February 2017 - keycloak-user - Jboss List Archives

Need help in resending registration emails

by Ganga Lakshmanasamy

Hi, We are using keycloak for our authentcation. Our smtp service went down when few users tried to register. So the registration process went through but the emails were not sent. The user's current status is in "verify email". Please let me know on how to resend the verification email for those registered users. Regards, Ganga Lakshmanasamy

8 years, 7 months

2
1
0 / 0

do not import users when brokering

by Peter Schiffer

Hello all, I'm working on some POC with keycloak and OpenShift [1] and I'm wondering - is it possible to configure Keycloak in a way, that it won't create new users in local database when acting as a broker? For example, in this case [2], I want to be able to login as `user` from saml broker, but without creating the new user in saml-authentication-broker. Is it possible? Thanks, peter [1] https://github.com/pschiffe/keycloak-demo [2] https://github.com/keycloak/keycloak/tree/master/examples/ broker/saml-broker-authentication

8 years, 7 months

3
3
0 / 0

HTTP error - 400 Bad Request - create realm CLI

by Colin Coleman

Hello, Is there a setting limiting the number of realms that can be created with the CLI? When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms kcadm.sh create realms -s realm=test3 -s enabled=true kcadm.sh create realms -s realm=test4 -s enabled=true kcadm.sh create realms -s realm=test5 -s enabled=true . . . I get . . Created new realm with id 'test13' Created new realm with id 'test14' HTTP error - 400 Bad Request HTTP error - 400 Bad Request . . . Colin

8 years, 7 months

2
3
0 / 0

Re Rest API for authentication

by harish jadhav

Hello Team, I have one web application which will be hosted in cloud. I am planning to use keycloak for only authentication purpose and keycloak will be running in on-premise customer location. My plan is to - 1. Import the users to my application through my own import mechanism and later push it to Keycloak over Rest API 2. Present a custom login page in my application which ask username/password and pass it to Keycloak for authentication over Rest API 3. Authentication can be through LDAP or SAML IDP ADFS4. Get the token and use it for accessing the service based on authorization I have some restriction on not to use keycloak login page so cannot use redirection to keycloak login page. Please let me know whether it works out and also give some pointer on Rest API on SAML. My requirement is that I need to authenticate the user either through LDAP, SAML providers. I know some basic auth using Rest but not getting idea on SAML. ThanksHarish

8 years, 7 months

1
2
0 / 0

Keycloak LDAP configuration - deletes ldap user from Keycloak

by Mustafa Kuru

Hi, We are using ldap Federation Provider in READONLY Edit Mode. I saw in Keycloak logs a lot of exceptions like "*Could not query server using DN*" (javax.naming. ServiceUnavailableException) OR "*LDAP: error code 52 - Proxy can't contact remote server*". In our case some ldap users were deleted from Keycloak and reimported into Keycloak from LDAP. We don't know why. Can these exceptions above cause this problem. Or what is the behaviour of Keycloak if it can not connect to ldap or gets empty response from ldap? Delete corresponding user from Keycloak? Thanks in advance. Mustafa Kuru

8 years, 7 months

1
0
0 / 0

custom user attribute access in JS policies

by swapnil.kshirsagar

Hello, I need a sample JavaScript Policy code and steps to access custom user attribute inside a JavaScript policies. Thank you. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/custom-user-attribute-access-in-... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 7 months

1
1
0 / 0

Error installing fuse adapters

by Marcelo Ohashi

Hi guys, I am trying to install fuse adapters from the rh-sso-7.0.0-maven-repository.zip, but it seems that not all bundles are there. So I'm getting the following error on fuse: Error executing command: Error accessing mvn:org.keycloak/keycloak-jetty92-adapter/1.9.8.Final-redhat-1 Does anyone know if there's another repository that I could use? Best regards, -- Marcelo Ohashi Middleware Architect | Red Hat Brasil M: +55 11 9 7338-6338 Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil. RED HAT | TRIED. TESTED. TRUSTED. Saiba porque em redhat.com <https://www.redhat.com/pt-br/about/trusted> <http://www.redhat.com/es/about/trusted> <http://www.redhat.com.br>[image: Red Hat] <http://www.redhat.com.br>

8 years, 7 months

1
0
0 / 0

Special Characters & Direct Access Grant Authentication

by Stefan Schlesinger

Hi, short question. When trying to login a user via the Direct Access Grant API, it looks like the password is not accepted in case it contains special characters. Anyone knows what format the special characters in passwords need to be supplied in? This is how my post request looks like, the password contains a “, which is correctly encoded as %22. > POST https://auth.example.com/auth/realms/master/protocol/openid-connect/token > Accept-Encoding: gzip, x-gzip, deflate, x-bzip2 > Content-Length: 156 > Content-Type: application/x-www-form-urlencoded > > scope=openid&username=example_user&password=asdf%22&totp=123456&grant_type=password&client_id=auth.example.com&client_secret=secret Running keycloak 2.5.1. Best, Stefan.

