Refresh token - should it expire?
by Juraci Paixão Kröhling
Hello,
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following:
- User logs in Hawkular via Keycloak
- Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- The agent makes a call to the Hawkular backend, sending this key/secret
- An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (ie:
replacing the Authorization header)
- Keycloak uses this bearer token to perform what it needs to do
- Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].
So, the question is whether this token is indeed supposed to be
attached to an user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
Best,
Juca.
9 years, 2 months
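The key/secret to bearer-token exchange described in the post above, as an added example; this is not code from the post, from Hawkular or from Keycloak. It assumes a confidential client named secret-store and a realm named hawkular (neither is given in the post), and replaces Keycloak with a constructed fake token endpoint so the flow runs offline. The branch the post asks about is invalid_grant: once the user's SSO session is gone, Keycloak stops accepting the stored refresh token, and the filter needs to surface that as a distinct condition rather than a generic failure.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Assumed deployment values; realm name and client id are not in the post.
TOKEN_URL = "https://keycloak.example/auth/realms/hawkular/protocol/openid-connect/token"
CLIENT_ID = "secret-store"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims_unverified(token: str) -> dict:
    """Read claims WITHOUT checking the signature. Acceptable here only because the
    token arrives straight from Keycloak over TLS; anything that accepts tokens
    from callers must verify the realm's RS256 signature instead."""
    return json.loads(b64url_decode(token.split(".")[1]))


class SessionExpired(Exception):
    """Keycloak answered invalid_grant: the SSO session behind the refresh token is gone."""


class SecretStore:
    """Holds key/secret -> refresh_token and swaps it for a bearer token per request."""

    def __init__(self, http_post, token_url=TOKEN_URL, client_id=CLIENT_ID):
        self._post = http_post      # callable(url, form_body) -> (status, json_dict)
        self._token_url = token_url
        self._client_id = client_id
        self._keys = {}

    def create_key(self, refresh_token: str):
        """Step 2 of the post. Only a hash of the secret is stored, so a dump of the
        table does not hand out usable agent credentials."""
        key = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key] = {
            "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
            "refresh_token": refresh_token, "bearer": None, "exp": 0,
        }
        return key, secret

    def authorization_header(self, key: str, secret: str, now=None) -> str:
        """Steps 4-5: check the agent's key/secret, return the Authorization value."""
        now = time.time() if now is None else now
        entry = self._keys.get(key)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if entry is None or not hmac.compare_digest(entry["secret_hash"], digest):
            raise PermissionError("unknown key or wrong secret")
        # Reuse the access token until shortly before exp so a polling agent
        # does not cost one Keycloak round trip per request.
        if entry["bearer"] and now < entry["exp"] - 5:
            return "Bearer " + entry["bearer"]
        status, body = self._post(self._token_url, urlencode({
            "grant_type": "refresh_token",
            "refresh_token": entry["refresh_token"],
            "client_id": self._client_id,
        }))
        if status == 200:
            entry["bearer"] = body["access_token"]
            entry["exp"] = jwt_claims_unverified(body["access_token"])["exp"]
            # Keycloak may rotate the refresh token; always keep the newest one.
            entry["refresh_token"] = body.get("refresh_token", entry["refresh_token"])
            return "Bearer " + entry["bearer"]
        if status == 400 and body.get("error") == "invalid_grant":
            # The failure from the post: the user's session timed out and the stored
            # refresh token is no longer accepted. Raise a distinct error so the key
            # can be flagged as needing re-authorisation by its owner.
            entry["bearer"] = None
            raise SessionExpired(body.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint returned {status}: {body}")


class FakeTokenEndpoint:
    """Constructed stand-in for Keycloak's token endpoint so the flow runs offline.
    Tokens it issues are unsigned (alg none) and carry only the claims needed here."""

    def __init__(self, active_refresh_tokens, now):
        self.active = set(active_refresh_tokens)   # refresh tokens whose session is alive
        self.now = now

    def __call__(self, url, form_body):
        form = parse_qs(form_body)
        rt = form.get("refresh_token", [""])[0]
        if form.get("grant_type") != ["refresh_token"] or rt not in self.active:
            return 400, {"error": "invalid_grant", "error_description": "Session not active"}
        access = (b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
                  + b64url_encode(json.dumps({"sub": "agent-owner", "exp": self.now + 60}).encode()) + ".")
        return 200, {"access_token": access, "refresh_token": rt, "expires_in": 60}
```

To run it against a real server, pass an `http_post` that does an HTTPS form POST (for instance with `urllib.request`) and returns the status and parsed JSON body; the rest of the flow is unchanged. The exp-based caching reads an unverified claim, which is only acceptable because the token came directly from the issuer; if the bearer token is ever taken from a caller instead, verify its signature first.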
Distributed Keycloak user sessions using Infinispan
by Nair, Rajat
Hi,
I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
<cache-container name="keycloak" jndi-name="java:jboss/infinispan/Keycloak">
<transport lock-timeout="60000"/>
<invalidation-cache name="realms" mode="SYNC"/>
<invalidation-cache name="users" mode="SYNC"/>
<distributed-cache name="sessions" mode="SYNC" owners="2"/>
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
</cache-container>
And in server.logs, I can see my servers communicate -
2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
I can successfully login, get a token and fetch user details with this token.
Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so the workflow is - user logs in, gets a token, (a node in the cluster goes down) and then fetches user details using the token) - we see an internal server exception. From the logs -
2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
... 31 more
Caused by: java.lang.NullPointerException
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
... 42 more
The user guide says -
If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
Questions -
1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
2. Will changing distributed-cache to replicated-cache help in this scenario?
3. Any way we can see the contents of the cache?
-- Rajat
9 years, 5 months
Error during LDAP syncing on Keycloak 1.4.0
by Nair, Rajat
Hi,
As part of testing another issue (Distributed Keycloak user sessions using Infinispan), I upgraded my nodes to Keycloak 1.4.0 (grabbed the release from here - http://central.maven.org/maven2/org/keycloak/keycloak-server-dist/1.4.0.F...). I wiped out our Keycloak database and recreated it. After configuring our LDAP server (similar configuration which worked against Keycloak 1.3.1 Final), when we try to sync users we get the following exception -
2015-07-29 09:00:42,062 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync: java.lang.RuntimeException: request path: /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)
... 29 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.cache.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:149)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory$2.run(LDAPFederationProviderFactory.java:294)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:242)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241)
at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200)
at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:143)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
... 37 more
Could this be a regression?
-- Rajat
9 years, 5 months
Angular app, login on click and not on load.
by Fabio Monteiro
Hi ,
I'm looking for a simple way to log in to Keycloak with an AngularJS app. If I use the example (angular-product-app) one can find with the Keycloak appliance, the JS adapter redirects the user to the Keycloak login page "onload" (keycloakVar.init({onLoad: 'login-required'})...)
But I want to log in only when I specifically click on some button. From what I can gather the method keycloakVar.login() from the docs & JS reference is the way to go, but replacing the .init() method with the .login() method doesn't seem to work...
Also, in the "normal" case, the regular init() example itself leaves me, after logging in successfully, with still empty JavaScript objects once I am successfully redirected to my app page (the auth global variable).
The official angular + js-adapter : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
Could you help me ? I must be missing something.
Thanks a lot
Fabio M
9 years, 5 months
Having trouble with LDAP attribute mapping in 1.3.1
by Kevin Thorpe
Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP
attribute mappings which I see has now been done. Unfortunately I can't
seem to get it to work.
I have added a user attribute mapper to my ldap federation. This maps the
LDAP attribute 'applications' which exists on my LDAP user record to
'applications' in Keycloak.
I have also added a user attribute token mapper to my Keycloak client
definition to map user attribute 'applications' to token claim
'applications'. I've also asked to add to both id and access token.
However this attribute is not present in either the ID or access token when
testing. Is there something I've missed?
Something that may be an issue though is that I'm using a home written
openid-connect Lua client based on your javascript one. This uses the
endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
openid-connect endpoint doesn't support these attributes yet?
*Kevin Thorpe*
CTO, PI ltd
9 years, 5 months
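A check for the situation in the post above, added here as an example that is not from the post or from Keycloak: decode the tokens returned by /protocol/openid-connect/token and report whether the 'applications' claim reached each one, and whether a token was issued for the client the mapper is attached to at all (the post configures the mapper on one client definition). The client id lua-client and the sample token response are constructed for the example; the decoding skips signature verification and is for diagnosis only, never for accepting a token.

```python
import base64
import json

CLAIM = "applications"      # the LDAP-backed user attribute from the post
CLIENT_ID = "lua-client"    # assumed client id of the home-written Lua client


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: alg none, empty signature. Keycloak signs with RS256;
    this exists only so the sample response can be built offline."""
    return (b64url_encode(json.dumps({"alg": "none"}).encode()) + "."
            + b64url_encode(json.dumps(claims).encode()) + ".")


def decode_jwt_unverified(token: str):
    """Return (header, claims) without checking the signature; diagnostic use only."""
    header, payload = token.split(".")[:2]
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def audit_claim(token_response: dict, claim: str = CLAIM, client_id: str = CLIENT_ID) -> dict:
    """For each token in a /token response say whether `claim` is present and,
    when it is not, give the first thing worth checking."""
    report = {}
    for name in ("id_token", "access_token"):
        token = token_response.get(name)
        if not token:
            report[name] = "absent: the endpoint did not return this token"
            continue
        header, claims = decode_jwt_unverified(token)
        # azp is the client the token was issued to; older tokens carry it in aud.
        issued_for = claims.get("azp") or claims.get("aud")
        if claim in claims:
            report[name] = f"present: {claims[claim]!r} (alg {header.get('alg')})"
        elif issued_for != client_id:
            report[name] = (f"missing: token issued for client {issued_for!r}, "
                            f"but the mapper is configured on {client_id!r}")
        else:
            report[name] = ("missing: check the mapper's 'Add to ID token' / "
                            "'Add to access token' flags and that the user attribute "
                            "was actually imported from LDAP for this user")
    return report


# Constructed sample response, not a real Keycloak reply: the claim made it into
# the ID token but not the access token.
SAMPLE_RESPONSE = {
    "id_token": make_unsigned_jwt({"iss": "https://kc.test/auth/realms/master",
                                   "aud": CLIENT_ID, "sub": "u1",
                                   CLAIM: ["hawkular", "grafana"]}),
    "access_token": make_unsigned_jwt({"azp": CLIENT_ID, "sub": "u1",
                                       "realm_access": {"roles": ["user"]}}),
}
```

Paste the JSON body your Lua client receives from the token endpoint in place of SAMPLE_RESPONSE; if both tokens come back "missing" with the mapper flags set, the next place to look is whether the Keycloak user record actually has the attribute after the LDAP import.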
Re: LDAP with Kerberos, login with different user
by Michael Gerber
Should I create a Jira issue for that task?
Or will you anyway implement something in this direction?
On 24 July 2015 at 09:57, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Raghu Prabhala" <prabhalar(a)yahoo.com>, "Bill Burke" <bburke(a)redhat.com>
Cc: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, 24 July, 2015 9:49:45 AM
Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user
Support for prompt=select_account will be cool. Another suggestion for
adding query parameter for skip some mechanisms (like
skipAuthMechanism=cookie,kerberos ) might be good too.
That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters.
Not sure if we need to support both, but IMO it will be good to have
solution not tightly coupled to Kerberos. I can imagine similar
situation with other login mechanisms as well. For example with
authenticating users by certificate, admin may also want to skip
automatic login with the certificate from his browser and instead login
with username/password form.
Marek
On 23.7.2015 17:43, Raghu Prabhala wrote:
> The select account prompt wouldn't work for us as some of our applications
> require that the user login only by entering userid/pw but your other
> suggestion might work as long as we do the Kerberos authentication using
> id/pw
>
> Sent from my iPhone
>
>> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> All this interaction is defined by the SAML and OIDC specifications.
>> Logout redirects you back to the application and its up to the
>> application what to do next. We could add a query param that if it is
>> set, to not do kerberos. This could be in addition to the "login
>> automatically" flag.
>>
>>
>>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote:
>>> Why can't we have two separate authentication mechanisms - one IWA, in
>>> which case the user is logged in automatically and on logout he is taken
>>> to a login page where a diff userid can be entered and two, a login page
>>> that allows userid/password? That would address our use case.
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>
>>>> Maybe it can be configurable for the kerberos mechanism? Just the flag
>>>> "login automatically" . If it's off, another confirmation screen for the
>>>> user will be displayed?
>>>>
>>>> Marek
>>>>
>>>>> On 23.7.2015 16:36, Stian Thorgersen wrote:
>>>>> "Is this you?"
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: keycloak-user(a)lists.jboss.org
>>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM
>>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different
>>>>>> user
>>>>>>
>>>>>> With the new flows, we could detect a kerberos login then ask if they
>>>>>> want to login as that user or another.
>>>>>>
>>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote:
>>>>>>> Do you want that for normal users or just for admin users? Just
>>>>>>> trying
>>>>>>> to understand the usecase. Because AFAIK the point of kerberos is,
>>>>>>> that
>>>>>>> you login into the desktop and then you're automatically logged into
>>>>>>> integrated web applications without need to deal with any login
>>>>>>> screens
>>>>>>> and username/password. When user has just one keycloak account
>>>>>>> corresponding to his kerberos ticket, then why he need to login as
>>>>>>> different user?
>>>>>>>
>>>>>>> I can understand the usecase for admin, when you want to login as
>>>>>>> different user for testing purpose etc. For this, isn't it possible
>>>>>>> in
>>>>>>> windows to do something like "kdestroy" to be able to login without
>>>>>>> kerberos?
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote:
>>>>>>>> Isn't it possible to create a cookie or add an url parameter after
>>>>>>>> the
>>>>>>>> logout, so the user is not logged in automatically?
>>>>>>>>
>>>>>>>> It's crucial for us to be able to log in as a different user,
>>>>>>>> otherwise we can not use kerberos at all :(
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>> On 22 July 2015 at 23:06, Marek Posolda
>>>>>>>>> <mposolda(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and
>>>>>>>>> logout from the web application won't destroy the kerberos ticket -
>>>>>>>>> similarly like it can't logout your laptop/desktop session. So when
>>>>>>>>> you visit the secured application next time, you are automatically
>>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket.
>>>>>>>>>
>>>>>>>>> Hence you need to remove kerberos ticket manually (For example
>>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows +
>>>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login
>>>>>>>>> screen and login as different user.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again
>>>>>>>>>> with a different user (no kerberos login, just keycloak username
>>>>>>>>>> and
>>>>>>>>>> password dialog).
>>>>>>>>>> Is that possible?
>>>>>>>>>>
>>>>>>>>>> cheers
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
9 years, 5 months
problems getting started with tomcat
by Tim Dudgeon
A couple of weeks back I posted about having problems getting started
with tomcat, but have not had any response.
The post is here, along with an example:
http://lists.jboss.org/pipermail/keycloak-user/2015-July/002652.html
I'm still struggling with this, and think I have followed the
instructions here correctly:
http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter
Basically I think I'm having problems with the valve not doing anything.
I have copied the appropriate keycloak jars to $TOMCAT_HOME/lib and a
web app with META-INF/context.xml containing this:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/sampleapp">
<Valve
className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
and a WEB-INF/web.xml pretty well as described in the docs, but I'm not
getting any authentication challenge.
Any ideas what's wrong?
Thanks
Tim
9 years, 5 months
Re: [keycloak-user] Having trouble with LDAP attribute
by Nair, Rajat
> Sorry to bother you but where has the user federation mapper option gone in
> 1.4.0.final?
> IIRC there was a page user federation > my_ldap > mapper to map LDAP
> attributes to
> keycloak user attributes. I can't find it now at all.
We are using Keycloak 1.4 and we can see Mapper tab, under our LDAP settings, inside User Federation section.
Note - Mapper tab is displayed only after LDAP settings are saved.
Hope this helps.
-- Rajat
9 years, 5 months
Customer Properties in Registration Page
by Mike Hills
Is there way to validate a "custom" property? My use case is that I am
registering a customer for a portal application. I want to validate the
entered customer # (custom property) against a table that maps the email
address with a customer. This validation must pass in order to allow a user
to be registered.
Thank you
--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills(a)sematree.com
Skype : mhills_sematree
9 years, 5 months
Keycloak Release 1.4.0 for OPENSHIFT ONLINE
by Mike Hills
Are there instructions for upgrading from 1.3 to 1.4 for OPENSHIFT ONLINE?
--
Michael J. Hills
Sr. CRM Architect
Mobile: 603.475.5093
Email : mike.hills(a)sematree.com
Skype : mhills_sematree
9 years, 5 months