Offline tokens with external IDP
by Haim Vana
Hi,
We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token:
1. The user log in to the UI
2. Generates offline token by entering his password again
3. Put the offline token in his script
4. Executes the script
Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ?
Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ?
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
6 years, 2 months
User impersonation - JWT
by Harry Trinta
Dears,
I need a help with user impersonation on keycloak.
I am authenticating users through the
"/realms/test/protocol/openid-connect/token". As expected, it returns a
token JWT.
In my app, all requests go through apiman, which validates the JWT.
Now, I need to personification of user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on keycloak, however
doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified
user instead of cookie.* It's possible?
Best regards
Harry Costa
6 years, 2 months
Refreshing Tokens
by Christopher Davies
I adding keycloak into a legacy application that uses GWT and Jetty.
I have managed to get add Keycloak application using Spring-security.
Because this is GWT I am doing the authorisation in the application myself.
Sping just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct. I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to logout to get the new roles it at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the
authentication of the user is still valid, it is just the roles the user is
in that have changed.
Thanks
Chris
6 years, 2 months
get Authorization reasons
by Corentin Dupont
Hi,
I'm using the entitlement API to protect the resources of my API.
Sometimes the user gets a "not authorized" message, and it's hard for him
to known why.
Is there any way to provide the user why more information with why it was
rejected?
Something similar with the infos provided by the "evaluate" panel, but with
the API.
Thanks
Corentin
6 years, 2 months
offlineSessions data in cache vs db
by Tonnis Wildeboer
Hello Keycloak Users,
Ultimately, what we want to do is have three nodes in one Kubernetes
namespace that define a cluster. Then be able to add three more nodes to
the cluster in a new namespace that shares the same subnet and database,
then kill off the original three nodes, effectively migrating the
cluster to the new namespace and do all this without anyone being logged
out. The namespace distinction is invisible to Keycloak, as far as I can
tell.
What we have tried:
* Start with 3 standalone-ha mode instances clustered with
JGroups/JDBC_PING.
* Set the number of cache owners for sessions to 6.
* Start the three new instances in the new Kubernetes namespace,
configured exactly the same as the first three - that is, same db, same
number of cache owners.
* Kill the original three
But it seems this caused offlineSession tokens to be expired immediately.
I found this in the online documentation
(http://www.keycloak.org/docs/latest/server_installation/index.html#server...):
> The second type of cache handles managing user sessions, offline
tokens, and keeping track of login failures... The data held in these
caches is temporary, in memory only, but is possibly replicated across
the cluster.
> The sessions, authenticationSessions, offlineSessions and
loginFailures caches are the only caches that may perform replication.
Entries are not replicated to every single node, but instead one or more
nodes is chosen as an owner of that data. If a node is not the owner of
a specific cache entry it queries the cluster to obtain it. What this
means for failover is that if all the nodes that own a piece of data go
down, that data is lost forever. By default, Keycloak only specifies one
owner for data. So if that one node goes down that data is lost. This
usually means that users will be logged out and will have to login again.
It appears, based on these documentation comments and our experience,
that the "source of truth" regarding offlineSessions is the data in the
"owner" caches, is NOT the database, as I would have expected. It also
seems to be the case that if a node joins the cluster (as defined by
JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions
cache from the database, but must rely on replication from one of the
owner nodes.
Questions:
1. Is the above understanding regarding the db vs cache correct?
2. If so, please explain the design/reasoning behind this behavior.
Otherwise, please correct my understanding.
3. Is there a way to perform this simple migration without losing any
sessions?
Thanks,
--Tonnis
6 years, 3 months
JS adapter constantly refreshing page
by sesnor.silva@sapo.pt
Hello,
I'm trying to integrate keycloak's JS adapater into an application.
However for some reason the page keeps refreshing (every 5 seconds or
so?) after successfully logging in.
I managed to reproduce the problem with the following minimal code:
<!-- index.html FILE -->
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<script type="text/javascript"
src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script>
<script type="text/javascript" src="<MY KEYCLOAK
SERVER>/auth/js/keycloak.js"></script>
<script type="text/javascript">
angular.element(document).ready(function() {
var keycloakAuth = Keycloak('keycloak.json');
keycloakAuth.init({
onLoad: 'login-required'
}).success(function(authenticated) {
keycloakAuth.loadUserInfo().success(function (userInfo) {
console.log(userInfo)
});
}).error(function() {
var error = "There was an error initializing the
authentication module.";
console.error(error);
});
});
</script>
</body>
</html>
I tried searching around but I didn't find too many answers. I tried
to base my implementation around:
https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl...
and
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
But I get the same behavior every time: The page just keeps refreshing.
It seems to be related to blocking third-party cookies on the
browser. I use Firefox 53. Since my Keycloak isn't on the same host
as the application, I think the browser rejects the keycloak's
cookies. If this is the case, what could be a workaround for this? Is
there any option on the adapter's side? I'm worried some browser might
block third-party cookies by default (Opera and Brave Browser come to
mind).
Thank you,
My best regards,
Silva
6 years, 4 months
How to display user information from keycloak SAML adapter assertions/session?
by ken edward
Hello,
I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged in user information after
the user is authenticated?
org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession@13a50bc9
Ken
6 years, 4 months
