Login multiple times
by Dan Østerberg
Hi,
It's possible (and sometimes likely) to have multiple browser tabs or windows showing the login screen for the same realm. This could, for example, happen after working with different systems in different tabs and then timing out the whole SSO session. If the user then logs in from both / all tabs, the last login will seemingly win and destroy all the other sessions (rather than all of them contributing to the same session). This implies that the other tabs will not have a valid session, and e.g. fetching a new access token will fail.
Is this a bug, a limitation, or is it intentional? And what's the recommended approach for dealing with this issue?
~Dan
7 years, 4 months
Re: [keycloak-user] Spring + keycloak - cannot get auth username
by Sebastien Blanc
How do you retrieve the principal ?
Something like this ?
// Spring injects the authenticated Principal into the handler method;
// with the Keycloak adapter its getName() returns the configured principal attribute
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String handleAdminRequest(Principal principal, Model model) {
    model.addAttribute("principal", principal);
    return "admin";
}
On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala <pala.ondra(a)gmail.com> wrote:
> This attribute I have set ....
>
> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc <sblanc(a)redhat.com>:
>
>> Set "principal-attribute":"preferred_username" in your keycloak.json and
>> you should be able to get your username from the Principal object.
>>
>>
>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala <pala.ondra(a)gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Why can't I get the username of the logged-in user? I can try to get this
>>> information from Principal, HttpServletResponse ... but it is still null.
>>>
>>> Our application uses Keycloak for authentication; after a successful
>>> login, the user is redirected to another URL (on the same server) in a
>>> Java Spring MVC application.
>>>
>>> Thanks for your answers.
>>>
>>> Ondra
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 4 months
Create user by api
by Sven Kilchenmann
I am trying to create a new user:
import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// Log in to the master realm through the admin console client
Keycloak kc = Keycloak.getInstance(
        "http://192.168.11.55:8080/auth",
        "master",                  // the realm to log in to
        "admin", "pass",           // the user
        "security-admin-console");
// Password credential for the new user
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue("test123");
UserRepresentation user = new UserRepresentation();
user.setUsername("testuser");
user.setFirstName("Test");
user.setLastName("User");
user.setCredentials(Arrays.asList(credential));
// create() returns the HTTP response; check its status instead of discarding it
Response response = kc.realm("master").users().create(user);
System.out.println("Status: " + response.getStatus());
response.close();
It returns an HTTP 400 Bad Request. The Keycloak log says:
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "origin" (class
org.keycloak.representations.idm.UserRepresentation), not marked as
ignorable (22 known properties: "federatedIdentities", "enabled",
"lastName", "emailVerified", "clientConsents", "self", "socialLinks",
"applicationRoles", "createdTimestamp", "groups", "username",
"attributes", "id", "firstName", "email", "federationLink",
"serviceAccountClientId", "requiredActions", "realmRoles",
"clientRoles", "totp", "credentials"])
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@250fdbe0;
line: 1, column: 37] (through reference chain:
org.keycloak.representations.idm.UserRepresentation["origin"])
I'm using Keycloak 2.3.0.Final and Keycloak Admin REST Client 2.4.0.Final API.
Thanks for your support.
Cheers
7 years, 4 months
Configure Keycloak with Apache2
by Celso Agra
Hi all,
I'd like to know if it would be possible to configure Apache2 with Keycloak.
I'm using a simple web page with HTML and JavaScript, only to get some
information (no big deal). But when I try to access the page, all the HTML
is loaded and then Keycloak steps in to ask for authentication.
OK! This works as I expected, but I'd like to know if there is a way
to configure Keycloak in Apache2, in other words, before loading all the
HTML.
So I found this link
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
I'd like to know if it would be possible to use the authentication in
Apache2. Can it be a public API without a secret ID?
Thanks a lot!
--
---
*Celso Agra*
7 years, 4 months
Discourse-Keycloak OIDC connector
by Rashiq
Hi there,
I've been working on an OpenID Connect authentication/authorization plugin for
Discourse in order to connect it to Keycloak, and well -- it's finally here:
https://github.com/occrp/discourse-oidc-basic
It still needs code clean-ups and documentation, and there are a few bugs that
I'm also going to fix within the next few weeks, but we're using it in
production already and it gets the job done.
The plugin supports mapping roles (either realm or client, as configured in
Discourse settings) to Discourse groups, optionally creating missing groups in
Discourse if needed and removing users from Discourse groups not expressed in
terms of roles.
Please report any bugs on GitHub. If you have any questions (or better yet,
comments on the code!), happy to hear them!
--
Pozdravi,
rashiq
7 years, 4 months
What is the URI of the Refresh Token HTTP request for Java Adapters?
by Michael Furman
Hi,
We use the SpringSecurity adapter.
I need to handle some internal application logic when the Refresh Token HTTP request arrives at the adapter.
Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?
Best regards,
Michael
7 years, 4 months
Google as SAML SP and Keycloak as IDP - invalid_signature
by Georgijs Radovs
Hello everyone!
I'm trying to configure SSO to Google Apps, using the SAML protocol with
Keycloak as IDP and Google as SP.
Keycloak Version - 2.1.0-Final
In Keycloak, I've created a new SAML client with the following settings:
----------------------------------------------------------------
Client ID - google.com/a/*mydomain*.com
Enabled - On
Consent Required - Off
Include AuthnStatement - On
Sign Documents - On
Sign Assertions - On
Signature Algorithm - RSA_SHA256
Canonicalization Method - EXCLUSIVE
Encrypt Assertions - Off
Client Signature Required - On
Force POST Binding - On
Front Channel Logout - On
Force Name ID Format - Off
Name ID Format - email
Root URL - empty
Valid Redirect URIs - empty
Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps
Master SAML Processing URL - empty
IDP Initiated SSO URL Name - googleapps
IDP Initiated SSO Relay State - empty
Assertion Consumer Service POST Binding URL - empty
Assertion Consumer Service Redirect Binding URL -
https://google.com/a/*mydomain*.com/acs
logout-service-post-binding-url - empty
Logout Service Redirect Binding URL - empty
--------------------------------------------------------------
Google SSO Settings:
--------------------------------------------------------------
"Setup SSO with third party identity provider" checkbox - enabled
Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
Change password URL - empty
Verification certificate - uploaded certificate from keycloak realm,
where Google SAML client is defined.
"Use a domain specific issuer" checkbox - enabled
---------------------------------------------------------------
The problem:
When I go to this link - https://mail.google.com/a/*mydomain*.com - to
authenticate, I'm redirected back to Keycloak with an "Invalid Requester"
error, and in the Keycloak log I see this: "error=invalid_signature"
What signature is Keycloak complaining about?
What is wrong with my config?
--
<https://www.youtube.com/watch?v=bs0V2F06liw>
7 years, 4 months
Spring + keycloak - cannot get auth username
by Ondra Pala
Hello,
Why can't I get the username of the logged-in user? I can try to get this information
from Principal, HttpServletResponse ... but it is still null.
Our application uses Keycloak for authentication; after a successful login,
the user is redirected to another URL (on the same server) in a Java Spring MVC
application.
Thanks for your answers.
Ondra
7 years, 4 months
Roles in OIDC tokens
by Rashiq
Hi all,
I am trying to understand how Keycloak and OpenID Connect work, and the thing
that I am stumbling on right now is: are user (realm and client) roles --
assuming "Scope Param Required" on a given role is "off", and "Full Scope
Allowed" on a client is "on" -- automagically included in the token, or do we
have to explicitly add a (realm/client) role mapper each time we add a new
client?
From my reading of the docs it seems that the roles should be automagically
included:
"The access token is digitally signed by the realm and contains access
information (like user role mappings) that the application can use to
determine what resources the user is allowed to access on the application."
-- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html
...but that does not seem to be the case in our testing set-up. Am I missing
something?
--
Pozdravi,
rashiq
7 years, 4 months
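A direct way to see which roles actually reach a client is to look at the realm_access and resource_access claims of the access token Keycloak issues. The following is an added example, not code from the thread: it builds a constructed sample token (placeholder realm and client names, placeholder signature) and extracts realm and client roles from its claims; it is for inspection only and assumes the token's signature has already been verified against the realm's public key.

```python
import base64
import json

# Constructed sample payload: only the claims relevant to roles are shown.
# Realm and client names are placeholders, not from the original thread.
_SAMPLE_PAYLOAD = {
    "iss": "https://keycloak.example/auth/realms/demo",
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "editor"]},
    "resource_access": {
        "discourse": {"roles": ["moderator"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token() -> str:
    """Assemble header.payload.signature from the constructed payload.
    The signature segment is a placeholder: a real token is RS256-signed by the realm."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(_SAMPLE_PAYLOAD).encode())
    return f"{header}.{payload}.{_b64url(b'signature-placeholder')}"


def decode_payload(token: str) -> dict:
    """Return the claims segment of a JWT. Inspection only: no signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def realm_roles(claims: dict) -> list:
    """Realm roles are under realm_access.roles (absent when none are mapped)."""
    return list(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims: dict, client_id: str) -> list:
    """Client roles are under resource_access.<client-id>.roles."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


if __name__ == "__main__":
    claims = decode_payload(build_sample_token())
    print("realm roles:", realm_roles(claims))
    print("discourse  :", client_roles(claims, "discourse"))
```

If a role you expect is missing from these claims, the scope settings or the client's role mappers are the place to look, not the application code.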