Client's REST api returns blank after switching keycloak to HTTPS
by Orestis Tsakiridis
Hello,
I had a working setup of a Java web application running on machine A
secured by keycloak on machine B (login.restcomm.com). The application
running on A provides a REST api is used from the UI. The application also
contains a UI (angular) that accesses the REST api. login.restcomm.com is
the keycloak running on docker and resolves to 172.17.42.1 (overriden in
/etc/hosts). I'm using keycloak 1.2.0.Final. Both the UI and the REST api
have been secured and the application worked fine with "ssl-required" ->
"external".
I switched keycloak configuration to HTTPS (using "all") and i'm experience
the following:
Login seems to work fine. When trying to access the UI i'm redirected to
https://login.restcomm.com, i login and back to the UI. BUT, the request to
A's services though succesfull (200 OK) return blank content. As if the
adapter get in the way and overrides the response. I'm also getting the
following message in A's log:
12:21:55,083 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(http-/192.168.1.39:8080-4) adminRequest
http://192.168.1.39:8080/restcomm-rvd/api/projects
12:21:55,085 WARN [org.keycloak.adapters.RequestAuthenticator]
(http-/192.168.1.39:8080-4) SSL is required to authenticate
http://192.168.1.39:8080/restcomm-rvd/api/projects is the endpoint that is
supposed to return a block of JSON.
The same happens when trying to access the endpoint directly using an
independent REST client. I get back a 200 OK and the same message appears
in the log but there is no content in the response.
Keep in mind that HTTPS is only enabled for accessing keycloak. The web
application still runs on HTTP. Is this supported?
I have also made various experiments in keycloak.json (for the REST api)
starting from this:
{
"realm": "restcomm",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
"bearer-only": true,
"auth-server-url": "https://login.restcomm.com/auth",
"ssl-required": "all",
"disable-trust-manager": true,
"resource": "restcomm-rvd",
"enable-cors": true
}
down to this:
{
"realm": "restcomm",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
"bearer-only": true,
"auth-server-url": "https://login.restcomm.com/auth",
"ssl-required": "all",
"allow-any-hostname":true,
"disable-trust-manager": false,
"truststore": "/tmp/trusted_keycloak.jks",
"truststore-password" : "password",
"resource": "restcomm-rvd"
}
Any pointers will be great help.
Thanks in advance
Orestis
11 years
Keycloak
by Chen Keong Yap
Hi,
please share your ideas.
1) i have 1 app is secured using PL SP Filter. Once login successful, there
is a session created in keycloak idp and we called it as sp session and app
http session is created too. Is the app http session is stored in keycloak
db?
2) when global logout is performed, it will call admin url for all the apps
to do application logout. So the question is we need the app http session.
Is it stored in memory or keycloak db?
3) we have requirement to hard kill the sp session and the app http session
if is active for more than 24 hours. Do you think is better to implement in
keycloak idp as servlet or from PL SP filter?
4) we need to implement session fixation. Which means 1 client ip is
binding to 1 jsessionid and the other client ip cannot make http request
using this jsessionid
11 years
iss
by Fadi Abdin
Does anyone know how to control the "iss": value in the token ?
Seems there is a problem , in the last version it was the realm name i.e
"test" .. but now the full uri http:://server.8080/auth/realms/test and
this is causing a problem for me
11 years
SAML2 Identity provider Mappers
by Henk Laracker
Hi,
We have created a salesforce SAML2 identity provider, a part of the response xml from salesforce is added below.
Next to this we configured a tomcat with a json file with argument : "principal-attribute": “preferred_username”
When we do nothing more we get the NameID with the prefix in Tomcat as the logged in user.
We like to map the SAML Attribute Name=“email” to the “preferred_username”
How do we do this?
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">henk.laracker(a)p*n.nl</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ID_e44eedb6-2f93-4c7e-aecd-90f355e3cbc3"
NotOnOrAfter="2015-06-02T08:12:07.080Z"
Recipient="https://fr-authtest.planoncloud.com/auth/realms/ciwwa-test/broker/salesfo..."
