May 2015 - keycloak-user - Jboss List Archives

by Stian Thorgersen

No major changes since 1.2.0.CR1 only some minor bug fixes. For full details see https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12313920&versi... and to download go to https://sourceforge.net/projects/keycloak/files/1.2.0.Final/.

5 years, 8 months

2
2
0 / 0

LDAP configuration

by Ayrton Araújo

I'm trying do add a new user federation provider for integrate keycloak with a ldap server. The parameters: Console display name -> Active Directory Priority -> 0 Edit Mode -> READ_ONLY Sync Registrations -> OFF Vendor -> Active Directory Username LDAP attribute -> sAMAccountName User Object Classes -> person, organizationPerson, user Connection URL -> ldap://dom.example.com:389 Base DN -> DC=dom,DC=example,DC=com User DN Suffix -> CN=Users Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com Bind Credential -> ******** Connection pooling -> ON Pagination -> ON Enable Account After Password Update -> OFF Batch Size -> 100 Periodic Full Sync -> OFF Periodic changed users sync -> ON Changed users sync period -> 86400 I tried change User DN Suffix to only Users, but it not works. The log always saying: LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR) And it says this when it tries to parse the User DN Suffix. Theres something wrong with my conf?

5 years, 8 months

2
3
0 / 0

Update user when "Email as username" enabled

by Scott Rossillo

If I’m using email as username, I can update the email address on a user via the admin API, but the username doesn’t update even when explicitly setting a new username. This is true in the KC admin console as well. How do I update the username to match the new email address? Thanks, Scott

5 years, 9 months

2
2
0 / 0

IDP SAMLV2.0 with Salesforce

by Henk Laracker

Hi, I like to use Salesforce as Identity Provider, the metadata provided by salesforce can be imported. But I need to specify the Service Provider in salesforce, I have to fill in a couple of fields, but two of them I don’t understand (and are mandatory). Does someone have any clue 1. entity id , remark of salesforce : get this value from your serviceprovider 2. ACS URL, remark of slaesforce : The assertion consumer service. Get this value from your service provider. I have tried a lot of values but every-time I click the saml button on my app, it redirects to salesforce but I get a page with the error : Error: Unable to resolve request into a Service Provider Henk

5 years, 9 months

4
21
0 / 0

keycloak Identity broker for Custom Authentication

by Raghu Prabhala

Hi, I am wondering if anyone implemented an Identity Broker for custom authentication? If so, would appreciate some input on how to achieve that? I tried implementing one using the existing OIDC broker as the starting point but the option to select this custom broker doesn't appear in the GUI. So my question is, what changes must be made in the GUI to make the custom broker visible? Appreciate any pointers Thanks,Raghu

5 years, 9 months

2
3
0 / 0

Cancel button handling on keycloak login page

by Roman Usatenko

Hello, I am trying to implement POC with keycloak as auth* server. Here is my set up / use case: - Tomcat server with keycloak adapter - Web app with a URL *http://x.y/app/secure <http://x.y/app/secure>* protected by a security constraint. - An unauthenticated user goes to the URL and gets redirected by the adapter to the keycloak login page. - The user clicks Cancel button and gets redirected back to the URL with parameters ?error=access_denied&state=1%2Fxxxx - This redirect is intercepted by the adapter and user's browser gets 400 error from the adapter. My application never receives the request. So my questions are: 1. Is this correct description of what's going on or am I missing something? 2. If this is the behavior by design wouldn't it be better instead of the 400 error to redirect user to some themed page on the keycloak server with a nice explanation, like "We're sorry, but you cannot access this resource without authentication, blablabla " Thank you, Roman Usatenko.

5 years, 9 months

2
1
0 / 0

Cors not working Final 1.2

by Henk Laracker

Hi, Cors headers missing during login procedure of keycloak =============================== Step 1 - Prepare keycloak realm: =============================== Create a simple keycloak realm for testing, =============================== Step 2 - Create a user =============================== Add a user and a client to the realm The client should be configured as follows: Client Protocol openid-connect Access Type public Valid redirect uri's: http://localhost/* http://localhost Web origins: http://localhost/* http://localhost =============================== Step 3 - Create test application on tomcat =============================== On a given tomcat server (I'm using localhost for this example) add 2 web applications: app1 with a simple index.html cors with a simple test.txt with the content "Some data" The following url's are now available: http://localhost/app1/index.html http://localhost/cors/test.txt In http://localhost/app1/index.html create javascript which loads data from http://localhost/cors/test.txt If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed =============================== Step 4 - Adding keycloak to the applications =============================== Add keycloak configuration on "app1". Add keycloak configuration on "cors" Additionally, add "enable-cors": "true" to the json file. =============================== Step 5 - Log in to app1 =============================== If you log in to app1 in a new browser the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using chrome) XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access. If it loaded the data, make sure that you're logged out, or try it in private browsing mode. =============================== Expected result =============================== We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications. Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement, Henk Laracker

