AngularJS Example for execute-actions-email REST Request
by Roger Turnau (US - Advisory)
Hi all,
Can someone show me a quick example of how to create (preferably in
AngularJS) the PUT request to send an execute-actions-email to a user?
I'm building a service in AngularJS to call the Admin REST service. I can
get the access token and make GET requests just fine, but the PUT request
on execute-actions-email is giving me errors.
Here's what I have so far:
$http.put("http://localhost:8380/auth/admin/realms/realm1/users/bob/execute-actions-...",
    {
        actions: 'VERIFY_EMAIL&UPDATE_PASSWORD'
    },
    {
        headers: {
            Authorization: "Bearer eyJhb...",
            "Content-type": "application/json"
        }
    });
But this gets the following error in Keycloak:
16:46:15,961 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002005: Failed executing PUT /admin/realms/realm1/users/bob/execute-actions-email: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@10fb0244; line: 1,column: 1]
    at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
    at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    ...
It seems not to like that second parameter, but I can't tell why. I
appreciate any help you can give on this one. I have no idea how this
request is supposed to look.
Thank you,
Roger Turnau
7 years, 4 months
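An added example, not part of the original post and not Keycloak project code: the Jackson error quoted in the post above ("Can not deserialize instance of java.util.ArrayList out of START_OBJECT token") means the endpoint reads the request body as a JSON array, so this helper sends the action names as a bare array and percent-encodes the realm and user path segments. The function names, the allow-list contents and the placeholder token are assumptions made for illustration.

```javascript
// Added example (not from the original post); all names here are hypothetical.
// Illustrative allow-list of required-action names; extend it for custom actions.
const KNOWN_ACTIONS = new Set([
  "VERIFY_EMAIL", "UPDATE_PASSWORD", "UPDATE_PROFILE", "CONFIGURE_TOTP",
]);

// Accepts an array, or the "A&B" string form used in the post, and
// returns a de-duplicated array of validated action names.
function normalizeActions(actions) {
  const list = Array.isArray(actions) ? actions : String(actions).split(/[&,\s]+/);
  const cleaned = [...new Set(list.map((a) => String(a).trim()).filter(Boolean))];
  if (cleaned.length === 0) throw new Error("at least one action is required");
  const unknown = cleaned.filter((a) => !KNOWN_ACTIONS.has(a));
  if (unknown.length) throw new Error("unknown action(s): " + unknown.join(", "));
  return cleaned;
}

// Builds a config object in the shape AngularJS $http(config) accepts.
function buildExecuteActionsEmailRequest(baseUrl, realm, user, actions, token) {
  if (!token) throw new Error("access token is required");
  return {
    method: "PUT",
    // Encode path segments so a value containing "/" cannot change the target path.
    url: baseUrl.replace(/\/+$/, "") + "/admin/realms/" + encodeURIComponent(realm) +
         "/users/" + encodeURIComponent(user) + "/execute-actions-email",
    // The body is the array itself, not an object wrapping it.
    data: normalizeActions(actions),
    headers: {
      Authorization: "Bearer " + token,
      "Content-Type": "application/json",
    },
  };
}

// Constructed sample values; inside an AngularJS service this would be $http(req).
const req = buildExecuteActionsEmailRequest(
  "http://localhost:8380/auth", "realm1", "bob",
  "VERIFY_EMAIL&UPDATE_PASSWORD", "PLACEHOLDER_TOKEN");
console.log(req.method, req.url);
console.log(JSON.stringify(req.data));
```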
Retrieve number of times users have logged in?
by Edgar Vonk - Info.nl
hi,
Is it possible somehow to get the stats about the number of times users have logged into/authenticated from Keycloak? Maybe from the database? Or is this information not stored?
cheers
7 years, 4 months
Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)
by Edgar Vonk - Info.nl
hi,
Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour:
1/ create a new user in Keycloak from the Keycloak admin UI
2/ set a password in the Credentials tab and leave the ‘Temporary’ flag set to on
3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user’s userAccountControl attribute is now set to 546. This means: ‘Disabled, Password Not Required’
4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the ‘User Enabled’ flag in Keycloak now suddenly changes from enabled to disabled
This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final.
After having spent quite some time tracking the issue down we found out that it was the ‘Temporary’ flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally.
Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change.
PS: we are confused about the ‘Temporary’ flag in any case. Exactly what is it meant for? The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value ‘Change password’?
cheers,
Edgar
7 years, 4 months
Keycloak Memory Settings
by Chris Savory
We are using RH SSO 7.0 and I am performing a loadtest for our site. Currently I’m stuck at going above 200 virtual users because keycloak gets too slow at that point and the long running login threads on our site begin to bog down the rest of the site functions.
Currently we are using SSO Standalone, and are planning to run in cluster mode as soon as we upgrade to 7.0.2 because of the cluster bug.
https://access.redhat.com/solutions/2427361
While our operations guys are working on getting the cluster functionality working, I wanted to verify the memory settings on our standalone instance are optimized and that there wasn’t something we could do there as well. Here are the current startup settings.
JAVA_OPTS: -server -verbose:gc -Xloggc:"/opt/eap/standalone/log/gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.logmanager,jdk.nashorn.api -Djava.awt.headless=true -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.0.3.Final-redhat-1.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/javax.json-1.0.4.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom
I’m not sure where all these settings came from as the guy that set it up is no longer here.
We are running SSO inside a docker container inside of OpenShift
OpenShift Master: v1.2.1
Kubernetes Master: v1.2.0-36-g4a3f9c5
--
Christopher Savory
Software Engineer | EdLogics
7 years, 4 months
client IP not real one with openshift
by LIEVRE Olivier
Hi,
We are using keycloak under Openshift (with a passthrough TLS route), unfortunately, the IP address of the client connecting to keycloak is always 11.1.0.1 instead of his real one.
Is there some configuration needed in keycloak to get the right IP address?
KR,
Olivier
7 years, 4 months
Keycloak adapter with policies returns bad request
by Richard van Duijn
I'm creating a POC application using playframework and angular. The
frontend will be protected using the keycloak javascript adapter and the
backend rest services will be a bearer-only application.
Without the policies turned on in the keycloak.json everything goes well.
But when I turn the policies on by adding "policy-enforcer": { } for the
rest services, I get a 400 Bad Request response from the Keycloak server
during initialization.
After some debugging I noticed it had to do with the initialization of the
PolicyEnforcer which attempts to call the following server keycloak
endpoint:
http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-conne...
Below you will find the stacktrace and request and response objects.
Hope someone can point me in the right direction. For instance how to
configure keycloak logging to get some more details on what the reason for
the 400 bad request is.
Many many thanks!
/Richard
*Stacktrace*:
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
    at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
    at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
    at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
    at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
    at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
    at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
    ... many google guice calls ...
    at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
    at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
*Request object*:
builder = {RequestBuilder@12557}
method = "POST"
charset = {UTF_8@12563} "UTF-8"
version = null
uri = {URI@12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-conne..."
headergroup = {HeaderGroup@12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
entity = null
parameters = {LinkedList@12566} size = 1
0 = {BasicNameValuePair@12576} "grant_type=client_credentials"
config = null
*Response object*:
HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780
response = {$Proxy16@12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
h = {CloseableHttpResponseProxy@12583}
original = {BasicHttpResponse@12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
statusline = {BasicStatusLine@12556} "HTTP/1.1 400 Bad Request"
ver = {HttpVersion@12586} "HTTP/1.1"
code = 400
reasonPhrase = "Bad Request"
entity = {BasicManagedEntity@12555}
reasonCatalog = {EnglishReasonPhraseCatalog@12588}
locale = {Locale@12589} "en_US"
headergroup = {HeaderGroup@12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
params = {ClientParamsStack@12591}
7 years, 4 months
How Basic Authentication is implemented for Java adapters?
by Michael Furman
Hi,
We need to implement authentication for our REST APIs.
The issue is not simple since the same APIs are used for the UI and for the CLI clients.
CLI clients access REST API using Basic Authentication.
For UI we want to access REST APIs after OIDC authentication.
Therefore we need to achieve the following:
* If a request comes without any authentication the server should respond with HTTP 401.
* If a request comes with the Basic Authentication header it is authenticated.
* If a request comes with Keycloak cookies it is authenticated (and HTTP 401 does not appear).
Is it possible to do it?
I will be happy to clarify how Basic Authentication is implemented for Keycloak Java adapters.
I found the enable-basic-auth configuration here:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
Questions:
1. Will Keycloak Java adapter prompt with HTTP 401 if a request comes without any authentication?
(we can not allow OIDC redirection in this case)
2. What happens when a request comes with a Basic Authentication header: is it authenticated?
How does the Keycloak Java adapter validate the user name and password?
3. What happens when a request comes with Keycloak cookies?
Best regards,
Michael
7 years, 4 months
Direct link to registration with Java ServletFilter Adapter
by Laghuvaram, Raghu
I am looking for a direct link to registration from my application, I am using Java Servlet Filter Adapter with Cookie tokenstore, is that even achievable?
Thanks,
Raghu
7 years, 4 months