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2015-06-02T08:06:37.080Z"
NotOnOrAfter="2015-06-02T08:12:07.080Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:AudienceRestriction>
<saml:Audience>https://fr-authtest.planoncloud.com/auth/realms/ciwwa-test</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2015-06-02T08:07:07.080Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="userId"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyType"
>005b0000000jBgI</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyType"
>henk.laracker(a)p*n.nl</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyType"
>henk.laracker(a)c*e.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="is_portal_user"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:anyType"
>false</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
11 years
Single app, multiple realm
by Nishi Kant
Hi,
I'm new to keycloak, have tried few samples only.
I have a requirement where, a single application/client is used with multiple realm. Users belonging to different organization (realm) uses same app to login, realm information is passed in URL. I want keycloak to authenticate the users against the specified realm. Samples I have seen, takes the realm information from keycloak.json file, here I have requirement for dynamically provided the realm information and redirecting to keycloak server for authentication.
Any pointer will be really useful.
Thanks,
Nishi
Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
More information can be found at www.csr.com. Keep up to date with CSR on our technical blog, www.csr.com/blog, CSR people blog, www.csr.com/people, YouTube, www.youtube.com/user/CSRplc, Facebook, www.facebook.com/pages/CSR/191038434253534, or follow us on Twitter at www.twitter.com/CSR_plc.
You can now access the wide range of products powered by aptX at www.aptx.com
11 years
Update user when "Email as username" enabled
by Scott Rossillo
If I’m using email as username, I can update the email address on a user via the admin API, but the username doesn’t update even when explicitly setting a new username. This is true in the KC admin console as well.
How do I update the username to match the new email address?
Thanks,
Scott
11 years
Not able to forward to error page.
by John
I am trying to integarte keycloak authentication for securing my application.
My server and client has different error status code mapping.
In case of accessToken expires keycloak sends 401 directly to client
where I have mapped token expiration to status code 5401.
I do not wish to change this mapping as code is already in production phase.
I found very helpful way to handle this situaltion by providing
error-page in my server web.xml as
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>winterfell</realm-name>
<form-login-config>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>
But somehow I am not able to get this error page.
Can someone please suggest correct way of doing this.
Note : Following way didn't worked for me
<error-page>
<error-code>404</error-code>
<location>/error</location>
</error-page>
-TR
John
11 years
keycloak with angular/restfull
by Juan Diego
Hi
I am doing an app with angularjs with keycloak. There a few things that I
dont know how to do it, I have being seing the videos and reading
documentation so I have 2 questions.
Regarding the model of the database, how am I supposed to link Users to
Tables. How do you recommend to work on the model, I am kind of cluless
there.
For example before I had a table User and a Table Pictures. Now my users
are in the KeyCloak database, how are you supposed to handle tables that
would have been linked to a user.
My second question is about my front and backend. I am just allowing my
users to upload pictures it is a small app. I am doing the front end with
AngularJS so it is basically html+javascript, and the backend handles the
services. Should I create a client in my KeyCloak for the frontend and
another for the backend. It seems to my that I should create a client only
for the backend , and the front end needs to validate against that.
Thanks
Juan Diego Calle
11 years
IDP SAMLV2.0 with Salesforce
by Henk Laracker
Hi,
I like to use Salesforce as Identity Provider, the metadata provided by salesforce can be imported.
But I need to specify the Service Provider in salesforce, I have to fill in a couple of fields, but two of them I don’t understand (and are mandatory). Does someone have any clue
1. entity id , remark of salesforce : get this value from your serviceprovider
2. ACS URL, remark of slaesforce : The assertion consumer service. Get this value from your service provider.
I have tried a lot of values but every-time I click the saml button on my app, it redirects to salesforce but I get a page with the error : Error: Unable to resolve request into a Service Provider
Henk
11 years
