Offline tokens with external IDP
by Haim Vana
Hi,
We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token:
1. The user log in to the UI
2. Generates offline token by entering his password again
3. Put the offline token in his script
4. Executes the script
Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ?
Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ?
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
6 years, 9 months
User impersonation - JWT
by Harry Trinta
Dears,
I need a help with user impersonation on keycloak.
I am authenticating users through the
"/realms/test/protocol/openid-connect/token". As expected, it returns a
token JWT.
In my app, all requests go through apiman, which validates the JWT.
Now, I need to personification of user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on keycloak, however
doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified
user instead of cookie.* It's possible?
Best regards
Harry Costa
6 years, 9 months
Support for transactional email providers like SendGrid, Mailgun or Mandrill
by Vineet Reynolds
Hi everybody,
Has anyone managed to configure Keycloak 2.0.0.Final to use a
transactional email API instead of configuring an SMTP server? I would
prefer to have Keycloak send emails using a rest API like Sendgrid,
Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running
an SMTP server.
I'd also appreciate if this is possible through the SPI providers.
* Should I implement both EmailSenderProvider and EmailTemplateProvider
SPIs ?
* I cannot get my custom EmailSenderProvider SPI implementation to work,
as the FreemarkerEmailTemplateProvider implementation fails to obtain the
implementation of the EmailSenderProvider. Stack trace is below
13:17:53,991 ERROR
[org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default
task-39) Failed to send verification email:
org.keycloak.email.EmailException: Failed to template email
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
at
org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
at
org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
at
org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559)
at
org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490)
at
org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412)
at
org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
at
org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
at
org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
... 57 more
Thanks,
Vineet
7 years, 6 months
JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
7 years, 8 months
External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis
7 years, 10 months
Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
by Guy Bowdler
hi all,
We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy
which farms out requests to internal applications. This should allow us
to maintain a single namespace for all applications (<hostname>/appname
redirects to appname.local) and gives authenticated visibility of who's
accessing what at the front end proxy.
DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various
applications]
---> TRUST: [Various
applications]
Keycloak runs on its own server and is published via an NGINX proxy in
the DMZ
DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
So clients hit the KeyCloak security Proxy, are redirected to KeyCloak
and then after logging in, we get an "invalid Redirect URI" error from
Keycloak. We've found that for some reason, the redirect URL from
KeyCloak is appending the :8080 port value from the KeyCloak Security
proxy (verified as if we change this port number, the value changes in
the redirect URL). It's like KeyCloak is redirecting back to the
NGINX:8080 proxy direct rather than back to the KeyCloak security proxy,
which is what we were expecting. This is possibly by design, or
possibly a bug, or possibly a side effect of our configuration.
Has anyone tried using the KeyCloak security proxy in this manner? It's
clear that the intended use is as a single instance adapter for a single
local application, whereas our application happens to be an nginx proxy
redirecting to different applications using location directives.
8 years
Allow google login without reauthentication
by Harits Elfahmi
Hello,
Currently we use google login using the identity provider in keycloak. The
first broker login states that we must verify existing account and then
reauthenticate using user password form. Is it possible to use the already
available executions/flows and skip the reauthentication part?
So if the google email already exist in a keycloak account, we allow them
to login without the form.
Or must we create a custom execution? Is it possible using custom execution?
Thanks
--
Cheers,
*Harits* Elfahmi
8 years, 2 months
Getting 401 if trying to access app via loadbalancer
by KASALA Štefan
Hello,
we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against hostname in http request. Is there some possibility to register aliases with the keycloak to enable calls via load balancer? Thanks.
Stefan Kasala
________________________________
Táto správa je určená iba pre uvedeného príjemcu a môže obsahovať dôverné alebo interné informácie. Ak ste ju omylom obdržali, upovedomte o tom prosím odosielateľa a vymažte ju. Akýkoľvek iný spôsob použitia tohto e-mailu je zakázaný.
This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
8 years, 2 months
