Multivalued user attributes mapping
by Sascha Skorupa
Hi,
we are currently evaluating Keycloak as an IDM solution for our company. In doing so we encountered the following questions regarding storing authorization data:
1) In the "Mapper" section it is possible to configure how user attributes are mapped to tokens/claims. It is also possible to turn on "Multivalued" mapping, so that every value of one attribute is set as a claim. But how can you configure multiple values for one attribute? If you save another value with the same key, the existing one is overwritten.
2) One of our requirements is to persist custom authorization data hierarchically and to map this data into access tokens. Is there any recommendation on how to realize this in Keycloak, or is the only way to use flat user attributes (key/value)?
Thanks, Sascha
9 years, 1 month
Refresh token - should it expire?
by Juraci Paixão Kröhling
Hello,
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following:
- User logs in Hawkular via Keycloak
- Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- The agent makes a call to the Hawkular backend, sending this key/secret
- An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (ie:
replacing the Authorization header)
- Keycloak uses this bearer token to perform what it needs to do
- Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].
So, the question is whether this token is indeed supposed to be
attached to a user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
Best,
Juca.
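A defender-side check for the stored refresh_token described in the post above, added here as an example; it is not code from the original post, from Hawkular or from Keycloak. It assumes the stored token is a Keycloak JWT whose payload carries `typ`, `exp` and `session_state`; the sample tokens are constructed, and the client_id/client_secret values are placeholders.

```python
import base64
import json
import time
from typing import Optional

# Keycloak refresh tokens are JWTs whose payload carries "typ": "Refresh", an "exp"
# and a "session_state" that ties the token to the user's SSO session.
HEADER = {"alg": "RS256", "typ": "JWT"}  # header of the constructed sample tokens


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    part += "=" * (-len(part) % 4)  # restore the padding JWS strips
    return base64.urlsafe_b64decode(part)


def make_sample_token(payload: dict) -> str:
    """Build a constructed JWT with a dummy signature, for demonstration only."""
    head = _b64url_encode(json.dumps(HEADER).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64url_encode(b'dummy-signature')}"


def inspect_refresh_token(token: str, now: Optional[int] = None) -> dict:
    """Decode the payload (no signature check; only Keycloak can verify or revoke it)
    and report whether the stored token is still within its own lifetime."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialisation")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    exp = int(claims.get("exp", 0))
    return {
        "typ": claims.get("typ"),
        "session_state": claims.get("session_state"),
        "expires_in": exp - now,
        # exp is only the token's own lifetime; the bound user session (session_state)
        # can end earlier on the server, which is the failure the post describes.
        "expired": exp <= now,
    }


def refresh_grant_body(token: str, client_id: str, client_secret: str) -> dict:
    """Form parameters for the OAuth2 refresh_token grant at /protocol/openid-connect/token."""
    state = inspect_refresh_token(token)
    if state["expired"] or state["typ"] != "Refresh":
        raise PermissionError("stored token expired or not a refresh token; re-enrol the key/secret")
    return {"grant_type": "refresh_token", "refresh_token": token,
            "client_id": client_id, "client_secret": client_secret}
```

Logging the `session_state` of a rejected token lets the filter correlate the failure with the user session that ended on the Keycloak side.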
9 years, 2 months
Re: [keycloak-user] Role to claim mapping
by Gonzalo López
testuser has some roles in host B (testrole in this example), I want to put
the roles as a claim in the token so when host A receives the token it maps
the claim to roles in host A
I already did the second part (mapping in host A), but I still can't find
out how to put the roles in a claim.
>
>
>
> On 9/29/2015 3:42 PM, Gonzalo López wrote:
> > I'm trying to test the Identity broker to achieve cross domain sso, this
> > is what I have done:
> >
> > 1 - Installed jboss 6.4 eap + keycloak + keycloak eap6 adapter in host A
> > 2 - Installed jboss 6.4 eap + keycloak in host B
> > 3 - In host A, I added an oidc Identity Provider (importing host B
> > openid connect configuration).
> > 4 - In host A, I created an application (appa.war) that will try to use
> > the broker to authenticate. I added security to the app (only user with
> > role "user" will be able to access some parts)
> > 5 - In host B, I added 2 oidc clients (the broker from host A and appb,
> > appb (appb.war) is a simple application developed to log in using oidc)
> > 6 - In host B, I created a role "testrole" inside appb and a user
> > "testuser", then I added that role to the user.
> >
> > I couldn't find out how to map the role "testrole" to a claim that will
> > be sent to the broker once the user has authenticated. Is there a way to
> > do that?
> >
> > After I accomplish that I plan to map that claim to the role appa.user.
> >
>
> OIDC and SAML Identity Providers have mappers. Host A broker will
> receive the token from Host B. You can map the testrole to whatever
> claim you want.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
>
9 years, 2 months
Support for Implicit Flow
by Raghuram Prabhala
Hi Keycloak Dev team,
When can we expect support for Implicit flow and OpenID Connect certification for keycloak?
Thanks, Raghu
9 years, 2 months
Login by mobile number.
by Revanth Ayalasomayajula
Hi all,
I have an application that is secured by Keycloak. I am able to login using
username/email and password. I also want to implement login via phone
number. Could anybody help me with how to store the phone number for a user and
also how to use it to log the user in.
9 years, 2 months
UT010039: Unknown authentication mechanism KEYCLOAK
by Hristo Stoyanov
Hi all
I am getting the below message with KeyCloak 1.5.0/WF9.0.1 overlay
installation. My configuration file looks exactly the same as the stock
one, e.g:
<extensions>
...
<extension module="org.keycloak.keycloak-server-subsystem"/>
...
</extensions>
...
<profile>
...
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
</subsystem>
</profile>
The module jars are properly put in the WF folders.
My web.xml also seems right:
=========================================
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<!-- Default page to serve -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!-- This error page rule responds with the GWT Host page for
pushstate Errai Navigation URLs -->
<error-page>
<error-code>404</error-code>
<location>/</location>
</error-page>
<!-- Erray Keycloak security -->
<filter>
<filter-name>ErraiLoginRedirectFilter</filter-name>
<init-param>
<param-name>redirectLocation</param-name>
<param-value>/index_draft.jsp</param-value>
</init-param>
</filter>
<!-- JAX-RS configuration-->
<servlet-mapping>
<servlet-name>javax.ws.rs.core.Application</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<filter-mapping>
<filter-name>ErraiUserCookieFilter</filter-name>
<url-pattern>/index_draft.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ErraiLoginRedirectFilter</filter-name>
<url-pattern>/app-login</url-pattern>
</filter-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<url-pattern>/app-login</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>whatever</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>
</web-app>
I can access the KC admin console and configure realms/users/roles no
problem in the WF 9.0.1 server. I am out of ideas of what could be causing
it. Any hints? Thanks
=============================
11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:326)
at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:200)
... 8 more
11:47:54,471 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service 'draft.war#s4g'
9 years, 2 months
Unable to get required user data from facebook and store the data in keycloak
by Revanth Ayalasomayajula
Hi,
I am using Keycloak 1.5.0 and want to use login via Facebook. So I created
a Facebook app and provided all the details in the Keycloak Facebook
identity provider settings. When I log in from Facebook, the user is created
if not existing in Keycloak and is authenticated.
But the created user details are all null, and in the server log the
response from Facebook contains only the name and id but not the email, although
the default scope of my application is email. Also, storing
the returned details using mappers is not happening.
Could anyone please help me on how to return more details from Facebook and
also store those details using mappers.
9 years, 2 months
Multi-tenant REST api
by Vito Vessia
Hi all,
I have to create some multi-tenant REST APIs secured by Keycloak, following
the multi-tenant example provided by the Keycloak documentation.
So, in the same way the example shows, I have some REST APIs like:
/rest/api1/name/{id}
and I would like to make these APIs multi-tenant using URLs like this
one:
/tenant1/rest/api1/name/{id} or /tenant2/rest/api1/name/{id}
I am using Jersey as the JAX-RS implementation and the AS is WildFly 9.
My KeycloakConfigResolver-derived implementation seems to work well,
because it receives the requests from KC and returns the
correct KeycloakDeployment instance, but the REST service is never called.
If I temporarily disable the resolver and define a fixed realm, everything
is OK when calling the URL without the tenant name part.
Please, do you have any idea?
Where can I get a complete example?
--Vito
9 years, 2 months
FIPS compliant
by Bhanu Kiran
Team,
Please let us know if Keycloak is FIPS compliant, or how we can implement
FIPS in Keycloak?
Thanks
9 years, 2 months