OAuth
by Fadi Abdin
I just created a simple JavaScript app to test my OAuth Keycloak
connections and implemented the calls to do the basic things (except
revoke the token).
My code is on GitHub: https://github.com/fadiabdeen/keycloak-oauth
I was able to:
- get an authorization code
- get a token
- refresh the token
- get the user information through validate
- logout (which only clears the session)
I can't figure out how to revoke my access_token. If anybody can help with
this then it's great.
Thanks
9 years, 7 months
Cordova on IOS error
by Rodrigo Del Canto
Hello guys,
I work a lot with cordova and Wildfly, usually I do my implementations of
the authentication using JAAS and ajax, sending an auth token in the HTTP
request.
I really love Keycloak's goals and how fast the project is growing, I would
love to integrate it to my projects.
The problem I have now is I have tried the cordova example that comes with
Keycloak's examples, it works fine on Android, but I couldn't make it work
on iOS, it's like the "new Keycloak()" instance cannot be initialized.
I don't know if I'm doing something wrong but this looks so simple, I added
the inappbrowser plugin on Android and it just worked there but I didn't
have the same luck on iOS.
Has anyone tested it on iOS? Is there any extra step I have to do in order
to make it work?
My environment:
- Wildfly 8.2
- Keycloak 1.2.0.Beta1
- Cordova 4.1.2
Thanks,
Rodrigo
9 years, 7 months
Re: [keycloak-user] Batch import of accounts into Keycloak
by Eugene Chow
Hi Marek,
Thanks for the link. Looks like it came up shortly before I posted.
I would like to first try the REST API as I can quickly whip up a BASH
script to perform the batch import. In 1.2.0.CR1's REST API
documentation, there doesn't seem to be an option to login as admin and
get the token.
Could you point out which URL I should call to login via curl on the CLI?
Thanks!
On 6/5/2015 10:33 PM, Marek Posolda wrote:
> Hi,
>
> we have some admin REST API documented and the operations you mentioned
> should be available there:
> http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/overview-index.html
>
> Maybe the easiest solution for you would be to use our admin-client, which
> allows you to easily invoke REST endpoints as Java methods and handles
> obtaining the accessToken for admin authentication too. If your
> command-line has Java available, you can just run a simple Java program,
> which will use admin-client to invoke REST endpoints. The example for
> admin client is here:
> https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>
> Marek
>
>
> On 5.5.2015 17:30, Eugene Chow wrote:
>> Hi,
>>
>> First of all, a big thank you to the developers for an SSO that's simple
>> to use and a beautiful interface to boot.
>>
>> I'm running Keycloak for an app in development. For UAT purposes, I need
>> to batch import accounts from a CSV file via the command-line. I'm
>> looking for the REST API to login as admin, get token, create new
>> account, update new acct's password, and then logout. I haven't found
>> any documentation on this.
>>
>> If the REST API is not equipped for this purpose, what would be the
>> correct method to bulk import users?
>>
>> Thanks!
9 years, 7 months
Salesforce connection
by Ben Bazian
We are doing a proof of concept to use Keycloak for our SSO environment. As a test case I would like to connect our Salesforce sandbox with Keycloak. Has anyone successfully made this connection? Is there any documentation available?
Thanks
-Ben
9 years, 7 months
Batch import of accounts into Keycloak
by Eugene Chow
Hi,
First of all, a big thank you to the developers for an SSO that's simple
to use and a beautiful interface to boot.
I'm running Keycloak for an app in development. For UAT purposes, I need
to batch import accounts from a CSV file via the command-line. I'm
looking for the REST API to login as admin, get token, create new
account, update new acct's password, and then logout. I haven't found
any documentation on this.
If the REST API is not equipped for this purpose, what would be the
correct method to bulk import users?
Thanks!
9 years, 7 months
Re: [keycloak-user] Application Management
by Thiago Presa
Hi there,
I'm Alex's coworker and I'll be working on this too.
We were just discussing your idea, and it seems to fit our requirements.
As far as we have seen, keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
realm master.
We are currently thinking if we could mimic this structure for
applications. What do you think?
> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:
> * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>
> This is something we should add in either case (to prevent users granting
> themselves more access). Would it solve your problems?
9 years, 7 months
OIDC - ID Token's nonce validation
by Iván Perdomo
Hi,
It seems that if a client sends the optional `nonce` parameter as part
of the authentication request, the server should return it as `nonce`
claim part of the ID Token:
> The value is passed through unmodified from the Authentication
> Request to the ID Token. If present in the ID Token, Clients MUST
> verify that the nonce Claim Value is equal to the value of the nonce
> parameter sent in the Authentication Request. If present in the
> Authentication Request, Authorization Servers MUST include a nonce
> Claim in the ID Token with the Claim Value being the nonce value sent
> in the Authentication Request. Authorization Servers SHOULD perform
> no other processing on nonce values used. The nonce value is a case
> sensitive string.
http://openid.net/specs/openid-connect-core-1_0.html#IDToken
As of Keycloak 1.2.0.Beta1 if a client sends a `nonce`, the ID Token
doesn't include the `nonce` claim.
Should I log this as a defect? Or is it something already solved in 1.2.0RC1?
Thanks,
--
Iván
9 years, 7 months
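The client-side half of the nonce rule quoted in the post above, as an added example that is not part of the original message or of Keycloak's code. The function names, the sample endpoint and the constructed tokens are assumptions for illustration; ID Token signature verification is a separate required step and is not shown.

```javascript
const crypto = require("crypto");

// Generate an unguessable nonce; the client stores it in the user's session.
function newNonce() {
  return crypto.randomBytes(16).toString("base64url");
}

// Build the authentication request carrying the optional nonce parameter.
function buildAuthUrl(authEndpoint, clientId, redirectUri, state, nonce) {
  const q = new URLSearchParams({
    response_type: "code", scope: "openid",
    client_id: clientId, redirect_uri: redirectUri, state, nonce,
  });
  return `${authEndpoint}?${q}`;
}

// Decode the claims of a compact-serialized ID Token (no signature check here).
function decodeClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// If a nonce was sent, the ID Token must carry an identical,
// case-sensitive nonce claim; a missing claim is a failure, not a pass.
function checkNonce(idToken, sentNonce) {
  const claims = decodeClaims(idToken);
  if (sentNonce === undefined) {
    return claims.nonce === undefined
      ? { ok: true, reason: "no nonce sent" }
      : { ok: false, reason: "unexpected nonce claim" };
  }
  if (typeof claims.nonce !== "string") {
    return { ok: false, reason: "nonce claim missing" };
  }
  const a = Buffer.from(claims.nonce), b = Buffer.from(sentNonce);
  const same = a.length === b.length && crypto.timingSafeEqual(a, b);
  return same ? { ok: true, reason: "nonce matches" }
              : { ok: false, reason: "nonce mismatch" };
}

// Constructed sample token with a placeholder signature (demo input only).
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256" })}.${enc(claims)}.constructed-placeholder`;
}

console.log(checkNonce(sampleToken({ sub: "u1" }), "AbC123").reason);
```

A client that sent a nonce and receives an ID Token without the claim, the behaviour reported for 1.2.0.Beta1, gets `nonce claim missing` and should discard the token.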
Re: [keycloak-user] Clarification on Remember Me Functionality
by Lohitha Chiranjeewa
Thanks for the suggestion. I will have to adjust both timeouts according to
my needs.
So is this the expected behavior of Keycloak or is there room for an
improvement? In my view, Remember Me functionality should work independent
of SSO Session Idle Timeout.
9 years, 7 months
How to use Servlet OAuth Client
by Jérôme Blanchard
Hi all,
I'm trying to protect a servlet application which can be accessed either as
an anonymous user or as an authenticated user. Some resources are protected and
my application takes charge of the access control (not role based) so I
can't use the war protection using the role user constraint.
In this case I've removed the role constraint in the web.xml and the
Keycloak WildFly (Undertow) adapter lets me access the application as an
unauthenticated user (anonymous), which is perfect.
What I want to handle on some AccessDeniedException is to redirect the user
to the authentication server manually. In this case, the user authenticates and
comes back to the protected URL, no longer anonymous but an authenticated
user.
Is there a way to handle this redirection to the authentication server
manually? (I don't know where to store the state variable allowing the Keycloak
WildFly adapter to properly handle the auth redirect that includes the code.)
Best regards, Jérôme.
9 years, 7 months