Implement the Authorization Code Flow using KeyCloak
by Cristi Cioriia
Hi guys,
I've just installed Keycloak 2.3.0.Final and I would like to ask you how I
can implement an "Authorization Code Flow" using it.
I've looked at the Keycloak basics tutorial from youtube which explained
pretty well how things should work, but the 2.3 version has a user interface
that is pretty different.
In the 2.3 UI, unlike in the 1.5 version that is used in the youtube
tutorial, there is no OAuth Client section and the Clients interface seems
to contain both the configuration for the Resource Server that contains the
protected resources that I want to access and for the third-party
application that I want to develop and that will call the protected
resources from the Resource Server. So the questions that I have in this
regard are:
1) How do I define several third-party applications that use the same
Resource Server?
2) Which are the configurations that are specific to the Resource Server
and which ones are the configurations that are specific to the third-party
application?
It seems to me that the Enable Authorization flag is specific to the
Resource Server because it allows me to manage resources through the
Authorization tab while Credentials tab is specific to the third-party
application, because it contains a Client-Id and a Secret that I can use to
request from the Authorization-Server an access token. Moreover, in the
Scope tab, I could use the "Client Roles" to define the scopes that I need
for my third-party app to request from a user of the Resource Server by the
authorization server and the Installation tab can be used by both types of
application to generate the Keycloak file that is used for configuring both
types of applications.
All the other settings seem to belong to the Resource Server application;
is this correct?
3) Is there a way to configure the consent screen for the user? E.g. I'd
like to allow the resource owner to enter some data, like "allow
transactions only for amounts below a X value", where X is the data entered
by the user.
Thanks,
Cristi
7 years, 6 months
Having difficulty logging out in a 2 client scenario
by Chris Savory
Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
Everything between the two is working fine until I try to logout under certain conditions.
Logout works fine if I first deep link into a protected page in my app. The SpringSecurity adapter for client #1 redirects me to Keycloak. Keycloak then logs me in and sends me back to my app where my token was issued for client #1. If I logout under this scenario via the SpringSecurity adapter it works fine.
In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter in client #2. Then through a REST call to my Spring App (in which a Bearer token is passed) a Java session is established on Tomcat. When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and Keycloak returns a 400 error, thus nullifying the logout.
I also tried another scenario where I use the JS Adapter to get the logout URL and log out directly to Keycloak via `window.location = keycloak.createLogoutUrl({ redirectUri: "/site-url" })`. This actually logs out the user from all clients (which is what I want), but the problem here is on the next request to the Spring app I think there is still an HttpSession alive and I'm running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.
Any advice on how to proceed from either of these two scenarios?
--
Christopher Savory
Software Engineer | EdLogics
7 years, 6 months
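As an added example (not code from the post above or from Keycloak's adapters), the logout decision the post describes, written in JavaScript: the back-channel POST form is used only when a refresh token is actually present, otherwise the front-channel logout URL is built, and local state is dropped in both cases. The logout endpoint path, the config fields, the client names and the session shape are assumptions made for this example.

```javascript
// Added example, not from the post or the Keycloak adapters. Assumes the
// Keycloak logout endpoint at <authServerUrl>/realms/<realm>/protocol/openid-connect/logout
// (front-channel GET with redirect_uri, back-channel POST with client_id,
// client_secret, refresh_token). Config and session values are constructed.

function logoutEndpoint(authServerUrl, realm) {
  return authServerUrl.replace(/\/+$/, "") +
    "/realms/" + encodeURIComponent(realm) + "/protocol/openid-connect/logout";
}

// Front-channel logout: send the browser to Keycloak, which ends the SSO
// session for every client, then redirects back. A relative redirect URI is
// rejected here so the request carries something Keycloak can match against
// the client's registered redirect URIs.
function buildLogoutUrl(authServerUrl, realm, redirectUri) {
  if (!/^https?:\/\//i.test(redirectUri)) {
    throw new Error("redirectUri must be absolute: " + redirectUri);
  }
  return logoutEndpoint(authServerUrl, realm) +
    "?redirect_uri=" + encodeURIComponent(redirectUri);
}

// Pick the logout path for whatever the server-side session currently holds.
// A token issued to the public client arrives with no refresh token, so a
// back-channel POST would carry an empty refresh_token and be refused with
// 400, which is the failure the post describes. Fall back to the
// front-channel URL in that case, and always drop local state afterwards.
function planLogout(session, cfg) {
  if (session.refreshToken) {
    const form = new URLSearchParams({
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      refresh_token: session.refreshToken,
    });
    return { kind: "backchannel", url: logoutEndpoint(cfg.authServerUrl, cfg.realm),
             body: form.toString(), clearLocal: true };
  }
  return { kind: "frontchannel",
           url: buildLogoutUrl(cfg.authServerUrl, cfg.realm, cfg.postLogoutUri),
           clearLocal: true };
}

// Constructed sample config and sessions (placeholder values, not real ones).
const sampleCfg = { authServerUrl: "https://sso.example.test/auth/", realm: "demo",
  clientId: "spring-app", clientSecret: "PLACEHOLDER_SECRET",
  postLogoutUri: "https://app.example.test/site-url" };
const confidentialSession = { token: "at-1", refreshToken: "rt-1" };
const publicSession = { token: "at-2", refreshToken: null };
```

The `clearLocal` flag stands for invalidating the HttpSession and SecurityContext on the app side, which the post's second scenario shows is still needed after a front-channel logout.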
Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
by Guy Bowdler
hi all,
We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy
which farms out requests to internal applications. This should allow us
to maintain a single namespace for all applications (<hostname>/appname
redirects to appname.local) and gives authenticated visibility of who's
accessing what at the front end proxy.
DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various applications]
Keycloak runs on its own server and is published via an NGINX proxy in
the DMZ
DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
and then after logging in, we get an "invalid Redirect URI" error from
Keycloak. We've found that for some reason, the redirect URL from
KeyCloak is appending the :8080 port value from the KeyCloak Security
proxy (verified as if we change this port number, the value changes in
the redirect URL). It's like KeyCloak is redirecting back to the
NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
which is what we were expecting. This is possibly by design, or
possibly a bug, or possibly a side effect of our configuration.
Has anyone tried using the KeyCloak security proxy in this manner? It's
clear that the intended use is as a single instance adapter for a single
local application, whereas our application happens to be an nginx proxy
redirecting to different applications using location directives.
7 years, 6 months
Losing some sessions during clustering
by Chris Hairfield
Hello Keycloak users,
We're seeing strange behavior with the session handling when starting up a
new node. Keycloak doesn't retain all sessions. Here's our experiment:
1. start with 1 node containing a few dozen sessions
2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
3. wait for 10 minutes
4. stop node 1
End result: *some* of the clients connected are forced to log back in. Most
sessions remain.
We're still investigating, so I cannot infer beyond this point at the
moment. I'm simply curious whether anyone knows the following:
- are *all* sessions meant to be migrated to new nodes?
- how long does it take to migrate sessions?
- does a new node wait until sessions are migrated before it enables the
admin interface?
- is there any logic to prune sessions on clustering?
Any thoughts would be greatly appreciated.
Thanks,
Chris
7 years, 6 months
Infinite loop on one of our service's home page
by Ian Lachance
Hi,
We are running Keycloak in production on one of our servers. For now, Keycloak is used to connect to two of our services, both of them accessed by HTTPS.
One of them (service #1) is in the same server as Keycloak, and the other (service #2) is on another server.
We use NGINX to proxy pass to the three services: Keycloak and service #1 on some localhost ports, and service #2 on an external ip address.
When we authenticate on service #1, we have no problem, but when we authenticate on service #2, an infinite loop occurs on the home page.
When we look at the Keycloak Adapter on service #2, we can see the Keycloak object with the data (user, token, etc.), but the page refreshes automatically.
When the page refreshes, it's not caused by a logout call in our JavaScript code.
Do you have any idea what it can be?
We are using Keycloak version 2.2.1 FINAL.
Thank you,
Ian
Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is strictly prohibited and may be unlawful. Communication by email is not a secure medium and, as part of the transmission process, this message may be copied to servers operated by third parties while in transit. If you received this message in error, please immediately contact the sender by reply email and delete it from your computer, including any attachments.
7 years, 6 months
Infinite loop on one of our service's home page
by Eric Matte
Hi,
We are running Keycloak in production on one of our servers. For now, Keycloak is used to connect to two of our services, both of them accessed by HTTPS.
One of them (service #1) is in the same server as Keycloak, and the other (service #2) is on another server.
We use NGINX to proxy pass to the three services: Keycloak and service #1 on some localhost ports, and service #2 on an external ip address.
When we authenticate on service #1, we have no problem, but when we authenticate on service #2, an infinite loop occurs on the home page.
When we look at the Keycloak Adapter on service #2, we can see the Keycloak object with the data (user, token, etc.), but the page refreshes automatically.
When the page refreshes, it's not caused by a logout call in our JavaScript code.
Do you have any idea what it can be?
We are using Keycloak version 2.2.1 FINAL.
Thank you,
Eric
7 years, 6 months