January 2017 - keycloak-user - Jboss List Archives

by Marcin Wilk

I need to use wildfly as a stateless REST provider (no sticky sessions) so I configured keycloak wildfly adapter to use cookie as a token store. User roles in keycloak servers are imported from LDAP (LDAPProvider) and it is a common situation that a single user belongs to multiple ldap groups (say 30+). Many of these groups decide about users authorization to specific application functionality so they can't be simply filtered at keycloak server level. On the other hand passing so many roles (mapped from ldap groups) in the cookie (KEYCLOAK_ADAPTER_STATE cookie) causes the cookie to be over 4096 bytes big and exceeds popular browsers' cookie size limit. The cookie is simply discarded in such situation. Hance I thought that using keycloak adapter to authentication only and passing authorization to ldapextended login module at wildfly for authorization could be a circumvention. However I doubt if such an idea would work as it doesn't look like there is a fall back from keycloak adapter to other authorization methoda on wildfly. I would appreciate any piece of information if such a configuration is available without redeveloping keycloak adapter or writting my own login module for wildfly. Thanks in advance for help.

9 years, 2 months

1
0
0 / 0

example: authenticator-required-action-example

by Christian Froehlich

Hi, I read the documentation of the Authentication SPI and I tried to get the example running like it is described in the README.md file but I got the following error when I deploy it to my local keycloak server: ----------------------------------- [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYC TL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action- example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process ph ase POST_MODULE of deployment \"authenticator-required-action-example.jar\" [ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionRequiredActionFactory (Module \"deployment.authenticator-required-action-exam ple.jar:main\" from Service Module Loader): org/keycloak/authentication/RequiredActionFactory"}}}} ----------------------------------- What I did: Download and unzip the current version of keycloak 2.5.0.Final and start the server checkout the master branch of the keycloak repo, navigate to the corresponding sub directory of the example execute mvn clean install wildfly:deploy like it is described in the README.md of the artifact I also tried to get it running with the git revision that is tagged with "2.5.0.Final", but with the same error. Do I miss something? Any help is welcome! Kind Regards and thanks in advance Christian

9 years, 2 months

3
5
0 / 0

(no subject)

by Metehan Selvi

Hello, I have got a Problem with Keycloak 2.5.0 Final on Wildfly with an war deployed on a Tomcat 7 and registered org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve and generated keycloak-saml.xml from AARealm ( just a name) After navigating to the Ressource , I got a correct redirect with SAML-AuthnRequest to Wildfly with Keycloak. I can login with a user successful, a correct SAML-Response is created, but then I got a *loop *on requests on the same ressource on Wildfly (!), so there is no outcome till I close the window again. What's wrong? - Are the Redirects wrong? - Why are the cookies expiring again? (see below) Here are the details: - AA.war is deployed on tomcat with port 8280 , inside there is just an jsp-Page - Keycloak runs on 8080 - A RealmAA is created with Client registration and SAML Protocol on Keycloak - Valid Redirect URIs is http://localhost:8280/AA/* - Base URL is http://localhost:8280/AA - no other URLs are registered - loop on requests go on http://localhost:8080/auth/realms/AARealm/login-actions/authenticate?code= <changing_every_time> HTTP/1.1 - Output on Wildfly is (again and again, the loop!) 2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true 2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE 2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE ONLY 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) processFlow 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-cookie requirement: ALTERNATIVE 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator: auth-cookie 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) invoke authenticator.authenticate 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator SUCCESS: auth-cookie 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-spnego requirement: DISABLED 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) execution is processed 2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: identity-provider-redirector requirement: ALTERNATIVE 2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution 2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: null requirement: ALTERNATIVE 2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution 2017-01-13 20:31:23,647 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-45) Using full scope for client 2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45) type=LOGIN, realmId=AARealm, clientId=AA, userId=1b24603d-c9e8-4317-995a-b42b0f91bae1, ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required, code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user 2017-01-13 20:31:23,647 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/AARealm, max-age: -1 2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring remember me cookie 2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/AARealm 2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper commit 2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper end 2017-01-13 20:31:23,815 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) new JtaTransactionWrapper 2017-01-13 20:31:23,816 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) was existing? false 2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true 2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE 2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE ONLY If I register http://localhost:8280/AA/saml as "Master SAML Processing URL" on Keycloak, then I got a 403 Forbidden. Thanks in advance Metehan Selvi

9 years, 2 months

1
0
0 / 0

using in production

by Avinash Kundaliya

Hello, After a lot of going to and fro, we are about to make a conclusion if we want to use keycloak in production. We are a little worried about updating keycloak and how does one receive/keep track of security updates. Because of the nature of keycloak, security is of paramount. It would be helpful if the community can help as how they update keycloak and keep track of security updates. Regards, Avinash

9 years, 2 months

2
1
0 / 0

Is Brute Force Detection Extensible or can be Customized?

by Deepu Laghuvaram

Our current functionality is that if the user provides wrong password for 5 times or more then we want to display on the login page itself that the user is locked out and they have to reset the password (User is Locked until they reset password) I am trying to achieve the same functionality in KeyCloak. Is it possible? And as of now the failed login attempts count is in our Database and I want to make Brute Force Detection to be based on the failed login attempts from my database and update the failed login attempts to my DB, basically combining Brute Force Detection and Custom UserStorageProvider to achieve both the functionalities? Thanks, Deepu

