July 2015 - keycloak-user - Jboss List Archives

by Juraci Paixão Kröhling

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello, I'm building a secret store application that will sit in front of Hawkular and will be responsible for replacing API keys into actual Keycloak authentication data. Based on the suggestions from Stian, the current code does the following : - - User logs in Hawkular via Keycloak - - Once the user wants to create a new application key/secret, the user is redirected to /secret-store/tokens/create , which takes the KC authentication data and stores the refresh_token into the database, creating a new key/secret - - User configures an external application (like a monitoring agent in a server), adding this key/secret to its configuration - - The agent makes a call to the Hawkular backend, sending this key/secre t - - An undertow filter gets this key/secret from the request, fetches the refresh_token from the database, gets a bearer token from Keycloak based on this refresh_token and sets it to the request's context (ie: replacing the Authorization header) - - Keycloak uses this bearer token to perform what it needs to do - - Request reaches the Hawkular backend It all works, but the session from the *user* (second step) eventually expires, causing the refresh_token to be invalid[1]. So, the question is whether this token is indeed supposed to be attached to an user session, or if it's a bug. If the behavior I'm seeing is the correct one, what could be a proper way to store a token so that it can be replaced at a later time? 1 - http://git.io/vLAtF Best, Juca. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJViUgHAAoJEDnJtskdmzLMCIsH/iOeGmCDANgjvliyeKMWcx0/ j0cFdJuENBqzgPRlj0tSSJeFZeNnIs07ARJk2E0Xoq1D2gSq3KAw3hTOq7nPNfOk SoG5f1dLDkwCB8a+d/IGNfPw6Tmbzn0i2kwRSbhSJdfYCDxg9xiMPnV2MjvunPYa f6sXHz0yZjwylis3UuBw7WUNr1wAYOpjfmdBmt0B6hEqBXbIZflX2OEhim7dC+PQ WBx4lobqWWR+pMF12oabngNPLoE1r8SGSJkkiusMZxaTIWOViiHIYkRzVcul32z7 1OI0EOHnnv4YJ1rzc9frAIu7EPZq0i4BM1YT9pRBlNFBWH/ZQawEyCN6KCrNHDI= =EA+F -----END PGP SIGNATURE-----

10 years, 7 months

5
11
0 / 0

Distributed Keycloak user sessions using Infinispan

by Nair, Rajat

Hi, I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use - <cache-container name="keycloak" jndi-name="java:jboss/infinispan/Keycloak"> <transport lock-timeout="60000"/> <invalidation-cache name="realms" mode="SYNC"/> <invalidation-cache name="users" mode="SYNC"/> <distributed-cache name="sessions" mode="SYNC" owners="2"/> <distributed-cache name="loginFailures" mode="SYNC" owners="1"/> </cache-container> And in server.logs, I can see my servers communicate - 2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]} 2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57 2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56 2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57 2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57 I can successfully login, get a token and fetch user details with this token. Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logins in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs - 2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62) at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) ... 31 more Caused by: java.lang.NullPointerException at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128) at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) ... 42 more The user guide says - If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache Questions - 1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down. 2. Will changing distributed-cache to replicated-cache help in this scenario? 3. Any way we can see the contents of the cache? -- Rajat

10 years, 10 months

3
19
0 / 0

Error during LDAP syncing on Keycloak 1.4.0

by Nair, Rajat

Hi, As part of testing another issue (Distributed Keycloak user sessions using Infinispan), I upgraded my nodes to Keycloak 1.4.0 (grabbed release from here - http://central.maven.org/maven2/org/keycloak/keycloak-server-dist/1.4.0.F...). I wiped out our Keycloak database and recreated it. After configuring our LDAP server (similar configuration which worked against Keycloak 1.3.1 Final), when we try to sync users we get following exception - 2015-07-29 09:00:42,062 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync: java.lang.RuntimeException: request path: /auth/admin/realms/test/user-federation/instances/3ccbe831-2d9b-4253-8fe7-343d7ead505d/sync at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59) ... 29 more Caused by: java.lang.NullPointerException at org.keycloak.models.cache.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:149) at org.keycloak.federation.ldap.LDAPFederationProviderFactory$2.run(LDAPFederationProviderFactory.java:294) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:242) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:286) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:241) at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:200) at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50) at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:143) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) ... 37 more Could this be a regression? -- Rajat

10 years, 10 months

3
3
0 / 0

Angular app, login on click and not on load.

