October 2016 - keycloak-user - Jboss List Archives

Organization Based Accounts and Permissions

by Charles Henck

Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin

4 years, 10 months

6
19
0 / 0

Best setup to extend Keycloak

by Francis Zabala

Hello, What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly? Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification. Regards,Francis

5 years, 6 months

1
1
0 / 0

Offline tokens with external IDP

by Haim Vana

Hi, We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token: 1. The user log in to the UI 2. Generates offline token by entering his password again 3. Put the offline token in his script 4. Executes the script Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ? Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ? Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

5 years, 7 months

3
6
0 / 0

User impersonation - JWT

by Harry Trinta

Dears, I need a help with user impersonation on keycloak. I am authenticating users through the "/realms/test/protocol/openid-connect/token". As expected, it returns a token JWT. In my app, all requests go through apiman, which validates the JWT. Now, I need to personification of user. I'm calling the service "/admin/realms/test/users/USER_ID/impersonation", sending the token in the header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...). The service /impersonation creates the user session on keycloak, however doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified user instead of cookie.* It's possible? Best regards Harry Costa

5 years, 7 months

3
4
0 / 0

Refreshing Tokens

by Christopher Davies

I adding keycloak into a legacy application that uses GWT and Jetty. I have managed to get add Keycloak application using Spring-security. Because this is GWT I am doing the authorisation in the application myself. Sping just provides a way to get access to the KeycloakSecurityContext. The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly. I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed. Thanks Chris

5 years, 7 months

3
5
0 / 0

No state cookie returned from the keycloak adapter

by Sarp Kaya

Hello, A use case I have noticed is: 1) User tries to use the web application. Say http://www.app.com 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 3) Before logging in, user bookmarks this page. 4) User logs in and then gets redirected to http://www.app.com 5) All works fine up till now Now user logs out, closes browser etc. Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth…) 1) User sees a login page 2) User logs in 3) User gets redirected to http://www.app.com?state=… 4) At this point this below code: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... is executed and user sees a 400 page due not having OAuth_Token_Request_State . So far you can argue that, well we didn’t want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is: 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 6) Keycloak sees that user is already logged in so redirects back to the same page 7) User now can see http://www.app.com<http://www.app.com/> due to the OAuth_Token_Request_State created in step 5 So to me it seems like this check is obsolete, however I’m curious whether this has a user case or prevents anything. If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re issue OAuth_Token_Request_State ) instead of showing 400 page. Thanks, Sarp

5 years, 8 months

3
2
0 / 0

Spring security adapter for SAML

by Pulkit Gupta

Hi Team, I have a application with Spring security configured. We are trying to migrate the same to keycloak. Do we have a spring security adapter for keycloak with SAML. I went through the documentation and can see that we have a spring adapter but that is for open ID connect. -- Thanks, Pulkit AMS

6 years, 4 months

2
2
0 / 0

Support for transactional email providers like SendGrid, Mailgun or Mandrill

by Vineet Reynolds

Hi everybody, Has anyone managed to configure Keycloak 2.0.0.Final to use a transactional email API instead of configuring an SMTP server? I would prefer to have Keycloak send emails using a rest API like Sendgrid, Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running an SMTP server. I'd also appreciate if this is possible through the SPI providers. * Should I implement both EmailSenderProvider and EmailTemplateProvider SPIs ? * I cannot get my custom EmailSenderProvider SPI implementation to work, as the FreemarkerEmailTemplateProvider implementation fails to obtain the implementation of the EmailSenderProvider. Stack trace is below 13:17:53,991 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-39) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156) at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73) at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559) at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490) at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412) at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299) at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853) at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177) ... 57 more Thanks, Vineet

6 years, 4 months

3
3
0 / 0

JavaScript client, iframe and IE

by Thomas Raehalme

Hi! Has anyone encountered any problems with a JavaScript client running on Internet Explorer? It seems that IE applies some restrictions regarding <iframe /> and cookies. Unless the Keycloak server in question returns a P3P header, IE does not allow any cookies to be set by Keycloak inside the <iframe> on a JavaScript client. Here's Microsoft's blog post regarding the issue: https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/ If I have understood correctly IE doesn't really care about the header's value as long as it has been set. For example Google returns: P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info." What do you think, should Wildfly in the Keycloak distribution add the P3P header by default? Best regards, Thomas

6 years, 6 months

4
18
0 / 0

External Username, Password, Email... dataset with Keycloak

by Reed Lewis

Hi, We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak. Thank you, Reed Lewis

6 years, 7 months

4
16
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2016