JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
7 years, 1 month
External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis
7 years, 2 months
keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
by jazz
Hi,
I have wildfly 10 installed using nginx as https proxy server [1,
standalone-full.xml]. Works great when using weak ciphers in nginx. In
that case keycloak can connect back to the app after authentication
(redirect SSL). When using strong ciphers in nginx [2] is fails the ssl
handshake [4]. JCE seems enabled since the deployed app reports 2016-
04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max
allowed keylength = 2147483647
My question is: does keycloak use a limited set of ciphers? SNI works
fine according to the log. I was digging in the code, but could not
find something obvious [5]
Best regards, Jazz
[1] wildfly standalone-full.xml
<subsystem xmlns="urn:jboss:domain:undertow:3.0"> <buffer-cache name="default"/> <server name="default-server"> <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/> [... snip ...] <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8444}"/>
<socket-binding name="proxy-https" port="443"/>
[2] nginx ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-
RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-
SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-
ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
[4]
2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7,
setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe
renegotiation: false
2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy
hello messages: true
2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial
handshake: true
2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure
renegotiation: false
2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached
client session
2016-04-13 21:41:46,518 INFO [stdout] (default task-7) ***
ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO [stdout] (default task-7)
RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130,
99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12,
171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites:
[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression
Methods: { 0 }
2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension
signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension
server_name, server_name: [type=host_name (0),
value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7,
WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7,
READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7,
RECV TLSv1.2 ALERT: fatal, handshake_failure
2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7,
called closeSocket()
2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7,
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure
2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7,
called close()
2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7,
called closeInternal(true)
2016-04-13 21:41:46,539 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7)
failed to turn code into token: javax.net.ssl.SSLHandshakeException:
Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at
sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.ja
va:1375)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactor
y.java:543)
at
org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFac
tory.java:109)
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactor
y.java:409)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnectio
n(DefaultClientConnectionOperator.java:177)
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java
:144)
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooled
ConnAdapter.java:131)
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRe
questDirector.java:611)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultReque
stDirector.java:446)
at
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpCl
ient.java:882)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpCl
ient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpCl
ient.java:107)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpCl
ient.java:55)
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerReque
st.java:107)
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthReques
tAuthenticator.java:314)
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthReque
stAuthenticator.java:260)
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenti
cator.java:112)
at
org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloa
kAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(Ser
vletKeycloakAuthMech.java:92)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:233)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(
SecurityContextImpl.java:250)
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(
SecurityContextImpl.java:219)
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(Sec
urityContextImpl.java:121)
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityCo
ntextImpl.java:96)
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityCont
extImpl.java:89)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.
handleRequest(ServletAuthenticationCallHandler.java:55)
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCa
cheHandler.java:33)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHan
dler.java:43)
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleReq
uest(AuthenticationConstraintHandler.java:51)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequ
est(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintH
andler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.
handleRequest(ServletSecurityConstraintHandler.java:56)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleReq
uest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler
.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest
(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler
.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHan
dler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handl
eRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHan
dler.java:43)
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleReque
st(ServletPreAuthActionsHandler.java:69)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHan
dler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(S
ervletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(Serv
letInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletIn
itialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(Serv
letInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793
)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.ja
va:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.j
ava:617)
at java.lang.Thread.run(Thread.java:745)
[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adap
ter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
7 years, 10 months
custom user federation syncAllUsers
by Juan Diego
I was checking the example for federation-properties-example. In both
examples when you sync all users, it just checks for the users in the
properties file and adds it to keycloak if it doesnt exist.
If I want to do it both ways, so it adds users from keycloak to my
database, and users from my database to keycloak. Should I add them here?
I am not managing any password on my database, so i just need user id and
username and maybe email.
Also when I add a new user I can tell that syncronizeRegistrations() is
being called but it is null. In order to create a new user in my database,
should I call a create user function to my database here.
Thanks,
7 years, 12 months
Authorization code flow without a browser
by Aikeaguinea
As I understand it, using the authorization code flow rather than the
implicit flow is recommended where possible.
We have a server-side client application, but the user agents making
requests are not browsers, but instead our own code.
