Keycloak redirect to wrong destination
by Andrey Saroul
Recently I encountered with unexpected behavour of Keycloak.
I did a simple rest service and had deployed Keycloak on one the same
machine.
I'm using keycloak 1.7.0 with WildFly 9.0.2
My root URL of rest service is: /rest
In Keycloak admin console I have configured my rest service this way:
Client Protocol: openid-connect, Valid Redirect URIs: /rest/*
I tried to access my test page of rest service by url:
http://localhost:8080/rest/test?id=1
I got redirect to login form, entered my login and password. That's fine,
browser got valid jsessionid from Keycloak, BUT at the end of redirect
chain I end up with root url of my webapp (http://localhost:8080/rest), but
I tried to access different location (http://localhost:8080/rest/test?id=1)
I expect to be redirected to the url I entered in the first place.
I wonder, is this a bug or a misconfiguration issue?
8 years, 2 months
Default client for a realm
by Thomas Darimont
Hi group,
I have multiple realms and a list of clients registered within each realm.
For each realm I'd like to configure
a "default" client that can be used as a redirect fallback if no client or
redirect_uri was specified in requests.
The usecase is to provide some kind of "home" or "launchpad" service where
users are redirected to in case
they don't know or didn't specify where to go.
The launchpad would then present a "fancy selection" of all the apps
(clients) that are available to the current user,
somewhat comparable to the https://www.google.de/intl/de/about/products/
page.
Is this already possible or considered as a feature?
A default "default" client could be the account application.
A quick hack I could think of would be to define a client with the name
"default" (or another well-known name)
and register a custom endpoint in Keycloak that would accept the client_id
as a url parameter and redirect to the
configured client base url.
Cheers,
Thomas
8 years, 2 months
Information in Access Token
by Boken Lin
Hi all,
Is there a way to define what kind of information gets encoded in the
access token? Right now I'm looking for a way to reduce the length of
the access token.
Any help would be greatly appreciated!
Thanks.
Boken.
8 years, 2 months
Adding additional security questions for forgotten password.
by Reed Lewis
I am implementing Keycloak and need to have the ability to have user questions that can be stored, and asked randomly if the user forgets their password.
Can Keycloak store this content, or do I need a separate instance? How do I integrate this into Keycloak?
Thank you,
Reed Lewis
8 years, 2 months
Re: [keycloak-user] Establish session by ajax request
by Andrey Saroul
No more actual.
I fixed it by using bearer type auth instead of confidential.
I generated token and set its value to front-end ExtJs.
2016-02-09 18:25 GMT+03:00 Andrey Saroul <andrey.saroul(a)gmail.com>:
> Is there any way to establish session with client (webapp with browser
> enabled authn, not a Bearer type) by XMLHttpRequest?
> I have central webapp which provide access to other services (restful).
> The problem is that when I login into central app I establish session with
> jsessionid connected to it. That works fine until I try to access other
> services. I have front-end as a single page (ExtJS) which issue
> XMLHttpRequest to service (separate web app in the same server). By the
> time I login into central app browser has its jsessionid, but to access
> other service, I need to establish another session and keycloak has to
> generate another jsessionid for me to access this service. And I can't get
> it supposedly because of XMLHttpRequest not a HttpRequest.
>
> For example, for this request (with jsessionid of central webapp):
> GET /rest/test HTTP/1.1
> Host: localhost:8080
> *X-Requested-With: XMLHttpRequest*
> Cookie: JSESSIONID=XAVXi...
> Connection: keep-alive
>
> Response is (I ommited some unimportant headers):
> *HTTP/1.1 401 Unauthorized*
> Expires: 0
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Powered-By: Undertow/1
> Server: WildFly/9
> Pragma: no-cache
> Connection: keep-alive
>
>
> *WWW-Authenticate: Bearer realm="Unknown"*
> And when I change request to generic http, I got correct jsessionid and
> can access my rest service.
>
8 years, 2 months
Establish session by ajax request
by Andrey Saroul
Is there any way to establish session with client (webapp with browser
enabled authn, not a Bearer type) by XMLHttpRequest?
I have central webapp which provide access to other services (restful). The
problem is that when I login into central app I establish session with
jsessionid connected to it. That works fine until I try to access other
services. I have front-end as a single page (ExtJS) which issue
XMLHttpRequest to service (separate web app in the same server). By the
time I login into central app browser has its jsessionid, but to access
other service, I need to establish another session and keycloak has to
generate another jsessionid for me to access this service. And I can't get
it supposedly because of XMLHttpRequest not a HttpRequest.
