October 2017 - keycloak-user - Jboss List Archives

preferred identity mechanism for rest clients

by Graham O'Regan

Hi, We are using mod_auth_openidc set up as a keycloak client so we can use openid-connect for browsers and oauth20 for REST clients. We have setup some REST clients as users and use a grant_type=password to get a bearer token but I’ve also tested using a keycloak client with a service account to achieve a similar effect. There is a benefit to us in using a user account because we have hooked the account creation into our internal authorization mechanism but would it be preferable to use service accounts instead? Thanks in advance, G

8 years, 5 months

2
1
0 / 0

Mapping provider user ID to user attribute

by Ruh, Garret

Context: Using Keycloak as an OpenID Connect identity broker, and onboarding an IDP. Is it possible to map a provider user ID (from an OpenID Connect identity provider – so the value in the sub claim) to a user attribute? Have attempted using an "Attribute Importer" mapper w/ claim "sub" to no avail. End goal is to include that attribute (if it exists) in generated access tokens so that applications can still reference the provider user ID during a transitional period. Seems like it’d be a pretty common use case, so apologies if this has been asked and answered before. Could be missing the applicable search term(s). Regards, Garret Ruh This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

8 years, 5 months

1
0
0 / 0

Re: [keycloak-user] Keycloak Architecture

by Stian Thorgersen

You need to subscribe to the mailing list to send to it On 16 October 2017 at 19:45, Manikanta Surya Movva (CDS) < surya.movva(a)cogentdatasolutions.in> wrote: > Hello Keycloak Team > > When I tried to post my question to *keycloak-user(a)lists.jboss.org > <keycloak-user(a)lists.jboss.org>, *I'm getting the following response. > > *"You are not allowed to post to this mailing list, and your message has* > > > *been automatically rejected. If you think that your messages arebeing > rejected in error, contact the mailing list owner > atkeycloak-user-owner(a)lists.jboss.org <http://jboss.org>."* > > > I do have a question regarding the keycloak architecture. I'm trying to > integrate keycloak for my application (Job Portal) which is developed using > Java with spring and hibernate frameworks. > My application consists of 4 modules. Job Seeker, Employer, Admin and > Sales. All modules are build as a same war file too. If I want to integrate > keycloak, do I need to take Single realm with multiple clients or Multiple > realms with single client. If I need to go with single realm can I able to > distinguish login and registration pages per each and every client. I don't > want to show same view for each and every client and don't want to ask same > attributes in all registration pages. In forgot password functionality if I > gave non existing emailId I'm not getting a proper message. Please assist > me . > > The response I got while I'm sending an email is attached below. > > > Thanks and Regards > Surya > > >

8 years, 5 months

1
0
0 / 0

Authorization with service account

by Jean-François HEROUARD

Hi, In a client, I have service account and authorization enabled. When service account fetches all resources, authorizations applied. I would like a specific user policy rule for this user but "service-account-(client name)" is not suggested nor accepted by the user policy provider. Is there another way to do that ? In js but what is the uuid of a service user ? Is that a functionnal bug ? Thanks.

8 years, 5 months

2
2
0 / 0

Authenticate REST API call with IDP Brokering (one more time)

by Sergei Degtyarev

Hello I have web application (UI and REST services java/Wildfly). Keycloak is used as Identity Broker with Salesforce (OpenID Connect Brokering) and if I try to access UI application I can successfully log in via Salesforce. At the moment I need to make REST service call from Salesforce Apex code and authenticate caller by his access_token (provided by Salesforce). Is it possible to make client authentication based on that access_token? (or how can I extend Keycloak adapter and Server via SPI)? Yes, I know about Direct Grant and Service Account if I want to call RestAPI method. But in that cases I need to somehow fill securityContext with rights roles. Regards, Sergei Degtyarev

8 years, 5 months

1
0
0 / 0

Generated token too large for usage as authorization bearer header value

by Rob Parker

I am finding the size of the token returned from keycloak is too large to use as a bearer Authorization header when making subsequent api requests from my application via our nodejs express server. This happens after I add many roles to the user account I am using. When removing enough roles, eventually they size of the header is allowed through. Is it possible to not include user roles in the token issued to a user when authenticating? I could then retrieve the users roles after logging in to our application through some other means, e.g userinfo endpoint? Thanks

8 years, 5 months

1
0
0 / 0

(no subject)

by Franjo Marjanovic

is ok

8 years, 5 months

1
0
0 / 0

Keycloak Production?

by Y Levine

Is Keycloak ready for production use? Or still considered by RedHat as in product development. And if suitable for production --- use with EAP or WildFly? Thanks.

8 years, 5 months

2
1
0 / 0

customizable attribute mapper

by Jonas Weismueller

Hi, we are still evaluating keycloak vs. simplesamlphp. What we find quite convenient using simplesamlphp is this authentication processing attributealter possibility: https://simplesamlphp.org/docs/stable/core:authproc_attributealter Using this especially with the feature to be able to use regex pattern matching it is quite easy to combine/construct certain SAML attributes in the way the SP needs it. For example we could add a fixed top level domain to the IDPEmail Attribute, where the SP needs it in the syntax username(a)domain.tld instead of username as retrieved by our LDAP backend system. One real example from our current simplesamlphp configuration: 30 => array( 'class' => 'core:AttributeAlter', 'subject' => 'uid', 'pattern' => '/([a-z]+)/', 'replacement' => '\1(a)domain.tld', 'target' => 'IDPEmail', ), I could not find any similar feature within keycloak or did I just overseen it? Cheers Jonas

8 years, 5 months

2
3
0 / 0

Can't login with certificate

by Karol Buler

Hi, when I try to login with certificate according to Keycloak's documentation instructions (http://www.keycloak.org/docs/latest/server_admin/topics/authentication/x5...) I am getting this error: curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated. I also checked the logs in DEBUG level and there is: 11:01:50,494 DEBUG [io.undertow.request.io] (default I/O-4) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577) at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:920) at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1015) at io.undertow.protocols.ssl.UndertowSslConnection.closeAction(UndertowSslConnection.java:146) at org.xnio.Connection.close(Connection.java:132) at org.xnio.IoUtils.safeClose(IoUtils.java:134) at io.undertow.protocols.ssl.SslConduit$4$1.run(SslConduit.java:984) at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580) at org.xnio.nio.WorkerThread.run(WorkerThread.java:464) Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575) ... 8 more I don't know what is wrong. Maybe someone of you had the same problem? Regards, Karol [https://www.adbglobal.com/wp-content/uploads/adb.png] adbglobal.com<https://www.adbglobal.com> [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https://www.linkedin.com/company/adb/> [https://www.adbglobal.com/wp-content/uploads/twitter_logo.png] <https://twitter.com/adb_global> [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png] <https://pinterest.com/adbglobal/pins/>

8 years, 5 months

2
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2017