I'm not entirely sure how to make the authorization code flow work
without a browser. For instance, if on the command line I request
curl
'http://host:port/auth/realms/foo/protocol/openid-connect/auth?response_ty...'
Then (assuming the parameters are correct) I get back an HTML login page
with a form. In order to submit the credentials, I would need to dig the
URL out of the action of the form and then submit a request like
curl -X POST -d 'username=test-user' -d 'password=test1234'
'http://host:port/auth/realms/foo/login-actions/authenticate?code=Ctr79aRs...'
Three questions:
1. Is there some reason I shouldn't be trying to implement the
authorization code flow like this?
2. Is there a way to get the proper login action back without having to
dig it out of an HTML form? I've tried adding --header "Accept:
application/json" to the command but this has no effect.
3. Is there a way of submitting credentials other than by using form
parameters? I've tried HTTP basic auth but it doesn't work for me.
--
Aikeaguinea
aikeaguinea(a)xsmail.com
--
http://www.fastmail.com - Same, same, but different...
7 years, 12 months
Role Attributes
by Brian Watson
Hi all,
I know this may be a long shot, but is there any plan to support attributes
for roles? Use case: I am replacing a pre-existing home-grown auth system
with Keycloak. There is metadata associated with the existing roles that is
required by the services consuming the JWS. I have a very hacky plan to
support what I need via role descriptions, but having role attributes would
allow me to implement this need is a cleaner fashion.
Thoughts?
Thanks!
8 years
PRODUCTION support of Keycloak
by Richard Lavallee
Regarding Production use of Keycloak, does anyone have a list of who uses Keycloak in PRODUCTION?And is any third-party support available for it? Concern is if bug occurs in PROD how best to turnaround a fix for it.
-Richard
8 years
clients behind load balancer issues
by Rodrigo Gonzalez Asensio
All local environment
1 keycloak 1.7 & 1.9 listening on port 8080
2 tomcat 7 with java webapp using Keycloak filter (not the adapter)
1 nginx load balancing the 2 tomcats. Nginx config below
upstream jeremy {
server localhost:8082;
server localhost:8999;
}
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://jeremy/;
proxy_redirect off;
proxy_set_header Host $host;
}
}
My Keycloak client all defaults, 1 only valid redirect_uri.
As soon as I validate the login in keycloak it gets crazy with
ERR_TOO_MANY_REDIRECTS
The same thing happen in AWS having a ELB > tomcats or ELB > NGINX >
tomcats.
Anyone had a similar issue ?
8 years
(no subject)
by Luke Holmquist
I have a use case, that i think could be pretty common, but i'm not
entirely sure how to setup it up.
The following is a little bit of a thought dump, so pardon me if i ramble a
little bit.
There are i think 3 components involved here:
1. a pure HTML/JS web app
2. A node.js REST API server
3. Keycloak server
The app in this case, would not be served by the node server or the KC
server(wildfly), but with something like nginx(or even something like
'python simpleHTTPServer')
Basically the flow would be something like this[1]:
The web app, using the js adapter, authenticates against the KC server.
Now the web app would like to call the node API server(a restricted
endpoint) to get some data
The web app probably adds the token stuff that it got from KC during it;s
login to the request to the node server
***This next part is where i'm getting a little confused, i'm aware that
code to do this might not be written yet****
I'm thinking the node server takes the token from the web app request, and
would hit an endpoint on the KC server to make sure that token is valid.
If things go ok, then node server returns the data.
I've seen the recent post on doing token introspection and abstracj was
nice enough to make that into a gist,
https://gist.github.com/abstractj/4cd2231a472069d8b6f63b4008c74061
but this would also mean the web client access_type would need to be
confidential(which i don't think is secure for a web app) to make a service
account that the node server could use to do the token introspection.
I was thinking of maybe creating a client also for the node server, but is
it possible for 1 client to lookup/validate tokens from another client.
Perhaps i'm thinking about this all wrong too, which is very possible.
In this example there is only 1 node api server, but there could be
multiple node/go/rust/<insert cool kid tech here> servers too
Any guidance would be appreciated and sorry for the ramble
-Luke
[1]
https://docs.google.com/drawings/d/1BngijxAV2j0rjz18P0XcXeY9CClCg1mwQhROY...
8 years
