Validate Implicit token
by Mohan.Radhakrishnan@cognizant.com
Hi,
I have the standalone keycloak server issuing tokens. Client is going to be JavaScript. I enabled 'implicit' and issued
http://localhost:8080/auth/realms/MyRealm/protocol/openid-connect/auth?re... MyRealm &client_id= MyRealm &scope=user
I get the id_token. I am used to getting the 'access token' in other IdPs. Are they the same in Keycloak?
How do I verify the token inside my Tomcat?
In other installations we run the IDP separately. So I am doing the same with Keycloak.
Thanks,
Mohan
This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
8 years, 4 months
Keycloak support for T&C?
by Richard Lavallee
Does Keycloak support new Keycloak user login general acceptance of Terms & Conditions?
Use Case: New user logs in to Keycloak and is presented with Terms & Conditions to accept or reject. Accepting permits user access to any Keycloak client for the Realm. Rejecting prevents user login from proceeding into any Realm client at all.
-Richard
8 years, 4 months
Initiation of Registration form instead of Login form from OIDC client Java adapter
by Vlastimil Elias
Hi,
we use the OIDC client Java adapter to authenticate our Java app deployed in EAP 6 with Keycloak. Now we have a requirement to show Keycloak's Registration form instead of the Login form.
Is this somehow possible with the Java client adapter (as it is with the JavaScript adapter)? I was not able to find this feature in the documentation.
Ideally the client Java app would be able to dynamically request which form to show, but a hard-coded configuration that always points to the registration form may work as well.
Thanks a lot in advance for your help
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
Red Hat Developer | Engineering
8 years, 5 months
Re: [keycloak-user] Implicit Flow
by Mohan.Radhakrishnan@cognizant.com
Didn't check the newer version. Got that working. Sorry to send without checking.
Mohan
From: Radhakrishnan, Mohan (Cognizant)
Sent: Tuesday, July 26, 2016 3:59 PM
To: keycloak-user(a)lists.jboss.org
Subject: Implicit Flow
Hi,
I get a 'code' using this URL. How do I use the implicit flow and get the access token for my ReactJS client? Is there documentation for this?
curl 'http://localhost:8080/auth/realms/master/protocol/openid-connect/auth?res...'
Thanks,
Mohan
8 years, 5 months
Keycloak Admin Client Jar - 1.9.8/ 2.0.0 are not working properly
by Jitendra Chouhan
I am using the keycloak-admin-client jar for provisioning users in a Keycloak server instance, but I am facing an issue when using a keycloak-admin-client version higher than 1.8.0.Final. Please find detailed information about the issue and the configuration used to provision the user below:
1) keycloak-server version: 1.9.8.Final or 2.0.0.Final
2) keycloak-admin-client version: 1.9.8.Final or 2.0.0.Final
Sample Code Snippet:
package com.samba.security.keycloak;

import static java.util.Arrays.asList;

import javax.ws.rs.core.Response;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class KeycloakAdminClientExample {
    public static void main(String[] args) {
        // Admin client: authenticates against the master realm with the built-in admin-cli client
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("master")
                .username("admin")
                .password("admin")
                .clientId("admin-cli")
                // .clientId("security-admin-console")
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
                .build();

        // 1. User: a permanent (non-temporary) password credential
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("test123");
        credential.setTemporary(false);

        UserRepresentation user = new UserRepresentation();
        user.setUsername("testuser");
        user.setFirstName("Test");
        user.setLastName("User");
        user.setCredentials(asList(credential));
        user.setEnabled(true);
        user.setRealmRoles(asList("admin"));

        // create a user in the target realm (201 = created, 409 = username already taken)
        // Response result = kc.realm("master").users().create(user);
        Response result = kc.realm("demo").users().create(user);
        if (result.getStatus() != 201) {
            if (result.getStatus() == 409) {
                System.err.println("Couldn't create user since user already exist.");
                System.exit(0);
            }
            System.err.println("Couldn't create user.");
            System.exit(0);
        }
        System.out.println("test user created.... verify in keycloak!");
    }
}
Error stack trace::
Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), not marked as ignorable
 at [Source: org.apache.http.conn.EofSensorInputStream@6f3c660a; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:140)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:58)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:85)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:65)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:60)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:384)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
    at com.sun.proxy.$Proxy27.create(Unknown Source)
    at com.samba.security.keycloak.KeycloakAdminClientExample.main(KeycloakAdminClientExample.java:79)
Caused by: javax.ws.rs.ProcessingException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), not marked as ignorable
 at [Source: org.apache.http.conn.EofSensorInputStream@6f3c660a; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:282)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:181)
    at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:211)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:104)
    ... 13 more
Caused by: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), not marked as ignorable
 at [Source: org.apache.http.conn.EofSensorInputStream@6f3c660a; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
    at org.codehaus.jackson.map.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:53)
    at org.codehaus.jackson.map.deser.StdDeserializationContext.unknownFieldException(StdDeserializationContext.java:267)
    at org.codehaus.jackson.map.deser.std.StdDeserializer.reportUnknownProperty(StdDeserializer.java:673)
    at org.codehaus.jackson.map.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:659)
    at org.codehaus.jackson.map.deser.BeanDeserializer.handleUnknownProperty(BeanDeserializer.java:1365)
    at org.codehaus.jackson.map.deser.BeanDeserializer._handleUnknown(BeanDeserializer.java:725)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:703)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:580)
    at org.codehaus.jackson.map.ObjectMapper._readValue(ObjectMapper.java:2704)
    at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1315)
    at org.codehaus.jackson.jaxrs.JacksonJsonProvider.readFrom(JacksonJsonProvider.java:419)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:51)
    at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
    at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
    at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:248)
The same sample code with keycloak-admin-client version 1.8.0 works fine and is able to provision the user in the Keycloak server. Hence there is some issue with versions of the keycloak-admin-client bundle higher than 1.8.0. Please find the project's pom file attached.
Thanks,
Jitendra Chouhan
8 years, 5 months
Implicit Flow
by Mohan.Radhakrishnan@cognizant.com
Hi,
I get a 'code' using this URL. How do I use the implicit flow and get the access token for my ReactJS client? Is there documentation for this?
curl 'http://localhost:8080/auth/realms/master/protocol/openid-connect/auth?res...'
Thanks,
Mohan
8 years, 5 months
Composite roles and user federation with LDAP as external user storage
by FREIMUELLER Christian
Dear all,
I have a question regarding the User Storage Federation (https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...) with respect to LDAP as an external user database and the available mappers.
Current situation:
Right now I'm able to map roles assigned to users and defined in LDAP to Keycloak with the existing Role Mapper, e.g. an Administrator/User role for a specific application.
The JWT output then contains a section like this:
    "resource_access": {
        "myApp": {
            "roles": [
                "Administrator"
            ]
        }
    }
Desired solution:
Is it possible out of the box to use the existing Role Mapper, as described in chapter https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top..., to map composite roles defined in Keycloak to LDAP?
The thing is, in the end I want to define composite roles in LDAP that collect finer user rights under certain "container" roles (like Users, Editors, Administrator), map them to Keycloak together with the finer-grained rights, and have the granted user rights provided in the JWT.
e.g.
Rights/Roles:
- read page
- edit page
- delete page
- create page
Composite Roles:
- User = {read page}
- Editor = {read page, create page, edit page}
- Administrator = {read page, delete page}
The final result in the JWT should then contain a section something like this, where the composite role is automatically resolved into the more specific single rights:
    "resource_access": {
        "myApp": {
            "roles": [
                "read page",
                "delete page"
            ]
        }
    }
Or is Keycloak designed such that the finer rights can be stored in LDAP but the composition is done afterwards in Keycloak?
Thanks,
Christian
8 years, 5 months
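The resolution step the post describes, as an added example that is not from the post or from Keycloak: expanding assigned composite roles into the flat list of rights that the resource_access section should carry. The role definitions are the ones given in the post; the expansion is transitive (a composite may contain another composite) and tolerates cycles, and the keepComposites switch covers the case where the composite name itself should also be listed. How Keycloak stores or resolves composites internally is not modelled, only the expected token content.

```javascript
// Added example (not from the original post): flatten composite roles into the
// fine-grained rights for a client's resource_access section. Definitions are
// taken from the post; "Superuser" in the tests is a constructed nested composite.
const COMPOSITES = {
  User: ['read page'],
  Editor: ['read page', 'create page', 'edit page'],
  Administrator: ['read page', 'delete page'],
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Expands the assigned roles transitively. A name without a definition is a leaf
// right. The visited set makes a cycle (A contains B contains A) harmless.
function effectiveRoles(assigned, composites = COMPOSITES, keepComposites = false) {
  const rights = new Set();
  const visited = new Set();
  const stack = [...assigned];
  while (stack.length > 0) {
    const role = stack.pop();
    if (visited.has(role)) continue;
    visited.add(role);
    if (!hasOwn(composites, role)) {
      rights.add(role); // leaf right, e.g. "read page"
      continue;
    }
    if (keepComposites) rights.add(role);
    stack.push(...composites[role]);
  }
  return [...rights].sort();
}

// Builds the JWT section from the post for one client id.
function resourceAccess(clientId, assigned, composites = COMPOSITES) {
  return { resource_access: { [clientId]: { roles: effectiveRoles(assigned, composites) } } };
}
```

The output is sorted only to make it deterministic; the order of the roles array carries no meaning for a consumer, which should test for membership, never for position.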
.NET Core OIDC auth
by Rafael Soares
I'm trying to integrate an ASP.NET Core client web app with Keycloak using the .NET Core native OIDC support.
For this I'm using a sample project available in the IdentityServer GitHub repo [1]. IdentityServer is an OIDC auth server/framework implementation for the .NET platform.
I forked that sample repo and changed the configuration to use the Keycloak OIDC endpoints. The code snippet changed to use the Keycloak endpoint is this one <https://github.com/rafaeltuelho/IdentityServer4.Samples/blob/dev/MVC%20an...>.
I was able to run this code on my RHEL 7 box using .NET Core for Linux [2].
On the KC side I just created a new realm and a client (see the dotnetcore.json realm config attached). The web app starts and the secured pages/resources redirect the user to the Keycloak endpoint, but after the user authenticates and KC responds to the request, the following error occurs on the .NET client side:
"OpenIdConnectProtocolInvalidCHashException: IDX10307: *The 'c_hash' claim was not found in the id_token*, but a 'code' was in the OpenIdConnectMessage, id_token:
'{"alg":"RS256","typ":"JWT"}.{"jti":"cae47265-327e-4961-aeb2-6615713cc6f8","exp":1469508079,"nbf":0,"iat":1469507779,"iss":"http://localhost:8080/auth/realms/dotnetdemo","aud":"dotnetcore","sub":"b8a10870-3abd-487b-802e-e57307eafc14","typ":"ID","azp":"dotnetcore","nonce":"636051045638599850.NTdmY2FhNWQtYzNmYi00Zjg1LWFlZjItYmViYzBmZTgwMjYzZDMwMDdlYzYtMGJiMS00OWY1LTlhZTQtY2VjNWYyMzM2Yzhl","session_state":"b3010cce-24ac-426b-969a-cccefe41711f","name":"dot NET","preferred_username":"dotnetuser","given_name":"dot","family_name":"NET","email":"donetuser(a)localhost.com"}'"
Searching for the message "*The 'c_hash' claim was not found in the id_token*" I found the issue *KEYCLOAK-3286* [3]. Does this error have something to do with *KEYCLOAK-3286*?
Has anyone tried to integrate a .NET app with Keycloak using the OIDC protocol?
[1] https://github.com/IdentityServer/IdentityServer4.Samples
[2] https://www.microsoft.com/net/core#redhat
[3] https://issues.jboss.org/browse/KEYCLOAK-3286
--
___
Rafael T. C. Soares
8 years, 5 months
Keycloak subsystem is not in standalone.xml?
by Martin Min
Hello,
I am following the tutorial here:
https://keycloak.gitbooks.io/getting-started-tutorials/content/v/2.0/topi...
to configure the demo Keycloak server 2.0 and WildFly 10 Final.
The tutorial says to search for this section:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
However, there is no such entry in WildFly 10's configuration/standalone.xml.
I manually added this part, but then it gives me an error when I start the application server.
Is this because the tutorial is not updated for the WildFly 10 final release? Thank you.
Error message:
22:22:33,022 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: WildFly Full 10.0.0.Final (WildFly Core 2.0.10.Final) starting
22:22:33,535 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
    at org.jboss.as.server.ServerService.boot(ServerService.java:356)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[216,2]
Message: Unexpected element '{urn:jboss:domain:keycloak:1.1}subsystem'
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108)
    at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
    at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
    at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
    at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
    ... 3 more
22:22:33,536 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
8 years, 5 months
Invalid credentials for ldap
by Robert van Loenhout
I have added a Novell LDAP user federation. When I try to log in I get an error page displaying:
Unexpected error when handling authentication request to identity provider.
In the server log it shows a WARN message with "error=invalid_user_credentials".
If I try to log in with an incorrect user the message contains "error=user_not_found", so the user must have been found.
It seems that some unexpected error occurs while verifying the password. I'm sure it is correct. And I'm assuming that I would not get an unexpected error page if the password were just incorrect.
Any help would be appreciated.
8 years, 5 months