Re: [keycloak-user] Spring boot and spring security adapters
by Brian Schwartz
When I do that I get the error:
org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException:
Failed to bind 'keycloak.configurationFile' from 'applicationConfig:
[classpath:/application.properties]' to 'configurationFile' property on
'org.keycloak.adapters.springboot.KeycloakSpringBootProperties'
On Dec 2, 2016 2:30 PM, "Matt H" <tsdgcc2087(a)outlook.com> wrote:
Since you are using Spring Boot, I'm going to assume you have a properties
file. Just have the file in your classpath and you can set the following
property.
keycloak.configurationFile: classpath:keycloak.json
If you don't have a properties file, you can just set it manually:
System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
------------------------------
*From:* keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists.jboss.org> on behalf of Brian Schwartz <schwartzbj17(a)gmail.com>
*Sent:* Friday, December 2, 2016 2:09 PM
*To:* keycloak-user
*Subject:* [keycloak-user] Spring boot and spring security adapters
I'm using the Keycloak 2.3.0.Final Spring Boot and Spring Security adapters.
The Spring Security adapter requires a keycloak.json file to be in WEB-INF
but I don't have that or web.xml. How do I change where the Keycloak
adapter looks for keycloak.json?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 4 months
Re: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter
by Sebastien Blanc
On Fri, Dec 2, 2016 at 3:31 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
> Where does the KeycloakDeployment come from? I looked through the service
> account example that uses the method below, but it only shows how to get it
> from an HttpServlet which still comes from a user interaction.
>
I haven't tried it, but in KeycloakWebSecurityConfigurerAdapter, which you
probably subclass in your app to configure the security, there is an
adapterDeploymentContext() method, and from the returned context you can get
the KeycloakDeployment object.
>
> One idea could be to extend the KeycloakRestTemplate to allow for a flag
> to use service accounts then obtain a token for it.
>
>
> Another idea would be to have another class that could be autowired (I'm
> using Spring) that takes care of getting a service account access token,
> storing it, and refreshing it if it expires. It would need to read the
> keycloak.json (or the same properties that are set for it) to get the
> client and secret.
>
These are really great suggestions and I will make sure to add them to the
ticket, thx.
>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc(a)redhat.com>
> *Sent:* Friday, December 2, 2016 1:04 AM
>
> *To:* Matt H
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
> keycloak-spring-security-adapter
>
> There is one way you can leverage the adapter for this, which is using this
> method:
>
> ClientCredentialsProviderUtils.setClientCredentials(deployment,
> reqHeaders, reqParams);
>
> This way, you don't have to worry about passing your credentials. But it's
> worth thinking about how we can enhance the developer experience in this area;
> if you have some ideas, feel free to share them and I will also open a
> ticket to track this.
>
>
>
> On Thu, Dec 1, 2016 at 10:58 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
>
>> Yes, I was looking at that guide. I knew how to go to the Keycloak token
>> endpoint and get a token. I wasn't sure if this is the way it needed to be
>> done, or if it could be done through the provided adapters.
>>
>>
>> When the adapters are already being used, and it knows of your client and
>> secret already, it seemed like a lot of overhead to go out to keycloak some
>> other way and make sure that token is not expired (along with re-issuing a
>> token logic), then make the call. If this is the required way, that's fine.
>>
>> ------------------------------
>> *From:* Sebastien Blanc <sblanc(a)redhat.com>
>> *Sent:* Thursday, December 1, 2016 3:45 PM
>> *To:* Matt H
>> *Cc:* keycloak-user(a)lists.jboss.org
>> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
>> keycloak-spring-security-adapter
>>
>> (including mailing list)
>>
>> On Thu, Dec 1, 2016 at 8:31 PM, Matt H <tsdgcc2087(a)outlook.com> wrote:
>>
>>> I have a suite of Spring applications that are using Keycloak for
>>> authentication. I'm using the Keycloak Spring Security adapter and have
>>> successfully secured the endpoints that I want to. I have situations where
>>> I need Application A to make a call to a secured endpoint on Application
>>> B. I am able to do this client-to-client communication by using the
>>> KeycloakRestTemplate, but only when a user calls Application A with a valid
>>> token.
>>>
>>>
>>> Application A also has a process that will call Application B without
>>> user interaction. When this is done I get an error
>>> "java.lang.IllegalStateException: Cannot set authorization header
>>> because there is no authenticated principal". This makes sense since I
>>> don't have a valid user token.
>>>
>>>
>>> Application A and Application B use the same client in keycloak and it
>>> is set to be a confidential client. I have tried it with and without
>>> having service accounts enabled.
>>>
>> When you say "with service accounts enabled", have you followed all the
>> instructions from here https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html , meaning also calling the
>> /{server-root-usually-auth}/realms/{realm-name}/protocol/openid-connect/token
>> endpoint in order to retrieve a valid token?
>>
>>>
>>>
>>> Some questions I have are:
>>>
>>> 1. How do I have applications (not users) call a secured REST endpoint?
>>>
>>> 2. Do the provided keycloak adapters (like the spring security adapter)
>>> provide this functionality?
>>>
>>> 3. Do I need an additional client account to do this?
>>>
>>> 4. Are there any libraries that handle refreshing these tokens or
>>> automatically obtaining one if it doesn't exist?
>>>
>>>
>>> I see lots of examples on how a user can access a secured service, but
>>> not much on an application accessing a secured service.
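An added example (not code from this thread or from the Keycloak project) of the approach Matt sketches above: a small Java class that obtains a service-account token with the OAuth2 client_credentials grant from the token endpoint Sebastien names, caches it, and refreshes it before it expires, so an outgoing call can set its own Authorization header without an authenticated principal. The class name, the realm and client ids in main(), and the KEYCLOAK_CLIENT_SECRET environment variable are assumptions; it uses only the JDK's java.net.http client (Java 11+) and no Keycloak adapter classes.

```java
// Added example, not code from this thread or from the Keycloak project.
// Obtains a service-account token with the OAuth2 client_credentials grant from
// the Keycloak token endpoint, caches it, and refreshes it shortly before expiry.
// Assumed names: ServiceAccountTokenProvider, the realm/client ids in main(),
// and the KEYCLOAK_CLIENT_SECRET environment variable.
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ServiceAccountTokenProvider {
    // Refresh this long before expiry so a request in flight at the boundary does not get a 401.
    private static final Duration REFRESH_SKEW = Duration.ofSeconds(30);

    private final HttpClient http = HttpClient.newHttpClient();
    private final URI tokenEndpoint;
    private final String clientId;
    private final String clientSecret;
    private String cachedToken;
    private Instant expiresAt = Instant.EPOCH;

    public ServiceAccountTokenProvider(String serverRoot, String realm,
                                       String clientId, String clientSecret) {
        // The endpoint named in the thread: {server-root}/realms/{realm}/protocol/openid-connect/token
        this.tokenEndpoint = URI.create(serverRoot + "/realms/" + realm + "/protocol/openid-connect/token");
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Value for the Authorization header of the outgoing call to Application B. */
    public String authorizationHeader() throws IOException, InterruptedException {
        return "Bearer " + accessToken();
    }

    /** Returns the cached token, fetching a new one when none is cached or it is about to expire. */
    public synchronized String accessToken() throws IOException, InterruptedException {
        if (cachedToken == null || Instant.now().plus(REFRESH_SKEW).isAfter(expiresAt)) {
            fetchToken();
        }
        return cachedToken;
    }

    private void fetchToken() throws IOException, InterruptedException {
        // client_credentials is the grant behind Keycloak "service accounts": the client
        // must be confidential and have service accounts enabled.
        String body = formEncode(Map.of(
                "grant_type", "client_credentials",
                "client_id", clientId,
                "client_secret", clientSecret));
        HttpRequest request = HttpRequest.newBuilder(tokenEndpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Report the status only; the body is not logged, so no token or secret ends up in logs.
            throw new IOException("token endpoint returned HTTP " + response.statusCode());
        }
        // The response is JSON; the two fields needed are pulled out with a regex to keep the
        // example dependency-free. Use a real JSON parser in production code.
        cachedToken = jsonField(response.body(), "access_token");
        long expiresIn = Long.parseLong(jsonField(response.body(), "expires_in"));
        expiresAt = Instant.now().plusSeconds(expiresIn);
    }

    private static String jsonField(String json, String name) throws IOException {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"?([^\",}]+)\"?").matcher(json);
        if (!m.find()) {
            throw new IOException("field '" + name + "' missing from token response");
        }
        return m.group(1);
    }

    private static String formEncode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        params.forEach((k, v) -> sb.append(sb.length() == 0 ? "" : "&")
                .append(URLEncoder.encode(k, StandardCharsets.UTF_8)).append('=')
                .append(URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values; realm, client id and secret are the same ones the adapter's
        // keycloak.json carries (realm, resource, credentials.secret).
        ServiceAccountTokenProvider provider = new ServiceAccountTokenProvider(
                "http://localhost:8080/auth", "demo", "app-a", System.getenv("KEYCLOAK_CLIENT_SECRET"));
        String header = provider.authorizationHeader();
        System.out.println("Obtained a bearer header of " + header.length() + " characters");
    }
}
```

A second call to authorizationHeader() within the token lifetime is served from the cache with no round trip to Keycloak; the cache keys on the expires_in value in the token response, and the 30-second skew avoids handing out a token that expires while the request to Application B is in flight. Because the secret is read from the environment and the endpoint's response body is never logged, neither the secret nor a bearer token lands in application logs.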
7 years, 4 months
"convert OID to names"
by mj
Hi,
Trying to use Keycloak as an IdP (SAML2), and my application tells me:
"When using SimpleSAMLphp, make sure the convert OID to names by
modifying your metadata/saml20-idp-hosted.php to contain something like
this:
> 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
> 'authproc' => array(
> 100 => array('class' => 'core:AttributeMap', 'oid2name'),
> ),
Could anyone give a pointer on how to make Keycloak use names instead of OIDs?
MJ
7 years, 4 months
2.4.0 Unable to register new user when LDAP is enabled
by Michael Anthon
We have recently upgraded to 2.4.0 and are currently unable to create new users while LDAP is enabled. Stack trace below.
The LDAP provider is configured with "Sync Registrations" turned off but this option seems to be ignored?
Any advice on this would be appreciated.
Thanks,
Michael
20:30:20,205 ERROR [io.undertow.request] (default task-6) UT005023: Exception handling request to /auth/admin/realms/identify/users: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Registration is not supported by this ldap server
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Registration is not supported by thi
at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProv
at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.ja
at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCac
at org.keycloak.models.UserFederationManager.addUser(UserFederationManag
at org.keycloak.services.resources.admin.UsersResource.createUser(UsersR
at sun.reflect.GeneratedMethodAccessor795.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resource
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodIn
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispa
... 37 more
7 years, 4 months
Keycloak Event when user is authenticated
by Mario Peck
I am working on a web application (war) that uses keycloak for
authentication/roles.
The application is running on Wildfly 10. Using the wildfly keycloak
adapter.
I need to listen/detect when a user is authenticated by keycloak. There is
some work the application must perform when a user is logged in for the
first time.
Is there some event (Observable message), or some type of listener that I
can register to get notified of this (when a user is authenticated)?
Thanks to any tips/help
Mario
7 years, 4 months
How can I use keycloak-admin-client in Apache Tomcat
by tecnologia@growingup.com.co
Hello,
How can I use keycloak-admin-client in Apache TomEE 7.0.2?
Below the specifications:
Apache TomEE 7.0.2 -> Apache Tomcat 8.5.6
JAX-RS - Apache CXF (I understand that resteasy is needed)
JAX-WS - Apache CXF
keycloak-admin-client: does it only work on a WildFly server?
7 years, 4 months
Social Login Fails
by Srikar Nuvvula
Hi,
I am new to using Keycloak. I am trying to get social login to work with my AngularJS app but I am having issues that I can't seem to get over. Here are the steps I followed, but login failed.
1. Set up the Facebook auth provider in Keycloak.
2. Created a client id with public type in Keycloak.
3. Set up an app in Facebook and populated the redirect URL, which is (http://localhost:8080/auth/realms/faceauth/broker/facebook/endpoint).
4. Extracted the client id and secret from the Facebook app and populated them on the Facebook identity provider in Keycloak.
5. Using the Keycloak JS adapter I invoked the login call (uses the following code):

    // on every request, authenticate user first
    angular.element(document).ready(() => {
      window._keycloak = Keycloak('keycloak/keycloak.json');
      // new Keycloak({ url: 'http://localhost:8080/auth', realm: 'faceauth', clientId: 'facedemo' });
      window._keycloak.init({ onLoad: 'login-required' })
        .success((authenticated) => {
          if (authenticated) {
            window._keycloak.loadUserProfile().success(function (profile) {
              angular.bootstrap(document, ['keycloak-tutorial']); // manually bootstrap Angular
            });
          } else {
            window.location.reload();
          }
        })
        .error(function () {
          alert("auth failed");
          // window.location.reload();
        });
    });

6. I am presented with the Facebook login; when I key in the details and log in, control comes back to my app on localhost but goes into the error block and displays the "auth failed" message.
I don't know what's happening. I don't have any more error information to debug. What's the best way to understand what's going on? Please help.
Thanks much
7 years, 4 months
How to access secured REST endpoint from keycloak-spring-security-adapter
by Matt H
I have a suite of Spring applications that are using Keycloak for authentication. I'm using the Keycloak Spring Security adapter and have successfully secured the endpoints that I want to. I have situations where I need Application A to make a call to a secured endpoint on Application B. I am able to do this client-to-client communication by using the KeycloakRestTemplate, but only when a user calls Application A with a valid token.
Application A also has a process that will call Application B without user interaction. When this is done I get an error "java.lang.IllegalStateException: Cannot set authorization header because there is no authenticated principal". This makes sense since I don't have a valid user token.
Application A and Application B use the same client in keycloak and it is set to be a confidential client. I have tried it with and without having service accounts enabled.
Some questions I have are:
1. How do I have applications (not users) call a secured REST endpoint?
2. Do the provided keycloak adapters (like the spring security adapter) provide this functionality?
3. Do I need an additional client account to do this?
4. Are there any libraries that handle refreshing these tokens or automatically obtaining one if it doesn't exist?
I see lots of examples on how a user can access a secured service, but not much on an application accessing a secured service.
7 years, 4 months
Re: [keycloak-user] Accessing JGroups ports in Docker keycloak-ha-postgres
by Staffan
After lots of experimentation, I found keycloak-mysql to be more useful
than keycloak-ha-postgres for HA in Kubernetes. See
https://github.com/jboss-dockerfiles/keycloak/pull/62
There is some more background in the JGroups mailing list thread "Expose
JGroups ports in Docker keycloak-ha-postgres".
/Staffan
On Tue, Nov 8, 2016 at 11:29 AM, Staffan <solsson(a)gmail.com> wrote:
> Hi,
>
> I've tried in different docker environments (compose, kubernetes,
> standalone) to get an HA setup running using https://hub.docker.com/r/
> jboss/keycloak-ha-postgres/.
>
> Keycloak nodes start all right, but are unaware of each other. Curiously I
> fail to reach the JGroups ports from any other container or host system.
>
> When I try -Djboss.bind.address.private=0.0.0.0 there's an error during
> startup:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
> java.security.PrivilegedActionException: java.net.BindException: [UDP] /
> 0.0.0.0 is not a valid address on any local network interface
> at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(
> ChannelBuilder.java:80)
> Caused by: java.security.PrivilegedActionException:
> java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any
> local network interface
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(
> WildFlySecurityManager.java:640)
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address
> on any local network interface
> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>
> ... or if I switch to stack="tcp" in the jgroups subsystem:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
> java.security.PrivilegedActionException: java.net.BindException: [TCP] /
> 0.0.0.0 is not a valid address on any local network interface
>
> I guess this is a generic Wildfly topic, but I'm curious how the official
> Keycloak docker containers are tested. In a docker context, the only two
> interfaces I can bind to are 0.0.0.0 and 127.0.0.1.
>
> regards
> Staffan Olsson
7 years, 4 months