User registration outside of Keycloak login form
by Niels Bertram
Hi Keycloak users,
A strange question for the community: I have a customer that wants to
have SSO but does not want to use the Keycloak registration screens (themed
or otherwise), but requires the user to be "logged in" to Keycloak after
user registration.
My understanding is that to get the SSO magic to work, a user agent must be
redirected to the Keycloak server so the KEYCLOAK_SESSION? cookie can be
set so that when the user navigates to another SSO enabled site after user
registration, they would be identified in the auth flow of this client. Is
there any way to create a valid SSO session without using the registration
forms of Keycloak server itself? Like doing an XHR request that would
create a user registration and also sets the required server side cookies
in the user agent?
Interested to hear your thoughts.
Many thanks, Niels
6 years, 5 months
Roles from UserStorageSPI
by Rob Shepherd
Hi,
I have successfully authenticated users from a custom User Storage Provider.
I cannot find how to map roles to the users that come from this provider.
I am able to include the user's roles in the UserModel, and I have created ClientRoles which match, but I can't find how to attribute Roles to my users.
Furthermore, I have a default realm role, but this never appears in the ID token or userInfo object.
Any pointers appreciated.
Thanks
Rob
6 years, 5 months
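One way to attach roles to users served by a custom User Storage Provider, as an added example that is not from this thread or from the Keycloak project: a read-only user adapter that resolves role names held by the legacy system into Keycloak RoleModels. It relies on the 3.x behaviour of AbstractUserAdapterFederatedStorage deriving getRealmRoleMappings(), getClientRoleMappings() and hasRole() from getRoleMappings() (stated here as an assumption); the LegacyUser record, the package name and the "clientId/roleName" naming convention are invented for the example.

```java
package com.example.legacy;

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

/**
 * Added example (not from the thread): a read-only adapter for a custom User
 * Storage Provider that turns role names held by the legacy system into
 * Keycloak RoleModels. LegacyUser and the "clientId/roleName" convention are
 * assumptions made for this example.
 */
public class LegacyUserAdapter extends AbstractUserAdapterFederatedStorage {

    /** Assumed shape of a record returned by the legacy store. */
    public static final class LegacyUser {
        final String id;
        final String username;
        final List<String> roleNames;   // e.g. ["offline_access", "billing-app/invoice-viewer"]

        public LegacyUser(String id, String username, List<String> roleNames) {
            this.id = id;
            this.username = username;
            this.roleNames = roleNames;
        }
    }

    private final LegacyUser legacy;

    public LegacyUserAdapter(KeycloakSession session, RealmModel realm,
                             ComponentModel storageProviderModel, LegacyUser legacy) {
        super(session, realm, storageProviderModel);
        this.legacy = legacy;
    }

    /** Federated ids are "f:<componentId>:<externalId>"; key on the legacy id, not the username, so renames keep working. */
    @Override
    public String getId() {
        return StorageId.keycloakId(storageProviderModel, legacy.id);
    }

    @Override
    public String getUsername() {
        return legacy.username;
    }

    /** The legacy store is authoritative; refuse writes instead of silently dropping them. */
    @Override
    public void setUsername(String username) {
        throw new ReadOnlyException("legacy users are read-only");
    }

    /**
     * Assumption: the abstract adapter builds getRealmRoleMappings(),
     * getClientRoleMappings() and hasRole() from this method, and its own
     * implementation already returns the realm default roles plus roles granted
     * in the admin console (kept in federated storage). Legacy roles go on top.
     */
    @Override
    public Set<RoleModel> getRoleMappings() {
        Set<RoleModel> roles = new HashSet<>(super.getRoleMappings());
        for (String name : legacy.roleNames) {
            RoleModel role = resolve(name);
            if (role != null) {
                roles.add(role);
            }
            // Unknown names are skipped on purpose: creating roles is an admin
            // decision, and auto-creating them from external data would let the
            // legacy system mint privileges in the realm.
        }
        return roles;
    }

    /** "name" is a realm role; "clientId/name" is a client role (assumed convention). */
    private RoleModel resolve(String name) {
        int slash = name.indexOf('/');
        if (slash < 0) {
            return realm.getRole(name);
        }
        ClientModel client = realm.getClientByClientId(name.substring(0, slash));
        return client == null ? null : client.getRole(name.substring(slash + 1));
    }
}
```

Whether the roles then show up in the ID token or userinfo is a separate, per-client setting: in the 3.x line the realm_access and resource_access claims are placed in the access token, and a role only reaches the ID token or userinfo when a "User Realm Role" or "User Client Role" protocol mapper on the client has "Add to ID token" or "Add to userinfo" switched on. The realm default role is subject to the same mapper settings.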
Extract kc_locale from a redirect URI
by Valerij Timofeev
Hi,
we are extracting the kc_locale parameter from redirect URIs and appending it
to the Keycloak login form URI using an NGINX rewrite rule at the moment.
Extracting the locale from the redirect URI is indispensable, for example when using
deep links in emails or linking to protected resources from a public site.
I wonder whether there is a simpler method to extract the kc_locale parameter
from the redirect URI and set the corresponding locale in the Keycloak login form.
Best regards,
Valerij
6 years, 5 months
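The job the NGINX rewrite in the post does, written out as an added example that is not from the thread or from Keycloak: read kc_locale from the redirect_uri inside an authorization request and append it to the request itself, forwarding only allowlisted values so arbitrary input from a deep link never reaches the login page or the locale cookie. The allowlist, the realm and client names and the URLs in main() are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not from the thread: copy a kc_locale hint from the redirect_uri
 * inside a Keycloak authorization request onto the request itself. The allowlist
 * and the URLs in main() are assumptions.
 */
public final class KcLocaleRewrite {

    /** Locales the realm actually has themes for (assumption); anything else is dropped. */
    static final Set<String> ALLOWED_LOCALES = new HashSet<>(Arrays.asList("en", "de", "fr", "ru"));

    /** Minimal query parser; the first occurrence of a key wins, so a duplicated parameter cannot override it. */
    static Map<String, String> parseQuery(String rawQuery) throws UnsupportedEncodingException {
        Map<String, String> out = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return out;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String val = URLDecoder.decode(eq < 0 ? "" : pair.substring(eq + 1), "UTF-8");
            out.putIfAbsent(key, val);
        }
        return out;
    }

    /** kc_locale taken from the redirect target, or null if absent, malformed or not allowlisted. */
    static String localeFromRedirectUri(String redirectUri) {
        try {
            String locale = parseQuery(URI.create(redirectUri).getRawQuery()).get("kc_locale");
            return locale != null && ALLOWED_LOCALES.contains(locale) ? locale : null;
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return null;   // leave validation of the redirect itself to Keycloak's client registration check
        }
    }

    /** Returns the authorization URL with kc_locale appended when its redirect_uri carries an allowed one. */
    public static String rewrite(String authUrl) throws UnsupportedEncodingException {
        Map<String, String> params = parseQuery(URI.create(authUrl).getRawQuery());
        if (params.containsKey("kc_locale") || !params.containsKey("redirect_uri")) {
            return authUrl;   // an explicit hint on the outer request wins; nothing to do without a redirect_uri
        }
        String locale = localeFromRedirectUri(params.get("redirect_uri"));
        // Only a new parameter is added; redirect_uri itself is passed through untouched.
        return locale == null ? authUrl : authUrl + "&kc_locale=" + URLEncoder.encode(locale, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        String base = "https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth"
                + "?client_id=portal&response_type=code&redirect_uri=";
        // deep link from an e-mail with the locale inside the redirect target: kc_locale=de is appended
        System.out.println(rewrite(base + URLEncoder.encode("https://portal.example.com/invoices/42?kc_locale=de", "UTF-8")));
        // locale not in the allowlist: the request is passed through unchanged
        System.out.println(rewrite(base + URLEncoder.encode("https://portal.example.com/?kc_locale=xx", "UTF-8")));
    }
}
```

The rewrite only ever adds a parameter and never touches redirect_uri, so Keycloak's check of the redirect against the client's registered URIs is unaffected. Where the application builds the authorization request itself rather than relying on a proxy, it can send the locale directly, which removes the need for the rewrite altogether.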
Login Confirmation every time
by Rob Shepherd
Hi,
I have a requirement where multiple users use shared terminals.
I would like to have a “Continue to ${client} as ${username}?” prompt page that occurs after every (unprompted) authentication. (I.e. if cookie auth was successful, but no login form)
So this would always be present when processing of a login that can occur without interaction if a cookie is still valid.
When prompted, and it appears to the user that it is an old login from a previous person, then I will present the option to "Login as someone else".
(What I describe is different to the consent screen that occurs once per client per user.)
Does this already exist?
Otherwise, should I be thinking of a RequiredAction for this, or an Authentication flow?
Pointers appreciated.
Thanks
Rob
6 years, 5 months
Keycloak & Large # of Realms
by John D. Ament
Hi All
Looking for some more insight, haven't heard about this issue in a while.
The specific endpoint I'm having issues with is the /auth/admin/realms
endpoint ->
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
For what Keycloak is doing in the UI for the list realms, is it necessary
to provide all realm details or can it use a simplified version of the
realm representation to populate the drop down in the top left navigation
(at least I'm assuming that's where it's being fetched to be populated
into)?
I'm seeing this endpoint perform particularly slowly. Some of the key
spots (I have 125
- 750 calls to select authentica0_.ID as ID1_3_0_, authentica0_.ALIAS as ALIAS2_3_0_, authentica0_.BUILT_IN as BUILT_IN3_3_0_, authentica0_.DESCRIPTION as DESCRIPT4_3_0_, authentica0_.PROVIDER_ID as PROVIDER5_3_0_, authentica0_.REALM_ID as REALM_ID7_3_0_, authentica0_.TOP_LEVEL as TOP_LEVE6_3_0_ from AUTHENTICATION_FLOW authentica0_ where authentica0_.ID='15249ca1-1be3-4b59-a0e0-80bf00a107a4' (the ID changes per request, looks like you're loading auth flows per ID)
- 250 calls to get client entities
- 125 calls for groups, locales, enabled events, required actions, roles, smtp config, idps, attributes, roles, role mappers, etc.
I suspect the 125 calls are needed, we don't want to load those in a larger
batch. However, if there's a simpler use for realms that would be
beneficial from a loading standpoint.
John
6 years, 5 months
Keycloak startup fails when WildFly running in Standalone-HA mode
by Narendra Kadali
I am trying to deploy a Keycloak cluster in standalone-ha mode in our Openshift environment. I followed the following blog post: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html and made changes to the standalone-ha.xml configuration file. When I deploy Keycloak in our environment, the deployment fails and I see the error message below.
21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand)
Apart from this I don't see any errors in the logs. In fact, in the logs I see Keycloak deployed successfully, but when I try to access Keycloak I get an HTTP 404 error. Below is a snippet of the log.
21:53:01,612 INFO [org.jboss.as.server] (ServerService Thread Pool -- 51) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand)
When I accessed the WildFly management console and looked under the deployments section, I realized that the keycloak war file deployment failed. For some reason the Keycloak deployment is failing and it is not outputting any error logs. In our environment UDP multicast doesn't work, so we are relying on the TCPPING protocol for the node discovery process. Can it cause any such issues?
Attached are the complete server startup log and the HA configuration we are using. On a side note, when we run Keycloak in standalone mode we do not face any such issues.
Have any of you come across this issue? Any help on this issue is appreciated.
Thanks!
6 years, 5 months
NoSuchMethodError when storing the user into Keycloak's cache
by Kruti Parmar
Hi,
I have created a custom storage provider which migrates users from a legacy app to Keycloak's local storage on demand. That is achieved.
Now I want to modify this functionality and store the user into Keycloak's cache instead of Keycloak's local storage.
For that I have used the following code :
    // OnUserCache callback: stash the legacy password on the cache entry for later validation
    @Override
    public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) {
        String password = ((UserAdapter) delegate).getPassword();
        if (password != null) {
            user.getCachedWith().put(PASSWORD_CACHE_KEY, password);
        }
    }
But I am getting an error saying - "org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.keycloak.models.cache.CachedUserModel.getCachedWith()Ljava/util/concurrent/ConcurrentMap;".
Can anyone please help me to resolve this?
PS: I am using Keycloak 3.1.0.Final.
Thanks & regards,
Kruti
6 years, 5 months
Keycloak Spring Boot Adapter does not populate security context principal
by Niels Bertram
Hi Keycloak Users,
I tried to configure a dead simple Spring Boot CXF REST endpoint with
Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It
appears the Keycloak Tomcat Valve fails authorization even before the
keycloak adapter ever gets a chance to parse the Bearer token and setup the
session. I would have thought that with AutoConfig it would just be that
... auto config. I added the below keycloak adapter configuration to the
application.yml file and made sure all required jars are on the classpath.
Does anyone have any suggestions or a link to a working example that shows
how to use Spring Boot with Keycloak *AND* CXF ?
Many thanks, Niels
Example:
https://github.com/bertramn/keycloak-secured-rest-endpoint
application.yml configuration:
keycloak:
  realm: demo
  authServerUrl: 'http://localhost:8080/auth'
  realmKey: 'MIIBIjANBgDAQAB'
  sslRequired: external
  resource: test-client
  bearerOnly: true
  securityConstraints:
    - authRoles: [ '*' ]
      securityCollections:
        - name: authed
          patterns: [ '/v1/secured' ]
6 years, 5 months