9 years, 2 months

2
2
0 / 0

Forgot Password Error with Our own UserStorageProvider

by Deepu Laghuvaram

I am using my own DB2UserStorageProvider and my Login and Registration are working as expected but forgot password is not working as expected (When I remove User Federation then Forgot Password is working as expected). I am having the flow for Reset Credential as Choose User REQUIRED Send Reset Email REQUIRED Reset Password REQUIRED I used an existing user in my DB2 database, with which I am able to login and when I try that user to reset password, I am not receiving any email and below are the logs 14:40:31,755 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) action: reset-credentials-choose-user 14:40:32,908 INFO [DB2UserStorageProvider] (default task-14) Inside getUserByUsername: testmail(a)gmail.com 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator SUCCESS: reset-credentials-choose-user 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) processFlow 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) check execution: reset-credential-email requirement: REQUIRED 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator: reset-credential-email 14:40:32,949 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-14) JtaTransactionWrapper commit 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) getUserById: f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) entity.getID: 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credentials-choose-user requirement: REQUIRED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credential-email requirement: REQUIRED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: reset-credential-email 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate *14:40:33,030 WARN [org.keycloak.events] (default task-13) type=RESET_PASSWORD_ERROR, realmId=TestRealm, clientId=TestClient, userId=f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278, ipAddress=127.0.0.1, error=invalid_email, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8090/account/account.jsp <http://localhost:8090/account/account.jsp>, code_id=857a3ff7-837f-4e8d-8b4d-dabd8b38a89e, username=testmail(a)gmail.com <testmail(a)gmail.com>* 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) reset browser login from authenticator: reset-credential-email 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-cookie requirement: ALTERNATIVE 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-cookie 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate 14:40:33,030 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-13) Could not find cookie: KEYCLOAK_IDENTITY 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: auth-cookie 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-spnego requirement: DISABLED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: identity-provider-redirector requirement: ALTERNATIVE 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: identity-provider-redirector 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: identity-provider-redirector 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: null requirement: ALTERNATIVE 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is flow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-username-password-form requirement: REQUIRED 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-username-password-form 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate It looks like the user is not in context, I am not sure why the user is not in context as both getUserByUsername and getUserById are successful and even it says "authenticator SUCCESS: reset-credentials-choose-user". Could you please help me with this issue, I am using Keycloak 2.3.0 Final. Thanks, Deepu

9 years, 2 months

1
2
0 / 0

forgot password from rest api?

by Dekel Aslan

Hi, I'm trying to find how to update the forgot password flag through the api (http://www.keycloak.org/docs/rest-api/ ), but I can't find it. Isn't the RealmRepresentation object suppose to have it? Thanks, Dekel. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

9 years, 2 months

2
1
0 / 0

about resource not found

by TheAzariturk .

hi i used LDAP for connection to active directory, and result being succesfull, but after 3 days working when i clicked on user identity or User Federation link message has trrown that " We could not find the resource you are looking for. Please make sure the URL you entered is correct. <http://10.255.145.16:8079/auth/admin/master/console/#/>" befor i get this error in 2.4.0 final version i googled problem and i understand that must upgrade to version 2.5.0, unfortunality at this version currently i got this error please help

9 years, 2 months

2
1
0 / 0

User groups empty attributes from GET /admin/realms/{realm}/users/{id}/groups (no api description)

by adam.michalski＠aol.com

Api docs for: GET /admin/realms/{realm}/users/{id}/groups returns list of GroupRepresentation array with empty attributes. In other rest returning this list there is description: only name and ids are returned but not in this one. How to get list of groups with attributes with single request?

9 years, 2 months

2
1
0 / 0

Testing/Integration testing

by Eriksson Fabian

Hello! I am currently implementing this feature described below. The feature is not really relevant for this question but I thought I could include it. I was wondering, before I make a PR, should I include integration tests even for the UI (the console module, which from what I can tell is not run with Travis)? And is there a way of testing a single arquillian integration test in an IDE (for the console module)? I don't know if this is the right forum to ask these questions but I thought I'll give it a try Thanks in advance Fabian Eriksson -----Original Message----- From: Bruno Oliveira [mailto:bruno@abstractj.org] Sent: den 11 januari 2017 19:18 To: Eriksson Fabian Cc: stian(a)redhat.com; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Brute force detector extension I believe the best is to create Jira as a feature request. And later you can attach your PR to that. On 2017-01-11, Eriksson Fabian wrote: > Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira-ticket? > > Best regards > Fabian Eriksson > > From: Stian Thorgersen [mailto:sthorger@redhat.com] > Sent: den 2 januari 2017 09:15 > To: Eriksson Fabian > Cc: keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] Brute force detector extension > > You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though. > > I don't see why we couldn't add it as an option to the built-in provider though so if you are happy to send a PR for it including tests we could accept it into 3.x. > > On 21 December 2016 at 11:24, Eriksson Fabian <fabian.eriksson(a)gi-de.com<mailto:fabian.eriksson@gi-de.com>> wrote: > Hi all! > > We would like to have ability to configure the brute force detector so it can disable a user account after X failed attempts completely and not only lock him/her out for a period of time (setting the lockout-time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for different realms. I guess this would also require the detector to reset the failed-login-attempts count on a successful login. > > Does this sound interesting and could this then be something that we could contribute with to KeyCloak? > > Or is there a way to substitute the already existing brute force detector? > > Thanks in advance! > Fabian Eriksson > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj

9 years, 2 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user January 2017