Using Keycloak with Microsoft Azure Active Directory
by Reed Lewis
I am attempting to use Microsoft Azure Active Directory with Keycloak.
It is not working correctly.
Here is how I have it configured:
OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL: <none>
Backchannel Logout: Off
User Info URL: <blank>
First Login Flow: First Broker Login
It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it either only has the first and last name, but no email address.
Is there something I have configured incorrectly?
I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis
7 years, 4 months
Fwd: Error when session expired and ajax request execute in Keycloak?
by Adam Daduev
After login, i get in my app, and for all my ajax request from page to
backing bean, i receive response 401 even if the session is still alive.
If removed autodetect-bearer-only option, all work fine, but going back to
the old error.
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
---------- Forwarded message ---------
From: Adam Daduev <daduev.ad(a)gmail.com>
Date: вт, 10 янв. 2017 г. в 14:08
Subject: Re: [keycloak-user] Error when session expired and ajax request
execute in Keycloak?
To: <stian(a)redhat.com>
I tried, but does not work.
Firstly, i add autodetect-bearer-only option via adapter subsystem, wildfly
not started, he not know autodetect-bearer-only option, then, i added via
json, wildfly started and app was deployed.
Secondly, on my ajax request to backing bean, i receive response 401 and
does not happend.
This is my keycloak.json
{
"realm": "azovstal",
"auth-server-url": "http://dc09-apps-06:8090/auth",
"ssl-required": "none",
"resource": "web-test",
"public-client": true,
"use-resource-role-mappings": true,
"autodetect-bearer-only": true
}
вт, 10 янв. 2017 г. в 10:19, <daduev.ad(a)gmail.com>:
Ok, I try, thanks.
10 янв. 2017 г., в 07:07, Stian Thorgersen <sthorger(a)redhat.com> написал(а):
In that case take a look at the new autodetect-bearer-only option. You'll
need 2.5.0.Final for that.
On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote:
No, I have jsf 2 app with richfaces framework, which deploy on wildfly
10.1.
9 янв. 2017 г., в 14:51, Stian Thorgersen <sthorger(a)redhat.com> написал(а):
[Adding list back]
A web app redirects the user to a login page if not authenticated, while a
service should return a 401.
It sounds like what you have is a JS application with a service backend. In
Keycloak you should have two separate types of clients for that. The JS
application should be a public client, while the services a bearer-only
client.
On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Thanks for the answer.
Yes i have confidential client, i have web application, that asks
Keycloak server
to authenticate a user for them. As I understand, bearer-only is for web
services clients.
I probably something do not understand?
2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
Looks like your services are configured as confidential clients rather than
bearer-only and hence is sending a login request back rather than a 401.
You should either swap your service war to be a bearer-only client or use
the new autodetect-bearer-only option in adapters if you have both web
pages and services in the same war.
On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Hi, can you help me!
When session expired and ajax request execute in Keycloak, i have error in
browser console:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I add in Keycloak admin console, in the client setting, Web Origins=
http://localhost:8080 (or *), and enabled cors in app, but still has error
in console. I used Keycloak 2.5.0
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 6 months
Spring security adapter for SAML
by Pulkit Gupta
Hi Team,
I have a application with Spring security configured.
We are trying to migrate the same to keycloak.
Do we have a spring security adapter for keycloak with SAML.
I went through the documentation and can see that we have a spring adapter
but that is for open ID connect.
--
Thanks,
Pulkit
AMS
7 years, 7 months
Support for transactional email providers like SendGrid, Mailgun or Mandrill
by Vineet Reynolds
Hi everybody,
Has anyone managed to configure Keycloak 2.0.0.Final to use a
transactional email API instead of configuring an SMTP server? I would
prefer to have Keycloak send emails using a rest API like Sendgrid,
Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running
an SMTP server.
I'd also appreciate if this is possible through the SPI providers.
* Should I implement both EmailSenderProvider and EmailTemplateProvider
SPIs ?
* I cannot get my custom EmailSenderProvider SPI implementation to work,
as the FreemarkerEmailTemplateProvider implementation fails to obtain the
implementation of the EmailSenderProvider. Stack trace is below
13:17:53,991 ERROR
[org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default
task-39) Failed to send verification email:
org.keycloak.email.EmailException: Failed to template email
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
at
org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
at
org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
at
org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559)
at
org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490)
at
org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412)
at
org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
at
org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
at
org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
at
org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
... 57 more
Thanks,
Vineet
7 years, 7 months
JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly IE doesn't really care about the header's
value as long as it has been set. For example Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
7 years, 9 months
Export
by Brian Schwartz
Is the keycloak export functionality broken since the last couple of
versions?
https://keycloak.gitbooks.io/server-adminstration-guide/
content/v/2.4/topics/export-import.html
I run this command:
./standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=
demokeycloak.json
I get this error:
14:00:33,664 INFO
[org.keycloak.exportimport.singlefile.SingleFileExportProvider]
(ServerService Thread Pool -- 48) Exporting model into file
/Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
14:00:34,163 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server
shutdown has been requested.
