Keycloak Logout hangs for exactly 5.00 seconds
by William Drescher [CELUM]
Hi there,
We have the problem that when logging out, Keycloak hangs for exactly 5.00 seconds before it allows a redirect to the login page. Any ideas as to what could be causing this? We have a Java application using the Vert.x OAuth2 and use the AccessToken logout which logs out over the REST API, but the same thing happens with the Java Keycloak library (also over REST).
Would appreciate any tips for avenues of investigation,
William Drescher
7 years, 2 months
Re: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
by Jason Spittel
Even in the case that SP app from step 1 was not through Keycloak?
--------------------------------------------
On Wed, 10/4/17, Hynek Mlnarik <hmlnarik(a)redhat.com> wrote:
Subject: Re: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
To: "Jason Spittel" <jasonspittel(a)yahoo.com>
Cc: "Keycloak-user" <keycloak-user(a)lists.jboss.org>
Received: Wednesday, October 4, 2017, 1:27 PM
Yes. Keycloak supports this scenario regardless of brokering - this is a basic single sign-on scenario.
--Hynek
On Wed, Oct 4, 2017 at 7:45 PM, Jason Spittel <jasonspittel(a)yahoo.com> wrote:
> Does Keycloak, in SAML brokering mode, support the following scenario?
> 1. User logs into SP app 1.
> 2. User does not close browser but accesses SP app 2 (through Keycloak brokering).
> 3. Will Keycloak recognize authentication that user has done for step 1?
> In this case the IdP Keycloak is brokering to is AzureAD.
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
--Hynek
7 years, 2 months
user count
by Stephen Henrie
Hey all,
I have Keycloak 3.2.1.Final configured with a realm that has 13 users in
it. When I call the API rest endpoint for GET /admin/realms/{realm}/users,
I get 13 user "records" back as expected. However, when I call the API rest
endpoint GET /admin/realms/{realm}/users/count for the same realm, I get
the number 21 returned.
I would have expected this to return the number 13. Has anyone else
experienced this? Is there something that I am missing?
Thanks
Stephen
7 years, 2 months
Parameterizing keycloak.json?
by Malte Finsterwalder
Hi there,
I set up a web application to use Keycloak.
I added a keycloak.json file to configure the keycloak settings.
In this file there is the auth-server-url and a path to a truststore.
The keycloak.json file is packaged into the war file, of course.
But I need to deploy the same war file to different servers that should
talk to different Keycloak servers.
Is there a way to parameterize information in the keycloak.json file? Or
can I configure overrides in a JBoss server?
I know that I could configure the keycloak settings completely in the
JBoss configuration, but I rather like the idea to have a config per app.
Greetings,
Malte
7 years, 2 months
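One way to keep a per-app config while still deploying one WAR everywhere is to package keycloak.json as a template and render it at deploy time. The script below is an added example, not Keycloak project code: it resolves ${env.NAME} and ${env.NAME:default} placeholders from the environment, refuses to start with unresolved placeholders, and runs a few sanity checks (https auth-server-url, sensible ssl-required) before writing the file. The placeholder syntax is chosen to match the environment-variable replacement the Keycloak Java adapter itself applies when it parses keycloak.json; whether your adapter version does that is an assumption to verify, and this script does not depend on it. The template, variable names and the build/render/check function names are mine.

```python
"""Render an environment-specific keycloak.json from one packaged template.

Added example, not Keycloak project code. Assumes a template with
${env.NAME} or ${env.NAME:default} placeholders (the env.-prefixed form the
Keycloak adapter's own property replacement is believed to accept; treated
as an assumption here) and resolves them at deploy time.
"""
import json
import os
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"\$\{env\.([A-Z0-9_]+)(?::([^}]*))?\}")

# Constructed template: what would be packaged inside the WAR.
TEMPLATE = """{
  "realm": "${env.KC_REALM}",
  "auth-server-url": "${env.KC_URL}",
  "ssl-required": "${env.KC_SSL_REQUIRED:external}",
  "resource": "my-app",
  "truststore": "${env.KC_TRUSTSTORE}",
  "truststore-password": "${env.KC_TRUSTSTORE_PASSWORD}",
  "credentials": { "secret": "${env.KC_CLIENT_SECRET}" }
}"""


def render(template: str, env: dict) -> str:
    """Replace every placeholder; raise KeyError listing any that are unresolved."""
    missing = []

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            # JSON-escape the value so quotes/backslashes in secrets stay valid.
            return json.dumps(env[name])[1:-1]
        if default is not None:
            return default
        missing.append(name)
        return ""

    rendered = PLACEHOLDER.sub(substitute, template)
    if missing:
        raise KeyError(f"unresolved keycloak.json placeholders: {sorted(set(missing))}")
    return rendered


def check(config: dict) -> list:
    """Deploy-time sanity checks; returns a list of problems (empty means OK)."""
    problems = []
    for key in ("realm", "auth-server-url", "resource"):
        if not config.get(key):
            problems.append(f"{key} is empty")
    if urlparse(config.get("auth-server-url", "")).scheme != "https":
        problems.append("auth-server-url is not https")
    if config.get("ssl-required") not in ("all", "external"):
        problems.append("ssl-required must be 'all' or 'external'")
    return problems


def build(template: str, env: dict) -> dict:
    """Render, parse and validate; raise ValueError if a check fails."""
    config = json.loads(render(template, env))
    problems = check(config)
    if problems:
        raise ValueError("; ".join(problems))
    return config


if __name__ == "__main__":
    # Run on the target server before the WAR is deployed.
    with open("keycloak.json", "w") as fh:
        json.dump(build(TEMPLATE, dict(os.environ)), fh, indent=2)
```

Run it once per target server with the KC_* variables set; a typo in a variable name fails the deployment instead of producing a WAR that silently talks to the wrong realm.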
PolicyEnforcer always requires all defined scopes as 'required'
by sahlex
Hi.
I'm trying to get warm with keycloak. So I created a test project that uses
KeycloakOIDCFilter to secure a servlet request (a vaadin UI).
Basically it's working. Now I want to add some portions of the UI only
visible to users granted permission to a certain scope.
So I set up:
* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes urn:test-project:article:view
and urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the other
(admin) having both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added
"policy-enforcer": {} in keycloak.json)
* Two policies:
- Admin policy: type role, roles: admin (required)
- User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui.
- Article Create Permission: resource: admin-ui, scopes:
urn:test-project:article:create, policy: Admin policy, unanimous
- Admin UI View Permission: resource: admin-ui, scopes:
urn:test-project:article:view, policy User policy, unanimous
* A resource permission granting access to the resource itself using Default
Permission (js, grant all)
Admin user is working fine and testing for scope membership using
authzClient is working fine as well.
However, when I try to access the page with user 'test', the user is denied
access due to AbstractPolicyEnforcer. In method authorize() it always passes
the requiredScopes variable to isAuthorized(...). This variable is ALWAYS
filled with all scopes associated with the resource. These are taken from the
pathConfig, which always yields both associated scopes.
Of course, user 'test' has only granted permission to scope
urn:test-project:article:view following the authorization set up, thus
failing the grant although the evaluator is returning PERMIT with scopes
(urn:testproject:article:view) as expected:
{
"jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c",
"exp": 1507127243,
"nbf": 0,
"iat": 1507126943,
"aud": "test-context",
"sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
"typ": "Bearer",
"azp": "test-context",
"auth_time": 0,
"session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8",
"acr": "1",
"allowed-origins": [
"http://"
],
"realm_access": {
"roles": [
"uma_authorization",
"user"
]
},
"resource_access": {},
"authorization": {
"permissions": [
{
"scopes": [
"urn:testproject:article:view"
],
"resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
"resource_set_name": "Admin UI"
}
]
},
"name": "Test Tester",
"preferred_username": "test",
"given_name": "Test",
"family_name": "Tester",
"email": "test(a)bla.de"
}
I'm using keycloak 3.2.1.FINAL on karaf 4.1.2.
Please help!
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
7 years, 2 months
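The point of the post is the difference between "every scope mapped to the path is required" and "any granted scope is enough". The following is an added example, not Keycloak's PolicyEnforcer: it decodes the payload of a constructed RPT whose claims are modelled on the token in the post, pulls the scopes out of authorization.permissions for one resource, and evaluates both policies against the path's scope list. The token is built locally with a dummy signature and the signature is deliberately not verified here; a real enforcer verifies RS256 against the realm key before trusting any claim. The helper names and the ADMIN_UI_SCOPES set are mine.

```python
"""Evaluate the scopes granted in a Keycloak RPT against a path's required scopes.

Added example, not Keycloak's PolicyEnforcer. The sample token is constructed
here (claims modelled on the token in the post) with a dummy signature.
"""
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature (test data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.dummy-signature"


def jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only the claim structure is inspected here; a real enforcer verifies the
    RS256 signature against the realm public key first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def granted_scopes(claims: dict, resource_name: str) -> set:
    """Scopes listed under authorization.permissions for one resource."""
    permissions = claims.get("authorization", {}).get("permissions", [])
    return {
        scope
        for perm in permissions
        if perm.get("resource_set_name") == resource_name
        for scope in perm.get("scopes", [])
    }


def authorized(claims: dict, resource_name: str, required: set, mode: str = "all") -> bool:
    """mode='all': every scope mapped to the path must be granted (what the
    post observes). mode='any': one granted scope from the path suffices."""
    granted = granted_scopes(claims, resource_name)
    if mode == "all":
        return required <= granted
    if mode == "any":
        return bool(required & granted)
    raise ValueError(f"unknown mode {mode!r}")


# Scopes the enforcer would read from the path config for the admin-ui resource.
ADMIN_UI_SCOPES = {"urn:test-project:article:view", "urn:test-project:article:create"}

# Constructed RPT for user 'test': only the view scope was granted.
SAMPLE_CLAIMS = {
    "aud": "test-context",
    "azp": "test-context",
    "typ": "Bearer",
    "preferred_username": "test",
    "realm_access": {"roles": ["uma_authorization", "user"]},
    "authorization": {
        "permissions": [
            {
                "scopes": ["urn:test-project:article:view"],
                "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
                "resource_set_name": "Admin UI",
            }
        ]
    },
}
SAMPLE_RPT = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = jwt_payload(SAMPLE_RPT)
    print("granted:", sorted(granted_scopes(claims, "Admin UI")))
    print("all required:", authorized(claims, "Admin UI", ADMIN_UI_SCOPES, "all"))
    print("any granted :", authorized(claims, "Admin UI", ADMIN_UI_SCOPES, "any"))
```

With the same token, the "all" policy denies user test and the "any" policy admits them; mapping only the view scope to the protected path (so the required set is a subset of what the user holds) also passes under "all", which is the configuration-side workaround when the enforcer insists on every scope of the path.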
How to use two providers with same username in a realm/client
by Jansen, Gerhard
Hello,
in our application I use an application-specific user database for authentication, and I can also authenticate users with their Active Directory credentials (SPNEGO or username/password).
Now we want to switch to Keycloak, but we can only use either a custom user-database provider or an Active Directory federation provider in a realm. SPNEGO works fine, but form-based login doesn't.
Only the first federation provider is called. Maybe because login name for both providers is the same, even though neither userbase is imported.
How can I authenticate a user with a second federation provider with the same login name after authentication with the first provider fails?
(Or do I even have to think in a completely different direction ?)
Thanks in advance for any suggestions.
Best regards,
Gerhard Jansen
7 years, 2 months
Two browser tabs result in two access-/refresh tokens and accidental logout
by Anders Kabell Kristensen
By the way, our parameters to the js init function were lost in the mailing list.
It should have read:
keycloakAuth.init({ onLoad: 'login-required', responseMode: 'fragment', flow: 'standard', checkLoginIframe: false})
Cheers,
Anders
Date: Wed, 4 Oct 2017 05:47:52 -0700 (MST)
From: Anders KK <anders.kabell.kristensen(a)systematic.com>
Subject: [keycloak-user] Two browser tabs result in two access-/refresh tokens and accidental logout
To: keycloak-user(a)lists.jboss.org
Message-ID: <1507121272796-0.post(a)n6.nabble.com>
Content-Type: text/plain; charset=us-ascii
Hi guys,
We run into an accidental logout when opening our application in a second tab in the browser. It seems that the second tab acquires its own access-/refresh token pair, however, the tabs share the session.
Consequently, when the first tab needs to refresh its token, the refresh token is no longer valid, resulting in the first tab initiating a logout - and then the second tab only lives until token expiration, since refresh fails due to the first tab having ended the session.
Looking into the js adapter code we got the impression that the tabs would share tokens through local storage - is this something we need to activate explicitly in the configuration?
We have a setup with an Angular2 app making use of the Keycloak js adapter.
We made use of the example provided with the 3.0.0 quickstarts, but modified the parameters for the init function:
Thanks for the great effort put into Keycloak!
Anders
7 years, 2 months
No events for Keycloak session timeouts?
by Matuszak, Eduard
Hello
Is there any chance to get informed about Keycloak-session timeouts? It seems that there is (up to now) no appropriate event-type in org.keycloak.events.EventType for this.
Thanks for any help, Eduard Matuszak
7 years, 2 months
Keycloak SAML Brokering, reusing login of another SAML application?
by Jason Spittel
Does Keycloak, in SAML brokering mode, support the following scenario?
1. User logs into SP app 1.
2. User does not close browser but accesses SP app 2 (through Keycloak brokering).
3. Will Keycloak recognize authentication that user has done for step 1?
In this case the IdP Keycloak is brokering to is AzureAD.
Thanks,
Jason
7 years, 2 months
OPENID Java Client
by Виталий Ищенко
I was looking at the Keycloak examples for client credentials flow examples,
and it looks like everything required is located in the adapter-core
module, especially the AdapterRSATokenVerifier and ServerRequest classes.
But I wonder if it is safe to use this module in terms of API stability and
documentation, or whether I should rather stick to some 3rd-party OpenID client
that will do all the fancy things with token validation, key retrieval,
caching etc.
Best Regards,
Vitalii
7 years, 2 months