ "user" ]
        },
        {
          "pattern": "/bearer/*",
          "roles-allowed": [ "user" ]
        },
        {
          "pattern": "/admins/*",
          "roles-allowed": [ "admin" ]
        },
        {
          "pattern": "/users/permit",
          "permit": true
        },
        {
          "pattern": "/users/deny",
          "deny": true
        }
      ]
    }
  ]
}
9 years, 10 months