android google-oauth-client parse idtoken
by Matthew Broadhead
I am using com.google.oauth-client:google-oauth-client:1.23.0 in an
Android project. When it parses the ID token received from Keycloak
(3.4.0) it doesn't receive a "name" part in the payload. There is no
preferred_username there either. The scopes I am sending from the
example are
private static final String[] SCOPES = new String[]{ "openid",
"offline_access", "profile" };
I was wondering if anyone knew off the top of their head whether I am
missing something, for example if I need to define an extra scope.
7 years, 1 month
SAML login via python when using Keycloak as Identity broker
by Pieter Lukasse
Hi,
I have Keycloak as an identity broker for a SAML SSO service. Login via
the browser works great. Now, I want to call the APIs of the SP's
application directly using Python or Java. Are these steps documented
somewhere? Should my Python script send 2 authentication requests (e.g.
first to Keycloak and then to the real IDP)?
Thanks,
Pieter
www.thehyve.nl
E pieter(a)thehyve.nl
We empower scientists by building on open source software
7 years, 1 month
kc_idp_hint parameter is being ignored
by Jeremy Michael
Hello all,
I’m trying to do something that looks like it should be very easy, but is
not working for me. Hopefully someone can help me figure out what I’m doing
wrong.
We have an application secured by Keycloak and have two Identity Providers
set up. Clicking the buttons on the standard Keycloak login screen works
fine for both Identity Providers. We can also set up either provider as a
default (in the browser Authentication flow) to bypass the login screen,
and that works fine. However, in some cases, we want to bypass the login
screen and use Identity Provider 1, and in others we want to bypass the
login screen and use Identity Provider 2.
It looks like we should be able to achieve what we want by using the
kc_idp_hint parameter. But, when I try to test it out, the
kc_idp_hint seems to be ignored.
I tried the following, where the URL is the address of my app secured by
Keycloak, and idp1alias is the alias of the Identity Provider I want to use:
https://www.myapp.com?kc_idp_hint=idp1alias
However, instead of bypassing the login screen and automatically beginning
the authentication process with Identity Provider 1, I am landing on the
standard Keycloak login screen.
As another test, I tried just going to the built-in
"/auth/realms/<realm>/account" with the "kc_idp_hint" parameter added and I
got the same behavior (i.e., I saw the Keycloak login screen):
https://mykeycloakurl.com/auth/realms/myrealm/account?kc_idp_hint=idp1alias
I’m clearly missing something, or misunderstanding how this should work.
Can someone help get me pointed in the right direction?
Thanks!
Jeremy
7 years, 1 month
Is there "client initiated account UN-linking"?
by Jarrod D
Hi Keycloak community,
Is there a way for client applications to request that Keycloak unlink a
specified external ID provider from a user, basically the inverse operation
of client initiated account linking?
I currently have a working Keycloak server and an application in
development that uses Keycloak for authentication. Keycloak is configured
for linking of Google or Facebook accounts with token storage turned on.
The application I'm developing can successfully do "client initiated
account linking" (documented at
http://www.keycloak.org/docs/3.4/server_development/index.html#client-ini...)
but I haven't found a way for the client to unlink an external IDP. I know
unlinking is possible from Keycloak's account management screen ->
Federated Identity -> "remove" button, but it would be useful in my case to do
this from the client application.
Regards,
Jarrod
7 years, 1 month
test coverage
by bauer_marie@gmx.net
Hi,
is there any documentation about the test coverage? I didn't find any maven plugins like JaCoCo, Emma, Cobertura or anything.
Are there any quality gates? And if so, how are they measured?
Best regards,
Marie
7 years, 1 month
Session state iframe doesn't work reliably
by Виталий Ищенко
Hello
I'm trying to set up a seamless logout flow for an SPA, but I'm running into an
issue in the following scenario:
The user is logged in with a public client using the code grant, with the
check-login iframe enabled.
I see that the KEYCLOAK_SESSION cookie is set during the code exchange phase, and
later used in the iframe to validate the user session.
The application refreshes the token using the refresh_token when the access_token
is close to expiration.
Now I log the user out from the application using the Keycloak admin app.
I do not expect the user to be logged out immediately.
But what I do expect is to get an error response from the token endpoint when I
next try to refresh the token.
The response returned by the OP doesn't have CORS headers, so the application can't
access any information from the response that would allow distinguishing between
a network error and CORS-related errors.
Another option may be to clear the cookie in the response to the token endpoint call.
Any help will be appreciated.
7 years, 1 month
Keycloak 3.4.1.CR1 SAML issues
by Drew Weirshousky
Hi,
3.4.1.CR1 seems to get me a step closer to a working Keycloak setup. Now when I "login" using IDP-initiated login, I receive an error page "An internal server error occurred". Keycloak generates a stack trace with an error on parsing the SAML response: "org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider". If I now go and access the app directly in the same browser, I am authenticated as the user from the IDP. I receive an error on logout, but that is because I don't have a logout URI configured for the IDP.
Is there another bug related to SAML parsing issues in the pipeline? I am going to go browse the bug list more; I may have seen something, but it might have been old.
Any help on this would be appreciated. Could this still be a configuration issue if a valid token is being generated? Maybe something is redirecting back to the wrong location?
Thanks
Drew
7 years, 1 month
Idp attribute mapper lowercase
by Byte Flinger
Is there any way with the default SAML Identity Provider Mappers in
Keycloak to map the lowercase value of an attribute coming from the SAML
response?
I am attempting to add an IdP mapper to map the NAMEID attribute of the
SAML response to the username (which I believe is the default anyway), but
the issue is that the attribute value is in all CAPS and I would like to
keep the username in Keycloak all lowercase.
If not, can one easily add new mappers?
Regards
Byte
7 years, 1 month
Idp thumbnail?
by Byte Flinger
When adding a new identity provider to Keycloak, such as a SAML IDP, is it
possible to set it up so the button you click to log in with that provider has a
nice icon/thumbnail instead of text (or both)?
Regards
Byte
7 years, 1 month