Policy by Client (microservices)
by Ignacio Ocampo
Hello Team,
I'm new to Keycloak authorization; I've read all the documentation already.
I would like to know if there is a kind of *Policy that can match Client
name* (maybe thru Rule based JavaScript).
I'm creating an API Gateway and I want to validate who is trying to reach
who other (restrict by ClientId).
Thanks a lot.
Regards.
--
Ignacio Ocampo Millán
7 years, 5 months
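As an added example (not from the thread and not Keycloak's own code), a JavaScript rule-based policy that grants only when the calling client, read from the `kc.client.id` context attribute, is on the list of callers allowed for the requested resource. The resource names and client IDs are constructed, and the small `fakeEvaluation` stand-in only imitates the `$evaluation` object Keycloak hands to the policy so it can be exercised offline.

```javascript
// Added example: a Keycloak JavaScript policy that grants only when the calling client
// (context attribute 'kc.client.id') is allowed for the requested resource. Assumed:
// Keycloak passes the usual $evaluation object; resource and client names are made up.
var ALLOWED_CALLERS = {
  "orders-api": ["checkout-frontend", "billing-service"],
  "billing-api": ["billing-service"]
};

// Policy logic; returns true on grant, false on deny (deny is the default outcome).
function clientPolicy(evaluation, allowed) {
  var clientAttr = evaluation.getContext().getAttributes().getValue("kc.client.id");
  var resource = evaluation.getPermission().getResource();
  if (clientAttr === null || resource === null) { // no caller, or a scope-only permission
    evaluation.deny();
    return false;
  }
  var clientId = clientAttr.asString(0);
  var callers = allowed[resource.getName()] || [];
  for (var i = 0; i < callers.length; i++) {
    if (callers[i] === clientId) {
      evaluation.grant();
      return true;
    }
  }
  evaluation.deny();
  return false;
}

// Inside Keycloak the global $evaluation exists; this is the line the policy executes.
if (typeof $evaluation !== "undefined") { clientPolicy($evaluation, ALLOWED_CALLERS); }

// Constructed stand-in for $evaluation, only so the policy can be exercised offline.
function fakeEvaluation(clientId, resourceName) {
  var attrs = {};
  if (clientId !== null) { attrs["kc.client.id"] = { asString: function () { return clientId; } }; }
  var res = resourceName === null ? null : { getName: function () { return resourceName; } };
  return {
    granted: null,
    getContext: function () {
      return { getAttributes: function () {
        return { getValue: function (k) { return attrs[k] || null; } }; } };
    },
    getPermission: function () { return { getResource: function () { return res; } }; },
    grant: function () { this.granted = true; },
    deny: function () { this.granted = false; }
  };
}
```

Keycloak of that era evaluates policies with Nashorn, so the policy part is kept to ES5 syntax.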
Is there a way to include a link within an error message?
by Ben Quirk
My scenario: A user requests a password reset but their link expires. When
they click the link, they're shown an error message that comes from the
message property: "invalidCodeMessage".
Is it possible to include a new password reset link here so they can easily
request a new one?
I figured could do this in the template, however it looks like error.tpl is
used for all errors and the message is being rendered with
"${message.summary}" so I can't easily pass a message parameter through via
the template.
Thanks in advance,
Ben
7 years, 5 months
Package "keycloak-server-spi-private" in KC 2.4.x
by Niko Köbler
Hi Team,
with KC 2.4.0.CR1 you introduced a new package "keycloak-server-spi-private" and moved some classes to this package from the "keycloak-server-spi", especially the KeycloakModelUtils class, which I used so far in an SPI.
Is it intended to use and depend on the "private" package in own SPIs/implementations or is it just for Keycloak private usage?
Thanks,
- Niko
7 years, 5 months
Extending admin interface
by johannes Larsson
Hi,
It would be great to extend the admin interface with some more list options. For example, for me it would be awesome to see all fields for the users in the manage users section and also sort the list by the different columns. For now it is difficult to get an overview of how many users have accepted the terms, verified their email, when they signed up, etcetera.
Is this possible to solve or is the idea to use the api to make this type of analysis?
Thanks and kind regards,
Johannes
7 years, 5 months
looking for samples and howto's
by lists
Hi,
I have been playing with keycloak for the last two days, and while it
looks beautiful and has all the features (plus many more!) we (think)
we're looking for, we're having a hard time getting any client to work,
with one exception: the builtin 'account' client.
We
- setup apache2 reverse proxy so keycloak runs on regular https port
- configured Let's Encrypt SSL
- added our realm & configured our samba AD, synced users/groups
- configured HAProxy for AD DC failover
- configured and tested kerberos authentication
everything works great, but it's all within the keycloak system.
(specifically: the builtin 'accounts' client)
We've not had much luck at all making an external product authenticate
using keycloak IdP / SAML. We thought an easy client would be perhaps
simplesamlphp, or wordpress plugins ("miniOrange SSO using SAML 2.0" and
"SAML 2.0 Single Sign-On") but there are no examples / step-by-step
guides specific to keycloak that we can find.
There is a lot of keycloak-related talk on jboss, war, wildfly,
keycloak's client adapters, etc, but to us, these all seem to be more
'advanced usage', rather than using a 'regular' SAML capable client.
Or we're beginning to think that perhaps we misunderstand what keycloak
can do for us...
Hence our request here: Does anyone have a list of simple steps
("provide this, check this, fill in this here, etc, etc") for some
well-known external mainstream easily obtainable SAML clients?
We would be very grateful :-)
7 years, 5 months
Keycloak with EZproxy
by Bill Kuntz
Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.
OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."
Thanks,
Bill
7 years, 5 months
Out of memory error on Keycloak cluster
by robinfernandes .
Hi,
We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3
keycloak nodes behind it.
For the first time in about 4-6 months we received Java heap space
out-of-memory errors and the nodes just went down.
We had around 100k users as well as 35k active connections at the time.
We have around 512MB heap space assigned.
I am not able to reproduce it after restarting the nodes.
Is there any reason that this could happen?
7 years, 5 months
Create user with admin client - throws socket exception..
by Mustafa Kuru
Hi,
We are using the admin client to create a keycloak user.
A socket exception occurs sometimes on a test stage. Unfortunately I cannot
reproduce it locally. The stage is clustered.
From the keycloak logs I cannot find much information about this problem.
This produces blocking sessions in the keycloak database. We have to kill them
every time. Otherwise every following call hangs for about 5 min. and then
throws an exception.
It is very annoying.
Until we upgrade from version 1.8.1 to 2.x.x we have to find a
temporary solution.
I need to know why the "create user" call causes blocking sessions in the
database.
The exception looks like:
javax.ws.rs.ProcessingException: Unable to invoke request
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
...
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:158)
thanks in advance.
Kind regards.
Mustafa Kuru
7 years, 5 months
keycloak auth-method changes to BASIC
by Filip Bielejec
Putting a webservice EJB annotated with WebContext changes the (already
configured) authorization method from KEYCLOAK to BASIC and effectively
locks the client out.
I modified the keycloak product-demo example to demonstrate the problem:
https://github.com/fbielejec/keycloak-demo
Please note that the bean isn't called anywhere it is *just* on the
classpath. I'm not sure if this is the desired behaviour.
Best,
fbielejec
7 years, 5 months
Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
by Grant Marrow
Ok below is a step by step of events:
1. User navigates to web application at http://localhost:9000
2. User clicks the sign in button at http://localhost:9000/login
3. User is redirected to keycloak at http://localhost:8080 to login
4. Once signed in the user is redirected to http://localhost:9000
5. Authenticated User navigates to registrations page at
http://localhost:9000/registrations. During this step a http GET request is
done to http://localhost:8081/leap-service/resouces/private/registrations.
At the above step the error occurs. Please let me know if you need more
information. Thanks
Regards
Grant
On 16 Nov 2016 20:26, "Grant Marrow" <grantmarrow(a)gmail.com> wrote:
> Hi Chris
>
> Thanks for getting back to me. I have done that and it didn't work. I
> have also tried adding *. That did not work as well. What else can I try?
>
> Please let me know. Thanks
>
> Regards
> Grant
> On 16 Nov 2016 20:15, "Chris Savory" <chris.savory(a)edlogics.com> wrote:
>
>> In the admin, click on Clients, then select your client. Do you have any
>> values for “Web Origins” there? If not, you need to add
>> ‘http://localhost:9000’
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com <http://www.edlogics.com/>
>>
>> <http://www.edlogics.com/>
>> <https://www.linkedin.com/company/edlogics> <
>> https://twitter.com/EdLogics>
>>
>> On 11/16/16, 1:08 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf
>> of Grant Marrow" <keycloak-user-bounces(a)lists.jboss.org on behalf of
>> grantmarrow(a)gmail.com> wrote:
>>
>> Hi,
>>
>> I really need some help. I keep on getting the following error:
>>
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
>> therefore not allowed access. The response had HTTP status code 500.*
>>
>> This is my setup:
>>
>> *Front End:*
>> - angular 1.5 web application running at http://localhost:9000
>> - client configuration on keycloak admin console:
>> - keycloak.json:
>>
>> {
>> "realm": "leap",
>> "auth-server-url": "http://localhost:8080/auth",
>> "ssl-required": "external",
>> "resource": "leap-web",
>> "public-client": true
>> }
>>
>>
>> *Auth Server*
>> - keycloak version 2.30Final running at http://localhost:8080
>>
>> *Web service*
>> - java REST service running on Tomcat version 8.5
>> - client config on keycloak admin console:
>> - web.xml of rest service:
>>
>> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xmlns="http://java.sun.com/xml/ns/javaee"
>> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>> id="WebApp_ID" version="3.0">
>> <display-name>Archetype Created Web Application</display-name>
>> <module-name>leap-service</module-name>
>> <listener>
>> <listener-class>com.hm.leap.service.init.ContextListener</listener-class>
>>
>> </listener>
>> <context-param>
>> <param-name>persistentUnit</param-name>
>> <param-value>leap</param-value>
>> </context-param>
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Leap-Service</web-resource-name>
>> <url-pattern>/resources/private/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>user</role-name>
>> </auth-constraint>
>> </security-constraint>
>>
>> <login-config>
>> <auth-method>KEYCLOAK</auth-method>
>> <realm-name>leap</realm-name>
>> </login-config>
>>
>> <security-role>
>> <role-name>user</role-name>
>> </security-role>
>>
>> </web-app>
>>
>> - I also have the valve setup on my context.xml that lives in the META-INF
>> directory
>> <Context path="/leap-service">
>> <Valve
>> className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
>>
>> </Context>
>>
>> - keycloak.json:
>>
>> {
>> "realm": "leap",
>> "bearer-only": true,
>> "auth-server-url": "http://localhost:8080/auth",
>> "ssl-required": "external",
>> "resource": "leap-service",
>> "enable-cors": true
>> }
>>
>> The error occurs in the following scenario:
>> - The angular web app launches, the user clicks the login button which
>> redirects to Keycloak. The user signs in. The user then tries to navigate to
>> another page. This page then executes a GET request on my REST service
>> which returns a list which is displayed in a table. But while executing the
>> GET request, I receive the error:
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:9000 <http://localhost:9000/>' is
>> therefore not allowed access. The response had HTTP status code 500.*
>>
>> In my Tomcat log file. I see the following warning message:
>>
>>
>> *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
>> org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No
>> login page was defined for FORM authentication in context [/leap-service]*
>>
>> I really can't seem to pinpoint the error. I find it quite strange because
>> I have the same setup but using an older version of keycloak (1.9*), which
>> worked fine. I know this might be a silly problem, but if you have some
>> time to help me, I would really appreciate it. Thanks.
>>
>> Regards
>> Grant
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
7 years, 5 months