Keycloak 1.3.0 release broken
by Stian Thorgersen
Sorry everyone,
Looks like I've pushed the button a bit too quick this time. The Keycloak 1.3.0 release is completely broken.
Fix coming and 1.3.1 will be released soon.
Cheers,
Stian
9 years, 6 months
Application and Realm Roles
by Edem Morny
Hi,
I've created a realm, and a default role in that realm called "user". I
then created a client and added an application role to the client. I've
set "use-resource-role-mappings" to true in the keycloak.json file
inside my war file.
I attempt to access a path that is protected by the role "user", and log
in with an account that has both the realm role "user" and the
application role "mdc-staff", and I'm redirected to my 403 page, meaning
the "user" role didn't seem to be available to the user. When I attempt
to access a path protected by the "mdc-staff" role, I don't get a 403,
meaning that the application-specific role is available.
Is there something I need to do to make both realm and application
level roles available to the user when I log in? This is very key for us
in implementing SSO for different clients secured by the same realm. I
thought "Full Scopes Allowed" was not enabled, but it was and still
things don't work as expected.
Cheers.
9 years, 6 months
Using Keycloak to build organization SSO server.
by Subhrajyoti Moitra
Hello,
My organization is trying to implement an SSO service internally, so that
various business applications can authenticate against it. We also want
this SSO service to manage roles, groups, permissions, role-group
memberships etc.
Currently this authentication is happening using DB tables and Active
Directory server.
We want to hook up these with the Keycloak server.
Can this be done using Keycloak? How does Keycloak compare to Shibboleth?
Will using PicketLink in client applications help in any way to speed up
development?
Thanks for your patience,
Subhro.
9 years, 6 months
Using OneLogin php-saml library with keycloak
by pubudu gunawardena
Hi All,
I am trying to use the OneLogin php-saml library[1] as a service
provider that uses Keycloak as a SAML identity provider. The
"RelayState" parameter is sent properly from the SP to the IdP, but in
the response, the forward slashes are missing from the RelayState.
For example, in the POST parameters of the authentication request, the
RelayState shows "http://phpsaml/demo1/" but in the response from
Keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
library to throw exceptions. I'm using Keycloak 1.2.0.Final.
How can I overcome this problem?
[1] https://github.com/onelogin/php-saml
--
Thanks,
Pubudu
9 years, 6 months
405 method not allowed
by Juan Diego
Hi,
I get the following error:
POST http://localhost:8080/unika/usuarios/login 405 (Method Not Allowed)
I think I did this right. After tinkering with my config for a while, I
added unika.localdomain as a web origin. (unika.localdomain is set in my
/etc/hosts.)
I also added the following to both keycloak.json files, backend and front end:
"enable-cors" : true,
I don't know if this is necessary.
If I disable the security in my web.xml of the backend, I can access
POST http://localhost:8080/unika/usuarios/login with no problems.
So I know it has something to do with Keycloak. Is there anything
else I have to do to allow CORS?
Before enabling Keycloak, I added CorsFilter to my RESTEasy app in the
backend, so it was working. Is this redundant? Does this cause
problems?
9 years, 6 months
Backup
by Fadi Abdin
Is there a way to export realm data and load it back in another server?
Thanks,
9 years, 6 months
Authorizing Backend Services
by Carsten Saathoff
Hi,
We are currently struggling to find an elegant solution for the following
problem. We have a system consisting of a bunch of microservices. The UI
interacts with the system using an API Gateway. Authenticating the user is
done via OAuth using the password grant and probably using the implicit
grant in the future. While we initially planned to store user roles in
each microservice, we changed that approach to go for the token-based
approach used by Keycloak, i.e., we use the roles present in the access
token to determine the role of the user for a request. So far so good;
authentication works like a breeze, and Keycloak is also easy to use and
looks great.
However, besides the user-facing processes (i.e. the user actually
interacting with the system via the UI), we also have offline processes.
E.g., a reporting service that needs to access data in other services in
order to generate a report once a day or a week. In these offline
service-to-service requests, we want to be able to enforce the same set of
access rules as for normal requests directly triggered by the user. In
other words, the reporting service would need an access token for the user
that contains the roles of the user. In order to obtain that access token,
however, either the user would need to be involved or we would need a
refresh token. Involving the user in a process that takes place in the
middle of the night is obviously not a viable solution, so I think we need
to authorize the user once somehow. But we are actually not sure how to
best do this. In an enterprise application it would be a bit uncommon to
pop up a "Please authorize Service X to access Service Y" window, when the
user doesn't really care about what services are involved. Furthermore,
it's also not absolutely clear how to best integrate this into a UI
anyway. So we are actually wondering if this is the right path anyway. How
are such cases usually handled using Keycloak? Is there a pattern or
any best practice? Am I completely on the wrong road and need to do
something completely different?
Are there any plans to extend Keycloak with functionality that would ease
such scenarios? One idea we had was to allow for direct token generation
by backend services via some API, and the means to configure what tokens
and roles are allowed for a service. In our problem above, I could imagine
that in Keycloak there would be the possibility to allow the report
service to generate tokens with the GUEST role for all users for the data
service. Independently of the real role of the user, a token generated by
that means would only allow access with GUEST rights. Furthermore, the
report service would not be able to generate tokens for any other services
on its own. That would obviously be outside of OAuth, and probably it
should be required to enable this feature explicitly, but it would greatly
ease such scenarios. Specifically, it would help in setting up a system
such that it is secure without requiring the user to perform explicit grants
for services he shouldn't even know about.
Thanks and best regards
Carsten
Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
9 years, 6 months
Keycloak support of .p12 or .pfx files
by Sanjib Bag
Hi,
Does Keycloak support integration using .p12 or .pfx files to do
authentication? If yes, is there an example which can be referred to?
Thanks
Sanjib
9 years, 6 months