Organization Based Accounts and Permissions
by Charles Henck
Hello all,
I'm working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I'm not familiar with the specific terminology, I'm thinking of something similar to how GitHub manages their permissions:
- A single user can be a member of multiple organizations
- A user can have different roles with different organizations that grant them access to all of an organization's resources
- A user can have access to a specific resource
- That organization-specific role determines access to different organization resources
Are there any best practices or patterns for this model? Thanks!
Justin
6 years, 11 months
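The model the question describes, as an added worked example (not code from the post or from GitHub): a user belongs to several organizations with one role per organization, the role covers every resource the organization owns, and a separate per-resource grant handles the "access to a specific resource" case. Organizations, users, roles, resources and actions below are constructed for illustration; deny is the default.

```javascript
// Added example, not code from the original post: a minimal organization-scoped
// permission model (one user in several organizations, an organization role that
// covers all of that organization's resources, plus grants on individual resources).
// All organizations, users, roles, resources and actions are constructed.

// Actions each organization-level role grants on every resource owned by that organization.
const ORG_ROLE_ACTIONS = {
  owner:  new Set(["read", "write", "admin"]),
  member: new Set(["read", "write"]),
  viewer: new Set(["read"]),
};

// Constructed resources, each owned by exactly one organization.
const RESOURCES = {
  "repo-1": { org: "acme" },
  "repo-2": { org: "acme" },
  "repo-9": { org: "globex" },
};

// Constructed users: organization memberships (one role per organization) and
// resource-specific grants that apply regardless of organization membership.
const USERS = {
  alice: { orgRoles: { acme: "owner" },    resourceGrants: {} },
  bob:   { orgRoles: { acme: "viewer" },   resourceGrants: { "repo-2": new Set(["write"]) } },
  carol: { orgRoles: { globex: "member" }, resourceGrants: { "repo-1": new Set(["read"]) } },
};

// Every action the user may perform on the resource, from both sources.
// Unknown users or resources yield the empty set (deny by default).
function effectiveActions(userId, resourceId, users = USERS, resources = RESOURCES) {
  const user = users[userId];
  const resource = resources[resourceId];
  const actions = new Set();
  if (!user || !resource) return actions;
  const role = user.orgRoles[resource.org];           // role in the owning organization, if any
  if (role && ORG_ROLE_ACTIONS[role]) ORG_ROLE_ACTIONS[role].forEach((a) => actions.add(a));
  const grant = user.resourceGrants[resourceId];      // direct grant on this resource
  if (grant) grant.forEach((a) => actions.add(a));
  return actions;
}

// The check a request handler calls before touching a resource.
function isAllowed(userId, action, resourceId, users = USERS, resources = RESOURCES) {
  return effectiveActions(userId, resourceId, users, resources).has(action);
}
```

Because the role lookup is keyed by the owning organization, membership in globex never leaks into acme's resources; only an explicit per-resource grant crosses that boundary, and `effectiveActions` makes it easy to audit what a user can do on a given resource.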
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to Keycloak and I really like it. It is great.
I am currently migrating a legacy app (using its own user management) to
support SSO.
I have set up Keycloak with OpenID Connect and it works very well. At this
point we need to decide
if we will use Keycloak as our main user store or we will set up an LDAP.
My question is: is Keycloak designed in a way that it can fulfil all
the responsibilities of the main user store?
Any risk with this at all?
PS: our user base is small and at this point I am not sure if we want to add
LDAP just for this.
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
6 years, 11 months
Keycloak & Okta
by John D. Ament
Hi
Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
authenticate (both SP initiated and IdP initiated) it fails with this error
01:40:54,626 WARN [org.keycloak.events] (default task-7)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-7) staleCodeMessage
I suspect it's a setup issue on my side, so I was hoping someone else has
tried this and can give tips. I even tried the import feature, no luck.
John
7 years, 3 months
Additional attributes for an authorization request
by Scott Elliott
Would there be any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
in a JavaScript or rules based policy? I see that what is available in the
Evaluation API currently is pretty limited.
7 years, 4 months
Best setup to extend Keycloak
by Francis Zabala
Hello,
What is the best setup to develop a custom SPI for Keycloak? I just skimmed the example code in GitHub and wondered how to test my code. Not the TDD way of testing but a simple, hey, will this run properly?
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS API for subscriber verification.
Regards,
Francis
7 years, 6 months
How to stop the keycloak server from standalone sh
by Aritz Maeztu
Hello,
I'm running a Keycloak instance from a docker image, so when I start the
container everything is up and running. Now I want to export the realms
and users to deploy it in production and I've got two chances:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm in trouble since the
WildFly server is launched with the docker container altogether. I can
browse into it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get an "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's responsibility.
7 years, 7 months
Offline tokens with external IDP
by Haim Vana
Hi,
We are using Keycloak for several weeks now; one of the flows is user script authentication with an offline token:
1. The user logs in to the UI
2. Generates an offline token by entering his password again
3. Puts the offline token in his script
4. Executes the script
Now we want to add external IDP support. First, is it possible to generate offline tokens for an external IDP in Keycloak? If so, how?
Second, in step #2 above the user enters his password to generate the offline token; with an external IDP we can't use his password. One alternative is to always generate the offline token in the login (add offline_access), however, does it make sense to create an offline token for every login?
Thanks,
Haim.
7 years, 7 months
User impersonation - JWT
by Harry Trinta
Dears,
I need help with user impersonation on Keycloak.
I am authenticating users through
"/realms/test/protocol/openid-connect/token". As expected, it returns a
JWT token.
In my app, all requests go through apiman, which validates the JWT.
Now I need to impersonate a user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on Keycloak, however it
doesn't return a JWT, but 3 cookies. I'd like to get the JWT of the impersonated
user instead of the cookies. Is it possible?
Best regards
Harry Costa
7 years, 7 months
Refreshing Tokens
by Christopher Davies
I am adding Keycloak to a legacy application that uses GWT and Jetty.
I have managed to add Keycloak to the application using Spring Security.
Because this is GWT I am doing the authorisation in the application myself.
Spring just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct? I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to log out to get the new roles, if at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken, given that the
authentication of the user is still valid; it is just the roles the user is
in that have changed.
Thanks
Chris
7 years, 8 months
Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using Keycloak in a Java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the keycloak adapter to refresh the token after the permissions are
stored, this way the admin user is not required to have its token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's responsibility.
8 years
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after the User / Password Form
Authenticator, a kind of "access rules" authenticator that will, according
to some request parameters (for example, IP address or application),
dynamically add a second factor authenticator in the flow (like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (for example, we provide a set of second factors, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during the browser
authentication process, after providing user and password, the user will get a
form allowing him to choose the second factor system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticators (so, not to write a
big 2FA authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
8 years
Using Keycloak with Microsoft Azure Active Directory
by Reed Lewis
I am attempting to use Microsoft Azure Active Directory with Keycloak.
It is not working correctly.
Here is how I have it configured:
OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL: <none>
Backchannel Logout: Off
User Info URL: <blank>
First Login Flow: First Broker Login
It directs me to the Microsoft page to log in correctly, but when it comes back to Keycloak, it only has the first and last name, but no email address.
Is there something I have configured incorrectly?
I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis
8 years, 1 month
Fwd: Error when session expired and ajax request execute in Keycloak?
by Adam Daduev
After login, I get into my app, and for all my ajax requests from page to
backing bean, I receive response 401 even if the session is still alive.
If I remove the autodetect-bearer-only option, all works fine, but it goes back to
the old error.
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
---------- Forwarded message ---------
From: Adam Daduev <daduev.ad(a)gmail.com>
Date: Tue, 10 Jan 2017 at 14:08
Subject: Re: [keycloak-user] Error when session expired and ajax request
execute in Keycloak?
To: <stian(a)redhat.com>
I tried, but it does not work.
Firstly, I added the autodetect-bearer-only option via the adapter subsystem; WildFly
did not start, as it does not know the autodetect-bearer-only option. Then I added it via
JSON; WildFly started and the app was deployed.
Secondly, on my ajax request to the backing bean, I receive response 401 and
it does not happen.
This is my keycloak.json
{
"realm": "azovstal",
"auth-server-url": "http://dc09-apps-06:8090/auth",
"ssl-required": "none",
"resource": "web-test",
"public-client": true,
"use-resource-role-mappings": true,
"autodetect-bearer-only": true
}
Tue, 10 Jan 2017 at 10:19, <daduev.ad(a)gmail.com>:
Ok, I try, thanks.
On 10 Jan 2017, at 07:07, Stian Thorgersen <sthorger(a)redhat.com> wrote:
In that case take a look at the new autodetect-bearer-only option. You'll
need 2.5.0.Final for that.
On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote:
No, I have jsf 2 app with richfaces framework, which deploy on wildfly
10.1.
On 9 Jan 2017, at 14:51, Stian Thorgersen <sthorger(a)redhat.com> wrote:
[Adding list back]
A web app redirects the user to a login page if not authenticated, while a
service should return a 401.
It sounds like what you have is a JS application with a service backend. In
Keycloak you should have two separate types of clients for that. The JS
application should be a public client, while the services a bearer-only
client.
On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Thanks for the answer.
Yes, I have a confidential client; I have a web application that asks the
Keycloak server
to authenticate a user for them. As I understand, bearer-only is for web
services clients.
Probably there is something I do not understand?
2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
Looks like your services are configured as confidential clients rather than
bearer-only and hence is sending a login request back rather than a 401.
You should either swap your service war to be a bearer-only client or use
the new autodetect-bearer-only option in adapters if you have both web
pages and services in the same war.
On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Hi, can you help me!
When the session expires and an ajax request executes in Keycloak, I have an error in
the browser console:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I added in the Keycloak admin console, in the client settings, Web Origins=
http://localhost:8080 (or *), and enabled CORS in the app, but still have the error
in the console. I used Keycloak 2.5.0
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 3 months
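The distinction Stian draws in the thread (a web app redirects an unauthenticated browser to the login page; a service answers 401) is what the autodetect-bearer-only option automates for a WAR that serves both. The added example below is not code from the thread or from the Keycloak adapter: it is a small request classifier and response builder that shows the same decision. The client-detection heuristic approximates the one the Keycloak documentation describes for that option (Authorization, X-Requested-With, SOAPAction and Accept headers); LOGIN_URL, CLIENT_ID, the app host and the sample requests are constructed placeholders.

```javascript
// Added example, not the adapter's code: answer an unauthenticated request
// differently for a browser navigation (302 to the login page) and for an
// XHR/REST client (401 + WWW-Authenticate). An XHR that receives the 302 follows it
// to the identity provider's origin, which sends no Access-Control-Allow-Origin
// header, and the browser reports exactly the CORS error quoted in the thread.
// LOGIN_URL, CLIENT_ID and APP_ORIGIN are constructed placeholders.

const LOGIN_URL = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth";
const CLIENT_ID = "web-app";
const APP_ORIGIN = "https://app.example.test";

// Read a header from a Node-style request object (incoming names are lower-cased).
function header(req, name) {
  const v = req.headers[name];
  if (v === undefined || v === null) return "";
  return Array.isArray(v) ? v.join(",") : String(v);
}

// True when the caller is an API/XHR/SOAP client that would not understand a login redirect.
// Heuristic modelled on the headers the Keycloak docs list for autodetect-bearer-only.
function isBearerStyleClient(req) {
  if (header(req, "authorization") !== "") return true;               // already speaks bearer auth
  if (header(req, "x-requested-with").toLowerCase() === "xmlhttprequest") return true;
  if ("soapaction" in req.headers) return true;                      // SOAP clients send it even when empty
  const accept = header(req, "accept").toLowerCase();
  // A browser navigation advertises text/html (or */*); a JSON/XML client normally does not.
  return accept !== "" && !accept.includes("text/html") && !accept.includes("*/*");
}

// Build the response for an unauthenticated request. `state` is the anti-CSRF value
// the caller has already bound to its session; it is echoed back by the IdP.
function unauthenticatedResponse(req, state) {
  if (isBearerStyleClient(req)) {
    return { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="demo"' } };
  }
  const params = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: `${APP_ORIGIN}${req.url || "/"}`,   // must match a registered redirect URI
    scope: "openid",
    state,
  });
  return { status: 302, headers: { Location: `${LOGIN_URL}?${params.toString()}` } };
}

// Constructed sample requests: one from page JavaScript, one from a browser navigation.
const xhrRequest  = { url: "/api/items", headers: { "x-requested-with": "XMLHttpRequest", accept: "application/json" } };
const pageRequest = { url: "/home", headers: { accept: "text/html,application/xhtml+xml" } };
console.log(unauthenticatedResponse(xhrRequest, "s1").status);   // 401
console.log(unauthenticatedResponse(pageRequest, "s1").status);  // 302
```

Keeping the browser-facing client public and the service client bearer-only, as the thread recommends, gives the same split by configuration; the code above is only a way to see why a confidential client that redirects an XHR produces a CORS error rather than a clean 401.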
Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hello!
We are building an online application for which we are using Keycloak for authentication and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achieve more fine-grained authorization; more specifically, we would like to set up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where no
keycloak.json file is used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
8 years, 4 months
Spring security adapter for SAML
by Pulkit Gupta
Hi Team,
I have an application with Spring Security configured.
We are trying to migrate the same to Keycloak.
Do we have a Spring Security adapter for Keycloak with SAML?
I went through the documentation and can see that we have a Spring adapter
but that is for OpenID Connect.
--
Thanks,
Pulkit
AMS
8 years, 4 months
Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client
by Thomas Darimont
Hello Group,
what is currently the best way to verify an access token with the
keycloak-admin-client in an application without a configured keycloak
deployment/adapter?
In the adapter scenario the PublicKey needed by the RSATokenVerifier is
retrieved with a PublicKeyLocator which is provided by the
KeycloakDeployment.
With no deployment at hand one needs to retrieve the public key dynamically
to deal with key rotation. I found two variants to do this - which one do
you think is the best?
Variant 1)
Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys()
and find the public key currently referenced by the kid in the JWKSHeader
of the AccessToken.
However this requires that the current user / client role has at least one
role of the realm-management client, e.g. view-realm.
Variant 2)
Send a GET Request without any authentication to
http://192.168.99.1:8080/auth
This will return the representation of the PublicRealmResource as JSON
which contains the
currently active RSA public key for the realm.
This variant doesn't require any role on the client / user since it doesn't
require authentication.
Unfortunately the current keycloak-admin-client doesn't seem to provide a
way to access the PublicRealmResource information which requires additional
code to fetch the resource.
Is there a reason for this or is this "just" an API gap that can be fixed?
You can find a gist with a quick demo for the two variants here:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
Cheers,
Thomas
8 years, 4 months
Support for transactional email providers like SendGrid, Mailgun or Mandrill
by Vineet Reynolds
Hi everybody,
Has anyone managed to configure Keycloak 2.0.0.Final to use a
transactional email API instead of configuring an SMTP server? I would
prefer to have Keycloak send emails using a rest API like Sendgrid,
Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running
an SMTP server.
I'd also appreciate if this is possible through the SPI providers.
* Should I implement both EmailSenderProvider and EmailTemplateProvider
SPIs?
* I cannot get my custom EmailSenderProvider SPI implementation to work,
as the FreemarkerEmailTemplateProvider implementation fails to obtain the
implementation of the EmailSenderProvider. Stack trace is below
13:17:53,991 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-39) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559)
at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490)
at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412)
at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
... 57 more
Thanks,
Vineet
8 years, 4 months
Group Level Roles Not Honored by Policy Evaluation Tool
by Jeremy Majors
I have set up my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
Thanks in advance,
Jeremy
8 years, 4 months
update password failed - invalid code
by Michael Mok
Hi All
Need help trying to allow the user to update their password. The use case:
1) Log in to admin
2) Select a user, go to Credentials and select Update Password as reset action
and send email
3) User receives email and clicks on the link (within the minute)
4) Keycloak complains with error "We are sorry - an error occurred, please
login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
    <ajp-listener name="mmemoeListener" socket-binding="ajp"
                  redirect-socket="proxy-https" scheme="https" />
    <http-listener name="default" socket-binding="http"
                   redirect-socket="https"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="proxy-peer"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content"
          path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <filter name="proxy-peer"
            class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
            module="io.undertow.core" />
    <response-header name="server-header" header-name="Server"
                     header-value="WildFly/10"/>
    <response-header name="x-powered-by-header"
                     header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET
/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1)
type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7,
clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
8 years, 4 months
Attempting to build authenticator example and failing.
by Reed Lewis
I downloaded Keycloak version 2.5.1 example file. Extracted it onto a CentOS 7 machine, and installed Java-1.8.0 and java-devel.
When I attempted to use the example file: /examples/providers/authenticator
By typing: mvn clean install wildfly:deploy
I got the following error on the terminal where I was executing mvn:
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
[ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}}}}
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[root@localhost authenticator]# pwd
/root/keycloak-demo-2.5.1.Final/examples/providers/authenticator
Thank you,
Reed Lewis
This was what was displayed on the Keycloak server.
12:06:20,685 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "authenticator-required-action-example.jar" (runtime-name: "authenticator-required-action-example.jar")
12:06:20,761 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-4) Deploying Keycloak provider: {0}
12:06:20,767 WARN [org.jboss.modules] (MSC service thread 1-4) Failed to define class org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory in Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
at org.jboss.modules.Module.loadModuleClass(Module.java:605)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
12:06:20,768 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "authenticator-required-action-example.jar"
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
at org.jboss.modules.Module.loadModuleClass(Module.java:605)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
... 5 more
12:06:20,769 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "authenticator-required-action-example.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}}
12:06:20,769 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "authenticator-required-action-example.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}}
12:06:20,772 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment authenticator-required-action-example.jar (runtime-name: authenticator-required-action-example.jar) in 2ms
12:06:20,773 INFO [org.jboss.as.controller] (management-handler-thread - 4) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE
8 years, 6 months
JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly, IE doesn't really care about the header's
value as long as it has been set. For example, Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
8 years, 6 months
Keycloak Social Login
by Anunay Sinha
Hi
I am using keycloak as security layer and working towards enabling social
login.
Social login was working and I was able to integrate Facebook with just
configuration using the documents.
However, I have a requirement wherein I need to provide API endpoints
for the same.
Our mobile devices will be communicating with Facebook via the app and will
have the token from Facebook (Implicit Flow).
I will then be exchanging the token with Keycloak for the Keycloak access
token.
I have two questions:
1. Is this approach correct, and if not, why?
2. How can I achieve this? I was thinking of writing a custom authenticator
(I am not sure if that's the right approach, as I have to register users as
well if the FB access token user is not available with us; we can afford to
log the user in with just an email ID as we can onboard new users later).
I am blocked because the authenticator is not working with any build from 2.4.0
onwards.
Let me know if my approach is correct and if so how to proceed with it.
8 years, 6 months
Anonymous access to scoped resources
by ebondu
Hi all,
I am using Keycloak filters to secure a Spring REST API and I need to
provide anonymous access to a subset of resources having a given scope
(like 'urn:scope:read:public'). To me, anonymous means an unauthenticated
user without an access token.
I defined a dedicated security chain to bypass the authentication filter, but
the authorization filter is expecting an access token to grant requests, so
I can't use it.
Do I need to implement my own filter based only on the protection API to
retrieve and check the scopes of requested resources, or is there a better way to
grant access to resources for anonymous users?
Thanks.
8 years, 7 months
Re: [keycloak-user] Additional attributes for an authorization request
by Ori Doolman
Hi Pedro Igor,
You wrote:
You can't pass additional attributes along with an authorization request.
However, that is something we want to support on future versions.
I have some questions about that:
1. Which future version will support that? Any plan for it at the moment?
2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using Java adapter for JBOSS Fuse)?
Thank you,
Ori.
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
8 years, 7 months
Authorization: Javascript policy
by Ori Doolman
Hi,
How rich can the Javascript policy be?
Is it limited to only a specific interface ($evaluation), or can I use any Javascript package/code I want?
Specifically, I need to have a mapping table between a token claim (user attribute) to a list-of-IDs.
Can I query another server using HTTP request within a policy code?
Or can I query the user database from the policy code?
Or can I pre-load the mapping table into PDP memory and query it from policy code?
Thanks,
Ori.
8 years, 7 months
[HELP] Unable To Deploy Authenticator-Requirement-Action-Example
by Sagar Ahire
Hello,
In Keycloak 2.4.0 I tried to deploy authenticator requirement action
example (keycloak-2.4.0.Final/examples/providers/authenticator) using the
following command:
$ mvn clean install wildfly:deploy
Getting:
[ERROR] Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli)
on project authenticator-required-action-example: Deployment failed and was
rolled back. -> [Help 1]
-PFA for server log.
I also tried to copy authentication-requirement-action-example.jar into the
standalone/deployment/providers directory, but it didn't work.
Can someone please help with this?
regards,
-Sagar
8 years, 7 months
Stack Overflow
by Stian Thorgersen
We're considering dropping the Keycloak user mailing list and moving to
Stack Overflow instead.
Thoughts?
8 years, 7 months
Keycloak onLoad option
by Andreea Ciuprina
Hello!
I am running into the following issue when using the Keycloak JavaScript adapter in order to connect our React frontend client with the Keycloak server.
The following code, where the onLoad option is set to "login-required" causes the webpage to refresh every 10 seconds, after logging in:
const SEC_UPDATE_TOKEN = 30;
const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json");
kc.init({onLoad: "login-required"}).success((authenticated: boolean) => {
    if (authenticated) {
        kc.updateToken(SEC_UPDATE_TOKEN).success(() => {
            loadData();
        }).error(() => {
            alert("Failed to refresh token");
        });
    }
    else {
        // show possibly other page here...
        kc.login();
    }
}).error(() => {
    alert("failed to initialize");
});
If I change the onLoad option to "check-sso", the problem disappears.
Reading the documentation, i.e. this part:
login-required will authenticate the client if the
user is logged-in to Keycloak or display the login page if not. check-sso will only
authenticate the client if the user is already logged-in, if the user is not logged-in the browser
will be redirected back to the application and remain unauthenticated.
was not very clear to me regarding the behaviour that I am observing in my case.
Could you please explain to me the difference between "login-required" and "check-sso" and why using one of them instead of the other in my case
causes the unwanted, constant page refresh?
Thank you!
Best regards,
Andreea
8 years, 7 months
Performance Testing keycloak
by John D. Ament
Hi,
I wanted to put together some basic perf tests of keycloak. I'm logging in
as an admin and doing some basic create user operations.
I wrote a simple gatling script to do this work. One issue I'm seeing is
that gatling is grabbing the bearer header in the request. I was
wondering, do I need to send the bearer or can keycloak rely on the cookie
alone?
8 years, 7 months
Directs Grants API & OTP
by Stefan Schlesinger
Hello,
I’m using the Direct Grants API as authentication backend for our Radius server.
Currently I’m unable to determine whether a user already has an OTP token configured or not,
and thus our Radius server always prompts the user with an Access-Challenge dialog.
Users who haven’t configured an OTP token yet won’t be able to login, or in case I can work
around this issue, will at least be presented with a question for an OTP token, which they
are not aware of.
Is there a way I could improve this? E.g. an API call which authenticated OpenIDC
clients can trigger?
Best,
Stefan.
8 years, 7 months
Mobile Game Authentication Flow
by Mat Pataki
Hello!
I'm a developer at a mobile gaming company, and I'm trying to better
understand how/if KeyCloak fits within the paradigm that we have, and that
I believe also to be pretty typical in this space. At the moment I am
specifically interested in User Registration and Authentication. I should
say that I've spent a larger amount of time with the documentation before
turning here, so hopefully I'm not missing something completely obvious
(although I can't really rule that out!).
Third party identity providers such as facebook and google provide mobile
SDKs that are capable of completing the OAuth2 flow with their respective
identity platforms. In the end, our consuming mobile apps receive an access
token if all goes well. We send this token to our current custom backend
authentication solution which will validate them, obtain an ID from the
identity provider, and link that ID to our own internal ID for the user.
It's this backend component that I would like to replace with KeyCloak.
For reference, I see very similar code to this in the KeyCloak source, here
<https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>,
which is encouraging!
The problem however, is that KC's social login flow, and seemingly the
custom SPI flows as well, all begin with the web based registration page.
For our use case, we would like to avoid directing our users away from our
app during this process, and in fact avoid performing the OAuth2 flow
between us and facebook, for example, entirely. This is something we have
today via these client SDKs.
Down the line we plan to use KeyCloak for its more traditional use cases,
including securing our own microservices and applications, but that's
assuming that we can solve this problem.
Any advice would be greatly appreciated! Thanks in advance!
Mat
8 years, 7 months
How to have multiple data sources?
by Danny Trunk
Hello,
I've followed the instructions from
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
But instead of changing the existing DS and provider, I simply added
another one:
<subsystem xmlns="urn:jboss:domain:datasources:4.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS"
                    pool-name="ExampleDS" enabled="true" use-java-context="true">
            ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS"
                    pool-name="KeycloakDS" enabled="true" use-java-context="true">
            ...
        </datasource>
        <datasource jndi-name="java:jboss/datasources/myproject"
                    pool-name="myproject" enabled="true" use-java-context="true">
            <connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>20</max-pool-size>
            </pool>
            <security>
                <user-name>myproject</user-name>
                <password>password</password>
            </security>
        </datasource>
    </datasources>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    ...
    <spi name="connectionsJpa">
        <provider name="default" enabled="true">
            ...
        </provider>
        <provider name="myproject" enabled="true">
            <properties>
                <property name="dataSource" value="java:jboss/datasources/myproject"/>
                <property name="initializeEmpty" value="false"/>
                <property name="migrationStrategy" value="validate"/>
            </properties>
        </provider>
    </spi>
    ...
</subsystem>
That's because I want to set the datasource per realm (If that's possible?).
Now I can't find this connection provider in the admin console. Only the
default is listed in Server Info > Providers.
Server Version: 2.5.1.Final
By the way: This DS configuration is a mess. It would be much more user
friendly to simply add a database provider and configure them through
the admin console.
8 years, 7 months
User's groups in authz policy
by Alexey Kazakov
Hi,
Is there a way to grand permissions to some resource if the user belongs
to some group in general and in a JS policy in particular?
Thanks.
8 years, 7 months
Does Policy Evaluation Tool Support Client Roles?
by Jeremy Majors
When I'm testing my policies using the Policy Evaluation Tool, I am unable to get the administration application to return any client-based roles so that I can test that scenario (currently it only allows me to specify realm-based roles). Is this because we shouldn't be testing the client-based roles, or does the tool simply not support that feature yet?
My setup is as follows:
* No roles are defined at the realm level
* Client has defined 2 roles (read/write)
* Policy has been set up to allow reading for a specific client (using client role). The client role 'read' is required
* Permission has been set up to associate the policy with a particular resource's authorization scope.
I set up all of the roles under the client so that I don't pollute the realm roles with application-specific settings, but potentially that isn't how Keycloak is supposed to be used.
Thanks,
Jeremy
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it.
8 years, 7 months
Clustering Keycloak via TCP
by John D. Ament
Hi
I was wondering, has Keycloak been tested using Wildfly 10.1 TCP based
Jgroups? I'm told that the TCP ports are lazy, and I'm never seeing them
come up. It looks like Keycloak doesn't have a war file, no web.xml and as
a result no distributable flag.
John
8 years, 7 months
SAML Broker configuration based on SAML/Broker examples leads to client_not_found error
by Dmitry Korchemkin
I was trying to set up two SAML keycloak idp's, based on basic SAML and
broker examples provided with keycloak.
Using the broker example as a reference, I added an IDP to the saml-demo client. In
this IDP I changed the Single Sign-On Service URL to the URI of the second
realm - http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml,
just like in the broker example.
In saml-broker-realm I configured the SAML client identically to the broker
example.
When I try to log in using this new configuration by pressing the new button,
I get the following error: type=LOGIN_ERROR, realmId=saml-demo, clientId=
http://localhost:8080/auth/realms/saml-demo, userId=null,
ipAddress=10.0.2.2, error=client_not_found.
I tried googling the issue, but all the answers seem to be linked to
keycloak.json, which indeed is not used by the SAML example, as far as I can
tell.
Am I right in my assumption that this configuration will not work by
definition due to keycloak.json missing, or may this error be caused by
something else?
8 years, 7 months
bearer auth only in keyclaok secured rest API(node js)
by Saransh Kumar
Hello,
I have used bearer auth only in my REST API, and I am sending an
Authorization Bearer header in GET request from the front end.
Protect.js
......
return function protect (request, response, next) {
    if (request.kauth && request.kauth.grant) { // Line 2
        if (!guard || guard(request.kauth.grant.access_token, request, response)) {
            return next();
        }
        return keycloak.accessDenied(request, response, next);
    }
........
When I am invoking protect.js in my GET request:
router.get('/', cors(), keycloak.protect(), function (req, res, next) { });
Line 2, which is the if statement, is turning out to be false, so I wanted
to know why request.kauth and request.kauth.grant are returning false?
Thanks in advance
Saransh
8 years, 7 months
[Keycloak][Get identity provides roles]
by Salvatore Incandela
Hi guys, is it possible to populate user roles given by an identity provider
(another Keycloak instance) by getting those from the JSON claim?
--
Salvatore Incandela
Middleware Consultant
------------------------------
Red Hat - www.redhat.com
Via Andrea Doria 41M
00192 Roma (Italy)
Mobile +39 349 6196615
Fax +39 06 39728535
E-mail salvatore.incandela(a)redhat.com
8 years, 7 months
Re: [keycloak-user] IDP Initiated Login
by John D. Ament
Ok, I must have fat-fingered there at the end. Sorry.
With that said, assuming that I want IDP initiated login, it seems like
what I have to do is:
- Create a SAML client in Keycloak for my application.
- Follow the IDP initiated flow from
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
- Point my IDP to the endpoint that gets generated in here.
As a result, it seems like I don't have to even create a SAML IDP in
Keycloak, unless that somehow gets used for SP initiated.
John
On Wed, Feb 22, 2017 at 10:15 PM John D. Ament <john.d.ament(a)gmail.com>
wrote:
> This is the part that's confusing me. What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps. The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke <bburke(a)redhat.com> wrote:
>
> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament <john.d.ament(a)gmail.com>
> > wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further. when reading through
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
> >>
> >> - It seems like my application has to be SAML. I cannot do an OIDC
> based
> >> solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >> application.
> >> - The confusing part is about if my application requires... this seems a
> >> bit odd, since I'm using the Keycloak adapter but sure.
> >> - The part that's missing is what gets setup in the actual broker. You
> >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs.
> In
> >> general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament <john.d.ament(a)gmail.com>
> >> wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine. I had only tried
> IDP
> >> when I sent this mail out.
> >>
> >> I'm going through this doc, and it's not clear to me on a few areas:
> >>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl...
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case).
> I
> >> have a link on the okta portal to login automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the
> SAML
> >> connector for keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working. Do any
> >> of those need to change?
> >> - Do I in fact setup Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament <john.d.ament(a)gmail.com>
> >> wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to
> >> authenticate (both SP initiated and IdP initiated) it fails with this
> error
> >>
> >> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
> >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> >> 01:40:54,627 ERROR
> [org.keycloak.services.resources.IdentityBrokerService]
> >> (default task-7) staleCodeMessage
> >>
> >> I suspect it's a setup issue on my side, so was hoping someone else has
> >> tried this and can give tips. I even tried the import feature, no luck.
> >>
> >> John
> >>
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
8 years, 7 months
Authenticate a rest api using keycloak access token
by Saransh Kumar
Hello,
How do I get user information like username, name, email, etc. from the
Keycloak token in a server-side Node.js REST API (secured through bearer auth
only)?
--------------------------------------------------------------------------------------------------------------------------------------------
*Code:*
var express = require('express');
var router = express.Router();
var app = express();
var cors = require('cors');
var Keycloak = require('keycloak-connect');
var session = require('express-session');
var memoryStore = new session.MemoryStore();
app.use(session({
secret: 'c214ad7b-e4f9-4b11-9d79-d25084e7c721',
resave: false,
saveUninitialized: true,
store: memoryStore
}));
var keycloak =new Keycloak({store: memoryStore});
app.use( keycloak.middleware({logout: '/logout', admin: '/',}));
router.options('/', cors());
/* GET users listing. */
//router.get('/',keycloak.protect(),function(req, res, next) {
router.get('/', cors(),function(req, res, next) {
if (keycloak.protect())
{
// How to fetch userInfo here?
res.send('Reached here!');
}
else
{
res.send('Failed to authenticate');
}
});
module.exports = router;
------------------------------------------------------------------------------------------------------------------------------------------
Also, is there any method so that we can cache the user data from the token
assigned to a particular user, so that whenever request from the same user
comes again with the same token, we need not query keycloak about the user
information?
Thanks in advance
Saransh
8 years, 7 months
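For the two keycloak-connect questions above (why request.kauth.grant is missing inside the handler, and how to read and cache user details from the token), an added example that is not code from those posts or from keycloak-connect itself. It assumes the token has already been verified by keycloak.protect(), that keycloak-connect exposes the parsed claims as request.kauth.grant.access_token.content, and the sample token, loader and cache names are constructed for illustration.

```javascript
// Added example, not from the posts above or from keycloak-connect.
// Assumption: keycloak.protect() has already verified the token's signature
// and expiry, so the claims read here are trusted. In keycloak-connect the
// parsed claims are assumed to sit at request.kauth.grant.access_token.content.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload of a compact JWS (header.payload.signature). No signature check is
// done here, so call it only on tokens that already passed keycloak.protect().
function parseClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The user fields the question asks for, taken from the standard Keycloak claims.
function userInfoFromClaims(claims) {
  return {
    id: claims.sub,
    username: claims.preferred_username,
    name: claims.name,
    email: claims.email,
    realmRoles: (claims.realm_access && claims.realm_access.roles) || [],
  };
}

// Inside a handler registered after keycloak.protect(). The grant is absent when
// protect() did not run as middleware (or denied the request), which is exactly
// the "Line 2 is false" symptom from the protect.js post.
function userInfoFromRequest(request) {
  if (!request.kauth || !request.kauth.grant) return null;
  return userInfoFromClaims(request.kauth.grant.access_token.content);
}

// Per-token cache so a repeated request carrying the same token does not redo
// the (possibly expensive) lookup. Entries die with the token's exp claim, and
// the map is bounded so a flood of distinct tokens cannot grow it without limit.
class UserInfoCache {
  constructor({ loader = userInfoFromClaims, maxEntries = 10000,
                now = () => Math.floor(Date.now() / 1000) } = {}) {
    this.loader = loader;       // hypothetical hook for any extra per-user lookup
    this.maxEntries = maxEntries;
    this.now = now;             // injectable clock (seconds) for testing
    this.entries = new Map();   // token -> { exp, info }, insertion-ordered
    this.loads = 0;             // how often the loader actually ran
  }

  get(token) {
    const nowSec = this.now();
    const hit = this.entries.get(token);
    if (hit && hit.exp > nowSec) return hit.info;
    this.entries.delete(token);
    const claims = parseClaims(token);
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
      throw new Error('token expired');
    }
    const info = this.loader(claims);
    this.loads += 1;
    if (this.entries.size >= this.maxEntries) {
      this.entries.delete(this.entries.keys().next().value); // drop the oldest
    }
    this.entries.set(token, { exp: claims.exp, info });
    return info;
  }
}

// Constructed sample token for offline use; the signature part is a placeholder.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.placeholder-signature`;
}
```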
Restrict access to a client to a subset of Keycloak users
by Shane Boulden
Hi everyone,
I'm trying to figure out a fairly straightforward problem set:
- I have a number of users in a Keycloak database, federated from an
LDAP provider with a READ_ONLY policy (i.e. I can't "disable" the users)
- I want to limit access to a client to only certain Keycloak users
I thought this would be possible with a role that is shared by the client
and the user. However, it looks like Keycloak lets the application itself
determine access via a role: http://lists.jboss.org/
pipermail/keycloak-user/2014-November/001205.html
But what if I can't update the application's behaviour? E.g. if I want to
integrate Keycloak with OpenShift, and OpenShift doesn't consume any
information from the OIDC provider?
In this particular example, I don't want to limit the users in the Keycloak
database - I want to sync all users from LDAP, but limit application access
to only a subset.
Any assistance is greatly appreciated.
Shane
8 years, 7 months
Re: [keycloak-user] Quick help request
by Bill Burke
There is an add-user.sh script.
On 2/24/17 3:23 PM, Mark True wrote:
> Hi Team,
>
> I am doing the quick start for RH-SSO and I was trying to set up user federation with LDAP; in the process of doing so I accidentally deleted my only user with admin permissions.
>
> It doesn’t seem like there is a way to fix this, and there was no prohibition or warning about doing so given by the app! This seems like something that could be potentially bad in a live setup with thousands of users, but I do not feel like I know the system enough to call it a proper “bug”. Thoughts?
>
> For my purposes though, is there a way I can add an admin user back manually or do I need to reinstall?
>
> —Mark True
8 years, 7 months
'Service Accounts Enabled' Client Setting Not Honored During Import
by Jeremy Majors
In order to have repeatable deployments of my company's Keycloak instances I'm trying to use the import feature of Keycloak to ensure that the clients are set up the same way in each environment. I have noticed that when I import a client, as opposed to the realm, the 'Authorization Enabled' flag is not set to true even if I have set it to true in the JSON that I'm importing. If I try to set it to true after importing I get an error unless I first turn off 'Service Accounts Enabled' and then attempt to enable 'Authorization Enabled'.
The JSON that I'm sending is provided below:
{
    "clientId" : "hello-world-authz-service",
    "secret" : "secret",
    "authorizationServicesEnabled" : true,
    "enabled" : true,
    "redirectUris" : [ "http://localhost:8080/hello-world-authz-service/*" ],
    "baseUrl" : "http://localhost:8080/hello-world-authz-service",
    "adminUrl" : "http://localhost:8080/hello-world-authz-service",
    "directAccessGrantsEnabled" : true
}
The JSON above is actually based upon one of the examples that was provided in the keycloak source code and it works when I import everything as a realm, but not when I use just the client portion.
Can anyone provide guidance in regards to how I can import JSON into Keycloak in order to setup a specific client?
This is the entire realm json file I referred to: https://github.com/keycloak/keycloak/blob/master/examples/authz/hello-wor...
I'm running keycloak version 2.5.0.Final Community.
Thank you in advance for your guidance,
Jeremy
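As an added example (not from the original post and not Keycloak's own code), a small Node script that lints the client JSON before import and then diffs the requested representation against what the server hands back; the client and flag names come from the post, the Admin REST path in the comment is the standard one, and the stored representation is constructed to mirror the behaviour described (the flag came back false).

```javascript
// Added example: lint a ClientRepresentation before import and diff it against
// what the server actually stored, so a silently dropped flag does not go unnoticed.

// Boolean flags whose value decides what the client may do; any drift between
// requested and stored values is a finding.
const SECURITY_FLAGS = [
  'enabled',
  'authorizationServicesEnabled',
  'serviceAccountsEnabled',
  'directAccessGrantsEnabled',
  'publicClient',
];

// Strict parse: the JSON in the post used Python-style True, which JSON.parse
// rejects, so the problem is reported before anything reaches the server.
function parseClientJson(text) {
  try {
    return { ok: true, client: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: 'invalid JSON: ' + err.message };
  }
}

// Pre-import lint. Returns a list of warnings (empty when nothing stands out).
function lintClient(client) {
  const warnings = [];
  if (typeof client.clientId !== 'string' || client.clientId === '') {
    warnings.push('clientId is missing');
  }
  // Assumption made here: Authorization Services act through the client's
  // service account, so the representation should state serviceAccountsEnabled
  // explicitly instead of relying on the server to infer it during import.
  if (client.authorizationServicesEnabled === true && client.serviceAccountsEnabled !== true) {
    warnings.push('authorizationServicesEnabled is true but serviceAccountsEnabled is not');
  }
  if (typeof client.secret === 'string' && (client.secret === 'secret' || client.secret.length < 32)) {
    warnings.push('secret looks like a placeholder; generate one per environment');
  }
  for (const uri of client.redirectUris || []) {
    if (uri === '*' || uri === '/*') warnings.push('redirect URI wildcard "' + uri + '" is too broad');
  }
  return warnings;
}

// Post-import check: compare the representation that was sent with the one the
// server returns from GET /auth/admin/realms/{realm}/clients/{id} and report
// every security flag whose stored value differs from the requested one.
function diffStoredClient(requested, stored) {
  const drift = {};
  for (const flag of SECURITY_FLAGS) {
    if (flag in requested && requested[flag] !== stored[flag]) {
      drift[flag] = { requested: requested[flag], stored: stored[flag] };
    }
  }
  return drift;
}

// Constructed inputs for a stand-alone run: the post's JSON with its booleans
// corrected, and a stored representation mirroring the behaviour described.
const REQUESTED_CLIENT = {
  clientId: 'hello-world-authz-service',
  secret: 'secret',
  authorizationServicesEnabled: true,
  enabled: true,
  redirectUris: ['http://localhost:8080/hello-world-authz-service/*'],
  directAccessGrantsEnabled: true,
};
const STORED_CLIENT = Object.assign({}, REQUESTED_CLIENT, {
  id: '00000000-0000-0000-0000-000000000000', // constructed placeholder id
  authorizationServicesEnabled: false,
  serviceAccountsEnabled: false,
});
const BAD_JSON = '{ "clientId" : "x", "enabled" : True }';

console.log(parseClientJson(BAD_JSON));
console.log(lintClient(REQUESTED_CLIENT));
console.log(diffStoredClient(REQUESTED_CLIENT, STORED_CLIENT));
```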
8 years, 7 months
SAML2.0 Identity Provider modify authn context / extensions
by Martin Hardselius
Hi,
Is there an easy way to add stuff to the authn context or add extensions to
the AuthN request? Or even add query parameters to the destination url?
Context:
The SAML2.0 Provider I'm integrating with supports several auth methods.
Usually you would end up on a method select page, where the options are
presented to you, once you've been forwarded to the IDP. They do however
support selecting an option directly by modifying the authncontext. They
also support prefilling information by adding extensions to the authn
request or adding supplying it through query params. Kind of like "login
hint".
So. Easy way, or do I have to extend SAMLIdentityProvider?
Martin
8 years, 7 months
Best practices for multi-realm user management with Keycloak-Admin-Client
by Thomas Darimont
Hello Group,
What's the current best practice to manage users in multiple realms via
the keycloak-admin-client?
A simple variant is to create a dedicated confidential client
"internal-realm-admin" in
the master realm with only "direct access grants: on" and "service
accounts enabled: on"
and "standards flow enabled: off".
Given that the Keycloak contains two other realms "tenant1" and "tenant2"
besides master
we want to enable the service account for "internal-realm-admin" to manage
users (CRUD)
for those realms only.
Now this service client gets the following service-account client roles:
* "tenant1-realm": "manage-users" and "view-clients" (to list the
applications)
* "tenant2-realm": "manage-users" and "view-clients" (to list the
applications)
Now one can use this single client in a centralized service to manage both
realms
with a keycloak-admin-client constructed like this:
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
// Service-account login against the master realm with the confidential
// client described above ("internal-realm-admin").
Keycloak keycloak = KeycloakBuilder.builder()
        .realm("master")
        .serverUrl("http://192.168.99.1:8080/auth")
        .clientId("internal-realm-admin")
        .clientSecret("SECRET")
        .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
        .build();
To manage users in tenant1 one can now do something like that:
keycloak.realm("tenant1").users().create(userRepresentation)
and for tenant2 ...
keycloak.realm("tenant2").users().create(userRepresentation)
Some Advantages:
+ one can globally manage users via a single centralized client
+ you can quickly generate a new secret for this single service
+ you don't need a dedicated user to manage other users
Some Disadvantages
- in certain environments this can be seen as a too privileged user / client
- user management operations are performed with the client service account
and not a "real" user
I think with this approach one is quite flexible and still has the
possibility to create
a dedicated (tenant) realm admin user / client and exclude it from the
"internal-realm-admin"
for tenants who need explicit control over their user management.
Thoughts?
Cheers,
Thomas
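As an added example (not from the original post and not keycloak-admin-client code), a Node check that decodes the service account's access token and audits its resource_access against the two-realm allow-list described above; the role names and client id come from the post, the token payload is constructed, and requestServiceAccountToken is a hypothetical helper that calls the master realm's standard token endpoint.

```javascript
// Added example: before the central service starts using the "internal-realm-admin"
// service account, decode the token it obtained and confirm it carries exactly the
// per-realm client roles described above and nothing broader.

// Roles the post grants: client roles of the master realm's "tenant1-realm" and
// "tenant2-realm" clients. Anything outside this map is a finding.
const EXPECTED_ROLES = {
  'tenant1-realm': ['manage-users', 'view-clients'],
  'tenant2-realm': ['manage-users', 'view-clients'],
};

// Payload of a compact JWS. No signature check here: this is the token the
// service itself just received from the master realm's token endpoint over TLS,
// and the goal is to inspect our own privileges, not to authenticate a caller.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare resource_access with the allow-list. Returns human-readable findings;
// an empty list means the token is scoped exactly as intended.
function auditServiceAccountToken(payload, expected, clientId) {
  const findings = [];
  if (payload.azp !== clientId) {
    findings.push('azp is ' + payload.azp + ', expected ' + clientId);
  }
  const access = payload.resource_access || {};
  for (const client of Object.keys(access)) {
    const roles = access[client].roles || [];
    const allowed = expected[client];
    if (!allowed) {
      findings.push('unexpected client roles on ' + client + ': ' + roles.join(', '));
      continue;
    }
    for (const role of roles) {
      if (!allowed.includes(role)) findings.push('unexpected role ' + role + ' on ' + client);
    }
  }
  for (const client of Object.keys(expected)) {
    const have = (access[client] && access[client].roles) || [];
    for (const role of expected[client]) {
      if (!have.includes(role)) findings.push('missing role ' + role + ' on ' + client);
    }
  }
  return findings;
}

// Hypothetical helper: client-credentials grant against the master realm (the
// grant the post uses). Network call; not exercised by the constructed sample.
async function requestServiceAccountToken(serverUrl, clientId, clientSecret) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials', client_id: clientId, client_secret: clientSecret,
  });
  const res = await fetch(serverUrl + '/realms/master/protocol/openid-connect/token', {
    method: 'POST', body,
  });
  if (!res.ok) throw new Error('token endpoint returned ' + res.status);
  return (await res.json()).access_token;
}

// Constructed sample token: tenant2 lacks view-clients, and someone also granted
// manage-realm on master-realm, which the central service never needed.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
const SAMPLE_PAYLOAD = {
  iss: 'http://192.168.99.1:8080/auth/realms/master',
  azp: 'internal-realm-admin',
  realm_access: { roles: ['offline_access', 'uma_authorization'] },
  resource_access: {
    'tenant1-realm': { roles: ['manage-users', 'view-clients'] },
    'tenant2-realm': { roles: ['manage-users'] },
    'master-realm': { roles: ['manage-realm'] },
  },
};
const SAMPLE_TOKEN = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(SAMPLE_PAYLOAD), 'sig'].join('.');

console.log(auditServiceAccountToken(decodeJwtPayload(SAMPLE_TOKEN), EXPECTED_ROLES, 'internal-realm-admin'));
```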
8 years, 7 months
Clustered Keycloak in Kubernetes
by Staffan
Hi,
I got a direct question based on the mailing list thread
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008470.html.
The author tried different <inet-address value="${jboss.bind.address}"/>
values in standalone-ha.xml but failed to get docker containers to
"discover" each other.
Here is my reply, which I think should be in the mailing list as well:
I never got the default JGroups config - UDP broadcast - to work in
Kubernetes (except in single-node testing). May work in some k8s clusters,
but I ended up switching to TCP. Instead of broadcast I chose JDBC for
jgroups "ping". I summarized my conclusions in https://github.com/jboss-dockerfiles/keycloak/pull/62.
Regarding port binding I ended up using the interface "eth0" instead of an
IP. It allowed external connections in all docker contexts I tested,
without being specific to a network setup.
You can see the config changes produced by the PR as a diff in the build
output, for example: https://hub.docker.com/r/solsson/keycloak-ha-mysql/builds/btueapadj2mhwhuggjbne4j/
regards
/Staffan
8 years, 7 months
Different TOC's for different clients
by Adam Keily
Is it possible using Keycloak to present different TOC's, or a custom form, depending on the client the user is trying to access? Somehow we need to detect and intercept the login event on a per client basis.
8 years, 7 months
Authenticate a rest api using keycloak access token (received from Authorization header in the HTTP GET request from the front end) in node js
by Saransh Kumar
<http://stackoverflow.com/questions/42394475/authenticate-a-rest-api-using...>
var loadData = function () {
  var url = 'http://localhost:3000/users';
  var req = new XMLHttpRequest();
  req.open('GET', url, true);
  req.setRequestHeader('Accept', 'application/json');
  req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
  req.onreadystatechange = function () {
    if (req.readyState == 4) {
      if (req.status == 200) {
        console.log('Success');
      } else if (req.status == 403) {
        console.log('Forbidden');
      }
    }
  };
  req.send();
};
Above is my front end code requesting the REST API and passing the keycloak
token in the authorization header which will be needed for authentication
at the node js server side.
*Now I wanted to know how to secure my Rest Api using Keycloak and
authenticate it on the basis of token received from the front end and tell
whether the authentic user is requesting the rest api resource or not?*
I have created a rest api in node js and used the keycloak-connect npm package.
I have mapped the nodejs middleware with keycloak middleware.
var express = require('express');
var router = express.Router();
var app = express();
var Keycloak = require('keycloak-connect');
var keycloak = new Keycloak();
app.use(keycloak.middleware({
  logout: '/logout',
  admin: '/',
}));
router.get('/users', function (req, res, next) {
  var token = req.headers['authorization']; // Access token received from front end
  // Now how to authenticate this token with keycloak???
});
I have also included the keycloak.json file in the root folder of my
project.
8 years, 7 months
Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
by Colin Coleman
The -x trick gave me enough info to find this…
https://issues.jboss.org/browse/KEYCLOAK-1268
And even if the workarounds work it looks like keycloak was not designed and is not tested for the sort of multi-tenant setup I was trying to do.
The jdbc driver version was a red herring – everything is the latest version
Using the CLI with -x I got the following
HTTP error - 400 Bad Request
org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - 400 Bad Request
at org.keycloak.client.admin.cli.util.HeadersBodyStatus.checkSuccess(HeadersBodyStatus.java:61)
at org.keycloak.client.admin.cli.util.HttpUtil.checkSuccess(HttpUtil.java:329)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: <html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>awselb/2.0</center>
</body>
</html>
Colin
From: Colin Coleman <cco(a)capraconsulting.no>
Date: Wednesday, 15 February 2017 at 10:05
To: Marko Strukelj <mstrukel(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
There is no stacktrace on the logs – I turned the <root-logger> level up to debug and could find nothing then either.
The only difference between a success when there were less than 20 realms and a failure when there were more than 20 realms was a lack of debug lines from org.hibernate which seems to show that the database never gets queried when a 400 is produced.
My Stack is:
Ubuntu 16.04
openjdk version "1.8.0_121"
PostgreSQL 9.6.1 (running on different machine)
keycloak-2.5.1.Final – running using standalone-ha.xml
DB driver: postgresql-9.4.1212.jre6.jar
Writing this I notice that the db driver and db are not on the same level – I will update this and test again.
------------------------------------------------
Colin
From: Marko Strukelj <mstrukel(a)redhat.com>
Date: Tuesday, 14 February 2017 at 18:16
To: Colin Coleman <cco(a)capraconsulting.no>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
There is no such restriction, and I can't reproduce your issue.
Is there any stacktrace on the server?
Do you get any more information on the client if you add -x option?
On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman <cco(a)capraconsulting.no> wrote:
Hello,
Is there a setting limiting the number of realms that can be created with the CLI?
When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms
kcadm.sh create realms -s realm=test3 -s enabled=true
kcadm.sh create realms -s realm=test4 -s enabled=true
kcadm.sh create realms -s realm=test5 -s enabled=true
.
.
.
I get
.
.
Created new realm with id 'test13'
Created new realm with id 'test14'
HTTP error - 400 Bad Request
HTTP error - 400 Bad Request
.
.
.
Colin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 7 months
Unknown authentication mechanism KEYCLOAK
by Kevin Marsden
Good Day.
I am unable to deploy a JAX-RS war to Wildfly 10.1, even after following the
instructions in the documentation to the letter.
I executed the patch script as follows :
jboss-cli.bat --connect --file="adapter-install.cli"
{"outcome" => "success"}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{
    "outcome" => "success",
    "result" => [("keycloak" => "1.1.0")],
    "response-headers" => {"process-state" => "reload-required"}
}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
My standalone.xml has been updated as follows :
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
My web.xml is as follows :
<security-constraint>
    <web-resource-collection>
        <web-resource-name>webresources</web-resource-name>
        <url-pattern>/webresources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
I would gladly appreciate any help at this stage.
Kind Regards.
Kevin.
8 years, 7 months
Does keycloak OIDC support decryption of a JWT token encrypted with JWE?
by Haseb Ansari
Hello all,
I have setup a custom Open ID Connect provider for my external IDP and
the token request on my external IDP sends me an encrypted JWT with JWE
(JSON Web Encryption). I have the enc key with me but cannot understand how to
use it with the Identity Provider settings.
Please help me out with this issue.
Thanks in advance !!!!!!
Regards,
Haseb
8 years, 7 months
Delete Roles on Active Directory when deleted from Keycloak
by Sumit Das
Hi
I have done an integration of Keycloak Realm with an Active Directory
instance. The realm roles that have been created are mapped with the help
of a role-mapper. When I delete any roles from the Realm, the role still
persists in the AD instance, even after using the synchronization of
"Keycloak Roles to LDAP". How do I ensure that when I delete any role in
Keycloak, it also gets deleted from the AD?
I have kept the following configuration:-
1. In LDAP settings: Edit Mode: WRITABLE
2. In Role-mapper: Mode: LDAP_ONLY
Still it is not working.
Please do respond.
Regards
*Sumit Das*
*Mobile No.- +91-9986872466 *
8 years, 7 months
Need any advice on issue KEYCLOAK-3923 (LDAP FEDERATION ISSUE)
by Sumit Das
Hi
I saw a few comments on the url below:-
https://issues.jboss.org/browse/KEYCLOAK-3923
We are also facing the same issue where we want to *delete Roles and Groups
from the LDAP(Active Directory)*, which is federating a Keycloak instance,
once we *delete the same from the Keycloak instance*.
We *want to have this feature* for our convenience. I read about a flag
being introduced to facilitate the same. Has the feature been already
developed?? Can you provide me with any update about it??
I would *highly appreciate any help* regarding this. Please do respond and
shed some light on the issue.
Regards
*Sumit Das*
8 years, 7 months
Realm Keys
by Jason B
Hi,
I am wondering where does Keycloak stores realm keys and how they are
replicated across servers when deployed multiple Keycloak servers as a
single cluster. Is it in database or some local keystore? Are there any
special considerations we need to take for realm keys while we deploying it
as a cluster?
Thanks!
8 years, 7 months
Delete Roles on Active Directory when deleted from Keycloak
by Sumit Das
Hi
I have done an integration of Keycloak Realm with an Active Directory
instance. The realm roles that have been created are mapped with the help
of a role-mapper. When I delete any roles from the Realm, the role still
persists in the AD instance, even after using the synchronization of
"Keycloak Roles to LDAP". How do I ensure that when I delete any role in
Keycloak, it also gets deleted from the AD?
Please do respond.
Regards
*Sumit Das*
*Mobile No.- +91-9986872466 *
8 years, 7 months
Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hi Sebastien,
Thank you for your answer.
After adding your suggestion to the security constraints, I get the following error:
Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties': Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method' from 'applicationConfig: [classpath:/application.properties]' to 'securityConstraints[0].securityCollections[0].http-method' property on 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$SecurityConstraint'
My configuration looks like this:
keycloak.securityConstraints[0].securityCollections[0].name = secured end points
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].http-method = GET
Do you know what could the problem be?
Thank you!
Best,
Andreea
-----Original message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Tuesday 21st February 2017 17:43
To: Andreea Ciuprina <aciuprin(a)mpi-bremen.de>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
You can add the configuration about the policy enforcer in your application.properties, just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead
of just policy-enforcer).
Regarding HTTP Verb authz , it *should* work since Spring Boot Adapter just passes along the configuration to the underlying Servlet Container (Tomcat, undertow or Jetty).
But even without using the authorization layer, you should be able to achieve this by configuring the security constraints.
keycloak.securityConstraints[1].securityCollections[0].http-method = GET
etc ...
On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin(a)mpi-bremen.de> wrote:
Hello!
We are building an online application for which we are using Keycloak for authentication and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achieve more fine-grained authorization, more specifically, we would like to set up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is
no keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
8 years, 7 months
Infinite loop while proxying angular2 devserver
by Okie Othsam
Hi,
I try to prepare a development environment and got a strange loop behavior.
I have built a docker scenario with a keycloak/postgresql container that is
behind a web server proxy container (tested Apache and nginx). The
webserver container proxy also to a local running node.js instance with
angular2 devserver.
My sample angular app uses the javascript keycloak adapter, which I wrapped
with a service.
If I run Angular devserver and keycloak without any proxy all works fine.
When I use the same servers (modified keycloak.json) behind the proxy, the
angular app runs after successful keycloak login in an endless loop. Every
second the site is reloaded - without any new login.
When I build a release from my angular app and deploy it to the webserver
all works fine. But this is not really an alternative because I want to set up
a universal dev environment :-/
After days of debugging, imo there is a good chance for some race
conditions in Javascript adapter between the dynamic iframe and the angular
app or I do something essential wrong.
My question is now, have anyone here run a similar setup and use it without
any problems?
Currently my containers run with keycloak version 2.4.0.Final. As next step
I will update my setup to 2.5.1.Final and try to reproduce the behavior.
Kind regards
Eiko
8 years, 7 months
Configuring event logging in Keycloak
by Thomas Darimont
Hello group,
I needed to configure Keycloak to also show success events in the logs
in order to be able to show the login count over time in a graylog
dashboard.
For this to work I needed to change the log level for the "success-level"
within the keycloak jboss-logging event-listener configuration.
As some other folks might want to do that as well I'd like to share my
jboss-cli config snippet with you.
Cheers,
Thomas
cd $KEYCLOAK_HOME
bin/jboss-cli.sh
# Start keycloak in embedded mode for configuration
embed-server --server-config=standalone-ha.xml --std-out=echo
# Configure jboss-logging event listener
/subsystem=keycloak-server/spi=eventsListener:add(default-provider=jboss-logging)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
# Propagate success events at INFO instead of DEBUG
# This allows successful logins to be tracked in log analysis
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)
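As an added example (not from the original post), a parser for the jboss-logging event lines that the configuration above promotes to INFO, producing the per-realm login count the dashboard needs and flagging source addresses with repeated LOGIN_ERROR events; the log lines are constructed in the listener's key=value format (type=..., realmId=..., clientId=..., userId=..., ipAddress=..., error=...).

```javascript
// Added example: turn Keycloak jboss-logging event lines into login counts per
// realm and failure counts per source IP, the inputs a dashboard or alert needs.

const EVENT_LINE = /^(\S+)\s+(\w+)\s+\[org\.keycloak\.events\]\s+\(([^)]*)\)\s+(.*)$/;

// Parse one line into { time, level, thread, fields } or null when it is not an
// event line. Fields are split only before the next "key=", so values containing
// a bare comma (redirect URIs) survive intact.
function parseEventLine(line) {
  const m = EVENT_LINE.exec(line.trim());
  if (!m) return null;
  const fields = {};
  for (const pair of m[4].split(/,\s+(?=[A-Za-z_]+=)/)) {
    const eq = pair.indexOf('=');
    if (eq > 0) fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return { time: m[1], level: m[2], thread: m[3], fields };
}

// Aggregate: successful logins per realm, failures per source IP and per error,
// and the IPs whose failure count reaches the threshold (the alerting signal).
function summarizeEvents(lines, failureThreshold) {
  const loginsPerRealm = {};
  const failuresPerIp = {};
  const errors = {};
  for (const line of lines) {
    const ev = parseEventLine(line);
    if (!ev) continue;
    const { type, realmId, ipAddress, error } = ev.fields;
    if (type === 'LOGIN') {
      loginsPerRealm[realmId] = (loginsPerRealm[realmId] || 0) + 1;
    } else if (type === 'LOGIN_ERROR') {
      failuresPerIp[ipAddress] = (failuresPerIp[ipAddress] || 0) + 1;
      errors[error] = (errors[error] || 0) + 1;
    }
  }
  const noisyIps = Object.keys(failuresPerIp).filter((ip) => failuresPerIp[ip] >= failureThreshold);
  return { loginsPerRealm, failuresPerIp, errors, noisyIps };
}

// Constructed sample log in the jboss-logging listener format; realm, client
// and user names are made up. The last line is not an event and must be ignored.
const SAMPLE_LOG = [
  '10:01:02,100 INFO  [org.keycloak.events] (default task-3) type=LOGIN, realmId=tenant1, clientId=portal, userId=u-1, ipAddress=10.0.0.5, auth_method=openid-connect, redirect_uri=https://portal.example.test/cb?a=1,b=2, username=alice',
  '10:01:09,413 INFO  [org.keycloak.events] (default task-4) type=LOGIN, realmId=tenant1, clientId=portal, userId=u-2, ipAddress=10.0.0.6, auth_method=openid-connect, username=bob',
  '10:02:11,002 INFO  [org.keycloak.events] (default task-5) type=LOGIN, realmId=master, clientId=security-admin-console, userId=u-admin, ipAddress=10.0.0.9, auth_method=openid-connect, username=admin',
  '10:02:30,777 INFO  [org.keycloak.events] (default task-6) type=LOGOUT, realmId=tenant1, clientId=null, userId=u-1, ipAddress=10.0.0.5',
  '10:03:01,001 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=tenant1, clientId=portal, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=openid-connect, username=alice',
  '10:03:02,002 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=tenant1, clientId=portal, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=openid-connect, username=admin',
  '10:03:03,003 WARN  [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=tenant1, clientId=portal, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=openid-connect, username=root',
  '10:03:40,500 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage',
  '10:04:00,000 INFO  [org.keycloak.services] (default task-1) KC-SERVICES0001: Loading config from standalone.xml',
];

console.log(JSON.stringify(summarizeEvents(SAMPLE_LOG, 3), null, 2));
```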
8 years, 7 months
User SPI and connection management
by Istvan Orban
Hi Guys,
I managed to implement User SPI for legacy user migration.
Can someone shed some light how User SPIs are called in the system?
Are they reused among threads or is it threadsafe ?
The reason I am asking is that I used RestEasy to migrate user from the
legacy platform and resteasy by default uses SingleClientConnManager.
I am wondering if I need to implement connection management in the SPI or
it is thrown away between requests so there is no need for connection
management.
Thanks a lot
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
8 years, 7 months
New authenticator with CompletableFuture as the only authenticating factor
by Daniel Radzikowski
Hi,
I'm trying to implement new authenticator for Mobile Connect. It is a bit
unusual flow, where the first method *void
authenticate(AuthenticationFlowContext context)* before returning a
challenge, calls a REST API, which prompts user mobile phone with 'Click
OK' button. This API call waits until the user clicks OK (or timeouts), so
in order not to block the request, it is wrapped in CompletableFuture and
the login page (with no inputs) is immediately returned to the browser.
(browser shouldn't wait for the API call result).
The problem is when the CompletableFuture is completed and calls a
callback. It's the place where the authentication should occur, but I don't
have any idea how to do it. The only authenticating factor is OK response
from this API. Can I set the authentication somehow bypassing the whole
processor (calling method *action(AuthenticationFlowContext context)* on
its way)? I thought I will eventually call the *action *from the browser
(with ajax) and only check if the session is already created. The only
thing that I can pass to the callback is an AuthenticationFlowContext data
obtained from the first *action(AuthenticationFlowContext context)* call.
Is there any way to do it?
--
Pozdrawiam,
Daniel Radzikowski.
8 years, 7 months
Entitlement API specific resource POST error
by Sven Thoms
When I try to check a User's permissions for a given resource at a resource
server, I get an error.
curl -v -X POST \
> -H "Content-Type:application/json" \
> -H 'Authorization: bearer <access token elided>' \
> -d '"permissions" : [ {"resource_set_name" : "Default Resource",
"resource_set_id" : "d7954958-b656-4acf-aa65-d2c46c6b8ad8" }]' \
> https://keycloak.fin.uniquedomain/auth/realms/ffs/authz/entitlement/test_client
> Content-Type:application/json
> Content-Length: 123
>
* upload completely sent off: 123 out of 123 bytes
< HTTP/1.1 400 Bad Request
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Content-Type: text/html
< Content-Length: 350
< Date: Tue, 21 Feb 2017 08:53:38 GMT
<
com.fasterxml.jackson.databind.JsonMappingException: Can not instantiate
value of type [simple type, class org.keycloak.authorization.
entitlement.representation.EntitlementRequest] from String value
('permissions'); no single-String constructor/factory method
According to the Authorization Services Guide, this should work.
8 years, 7 months
Force Keycloak to use external IdP as authentication mechanism
by Jason B
We have a requirement to disable local login (username/password) and allow
login through IdPs configured in Identity broker.
To test this scenario I have configured Salesforce as SP and Keycloak as
IDP. And in IdP (keycloak) disabled "Forms" based login and configured an
external IdP as identity broker.
But this configuration resulting in "Invalid username or password." error
in keycloak. In logs I observed following stack trace.
01:36:06,532 WARN [org.keycloak.services] (default task-40)
KC-SERVICES0013: Failed authentication:
org.keycloak.authentication.AuthenticationFlowException
at
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:795)
at
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
at
org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
at
org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:527)
at
org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:523)
at
org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:310)
at
org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:221)
at
org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:514)
at
org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:536)
at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
01:36:06,532 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://jason-dev-ed.my.salesforce.com?so=00D62000005vWGB, code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4
Any idea how to disable the username/password prompt during the login and
force keycloak to use configured identity brokers?
Also, in case I have multiple external IdPs configured as identity brokers
in my keycloak instance, is there any way to inform keycloak to use a
particular external IdP (broker)? I know we can use the kc_idp_hint parameter.
This will be helpful during IdP initiated SSO, but in case it is an SP
initiated SSO, how can we specify the default external IdP?
Thanks!
8 years, 7 months
NPE in SAMLIdentityProvider
by Goovaerts C (Caroline) (RIGD-LOXIA)
Hi all,
While implementing the single logout feature, we ran into an NPE in SAMLIdentityProvider.java.
This behavior seems to be independent of whether or not backchannel logout is used:
at org.keycloak.broker.saml.SAMLIdentityProvider.backchannelLogout(SAMLIdentityProvider.java:154)
at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
In our application we invoke httpServletRequest.logout() as suggested in the guide: https://keycloak.gitbooks.io/securing-client-applications-guide/content/t....
Version info:
- ADFS server: 3.x
- Keycloak server: 2.3.0.Final
- Maven Keycloak modules: 2.2.1.Final
We'd like to know:
- Whether it is sufficient to invoke request.logout() to do a single logout
- Why it is broken in the given setup
I could not determine whether this is related to https://issues.jboss.org/browse/KEYCLOAK-4398 or not.
Thanks & kind regards,
Caroline Goovaerts
Developer
RIGD-LOXIA
8 years, 7 months
Manually editing standalone.xml vs offline install
by John D. Ament
Hi
I was wondering, if I wanted to avoid a build time run of offline install,
can I just edit standalone.xml? I already ship a customized standalone.xml
so its not an issue to include the file changes. These are the changes I
identified:
Added: <extension module="org.keycloak.keycloak-adapter-subsystem"/>
Added:
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</authentication>
</security-domain>
Added: <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
John
8 years, 7 months
Re: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
by Gustavo Alvarez
The error is not 401, I get a 500 error code. The following is the log
capture of the backend application:
Caused by: java.lang.NullPointerException
at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:69)
at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:77)
at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
... 38 more
I use keycloak 2.3.0.Final with the following configuration:
1. Backend app in EAR package with JAX-RS service and the following
keycloak.json file:
{
"realm": "demo",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "afiliacion-web",
"credentials": {
"secret": "45226cd3-796e-4e38-9f38-8435877c660b"
},
"policy-enforcer": {}
}
and this is the web.xml file:
<!-- PRIVATE -->
<security-constraint>
    <display-name>Client Area</display-name>
    <web-resource-collection>
        <web-resource-name>client_resources</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- BASIC AUTHENTICATION ALLOW LOGIN FROM REST SERVICE -->
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
2. Front end app is public client in keycloak, and sends all requests to
backend adding the bearer token.
Thank you so much Ebondu.
Gaalvarez.
8 years, 7 months
customizing password policy
by Ori Doolman
Hi,
I couldn't find any SPI for customizing the password policy.
In addition to the existing options (lowercase characters, special characters etc.), I have an additional requirement - password should not contain any dictionary words.
I can still have it implemented using the Authenticator SPI - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...
The drawback is that it will not be available for configuration from the regular realm Authentication -> Password Policy screen.
Is that the proper way to go?
Thanks,
Ori.
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
8 years, 7 months
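Whichever SPI ends up invoking it, the check a "no dictionary words" rule needs is the same, and the naive version (exact match against a word list) is easily defeated by "P@ssw0rd" or a reversed word. The block below is an added example, not code from the post above or from Keycloak: it normalizes common substitutions and looks for embedded and reversed words. The word list is a constructed stand-in; a real policy would load a proper wordlist.

```javascript
// Added example, not from the original post or from Keycloak: the core of a
// "no dictionary words" password check. DICTIONARY is a constructed sample.
const DICTIONARY = ['password', 'welcome', 'summer', 'keycloak', 'admin', 'dragon', 'qwerty'];

// Substitutions users apply to sneak a dictionary word past a literal match.
const LEET = { 0: 'o', 1: 'i', 3: 'e', 4: 'a', 5: 's', 7: 't', '@': 'a', '$': 's', '!': 'i' };

const reverse = (s) => s.split('').reverse().join('');

// Lower-case, undo the substitutions above and drop everything that is not a
// letter, so "P@ssw0rd-2017" becomes "passwordoit".
function normalize(password) {
  return password
    .toLowerCase()
    .split('')
    .map((c) => (Object.prototype.hasOwnProperty.call(LEET, c) ? LEET[c] : c))
    .join('')
    .replace(/[^a-z]/g, '');
}

// Returns the first dictionary word embedded in the password (forwards or
// reversed, literally or after normalization), or null if none is found.
// Words shorter than minLen are skipped to avoid false positives on "an", "it".
function findDictionaryWord(password, dictionary = DICTIONARY, minLen = 4) {
  const forms = [password.toLowerCase(), normalize(password)];
  for (const word of dictionary) {
    const w = word.toLowerCase();
    if (w.length < minLen) continue;
    for (const form of forms) {
      if (form.includes(w) || form.includes(reverse(w))) return w;
    }
  }
  return null;
}

// The shape a policy provider would hand back: ok, or a message for the user
// that names the offending word so they understand why the password failed.
function validatePassword(password, dictionary = DICTIONARY) {
  const hit = findDictionaryWord(password, dictionary);
  return hit ? { ok: false, error: `password contains the dictionary word "${hit}"` } : { ok: true };
}
```

A substring match is deliberately strict: "Summer2017!" fails because "summer" is inside it, which is the behaviour most policies want, since the surrounding digits add little entropy once the word is known.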
Using AJAX during authentication process
by nowis1337@gmail.com
Hello,
Is there a way to use AJAX to ask Keycloak about the authentication process
status for the current session during the authentication? I'm trying to
implement a new Authentication mechanism using the Authentication SPI and I
would like to use AJAX polling in it. I'm looking for a way of doing it
only within Keycloak to avoid the cross-domain requests.
8 years, 7 months
securing 3rd party non-OIDC/SAML applications
by Stephen Ingram
Reading through the documentation, I'm not sure if I'm understanding the
security proxy correctly. We have a few applications that use either Apache
htaccess or form type authentication built into the application. Since we
don't always have access to the source code to add OIDC or SAML capability, I
thought the Keycloak security proxy might be a possible solution. I'm
wondering if it can work with just anything or does the app have to have at
least minimal OIDC or SAML capability? Are there any good examples anywhere?
Steve
8 years, 7 months
Deployment strategies
by John D. Ament
Hi,
I was wondering, is there any documented recommendations for deploying
keycloak? I can see the downloads, but are there recommendations based on
scale or load that help dictate databases to use, clustering requirements
and configuration, etc?
John
8 years, 7 months
Native android facebook auth and Keycloak token
by Julien Boulay
Hi all,
I have a question regarding authentication with facebook and keycloak in a
native Android app.
Is it possible to connect to facebook through native application, retrieve
an authorization code, and then exchange this authorization_code for an
access token with keycloak (id_token, refresh_token, token) ?
Can I use the facebook broker (for example
<keycloak_server_url>/auth/realms/<myrealm>/broker/facebook/endpoint) for
that ?
I'm using 2.5.1-final version of keycloak server.
Thanks
*Julien Boulay* *- Ekito*
Developer & Eclectic
15 rue Gabriel Péri 31000 Toulouse
+33 (0)6 80 46 73 78 <+33%206%2080%2046%2073%2078>
jboulay(a)ekito.fr
*Visit our Blog <http://www.ekito.fr/people> !*
8 years, 7 months
attribute retrieval
by Alabura Fgc
Hi everyone, I am using the sample Vanilla application deployed on WildFly. How can I retrieve the user attributes together with the token when I authenticate to Keycloak? Thank you.
P Save a tree! Print this message only if it's absolutely necessary
8 years, 7 months
Using Keycloak on Linux with A Microsoft SQL server
by Reed Lewis
Has anyone configured Keycloak to use Microsoft SQL server where Keycloak is running on a linux machine? I can make it work correctly with Postgres, but cannot get it to work with Microsoft SQL.
Here is my part of the standalone-ha.xml file:
<subsystem xmlns="urn:jboss:domain:datasources:4.0">
    <datasources>
        <datasource jndi-name="java:/MSSQLDS" pool-name="MSSQLDS" enabled="true">
            <connection-url>jdbc:sqlserver://(IP ADDRESS):1433;databaseName=keycloak</connection-url>
            <driver>sqlserver</driver>
            <security>
                <user-name>username</user-name>
                <password>password</password>
            </security>
            <validation>
                <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker"></valid-connection-checker>
            </validation>
        </datasource>
        <drivers>
            <driver name="sqlserver" module="com.microsoft">
                <xa-datasource-class>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>
and here is where I use the datasource.
<spi name="connectionsJpa">
    <provider name="default" enabled="true">
        <properties>
            <property name="dataSource" value="java:/MSSQLDS"/>
            <property name="initializeEmpty" value="true"/>
            <property name="migrationStrategy" value="manual"/>
            <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
        </properties>
    </provider>
</spi>
and I am using JDBC_PING to handle multiple systems since the environment I want to use does not support multicast.
<protocol type="JDBC_PING">
    <property name="datasource_jndi_name">java:/MSSQLDS</property>
    <property name="initialize_sql">
        CREATE TABLE IF NOT EXISTS jgroupsping (
            own_addr VARCHAR(200) NOT NULL,
            cluster_name VARCHAR(200) NOT NULL,
            ping_data BYTEA DEFAULT NULL,
            PRIMARY KEY (own_addr, cluster_name)
        )
    </property>
</protocol>
And this is the error when I start it up.
13:39:48,758 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (MSC service thread 1-6) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:350)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:285)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1319)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:626)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:598)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:429)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:481)
at org.jgroups.JChannel.init(JChannel.java:853)
at org.jgroups.JChannel.<init>(JChannel.java:159)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3160)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:43)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3123)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7505)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2445)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1981)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:773)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:319)
... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
... 40 more
13:39:48,760 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-6) Could not open connection to database: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:481)
at org.jgroups.JChannel.init(JChannel.java:853)
at org.jgroups.JChannel.<init>(JChannel.java:159)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:429)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 18 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:350)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:285)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1319)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:626)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:598)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
... 21 more
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3160)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:43)
at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3123)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7505)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2445)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1981)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:773)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:319)
... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
... 40 more
8 years, 7 months
Possible bug when trying to modify custom storage provider configuration?
by Jared Blashka
I'm not sure if this is an issue with my implementation of
UserStorageProvider, but I'm running into an issue when trying to edit
blank fields in the provider configuration after initial creation.
If I create a new instance of my provider and define values for all of the
configuration properties there's no issue. But if I leave some of the
configuration properties blank, save my configuration, and then try to
supply values for those properties later the form submission errors. It
looks like the entirely new values in the update get submitted as a JSON
object but any modified value gets submitted as a String array.
I tried replicating this behavior with the provided ldap provider but it
doesn't happen there. Empty input boxes are still present in
$scope.instance.config as an empty String array. But when working with my
custom provider empty input boxes aren't present in $scope.instance.config
at all after the initial provider creation.
I'm also not sure how to mark any of my properties as required. I see that
the ldap provider has required fields but it looks like this was hard-coded
into the HTML form rather than set in the provider configuration. Is that
correct?
I'm using the latest code on the 2.5.x branch, it's 2.5.4.Final-SNAPSHOT
currently.
Thanks
8 years, 7 months
[Revoke grants] Application without roles
by Yann Jacobs
Hi,
In reference to an old message sent into maillist :
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008346.html
I got an application who all users can access (no roles defined/requested)
with request consent activated.
All seems to be fine but 'Applications' tab into Account don't display my
application.
According to the ApplicationsBean.java file @ L56
https://github.com/keycloak/keycloak/blob/d941e0716982502ee84255e196f8efb...
> // Don't show applications, which user doesn't have access into (any available roles)
> if (availableRoles.isEmpty()) {
>     continue;
> }
Isn't it too restrictive?
Can we imagine a more permissive condition? Like this:
> if (availableRoles.isEmpty() && realmRolesGranted.isEmpty() &&
>     resourceRolesGranted.isEmpty() && claimsGranted.isEmpty() &&
>     additionalGrants.isEmpty()) {
>     continue;
> }
Can we consider that we can revoke grants without availableRoles ?
Is it a bug or a missing/not supported use-case ?
Thx
8 years, 7 months
Node.js Adapter usage
by Sandro Santilli
Hi all, I've just subscribed to this list as I'm working on adding keycloak
support in a node.js project.
Unfortunately, following the instructions on [1] I was unable to pass
the `var keycloack = new Keycloak()` step, in that `Keycloak` class
is not defined.
[1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
I guess I have to require the module, but when I try
`var Keycloak = require('keycloak-connect')` I get a failure message:
/usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/node_modules/keycloak-connect/index.js:254
.then(grant => { return this.grantManager.ensureFreshness(grant); })
^
SyntaxError: Unexpected token >
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Module.require (module.js:364:17)
at require (module.js:380:17)
at Object.<anonymous> (/usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/http/server.js:10:16)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
This is with node-0.10 though, while node-4.2.6 does not complain there
(but does in another place).
So, a few questions:
1. Where to report the lack of `require('keycloak-connect')`
instruction in the documentation ?
2. What's the least supported node version ?
3. Are there working examples I could look at ?
Thanks in advance
--strk;
() ASCII ribbon campaign -- Keep it simple !
/\ https://strk.kbt.io/rants/ascii_mails.txt
8 years, 7 months
Re: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
by Gustavo Alvarez
Thanks for this valuable information. I will try using your lib.
I tried with the official JS connector and the example for Angular 2, and I get
an error in the backend if it is configured as confidential, when it sends a
request to a protected resource with a bearer token. Is this an incorrect way
to send the token to the backend server?
Thank you so much.
Gaalvarez.
8 years, 7 months
Keycloak Authorizaion with SaaS
by Adam Keily
Hi Guys,
Just wondering if it's possible to do any implement any keycloak authorization controls for a SaaS app scenario where we don't have the ability to modify the application?
e.g. We want to allow or deny access to an application based on role but no code can be added to the app.
8 years, 7 months
dynamic client registration call idempotency
by Sven Thoms
When registering a client dynamically at the well-known registration
endpoint:
http://keycloak.domain/auth/realms/myrealm/clients-registrations/openid-c...
with a given name, clientId and id returned are assigned a unique ID, e.g.
id: "fa8eeac6-0fb3-4fa4-8a1b-7c1d091001dc"
clientId: "fa8eeac6-0fb3-4fa4-8a1b-7c1d091001dc"
name: "test_client"
Is there a particular reason that within the same realm, when using OIDC
dynamic client registration, registration calls to the URL above are not
idempotent?
When I make a client registration multiple times using the same client
name, I end up getting many instances of the same client, making
per-client management of permissions, roles, resources etc. tedious.
Furthermore, when querying the Admin REST interface for all clients, no
client_id_issued_at field indicating a timestamp is present, so
determining which client is the latest one given same names is not possible
either.
This behavior breaks our automation pipeline.
8 years, 7 months
JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
by Gustavo Alvarez
Hello everyone.
I am developing a web application with Angular 2 on the front end, and
jax-rs services on the backend, I also need authorization with user roles
but I have the following problems:
1. The recommendation in the documentation is to set the Angular
client as public, which means that the authorization can not go here.
2. If the backend is set as a confidential client, the service can not
be consumed from Angular 2 with the bearer token.
3. If the backend is configured as a bearer-only client, the roles are not
validated against the authorization defined in keycloak.
Can you help me find a better configuration for this environment?
Thank you all.
Gaalvarez.
8 years, 7 months
Export
by Brian Schwartz
Is the keycloak export functionality broken since the last couple of
versions?
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
I run this command:
./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
I get this error:
14:00:33,664 INFO [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
14:00:34,163 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
14:00:34,222 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
at java.util.TimSort.sort(TimSort.java:220)
at java.util.Arrays.sort(Arrays.java:1512)
at java.util.ArrayList.sort(ArrayList.java:1454)
at java.util.Collections.sort(Collections.java:175)
at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
... 19 more
This has not worked for me since version 2.1.0.
I’m currently using version 2.4.0.Final.
Thanks
8 years, 7 months
mapper for client_session, clientid, clientAddress
by Ori Doolman
Hi,
I am using KC 2.4 and OIDC implicit flow with a public client.
In the client mapper, I have the following claims mapped and enabled for the Access Token : client_session, clientid, clientAddress.
However, they don't return as part of the token.
Other claims don't have this problem.
I noticed that all of those 3 claims are of type 'User Session Note'.
Is this related to the fact that my client is public?
Is there any way to get those properties into the access token?
I need, for logging purposes, to get a unique session ID and client information (name + IP address).
Thanks,
Ori.
8 years, 7 months
EntityManager and JpaEntityProvider SPI Error
by Bruno Palermo
Hi,
I've implemented a custom resource using ResourceProvider SPI and a
custom JPA entity using JpaEntityProvider SPI.
If I try to import an EntityManager inside my custom resource, using:
EntityManager em = session.getProvider(JpaConnectionProvider.class)
.getEntityManager();
When I try to access, I receive the following error:
*Stack Trace*
java.lang.NoClassDefFoundError: javax/persistence/EntityManager
java.lang.Class.getDeclaredMethods0(Native Method)
java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
java.lang.Class.getDeclaredMethods(Class.java:1975)
org.jboss.resteasy.util.GetRestful.hasJAXRSAnnotations(GetRestful.java:109)
org.jboss.resteasy.util.GetRestful.isSubResourceClass(GetRestful.java:38)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:121)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
If I remove the EntityManager code, the resource works fine.
Any ideas?
Thanks,
Bruno
8 years, 7 months
Identity Brokering Question
by Chris Savory
Is it possible to set up multiple keycloak realms as an identity broker to a single realm? For example, we have a site that is multi-tenant and users are in different realms. Each site will connect to realm A, B, or C depending on where the user goes to log in. I want to build a micro-service that is available to serve authenticated requests from all the sites. So, can I set up a realm D that will accept bearer tokens from realms A, B or C?
--
Christopher Savory
Software Engineer | EdLogics
8 years, 7 months
Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
by Petr Široký
Hello everyone,
I am having a logout issue when using the EAP7/WF10 adapter
(2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I
also tried the upstream Keycloak 2.5.1.Final).
This is a simplified version of the code (full reproducer here
https://github.com/psiroky/servlet-app-keycloak-reproducer):
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    ....
    request.logout();
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    ...
}
The code first calls request.logout() and then session.invalidate().
This works OK when we are _not_ using the Keycloak adapter. However,
once we switch to Keycloak adapter we end up with
"java.lang.IllegalStateException:UT000021: Session already invalidated".
I've been debugging the calls and it happens because the
request.logout() bubbles down to the Keycloak adapter code, which calls
session.invalidate() as well. For some reason (bug in Undertow/EAP?) the
request.getSession(false) then returns what seems to be a valid
session (the invalidated flag=false). The session.invalidate() call
happens again, but the session was in fact already invalidated and thus
Undertow throws that IllegalStateException.
Please note that exactly the same code works on EAP 6 (+ EAP6 adapter).
The session also gets invalidated as part of logout(), but then the
request.getSession(false) returns null, so the second call to
invalidate() does not happen (this kind of points to Undertow as the
culprit).
I am trying to figure out what the root cause is:
1) Our application should _not_ call both request.logout() and then
session.invalidate() (even though it works for EAP6 and also with e.g.
basic auth without the Keycloak integration)
2) Keycloak adapter should not call session.invalidate() as part of
request.logout()
3) Undertow does not properly propagate the invalidate() call by the
Keycloak adapter.
4) Something completely different?
Thanks,
Petr
8 years, 7 months
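The thread above describes a logout handler that ends in a 500 because session.invalidate() runs twice: once inside the adapter's handling of request.logout(), once in the application. Whatever the root cause turns out to be, a logout endpoint should reach the same end state (no authenticated session) without surfacing an exception to the user, since an error page mid-logout leaves it unclear whether the session was actually terminated. The servlet below is an added example, not the reporter's reproducer from the linked repository; it assumes only the Servlet 3.0 API that the original snippet already uses, and the class name and redirect target are hypothetical. It tolerates an adapter or container that has already invalidated the session by catching only IllegalStateException around the second invalidate() call, and nothing else.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class name): a logout servlet that tolerates a
// container or SSO adapter which already invalidated the HTTP session during
// request.logout(), so the user always ends up logged out and redirected
// instead of seeing an IllegalStateException such as Undertow's UT000021.
public class TolerantLogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Ask the container (and any installed authentication adapter) to end
        // the authenticated session. With the Keycloak adapter this may itself
        // invalidate the HTTP session.
        request.logout();

        // Do not create a new session just to invalidate it: getSession(false)
        // returns null when none exists.
        HttpSession session = request.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException alreadyInvalidated) {
                // The session was invalidated underneath us by the adapter or
                // container. The desired end state (no session) is reached, so
                // this is not an error for the user. Only this exception type is
                // tolerated; anything else still propagates.
            }
        }

        // Redirect to a public entry page (hypothetical target) so nothing that
        // depends on the now-dead session is rendered from this request.
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

This is the application-side option 1 from the list above (never rely on a second invalidate() succeeding), and it remains correct on EAP 6 where getSession(false) already returns null after logout(), because the null check simply skips the second call there.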
Configuring keycloak with JSON instead of UI
by Sarp Kaya
Hello,
I’m aware of keycloak import/export functionality but when I export keycloak configuration it exports with a bunch of ids. I’m guessing this is useful for back-ups or duplicating the entire environment.
My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep the majority of the configuration the same; then this export/import becomes unusable:
1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
2) During the import, it’s not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
My question is, what is the best practice to configure keycloak in multiple environments?
8 years, 7 months
Custom Email Provider
by Bruno Palermo
Hi,
I'm implementing a custom AWS SES email provider.
How can I choose which implementation to use for sending emails?
Thanks,
Bruno
8 years, 7 months