Fwd: Questions about Themes and JS Validation in the Keycloak instance
by Celso Agra
Hi,
I'm new to Keycloak. I need some help understanding some features, please.
So, I'd like to know about themes. Would it be possible to visualize the built
template before deploying it to the Keycloak instance? I'd like to see it
before publishing.
Also, I'd like to know if I can add some JavaScript validation on pages,
such as 'user-profile-registration.ftl'.
I searched for some template examples, but I didn't find any with that
validation.
Thanks a lot.
Best regards,
Celso Agra
7 years, 5 months
URI in User EMails
by Uli SE
Hi,
Because we are behind a firewall with a reverse proxy, the hostname the
users are using is not the hostname of our Keycloak server.
The mails generated by our Keycloak link to the internal host
and not to the external domain.
Is there a way to specify the domain that should be used in the mails?
Thanks,
Uli
7 years, 5 months
Max Login Failures and username_login_failure table
by Andrey Saroul
Hello!
I used to think that the table username_login_failure stores data on login
failures, but I noticed that when a user gets blocked by incorrectly entering
a password, the aforementioned table is still empty. When I searched the source
code for usages of the table, I found none. The same goes for many other tables,
like user_session, offline_user_session, etc. This kind of confuses my
expectations...
Are there any configuration steps I need to take in order to view the
corresponding data for these tables? Is this data stored only in the Infinispan
cache?
7 years, 5 months
Spring Boot Adapter and SSL Termination Issues
by Brian Watson
Hey all,
I am having a problem related to the Spring Boot adapter and SSL
termination at the load balancer level. I am using Keycloak
2.1.0.Final.
Locally, when not using HTTPS and setting "keycloak.ssl-required =
none", everything, including using google and facebook as identity
providers, works as expected.
However, I am now trying to deploy my demo to AWS. I am terminating
SSL at the ELB level, and that seems to be causing issues. Here is my
full config (with ... added for secrets & such):
----------
server.port = 8080
keycloak.realm = social
keycloak.realmKey = MIIB...
keycloak.auth-server-url = https://sso...
keycloak.ssl-required = all
keycloak.resource = adapter-client
keycloak.token-store = cookie
keycloak.credentials.secret = ...
keycloak.securityConstraints[0].securityCollections[0].name = secure
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /secure/*
----------
The issue I am having seems to be related to terminating SSL at the
ELB level. When tracing through a login request, all requests from the
browser seem proper. However, I get the following error in the demo
app:
----------
2016-11-28 04:44:59.829 ERROR 2531 --- [nio-8080-exec-5]
o.k.adapters.OAuthRequestAuthenticator : Adapter requires SSL.
Request: http://keycloakdemo.devcloud.applause.com/secure/index.html?state=...
----------
So, it appears that the adapter is expecting an SSL request, but the
ELB is terminating SSL, so the adapter just sees an HTTP request and
errors out.
Is there a way to configure the adapter to tell it SSL termination is
happening at the load balancer? I know that keycloak itself has such
configuration, but do the adapters?
Thank you,
Brian Watson
7 years, 5 months
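The error above is what an application sees when TLS stops at the load balancer: the servlet container's own view of the connection is plain HTTP, so a strict "SSL required" check fails even though the browser used HTTPS. The following class is an added example, not code from Keycloak or its Spring Boot adapter, showing the check an application behind a TLS-terminating proxy has to make instead: believe the forwarded scheme only when the immediate peer is a known proxy, so that an untrusted client on a plain HTTP hop cannot claim "https". The header name X-Forwarded-Proto and the trusted-proxy address list are assumptions for the example.

```java
import java.util.Set;

/**
 * Decides whether a request reached the application over TLS when a load
 * balancer in front of it may have terminated TLS. Added example (not the
 * Keycloak adapter's own logic): X-Forwarded-Proto is honoured only when
 * the connecting peer is one of the configured proxy addresses.
 */
public final class ProxyAwareSchemeResolver {

    private final Set<String> trustedProxyAddresses;

    public ProxyAwareSchemeResolver(Set<String> trustedProxyAddresses) {
        this.trustedProxyAddresses = Set.copyOf(trustedProxyAddresses);
    }

    /**
     * @param transportSecure what the container itself saw (request.isSecure())
     * @param remoteAddr      address of the peer that connected to the container
     * @param forwardedProto  value of X-Forwarded-Proto, or null if absent
     */
    public boolean isEffectivelySecure(boolean transportSecure, String remoteAddr,
                                       String forwardedProto) {
        if (transportSecure) {
            return true; // TLS all the way to the container: nothing to infer
        }
        if (forwardedProto == null || !trustedProxyAddresses.contains(remoteAddr)) {
            return false; // header absent, or sent by a peer we do not trust
        }
        // Some proxies send a comma-separated chain; the first entry is the
        // scheme the client-facing hop saw.
        String firstHop = forwardedProto.split(",")[0].trim();
        return "https".equalsIgnoreCase(firstHop);
    }

    public static void main(String[] args) {
        // Constructed addresses: 10.0.0.5 stands in for the load balancer.
        ProxyAwareSchemeResolver resolver =
                new ProxyAwareSchemeResolver(Set.of("10.0.0.5"));

        // Load balancer terminated TLS and forwarded over HTTP: treated as secure.
        System.out.println(resolver.isEffectivelySecure(false, "10.0.0.5", "https"));
        // Unknown client sends the same header directly: ignored, stays insecure.
        System.out.println(resolver.isEffectivelySecure(false, "203.0.113.9", "https"));
        // Proxy forwarded a request that arrived at it over plain HTTP.
        System.out.println(resolver.isEffectivelySecure(false, "10.0.0.5", "http"));
        // No header at all from the proxy: nothing to go on, insecure.
        System.out.println(resolver.isEffectivelySecure(false, "10.0.0.5", null));
    }
}
```

The middle case is the one that matters for a resource server: a scheme header is only evidence about the hop it describes, so an application that accepts it from any peer can be talked into treating a plaintext request as TLS-protected.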
spring sec/boot:: SPA -> Bearer_1 -> Bearer_2
by java_os
What's the best practice on this scenario:
--
SPA (has the token from keycloak.js) -->Rest call--> Bearer_1 -->Rest call
--> Bearer_2
Bearer_1 and Bearer_2 are Spring Security/Boot enabled.
REST calls between Bearer_1 and Bearer_2 use RestTemplates and inject
"Bearer token_long_string" into the "Authorization" header.
Bearer_1 has the KeycloakAuthenticationToken object.
Bearer_2 needs to be fed a valid, non-expired token somehow - but
how? Not sure if one can get this out of KeycloakAuthenticationToken and
pass it in the header of calls to Bearer_2.
Is this the right approach for in-flight REST calls between 2 bearers?
What's the best practice in this scenario?
Has anyone done this for real?
- thx.
7 years, 5 months
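The flow asked about above (token forwarded from Bearer_1 to Bearer_2 in the Authorization header of a RestTemplate call) can be written as a request interceptor. This is an added example, not code from Keycloak or from the poster's project; it assumes Bearer_1 is secured with the Keycloak Spring Security adapter, so that the current Authentication is a KeycloakAuthenticationToken whose account exposes a KeycloakSecurityContext, and it only forwards a token whose expiry has not passed. Bearer_2 still validates the forwarded token's signature and expiry itself as a bearer-only resource.

```java
import java.io.IOException;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.client.RestTemplate;

/**
 * Added example: copies the caller's bearer token from the Spring Security
 * context onto outgoing RestTemplate requests so that Bearer_2 can check it.
 * Assumes Bearer_1 uses the Keycloak Spring Security adapter.
 */
public class BearerForwardingInterceptor implements ClientHttpRequestInterceptor {

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof KeycloakAuthenticationToken) {
            KeycloakSecurityContext ctx = ((KeycloakAuthenticationToken) auth)
                    .getAccount().getKeycloakSecurityContext();
            // Forward only a token that is still valid; an expired one would just
            // produce a 401 from Bearer_2 and leak nothing useful either way.
            if (!ctx.getToken().isExpired()) {
                request.getHeaders().set(HttpHeaders.AUTHORIZATION,
                        "Bearer " + ctx.getTokenString());
            }
        }
        return execution.execute(request, body);
    }

    /** RestTemplate to use in Bearer_1 for calls to Bearer_2. */
    public static RestTemplate bearerForwardingRestTemplate() {
        RestTemplate template = new RestTemplate();
        template.getInterceptors().add(new BearerForwardingInterceptor());
        return template;
    }
}
```

Because the interceptor reads the thread-bound SecurityContext, it works for calls made on the request thread; calls made from a separate thread pool need the token captured first, and an expired token has to be refreshed (or the call rejected) in Bearer_1 rather than passed along.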
Suggestions and fix for e-directory user federation provider
by Tomas Tikovsky
Hello everyone,
I'm using the eDirectory LDAP federation provider and came across this bug,
KEYCLOAK-3099 <https://issues.jboss.org/browse/KEYCLOAK-3099>, as I was
experiencing the same problem.
eDirectory sends the guid attribute as byte[], so it needs to be declared as
binary, the same way as is done for Active Directory.
Sending a simple diff to fix this issue if you consider it helpful.
Novell was acquired by Micro Focus and their product has been renamed to
NetIQ eDirectory, so I incorporated that change as well.
Another thing I noted were 2 incorrect attribute mappings in the administration
console.
"username" -> "uid"
Correct as long as users are enabled for Linux (not default), otherwise cn.
So cn should work for more cases than uid.
"firstname" -> "cn"
Wrong, should be "givenname".
Cheers
Tom
7 years, 5 months
keycloak logout.js on brokering idp mode
by java_os
Is anyone here able to say what really happens behind the scenes when
using keycloak.js LOGOUT?
Need to know how it relates to the following 2 configs:
- Single Logout Service URL
- Backchannel Logout
My thought is that if the above 2 settings are left empty, keycloak will
kill its current browser session and redirect to the IDP login page? Y/N?
If SLSU is set, it will call into the IDP logout URL, kill the browser session and
display the IDP login page.
What is Backchannel Logout ON/OFF doing?
Keycloak devs, can anyone explain in detail how logout works through
keycloak.js?
The problem I see: when brokering Shibboleth, it fires a request on Shib and it
returns an AuthFailed response - no idea why.
The same flow, when the IDP is ADFS, runs just fine.
I know the Shib I am forced to use is an outdated one: 2.3.3
Thanks
7 years, 5 months
Keycloak user registration
by JAYAPRIYA ATHEESAN
Hi Team,
If I don't verify the email ID with which I signed up with Keycloak, and the
email verification link has expired, how do I proceed?
If I try to sign up using the same email ID, I get an error saying the mail ID
already exists.
Do we have any solution for this issue?
Thanks,
Jayapriya Atheesan
7 years, 5 months