June 2016 - keycloak-user - Jboss List Archives

Listing all realm users programmatically

by Haim Vana

Hi, Is there a way to list all realm users programmatically via the API ? also is there a way to delete all of them ? I think I should use the below, however what should I insert in the search method for getting all the users ? keyCloakClient.realms().realm(realmName).users().search() Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

9 years, 6 months

4
4
0 / 0

How to restore session for UI to REST API

by Chris Pitman

Hey everyone, I'm running into an issue with an application that I've ported over to using Keycloak. I believe that the token issued by keycloak is expiring, which causes XMLHttpRequest's from my front end to be redirected to KeyCloak which then tries to redirect to Google (my identity provider). By the time it gets to google, there have been redirects across two different domains causing the browser to not set an origin header in the request to google, which then causes the browser to not process the response. What is the general way of handling a javascript ajax request when a token expires? Or to have a UI get a new token without requiring the entire ui to refresh to force the browser to redirect? For further background, here is my setup: I am using Google OpenID Connect as the identity provider. The application is protected with keycloak-proxy, which then passes requests on to the application. keycloak-proxy is the piece detecting the token is no longer valid and redirecting the ui to keycloak. Chris Pitman Architect, Red Hat Consulting

9 years, 6 months

3
5
0 / 0

reverse proxy support of Keycloak saml filter adapter

by ROMELOT Didier

Hi, we deploy applications that use keycloak SAML filter to handle SAML authentication. We face some trouble when configuring the app acting behind a reverse proxy. In that situation keycloak library raises an exception : WebBrowserSsoAuthenticationHandler ERROR Request URI does not match SAML request destination We try to fix it with configuration on reverse proxy but whithout success. Does anyone faced with such problem ? regards [http://collaboration2010.sharepoint.renault.fr/is/fsc/places/blog/Lists/P...] Didier ROMELOT DIA-AT - Technical Architecture API : FR EQV NOV 3 39 13, avenue Paul Langevin 92359 Le Plessis Robinson Cedex - FRANCE Tél. : +33 1 76 84 95 28 -- Disclaimer ------------------------------------ Ce message ainsi que les eventuelles pieces jointes constituent une correspondance privee et confidentielle a l'attention exclusive du destinataire designe ci-dessus. Si vous n'etes pas le destinataire du present message ou une personne susceptible de pouvoir le lui delivrer, il vous est signifie que toute divulgation, distribution ou copie de cette transmission est strictement interdite. Si vous avez recu ce message par erreur, nous vous remercions d'en informer l'expediteur par telephone ou de lui retourner le present message, puis d'effacer immediatement ce message de votre systeme. *** This e-mail and any attachments is a confidential correspondence intended only for use of the individual or entity named above. If you are not the intended recipient or the agent responsible for delivering the message to the intended recipient, you are hereby notified that any disclosure, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by phone or by replying this message, and then delete this message from your system.

9 years, 6 months

2
1
0 / 0

Email timeout error

by LEONARDO NUNES

Hi, i'm getting the error below when sending the verification email. An error page is shown, but I always receive the email. Most of the times it works fine, but sometimes it returns the error. Around 7 out of 10 times it works. I use the same SMTP host for other applications and I don't have this problem. For the Email configuration I only have Host and From configured. Is there a way to configure the timeout? 15:51:47,736 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-4) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156) at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73) at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:573) at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504) at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426) at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302) at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856) at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:849) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketTimeoutException: Read timed out at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:128) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177) ... 57 more Caused by: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketTimeoutException: Read timed out at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2351) at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2228) at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2027) at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1242) at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125) ... 59 more Caused by: java.net.SocketTimeoutException: Read timed out at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at java.net.SocketInputStream.read(SocketInputStream.java:170) at java.net.SocketInputStream.read(SocketInputStream.java:141) at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:124) at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) at java.io.BufferedInputStream.read(BufferedInputStream.java:265) at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:92) at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2331) ... 63 more -- Att, Leonardo Nunes Analista de Sistemas leo.nunes(a)gjccorp.com.br<mailto:leo.nunes@gjccorp.com.br> Skype: leonardo.puc +55 (62) 3250-1462 Grupo Jaime Câmara www.gjccorp.com.br<applewebdata://B0E38BB5-8499-4F51-929B-00F21C9F6683/www.gjccorp.com.br> ________________________________ Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

9 years, 6 months

3
4
0 / 0

Typo in Client Registration documentation

by Orestis Tsakiridis

All, it seems there is a typo in the Client Registration documentation lying at: http://keycloak.github.io/docs/userguide/keycloak-server/html/client-regi... Existing snippet: String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M...."; ClientRepresentation client = new ClientRepresentation(); client.setClientId(CLIENT_ID); ClientRegistration reg = ClientRegistration.create().url(" http://keycloak/auth/realms/myrealm/clients").build(); reg.auth(Auth.token(initialAccessToken)); client = reg.create(client); String registrationAccessToken = client.getRegistrationAccessToken(); Corrected snippet: String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M...."; ClientRepresentation client = new ClientRepresentation(); client.setClientId(CLIENT_ID); ClientRegistration reg = ClientRegistration.create().url(" http://keycloak/auth/realms/myrealm/*clients-registrations*").build(); reg.auth(Auth.token(initialAccessToken)); client = reg.create(client); String registrationAccessToken = client.getRegistrationAccessToken(); Please confirm and if valid, take care with that.

