Resource server implementation best practices?
by Guus der Kinderen
Hello,
When implementing one or more services that, based on an access token,
expose data related to the user identified in the access token, is
there a "best practice" with regard to handling the available scopes?
I'm debating between having one resource server that exposes all data to
which the token grants access, versus having a resource server "per
claim" that either returns data or an error code, based on the presence
of a particular scope within the access token.
Is there a common approach / best practice that covers this?
Regards,
Guus
7 years, 4 months
Access Token and email address
by Guus der Kinderen
Hello,
Is it possible to withhold the email address of a user from a token (unless
a specific claim/role is granted)?
Regards,
Guus
7 years, 4 months
Session timeouts for SPA + bearer backend
by Andy Yar
Hello,
I'm having a problem with my Angular-based SPA.
TL;DR
The app's session seems to be valid (cookies), although requests to the backend
fail since its token has expired: openid-connect/token = HTTP 400
(Refreshing token: token expired).
=========================
The app itself is protected with keycloak.js (Access Type: public +
Standard Flow: ON + login_required) and the backend is built with the Spring
Security adapter (Access Type: bearer-only).
Everything works fine until I leave the app idle for some time and then
resume using it (requesting from the backend). When I do so, the backend starts
to respond with an error as if its session had timed out: openid-connect/token
returns 400. However, obviously, the session for the app itself hadn't
expired yet.
As far as I know, there is for instance a KEYCLOAK_SESSION cookie which is
checked periodically by keycloak.js. When I remove the cookie manually, it
gets checked and the app gets redirected to its login screen.
KC version used is 2.2.1.Final. My realm token settings:
* Revoke Refresh Token: OFF
* SSO Session Idle: 30mins
* SSO Session Max: 6days
* Offline Session Idle: 30days
* Access Token Lifespan: 15mins
* ditto for Implicit Flow: 18mins
How should I set my app/token settings up to solve this? Should I just
force my client to re-login as soon as "Refreshing token: token expired" occurs? I don't
know what the proper way to handle this is...
Thanks in advance.
7 years, 4 months
How to configure Keycloak in case of Reverse Proxy with NAT?
by Michael Furman
Hi all,
I need to configure Keycloak to work behind a reverse proxy with Network Address Translation.
I have servers that have an external IP for access from a browser and an internal IP for inter-process access.
Also, it is not possible to reach the external IPs from the internal IPs.
Therefore, the following configuration should be returned upon a call to http://<external IP>/auth/realms/master/.well-known/openid-configuration:
"issuer":"http://<external IP>/auth/realms/master",
"authorization_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/token",
"userinfo_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/userinfo",
"jwks_uri":"http://<internal IP>/auth/realms/master/protocol/openid-connect/certs",
"end_session_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/logout",
"check_session_iframe":"http://<external IP>/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"token_introspection_endpoint":"http://<internal IP>/auth/realms/master/protocol/openid-connect/token/introspect",
I will be happy for any insights.
Michael
7 years, 4 months
Re: [keycloak-user] Keycloak user registration
by JAYAPRIYA ATHEESAN
Keeping the list in the loop.
So how can we proceed with this?
Won't we be able to verify or use that user id again?
Will the user we created but did not verify within 60 minutes be
invalid forever? Isn't there any way to re-verify the user?
Thanks,
Jayapriya Atheesan
From: JAYAPRIYA ATHEESAN [mailto:jayapriya.atheesan@gmail.com]
Sent: Friday, November 25, 2016 5:48 PM
To: 'abhishek raghav'
Subject: RE: [keycloak-user] Keycloak user registration
So how can we proceed with this?
Won't we be able to verify or use that user id again?
Thanks,
Jayapriya Atheesan
From: abhishek raghav [mailto:abhi.raghav007@gmail.com]
Sent: Friday, November 25, 2016 2:09 AM
To: JAYAPRIYA ATHEESAN
Subject: Re: [keycloak-user] Keycloak user registration
In your use case you are trying to verify the email of the registered user
through a link. Since a link is already generated by keycloak as a required
user action and sent to the user's email id that means the user is already
created in keycloak.
So you can not create that user again with the same email id.
On Thu, Nov 24, 2016 at 3:54 PM, JAYAPRIYA ATHEESAN
<jayapriya.atheesan(a)gmail.com> wrote:
Hi Team,
If I don't verify the email id I signed up with in Keycloak, and the
email verification link has expired, how do I proceed?
If I try to sign up using the same email id, I get an error saying the mail id
already exists.
Do we have any solution for this issue?
Thanks,
Jayapriya Atheesan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 4 months
Keycloak - force session revalidation (update?)
by Mariusz Chruscielewski - Info.nl
Hi,
In our case, when a customer pays for a subscription, we add the subscription number and an additional role to his account in KC. During this process the customer is logged in. Is there a way to smoothly update his session details to include the new role (without logout/login)?
We use the Java adapter to secure our webapp. Is there a way to update the Keycloak Context from Java (API call?)
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz@info.nl | LinkedIn: https://www.linkedin.com/in/mariusz-chruscielewski | +31 (0)20 530 9113
info.nl | http://www.info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
7 years, 4 months
Token introspection
by venito camelas
Is it possible to have an app making token introspection requests for
tokens not issued for it? I'll try to explain:
Keycloak issues tokens to be used in a specific Resource server, the RS
then validates the token (self contained info or token introspection
endpoint). The situation is something like this:
                1                           3
        ---------------------- KK ----------------------
        |                                              |
        |                       2                      |
     Client --------------------------------------- RS
1 - Client gets token to use with RS
2 - Client uses token to make a request to RS
3 - RS makes a token introspection request
Now, I want to add a router in the middle, I'd like the router to make the
token introspection request (with the token issued for the RS) and then
allow to go to the RS if everything is ok:
                1
        ---------------------- KK ----------------------
        |                      |                       |
        |                     3|                       |
        |          2           |           4           |
     Client ---------------- Router ---------------- RS
1 - Client gets token to use with RS
2 - Client uses token to make a request to RS
3 - Router intercepts the request and validates token (expiration and stuff
like that)
4 - If validation is ok, the router allows the request to go to the RS, the
RS then validates scopes and specific stuff.
Thank you
7 years, 4 months
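An added worked example covering both the "Resource server implementation best practices?" question above (one resource server with a per-endpoint scope requirement, 403 when the scope is absent) and the router-in-the-middle layout just described (the router asks only "is this token live?", the RS decides authorization). This is example code, not code from the thread or from Keycloak: the HS256 secret stands in for the realm's RS256 key pair and JWKS endpoint so the block runs offline, the issuer, audience and endpoint paths are assumptions, and introspect() is a stand-in for POST .../protocol/openid-connect/token/introspect, which in real Keycloak requires the calling client's credentials and answers in RFC 7662 shape.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: an HS256 secret stands in for the realm's RS256 key pair and
# JWKS endpoint so the block runs offline. Issuer and audience are assumptions.
SECRET = b"example-realm-signing-key"
ISSUER = "http://localhost:8080/auth/realms/demo"
AUDIENCE = "account-api"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, scope: str, aud: str = AUDIENCE, lifetime: int = 900, now: int = None) -> str:
    """Mint a signed access token the way the authorization server would (constructed)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
                                  "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int = None):
    """Self-contained validation: signature, issuer, expiry. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:  # bad base64url or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def introspect(token: str, now: int = None) -> dict:
    """Stand-in for the introspection endpoint: RFC 7662 shape, 'active' plus the claims."""
    claims = verify_token(token, now)
    return {"active": False} if claims is None else {"active": True, **claims}


def router_gate(token: str, now: int = None):
    """Step 3 of the diagram: liveness/expiry only, no knowledge of the RS's rules."""
    if not introspect(token, now).get("active"):
        return 401, {"error": "invalid_token"}
    return None


# One resource server, one required scope per endpoint, 403 when it is missing.
REQUIRED_SCOPE = {"/me/profile": "profile", "/me/email": "email", "/me/phone": "phone"}


def resource_server(path: str, token: str, now: int = None):
    """Step 4: the RS re-validates the token itself and enforces audience and scope."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    if claims.get("aud") != AUDIENCE:
        return 401, {"error": "invalid_token", "error_description": "token not issued for this RS"}
    needed = REQUIRED_SCOPE.get(path)
    if needed is None:
        return 404, {"error": "not_found"}
    if needed not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope", "required_scope": needed}
    return 200, {"sub": claims["sub"], "resource": path}


def handle(path: str, token: str, now: int = None):
    """Full request path: router introspection first, then the RS's own checks."""
    return router_gate(token, now) or resource_server(path, token, now)
```

The RS never trusts the router's verdict alone: it validates the token itself, so a request that bypasses the router gets the same answer. The router's 401 and the RS's 403 are deliberately different so a client can tell "get a new token" apart from "this token will never be enough".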
Issue Configuring HTTP Reverse Proxy to Keycloak
by Colin Ritchie
Hello,
I am having trouble getting keycloak to work behind a reverse proxy.
I have installed Keycloak on the same server as our existing web
application running in Tomcat, with keycloak listening on 8081 and Tomcat
listening on 8080. I have configured an HTTP reverse proxy in Tomcat
using https://github.com/mitre/HTTP-Proxy-Servlet. I am forwarding /auth
to the reverse proxy, which in turn connects to Keycloak
(http://localhost:8081/auth).
When I visit "http://localhost:8080/auth", the first page in this scenario
works: the "Welcome to Keycloak" page appears. But when I click on the
"Administration Console" link, the first redirect works, to
"/auth/admin/master/console". But it then quickly redirects the browser
directly to the keycloak port (8081):
http://localhost:8081/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a36dd30e-6268-4545-9a4f-a397169917b6&nonce=79d7099d-10df-471f-96e9-b13a8da17b55&response_mode=fragment&response_type=code&scope=openid
The reverse proxy sets the X-Forwarded-For and X-Forwarded-Proto headers.
And I have configured keycloak according to
https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html,
setting the proxy-address-forwarding attribute.
I am also seeing, on the final redirected page, the error "Invalid
parameter: redirect_uri".
Any help would be very appreciated.
--
Colin Ritchie | Engineering Manager | Tasktop Technologies
7 years, 4 months
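An added example for this post and for the earlier "Reverse Proxy with NAT" question: a small model of how a proxy-aware server reconstructs the public base URL it puts into redirects and the discovery document from the request's Host and X-Forwarded-* headers. It is example code written for this page, not Keycloak's or Undertow's implementation; the header precedence follows the common X-Forwarded-* convention (the one WildFly's proxy-address-forwarding setting honours), the realm paths copy the shape of the discovery document quoted above, and the host names and ports in the test are constructed.

```python
DEFAULT_PORT = {"http": "80", "https": "443"}


def public_base_url(headers: dict, local_scheme: str = "http", local_host: str = "localhost:8081",
                    from_trusted_proxy: bool = True) -> str:
    """Return scheme://host[:port] as the server believes the browser addressed it.

    Simplified model (an assumption, not Keycloak's code): X-Forwarded-Proto/-Host/-Port
    override the request's own scheme and Host, but only for requests that arrived via a
    proxy we trust, otherwise any client could inject a host of its choosing into the
    redirects and the issuer. IPv6 host literals are not handled."""
    h = {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}
    if not from_trusted_proxy:
        h = {k: v for k, v in h.items() if not k.startswith("x-forwarded-")}
    scheme = h.get("x-forwarded-proto", local_scheme)
    # A proxy that rewrites Host to its upstream (e.g. localhost:8081) and does not send
    # X-Forwarded-Host leaves the server with no way to learn the public host.
    host = h.get("x-forwarded-host") or h.get("host") or local_host
    port = h.get("x-forwarded-port")
    if port and ":" not in host:
        host = f"{host}:{port}"
    hostname, _, hostport = host.partition(":")
    if hostport == DEFAULT_PORT.get(scheme):
        host = hostname
    return f"{scheme}://{host}"


def discovery_document(headers: dict, realm: str = "master", **kw) -> dict:
    """In this model every endpoint derives from the same per-request base, so which IP a
    caller sees depends on which host the caller used, not on a per-endpoint setting."""
    base = f"{public_base_url(headers, **kw)}/auth/realms/{realm}"
    oidc = f"{base}/protocol/openid-connect"
    return {
        "issuer": base,
        "authorization_endpoint": f"{oidc}/auth",
        "token_endpoint": f"{oidc}/token",
        "userinfo_endpoint": f"{oidc}/userinfo",
        "jwks_uri": f"{oidc}/certs",
        "end_session_endpoint": f"{oidc}/logout",
        "token_introspection_endpoint": f"{oidc}/token/introspect",
    }
```

Usage: feed public_base_url() the exact header set the proxy emits. With only X-Forwarded-For and X-Forwarded-Proto and a rewritten Host, the model yields the upstream's own host and port, which is what an 8081 redirect looks like; adding X-Forwarded-Host changes the result. The from_trusted_proxy flag is the check to keep in mind when enabling forwarded-header handling on a server that is also reachable directly.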
Does refreshing the token extend the session?
by Chris Stephens
We have an Angular app and are using the Keycloak JS adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our Angular app. When they come back in, the initialization logic goes to the Keycloak server to make sure they are logged in. What our QA team is telling us is that after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.
Christopher Stephens
7 years, 4 months
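An added example for this question and for the earlier "Session timeouts for SPA + bearer backend" thread: a model of how the realm timeouts quoted there (SSO Session Idle 30 min, SSO Session Max 6 days, Access Token Lifespan 15 min) interact with a client that refreshes on a timer. This is illustrative code written for this page, not Keycloak's implementation; it encodes the documented meaning of the settings (a refresh resets the idle clock but never the max clock, and the refresh token is only usable while the SSO session is alive). Whether check-sso counts as activity is deliberately not modelled, since the thread does not settle it.

```python
from dataclasses import dataclass

# Realm settings quoted in the thread, in seconds. Assumption: this models the documented
# meaning of the timeouts; it is not Keycloak's own session code.
SSO_SESSION_IDLE = 30 * 60
SSO_SESSION_MAX = 6 * 24 * 3600
ACCESS_TOKEN_LIFESPAN = 15 * 60


class RefreshRejected(Exception):
    """What the client sees as HTTP 400 from .../openid-connect/token."""


@dataclass
class SsoSession:
    started: int        # login time
    last_refresh: int   # last successful token refresh

    def expires_at(self) -> int:
        """The refresh token dies at the earlier of the idle deadline and the absolute max."""
        return min(self.last_refresh + SSO_SESSION_IDLE, self.started + SSO_SESSION_MAX)

    def refresh(self, now: int) -> int:
        """grant_type=refresh_token: resets the idle clock, never the max clock, and returns
        the new access token's exp, capped by the session's remaining life."""
        if now > self.expires_at():
            raise RefreshRejected("400 invalid_grant: refresh token expired")
        self.last_refresh = now
        return min(now + ACCESS_TOKEN_LIFESPAN, self.started + SSO_SESSION_MAX)


def needs_refresh(now: int, access_exp: int, min_validity: int = 5) -> bool:
    """The updateToken(minValidity) rule: refresh when fewer than min_validity seconds remain."""
    return access_exp - now < min_validity


def run_client(schedule, login_at: int = 0):
    """Replay the instants at which the SPA's timer fires. On a 400 the only recovery is a
    new login, so the run records 'relogin' and starts a fresh session at that instant."""
    session = SsoSession(started=login_at, last_refresh=login_at)
    access_exp = login_at + ACCESS_TOKEN_LIFESPAN
    log = []
    for t in schedule:
        if not needs_refresh(t, access_exp):
            log.append((t, "still valid"))
            continue
        try:
            access_exp = session.refresh(t)
            log.append((t, "refreshed"))
        except RefreshRejected:
            log.append((t, "relogin"))
            session = SsoSession(started=t, last_refresh=t)
            access_exp = t + ACCESS_TOKEN_LIFESPAN
    return log, session
```

Two runs are worth comparing: a timer firing every 15 minutes keeps the idle clock reset for as long as the 6-day maximum allows, while a single gap longer than 30 minutes makes the next refresh fail with 400 even though the browser still holds its cookies, which is the situation the first thread describes. An access token that was issued just before the gap stays valid until its own exp, so a few bearer calls can still succeed after the refresh has started failing.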
Creating an user by rest api
by Celso Agra
Hi all,
I'm configuring keycloak to perform some actions with the rest api. I'm trying
to create a user using the register action (like the register page), but when
I call the rest api:
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
  -d '{"username": "bburke", "enabled": true, "email": "bburke@redhat.com",
       "firstName": "Bill", "lastName": "Burke",
       "credentials": [{"type": "password", "value": "password"}],
       "realmRoles": ["user", "offline_access"],
       "clientRoles": {"account": ["manage-account"]}}' \
  http://localhost:8080/admin/realms/servlet-authz/users
I got a 404 error. Would it be possible to create a user just using the rest
API?
Thank you.
best regards,
Celso Agra.
7 years, 4 months
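An added example of the two calls an automated client makes to create a user through the admin REST API: obtain an admin token from the master realm's admin-cli client with the password grant (the same flow the kcadm.sh tool uses), then POST a JSON user representation with that token as a bearer to /auth/admin/realms/{realm}/users. This is example code written for this page, not Keycloak's or the poster's; it assumes a Keycloak 2.x server serving under /auth on localhost:8080, an admin account in the master realm and the realm name servlet-authz from the post, and it sends only the attributes needed to create the account. The transport is injectable so the test below exercises the request shape against a fake server.

```python
import json
from urllib import error, parse, request

# Assumptions: Keycloak 2.x under /auth, an admin user in the master realm. Example code
# written for this page, not Keycloak's own client.
BASE_URL = "http://localhost:8080/auth"


def urllib_send(method: str, url: str, headers: dict, body: bytes):
    """Default transport: (status, response headers, response body). HTTP errors are
    returned rather than raised so callers can act on the exact status code."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers), exc.read()


def admin_token(username: str, password: str, send=urllib_send, base_url: str = BASE_URL) -> str:
    """Password grant against the master realm's admin-cli client."""
    form = parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                            "username": username, "password": password}).encode()
    status, _, raw = send("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                          {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    return json.loads(raw)["access_token"]


def create_user(realm: str, user: dict, token: str, send=urllib_send, base_url: str = BASE_URL) -> str:
    """POST the user representation as real JSON with a bearer token; on 201 the Location
    header holds the URL of the new user (its id is the last path segment)."""
    url = f"{base_url}/admin/realms/{parse.quote(realm, safe='')}/users"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json", "Accept": "application/json"}
    status, resp_headers, raw = send("POST", url, headers, json.dumps(user).encode())
    if status == 201:
        return resp_headers.get("Location", "")
    if status == 409:
        raise RuntimeError(f"user already exists: {raw[:200]!r}")
    raise RuntimeError(f"create failed: HTTP {status} {raw[:200]!r}")


# Constructed sample user; the email is the one from the post with the list's "(a)" restored.
NEW_USER = {
    "username": "bburke", "enabled": True, "email": "bburke@redhat.com",
    "firstName": "Bill", "lastName": "Burke",
    "credentials": [{"type": "password", "value": "password"}],
}

if __name__ == "__main__":
    token = admin_token("admin", "admin")          # assumed credentials
    print(create_user("servlet-authz", NEW_USER, token))
```

Note that the body is real JSON (double-quoted keys and strings); a body with single quotes is not JSON and is rejected before any user is created. Treat the admin token like the admin password it was derived from: request it over TLS, keep it out of logs, and let it expire rather than caching it.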