October 2016 - keycloak-user - Jboss List Archives

Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse

by Charles Moulliard

Hi, I would like in a project to perform the following scenario A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where the address URL ("/rest/say") of the endpoint is secured using Keycloak WildFly plugin (keycloak.json contains the OIC). In order at the client side to get the OpenID token that I must send next to the endpoint using "Authentication: Bearer", is it this class that I must use to get an instance of Keycloak Keycloak.getInstance("http/localhost:8080/auth",realm, username, password, clientId) & next the token to send Keycloak.tokenManager().grantToken(); ? Class --> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integration/admin-c... Regards Charles

7 years, 6 months

3
5
0 / 0

Problems with bearer-only client

by Christoph Guse

Hi, currently I have some trouble getting an Access Token using a bearer-only client in combination with Keycloak 2.2.1. In my Proof Of Concept realm (sso-poc) I created a client which was configured to accept bearer-only authentication. If I got this right no user login is needed and this client type is perfect for technical users. Then I do a HTTP Post like this: curl -X POST -F "grant_type=client_credentials" -F "client_id=auth-app2" -F "client_secret=2fd7033a-1971-4855-b64c-b9783f1ff14d" https://web-sso/auth/realms/sso-poc/protocol/openid-connect/token <https://web-sso.services.emea.dir/auth/realms/sso-poc/protocol/openid-con...> Unfortunately the response is not an AccessToken but the error message { "error": "invalid_client", "error_description": "Bearer-only not allowed" } As I configured the client as bearer-only authentication, I'm a little helpless and I ran out of ideas what I could do. Any ideas? Thank you in advance, Christoph

7 years, 6 months

2
1
0 / 0

JWT token auth. advice

by Mohan.Radhakrishnan＠cognizant.com

Hi, I have a general question about how we use JWT tokens. Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains. That seems to be our scenario. AFAIK there is no OAuth/OpenID in this system. Our JWT token from the browser is sent in a header to Rest Endpoint-1. This endpoint isn't secured. I mean that it can't verify the claims in the token. The claims don't represent any information related To this endpoint. It just passes the token along to Endpoint-2 which is capable of verifying the token. Is this Endpoint-1 considered insecure now ? It is just a mediator but anyone with the token can access it. How do I make Endpoint-2 trust Endpoint-1 ? Thanks, Mohan This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

7 years, 6 months

2
1
0 / 0

Custom Adapter Logout logic

by Jared Blashka

Is it currently possible to hook into the adapter's logout logic to trigger some custom behavior without interrupting the logout flow? For example, if I want to audit logout activity on a particular SP or delete some cookies (if it was a front-channel logout request) without stopping the normal federated logout process. Jared

7 years, 6 months

3
3
0 / 0

Prevent JS Adapter from redirecting if already logged in

by Gregor Jarisch

Hi there, we have a single page application using the JS adapter. Once the user is logged in and a page redirect occurs, the SPA loads, but immediately reloads once again when keycloak adapter authenticates. Since the user was logged in before already, we would have assumed that no further page refresh has to be made. Interestingly, when we manually pass on all the token values in the init method (for testing purposes), the page doesn't refresh a second time and the user is authenticated. As we would have expected it to be. This might be just a misunderstanding of how this adapter is supposed to work, but from our understanding the purpose of the iframe and the set cookie is to make sure the user stays authenticated. Thus, shouldn't the keycloak adapter "store" the tokens and use them on a page refresh if they are valid in order to authenticate without the need for an additional page refresh? Would be nice if somebody can explain this mechanism a bit further and maybe even give a hint on what we are doing wrong here.. We are puzzled at the moment. Thanks Gregor