For example, for this request (with jsessionid of central webapp):
GET /rest/test HTTP/1.1
Host: localhost:8080
*X-Requested-With: XMLHttpRequest*
Cookie: JSESSIONID=XAVXi...
Connection: keep-alive
Response is (I ommited some unimportant headers):
*HTTP/1.1 401 Unauthorized*
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Powered-By: Undertow/1
Server: WildFly/9
Pragma: no-cache
Connection: keep-alive
*WWW-Authenticate: Bearer realm="Unknown"*
And when I change request to generic http, I got correct jsessionid and can
access my rest service.
8 years, 2 months
Social Login, whitelist company domains (google)
by Jesse Chahal
Hi,
So I've been experimented with the social login, mostly the google one, and
am trying to figure out how to allow whitelisting of domains for people
using google apps for business. I think it is common practice to use social
login for companies if they are using services from said provider. Is there
a way to limit google's social login to only those who are using email's
from specific domains? If not would be the best way for me to go around
implementing this?
8 years, 2 months
access_token always contains JWT
by manfred.duchrow@caprica.biz
Hi,
I am trying to retrieve an access token from a Keycloak (1.8.0.Final)
service account by
POST /auth/realms/myrealm/protocol/openid-connect/token
with grant_type=client_credentials.
The result contains a signed JWT as value of field "access_token" rather
than a simple token
as described in chapter 18 (Service Accounts) of the user guide.
So what I expect (need) is a response like this:
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"bearer",
"expires_in":60,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
"session-state":"234234-234234-234234"
}
Is there a way to configure the account or the realm to return a simple
token
in "access_token" (and "refresh_token") rather than a JWT?
Cheers,
Manfred
8 years, 2 months
NoClassDefFoundError during Logout (Domain Mode)
by LEONARDO NUNES
Hi, i'm getting the exception below when I try to logout from my aplication or when I click Logout All from the Sessions menu at the admin console.
I'm using the Overlay keycloak-overlay-eap6-1.8.1.Final on our EAP 6.3.3 in Domain Mode with 2 hosts.
I copied the modules from the overlay zip to our modules in the EAP folder. Then, I did the installation with jboss-cli.
The Admin Console is working fine. I deployed the customer-app at another server and i'm able to register and login succssesfully.
Then, when I try to logout I get the error below.
>>>>>>>>
2016-02-06 11:47:13,502 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[eap-corp-dev].[/auth].[Keycloak REST Interface]] (ajp-/192.168.10.67:8019-2) JBWEB000236: Servlet.service() for servlet Keycloak REST Interface threw exception: java.lang.RuntimeException: request path: /auth/admin/realms/demo/logout-all
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.spi.ApplicationException: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory
at org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:365) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:233) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:209) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:557) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
... 15 more
Caused by: org.jboss.resteasy.spi.ApplicationException: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory
at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:69) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at com.sun.proxy.$Proxy206.getProvider(Unknown Source)
at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:235) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at org.keycloak.services.managers.ResourceAdminManager.logoutClient(ResourceAdminManager.java:220) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at org.keycloak.services.managers.ResourceAdminManager.logoutAll(ResourceAdminManager.java:196) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at org.keycloak.services.resources.admin.RealmAdminResource.logoutAll(RealmAdminResource.java:338) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
... 24 more
Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.lazyInit(DefaultHttpClientFactory.java:120)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:36)
at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:27)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:57) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
... 41 more
Caused by: java.lang.ClassNotFoundException: org.apache.http.conn.socket.LayeredConnectionSocketFactory from [Module "org.keycloak.keycloak-connections-http-client:main" from local module loader @543c6f6d (finder: local module finder @13eb8acf (roots: /opt/jboss-eap-6.3/modules,/opt/jboss-eap-6.3/modules/system/layers/base/.overlays/layer-base-jboss-eap-6.3.3.CP,/opt/jboss-eap-6.3/modules/system/layers/base,/var/opt/jboss_domains/modules))]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.5.Final-redhat-1]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.5.Final-redhat-1]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.5.Final-redhat-1]
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.5.Final-redhat-1]
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.5.Final-redhat-1]
... 50 more
--
Leonardo Nunes
________________________________
Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o.
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation
8 years, 2 months