by Fabio Monteiro

Hi , I'm looking for a simple way to login to keycloak with an AngularJS app. If i use the example (angular-produt-app) one can find with the keyCloak appliance, the js adapter redirects the user to the Keycloak login pase "onload " (keycloakVar.init({onLoad: 'login-required'})...) But i want to login only when I specifically click on some button. From what I can gather the method keycloakVar.login() from the docs & JS reference is the way to go.. but replacing the .init() method with the .login() method doesn't seem to work... Also, in the "normal" case, the init() regular example itself lets me, after logging-in succesfully, with still empty Javasript objects once I am successfully redirected to my app page. (the auth global variable) The official angular + js-adapter : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a... Could you help me ? I must be missing something. Thanks a lot Fabio M

10 years, 10 months

2
1
0 / 0

Having trouble with LDAP attribute mapping in 1.3.1

by Kevin Thorpe

Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP attribute mappings which I see has now been done. Unfortunately I can't seem to get it to work. I have added a user attribute mapper to my ldap federation. This maps the LDAP atribute 'applications' which exists on my LDAP user record to 'applications' in Keycloak. I have also added a user attribute token mapper to my Keycloak client definition to map user attribute 'applications' to token claim 'applications'. I've also asked to add to both id and access token. However this attribute is not present in either the ID or access token when testing. Is there something I've missed? Something that may be an issue though is that I'm using a home written openid-connect Lua client based on your javascript one. This uses the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the openid-connect endpoint doesn't support these attributes yet? *Kevin Thorpe* CTO, PI ltd

10 years, 10 months

2
13
0 / 0

Re: LDAP with Kerberos, login with different user

by Michael Gerber

Should I create a Jira issue for that task? Or will you anyway implement something in this direction? Am 24. Juli 2015 um 09:57 schrieb Stian Thorgersen <stian(a)redhat.com>: ----- Original Message ----- From: "Marek Posolda" <mposolda(a)redhat.com> To: "Raghu Prabhala" <prabhalar(a)yahoo.com>, "Bill Burke" <bburke(a)redhat.com> Cc: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-user(a)lists.jboss.org Sent: Friday, 24 July, 2015 9:49:45 AM Subject: Re: [keycloak-user] LDAP with Kerberos, login with different user Support for prompt=select_account will be cool. Another suggestion for adding query parameter for skip some mechanisms (like skipAuthMechanism=cookie,kerberos ) might be good too. That'll only make sense if we also add support to allow multiple accounts, which could be fairly easy on the server-side, but much harder to support in adapters. Not sure if we need to support both, but IMO it will be good to have solution not tightly coupled to Kerberos. I can imagine similar situation with other login mechanisms as well. For example with authenticating users by certificate, admin may also want to skip automatic login with the certificate from his browser and instead login with username/password form. Marek On 23.7.2015 17:43, Raghu Prabhala wrote: > The select account prompt wouldn't work for us as some of our applications > require that the user login only by entering userid/pw but your other > suggestion might work as long as we do the Kerberos authentication using > Id/ow > > Sent from my iPhone > >> On Jul 23, 2015, at 11:28 AM, Bill Burke <bburke(a)redhat.com> wrote: >> >> All this interaction is defined by the SAML and OIDC specifications. >> Logout redirects you back to the application and its up to the >> application what to do next. We could add a query param that if it is >> set, to not do kerberos. This could be in addition to the "login >> automatically" flag. >> >> >>> On 7/23/2015 11:14 AM, Raghu Prabhala wrote: >>> Why can't we have two separate authentication mechanisms - one IWA, in >>> which case the user is logged in automatically and on logout he is taken >>> to a login page where a diff userid can be entered and two, a login page >>> that allows userid/password? That would address our use case. >>> >>> >>> >>> Sent from my iPhone >>> >>>> On Jul 23, 2015, at 10:50 AM, Marek Posolda <mposolda(a)redhat.com> wrote: >>>> >>>> Maybe it can be configurable for the kerberos mechanism? Just the flag >>>> "login automatically" . If it's off, another confirmation screen for the >>>> user will be displayed? >>>> >>>> Marek >>>> >>>>> On 23.7.2015 16:36, Stian Thorgersen wrote: >>>>> "Is this you?" >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Bill Burke" <bburke(a)redhat.com> >>>>>> To: keycloak-user(a)lists.jboss.org >>>>>> Sent: Thursday, 23 July, 2015 4:02:53 PM >>>>>> Subject: Re: [keycloak-user] LDAP with Kerberos, login with different >>>>>> user >>>>>> >>>>>> With the new flows, we could detect a kerberos login then ask if they >>>>>> want to login as that user or another. >>>>>> >>>>>>> On 7/23/2015 2:26 AM, Marek Posolda wrote: >>>>>>> Do you want that for normal users or just for admin users? Just >>>>>>> trying >>>>>>> to understand the usecase. Because AFAIK the point of kerberos is, >>>>>>> that >>>>>>> you login into the desktop and then you're automatically logged into >>>>>>> integrated web applications without need to deal with any login >>>>>>> screens >>>>>>> and username/password. When user has just one keycloak account >>>>>>> corresponding to his kerberos ticket, then why he need to login as >>>>>>> different user? >>>>>>> >>>>>>> I can understand the usecase for admin, when you want to login as >>>>>>> different user for testing purpose etc. For this, isn't it possible >>>>>>> in >>>>>>> windows to do something like "kdestroy" to be able to login without >>>>>>> kerberos? >>>>>>> >>>>>>> Marek >>>>>>> >>>>>>>> On 23.7.2015 07:44, Michael Gerber wrote: >>>>>>>> Isn't it possible to create a cookie or add an url parameter after >>>>>>>> the >>>>>>>> logout, so the user is not logged in automatically? >>>>>>>> >>>>>>>> It's crucial for us to be able to log in as a different user, >>>>>>>> otherwise we can not use kerberos at all :( >>>>>>>> >>>>>>>> Michael >>>>>>>> >>>>>>>>> Am 22. Juli 2015 um 23:06 schrieb Marek Posolda >>>>>>>>> <mposolda(a)redhat.com>: >>>>>>>>> >>>>>>>>> I don't think it's doable. Kerberos is kind of desktop login and >>>>>>>>> logout from the web application won't destroy the kerberos ticket - >>>>>>>>> similarly like it can't logout your laptop/desktop session. So when >>>>>>>>> you visit the secured application next time, you are automatically >>>>>>>>> logged into Keycloak through SPNEGO due to the Kerberos ticket. >>>>>>>>> >>>>>>>>> Hence you need to remove kerberos ticket manually (For example >>>>>>>>> "kdestroy" works on Linux, but I guess you're using Windows + >>>>>>>>> ActiveDirectory? ) and then you will be able to see keycloak login >>>>>>>>> screen and login as different user. >>>>>>>>> >>>>>>>>> Marek >>>>>>>>> >>>>>>>>>> On 22.7.2015 15:38, Michael Gerber wrote: >>>>>>>>>> Hi all, >>>>>>>>>> >>>>>>>>>> I use LDAP with Kerberos and would like to logout and login again >>>>>>>>>> with a different user (no kerberos login, just keycloak username >>>>>>>>>> and >>>>>>>>>> password dialog). >>>>>>>>>> Is that possible? >>>>>>>>>> >>>>>>>>>> cheers >>>>>>>>>> Michael >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user(a)lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user(a)lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> -- >>>>>> Bill Burke >>>>>> JBoss, a division of Red Hat >>>>>> http://bill.burkecentral.com >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

