Server to Server communication with Spring
by Christoph Guse
Hi everybody,
I'm quite new to Keycloak and currently I'm creating some POCs to test
if Keycloak works properly with my Spring Boot applications. It does
quite well so far, thanks a lot for your work!
At the moment I'd like to create a POC which simulates the secured
server-to-server communication. One server provides an API secured by
spring-security and Keycloak, the other server needs to consume the
secured API using a technical user. I searched the web and the
documentation and found this blog entry:
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
and I think I understood it so far.
Is there already some code implemented to automate "Obtain Token and
Invoke Service" somehow? I would like to use the KeycloakRestTemplate,
give the credentials (maybe as username/password) and I'm ready to go.
I had a running example, but in this example the user needed to
authenticate him-/herself via the Keycloak redirect, but in my use case
only servers communicate and there is no user who gives the credentials.
Any help is highly appreciated,
Christoph
--
This message was sent from my Android phone with K-9 Mail.
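The two steps Christoph refers to ("Obtain Token" and "Invoke Service") written out as an added Spring RestTemplate client; this is example code, not code from the original post or from the Keycloak project, and the realm, client id, technical user and URLs in it are assumed placeholders.

```java
// Added example, not code from the original post or from Keycloak itself. The token
// endpoint URL, client id/secret and technical-user credentials are assumed placeholders.
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

public class TechnicalUserClient {
    private final RestTemplate rest = new RestTemplate();
    private final String tokenUrl;     // e.g. http://localhost:8080/auth/realms/test/protocol/openid-connect/token
    private final String clientId;
    private final String clientSecret; // null for a public client

    public TechnicalUserClient(String tokenUrl, String clientId, String clientSecret) {
        this.tokenUrl = tokenUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    // Step 1, "obtain token": a direct (Resource Owner Password) grant for the technical
    // user, so no browser redirect is involved. Keycloak also offers grant_type=client_credentials
    // for a confidential client with service accounts enabled, which avoids storing a user password.
    public String obtainAccessToken(String username, String password) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("client_id", clientId);
        if (clientSecret != null) form.add("client_secret", clientSecret);
        form.add("username", username);
        form.add("password", password);
        @SuppressWarnings("unchecked")
        Map<String, Object> body = rest.postForObject(tokenUrl, new HttpEntity<>(form, headers), Map.class);
        // "expires_in" in the same response tells the caller how long the token may be cached.
        return (String) body.get("access_token");
    }

    // Step 2, "invoke service": present the token as a Bearer credential to the secured API.
    public String invoke(String apiUrl, String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + accessToken);
        return rest.exchange(apiUrl, HttpMethod.GET, new HttpEntity<>(headers), String.class).getBody();
    }
}
```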
8 years, 8 months
silent ssl error in debug level
by Jukka Sirviö
Hello,
Does anybody have any clue what could be causing this "silent exception" in the SP's log when DEBUG level logging is used? The IOException is written to the log all the time. Nevertheless, SAML authentication is working ok / normally. Using SSL (https) public addresses both with the IDP and the SP, along with signed & encrypted SAML assertions. The public certificates are good and ok!
2016-04-19 13:25:26,441 DEBUG [io.undertow.request.io] (default I/O-8) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
at io.undertow.protocols.ssl.SslConduit.terminateReads(SslConduit.java:178)
at org.xnio.conduits.ConduitStreamSourceChannel.close(ConduitStreamSourceChannel.java:168)
at org.xnio.IoUtils.safeClose(IoUtils.java:134)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.forceTermination(ReadReadyHandler.java:58)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.forceTermination(SslConduit.java:1091)
at org.xnio.nio.NioSocketConduit.forceTermination(NioSocketConduit.java:105)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:492)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
... 7 more
8 years, 8 months
Admin client
by Bruno Palermo
Hi,
I'm trying to implement a REST API for some basic user actions, like change password, and would like to know if there's any way to validate the current user password before resetting his password using the provided Java API.
Thanks,
Bruno
8 years, 8 months
FAILED TO TURN CODE INTO TOKEN
by Paa Kojo Konduah Amos
Hello, any leads on how to resolve this? It is happening only when you
try to access the application from a public IP.
NOTE:
- Everything works as expected within the LAN.
- I have not obtained a CERTIFICATE yet; I am still using the
self-generated one.
- I have set "disable-trust-manager":true
ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2)
failed to turn code into token: java.net.ConnectException: Connection timed
out.
8 years, 8 months
Adding libraries from my provider
by Juan Diego
Is there a recommended way to add a custom library to a provider, or should
I just add it as a module in my WildFly?
Thanks
8 years, 8 months
Re: [keycloak-user] Configure Self User Registration at Client Level
by Thomas Raehalme
+1 for the possibility to restrict users' access to specific clients. Then
you would not need to implement this common usecase in every client
separately.
Best regards,
Thomas
On Apr 25, 2016 11:42 AM, "Stian Thorgersen" <sthorger(a)redhat.com> wrote:
This may actually be a valid use-case. Consider a setup where you have:
* Two applications - one that supports self-registration (let's call it
public-app) the other that only admins can give access to (let's call it
internal-app)
* Registration enabled - default roles only give access to the public-app,
but no roles for internal-app
In the way it currently works the registration link is shown when a user
comes from either app. However, the problem is that if a user visits
internal-app and clicks on register the user won't actually be able to
access the application afterwards.
We could add an option that hides the registration link for certain
applications. In the example above if a user tries to go to "public-app" to
later register for "internal-app" the user won't be able to access the app.
There may even be a case for a further option that allows marking what
clients a user is allowed to access. If a user tries to login to a client
that the user doesn't have access to Keycloak could block the login.
On 22 April 2016 at 23:15, Bill Burke <bburke(a)redhat.com> wrote:
> What's stopping somebody from visiting a client that allows registration,
> registering, then visiting the client that doesn't allow registration?
>
> This is not something we support
>
>
> On 4/22/2016 4:57 PM, Everson, David (MNIT) wrote:
>
> Hi,
>
> We have several clients within a single realm. Some of these clients
> allow for self user registration, others do not.
>
> The self user registration is enabled at the realm level. Is there a way
> to override the realm setting at a client level?
>
> What are your recommendations for implementing these requirements?
>
> Using Keycloak 1.8.0.Final.
>
> Thanks,
>
> Dave
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 8 months
Configure Self User Registration at Client Level
by Everson, David (MNIT)
Hi,
We have several clients within a single realm. Some of these clients allow for self user registration, others do not.
The self user registration is enabled at the realm level. Is there a way to override the realm setting at a client level?
What are your recommendations for implementing these requirements?
Using Keycloak 1.8.0.Final.
Thanks,
Dave
Dave Everson | Division of Environmental Health
MN.IT Services @ Minnesota Department of Health
651-201-5146 (w) | david.everson(a)state.mn.us
Information Technology for Minnesota Government | mn.gov/oet <http://www.mn.gov/oet>
8 years, 8 months
Keycloak Interoperability
by Uli SE
Hi,
as I understood it, Keycloak is based on OpenID Connect with some
extensions. Is there any documentation on what these extensions are? Could I run
Keycloak-secured applications against other identity servers (like WSO2)?
Many thanks,
Uli
8 years, 8 months
User attribute update issue when using identity provider
by Xiao Ma
Hi,
I have a custom user attribute (telephone number) for the users in my
identity provider. When this user attribute for a given user is updated in
my identity provider, the corresponding user attribute for that user in
the keycloak database doesn't update automatically.
I have to delete the user from the keycloak database and force a user
recreation in the next new user login (using the First Broker Login
Authentication Flow), then my updated custom attribute will show up. Is
there a way to update the user attribute automatically without a user
recreation?
Thanks a lot,
Xiao
8 years, 8 months
Fwd: Keycloak login/logout on Android
by Emanuel Couto
Didn't send to all.
---------- Forwarded message ---------
From: Emanuel Couto <emanuel.amaral.couto(a)gmail.com>
Date: Fri, Apr 22, 2016 at 3:12 PM
Subject: Re: [keycloak-user] Keycloak login/logout on Android
To: Summers Pittman <supittma(a)redhat.com>
Hello.
I managed to get logout working with another client:
https://github.com/openid/AppAuth-Android
---
It is easy to get the demo working with Keycloak. In the Keycloak admin page:
1. Create a Realm (e.g., "test")
2. Create a Client with redirect URI (e.g., "com.mypackage:/oauth2Callback")
In the demo application, update the "idp_configs.xml" file:
1. Update the value of "google_client_id" (e.g., "test-third-party")
2. Update redirect scheme (e.g., "com.mypackage")
3. Update the "google_auth_redirect_uri" (e.g., "com.mypackage:/oauth2Callback")
Finally update the "idp_configs_optional.xml":
1. Update "google_discovery_url" (e.g., http://localhost:8080/auth/realms/test/.well-known/openid-configuration)
---
The tricky part is adding logout, since it's not part of Open ID Connect
yet.
What I did was use the same mechanism appauth-android uses for
authentication. Instead of using a webview this client uses custom tabs or
a new browser session. The code is not designed to support other "browser
requests" other than authentication so a lot of copy/pasting was required.
Anyway it should give an idea how to make it work.
On Wed, Apr 20, 2016 at 11:17 PM Emanuel Couto <
emanuel.amaral.couto(a)gmail.com> wrote:
> Ok, this is what I have so far. I confirmed that deleteAccount isn't
> enough. By deleting the account and attempting to connect again, the login
> webview shows up but disappears right afterwards. I suspect the Android
> application knows that you are still logged in because the webview stores
> cookies somehow.
>
> If I call GET <logout_url> with an HTTP client, nothing happens. The
> keycloak administration page shows that I'm still logged in. I believe
> logout would only work if everything was being executed in the same HTTP
> client instance.
>
> I'm trying another client that seems to give more control over current
> status. Hopefully logout will work.
>
> Thanks.
>
> On Wed, Apr 20, 2016 at 1:51 PM Summers Pittman <supittma(a)redhat.com>
> wrote:
>
>> On Wed, Apr 20, 2016 at 5:20 AM, Emanuel Couto <
>> emanuel.amaral.couto(a)gmail.com> wrote:
>>
>>> Does that mean I should send the bearer token if I want to logout a
>>> specific user? If that's it how do I do it?
>>>
>>
>> OAuth2 (which is what the AG Authz lib implements) doesn't specify a
>> logoff procedure so it isn't supported directly in the library.
>>
>> Your best out of the box option is to delete the account using the deleteAccount
>> method on your module. This will remove the local access to the account
>> and eventually your tokens will expire on the server.
>>
>> As a note : delete account does NOT guarantee to delete session cookies
>> for the third party sign in. IE if you use Chrome to sign into your google
>> account to sign into keycloak, delete your account, and then log in again
>> you will not be prompted for your google credentials because that sign in
>> is part of Chrome's session and not the app's.
>>
>>
>>>
>>> The customer and products demos are here:
>>>
>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
>>>
>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/p...
>>>
>>> In the documentation page there is a 3 part tutorial (The Basics)
>>> explaining how to install these apps:
>>> http://keycloak.jboss.org/docs
>>>
>>> Everything is web based.
>>>
>>> Thanks.
>>>
>>> On Tue, Apr 19, 2016 at 6:31 PM Summers Pittman <supittma(a)redhat.com>
>>> wrote:
>>>
>>>> On Tue, Apr 19, 2016 at 1:01 PM, Emanuel Couto <
>>>> emanuel.amaral.couto(a)gmail.com> wrote:
>>>>
>>>>> Hello.
>>>>>
>>>>> I'm trying to login and logout to KeyCloak through an Android
>>>>> application. So far I was able to login using AeroGear Authz. What happens
>>>>> is that a web view is created every time login is required. However I don't
>>>>> understand how logout works. In the documentation it states that you should
>>>>> point to 'auth/realms/.../logout'. How does it figure out which client am
>>>>> I? Through a session or maybe cookies?
>>>>>
>>>>
>>>> It has been a while since I looked at the code, but IIRC AeroGear authz
>>>> stores the bearer token that has been exchanged with the webview.
>>>>
>>>>
>>>>
>>>>> The other question is how would customer-portal and product-portal be
>>>>> implemented in android, theoretically?
>>>>>
>>>> I'm not familiar with those, could you link me?
>>>>
8 years, 8 months