Confidential RESTful client
by Bruce Shaw
I have a AngularJs single page web-app that makes RESTful API calls to get
secured data from our server (Play Framework). I originally set it up to
be a public client using the keycloak.js adapter but I’m wondering if
there’s a more secure way.
Instead of having the redirect response (with the authorization code) come
back to the keycloak.js followed by the request to get the access token,
wouldn’t it be more secure to have the javascript post the returned
authorization code to our server or just set the redirect url to an
endpoint on our server to make the backchannel request (with client secret
and id) for the access token? Then we can redirect the user to the
appropriate location with the access token in the response?
I guess I’m trying to make my RESTful api a confidential client, any input
or direction would help.
thanks.
9 years, 2 months
Blacklisting/whitelisting of domains for email entered during user registration
by Vlastimil Elias
Hi,
Is there this feature (i was not able to find it) in Keycloak or is it
planned (I was not able to find it in JIRA)?
It is extremely useful (mainly blacklisting) in some cases. Eg.
yesterday we fought spammers in one of our public systems. Spammers
registered lots of new users using disposable email service and then
used them to create spam content. We blacklisted domains used by the
disposable email service from registration, which stopped spammers
immediately.
We do not use Keycloak there yet, but maybe in future. Current system we
use has blacklisting available OOTB.
Registration email whitelisting may be useful if you create service for
eg. your employees only, and want them to register there with company
emails only.
I think it should be possible to add new step into "Registration" flow
to perform this blacklisting, we can do it yourself probably, but it
should be cool to have this very useful feature present in the Keycloak
out of the box.
WDYT about this feature, can I create jira feature request for it?
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
9 years, 2 months
Issue with logout.
by Satyajit Das
Hi Team we are facing the below issue with logout.
i use login/logout restful service:
after login
i get tokenid say "t1" and refreshtokenid say "rt1"
1) We have registered a webservice as a keycloak client (example demo123)
with access type as bearer.
2) When I call the logout rest service:
if (isPublic()) { // if client is public access type formparams.add(new
BasicNameValuePair(OAuth2Constants.CLIENT_ID, "demo123")); }
URI logoutUri = KeycloakUriBuilder.fromUri(getBaseUrl(request) + "/auth")
.path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH) .build("RealmName");
the logout gives 204 for client's access type as open.
but when i again hit the service with the token id "t1" after logout.
Still i can get the response. *Note this response doesnt hit keycloak*.
Regards,
Satya
9 years, 2 months
Getting username for Logout Event
by Maciek Dawidowicz
Hello,
I am trying to log information about successful login and logouts in my
application. I've written a simple event listener to pass data to my
application audit logger in correct format. In case of Login event there
are following details available:
auth_method: openid-connect
auth_type: code
redirect_uri:
http://localhost:8080/auth/admin/master/console/?redirect_fragment=%2Frea...
consent: no_consent_required
code_id: 28e74ada-cb0e-4901-91bb-2915f1a3b8e0
*username: admin*
however in logout event details there is only:
redirect_uri:
http://localhost:8080/auth/admin/master/console/#/realms/master/events
This means all i get in this event related to User is his id:
*User: a680de68-1c9a-40dd-a642-c56d5912b7b6*
Is there a simple way for my event listener to get username based on User
Id? Or perhaps a way to enable putting username in logout event details?
thanks,
Maciej Dawidowicz
9 years, 2 months
Re: [keycloak-user] Custom user attribute documentation correct?
by Jason Axley
2 seconds after I found that there were custom attribute template examples in examples/themes that gave me the nuance that is missing or lost on me in the documentation.
You need to use the format “user.attributes.mobile” everywhere except when rendering the value from the model. There you use ${account.attributes.mobile} for the interpolation. Any chance those could match and both be account.attributes.<blah> rather than be different?
<div class="form-group ${messagesPerField.printIfExists('user.attributes.mobile','has-error')}">
<div class="col-sm-2 col-md-2">
<label for="user.attributes.mobile" class="control-label">${msg("mobile")}</label> <span class="required">*</span>
</div>
<div class="col-sm-10 col-md-10">
<input type="text" class="form-control" id="user.attributes.mobile" name="user.attributes.mobile" value="${(account.attributes.mobile!'')?html}"/>
</div>
</div>
-Jason
From: <keycloak-user-bounces(a)lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>> on behalf of Jason Axley <jaxley(a)expedia.com<mailto:jaxley@expedia.com>>
Date: Tuesday, February 23, 2016 at 9:02 PM
To: "keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>" <keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: [keycloak-user] Custom user attribute documentation correct?
Is the documentation here accurate for v1.9.0-Final? http://keycloak.github.io/docs/userguide/keycloak-server/html/custom-user... It says (for the user account profile pages, for example) that attributes must be of the form like “user.attributes.mobile” but if you do this, Freemarker can’t render the template. I can render it if I use “account.mobile”, however it’s not displaying the data that is definitely there on the user profile (I can see it as an administrator on the Attributes tab).
