Keycloak and WildFly authorization
by Marcin Wilk
I need to use WildFly as a stateless REST provider (no sticky sessions), so
I configured the Keycloak WildFly adapter to use a cookie as the token store. User
roles in the Keycloak server are imported from LDAP (LDAPProvider), and it is a
common situation that a single user belongs to multiple LDAP groups (say
30+). Many of these groups decide a user's authorization for specific
application functionality, so they can't simply be filtered at the Keycloak
server level. On the other hand, passing so many roles (mapped from LDAP
groups) in the cookie (the KEYCLOAK_ADAPTER_STATE cookie) causes the cookie to
be over 4096 bytes, which exceeds popular browsers' cookie size limit. The
cookie is simply discarded in such a situation.
Hence I thought that using the Keycloak adapter for authentication only and
passing authorization to the LdapExtended login module on WildFly
could be a workaround. However, I doubt such an idea
would work, as it doesn't look like there is a fallback from the Keycloak
adapter to other authorization methods on WildFly.
I would appreciate any piece of information on whether such a configuration is
available without redeveloping the Keycloak adapter or writing my own login
module for WildFly.
Thanks in advance for help.
7 years, 3 months
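The post above reports the adapter state cookie being silently dropped once it passes 4096 bytes. The following script is an added example, not code from the post or from the Keycloak project: it builds constructed, unsigned JWT-shaped tokens with a given number of realm roles, concatenates access, ID and refresh tokens the way a cookie token store would (the "___" delimiter and the claim set are assumptions), and reports whether the resulting NAME=value header fits under a 4096-byte per-cookie limit. It is a sizing check for role mappers, not an exact reproduction of what the adapter emits; real tokens carry more claims, so real cookies are larger than this model.

```python
import base64
import json
from typing import List

# Common per-cookie size limit enforced by mainstream browsers, as in the post.
COOKIE_LIMIT_BYTES = 4096
COOKIE_NAME = "KEYCLOAK_ADAPTER_STATE"
# Assumption: the cookie store concatenates the access, ID and refresh token
# strings with this delimiter; only the lengths matter for this estimate.
DELIM = "___"


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compact_json(obj: dict) -> bytes:
    """Serialise without whitespace, as JWT libraries do."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def fake_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT-shaped string used only to measure size.

    The third segment is a placeholder with the length a 256-byte RS256
    signature takes in base64url (342 chars); it is not a real signature.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([b64url(compact_json(header)), b64url(compact_json(payload)), "x" * 342])


def adapter_cookie_value(roles: List[str], username: str = "jdoe") -> str:
    """Model of the adapter state cookie: access token (carrying the realm
    roles), ID token and refresh token joined by DELIM. Claims are constructed."""
    base = {
        "iss": "http://localhost:8080/auth/realms/example",  # constructed issuer
        "sub": "00000000-0000-0000-0000-000000000000",
        "preferred_username": username,
        "exp": 1500000000,
        "iat": 1499999700,
        "azp": "example-client",
    }
    access = dict(base, typ="Bearer", realm_access={"roles": list(roles)})
    id_token = dict(base, typ="ID")
    refresh = dict(base, typ="Refresh")
    return DELIM.join([fake_jwt(access), fake_jwt(id_token), fake_jwt(refresh)])


def cookie_header_size(roles: List[str]) -> int:
    """Bytes of 'NAME=value' as it appears in the Set-Cookie / Cookie header."""
    return len(f"{COOKIE_NAME}={adapter_cookie_value(roles)}".encode("ascii"))


def sample_roles(n_roles: int, role_len: int = 20) -> List[str]:
    """Constructed role names of a fixed length, standing in for LDAP groups."""
    return [f"group-{i:04d}".ljust(role_len, "x") for i in range(n_roles)]


def fits_in_cookie(n_roles: int, role_len: int = 20) -> bool:
    """True when the modelled cookie with n_roles roles is under the limit."""
    return cookie_header_size(sample_roles(n_roles, role_len)) <= COOKIE_LIMIT_BYTES


def max_roles_that_fit(role_len: int = 20) -> int:
    """Largest role count that keeps the modelled cookie under the limit."""
    n = 0
    while fits_in_cookie(n + 1, role_len):
        n += 1
    return n


if __name__ == "__main__":
    for n in (0, 10, 30, 60):
        print(f"{n:3d} roles -> {cookie_header_size(sample_roles(n))} bytes")
    print("max roles of 20 chars that fit:", max_roles_that_fit(20))
```

Run it with the role-name length your LDAP groups actually have; the point where `fits_in_cookie` flips is the headroom you lose when every group becomes a realm role in the token, and is the number to compare against the 30+ groups per user mentioned above.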
example: authenticator-required-action-example
by Christian Froehlich
Hi,
I read the documentation of the Authentication SPI and tried to get
the example running as described in the README.md file, but I got
the following error when deploying it to my local Keycloak server:
-----------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
[ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionRequiredActionFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/RequiredActionFactory"}}}}
-----------------------------------
What I did:
- Download and unzip the current version of Keycloak (2.5.0.Final) and start
the server
- Check out the master branch of the keycloak repo and navigate to the
corresponding subdirectory of the example
- Execute mvn clean install wildfly:deploy as described in the
README.md of the artifact
I also tried to get it running with the git revision tagged
"2.5.0.Final", but with the same error.
Am I missing something? Any help is welcome!
Kind Regards and thanks in advance
Christian
7 years, 3 months
(no subject)
by Metehan Selvi
Hello,
I have a problem with Keycloak 2.5.0.Final on WildFly with a war
deployed on Tomcat 7, with
org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve registered and
keycloak-saml.xml generated from AARealm (just a name).
After navigating to the resource, I get a correct redirect with a
SAML AuthnRequest to WildFly with Keycloak.
I can log in with a user successfully and a correct SAML response is created, but
then I get a *loop* of requests
to the same resource on WildFly (!),
so there is no outcome until I close the window again.
What's wrong?
- Are the redirects wrong?
- Why are the cookies expiring again? (see below)
Here are the details:
- AA.war is deployed on Tomcat on port 8280; inside there is just a
JSP page
- Keycloak runs on 8080
- A RealmAA is created with a client registration and the SAML protocol on
Keycloak
- Valid Redirect URIs is http://localhost:8280/AA/*
- Base URL is http://localhost:8280/AA
- no other URLs are registered
- the loop of requests goes on at
http://localhost:8080/auth/realms/AARealm/login-actions/authenticate?code=<changing_every_time> HTTP/1.1
- Output on WildFly is (again and again, the loop!)
2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE ONLY
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) processFlow
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-cookie requirement: ALTERNATIVE
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) invoke authenticator.authenticate
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator SUCCESS: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-spnego requirement: DISABLED
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) execution is processed
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: null requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-45) Using full scope for client
2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45) type=LOGIN, realmId=AARealm, clientId=AA, userId=1b24603d-c9e8-4317-995a-b42b0f91bae1, ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required, code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user
2017-01-13 20:31:23,647 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/AARealm, max-age: -1
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring remember me cookie
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/AARealm
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper commit
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper end
2017-01-13 20:31:23,815 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) new JtaTransactionWrapper
2017-01-13 20:31:23,816 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) was existing? false
2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE ONLY
If I register http://localhost:8280/AA/saml as "Master SAML Processing URL"
on Keycloak, then I get a 403 Forbidden.
Thanks in advance
Metehan Selvi
7 years, 3 months
using in production
by Avinash Kundaliya
Hello,
After a lot of going back and forth, we are about to decide whether we
want to use Keycloak in production. We are a little worried about
updating Keycloak and about how one receives and keeps track of security
updates. Because of the nature of Keycloak, security is paramount. It
would be helpful if the community could share how they update Keycloak
and keep track of security updates.
Regards,
Avinash
7 years, 3 months
Is Brute Force Detection Extensible or can be Customized?
by Deepu Laghuvaram
Our current functionality is that if the user provides a wrong password 5 or
more times, we want to display on the login page itself that the
user is locked out and has to reset the password (the user is locked
until they reset the password). I am trying to achieve the same functionality in
KeyCloak. Is it possible?
As of now the failed login attempt count is in our database, and I want
Brute Force Detection to be based on the failed login attempts from
my database and to update the failed login attempt count in my DB, basically
combining Brute Force Detection and a custom UserStorageProvider to achieve
both functionalities?
Thanks,
Deepu
7 years, 3 months
Forgot Password Error with Our own UserStorageProvider
by Deepu Laghuvaram
I am using my own DB2UserStorageProvider, and my login and registration are
working as expected, but forgot password is not working as expected (when I
remove User Federation, forgot password works as expected).
The flow I have for Reset Credentials is:
Choose User REQUIRED
Send Reset Email REQUIRED
Reset Password REQUIRED
I used an existing user in my DB2 database with which I am able to log in,
and when I try to reset the password for that user I do not receive any email.
Below are the logs:
14:40:31,755 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) action: reset-credentials-choose-user
14:40:32,908 INFO [DB2UserStorageProvider] (default task-14) Inside getUserByUsername: testmail(a)gmail.com
14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator SUCCESS: reset-credentials-choose-user
14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) processFlow
14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) check execution: reset-credential-email requirement: REQUIRED
14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator: reset-credential-email
14:40:32,949 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-14) JtaTransactionWrapper commit
14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE
14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY
14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) getUserById: f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) entity.getID: 9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credentials-choose-user requirement: REQUIRED
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credential-email requirement: REQUIRED
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: reset-credential-email
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate
*14:40:33,030 WARN [org.keycloak.events] (default task-13) type=RESET_PASSWORD_ERROR, realmId=TestRealm, clientId=TestClient, userId=f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278, ipAddress=127.0.0.1, error=invalid_email, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8090/account/account.jsp, code_id=857a3ff7-837f-4e8d-8b4d-dabd8b38a89e, username=testmail(a)gmail.com*
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) reset browser login from authenticator: reset-credential-email
14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE
14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-cookie requirement: ALTERNATIVE
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-cookie
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate
14:40:33,030 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-13) Could not find cookie: KEYCLOAK_IDENTITY
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: auth-cookie
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-spnego requirement: DISABLED
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: identity-provider-redirector requirement: ALTERNATIVE
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: identity-provider-redirector
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: identity-provider-redirector
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: null requirement: ALTERNATIVE
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is flow
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow
14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-username-password-form requirement: REQUIRED
14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-username-password-form
14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate
It looks like the user is not in context; I am not sure why the user is not
in context, as both getUserByUsername and getUserById are successful and
it even says "authenticator SUCCESS: reset-credentials-choose-user".
Could you please help me with this issue? I am using Keycloak 2.3.0.Final.
Thanks,
Deepu
7 years, 3 months
forgot password from rest api?
by Dekel Aslan
Hi,
I'm trying to find how to update the forgot password flag through the API (http://www.keycloak.org/docs/rest-api/), but I can't find it.
Isn't the RealmRepresentation object supposed to have it?
Thanks,
Dekel.
7 years, 3 months
about resource not found
by TheAzariturk .
Hi,
I used LDAP to connect to Active Directory, and the result was
successful, but after 3 days of working, when I clicked on a user identity or
the User Federation link, the message thrown was "
We could not find the resource you are looking for. Please make sure the
URL you entered is correct.
<http://10.255.145.16:8079/auth/admin/master/console/#/>"
Before, I got this error in version 2.4.0.Final; I googled the problem and
understood that I must upgrade to version 2.5.0, but unfortunately at this
version I currently get this error.
Please help
7 years, 3 months
Testing/Integration testing
by Eriksson Fabian
Hello!
I am currently implementing the feature described below. The feature is not really relevant to this question, but I thought I could include it.
I was wondering, before I make a PR, should I include integration tests even for the UI (the console module, which from what I can tell is not run with Travis)? And is there a way of testing a single Arquillian integration test in an IDE (for the console module)?
I don't know if this is the right forum to ask these questions, but I thought I'd give it a try.
Thanks in advance
Fabian Eriksson
-----Original Message-----
From: Bruno Oliveira [mailto:bruno@abstractj.org]
Sent: den 11 januari 2017 19:18
To: Eriksson Fabian
Cc: stian(a)redhat.com; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Brute force detector extension
I believe the best is to create Jira as a feature request. And later you can attach your PR to that.
On 2017-01-11, Eriksson Fabian wrote:
> Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira-ticket?
>
> Best regards
> Fabian Eriksson
>
> From: Stian Thorgersen [mailto:sthorger@redhat.com]
> Sent: den 2 januari 2017 09:15
> To: Eriksson Fabian
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Brute force detector extension
>
> You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though.
>
> I don't see why we couldn't add it as an option to the built-in provider though so if you are happy to send a PR for it including tests we could accept it into 3.x.
>
> On 21 December 2016 at 11:24, Eriksson Fabian <fabian.eriksson(a)gi-de.com<mailto:fabian.eriksson@gi-de.com>> wrote:
> Hi all!
>
> We would like to have the ability to configure the brute force detector so it can disable a user account completely after X failed attempts and not only lock him/her out for a period of time (setting the lockout time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout period or a permanent one for different realms. I guess this would also require the detector to reset the failed-login-attempts count on a successful login.
>
> Does this sound interesting and could this then be something that we could contribute with to KeyCloak?
>
> Or is there a way to substitute the already existing brute force detector?
>
> Thanks in advance!
> Fabian Eriksson
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
abstractj
7 years, 3 months
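Two threads on this page ask for the same lockout behaviour: Deepu's "Is Brute Force Detection Extensible" post (lock the account after 5 wrong passwords until the password is reset, and show that on the login page) and the quoted exchange above (disable permanently after X failures, or for a configurable period, and reset the counter on a successful login). The following is an added, self-contained model of that policy, written here for illustration; it is not Keycloak's brute force detector and does not use its SPI. The class names, the injectable clock and the message strings are all assumptions of this example. It counts per account only; a production detector would also persist state and typically track per-source-address rates, which this model leaves out.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    """Constructed policy: after max_failures consecutive failures the account
    is locked. lockout_seconds=None means a permanent lock that only an
    explicit unlock (admin action or password reset) clears."""
    max_failures: int = 5
    lockout_seconds: Optional[float] = 15 * 60


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None   # expiry of a timed lock (epoch seconds)
    permanently_locked: bool = False


class BruteForceDetector:
    """Per-account failure counter with timed or permanent lockout."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock                      # injectable so tests control time
        self.state: Dict[str, AccountState] = {}

    def _get(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        s = self._get(user)
        if s.permanently_locked:
            return True
        if s.locked_until is not None:
            if self.clock() < s.locked_until:
                return True
            # Timed lock has expired: clear it and start counting afresh.
            s.locked_until = None
            s.failures = 0
        return False

    def record_failure(self, user: str) -> bool:
        """Register a failed login. Returns True if the account is now locked."""
        if self.is_locked(user):
            return True
        s = self._get(user)
        s.failures += 1
        if s.failures >= self.policy.max_failures:
            if self.policy.lockout_seconds is None:
                s.permanently_locked = True
            else:
                s.locked_until = self.clock() + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> bool:
        """Call after the credential check passed. A locked account is still
        refused (returns False); otherwise the failure count resets."""
        if self.is_locked(user):
            return False
        self._get(user).failures = 0
        return True

    def unlock(self, user: str) -> None:
        """Clear every lock, e.g. after a password reset or an admin unlock."""
        self.state[user] = AccountState()

    def login_page_message(self, user: str) -> Optional[str]:
        """Text the login form could show for a locked account; None otherwise."""
        if not self.is_locked(user):
            return None
        if self._get(user).permanently_locked:
            return "Account locked: reset your password to continue."
        return "Account temporarily locked: try again later."


if __name__ == "__main__":
    detector = BruteForceDetector(LockoutPolicy(max_failures=5, lockout_seconds=None))
    for attempt in range(1, 6):
        print(f"failure {attempt}: locked={detector.record_failure('jdoe')}")
    print(detector.login_page_message("jdoe"))
    detector.unlock("jdoe")          # what a completed password reset would trigger
    print("after reset, locked:", detector.is_locked("jdoe"))
```

Note the ordering in `record_success`: the credential check and the lock check are separate, so a correct password never clears a lock on its own; only `unlock` does, which is what makes the "locked until password reset" variant hold. One caveat worth weighing before showing the lock message on the login page itself: a per-account message confirms to anyone that the account exists, so many deployments show a generic failure and send the lock notice to the user out of band instead.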