Tracing back-channel logout requests/responses
by Josh Cain
Hi all,
I'd like to be able to generate errors on failed back-channel logout
requests/responses as well as analyze and enumerate back-channel logout
requests/responses that are sent.
Does Keycloak provide a way to do this? I poked through the source
some and couldn't find anything. There was an old issue[0] that dealt
with some failure cases around back-channel logout, but that's about
all I could see with a cursory search.
If not supported, would you be open to a PR that hooks logout event
details into the existing EventListener architecture?
[0] https://issues.jboss.org/browse/KEYCLOAK-782
--
Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 256-452-0150
7 years, 8 months
Re: [keycloak-user] Red Hat SSO supported version
by Haim Vana
Can you please advise what the difference is between RH-SSO 7.0 and KC 1.9.8?
Will the support be valid for both, or only for RH-SSO?
Haim.
-------- Original message --------
From: Sebastien Blanc <sblanc(a)redhat.com>
Date: 1/15/17 12:10 (GMT+02:00)
To: Haim Vana <haimv(a)perfectomobile.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Red Hat SSO supported version
Hi,
RH-SSO 7.0 is based on KC 1.9.8, so yes, you will have to upgrade.
Seb
On Sun, Jan 15, 2017 at 10:17 AM, Haim Vana <haimv(a)perfectomobile.com> wrote:
Hi,
Currently we are using Keycloak 1.9.3. Could we get support for that version, or will we have to upgrade? If so, to which version?
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 8 months
Changing password & existing sessions (via forgot password email)
by Adrian Verhagen
It appears that refresh tokens are not expired when the password is reset
via the password reset email. This seems to work when resetting the
password from the account self-maintenance console, but not the recovery
email.
I'm imagining a case where, if I've been told by an administrator to reset
my password (because the account/password was compromised) and I have not
used the service in some time and so change my password using the "Forgot
Password" email, I would assume my password has been changed and my account
now secured. I wouldn't know that I needed to change it again from the
self-maintenance console in order to clear out logged in sessions.
I'm wondering what everyone else thinks about this.
7 years, 8 months
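A minimal model of the gap described in the message above, added here as an illustration; it is not Keycloak code and not part of the original post. The class, the `revoke_on_email_reset` switch and the logical clock are assumptions made for the example: every credential change should move a per-user "not before" mark so that refresh tokens issued earlier stop being honoured, whichever path changed the password.

```python
import itertools


class SessionStore:
    """Toy model of an identity provider's refresh-token handling (constructed)."""

    def __init__(self, revoke_on_email_reset):
        self.revoke_on_email_reset = revoke_on_email_reset  # hypothetical switch
        self.not_before = {}   # user -> logical time; tokens issued earlier are rejected
        self.tokens = {}       # refresh token -> (user, issued_at)
        self._clock = itertools.count(1)

    def login(self, user):
        """Issue a refresh token (credential check omitted in this model)."""
        issued_at = next(self._clock)
        token = f"rt-{issued_at}"
        self.tokens[token] = (user, issued_at)
        self.not_before.setdefault(user, 0)
        return token

    def refresh(self, token):
        """True if the refresh token is still honoured."""
        user, issued_at = self.tokens.get(token, (None, 0))
        return user is not None and issued_at > self.not_before[user]

    def _revoke_sessions(self, user):
        self.not_before[user] = next(self._clock)

    def change_password_in_console(self, user):
        self._revoke_sessions(user)

    def reset_password_by_email(self, user):
        # The reported gap: this path changes the credential but keeps sessions.
        if self.revoke_on_email_reset:
            self._revoke_sessions(user)


def old_token_survives_email_reset(revoke_on_email_reset):
    idp = SessionStore(revoke_on_email_reset)
    old_token = idp.login("alice")        # session opened before the reset
    idp.reset_password_by_email("alice")
    new_token = idp.login("alice")        # owner logs in with the new password
    return idp.refresh(old_token), idp.refresh(new_token)


if __name__ == "__main__":
    print("as reported:", old_token_survives_email_reset(False))
    print("hardened:   ", old_token_survives_email_reset(True))
```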
User Group in the response header by proxy
by abhishek raghav
Hi,
I am maintaining a legacy application where I cannot install the Keycloak
adapter. It is secured behind the Keycloak proxy.
The Keycloak proxy injects some identity headers by default: keycloak_subject,
name, username, email and access token.
My requirement is that role and group should also be sent as part of the
injected headers. I know for a fact that this information
exists in the access token itself, but then I need to add a dependency/plugin
on the application side to parse the token info and get the roles/groups.
Is there a way on the proxy side to add these two headers so that they are
also sent along with the identity headers? Secondly, is it a good
approach, or does it break the secure design pattern?
*- Best Regards*
Abhishek Raghav
7 years, 8 months
HashAlgorithm
by Dekel Aslan
Hi,
In your password policy docs you state "See the Server Developer Guide<https://keycloak.gitbooks.io/server-developer-guide/content/> on how to plug in your own algorithm". Server dev guide does not have that information, where is it?
On another note, I'm not familiar with ratings of hashing algorithms, what is a preferred one?
Thanks,
Dekel.
7 years, 8 months
Customizing error Pages(for example client logo)
by rony joy
Hi All,
We are trying to customize the error pages based on the realm id. We are
able to do the basic modification by extending the error pages in our
custom theme. But in our error pages we wanted to have more realm-specific
customization (for example customer logo) by fetching the logo from external
services based on the realm id.
Currently we don't see a way by looking at the code. Any help is appreciated.
Thanks
Rony Joy
7 years, 8 months
user storage provider (non-importing strategy) - examples causing Nullpointer-Exceptions
by Matuszak, Eduard
Hello
I am struggling to make the user storage provider examples run in Keycloak 2.5.0 Final: taking the "old" imported strategy runs fine, but neither the user-storage-simple (readonly) nor the user-storage-jpa example succeeds in building up a complete login; both crash with NullPointerExceptions. Perhaps you have a hint or can confirm that the examples are not running because of Keycloak behaviour that will be solved in the future?
Thanks in advance for any comment, Eduard Matuszak
For completion, the source code is attached
.. and these are the stack-traces:
user-storage-simple (readonly)
---------------------------------------
16:35:44,569 ERROR [org.keycloak.keys.FailsafeHmacKeyProvider] (default task-39) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
16:35:44,569 WARN [org.keycloak.keys.FailsafeHmacKeyProvider] (default task-39) Keys expired, re-generated kid=dbeb665e-c67f-4041-a2ac-4dfe6375d1e8
16:35:53,626 WARN [org.keycloak.services] (default task-45) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:86)
at org.keycloak.credential.PasswordCredentialProvider.onCache(PasswordCredentialProvider.java:215)
at org.keycloak.credential.UserCredentialStoreManager.onCache(UserCredentialStoreManager.java:302)
at org.keycloak.models.cache.infinispan.UserCacheSession.onCache(UserCacheSession.java:409)
at org.keycloak.models.cache.infinispan.UserCacheSession.cacheUser(UserCacheSession.java:369)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserAdapter(UserCacheSession.java:280)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:258)
at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:205)
at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:133)
at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
..
user-storage-jpa (adapted version)
-------------------------------------------
16:38:36,780 INFO [org.ccp.provider.ccp_augmented_file.CcpAugmentedFileUserStorageProvider] (default task-45) getUserByUsername: adm_eduard
16:38:36,781 WARN [org.keycloak.services] (default task-45) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage.getFirstAttribute(AbstractUserAdapterFederatedStorage.java:359)
at org.ccp.provider.ccp_augmented_file.UserAdapter.getFirstAttribute(UserAdapter.java:112)
at org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage.getCreatedTimestamp(AbstractUserAdapterFederatedStorage.java:324)
at org.keycloak.models.cache.infinispan.entities.CachedUser.<init>(CachedUser.java:55)
at org.keycloak.models.cache.infinispan.UserCacheSession.cacheUser(UserCacheSession.java:342)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserAdapter(UserCacheSession.java:280)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:258)
at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:205)
at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:133)
at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
..
7 years, 8 months