Additional parameters and processing them
by Reed Lewis
First, I want to thank all the Keycloak developers for your great help. This is by far one of the best supported and documented open source products I have used in a long time.
My next question:
Say I have the redirect to login using the following URI:
https://<server>/auth/realms/<realm>/protocol/openid-connect/auth?response_type=code&client_id=broker&redirect_uri=http://localhost:5000/oauth2callback&scope=offline_access&nonce=fa7757e5-697c-4f3a-9760-610a6d19893b-d5c888df-3dd3-4a06-8ea0-7525fc9894de
And I wish to add additional parameters to the request which I can put into the JWT, or use the values as session attributes or the like.
How do I do that?
Thank you,
Reed Lewis
8 years, 1 month
Re: [keycloak-user] Admin Console: Clients Configuration: Displaying of "attributes" from Client Representation
by Bystrik Horvath
Hi,
I went through the example (
https://github.com/keycloak/keycloak/tree/master/examples/providers/authe...).
The security questions are written in the secret-question.ftl
and secret-question-config.ftl files. From my point of view, the security
questions are known in advance and they can be "hardcoded" in ftl files. My
case is that security questions are defined during runtime (preferably
via the admin REST API). The admin REST API does not provide the functionality
to store attributes on realm level. I agree that security questions belong
to the realm, but how to provision them - *.ftl files are not an option for me.
Best regards,
Bystrik
On Mon, Feb 22, 2016 at 12:55 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> If you look at our security questions example it stores the configuration
> on the authenticator itself.
>
> On 22 February 2016 at 12:46, Bystrik Horvath <bystrik.horvath(a)gmail.com>
> wrote:
>
>> Hi,
>>
>> what would be a recommended way to provision a security question on a realm
>> basis if the question is not known in advance? Maybe it is a misuse of
>> client representation for provisioning that.
>>
>> Best regards,
>> Bystrik
>>
>> On Mon, Feb 22, 2016 at 12:28 PM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> I don't understand how you can have security questions that are
>>> particular to a client. A user logs-in to a realm, not a client.
>>>
>>> On 22 February 2016 at 10:20, Juraj Janosik <juraj.janosik77(a)gmail.com>
>>> wrote:
>>>
>>>> @ Stian:
>>>> generally speaking, I did not find any description that the client
>>>> attributes are for internal use only.
>>>> The "attributes" parameter is propagated in ClientRepresentation in the
>>>> REST Admin API,
>>>> therefore it should be used for CRUD admin operations.
>>>> We plan to attach Security Answers to the user (Security questions are
>>>> common for particular client).
>>>>
>>>> Best Regards,
>>>> Juraj
>>>>
>>>> 2016-02-22 10:18 GMT+01:00 Bystrik Horvath <bystrik.horvath(a)gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I think the case here is to provision the text of security question to
>>>>> the client attributes when it is not known in advance.
>>>>>
>>>>> Best regards,
>>>>> Bystrik
>>>>>
>>>>> On Mon, Feb 22, 2016 at 10:06 AM, Thomas Darimont <
>>>>> thomas.darimont(a)googlemail.com> wrote:
>>>>>
>>>>>> Interesting - do you need client specific security questions?
>>>>>>
>>>>>> The keycloak examples contain a custom provider for user specific
>>>>>> security questions - perhaps this would suit your needs better.
>>>>>>
>>>>>> https://github.com/keycloak/keycloak/tree/master/examples/providers/authe...
>>>>>>
>>>>>> Cheers,
>>>>>> Thomas
>>>>>>
>>>>>> 2016-02-22 10:02 GMT+01:00 Juraj Janosik <juraj.janosik77(a)gmail.com>:
>>>>>>
>>>>>>> Hi Thomas,
>>>>>>>
>>>>>>> for example security questions.... :-)
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Juraj
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2016-02-22 9:12 GMT+01:00 Thomas Darimont <
>>>>>>> thomas.darimont(a)googlemail.com>:
>>>>>>>
>>>>>>>> Hello Juraj,
>>>>>>>>
>>>>>>>> I wondered about that too a while ago - may I ask what client
>>>>>>>> attributes you are planning to store?
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>> 2016-02-22 8:17 GMT+01:00 Juraj Janosik <juraj.janosik77(a)gmail.com>
>>>>>>>> :
>>>>>>>>
>>>>>>>>> The user configuration has the possibility to
>>>>>>>>> Create/Read/Update/Delete of "custom" attributes in the Admin Console.
>>>>>>>>>
>>>>>>>>> (/auth/admin/master/console/#/realms/demo/users/{uid}/user-attributes)
>>>>>>>>> The client does not. I think, the logic and the focus is the same
>>>>>>>>> for both.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Juraj
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2016-02-19 15:40 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
>>>>>>>>>
>>>>>>>>>> We don't. Why would we add it though?
>>>>>>>>>> On 18 Feb 2016 12:43, "Juraj Janosik" <juraj.janosik77(a)gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> is there any plan to support for displaying of "attributes" from
>>>>>>>>>>> Client Representation
>>>>>>>>>>> (like users configuration) in Admin Console?
>>>>>>>>>>>
>>>>>>>>>>> Thanks.
>>>>>>>>>>>
>>>>>>>>>>> Best Regards,
>>>>>>>>>>> Juraj
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
8 years, 1 month
Forgot password flow
by Bystrik Horvath
Hello,
It is perfectly possible to reset a forgotten password via
execute-actions-email on UsersResource, which leads to generation of an email
containing the link for completing the password reset action (e.g.:
http://localhost:8080/auth/realms/publicRealm/login-actions/execute-actio...
)
The reset password flow ends in the account client, where the user changes the
password to the one he likes.
How would it be possible to finish the flow without interacting with the
account client? E.g. directly set a new credential via a REST call?
Best regards,
Bystrik
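One way to do what the post asks, as an added example that is not code from the post or from the Keycloak project: instead of sending the execute-actions-email and waiting for the user to finish in the account client, an administrative process sets a temporary credential directly through the admin REST API. The example assumes the endpoint PUT /auth/admin/realms/{realm}/users/{id}/reset-password accepting a CredentialRepresentation (part of the Keycloak admin API, though not mentioned in the post), a bearer token obtained by a service account that holds the manage-users realm-management role, and placeholder values for the server URL, realm and user id.

```python
import json
import secrets
import urllib.request
from urllib.parse import quote


def build_reset_password_request(base_url, realm, user_id, new_password, temporary=True):
    """Assemble the admin REST call that sets a user's password.

    Returns (method, url, body) so the call can be inspected or logged
    before anything is sent. temporary=True marks the credential as
    one-time: Keycloak adds the UPDATE_PASSWORD required action, so the
    user must pick their own password at next login and the helpdesk
    never holds a long-lived secret for the account.
    """
    url = (f"{base_url.rstrip('/')}/auth/admin/realms/"
           f"{quote(realm, safe='')}/users/{quote(user_id, safe='')}/reset-password")
    body = {"type": "password", "value": new_password, "temporary": temporary}
    return "PUT", url, body


def generate_temporary_password(nbytes=12):
    """Random, URL-safe one-time password drawn from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def reset_password(base_url, realm, user_id, admin_token, temporary=True):
    """Set a fresh temporary password for the user.

    Returns (http_status, new_password); Keycloak answers 204 No Content
    when the credential was stored.
    """
    new_password = generate_temporary_password()
    method, url, body = build_reset_password_request(
        base_url, realm, user_id, new_password, temporary)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 401/403/404
        return resp.status, new_password


if __name__ == "__main__":
    # Placeholder values; nothing is sent to a server here.
    method, url, body = build_reset_password_request(
        "https://sso.example.invalid", "publicRealm", "0f1c-user-id", "s3cret-temp")
    print(method, url)
    print(json.dumps(body))
```

The admin token is obtained the usual way, from the realm's /protocol/openid-connect/token endpoint with the client_credentials grant for a confidential client whose service account has manage-users. The generated temporary password still has to reach the user over a channel that verifies who they are (the email link in the post is exactly that channel), so this replaces the account-client step, not the identity check before it.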
8 years, 1 month
Our (customised version of) Keycloak 1.9.0.Final fails to start up
by Edgar Vonk - Info.nl
hi,
Starting from 1.9.0.Final (it was working ok in 1.9.0.RC1) our Keycloak Docker image no longer starts up. We get the following exception. We have made a number of customisations so I am guessing the issue is somewhere there. Maybe someone already has an idea where to look from this stack trace? We based our Docker image on https://hub.docker.com/r/jboss/keycloak/ but customised it quite a bit.
cheers
Edgar
16:49:50,851 INFO [org.keycloak.services] (ServerService Thread Pool -- 46) KC-SERVICES0050: Initializing master realm
16:49:52,621 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 46) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory.lazyInit(InfinispanCacheUserProviderFactory.java:58)
at org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory.create(InfinispanCacheUserProviderFactory.java:50)
at org.keycloak.models.cache.infinispan.InfinispanCacheUserProviderFactory.create(InfinispanCacheUserProviderFactory.java:38)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:101)
at org.keycloak.services.DefaultKeycloakSession.getUserProvider(DefaultKeycloakSession.java:64)
at org.keycloak.services.DefaultKeycloakSession.userStorage(DefaultKeycloakSession.java:90)
at org.keycloak.models.UserFederationManager.getUsersCount(UserFederationManager.java:286)
at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:50)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:134)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
... 19 more
16:49:52,628 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.NullPointerException"}}
8 years, 1 month
403 when loading user info
by Adrian Matei
Hi everybody,
Could you help me please with a hard nut to crack? We have the following
situation:
When calling the userinfo endpoint over an enterprise proxy server (js
adapter loadUserInfo() method):
https://hostname/auth/realms/realmname/protocol/openid-connect/userinfo
we get 403 Forbidden with no Access-Controls headers set. Here is the funny
part - it happens only in Chrome, Firefox and Opera. With Safari and IE11
it seems to be working.
The stacktrace from server.log does not tell me much:
11:30:31,906 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
(http-/159.232.186.74:8443-6) RESTEASY000105: Failed to execute:
org.keycloak.services.ErrorResponseException
at
org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:130)
[keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at
org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:103)
[keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at sun.reflect.GeneratedMethodAccessor342.invoke(Unknown Source)
[:1.8.0_66]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_66]
at java.lang.reflect.Method.invoke(Method.java:497)
[rt.jar:1.8.0_66]
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:106)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:153)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:561)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:543)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:128)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
[keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_66]
Thanks,
Adrian
8 years, 1 month
Is there any way to allow only session per account?
by Mai Zi
Suppose we have an angular-js client which is controlled by a Keycloak server.
Is there any way to kick the first user off if a second user logs in with the same account?
Or, if the first has logged in, then the second cannot be allowed in?
In short, is it possible to only allow one session per account?
Thanks
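An added example (not code from the post or from Keycloak) of the approach an administrator can take from outside the server: after a login, list the account's sessions through the admin REST API and revoke all but one. It assumes GET /auth/admin/realms/{realm}/users/{id}/sessions returns UserSessionRepresentation objects whose `start` field is the login time in epoch milliseconds, and that DELETE /auth/admin/realms/{realm}/sessions/{session-id} removes a single session; both exist in the admin API but are not on the page. The session list below is constructed. `keep="newest"` implements the first variant asked (kick the earlier login off), `keep="oldest"` approximates the second (the later login is the one revoked).

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed sample: what GET .../users/{id}/sessions might return for one
# account that is logged in from three places (start = epoch milliseconds).
SAMPLE_SESSIONS = [
    {"id": "s-aaa", "username": "alice", "ipAddress": "10.0.0.5",
     "start": 1456000000000, "lastAccess": 1456000300000},
    {"id": "s-bbb", "username": "alice", "ipAddress": "10.0.0.9",
     "start": 1456003600000, "lastAccess": 1456003700000},
    {"id": "s-ccc", "username": "alice", "ipAddress": "10.0.0.7",
     "start": 1456001800000, "lastAccess": 1456002000000},
]


def sessions_to_revoke(sessions, keep="newest"):
    """Return the ids of every session except the one that survives.

    keep="newest": the most recent login wins and earlier ones are kicked.
    keep="oldest": the first login stays and later logins are revoked.
    Sorting by start time makes the answer independent of server ordering.
    """
    if not sessions:
        return []
    ordered = sorted(sessions, key=lambda s: s["start"])
    survivor = ordered[-1] if keep == "newest" else ordered[0]
    return [s["id"] for s in ordered if s["id"] != survivor["id"]]


def admin_request(base_url, token, method, path):
    """Minimal admin REST call; returns parsed JSON, or None for an empty body."""
    url = f"{base_url.rstrip('/')}/auth/admin/realms/{path}"
    req = urllib.request.Request(
        url, method=method,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:  # HTTPError on 401/403/404
        raw = resp.read()
    return json.loads(raw) if raw else None


def enforce_single_session(base_url, realm, user_id, token, keep="newest"):
    """List the user's sessions and delete all but one; returns the revoked ids."""
    realm_q, user_q = quote(realm, safe=""), quote(user_id, safe="")
    sessions = admin_request(base_url, token, "GET",
                             f"{realm_q}/users/{user_q}/sessions") or []
    revoked = sessions_to_revoke(sessions, keep)
    for session_id in revoked:
        admin_request(base_url, token, "DELETE",
                      f"{realm_q}/sessions/{quote(session_id, safe='')}")
    return revoked


if __name__ == "__main__":
    # Offline demonstration on the constructed list; no server is contacted.
    print("kick earlier logins:", sessions_to_revoke(SAMPLE_SESSIONS, "newest"))
    print("revoke later logins:", sessions_to_revoke(SAMPLE_SESSIONS, "oldest"))
```

Deleting a session invalidates its refresh token and the SSO cookie, but an access token that was already issued remains usable until its own expiry, so the access token lifespan bounds how quickly the kicked browser actually loses access. Because this runs after the fact, two near-simultaneous logins can race it; enforcing the rule inside the server's login flow is the tighter option, this is the one that needs no custom deployment.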
8 years, 1 month
Hybrid SSO access and custom user database
by Stefano Cossu
Hello,
I am currently evaluating Keycloak to resolve an SSO scenario that we
are unable to resolve with our current setup.
We have a SAML2 environment made up of a Shibboleth SP and a
SimpleSamlPHP IdP. The IdP authenticates requests against a custom
identity database exposed via a very simple REST API. The IdP sends
the username and password to the REST API, which either responds
with a 401 or sends a JSON object with the authenticated user's
attributes and membership information.
So far so good, but now we need to authenticate an API client in the
system. SAML2 is not great for this, so I am looking for an alternative
SSO solution, either based on SAML or not.
Our requirements are:
1. The SSO system needs to be able to authenticate against the custom
REST API. This seems to be possible in Keycloak by defining a custom
federation provider.
2. The SSO system needs to be able to authenticate both browser- and
API-based clients and let a client authenticated via API use the same
SSO token in a browser.
3. The SSO system needs to pass the identity information to the web
server (Apache) so that they are available as environment variables, in
a similar way Shibboleth does.
I have installed and started testing Keycloak locally but I am unsure
which scenario I should look at within Keycloak to accomplish what I am
looking for. Can someone give me some directions?
Thanks,
Stefano
--
Stefano Cossu
Director of Application Services, Collections
The Art Institute of Chicago
116 S. Michigan Avenue
Chicago, IL 60603
8 years, 1 month
Accurate description of Keycloak's capabilities?
by Marc Boorshtein
All,
I'm going to be presenting OpenUnison at an OpenShift briefing tomorrow and
have been asked to include a slide on how OpenUnison and Keycloak relate to
each other. Based on getting Keycloak running and looking at the website
and following the list I'm planning on breaking down KC's features as such:
Authentication
* OIDC
* SAML2
* Social
* TOTP
* IdP "Proxy" for both SAML2 and OIDC
User Data Sources
* LDAP
* AD
* Custom
Role Management
* Local database
* Mapped to external data source
Application Integration
* SAML2
* OIDC/OAuth2
* Reverse Proxy with header injection
UI Pages
* Themed
I want to make sure this is accurate, so I'd appreciate any feedback that
you have.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
8 years, 1 month