propagate user credential from fat client to browser
by Michael Gerber
Hi all,
I have got a fat client and a web application. The fat client uses the Keycloak login in a built-in browser. After that I am using the access token to get data from REST services from the web application.
Is it possible to open the web application from the fat client in a new browser and propagate the user credentials, so that the user does not have to reauthenticate?
kind regards
Michael
8 years, 7 months
Session time out
by Christopher Davies
I am using an openid-connect call to get a set of tokens from KeyCloak.
The expiry time of the access_token is based upon the "Access Token
Lifespan" which I understand. However, is there any way to pass the SSO
Session Max and SSO Session Idle inside the access token?
Chris
8 years, 7 months
Proxying and changing port.
by Kevin Thorpe
Still struggling with wrapping Keycloak under nginx. Keycloak runs on our
internal infrastructure on port 8443 because it's a right pain to get it on
port 443.
Now some of our clients have restrictive firewalls that only allow 80 and
443 so I'm trying to proxy it on port 443 in Nginx so we have a single point
of contact. It doesn't work.
Chrome is giving ERR_RESPONSE_HEADERS_TRUNCATED and I'm not sure why.
Redirect is happening properly as shown from an AWS client:
52.21.xxx.xxx - - [18/Sep/2015:14:23:49 +0100] xxxx.pibenchmark.com "GET /
HTTP/1.1" 009 7 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36" "10.20.13.184:8443"
Can Keycloak not handle the difference in ports? I'm really struggling to
understand here.
nginx config:
# login-uat server
server {
    listen 10.20.13.11:443;
    server_name xxxx.pibenchmark.com;
    ssl on;
    # ssl key bits
    client_max_body_size 10G;
    location / {
        proxy_pass http://login-uat-cluster;
    }
}
# only one of these will be working but nginx should be able to work out which
upstream login-uat-cluster {
    server keycloak.pibenchmark.com:8443;
}
*Kevin Thorpe*
CTO
8 years, 7 months
Appending Domain To Username At Login
by Kenyatta Clark
Is there a way to append the domain to the username when logging in? Our usernames look like ‘username’@example.com. In our other authentication system we append the domain to whatever the user enters in for lookup in AD and we were wondering if there was a setting in Keycloak that allowed this functionality.
8 years, 7 months
Keycloak is FIPS compliant (Federal Information Processing Standard) ?
by Bhanu Kiran
Hi Team,
1. According to our company standards, the identity provider which we are
going to use should be FIPS compliant. Let us know if Keycloak is FIPS
compliant or not.
If 'NO', let us know if we can pass an encrypted token between the service
provider and Keycloak and how we can implement this.
Thanks,
Bhanu
8 years, 7 months
Keycloak is FLIPS compliant (Federal Information Processing Standard) ?
by Bhanu Kiran
Hi Team,
1. According to our company standards, the identity provider which we are
going to use should be FIPS compliant. Let us know if Keycloak is FIPS
compliant or not.
If 'NO', let us know if we can pass an encrypted token between the service
provider and Keycloak and how we can implement this.
Thanks,
Bhanu
8 years, 7 months
Validating keycloak access tokens
by Nicholaos Petalidis
Hi,
I would like to ask what is the recommended way for validating a token I
received from a keycloak server.
Specifically, I have the following.
1. A keycloak server running v. 1.0.4Final.
2. A javascript client using the js adapter provided for 1.0.4Final
3. REST services on a wildfly server using 1.4.0 adapter for wildfly 9.
I use the JS adapter to receive a token from keycloak server.
The token seems to be a JWT, but when it is included in the Authorization
header for the REST request I make to the REST service that is on wildfly I
get back an 'invalid signature' response.
I also fail to verify the token if I enter the relevant info on jwt.io
(token and public key).
So my question is
1. Does the 1.0.4Final version sign the tokens?
2. What is the recommended way for the REST service to validate the token
present on the Authorization/Bearer header of a REST request?
Thanks in advance for any answers
--
Nikos
8 years, 7 months
Programmatic access control with no <security-constraints/> in web.xml
by Orestis Tsakiridis
Hello,
Is it possible to apply programmatic access control, i.e. retrieve
KeycloakSecurityContext, get token, roles etc., when the
<security-constraint/> elements have been removed from web.xml?
The reason for that is that when <security-constraints/> are present the
requests get dropped by the keycloak adapter before reaching the REST
endpoints implementation in case they are not carrying a token. I'm trying
to support an alternative authorization mechanism using a custom API Key
parameter in case the OAuth token header is missing.
Regards
Orestis
8 years, 7 months