14:00:34,222 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
service thread 1-4) WFLYJCA0010: Unbound data source
[java:jboss/datasources/KeycloakDS]
14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
-- 48) MSC000001: Failed to start service jboss.undertow.deployment.
default-server.default-host./auth: org.jboss.msc.service.StartException in
service jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(
javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.
call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct
public org.keycloak.services.resources.KeycloakApplication(
javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.
construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.
createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.
createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(
ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.
ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.
HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.
proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.
RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.
proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$
DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(
ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(
DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.utils.ModelToRepresentation$2.
compare(ModelToRepresentation.java:431)
at org.keycloak.models.utils.ModelToRepresentation$2.
compare(ModelToRepresentation.java:428)
at java.util.TimSort.countRunAndMakeAscending(
TimSort.java:356)
at java.util.TimSort.sort(TimSort.java:220)
at java.util.Arrays.sort(Arrays.java:1512)
at java.util.ArrayList.sort(ArrayList.java:1454)
at java.util.Collections.sort(Collections.java:175)
at org.keycloak.models.utils.ModelToRepresentation.
exportAuthenticationFlows(ModelToRepresentation.java:428)
at org.keycloak.models.utils.ModelToRepresentation.
toRepresentation(ModelToRepresentation.java:372)
at org.keycloak.exportimport.util.ExportUtils.exportRealm(
ExportUtils.java:87)
at org.keycloak.exportimport.singlefile.
SingleFileExportProvider$1.runExportImportTask(
SingleFileExportProvider.java:65)
at org.keycloak.exportimport.util.ExportImportSessionTask.
run(ExportImportSessionTask.java:35)
at org.keycloak.models.utils.KeycloakModelUtils.
runJobInTransaction(KeycloakModelUtils.java:236)
at org.keycloak.exportimport.singlefile.
SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
at org.keycloak.exportimport.ExportImportManager.runExport(
ExportImportManager.java:102)
at org.keycloak.services.resources.KeycloakApplication.
<init>(KeycloakApplication.java:149)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(
NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorI
mpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.
newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.
construct(ConstructorInjectorImpl.java:150)
... 19 more
This has not worked for me since version 2.1.0.
I’m currently using version 2.4.0.Final.
Thanks
7 years, 10 months
web origins of clients and using wildcards
by Christian Froehlich
Hi,
the tool tip of Web Origins at the client administration ui says: "...To
permit all origins add '*'.", but it doesn't work. It seems that wildcards
in web origins does not work at all. Using wildcards would be great in our
development sides where we often works with ips instead of real dns names.
So currently we have to add a set of web origins with the possible ips
like https://192.168.99.100, https://192.168.99.101,...
Is it a bug or just a wrong tool tip or am I completely wrong with my
assumption?
Regards Christian
7 years, 10 months
OAuth token introspection
by Jason B
Hi,
I am trying to understand the OAuth 2.0 capabilities of Keycloak server and
I have a few questions with respective to the implementation of OAuth
introspection spec.
This is how a sample introspection response looking like
{
"jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
"exp": 1485492229,
"nbf": 0,
"iat": 1485491929,
"iss": "http://localhost:8080/auth/realms/nkadali",
"aud": "proxy",
"sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
"typ": "Bearer",
"azp": "proxy",
"auth_time": 1485487408,
"session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
"name": "",
"preferred_username": "jason",
"acr": "0",
"client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
"allowed-origins": [],
"realm_access": {
"roles": [
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"view-profile"
]
}
},
"client_id": "proxy",
"username": "jason",
"active": true
}
I have two question based on this response.
1. According to the OAuth OAuth 2.0 Token Introspection (
https://tools.ietf.org/html/rfc7662) the json response body may contain
"token_type" member. But why keycloak representing "token_type" as "typ"?
Is there any specific reason?
2. I don't see any "scope" attribute in the response body even though I
supplied scope parameter while requesting for the access token. Any idea on
how to get scopes associated with the supplied access token?
Thanks!
7 years, 10 months
Client setup recommandation
by David Delbecq
Hello,
we have a javascript web application we are migrating to keycloak. I am not
sue what are the recommandations on setting up configuration for that
client with the following requirement:
Once user triggers the "login" and gets keycloak authenticated, we should
get a bearer token to use later on REST services.
The user should not be requested again to login, unless he logs out. Even
if he closes his browser. So we need a way to keep or replace token on a
regular basis. Is there some keycloak REST service we can poll on a regular
basis for this?
Sometimes the user goes "off grid" (no network communication) for several
hours. How can we ensure we still keep logged in?
My first idea was to just increase the SSO timeout and token validity to 30
days. But it seems like a bad idea from my reading of keycloak
documentation. So i tried to use an offline token instead, but it seems the
implicit flow doesn't allow you to get an offline token. All token i get
after login are marked as expiring within 15 minutes.
What's the recommended way to get long lived refresh token, using implicit
flow?
--
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq(a)trimbletl.com
<http://www.trimbletl.com/>
7 years, 10 months