10 years, 10 months

2
1
0 / 0

problems getting started with tomcat

by Tim Dudgeon

a couple of weeks back I posted about having problems getting started with tomcat, but not had any response. The post is here, along with an example: http://lists.jboss.org/pipermail/keycloak-user/2015-July/002652.html I'm still struggling with this, and think I have followed the instructions here correctly: http://keycloak.github.io/docs/userguide/html/ch08.html#tomcat-adapter Basically I think I'm having problems with the valve not doing anything. I have copied the appropriate keycloak jars to $TOMCAT_HOME/lib and a web app with META-INF/context.xml containing this: <?xml version="1.0" encoding="UTF-8"?> <Context path="/sampleapp"> <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> </Context> and a WEB-INF/web.xml pretty well as described in the docs, but I'm not getting any authentication challenge. Any ideas what's wrong? Thanks Tim

10 years, 10 months

2
2
0 / 0

Re: [keycloak-user] Having trouble with LDAP attribute

by Nair, Rajat

> Sorry to bother you but where has the user federation mapper option gone in > 1.4.0.final? > IIRC there was a page user federation > my_ldap > mapper to map LDAP > attributes to > keycloak user attributes. I can't find it now at all. We are using Keycloak 1.4 and we can see Mapper tab, under our LDAP settings, inside User Federation section. Note - Mapper tab is displayed only after LDAP settings are saved. Hope this helps. -- Rajat

10 years, 10 months

2
1
0 / 0

Customer Properties in Registration Page

by Mike Hills

Is there way to validate a "custom" property? My use case is that I am registering a customer for a portal application. I want to validate the entered customer # (custom property) against a table that maps the email address with a customer. This validation must pass in order to allow a user to be registered. Thank you -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills(a)sematree.com Skype : mhills_sematree

10 years, 10 months

2
1
0 / 0

Keycloak Release 1.4.0 for OPENSHIFT ONLINE

by Mike Hills

Are there instructions for upgrading from 1.3 to 1.4 for OPENSHIFT ONLINE? -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills(a)sematree.com Skype : mhills_sematree

10 years, 10 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user July 2015