<div class="form-group ${messagesPerField.printIfExists('account.mobile','has-error')}">
<div class="col-sm-2 col-md-2">
<label for="account.mobile" class="control-label">${msg("mobile")}</label> <span class="required">*</span>
</div>
<div class="col-sm-10 col-md-10">
<input type="text" class="form-control" id="account.mobile" name="account.mobile" value="${(account.mobile!'')?html}"/>
</div>
</div>
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
9 years, 2 months
keycloak 1.8.1 to 1.9.0 upgrade failed
by Michael Mok
Hi there.
Keycloak 1.9.0 is working but this error keeps appearing in the log every
time I restart keycloak. :<
23:41:51,546 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak
container
23:41:51,551 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 47) WFLYCLINF0002: Started realms cache from keycloak
container
23:41:51,684 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 46) WFLYCLINF0002: Started realmVersions cache from keycloak
container
23:41:52,827 INFO [org.keycloak.services] (ServerService Thread Pool --
50) KC-SERVICES0001: Loading config from
/opt/keycloak/standalone/configuration/keycloak-server.json
23:41:56,771 INFO [org.hibernate.jpa.internal.util.LogHelper]
(ServerService Thread Pool -- 50) HHH000204: Processing PersistenceUnitInfo
[
name: keycloak-default
...]
23:41:56,844 INFO [org.hibernate.Version] (ServerService Thread Pool --
50) HHH000412: Hibernate Core {5.0.7.Final}
23:41:56,846 INFO [org.hibernate.cfg.Environment] (ServerService Thread
Pool -- 50) HHH000206: hibernate.properties not found
23:41:56,848 INFO [org.hibernate.cfg.Environment] (ServerService Thread
Pool -- 50) HHH000021: Bytecode provider name : javassist
23:41:56,894 INFO [org.hibernate.annotations.common.Version]
(ServerService Thread Pool -- 50) HCANN000001: Hibernate Commons
Annotations {5.0.1.Final}
23:41:57,063 INFO [org.hibernate.dialect.Dialect] (ServerService Thread
Pool -- 50) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
23:41:57,114 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl]
(ServerService Thread Pool -- 50) Envers integration enabled? : true
23:41:57,965 INFO [org.hibernate.validator.internal.util.Version]
(ServerService Thread Pool -- 50) HV000001: Hibernate Validator 5.2.3.Final
23:41:58,990 INFO
[org.hibernate.hql.internal.QueryTranslatorFactoryInitiator]
(ServerService Thread Pool -- 50) HHH000397: Using ASTQueryTranslatorFactory
23:42:00,007 ERROR [org.keycloak.services] (ServerService Thread Pool --
50) KC-SERVICES0002: Failed to migrate datamodel:
java.lang.NullPointerException
at
org.keycloak.migration.migrators.MigrateTo1_9_0.migrate(MigrateTo1_9_0.java:42)
at
org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:93)
at
org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:152)
at
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:94)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
23:42:00,214 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002225: Deploying javax.ws.rs.core.Application:
class org.keycloak.services.resources.KeycloakApp
lication
23:42:00,216 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002200: Adding class resource
org.keycloak.services.resources.JsResource from Application class o
rg.keycloak.services.resources.KeycloakApplication
23:42:00,217 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002205: Adding provider class
org.keycloak.services.filters.KeycloakTransactionCommitter from App
lication class org.keycloak.services.resources.KeycloakApplication
23:42:00,217 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002200: Adding class resource
org.keycloak.services.resources.ThemeResource from Application clas
s org.keycloak.services.resources.KeycloakApplication
23:42:00,217 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002200: Adding class resource
org.keycloak.services.resources.QRCodeResource from Application cla
ss org.keycloak.services.resources.KeycloakApplication
23:42:00,217 INFO [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService
Thread Pool -- 50) RESTEASY002220: Adding singleton resource
org.keycloak.services.resources.WelcomeResource from Applicatio
n class org.keycloak.services.resources.KeycloakApplication
9 years, 2 months
Same user with different "sub" in JWT Token?
by Sylvain Auger-Léger
Hi,
Is it possible to setup keycloak so that:
the JWT "sub" attribute would be different in every client for the same
user ?
This is to prevent from crossing information between clients.
Thank you.
9 years, 2 months
Custom user attribute documentation correct?
by Jason Axley
Is the documentation here accurate for v1.9.0-Final? http://keycloak.github.io/docs/userguide/keycloak-server/html/custom-user... It says (for the user account profile pages, for example) that attributes must be of the form like “user.attributes.mobile” but if you do this, Freemarker can’t render the template. I can render it if I use “account.mobile”, however it’s not displaying the data that is definitely there on the user profile (I can see it as an administrator on the Attributes tab).
<div class="form-group ${messagesPerField.printIfExists('account.mobile','has-error')}">
<div class="col-sm-2 col-md-2">
<label for="account.mobile" class="control-label">${msg("mobile")}</label> <span class="required">*</span>
</div>
<div class="col-sm-10 col-md-10">
<input type="text" class="form-control" id="account.mobile" name="account.mobile" value="${(account.mobile!'')?html}"/>
</div>
</div>
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
9 years, 2 months
