Token can't be decoded with base64
by Pavel Hora
Hi,
we are using Keycloak 1.7.0 Final, and for users with national characters in their last name (Očenášek) it is not possible to decode the generated token with base64. ...first name is Lukáš
import java.util.Base64;
import java.util.Base64.Decoder;
// src_bad holds the compact token "header.payload.signature"
String[] splited = src_bad.split("\\.");
String srcToEnc = splited[1]; // the payload segment
Decoder d = Base64.getDecoder();
d.decode(srcToEnc);
...Illegal base64 character
Any suggestion?
thx,
pH.
8 years, 8 months
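Added example, not code from the original post: JWT segments are base64url-encoded (RFC 7515), so the basic java.util.Base64 decoder fails as soon as the payload contains '-' or '_', and bytes above 0x7F (such as UTF-8 for "č" or "š") produce those characters readily while pure-ASCII claims almost never do. The claims JSON and the signature placeholder below are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtSegmentDecoder {

    // JWS segments are base64url without padding: '-' and '_' stand in for '+' and '/',
    // and the trailing '=' is dropped. Java's basic decoder rejects '-' and '_' with
    // "Illegal base64 character"; the URL-safe decoder accepts them and unpadded input.
    public static String decodeSegment(String segment) {
        byte[] raw = Base64.getUrlDecoder().decode(segment);
        // Claims are JSON in UTF-8; the platform default charset would mangle the
        // national characters in the names.
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Returns the claims JSON of a compact "header.payload.signature" token. This only
    // inspects the claims; nothing here verifies the signature, so do not trust them
    // before the adapter (or your own check) has done so.
    public static String decodePayload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        return decodeSegment(parts[1]);
    }

    // Encodes a segment the way a token issuer does (base64url, no padding).
    public static String encodeSegment(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed claims, not a real Keycloak token: "O\u010Den\u00E1\u0161ek" and
        // "Luk\u00E1\u0161" as Unicode escapes so the file compiles under any source
        // encoding. With ASCII-only bytes a 6-bit group can reach 62/63 only from '>',
        // '?' or '~'; here 'O' followed by the lead byte of "č" yields 63, i.e. '_'.
        String claims = "{\"family_name\":\"O\u010Den\u00E1\u0161ek\",\"given_name\":\"Luk\u00E1\u0161\"}";
        String payload = encodeSegment(claims);
        String token = encodeSegment("{\"alg\":\"RS256\"}") + "." + payload + ".placeholder-signature";
        try {
            Base64.getDecoder().decode(payload);
            System.out.println("basic decoder: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("basic decoder: " + e.getMessage());
        }
        System.out.println("url decoder:   " + decodePayload(token));
    }
}
```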
Login works sometimes, sometimes doesn't
by Jesse Chahal
Hi,
So it looks like the previous fix to the logout URL did the trick.

I've now run into a much harder-to-solve problem (and a harder one to describe). We are inconsistently able to log in to our client applications using Keycloak for authentication. Trying the same username+password has about an 80% chance of logging you in correctly. It has a 15% chance of logging you in correctly if a Keycloak node within a Keycloak cluster dies. I made up the percentages, but they're based on what we are observing. So a user is actually able to log in, in the sense of putting in a username+password and getting redirected to the client application; after that things may or may not go wrong. Oftentimes they will access the client application with the correct role and everything will work OK. Sometimes, though, if something goes wrong they will be redirected back to the client and will not be able to access the client correctly. The stack traces below usually show up in those cases. I think it might be related to the Keycloak cache + browser cache having weird issues, as the only way I've seen to resolve this issue is to destroy the session cache within Keycloak and get rid of the browser cache (the browser cache is more the fault of the client app, probably). Even with this it can take multiple attempts before a user regains the ability to go to the Keycloak admin page, and it still may or may not lead to a successful redirect to the client with a correctly authenticated account (the whole weird loop could start again with the stack traces below). I don't know if anyone has come into an issue like this. I was also hoping to find examples of client applications that have their own accounts which somehow get mapped to Keycloak accounts, but I haven't seen any.
Environment
------------------------
- keycloak 1.9.1.Final
- running using standalone-HA.xml
- using JGroups+JDBC_Ping
- postgres database
- on AWS
- some global roles (set on user accounts)
Client
------------
- running on Wildfly10
- using keycloak subsystem
- client protocol = openid-connect
- access type = confidential
- standard flow enabled
- client authenticator = client id and secret
Keycloak 1.9.1 server error
-------------------------------------------
2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890,
clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=b2744ba1-7f74-4849-8077-b17659af3095,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
some_wildfly_client, userId=null, ipAddress=123.456.789.0,
error=invalid_code, grant_type=authorization_code,
code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
client_auth_method=client-secret
Wildfly 10 client server error:
-----------------------------------------
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] failed to turn
code into token
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] status from
server: 400
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-13) [gwt_pc3q14cr_101 blah(a)example.com ]
{"error_description":"Code not found","error":"invalid_grant"}
8 years, 8 months
Connecting custom user federation provider to database
by Juan Diego
Hi,
What is the proper way to connect my user federation provider to my database?
I was reading something online about adding another DataSource to connectionsJpa, so I could add my app datasource. Does anybody have an example of how to do this?
Thanks
8 years, 8 months
Authenticator provider config properties
by Aikeaguinea
I've just implemented a new authenticator, following the instructions
here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.ht...
In my implementation of the authenticator factory, I have a
ProviderConfigProperty set up in a static block as is done in the
example. My impression was that the value of this property would be set
as a config option in the admin console. Right now I'm not seeing my
property in the admin console, but it's possible I'm not looking in the
right place. I was able to create a new flow and add my authenticator to
it as a new execution, but I don't see anywhere to add this
configuration property.
I'm not seeing any errors in the Keycloak console log, so I'm assuming
that I have things set up right. Any ideas?
--
http://www.fastmail.com - Faster than the air-speed velocity of an
unladen european swallow
8 years, 8 months
Authentication failure logs at ERROR level
by Aikeaguinea
I'm implementing a custom authenticator, and I'm noticing that whenever
I get an authentication failure I get a long exception in the log at
level ERROR as well as one at level WARN:
19:08:16,592 WARN [org.keycloak.events] (default task-7)
type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account,
userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials,
auth_method=openid-connect, auth_type=code,
redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect',
code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
19:08:16,593 ERROR [org.keycloak.services] (default task-7)
KC-SERVICES0013: failed authentication:
org.keycloak.authentication.AuthenticationFlowException
at
org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85)
at
org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353)
at
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335)
at
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380)
...many more lines
This seems open to a DoS vulnerability that would fill up logs by
bombing the system with failed login attempts. In addition, logging the
failure at ERROR means that the only way to keep the second log entry
from showing up is to turn off all logging for org.keycloak.services.
In my ideal world, we could set Keycloak so that login failures were
simply recorded as events but don't show up in the server log at all. Is
there a way to do that?
--
http://www.fastmail.com - A fast, anti-spam email service.
8 years, 8 months
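Added example, not Keycloak code and not from the poster: the WARN event line quoted above is enough to spot the flood of failed logins the post worries about, independently of the ERROR entry. This parser reads that org.keycloak.events line format and counts invalid_user_credentials failures per source IP; the sample lines (apart from the one quoted above), the second IP and the threshold are constructed.

```java
import java.util.*;
import java.util.regex.*;

public class LoginErrorCounter {

    // Everything after the "(default task-N)" thread marker is the key=value list.
    private static final Pattern EVENT_LINE =
            Pattern.compile("WARN\\s+\\[org\\.keycloak\\.events\\]\\s+\\([^)]*\\)\\s+(.*)");
    // A value is either single-quoted (redirect_uri) or runs up to the next comma.
    private static final Pattern FIELD = Pattern.compile("(\\w+)=(?:'([^']*)'|([^,]*))");

    // Parses one event line into its fields; returns null for any other line.
    public static Map<String, String> parseEvent(String line) {
        Matcher m = EVENT_LINE.matcher(line);
        if (!m.find()) return null;
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher f = FIELD.matcher(m.group(1));
        while (f.find()) {
            fields.put(f.group(1), f.group(2) != null ? f.group(2) : f.group(3).trim());
        }
        return fields;
    }

    // Counts failed password logins (LOGIN_ERROR with invalid_user_credentials) per source IP.
    public static Map<String, Integer> failuresByIp(List<String> lines) {
        Map<String, Integer> counts = new HashMap<>();
        for (String line : lines) {
            Map<String, String> ev = parseEvent(line);
            if (ev == null || !"LOGIN_ERROR".equals(ev.get("type"))
                    || !"invalid_user_credentials".equals(ev.get("error"))) continue;
            counts.merge(ev.getOrDefault("ipAddress", "unknown"), 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the format of the WARN entry quoted above; the
        // 10.0.0.5 entries and the successful LOGIN line are made up to show filtering.
        List<String> lines = List.of(
            "19:08:16,592 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19",
            "19:08:17,001 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=10.0.0.5, error=invalid_user_credentials, auth_method=openid-connect",
            "19:08:17,250 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=10.0.0.5, error=invalid_user_credentials, auth_method=openid-connect",
            "19:08:18,300 WARN [org.keycloak.events] (default task-7) type=LOGIN, realmId=CustomAuthTest, clientId=account, userId=constructed-user-id, ipAddress=127.0.0.1, auth_method=openid-connect");
        int threshold = 2; // failures per source before alerting or rate limiting at the proxy
        failuresByIp(lines).forEach((ip, n) ->
            System.out.println(ip + ": " + n + (n >= threshold ? "  <-- over threshold" : "")));
    }
}
```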
Default clients for a new realm
by Aikeaguinea
When I create a new realm, I see that the following clients are
automatically created in that realm:
account
admin-cl
broker
realm-management
security-admin-console
It's hard for me to tell whether or not to delete these clients without
knowing what they're for, and I haven't successfully found documentation
on the subject. Might someone explain what these are about?
--
http://www.fastmail.com - Accessible with your email software
or over the web
8 years, 8 months
Re: [keycloak-user] Guidelines for protecting Keycloak Endpoints
by Aikeaguinea
+1 for being able to disable exposing admin links to the outside world.
On Tue, Mar 24, 2016, at 6:48 AM, Thomas Darimont wrote:
> Hello group,
>
> I'm about to configure our Web Application Firewall for Keycloak where
> I want to implement
> the following scenario:
>
> CLIENT_ENDPOINTS:
> All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as
> well as the account and
> login/totp/registration/forgot password pages should be accessible
> from the public internet.
>
> ADMIN_ENDPOINTS:
> Admin endpoints like the Admin Console, Admin REST API etc. should
> only be accessible
> from the internal network.
>
> Are there any guidelines for which URL pattern applies to which
> category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
>
> To me, it seems that:
> - "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
> - "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
> Have I missed anything else?
>
> Btw. it turns out that some endpoints (unnecessarily) expose internal
> links like:
> "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
>
> {
> realm: "my-realm",
> public_key: "...",
> token-service: "
> http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
> account-service: "http://localhost:8080/auth/realms/my-realm/account",
> admin-api: "http://localhost:8080/auth/admin",
> tokens-not-before: 0
> }
>
> Can this be disabled?
>
> Cheers,
> Thomas
>
--
http://www.fastmail.com - Faster than the air-speed velocity of an
unladen european swallow
8 years, 8 months
Rest api execute-actions-email does not redirect
by Dirk Franssen
Hi all,
I have created a user via the REST api with userActions RESET_PASSWORD and
VERIFY_EMAIL. Subsequently I use the endpoint 'execute-actions-email' with
the query-params 'client_id' and 'redirect_uri' for the action
RESET_PASSWORD and VERIFY_EMAIL. The email is sent to the user, but it
seems it does not take the query params into account. If the user sets his
password via the link in the email, the page "Your account has been
updated" is displayed without a redirect or a link to go to the
application.
Am I missing something?
Kind regards,
Dirk
8 years, 8 months
Uniqueness of user properties
by Guus der Kinderen
Hello,
Keycloak uses a UUID value to identify a user. Basic questions: through
some form of configuration,
- Can more than two users exist that have an identical username?
- Can more than two users exist that have an identical email address?
Regards,
Guus
8 years, 8 months