May 2016 - keycloak-user - Jboss List Archives

Update roles at login time between 2 realms

by Thibault Vernadat

Hello, What I am trying to achieve is the following : I have two realms with one client each. Let's call them realm A and realm B. Users from realm B can access my application of realm A, because I added realm B as a keycloak openid connect identity provider in realm A. First time a user from real B access my realm A client, this creates a user in realm A for this client, and I map some roles for this client. So far so good. My issue now is : let's say my client initially had a role R in realm B, and at first login this role was mapped for this user in realm A, if the realm B admin remove role R from this user, I want this role to be removed as well in realm A. Or added if a new role that should be mapped was added. Is there a way to update roles next time this user try to authenticate in the realm A app ? Or should I use another mechanism to keep my roles consistent between my realms ? Thanks a lot in advance for your help.

7 years, 11 months

2
2
0 / 0

Integrate Keycloak 1.9.4 with Openshift Origin

by Charles Moulliard

Hi, According to Openshift Doc ( https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authent...) and this blog article ( http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html), we can integrate Keycloak as IdentiyProvider with Openshift. So, I have configured the master-config.yaml to use Keycloak 1.9.4.Final as Identity Provider. See hereafter the config oauthConfig: > > alwaysShowProviderSelection: false > > assetPublicURL: https://192.168.99.100:8443/console/ > > grantConfig: > > method: auto > > identityProviders: > > - challenge: true > > login: true > > name: keycloak > > provider: > > apiVersion: v1 > > kind: OpenIDIdentityProvider > > ca: keycloak-ca.cert > > clientID: openshift > > clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5 > > claims: > > id: > > - sub > > preferredUsername: > > - preferred_username > > name: > > - name > > email: > > - email > > urls: > > authorize: >> https://192.168.1.80:8443/auth/realms/openshift/tokens/login > > token: >> https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes > > But, when I try to log on to the Openshift console, I'm redirected to Keycloak Server which returns this Error 404 --> GET https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=op... 404 (Not Found) According to this thread ( http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-ope... ), the urls to be used are these authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/t... FYI, I can get a token --> curl -k -s -X POST > https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/t... -H > "Content-Type: application/x-www-form-urlencoded" -d 'username=test-user' > -d 'password=password' -d 'grant_type=password' -d 'client_id=openshift' -d > 'client_secret=fbde8b27-3342-4494-b3a3-7db645e9dfe5' | jq -r '.access_token' > eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1ODExNGExZi1mMTQwLTQwYTctODAwOS1hNGU2 Can you confirm that the correct urls to be used are ? authorize: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth token: https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/t... Regards, Charles

7 years, 11 months

2
2
0 / 0

Last Login Time of User

by Lohitha Chiranjeewa

Hi, Is there a way to retrieve the last login time of a given user? I checked the Admin Console, Rest specification and the mysql DB structure but couldn't find a place where that bit of information could be stored and retrieved from. Have I missed a place or is that feature not available (yet)? Regards, Lohitha.

7 years, 11 months

3
5
0 / 0

Spring Security Adapter - Custom Parameter to KeyCloak

by Frank Herrmann

Hello, Our app is using openid-conntect and the Spring Security Adapter to authenticate to a KeyCloak IDP. The KeyCloak server has custom AuthenticatorFactory and UserFederationProviderFactory. We have also customized some of the KeyCloak/Spring code on the app. At this point, I need a custom query parameter included with the redirect call to KeyCloak. I cannot find in the KeyCloak/Spring Security Adapter code any way to set an additional query parameter. Is there a way to set an additional parameter, or another way to pass a custom map of information to KeyCloak as part of the redirect? For now I am using the "login_hint" parameter to pass additional information. I was just wondering if there is a better way. Thanks, -Frank -- FRANK HERRMANN SOFTWARE ENGINEER T: 561-880-2998 x1563 E: frank.herrmann(a)modmed.com [image: [ Modernizing Medicine ]] <http://www.modmed.com/> [image: [ Facebook ]] <http://www.facebook.com/modernizingmedicine> [image: [ LinkedIn ]] <http://www.linkedin.com/company/modernizing-medicine/> [image: [ YouTube ]] <http://www.youtube.com/user/modernizingmedicine> [image: [ Twitter ]] <https://twitter.com/modmed_EMA> [image: [ Blog ]] <http://www.modmed.com/BlogBeyondEMR> [image: [ Instagram ]] <http://instagram.com/modernizing_medicine>

7 years, 11 months

2
1
0 / 0

Tempates - login.ftl - How is login.username being set?

by Frank Herrmann

In the template, login.ftl, the parameter login.username is begin used to fill back in the username field after a failed login. In our custom template, I have additional fields I wound not want a user to have to refill after a failed login. Some of these fields are pre-populated via the form authenticator with context.form().setAttribute, which works fine. However, on a failed login, the login page changes and this context is lost. Is it possible to set additional fields to save their data during failed login? Thanks, -Frank -- FRANK HERRMANN SOFTWARE ENGINEER T: 561-880-2998 x1563 E: frank.herrmann(a)modmed.com [image: [ Modernizing Medicine ]] <http://www.modmed.com/> [image: [ Facebook ]] <http://www.facebook.com/modernizingmedicine> [image: [ LinkedIn ]] <http://www.linkedin.com/company/modernizing-medicine/> [image: [ YouTube ]] <http://www.youtube.com/user/modernizingmedicine> [image: [ Twitter ]] <https://twitter.com/modmed_EMA> [image: [ Blog ]] <http://www.modmed.com/BlogBeyondEMR> [image: [ Instagram ]] <http://instagram.com/modernizing_medicine>

7 years, 11 months

1
1
0 / 0

Version 2.0.0.CR1

by LEONARDO NUNES

Hi, when version 2.0.0.CR1 will be released? -- Leonardo ________________________________ Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

7 years, 11 months

2
1
0 / 0

Downloads archive ordering

by Guus der Kinderen

If reversing the order on the download archive page ( http://keycloak.jboss.org/downloads-archive.html) is a trivial task, I'd be happy to see that occur. Most users are interested in the most recently released stuff. For brownie points: add a link to the changelog? Regards, Guus

7 years, 11 months

2
1
0 / 0

Email format

by Bruno Palermo

Hi, How can I choose between text and html for the e-mail messages? Also is possible to include some custom fields on the template, such as user first name? Thanks, Bruno

7 years, 11 months

2
1
0 / 0

Captive Portal with Keycloak for Wireless Routers

by Daniel Fuchs

Hi, I’m starting to read about Keycloak and it’s functionalities and I’m wondering how can we make it act as the Captive Portal for our Wireless Network? Since the users will have different services with a customer, Keycloak seems perfect because we can authenticate multiple applications with multiple identity providers aside of having internal registered customers, but one of these services will be the network access. Maybe Keycloak can become a central point in my architecture. Thanks in advance, Daniel

7 years, 11 months

2
1
0 / 0

Keycloak for Client services behind loadbalancers

by Subhrajyoti Moitra

Hello, I have a client application, that will be using Keycloak for authentication and authorization. There are 2 instances of this application running on (lets say) service1 and service2. These 2 service instance are behind the load balancer. The load balancer has sticky sessions on. Now a user browses to the loadbalancer url, which in turn serves the service instances, service1 or service2. Now when the service instance pages are using keycloak.js to verify the login, I dont get the loadbalancer URL as the redirect url value, rather the redirect url is of the actual service instance URL on which the service is hosted. How do i use Keycloak for loadbalanced services? Is there some specific setting, or setup of the server? Please help and guide, Thanks and cheers, Subhro.

7 years, 11 months

2
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2016