9 years, 6 months

2
1
0 / 0

Productized Keycloak now available from Red Hat

by Stian Thorgersen

For nearly 4 years ago Bill Burke and myself started two individual proof of concepts, both focusing on making it easier for developers to securing applications and services. Keycloak was born out of combining these two proof of concepts. There was barely any overlap and the two perfectly complemented each other. Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very exited about the future of the project. You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak. I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak! For more details on how to get support for Keycloak check out the product pages at: https://access.redhat.com/products/red-hat-single-sign-on Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!

9 years, 6 months

9
11
0 / 0

Keycloak single sign on with Keberos(AD)

by Zhou, Limin (Ray)

Hello everyone I am new to Keycloak and new to here Our web application is running on Jboss EAP 7, We have configured KeyCloak standalone server 1.9.7 running on different port(same server box) to manage the user authentication and authorization, behind KeyCloak we have configured Keberos in User Federation to talk our company AD server, we are able to login by using our AD account, but not in single sign on way, each time when we hitting the our app URL, the Keycloak login page will show up. It looks like the TGT or ST hand shake was not successful, is there any document I can reference it to debug the issue? Any comments or suggestion would be very welcome thanks in advance raymond ________________________________ Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450 If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>. This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. ________________________________ Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450 Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang...>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc...>. Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).

9 years, 6 months

2
1
0 / 0

Tomcat WebApp and MS AD

by Rodrigo Del Canto

Hello All, Can anyone tell me how to find a documentation on how to integrate Keycloak with MS Active Directory (if there is anything specific to Tomcat it will be very nice!). All the reference on google to documentation about LDAP or MSAD are broken. If I am going to be switching over to Keycloak I would like to use the latest stable release and its corresponding documentation. But I couldn't find any reference on http://www.keycloak.org/documentation.html Thanks a lot for your time!! Rod.

9 years, 7 months

2
1
0 / 0

Keycloak 2.0.0.CR1 Released

by Stian Thorgersen

We're finally back to adding new features. This release is just the beginning and we've planned loads of existing new features in the coming months. I'm really exited to introduce the authorization services we've just added. Through the authorization services you can centrally define and manage fine-grained permissions for your services. For more details check out the Authorization Services Guide <https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.0/>. There's a brand new website at www.keycloak.org. Finally we've also completely reworked and significantly improved our documentation <http://www.keycloak.org/documentation.html>. For the full list of resolved issues check out JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> and to download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. Before you upgrade refer to the migration guide <https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...>

9 years, 7 months

2
1
0 / 0

Need help: Configuring keycloak to work with IBM Websphere Application Server

by T, Suseendhiran (Nokia - IN/Bangalore)

Hello All, I am trying to configure Keycloak as openID connect provider and IBM Websphere Application Server as Relying Party. During authentication, keycloak sends the JWT. But IBM Websphere Application Server could not verify the token. Below Exception is thrown: com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception. at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:428) ...<skipping trace> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881) Caused by: com.ibm.ws.security.oidc.client.RelyingPartyException: Failed to validate id token, exception thrown during verify [key is invalid] at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:352) at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:411) ... 28 more Caused by: java.lang.IllegalStateException: key is invalid at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:45) at com.ibm.ws.security.openidconnect.token.JWT.getJsonTokenParser(JWT.java:1017) at com.ibm.ws.security.openidconnect.token.JWT.verify(JWT.java:881) at com.ibm.ws.security.openidconnect.token.IDToken.verify(IDToken.java:578) at com.ibm.ws.security.oidc.client.SessionData.setIdToken(SessionData.java:294) at com.ibm.ws.security.oidc.client.SessionData.update(SessionData.java:131) at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:343) ... 29 more Caused by: java.security.InvalidKeyException: No installed provider supports this key: (null) at java.security.Signature$Delegate.chooseProvider(Signature.java:1139) at java.security.Signature$Delegate.engineInitVerify(Signature.java:1172) at java.security.Signature.initVerify(Signature.java:462) at net.oauth.jsontoken.crypto.RsaSHA256Verifier.<init>(RsaSHA256Verifier.java:41) ... 35 more . Make sure that the setup is correct and that the user credentials are valid. [6/7/16 8:58:30:493 IST] 000002bb WebCollaborat A SECJ0056E: Authentication failed for reason CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception. ------------------------------------------------------------------------------------------------------------------------------------------- I have attached the Websphere log during authentication, Could someone help me analyse the issue? Versions used: Keycloak -1.9.4.Final IBM WebSphere Application Server Network Deployment - Version 8.5.5.8 Please let me know if any information needed. Regards, Suseendhiran T

9 years, 7 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2016