Adding role to existing users
by Guus der Kinderen
What options are available when one would need to add one or two new roles
to every pre-existing user of a realm? The existing user base can be pretty
large (many thousands of users), which makes a one-user-at-a-time approach
sound inefficient.
- Guus
7 years, 4 months
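One way to script the bulk assignment Guus asks about is to walk the realm's user listing with the Keycloak admin REST API and map the role per user. This is an added example, not code from the list or from Keycloak; it assumes the admin endpoints named in the docstring, an admin bearer token obtained separately, and that the admin API maps roles one user at a time, so it pages the listing with first/max and issues one POST per user.

```python
"""Bulk-assign a realm role to every user of a realm via the Keycloak admin REST API.

Assumed endpoints (relative to the server base URL):
  GET  /admin/realms/{realm}/roles/{role-name}
  GET  /admin/realms/{realm}/users?first=N&max=M
  POST /admin/realms/{realm}/users/{id}/role-mappings/realm
"""
import json
import urllib.request


def keycloak_transport(base_url, token):
    """Real transport: call(method, path, body=None) -> parsed JSON (None for empty bodies)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={
            "Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return call


def iter_users(call, realm, page_size=100):
    """Yield every user of the realm, paging with first/max; a short page ends the walk."""
    first = 0
    while True:
        page = call("GET", f"/admin/realms/{realm}/users?first={first}&max={page_size}")
        yield from page
        if len(page) < page_size:
            return
        first += page_size


def add_role_to_all_users(call, realm, role_name, page_size=100):
    """Map the named realm role onto every user (one POST per user); return the user count."""
    role = call("GET", f"/admin/realms/{realm}/roles/{role_name}")  # mapping needs id and name
    mapping = [{"id": role["id"], "name": role["name"]}]
    count = 0
    for user in iter_users(call, realm, page_size):
        call("POST", f"/admin/realms/{realm}/users/{user['id']}/role-mappings/realm", mapping)
        count += 1
    return count


def fake_admin_api(n_users):
    """Constructed offline stand-in for the admin API; returns (call, list of POSTed paths)."""
    users = [{"id": f"user-{i}"} for i in range(n_users)]
    posted = []
    def call(method, path, body=None):
        if method == "GET" and "/roles/" in path:
            return {"id": "role-id-1", "name": path.rsplit("/", 1)[1]}
        if method == "GET" and "/users?" in path:
            q = dict(kv.split("=") for kv in path.split("?", 1)[1].split("&"))
            return users[int(q["first"]):int(q["first"]) + int(q["max"])]
        posted.append(path)  # POST .../users/{id}/role-mappings/realm
    return call, posted


if __name__ == "__main__":
    print(add_role_to_all_users(fake_admin_api(250)[0], "demo", "reporter"), "users updated")
```

fake_admin_api is a constructed stand-in so the walk runs offline; against a real server, pass keycloak_transport(base_url, token) as the call argument instead.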
Spring boot + keycloak
by Ondra Pala
Hello, we use this example: https://github.com/foo4u/keycloak-spring-demo
(for Spring Boot and Keycloak).
I have a keycloak.json file (the realm exists in this file) in my WEB-INF folder,
but when I run my application I get this exception:
java.lang.RuntimeException: Must set 'realm' in config
Full stack trace of this exception:
java.lang.RuntimeException: Must set 'realm' in config
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:53) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:183) ~[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.5.jar:8.5.5]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
Our security configuration looks like this:
/**
 * Application security configuration.
 *
 * @author Scott Rossillo
 */
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    @Bean
    public CacheControlHandlerInterceptor cacheControlHandlerInterceptor() {
        return new CacheControlHandlerInterceptor();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("config");
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/*").denyAll();
    }
}
Can you please tell me where the mistake could be?
Thanks for your answer and time.
Ondrej Pala
7 years, 4 months
How to check if keycloak has been restarted since last visit
by Mariusz Chruscielewski - Info.nl
Hi,
Is there a way to check if Keycloak has been restarted since the last visit? Some unique ID that is created when Keycloak starts and doesn't change until you restart Keycloak. I would like to use it to verify whether a cookie has been created by "this" Keycloak instance, or by the Keycloak instance before the restart.
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz(a)info.nl | LinkedIn: https://www.linkedin.com/in/mariusz-chruscielewski | +31 (0)20 530 9113
info.nl (http://www.info.nl)
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
7 years, 4 months
Keycloak connecting to Microsoft Azure Active Directory?
by Reed Lewis
I am attempting to use Microsoft Azure Active Directory with Keycloak.
It is not working correctly.
Here is how I have it configured:
OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL: <none>
Backchannel Logout: Off
User Info URL: <blank>
First Login Flow: First Broker Login
It directs me to the Microsoft page to log in correctly, but when it comes back to Keycloak, it only has the first and last name, but no email address.
Is there something I have configured incorrectly?
I also tried to use the built-in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis
7 years, 4 months
Enabling a public rest service
by Juan Diego
Hi,
Maybe I am looking at this the wrong way. I have 2 web pages on separate
domains. One page is public, so you don't need to log in, and the other is
private and you need a user and a password.
Both should connect to my REST API.
I am using Java and WildFly 10 for my back end, and AngularJS for my
frontend. In my private web page I don't have any problems connecting to my
backend.
In my public page I am getting a CORS error, and I kind of know why it happens
but I do not know how to solve it.
I created this in my web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ramonapublic</web-resource-name>
        <url-pattern>/listaPublica</url-pattern>
        <url-pattern>/listaPublica/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ramona</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>usuarios</role-name>
    </auth-constraint>
</security-constraint>
ramonapublic is the public REST service. If I use curl I have no problem:
curl http://ramona.localdomain:8080/ramona-backend/listaPublica -X POST -H 'ramonaclient.localdomain'
I get this:
[{"codigo":1006,"titulo":"Avengers2.mp4","paths3":"archivos/1006/","nombreArchivo":"Avengers2.mp4","tamano":13977910,"bitrate":null,"duracion":null,"hash":null,"mimeType":"video/mp4","fechaSubida":1480518881829,"tipoArchivo":
..............
If I use Firefox or Chrome I get this:
XMLHttpRequest cannot load http://localhost:8080/ramona-backend/listaPublica.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://ramonaclient.localdomain' is therefore not allowed
access.
From what I can tell the browsers are blocking the response because there
is no Access-Control header. (This only happens with my public page; my private
page with Keycloak works perfectly.)
So from what I can tell, listaPublica is being called in the backend,
but because it is a public security constraint that is not using Keycloak's
tokens, it is not getting a proper header.
If I add this to my JaxRsActivator:
private Set<Object> singletons = new HashSet<Object>();
private Set<Class<?>> classes = new HashSet<Class<?>>();

public JaxRsActivator() {
    // no instance is created, just the class is listed
    classes.add(PublicPlaylistRest.class);
    CorsFilter corsFilter = new CorsFilter();
    corsFilter.getAllowedOrigins().add("http://ramonaclient.localdomain");
    corsFilter.setAllowedHeaders("Content-Type");
    singletons.add(corsFilter);
}

@Override
public Set<Class<?>> getClasses() {
    return classes;
}

@Override
public Set<Object> getSingletons() {
    return singletons;
}
It works on the public side, but it messes up the headers on the private
side, so I cannot use this. It interferes with Keycloak's own CORS handling.
7 years, 4 months
have keycloak validate a SAML uid / token combination
by mj
Hi,
Is it possible to configure Keycloak to validate a SAML-obtained uid / token?
I have an application authenticating via SAML on Keycloak. The result is
an authenticated user with a uid and a token (long string of characters).
Can I, in a different process, check with Keycloak that this uid/token
is still a valid combination?
What kind of client (if any) would I have to configure in Keycloak to do
this?
MJ
7 years, 4 months
Still active token after logout
by ruiwp13
Hello,
I am trying to log out of my application through Keycloak, but when I call
the logout function for a certain user it does delete the user session in
Keycloak; somehow, though, the token is still active and I can access the
information. I have set a base and admin URL as the absolute path to my
application, which is hosted on a server. Did I set this the right way? If
so, what is the problem?
By the way, if I set a root and base URL I get the path duplicated in the
clients page.
Best Regards,
Rui Neves
7 years, 4 months
Facebook login + Remember me
by Mariusz Chruscielewski - Info.nl
Hi, is it possible to set the remember-me cookie and identity cookie from Keycloak when we use the Facebook login provider?
I debugged it, and I found that in AuthenticationManager.java#createLoginCookie the check:
if(session.isRememberMe()) returns false.
Is there a way to set this up somewhere (remember all Facebook logins)?
I tried to create my own custom Authenticator, but I can't set remember-me from there. Is there any way to build that?
Thanks in advance
Mariusz Chruścielewski
7 years, 4 months