Authentication from spring security without redirection
by Dekel Aslan
Hi,
I'm looking for a way of exposing REST services with Keycloak authentication.
Does Keycloak have a bean that handles authentication for spring security without filter / redirection?
Further details: I use spring security adapter, but I can't use it for http calls because it redirects to Keycloak login page.
I want to get the user credentials and invoke Keycloak service in the server (with REST "/token"), but then I won't have an authentication object as the processing filter creates.
Thanks,
Dekel.
7 years, 11 months
HTTP-Redirect binding for SAML
by Brian Thai
Hi,
The PHP SAML libraries that I am using are HTTP-Redirect binding only for the single logout service. I have tried a few different configurations but I seem to be missing something with my 2.5.0-Final configuration. If I do not configure an HTTP-Post binding for the SLS, I get the error "KC-SERVICES0051: Failed to logout client, continuing: java.lang.NullPointerException". Can Keycloak support HTTP-Redirect binding for SAML logout? If so, do you know where I can get a working configuration to see what I am missing?
Thanks!
- Brian
7 years, 11 months
MariaDB / MySQL / Postgres-BDR / Postgres-XL
by Santosh Haranath
Any database of choice for multi-site deployment? Our initial research points towards Postgres. For MMR, Postgres has two choices: Postgres-BDR and Postgres-XL. Any experience with these technologies to build a multi-site, session-replicated access mgmt infrastructure?
Thanks.
7 years, 11 months
AngularJS or react App for login
by santosh.haranath@gmail.com
Can we use an angularJS or React based application to render login pages?
I have noticed administration APIs but did not see authentication APIs to build upon.
- Santosh
7 years, 11 months
CORS setup
by Zeus Arias Lucero | BEEVA
Hi,
Is it possible to configure cors? Which are the steps?
My client config is (JSON):
{
  "realm": "name",
  "realm-public-key": "...",
  "auth-server-url": "https://example:8443/auth",
  "ssl-required": "all",
  "resource": "name",
  "enable-cors": true,
  "cors-allowed-methods": "GET, HEAD, OPTIONS",
  "cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers",
  "credentials": {
    "secret": "...."
  },
  "principal-attribute": "preferred_username"
}
And the error in the application is:
XMLHttpRequest cannot load
https://keycloak_url:8443/auth/realms/name/protocol/open…gin&state=1%2tok....
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'https://url_app' is therefore not allowed access.
The Keycloak response headers are:
Cache-Control:no-store, must-revalidate, max-age=0
Connection:keep-alive
Content-Length:5257
Content-Security-Policy:frame-src 'self'
Content-Type:text/html;charset=utf-8
Date:Fri, 02 Dec 2016 09:37:15 GMT
Server:WildFly/10
Set-Cookie:KC_RESTART=COOKIE; Version=1; Path=/auth/realms/name; Secure; HttpOnly
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Undertow/1
Do I have to modify the file standalone.xml?
7 years, 11 months
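For readers wondering what the cors-allowed-methods / cors-allowed-headers values in a client config like the one above are supposed to turn into on the wire, here is an added example (not code from this thread and not Keycloak's adapter) of a resource server enforcing them, written in Go with only the standard library. It assumes the origin https://url_app from the error message is the application's origin (Keycloak keeps the per-client origin allow-list under the client's "Web Origins"), and the handler and helper names are hypothetical. Two things it shows that the posted headers do not: a browser XHR is only allowed to read the response if the server echoes that exact allow-listed Origin (never a wildcard when credentials are involved), and a bearer-only resource answers an unauthenticated call with 401 rather than redirecting to an HTML login page, which is the kind of response (Content-Type text/html) the headers above show.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSConfig mirrors the adapter settings from the post (allowed methods
// and headers). Origins are an explicit allow-list; Keycloak keeps them per
// client under "Web Origins". This struct shape is hypothetical.
type CORSConfig struct {
	AllowedOrigins []string
	AllowedMethods string
	AllowedHeaders string
}

// WithCORS wraps an API handler. Only an allow-listed Origin is echoed back
// (never "*", since credentials are involved), "Vary: Origin" keeps caches
// from serving one origin's answer to another, and preflights are answered
// before the protected resource is touched.
func WithCORS(cfg CORSConfig, next http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, o := range cfg.AllowedOrigins {
		allowed[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); allowed[origin] {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Methods", cfg.AllowedMethods)
			h.Set("Access-Control-Allow-Headers", cfg.AllowedHeaders)
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// bearerOnly is the protected resource: a missing token gets a 401 with a
// challenge, not a redirect to a login page, so a browser XHR receives a
// response it is allowed to read instead of an HTML page from another origin.
// Token validation itself is out of scope here and left to the caller.
func bearerOnly(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
		w.Header().Set("WWW-Authenticate", `Bearer realm="name"`)
		http.Error(w, "missing bearer token", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"ok":true}`))
}

// NewAPI assembles the handler with the values from the posted client config;
// https://url_app is the application origin named in the error message.
func NewAPI() http.Handler {
	cfg := CORSConfig{
		AllowedOrigins: []string{"https://url_app"},
		AllowedMethods: "GET, HEAD, OPTIONS",
		AllowedHeaders: "Origin, Accept, X-Requested-With, Content-Type, Authorization",
	}
	return WithCORS(cfg, http.HandlerFunc(bearerOnly))
}

// Probe sends one in-memory request (constructed, no network) and returns
// the status code and the Access-Control-Allow-Origin header the browser sees.
func Probe(h http.Handler, method, origin, auth string) (int, string) {
	req := httptest.NewRequest(method, "https://api.example/resource", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", http.MethodGet)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}
```

A request from an origin that is not on the list still gets processed, but without the Access-Control-Allow-Origin header the browser refuses to hand the response to the page, which is the error text quoted above; the fix is to register the origin, not to reflect whatever Origin arrives.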
Re: [keycloak-user] Policies seem to go corrupt, version 2.5.0
by Pedro Igor Silva
I see. I'm going to check what is happening. Can't understand why it works
after re-creating the policies.
So, which version were you using before migrating to 2.5.0? Did you also
try a build from upstream?
On Tue, Jan 24, 2017 at 11:04 AM, Ushanas Shastri <ushanas(a)gmail.com> wrote:
> Hello Pedro,
>
> Policies created by us stop working. For example, without any change the
> Evaluation API shows Deny, and we can't investigate why, as the policy
> results in Resource not found.
>
> Interestingly, while the Evaluation API in the administration console
> says denied, the protected application gets a permit when using the
> Authorization API.
>
> We then recreate the policies, permissions and all is good again.
>
> Regards, Ushanas.
>
>
> On 24-Jan-2017 5:05 PM, "Pedro Igor Silva" <psilva(a)redhat.com> wrote:
>
> Hi Ushanas, recently we made a specific change to update policy types
> from "drools" to "rules". But that was in 2.5.1, so I think it is not the case.
>
> Can you elaborate more on what those random instances of policies are? Are
> they being created somehow but not by you?
>
> Regarding the resource not found, I think I have fixed this with this PR
> https://github.com/keycloak/keycloak/pull/3766/. It should be available
> on 2.5.1.
>
> Thanks.
>
> On Tue, Jan 24, 2017 at 12:51 AM, Ushanas Shastri <ushanas(a)gmail.com>
> wrote:
>
>> Hello,
>>
>> I've created scope based permissions tied to role based policies. Any new
>> permission or policy we create, all looks right, but we find random
>> instances of policies that deny authorization, and when we want to
>> investigate, we can't even see the details of the policy. It shows up in
>> the list, but clicking on it takes us to a resource not found page.
>> Any ideas on what may be happening here?
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
7 years, 11 months
Prevent token expiring when using spring-security-adapter
by Diego Diez
Hi all,
I have two applications configured with the spring-security-adapter.
What I need to accomplish is to prevent the token expiration, to be able to
jump from one app to the other without introducing my credentials again in
the keycloak server.
Since both applications only communicate with the keycloak server at
login and logout (once logged in, the application only checks if there is
an Authentication object in the session), the token could be expired if I
go to application 2 after a while navigating application 1.
For example:
Keycloak config:
- access token idle timeout 45 minutes.
Http session config:
- Timeout 30 minutes.
1. Log in app1
2. Introduce user/pass in keycloak and create http session with
Authentication object in app1
3. Navigate and do stuff for 1 hour
- At this moment, I have an http session with a logged in user while
the keycloak session has been invalidated due to the idle timeout
4. Go to app2
5. Keycloak requires again user/pass because the token is expired.
Am I missing something? I need to refresh the access token before it
expires in the keycloak server (step 3), but I couldn't find a way.
Thanks in advance,
Diego.
7 years, 11 months
Re: [keycloak-user] Brokering with OIDC and Direct Access Grant
by Marek Posolda
We have support for identity brokering, but I'm not sure if that helps with
your use case. If I understand correctly, you have a token for B and you
want to access an API protected by A with the B-token, right?
If you don't want to use multitenancy for some reason, I think you may
have to validate the token yourself on your application side instead of
using our adapters. Even if A and B use the same publicKey for token
verification, the issuer in the B-token will be different, so our
adapter (which verifies the issuer) will fail.
Also you can implement your own directGrant authenticator in
Keycloak-A, which will allow you to authenticate with the b-token (sent
to it in some parameter) and then return you the a-token, which you
can then validate. De facto an exchange of the b-token for the a-token. See
the Authentication SPI docs for more details.
Marek
On 24/01/17 12:14, Alexander Chriztopher wrote:
> Actually, we dont' want our API to know the B instance.
>
> Is there any other solution (am thinking about brokering between A and
> B and creating a client for instance B in instance A etc.) ?
>
> And yes, A and B are not in a cluster for organisation matters.
>
> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> I assume that Keycloak instances A and B are not in cluster? If
> you can put them in cluster, you will have this supported OOTB.
>
> Also did you see our multitenancy feature and multi-tenant
> example? This allows that application (API) is protected by both
> instance A or B. So based on the token from the request, you will
> see if you should use keycloak A or B to validate token.
>
> Marek
>
>
> On 24/01/17 11:05, Alexander Chriztopher wrote:
>
> Hello,
>
> Am looking for the flow to get an access token with OIDC and 2
> Keycloak
> instances (A and B).
>
> User is Known by instance B and gets an access token from
> instance B then
> needs to access an API protected with instance A.
>
> What would be the best way to do it ?
>
> Thanks for any help.
7 years, 11 months
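Marek's reply makes two points that are easier to see in code: an adapter configured for instance A rejects a B-token because it checks the issuer, and the multi-tenant approach picks which instance's key to validate with based on the token itself. The same validation is also the answer to the earlier "Authentication from spring security without redirection" post: a REST resource does not need a login redirect, it only needs to verify the bearer token. The following is an added example, not code from this thread and not Keycloak's adapter, written in Go with only the standard library. It assumes constructed issuer URLs, realm keys generated in-process (a real adapter would load the realm's public key, e.g. the realm-public-key from the adapter config), an "aud" claim that is a single string (Keycloak can emit an array), and hypothetical names Realm, NewRealm, MintToken and Validate. MintToken stands in for the Keycloak server so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of a Keycloak access token this example checks
// ("aud" assumed to be a single string; Keycloak may emit an array).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Realm pairs an issuer URL with that realm's public signing key, which is
// all an API needs to validate tokens without any login redirect.
type Realm struct {
	Issuer string
	Key    *rsa.PublicKey
}

var b64 = base64.RawURLEncoding

// NewRealm generates a key pair standing in for a Keycloak realm (constructed
// for the example; the private key is only needed to mint tokens offline).
func NewRealm(issuer string) (Realm, *rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return Realm{Issuer: issuer, Key: &priv.PublicKey}, priv
}

// MintToken signs an RS256 JWT the way the realm's server would.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// Validate checks a bearer token against the realms this API trusts. The
// still-unverified "iss" claim only selects which key to try; nothing in the
// token is trusted until the signature verifies under that key, and a token
// from an issuer the API does not know is rejected outright (the single-tenant
// adapter behaviour Marek describes). "now" is a Unix timestamp in seconds.
func Validate(token string, realms []Realm, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	// Pin the algorithm: the token must never choose how it is verified.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	var realm *Realm
	for i := range realms {
		if realms[i].Issuer == c.Iss {
			realm = &realms[i]
		}
	}
	if realm == nil {
		return nil, fmt.Errorf("unknown issuer %q", c.Iss)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(realm.Key, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify under the issuer's key")
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Aud != audience {
		return nil, fmt.Errorf("token audience %q is not this API", c.Aud)
	}
	return &c, nil
}
```

Registering only realm A reproduces the failure from the thread (a B-token is refused at the issuer check); registering both A and B is the multi-tenant setup, where the issuer decides which key is used but a token signed by the wrong instance, or claiming the other instance's issuer, still fails at signature verification.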
Synchronising TOTP with LDAP
by Liam Maruff
My organisation is transitioning from a legacy authentication mechanism to
OpenID Connect using Keycloak. The current system stores TOTP data in an
LDAP store under a field named ssoTotpValue.
Is it possible for us to allow users to continue using their existing TOTP
configuration by mapping the ssoTotpValue from the existing LDAP store into
Keycloak? If not, what other mechanisms are available for us to
accomplish this goal?
Regards,
Liam M
7 years, 11 months
Brokering with OIDC and Direct Access Grant
by Alexander Chriztopher
Hello,
I am looking for the flow to get an access token with OIDC and 2 Keycloak
instances (A and B).
The user is known by instance B and gets an access token from instance B, then
needs to access an API protected with instance A.
What would be the best way to do it ?
Thanks for any help.
7 years, 11 months