5 years, 9 months

2
7
0 / 0

Sharing FTLs between login and account themes

by Libor Krzyžanek

Hi, is it possible to have some “common” FTL that could be imported in login FTLs and account FTLs? Use case is having list of countries defined in one FTL and share it in login and account themes. Thanks, Libor Krzyžanek jboss.org <http://jboss.org/> Development Team

5 years, 9 months

2
2
0 / 0

Re: [keycloak-user] Some Help to Write a Federation Provider

by pubudu gunawardena

Thanks Bill for your help. > Date: Thu, 28 May 2015 08:51:41 -0400 > From: Bill Burke <bburke(a)redhat.com> > Subject: Re: [keycloak-user] Some Help to Write a Federation Provider > To: keycloak-user(a)lists.jboss.org > Message-ID: <55670F5D.4010103(a)redhat.com> > Content-Type: text/plain; charset=windows-1252; format=flowed > > > > On 5/28/2015 7:30 AM, pubudu gunawardena wrote: >> Hi All, >> >> I am writing a federation provider which performs authentication >> against an RDBMS. >> I am using keycloak 1.2.0.Final. I have looked at the sample >> properties provider and would like to know a few things. >> >> In UserFederationProviderFactory >> 1. UserFederationProviderFactory#create returns null in the example. >> Do we not need to implement that? > > No. This method is not called. > >> 2. When is the UserFederationProviderFactory#close method called? Is >> it when the server is shut down? > > Yes. > >> 3. When is the init method called? Is it called once per object instance? > > It Factory.init() is only called once when the server boots. The config > is pulled in from keycloak_server.json > >> 4. Is it only one instance of a given type >> UserFederationProviderFactory that is created for the system? >> > > Only one Factory instance is created for the server. > >> UserFederationProvider >> 5. The javadoc for UserFederationProvider#getUserByUsername says >> "Required to import into local storage any user found." does it mean >> that I have to call keyCloakSession.userStorage().addUser(realm, >> userName)? Do I have to do that even if the user has been already >> previously imported into the system? Do I have to synchronize the user >> data in that method? > > You do not have to test to see if the username exists in local storage. > Keycloak will do that before calling this method. > >> 6. Same as question 5 for methods getUserByEmail and searchByAttributes. > > getUserEmail does not require that you check to see if the user exists > in local storage. searchByAttribute, unfortunately does. The way you > should implement is: > > 1. do your query > 2. Loop on results > 3. if result is not in local storage, import to local storage > 4. add result to returned List<UserModel> > >> 7. When should I return false from method "isValid". What does >> returning false from that method prevent? Is it importing/prevent user >> from logging in/not show user in user list? > > Keycloak may call this method to determine if a user is still exists or > is still enabled in federated storage. > >> 8. In validCredentials(RealmModel realm, UserCredentialModel >> credential) the javadoc says "Validate credentials of unknown user.". >> When should I implement that method? How can an unknown user be >> validated? > > This method is really only used for kerberos authentication against an > LDAP database. > >> 9. When is the UserFederationProvider# close method called? >> > > UserFederationProviders are created and closed once per request. > >> Any help is highly appreciated. If possible please mention how those >> questions will relate to an RDBMS backed provider implementation. >> > > Thanks, I'll add all this to the javadoc. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- Thanks, Pubudu

5 years, 9 months

1
0
0 / 0

Some Help to Write a Federation Provider

by pubudu gunawardena

Hi All, I am writing a federation provider which performs authentication against an RDBMS. I am using keycloak 1.2.0.Final. I have looked at the sample properties provider and would like to know a few things. In UserFederationProviderFactory 1. UserFederationProviderFactory#create returns null in the example. Do we not need to implement that? 2. When is the UserFederationProviderFactory#close method called? Is it when the server is shut down? 3. When is the init method called? Is it called once per object instance? 4. Is it only one instance of a given type UserFederationProviderFactory that is created for the system? UserFederationProvider 5. The javadoc for UserFederationProvider#getUserByUsername says "Required to import into local storage any user found." does it mean that I have to call keyCloakSession.userStorage().addUser(realm, userName)? Do I have to do that even if the user has been already previously imported into the system? Do I have to synchronize the user data in that method? 6. Same as question 5 for methods getUserByEmail and searchByAttributes. 7. When should I return false from method "isValid". What does returning false from that method prevent? Is it importing/prevent user from logging in/not show user in user list? 8. In validCredentials(RealmModel realm, UserCredentialModel credential) the javadoc says "Validate credentials of unknown user.". When should I implement that method? How can an unknown user be validated? 9. When is the UserFederationProvider# close method called? Any help is highly appreciated. If possible please mention how those questions will relate to an RDBMS backed provider implementation. -- Thanks, Pubudu

5 years, 9 months

2
1
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2015