Edit username on first-time social login
by Alessandro Segatto
Hi, on first login we need to allow the new user to update his username
while updating his profile info. Is this achievable by editing the
login-update-profile FreeMarker template? If it's not, we'd like to ask for
this feature.
Thank you in advance,
Alessandro
--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
8 years, 7 months
Delegating SAML 2.0 Authentication to ADFS on Windows Server 2012
by Peter Donald
Hi,
I am trying to use Keycloak 1.4.0.Final to delegate authentication to
ADFS and I am having trouble getting the combination to work. I have
tried to locate the information in manuals/docs but can't seem to
figure it out.
I tried to get keycloak to load the configuration for ADFS by using
the "Import External IDP Config" section when creating the identity
provider. Keycloak claimed success but populated none of the fields so
I manually entered the data.
The SSL/communication keys of both sides seem fine. I am assuming that
I have populated encryption/signature keys appropriately.
Then I grabbed the exported data from the export tab. This is not valid
according to ADFS, but if I add an xmlns to the top-level element I can
load the file into ADFS. It seems to load most of the file, but
ultimately the back-and-forth communication does not seem to work. I
had to manually enter a bunch of data into ADFS, mostly to add
endpoints that Keycloak uses but does not declare?
Even then I get problems. Assuming I have "Want AuthnRequests Signed"
set to true, I get an error like:
MSIS7000: The sign in request is not compliant to the WS-Federation
language for web browser clients or the SAML 2.0 protocol WebSSO
profile.
If I set "Want AuthnRequests Signed" to false, then Keycloak will
fail with a NullPointerException, as ADFS will return a message with no
assertions.
So is delegating to ADFS supported or expected to work? Is there a
manual/blog/mailing list post I should read? Happy to RTFM :)
--
Cheers,
Peter Donald
8 years, 7 months
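As an added example (not code from the thread, and not Keycloak or ADFS code), the Python below checks the two failure shapes Peter describes: exported SP metadata whose root element carries no SAML metadata namespace, and an IdP Response that carries a Status but no Assertion. The XML documents, entity IDs and URLs in it are constructed for the example; the namespace URIs and the Success status URI are the standard SAML 2.0 ones.

```python
"""Added example (not Keycloak or ADFS code): sanity checks for the two SAML
artifacts in the thread above: exported SP metadata whose root element has no
SAML metadata namespace, and an IdP Response that carries a Status but no
Assertion. All XML below is constructed for the example."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def check_sp_metadata(xml_text):
    """Return a list of problems found in SP metadata; [] means it passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        # An unprefixed root with no xmlns parses as a bare "EntityDescriptor",
        # which is exactly what a strict consumer such as ADFS rejects.
        problems.append("root element %r is not in the SAML metadata namespace "
                        "(missing xmlns on EntityDescriptor?)" % root.tag)
        return problems
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no SPSSODescriptor element")
        return problems
    if not sp.findall("md:AssertionConsumerService", NS):
        problems.append("no AssertionConsumerService endpoint declared")
    if sp.get("AuthnRequestsSigned") is None:
        problems.append("AuthnRequestsSigned not declared; the IdP cannot tell "
                        "whether to expect signed requests")
    return problems


def check_response(xml_text):
    """Return (status_code, has_assertion) for a samlp:Response.

    A consumer should stop here with a clear error unless the status is
    Success and has_assertion is True, instead of dereferencing a missing
    assertion further down the pipeline.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %r" % root.tag)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    has_assertion = (root.find("saml:Assertion", NS) is not None
                     or root.find("saml:EncryptedAssertion", NS) is not None)
    return status, has_assertion


def response_is_usable(xml_text):
    status, has_assertion = check_response(xml_text)
    return status == STATUS_SUCCESS and has_assertion


# Constructed SP metadata with the defect from the thread: no xmlns on the root.
BAD_METADATA = """<EntityDescriptor entityID="https://sp.example.test/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# The same metadata with the namespace declared and the signing expectation stated.
GOOD_METADATA = (BAD_METADATA
    .replace('<EntityDescriptor ', '<EntityDescriptor xmlns="%s" ' % NS["md"], 1)
    .replace('<SPSSODescriptor ', '<SPSSODescriptor AuthnRequestsSigned="true" ', 1))

# Constructed IdP response with a Status but no Assertion, the shape that
# produced the NullPointerException described above.
EMPTY_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2015-08-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print("bad metadata:", check_sp_metadata(BAD_METADATA))
    print("good metadata:", check_sp_metadata(GOOD_METADATA))
    print("empty response usable:", response_is_usable(EMPTY_RESPONSE))
```

Run it against a real export by passing the file contents to `check_sp_metadata`; an empty list means the root namespace, an ACS endpoint and the signing flag are all present. `check_response` is the guard a consumer wants before touching the assertion: a non-Success status with no assertion is a normal protocol outcome and should produce a readable error, not an exception.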
Use refresh token for authentication
by Sebastian Olscher
Hello guys,
we're using the "Direct Grant Access" flow described in chapter 15 of the Keycloak user documentation. As we understand it, the following steps are necessary:
1.: Do the token request with "username/password" and "grant_type=password" to the token server (keycloak).
2.: The token response from keycloak contains an "access_token" and a "refresh_token".
3.: Normally, the client uses the "access_token" within the HTTP-Header (Authorization Bearer *access_token*) to do the authentication.
Everything works as expected. We have found that you can also use the "refresh_token" instead of the "access_token" in step 3 to do the authentication, and it will still succeed. From our point of view, this is possible because the keycloak-wildfly-security-module does not check the token type. But, from our understanding, the "refresh_token" is not intended for authentication, so this should not work, right? So my two questions are:
1.: Why is the authentication with the "refresh_token" successful?
2.: The "refresh_token" in the token response is defined as an optional element within the OAuth 2.0 specification, so is there any possibility to prevent Keycloak from returning it?
Thanks,
Sebastian
8 years, 7 months
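As an added example (not code from the thread and not Keycloak adapter code), the Python below shows the check a resource server should apply so that a refresh token cannot be presented as a Bearer credential: Keycloak-issued JWTs carry a "typ" claim, and the example assumes the values "Bearer" for access tokens and "Refresh" for refresh tokens. It runs after signature verification, which is assumed to have already happened; the issuer URL, clock value and the two tokens are constructed for the example and unsigned.

```python
"""Added example (not Keycloak code): a resource-server check that refuses a
refresh token presented as a Bearer credential. Keycloak JWTs carry a "typ"
claim; this example assumes "Bearer" for access tokens and "Refresh" for
refresh tokens. Signature verification is assumed to have happened before
this check runs; the tokens below are constructed and carry a dummy signature."""
import base64
import json


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_token(claims):
    """Build an unsigned JWT-shaped string for the example (dummy signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "dummy-signature",
    ])


def accept_bearer(token, expected_issuer, now):
    """Return the claims of an access token, or raise ValueError.

    Runs after signature verification. Anything whose typ claim is not
    "Bearer" is rejected, so a refresh token (typ "Refresh") cannot be
    replayed as an API credential even though the same realm key signed it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("typ") != "Bearer":
        raise ValueError("token type %r is not an access token" % claims.get("typ"))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    return claims


ISSUER = "https://sso.example.test/auth/realms/demo"  # assumed realm URL
NOW = 1440000000  # fixed clock for the example

ACCESS_TOKEN = make_test_token({
    "typ": "Bearer", "iss": ISSUER, "sub": "user-1", "exp": NOW + 300})
REFRESH_TOKEN = make_test_token({
    "typ": "Refresh", "iss": ISSUER, "sub": "user-1", "exp": NOW + 1800})


def demo():
    """Return (access token accepted?, refresh token rejected?)."""
    accepted = accept_bearer(ACCESS_TOKEN, ISSUER, NOW)["sub"] == "user-1"
    try:
        accept_bearer(REFRESH_TOKEN, ISSUER, NOW)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the typ check is that a refresh token is a long-lived credential for the token endpoint only; if the resource server accepts it as a Bearer token, the effective access-token lifetime becomes the refresh-token lifetime. The check belongs in the adapter or in a filter in front of the protected resource, after the signature and issuer have been verified.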
Different token timeouts for clients under the same realm
by robinfernandes .
Hi All,
Is there a possibility where we can set different token timeouts for
clients under the same realm?
The use case for this is that we have 2 applications which require 2
different timeout settings.
We want the web client timeouts to be short since there would be human
intervention there always, however we want our Agent timeouts to be very
large since there might not be anyone to log into it again.
Using Keycloak, we have seen that the timeout settings can be applied only
at the realm level, though, which forces us to have each application in a
different realm.
Can we have the timeout settings at the client(application) level rather
than the realm level so that we can put both the applications in the same
realm?
Thanks & Regards,
Robin
8 years, 7 months
Customizing themes
by Bhanu Kiran
Hello,
Please provide input on the query below.
1. We are customizing the login, forgot-password and registration screens. Let us
know how we can override the Java functionality and pass user-entered data to the
service provider.
Thanks,
Bhanu
8 years, 7 months
Keycloak and Spring MVC (boot-less)
by Allen Lester Sandiego
Hi,
I've been trying to get my Spring web application to work with Keycloak without any luck. I have created a post on stackoverflow.com regarding this. I also posted on one of the Keycloak blog posts but was advised to send an email here.
I'll be posting the URL of the Stack Overflow thread here as it is quite lengthy. Let me know if you want me to copy and paste the content here instead.
How to integrate Keycloak with Spring (boot-less)?

Thanks,
Allen
8 years, 7 months