Default identity provider REST endpoint
by Sven Thoms
Is there a REST endpoint for setting the default, already set identity
provider at
Authentication - Authentication Flows - Browser - Identity Provider
Redirector - Default Identity Provider?
I could not find it under flows or flow executions.
7 years, 11 months
Reset OTP
by Dumitru Sbenghe
Hi,
Correct me if I'm wrong, but as far as I see the only way to reset your
OTP is as part of the reset-password-via-email optional feature (or to disable
OTP for that user in the admin UI), which seems to make OTP usage as 2SV
heaps less secure than it should be, considering that it can be reset
together with the password via email.
From reading the docs, to make a reset OTP via SMS for example, an
authentication SPI needs to be implemented, isn't it? Any plans to implement
a more secure OTP reset as a standard feature in Keycloak?
Thanks,
Dumitru
7 years, 11 months
Get token for JS UI
by Matt H
I have a situation where I need my JavaScript UI (all client side) to obtain a token from Keycloak. The token would not be specific to the user but for the UI itself. Looking at the documentation for the JavaScript Adapter, it appears that it only works for getting a token for the user and is a public access type. Is it possible to get a token for the UI and treat the UI as a confidential client? It would need to then have a secret key, right? Is there a good way to store that secret key so that it can't be read by users who just browse the source from their browser?
The reason for doing this is I have another authentication engine that is used to access the UI. The users would then not have an account in Keycloak.
7 years, 11 months
Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails
by Edgar Vonk - Info.nl
Hi,
I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User Federation pages concerning the Bind Credential fields. The Bind Credential is fine in the Keycloak database (COMPONENT_CONFIG table these days) and everything works fine except the following scenario:
1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider (assuming you have one of course). You already notice that the value of the Bind Credential field has too few characters.
3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP authentication failed.' The issue is that the bind credential is wrong.
4/ However click on ‘Synchronize all users’ and this works just fine. So the bind credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3
I think the issue is with this admin page. It seems to do something with the bind credentials it gets from the database. Maybe it wants to unhash it or something, but it is not hashed in the database at all (just plain text). Which maybe is the real issue here?
Is this indeed a bug and if so shall I create a bug report for it?
cheers
7 years, 11 months
Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak?
by Stian Thorgersen
[Adding list back]
A web app redirects the user to a login page if not authenticated, while a
service should return a 401.
It sounds like what you have is a JS application with a service backend. In
Keycloak you should have two separate types of clients for that. The JS
application should be a public client, while the services should be a
bearer-only client.
On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote:
> Thanks for the answer.
> Yes, I have a confidential client; I have a web application that asks the Keycloak server
> to authenticate a user for it. As I understand, bearer-only is for web
> service clients.
> Probably there is something I do not understand?
>
> 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> Looks like your services are configured as confidential clients rather
>> than bearer-only and hence are sending a login request back rather than a
>> 401. You should either swap your service war to be a bearer-only client or
>> use the new autodetect-bearer-only option in adapters if you have both web
>> pages and services in the same war.
>>
>> On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote:
>>
>>> Hi, can you help me!
>>> When the session has expired and an ajax request executes in Keycloak, I have
>>> an error in the
>>> browser console:
>>>
>>> XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
>>> realms/azovstal/protocol/openid-connect/auth?…ml&state=
>>> 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
>>> 'Access-Control-Allow-Origin' header is present on the requested
>>> resource.
>>> Origin 'http://localhost:8080' is therefore not allowed access.
>>>
>>> I added, in the Keycloak admin console, in the client settings, Web Origins=
>>> http://localhost:8080 (or *), and enabled CORS in the app, but still have the
>>> error
>>> in the console. I used Keycloak 2.5.0
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 11 months
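The distinction Stian draws above (a web app redirects the browser to the login page, a service answers 401) and why a redirect is the wrong answer for an XHR, as an added example that is not part of this thread and is not Keycloak adapter code. Keycloak signs access tokens with RS256 and the adapter verifies them against the realm's public key; to run offline, this example signs with a constructed HMAC key instead. The realm name, the auth endpoint URL, the routes, the client id and the sample tokens are all constructed for illustration.

```python
"""Added example: service (bearer-only) vs. web-app (public client) behaviour
when a request arrives without a valid token.

Keycloak's real adapters verify RS256 signatures against the realm key; the
HMAC-SHA256 signature here is a stand-in so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real deployment uses the realm's RS256 key.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
AUTH_ENDPOINT = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth"
REALM = "demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, expires_in: int, now: Optional[float] = None) -> str:
    """Create a JWT-shaped access token signed with the example HMAC key."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": int(now) + expires_in}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def handle(request: dict, bearer_only: bool, now: Optional[float] = None) -> dict:
    """Dispatch one request the way each client type should.

    request = {"path": str, "headers": {...}}
    returns {"status": int, "headers": {...}, "body": ...}
    """
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    claims = verify_token(token, now) if token else None
    if claims:
        return {"status": 200, "headers": {}, "body": {"user": claims["sub"]}}
    if bearer_only:
        # A service must never redirect. The browser follows a 302 on an XHR
        # transparently, lands on the Keycloak auth endpoint on another origin,
        # and the call dies with the "No 'Access-Control-Allow-Origin'" error
        # from the thread. A 401 lets the JS client refresh the token and retry.
        www = f'Bearer realm="{REALM}"' + (', error="invalid_token"' if token else "")
        return {"status": 401, "headers": {"WWW-Authenticate": www}, "body": None}
    # A web app serving pages (public client) sends the browser to log in.
    redirect = (f"{AUTH_ENDPOINT}?client_id=webapp&response_type=code"
                "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback")
    return {"status": 302, "headers": {"Location": redirect}, "body": None}


def browser_client_next_step(response: dict) -> str:
    """What a public JS client should do with the service's answer."""
    if response["status"] == 401:
        return "refresh-token-then-retry"   # keycloak.updateToken() in the JS adapter
    if response["status"] == 302:
        return "cors-failure"   # an XHR cannot usefully follow a cross-origin login redirect
    return "ok"
```

The `WWW-Authenticate` header follows RFC 6750: an absent token gets a bare challenge, a present but invalid one gets `error="invalid_token"`, which is enough for the client to decide between logging in and refreshing.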
2FA via REST API
by Stefan Schlesinger
Hello Folks,
Does anyone know how to verify an OTP (TOTP) token against the Keycloak OpenID REST API for clients with direct access grants enabled? I cannot seem to find any hints on the correct API endpoints.
I'm trying to get a working FreeRADIUS setup for 802.1X/VPN authentication with 2FA enabled. The basic username/password authentication already works.
Best,
Stefan.
--
Stefan Schlesinger
sts(a)ono.at
7 years, 11 months
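How a TOTP code is generated and checked (RFC 6238, the algorithm behind Keycloak's OTP credential) and the form body a direct-access-grant request carrying a second factor would send, as an added example that is not from this thread and not Keycloak code. The `totp` form parameter name is my assumption about what the OTP step of the direct grant flow reads; verify it against the Keycloak version you run. The realm, client, user and OTP secret values are constructed; the test vectors come from RFC 4226 / RFC 6238.

```python
"""Added example: RFC 6238 TOTP generation and skew-tolerant verification,
plus the token-endpoint form body for a direct grant with a second factor."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def secret_from_base32(text: str) -> bytes:
    """Decode the Base32 secret shown when an OTP credential is enrolled."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // period), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                period: int = 30, digits: int = 6, look_around: int = 1) -> bool:
    """Accept the current step and +/- look_around neighbours to absorb clock skew.

    Every candidate is compared in constant time and the loop never exits early,
    so an attacker cannot tell from timing which step matched."""
    at = time.time() if at is None else at
    step = int(at // period)
    ok = False
    for delta in range(-look_around, look_around + 1):
        ok |= hmac.compare_digest(hotp(secret, step + delta, digits), code)
    return ok


def direct_grant_body(client_id: str, client_secret: str, username: str,
                      password: str, otp_code: str) -> dict:
    """Form fields for POST .../realms/<realm>/protocol/openid-connect/token.

    The RADIUS server (or any back end holding the client secret) sends this
    as application/x-www-form-urlencoded. A 200 with an access_token means
    both factors passed; any error response is a failed authentication and
    should not be interpreted further."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,   # direct grants need a confidential client
        "username": username,
        "password": password,
        "totp": otp_code,   # assumed parameter name for the OTP step (not confirmed on the page)
    }


if __name__ == "__main__":
    # Constructed enrolment secret; the RFC test key "12345678901234567890" is used in the test.
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    code = totp(secret)
    print("current code:", code, "valid:", verify_totp(secret, code))
    print(direct_grant_body("radius-proxy", "constructed-secret", "alice", "hunter2", code))
```

A verifier that checks only the exact current step rejects perfectly good codes whenever the phone's clock drifts a few seconds past a 30-second boundary; a window of one step either side is the usual compromise between usability and the (threefold) increase in guessable codes.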
React Native App using Keycloak
by Grant Marrow
Hi everyone,
Could anyone point me in the right direction, please? I am busy building a
React Native mobile application and I would like to use Keycloak for user
authentication and authorization. Has anyone else done this before? If yes,
could you please give me some tips on how you implemented this?
Thanks in advance.
Regards
Grant
7 years, 11 months
Error when session expired and ajax request execute in Keycloak?
by Adam Daduev
Hi, can you help me!
When the session has expired and an ajax request executes in Keycloak, I have an error in the
browser console:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I added, in the Keycloak admin console, in the client settings, Web Origins=
http://localhost:8080 (or *), and enabled CORS in the app, but still have the error
in the console. I used Keycloak 2.5.0
7 years, 11 months
Documentation links broken
by Steve Sobol - Lobos Studios
Hey guys,
New to Keycloak. Loving how easy it is to set up and use. But the
documentation links on your website all seem to be broken.
I can browse to https://www.gitbook.com/@keycloak and find the docs, but
it'd be a little more convenient if I could use the links you've set up.
FYI and thanks :)
--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer
Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets,
Accessories
Steve Sobol - CEO, Senior Developer and Server Jockey
steve(a)LobosStudios.com
7 years, 11 months
Error when upgrading from keycloak 2.1.0.Final to 2.5.0.Final
by Phil Evans
Hi all,
I'm trying to upgrade the version of Keycloak my application is using from
2.1.0.Final to 2.5.0.Final.
Unfortunately, when my app starts up I see...
00:35:14,234 ERROR
[org.jboss.as.controller.management-operation] (Controller Boot
Thread) WFLYCTL0013: Operation ("add") failed - address:
([("deployment" => "keycloak-server.war")]) - failure description:
{"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.concurrent.ee.context.config.auth.auth is missing
[jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth.InstanceName is
missing [jboss.infinispan.keycloak.keys]",
"jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing
[jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth.ModuleName is missing
[jboss.infinispan.keycloak.keys]",
"jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
is missing [jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth is missing
[jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth.Validator is missing
[jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth.InAppClientContainer
is missing [jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.app.auth.AppName is missing
[jboss.infinispan.keycloak.keys]",
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
is missing [jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.app.auth is missing
[jboss.infinispan.keycloak.keys]",
"jboss.naming.context.java.module.auth.auth.ValidatorFactory is
missing [jboss.infinispan.keycloak.keys]"
]}
00:35:14,344 INFO [org.jboss.as.server] (ServerService Thread
Pool -- 45) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name
: "keycloak-server.war")
00:35:14,348 INFO [org.jboss.as.controller] (Controller Boot
Thread) WFLYCTL0183: Service status report
WFLYCTL0184: New missing/unsatisfied dependencies:
service jboss.infinispan.keycloak.keys (missing) dependents:
[service jboss.naming.context.java.app.auth.AppName, service
jboss.deployment.unit."keycloak-server.war".jca.cachedConnectionManagerSetupProcessor,
service jboss.naming.context.java.module.auth.auth.InAppClientContainer,
service jboss.naming.context.java.module.auth.auth.ValidatorFactory,
WFLYCTL0208: ... and 9 more ]
What has changed to cause this error, which I'm not seeing with version
2.1.0.Final?
Thanks in advance,
Phil
7 years, 11 months