7 years, 6 months

4
7
0 / 0

Exceptions when including 'keycloak-spring-boot-adapter' under Jetty

by Bas Dalenoord

Hello, I'm trying to secure a Spring Boot-based application using Keycloak, but as soon as I include the 'keycloak-spring-boot-adapter' artifact, my application does not start anymore, throwing seemingly unrelated exceptions. I'm following this tutorial <http://slackspace.de/articles/authentication-with-spring-boot-angularjs-a...>for the backend part, but I upgraded all version numbers to the latest final releases available. I've created a stripped down version of the application with which I can reproduce the errors. It can be found on my GitHub <https://github.com/bdalenoord/keycloak-spring-boot-issue>. If I remove the adapter-artifact, everything starts normally. I'm guessing it has to do with Spring Boots autoconfiguration, but I cannot figure out what I should change to get everything working. Can anyone tell me what I'm doing wrong and what I can do to fix the problem? Thanks, Bas

7 years, 6 months

2
2
0 / 0

Attribute / Session persistence in IdP-initiated SAML + OIDC authentication setup

by Chris Brandhorst

I have the following situation: a user has an application (AppSource) for which he has credentials and which can act as a SAML IdP. He also uses another application (AppTarget) for which he has credentials and which can act as a OIDC IdP. Finally I have Keycloak which can give the user access to a number of other applications. [[AppSource]] ------ IdP-initiated SAML ------> [[Keycloak]] <------ OIDC ------> [[AppTarget]] I’ve got the basics running: I can login to Keycloak using both IdPs and can adjust the behaviour using the Authentication Flows. The initial situation however is that the users are not present in Keycloak yet. I would like the following: 1. User access Keycloak from AppSource through the IdP-initiated SAML POST binding (the only one AppSource supports). With this call, a unique ID is sent from AppSource. AppSource is trusted (signed SAML etc); 2. Keycloak checks if this AppSource ID is known for a user. If so, it retrieves that user and sets it in the context: we have a successful login! 3. If the AppSource ID is not known, it should present the user with some instructions and methods for signing in, including signing in with their AppTarget account through OIDC. The AppSource ID is somehow remembered; 4. The user clicks that IdP, enters his credentials and once he is redirected back to Keycloak, Keycloak collects the user profile from AppTarget, creates a Keycloak user with that data, sets the AppSource ID on this account and sets this user in the context: we have login! I’ve got steps 1 and 2 working using a scripted Authentication flow. If I set this one to optional and add an alternative Username Password Form or Identity Provider Redirector, I am able to continue to the AppTarget IdP when the AppSource ID is not known (using context.attempted in the script). However I do not know how to link the two logins once the user comes back from AppTarget to Keycloak. I tried storing the AppSource ID in the session in the script (context.getSession.setAttribute), but this value is gone after coming back from the AppTarget federated login. Can anybody shed some light on how I am able to achieve what I want? Maybe my approach is flawed? Thanks for any ideas! Regards, Chris Brandhorst

7 years, 6 months

1
0
0 / 0

FW: Custom User Attributes

by Bruno Palermo

Hi, I'm trying to implement some custom user attributes on the registration page. I followed the steps on: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/... It works fine, but when the user submits a form with an error, the custom attribute value is not saved. There's any way to save it between invalid submissions? Maybe use something like: value="${(account.attributes.mobile!'')?html}" Thanks, Bruno

7 years, 6 months

1
0
0 / 0

Resources: create/remove by app (resource server)?

by Timo Pulkkinen

Hello, in your opinion, what is the best way to manage dynamically changing resources within Keycloak - is it by hooking the Authorization Client Java API to the resource server server-side page add/change/remove events/event handlers ? A good example of this kind of system could be a CMS system in which the content admins add/remove content nodes(pages) dynamically, and the resource read/write access would be controlled using Keycloak. br, Timo

7 years, 6 months

2
1
0 / 0

Looking for a non Admin Java client

by Chris Savory

We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating. The particular use case I’m researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database. Currently we the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I’d prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates. Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC? -- Christopher Savory Software Engineer | EdLogics

7 years, 6 months

2
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2016