External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining Keycloak (it looks like it can do what we want), but we have the need to have an external lookup of accounts that are not in Keycloak, in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external data source if the user is not in Keycloak, and from then on have all the data "live" in Keycloak and never refer to the external data source again once the account is "migrated" into Keycloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into Keycloak as there are many more there than will ever be in Keycloak.
Thank you,
Reed Lewis
7 years, 11 months
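The migrate-on-first-lookup behaviour asked about above, as an added example written for this page (it is not code from the original post or from Keycloak): a User Storage SPI provider (the SPI that replaced the older federation SPI) which Keycloak only consults when its own store has no match, which then fetches the account from a hypothetical external REST endpoint, creates it as a plain local user without a federation link, and is therefore never asked about that user again. The endpoint URL, the JSON field names and the factory/registration that are omitted are assumptions; the method parameter order follows the pre-Keycloak-13 SPI (String first, RealmModel second), which later releases reversed.

```java
// Added example for this page, not code from the original post or from Keycloak.
// Assumptions: GET https://accounts.example.internal/users/<username> returns
// {"username": "...", "email": "...", "firstName": "...", "lastName": "..."}
// or HTTP 404. A UserStorageProviderFactory that constructs this class and the
// META-INF/services registration are omitted.
package com.example.keycloak.migration;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

public class ImportOnceStorageProvider implements UserStorageProvider, UserLookupProvider {

    private static final String EXTERNAL_BASE = "https://accounts.example.internal/users/"; // assumption
    private static final ObjectMapper JSON = new ObjectMapper(); // Jackson ships with Keycloak

    private final KeycloakSession session;
    private final ComponentModel model;

    public ImportOnceStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }

    // Keycloak queries its local store before any storage provider, so this
    // runs only for usernames Keycloak does not already know.
    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        JsonNode external = fetchExternal(username);
        if (external == null) {
            return null; // unknown everywhere (or directory unreachable): login fails closed
        }
        // Create a plain local user. Deliberately no local.setFederationLink(model.getId()):
        // without the link Keycloak treats the user as its own and never routes lookups,
        // credential checks or profile updates back to this provider.
        UserModel local = session.userLocalStorage().addUser(realm, external.path("username").asText(username));
        local.setEnabled(true);
        local.setEmail(external.path("email").asText(null));
        local.setFirstName(external.path("firstName").asText(null));
        local.setLastName(external.path("lastName").asText(null));
        // The external password hash is not copied: unless its format is one Keycloak's
        // password hash providers can verify, the user must set a new password once.
        local.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        return local;
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null; // the external directory is keyed by username only (assumption)
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        return null; // never reached: imported users carry no "f:<componentId>:" id prefix
    }

    @Override
    public void close() {
    }

    private JsonNode fetchExternal(String username) {
        try {
            String path = URLEncoder.encode(username, StandardCharsets.UTF_8.name());
            HttpURLConnection conn = (HttpURLConnection) new URL(EXTERNAL_BASE + path).openConnection();
            conn.setConnectTimeout(2000);
            conn.setReadTimeout(2000);
            if (conn.getResponseCode() != 200) {
                return null;
            }
            try (InputStream in = conn.getInputStream()) {
                return JSON.readTree(in);
            }
        } catch (IOException e) {
            return null; // an unreachable directory is treated as "not found", never as "allowed"
        }
    }
}
```

Two points worth checking before relying on this: the "never refer to the external data source again" property rests entirely on not setting the federation link, so any later code that sets it re-attaches the user to the provider; and if the external system only holds password hashes, you either convert them into a hash format Keycloak can verify or keep the link until one successful external credential check, rather than copying hashes Keycloak cannot validate.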
How to add Admin User
by Andrej Prievalsky
Hi,
I would like to summarize the information about "How to add Admin User" (chapter 3.2.1).
My questions are:
1.) From which version (inclusive) does the new concept apply, that there is no built-in user?
2a.) What is the exact command via the add-user script (add-user.sh) to create an admin user?
2b.) Same question as in 2a, but for keycloak-overlay (add-user-keycloak.sh)?
Thanks and Best Regards,
Andrej.
8 years, 8 months
SSO amongst two realms
by Sarp Kaya
Hi,
I want to know whether it is possible to have SSO amongst two realms. I.e. user 1 logs in to app1, which authenticates against realm1; then user 1 tries to use app2, which authenticates against realm2, and this should work fine, as user 1 logged into realm1 before and should be SSO'd into app2.
If this is possible, then what would the setup look like?
Kind Regards,
Sarp
8 years, 9 months
Arquillian / Remote Container / EJB Security
by Lauer Markus
Hello,
We'd like to access secured EJBs (@RolesAllowed) from Arquillian tests.
While it is no problem to get a valid access token, we are stuck at how to "inject" the token into the session to actually access the secured EJBs.
Is it possible to use the JAAS LoginModule (LoginContext etc.) for this?
Can someone provide an example?
Please note: there is a solution with @RunAs, but this only allows specifying one role at a time.
Regards,
Markus.
8 years, 9 months
@SecurityDomain for wildfly 10?
by Hristo Stoyanov
Do we still need @SecurityDomain for WildFly 10 EJBs, in addition to the older JBoss server?
If so, I think in section 8.2.1 the example EJB code has the wrong import for that annotation. Should it be: import org.jboss.annotation.security.SecurityDomain?
/Hristo Stoyanov
8 years, 9 months
GMail throws suspicious error when sending email.
by Revanth Ayalasomayajula
Hi,
I am using Keycloak 1.5.0 for my product, and when I send an email for execute actions, Gmail shows me the warning in the image attached below. However, when I do "forgot password" from my login screen, the email sent does not contain this warning. Can someone help me debug why this is happening? Execute actions is an important part of my product and any help regarding this would be highly appreciated.
Thanks.
8 years, 9 months
Is Keycloak client admin thread safe?
by Hristo Stoyanov
Is org.keycloak.admin.client.Keycloak thread-safe? I intend to use it as a single admin client for the entire app ...
/Hristo Stoyanov
8 years, 9 months
req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
by LEONARDO NUNES
Hi everyone,
I have a page1 whose access is not restricted; on page1 I have a Login button that redirects to Keycloak, and the redirect_uri is page1.
After I log in and get redirected to page1, I try to access the logged-in user information with req.getUserPrincipal(), but this method returns NULL at this moment.
If I navigate to a page whose URL is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object.
I noticed that I have to go to a restricted page before being able to access the user information on a non-restricted page.
The ticket below solved the problem of not accessing the user information on a non-restricted page, but I still have this case where the user logged in on a non-restricted page.
https://issues.jboss.org/browse/KEYCLOAK-2518
--
Leonardo
8 years, 9 months
Which OpenID Connect Flow to Use?
by Jared Sprague
Hello!
We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect flow to use, standard or implicit, based on our needs. What are example use cases for both flows? When would you use one vs the other?
Here is the general use case we are trying to solve.
1. A user logs in and receives an access_token.
2. The user loads an Angular single-page app that makes a call to a stateless REST API, passing the access token.
3. The REST API validates the access_token and forwards the request to the downstream system, e.g. a data provider, including the access token in the request.
4. The data provider retrieves the access token, validates it and returns the response to the REST service, which returns the response to the Angular app.
The above flow should be able to continue at any time throughout the duration of the SSO session. So for the above flow, which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid?
Standard Flow
http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
Implicit Flow
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
Thank you!
- Jared Sprague
access.redhat.com
8 years, 9 months
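Whichever flow issues the token, steps 3 and 4 of the flow above have two services (the stateless REST API and the downstream data provider) each validating the same bearer access token on their own. As an added example written for this page, not code from the original post or from Keycloak, here is the set of checks a resource server needs for a Keycloak-style RS256 token: a pinned algorithm, the signature against the realm public key, expiry, issuer and audience, with a stand-alone demo that mints a throwaway token and shows a tampered payload being rejected. The realm key is assumed to be obtained out of band (Keycloak shows it in the realm settings), the issuer and client id values are made up, and Jackson is assumed on the classpath. Note that Keycloak releases of this thread's era set aud to the requesting client id (also present in azp), while newer ones fill aud from an audience mapper, so the expected audience must match how your realm is configured.

```java
// Added example for this page, not code from the original post or from Keycloak.
// Validates a Keycloak-style RS256 JWT the way a stateless resource server should.
package com.example.api;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class AccessTokenValidator {

    private static final ObjectMapper JSON = new ObjectMapper();
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();                 // padding optional
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();

    private final PublicKey realmKey;        // the realm's RSA public key, obtained out of band
    private final String expectedIssuer;     // e.g. https://sso.example.internal/auth/realms/portal (assumption)
    private final String expectedAudience;   // this API's client id as it appears in aud (assumption)

    public AccessTokenValidator(PublicKey realmKey, String expectedIssuer, String expectedAudience) {
        this.realmKey = realmKey;
        this.expectedIssuer = expectedIssuer;
        this.expectedAudience = expectedAudience;
    }

    /** Returns the verified claims, or throws SecurityException naming the failed check. */
    public JsonNode validate(String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");

        // Pin the algorithm: the token must never choose it (alg=none / HS256 key confusion).
        JsonNode header = JSON.readTree(B64.decode(parts[0]));
        if (!"RS256".equals(header.path("alg").asText())) throw new SecurityException("unexpected alg");

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64.decode(parts[2]))) throw new SecurityException("bad signature");

        // Only trust claims after the signature holds.
        JsonNode claims = JSON.readTree(B64.decode(parts[1]));
        long now = Instant.now().getEpochSecond();
        if (claims.path("exp").asLong(0) <= now) throw new SecurityException("token expired");
        if (!expectedIssuer.equals(claims.path("iss").asText())) throw new SecurityException("wrong issuer");
        if (!hasAudience(claims)) throw new SecurityException("token not issued for this API");
        return claims;
    }

    // aud is a string or an array in Keycloak tokens; a valid token for some other
    // client must not be accepted here just because the signature is good.
    private boolean hasAudience(JsonNode claims) {
        JsonNode aud = claims.path("aud");
        if (aud.isArray()) {
            for (JsonNode a : aud) if (expectedAudience.equals(a.asText())) return true;
            return false;
        }
        return expectedAudience.equals(aud.asText());
    }

    // Demo only: mints a token so the class runs stand-alone. The realm does this in production.
    static String mint(PrivateKey key, String payloadJson) throws Exception {
        String header = B64E.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64E.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + B64E.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();   // stands in for the realm key pair (constructed)
        String iss = "https://sso.example.internal/auth/realms/portal";
        AccessTokenValidator v = new AccessTokenValidator(kp.getPublic(), iss, "portal-api");

        long exp = Instant.now().getEpochSecond() + 300;
        String good = mint(kp.getPrivate(),
                "{\"iss\":\"" + iss + "\",\"aud\":\"portal-api\",\"azp\":\"portal-spa\",\"exp\":" + exp + ",\"sub\":\"u1\"}");
        System.out.println("accepted, sub = " + v.validate(good).path("sub").asText());

        // Swapping the payload (a forged subject) must break the signature.
        String[] p = good.split("\\.");
        String forged = p[0] + "." + B64E.encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        try {
            v.validate(forged);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same class serves the data provider in step 4; the only thing that changes between the two services is the expected audience. Because the API forwards the user's token downstream rather than exchanging it, the data provider sees exactly the scope the user was granted, which is the intended effect of the design above, but also means a token leaked from the REST layer is valid against the data provider until it expires.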
EJB Invalid User + Log Out not working
by Firdos Ali
Hello,
I am having a few problems with Keycloak. Let me first start with the environment information:
Keycloak version: 1.9.0
Keycloak WildFly version: 10.0.0
Application WildFly version: 8.0.0
Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User
I have followed the documentation by adding the Keycloak adapter to the application WildFly 8.0, and my server.xml has the following:
<extensions>
    <!-- ... -->
    <extension module="org.keycloak.keycloak-adapter-subsystem"/>
</extensions>
<profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
            <!-- ... -->
            <security-domain name="keycloak">
                <authentication>
                    <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>
    <!-- ... -->
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
</profile>
MyEJB:
@Stateless
@Local(MyInt.class)
@SecurityDomain("keycloak")
public class MyBean implements MyInt {
    ...
    @PermitAll
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public boolean myMethod(...) throws Exception {
    }
}
At the moment I am not using jboss-ejb3.xml as I reference the security domain in my EJB class. I added it and it did not help.
Stacktrace:
ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(.) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
Is there something I am missing from the documentation? Any thoughts how to
resolve this issue?
Problem 2: Unable to log out a user from keycloak administration console:
After I click "Logout" on the administration console in Keycloak, I see the
following error on the keycloak server:
ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
Best regards,
Firdos Ali
8 years, 9 months