Configuring Keycloak to not allow login using the built-in login when a user is configured using an external IDP
by Reed Lewis
We have decided to use Keycloak for our identity services. The current flow will be as follows:
1. We will have an external system that creates users. Users will not be created by Keycloak, but instead will be created by an external service which calls the Admin API to add users.
2. We would like some sort of notification sent to the user by keycloak (if it cannot be done that would be OK) that the user was added
3. If we add the user and configure an external IDP account for the user (we will be pulling user records using Microsoft’s Azure AD OAuth2 client), we want to make sure that when the user types their username, it will not allow them to even attempt to log in using Keycloak’s login, but instead forces them to go to the external IDP login screen.
We have two workflows for adding users. The first is to have the user added independent of any sort of external IDP. This is the case where we need some sort of email that goes to the user with a password or link to validate their account. The second method is to have the customer’s admin log in to the external IDP (we will handle this), and we will pull down a list of all users in their directory and add them to Keycloak ourselves. We will assign a link to the IDP in Keycloak. We would also like a welcome message, but since the external IDP is managing the password, we do not need them to change their password.
Is this possible?
7 years, 11 months
Could not find class org.keycloak.adapters.jaas.BearerTokenLoginModule
by Christian Froehlich
Hello,
I am trying to use the login module "org.keycloak.adapters.jaas.BearerTokenLoginModule", and I only get it running when I add the module as a “global module” in my standalone.xml.
What I did to secure my WildFly in detail:
-> Install the Keycloak WildFly adapter on my application server
-> Add the login module to my security domain:
    <login-module code="org.keycloak.adapters.jaas.BearerTokenLoginModule"
                  flag="sufficient" module="org.keycloak.keycloak-adapter-core">
        <module-option name="keycloak-config-file"
                       value="${jboss.server.config.dir}/keycloak.json"/>
    </login-module>
When I try to log in, the login fails and I see the following log in my server.log (see below). I also get the error when I remove the module attribute from the login-module element. I only get it running when I define the “org.keycloak.keycloak-adapter-core” module as a global module.
Do you have any idea what’s going wrong? I would normally expect the LoginModule to be found without defining it as a global module.
DEBUG [org.jboss.security] (default task-10) () PBOX00206: Login failure: javax.security.auth.login.LoginException: LoginModule-Klasse kann nicht gefunden werden: org.keycloak.adapters.jaas.BearerTokenLoginModule from [Module "deployment.orbis-framework.war:main" from Service Module Loader]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
    at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Regards and thanks in advance
Christian
7 years, 11 months
Unable to reset password of user from keycloak-2.5.0 in MS ActiveDirectory
by Jitendra Chouhan
The password value is *Welcome@123*, which adheres to the AD password policies.
We are using MS Active Directory with keycloak-2.5.0 for storing user information. We are facing an issue while updating/resetting a user password from the Keycloak UI: we get the error "*Invalid password: Failed to match regex pattern(s)*", but if we use the same password to reset the password directly in AD using the ADAM AD tool, we are able to reset the user password. No logs are written either, even with DEBUG mode enabled.
Is anybody else facing this issue?
Thanks & Regards,
Jitendra Chouhan
7 years, 11 months
How to best deal with changes in the Keycloak realm JSON files during upgrades?
by Edgar Vonk - Info.nl
Hi,
The structure of the Keycloak realm JSON files sometimes changes with new versions of Keycloak. Since we use these realm JSON files to manage all our custom settings in Keycloak (we store them in Git etc.) in a fully automated way (continuous delivery), this is quite problematic for us, since we need to figure out exactly what has changed. E.g. I think in Keycloak 2.3.0 the structure of the LDAP federations changed considerably.
How do other people deal with this? Or do people usually not manage their Keycloak settings this way?
What does somewhat surprise me is that even though we did not upgrade our realm JSON files for this particular LDAP federations change, our old files could still be imported into Keycloak 2.5.0 fine. I guess Keycloak is backwards compatible for importing the old JSON structure for a few releases? As soon as you export the realm files, of course, the new structure is used.
cheers
7 years, 11 months
External Registration and SSO
by Deepu Laghuvaram
I have a question related to External Registration and achieving SSO after registration, similar to http://lists.jboss.org/pipermail/keycloak-user/2015-April/001925.html, but it looks like we can't achieve it without going to the Keycloak login page/registration page.
My flow would be
1. Visit app
2. Click on registration link within app
3. Fill out registration info
4. App calls keycloak webservices to create user and set password
5. User is logged in and SSO is also achieved
I see that the same flow is achieved in Red Hat Registration as well: when we try to register at Red Hat through the link https://www.redhat.com/wapps/ugc/register.html;jsessionid=VE12s0McKzTHqAZ... (I think this is not on Keycloak pages and is a registration page within the app), after registration the user is logged in and SSO is also achieved.
I couldn't find a way to implement it similarly; could you please help us with that?
Thanks,
Raghu
7 years, 11 months
Create Test Users - IT
by Dana Danet
There must be something I am missing, as I can’t get the credentials to be set when programmatically creating a test user for integration tests against a running Keycloak 2.5.0 instance with a known realm. The user is created.
When setting a breakpoint in my code I see that my user is created but no credentials are created. This returns 0 tuples:
select * from credential c where c.user_id = (select u.id from user_entity u where u.username = 'test-user')
Below is my code:
import java.util.Arrays;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.junit.After;
import org.junit.Before;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Connection and test-account values are injected from the test configuration
private String authServerUrl, realm, adminUser, adminPassword, username, password;
private final Logger log = LoggerFactory.getLogger(getClass());
private Keycloak keycloak;
private UserRepresentation user;

@Before
public void setup() {
    log.debug("Setting up test harness user.");
    // Admin REST client authenticated with the admin-cli client of the realm
    keycloak = KeycloakBuilder.builder()
            .serverUrl(authServerUrl)
            .realm(realm)
            .username(adminUser)
            .password(adminPassword)
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder()
                    .connectionPoolSize(10)
                    .build())
            .build();
    setupTestUser();
}

private void setupTestUser() {
    log.debug("\nSetting up test harness user.");
    /*
     * Create the credentials via test config values
     */
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue(password);
    credential.setTemporary(false);
    /*
     * Create the user via test config values
     */
    user = new UserRepresentation();
    user.setUsername(username);
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));
    user.setEnabled(true);
    Response result = keycloak.realm(realm).users().create(user);
    // The new user's id is the last path segment of the Location header
    final String locationHeader = result.getHeaderString("Location");
    final String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
    user.setId(userId);
    log.debug("\n\nTest Harness UserId ************** {}\n", userId);
}

@After
public void tearDown() {
    keycloak.realm(realm).users().get(user.getId()).remove();
}
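An added example, not code from the original post, of the same fixture written so that the password is set with an explicit reset-password call after the user exists, rather than relying on the credentials list passed to create(), and then checked end to end by obtaining a token for the new user. It assumes the keycloak-admin-client API (KeycloakBuilder, UserResource.resetPassword, Keycloak.getInstance and tokenManager), admin credentials in the master realm, and a public client named test-client (assumed name) in the target realm with Direct Access Grants enabled.

```java
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Test-user fixture (added example): creates a user through the admin REST
 * client, sets its password with a separate reset-password call, and proves
 * the credential is usable by performing a direct grant as that user.
 *
 * Assumptions: admin account lives in the "master" realm; the target realm has
 * a public client "test-client" (assumed name) with Direct Access Grants enabled.
 */
public class TestUserFixture {

    private final Keycloak admin;
    private final String serverUrl;
    private final String realm;

    public TestUserFixture(String serverUrl, String realm, String adminUser, String adminPassword) {
        this.serverUrl = serverUrl;
        this.realm = realm;
        // Admin session via the built-in admin-cli client of the master realm
        this.admin = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .username(adminUser)
                .password(adminPassword)
                .clientId("admin-cli")
                .build();
    }

    /** Creates the user, sets its password, and returns the user id from the Location header. */
    public String createUser(String username, String password) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        user.setEmailVerified(true);

        Response response = admin.realm(realm).users().create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user create failed: HTTP " + response.getStatus());
            }
            String location = response.getHeaderString("Location");
            String userId = location.substring(location.lastIndexOf('/') + 1);

            // Set the password in its own request; this is the same operation the
            // admin console uses and does not depend on create() storing credentials.
            CredentialRepresentation credential = new CredentialRepresentation();
            credential.setType(CredentialRepresentation.PASSWORD);
            credential.setValue(password);
            credential.setTemporary(false);
            admin.realm(realm).users().get(userId).resetPassword(credential);
            return userId;
        } finally {
            response.close();
        }
    }

    /** Returns true only if a direct grant with the new password yields an access token. */
    public boolean canLogin(String username, String password) {
        Keycloak asUser = Keycloak.getInstance(serverUrl, realm, username, password, "test-client");
        try {
            AccessTokenResponse token = asUser.tokenManager().getAccessToken();
            return token.getToken() != null && !token.getToken().isEmpty();
        } catch (RuntimeException e) {
            // A 401 from the token endpoint surfaces as a JAX-RS runtime exception
            return false;
        } finally {
            asUser.close();
        }
    }

    /** Removes the test user so the fixture leaves no account behind. */
    public void deleteUser(String userId) {
        admin.realm(realm).users().get(userId).remove();
    }

    public void close() {
        admin.close();
    }
}
```

In a test, call createUser in @Before, assert that canLogin returns true before exercising the application, and call deleteUser in @After. If canLogin still returns false after the explicit reset-password call, the credential query against the credential table shown above is the next thing to check, since the problem then lies on the server side rather than in how the request was built.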
7 years, 11 months
In Keycloak 2.4.0 the keycloak-ldap-federation library misses the org.keycloak.federation.ldap package?!
by Edgar Vonk - Info.nl
Hi,
We have our own custom Keycloak LDAP federation mappers and for this purpose we use the keycloak-ldap-federation.jar library.
In Keycloak 2.4.0.Final this library suddenly seems to be missing the entire org.keycloak.federation.ldap package?! Only the org.keycloak.storage.ldap package seems to be in there now.
We use this package heavily and I think we need to because I don’t know of another way to create custom LDAP federation mappers?
E.g. our custom federation mapper extends from the org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper class and overrides various methods and therefore needs these classes:
import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper;
Is there another library that contains this package?
cheers
7 years, 11 months
Keycloak - SQL Server partnership
by abhishek raghav
Hi
As you all know, Keycloak is saying that they won't support Mongo as it lacks transactional support.
Hence I was thinking of using SQL Server as a potential candidate.
A few queries which I have are below:
1. We are envisioning an environment where we will have a lot of Keycloak instances. Each Keycloak instance will require its own database. The way we do it right now is that we just bring up a new Keycloak instance on DCOS, specify a new database name resident on the database host, and then the instance comes up. We are not sure whether we can do this with SQL Server in much the same way.
2. Not sure what performance characteristics we will get with a remote SQL Server?
3. These are Linux-based container instances that we are setting up for Keycloak. Mixing deployment architectures between DCOS containers and traditional scaling architectures for databases, can it be an issue?
Is there anyone here using SQL Server as their backend in Keycloak? Did anyone have any bad experiences while using SQL Server with Keycloak?
Any suggestions for the same are most welcome.
*- Best Regards*
Abhishek Raghav
7 years, 11 months