8 years, 7 months

1
0
0 / 0

missing autodetect-bearer-only from secure-deployment xsd?

by David Delbecq

Hello, i tried to enabled "autodetect bearer only" feature in my application, so that soap requests get proper reply. however, it seems you can only set this value inside keycloak.json, not inside the adapter subsystem config. Worse, if an adapter subsystem config is done, keycloak.json is ignored. Is this a bug i should report or am i missing some documentation? So far i looked here: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/wildfly/wi... https://github.com/keycloak/keycloak/pull/3663 https://keycloak.gitbooks.io/securing-client-applications-guide/content/t... When i set my adapter config like this: <secure-deployment name="my.war"> <realm>${authRealm}</realm> .... <autodetect-bearer-only>true</autodetect-bearer-only> </secure-deployment> I get this error from wildfly [Host Controller] 16:21:20,175 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0033: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration [Host Controller] at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:643) [Host Controller] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271) [Host Controller] at java.lang.Thread.run(Thread.java:745) [Host Controller] Caused by: javax.xml.stream.XMLStreamException: Unknown secure-deployment tag autodetect-bearer-only [Host Controller] at org.keycloak.subsystem.adapter.extension.KeycloakSubsystemParser.readDeployment(KeycloakSubsystemParser.java:107) -- <http://www.trimble.com/> David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq(a)trimbletl.com <http://www.trimbletl.com/>

8 years, 7 months

1
0
0 / 0

Keycloak SAML Sample

by Jitendra Chouhan

Can any point us to any example how to secure SpringBoot app with Keycloak using SAML protocol. We are not able to locate any specific adapter that can be used to secure spring boot application using SAML. Thanks, Jitendra Chouhan

8 years, 7 months

1
0
0 / 0

Can we distinguish between 'new account' and 'password reset' in the emails?

by Kevin Thorpe

Hi, not sure if this is possible or if it's a feature request. When we add a new user to our Keycloak database we set them up and send a 'reset action email'. This is to comply with our policies that we never send passwords via e-mail. Is there any way in the email template to detect if this is a new user or a true password reset? Maybe by checking if they've never logged in. We would like the e-mail to read differently to welcome them as a new user, On a slightly different point can we define the redirect location after a password reset? The reset as it is now works but leaves the user on the Keycloak site, not the site they were expecting to gain access to. Kevin Thorpe *VP Enterprise Platform* w: www.p-i.net p: *+44 (0)20 3005 6750 <+44%2020%203005%206750>* a: 7th Floor, 52 Grosvenor Gardens, London SW1W 0AU <https://twitter.com/pidataanalytics> <https://www.linkedin.com/company/piltd> _________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited

8 years, 7 months

1
0
0 / 0

Impersonation not working from REST calls?

by David Delbecq

Hello, i have some issues to get impersonation to work in my webapp. There is a feature in web for an admin to show all business data and accounts, select one account and become that user. Scenario 1) i connect as user davidd to <keycloak>/auth/admin/<realm>/console. I select the user I want to impersonate, click on impersonate. Browser request sniffing show a REST call: POST: <keycloak>/auth/admin/<realm>/TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation followed by loading of account profile page of that user Scenario 2) I connect to my app as davidd. I select the user i want to become and start the impersonation process. My webapp first call /kc_query_bearer_token to get a token, then calls using xmlhttprequest <keycloak>/auth/admin/<realm>/TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation setting Bearer token in header, and same payload as in (1). I get an HTTP OK reply from keycloak. I then go to the root of my webapp and am redirected to login screen. My admin user was thus correctly logged out, but the new user is not set up for some reason. What am i missing to get impersonation to work from my webapp? Should i extract cookies from reply and put them in my own domain for example? -- <http://www.trimble.com/> David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq(a)trimbletl.com <http://www.trimbletl.com/>

8 years, 7 months

1
1
0 / 0

custom providers

by Patrycja Vrebos

Hi Keycloak users, I am new to keycloak. With my team we are using Red Hat Single Sign-On 7.0 with Keycloak 1.9.8. I need to customize this a little bit. We support diffrent languages and actually some message are not display us we want. For example message in Racaptcha is not in language as expected. I found example how to register Google Recaptcha and how to add validation of form elements on the page: *https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html <https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...>* So I suppose if I will register my own Recaptcha I will can specify message I want to display. As written I need to deploy my jar (j*ust copy it to the standalone/configuration/providers directory*) First, I didn't find *providers *directory in configuration so I created one where I copied my jar and I restarted my server. Then I tried to add my FormAction to the registration Flow but I don't see any diffrence in admin console. I mean I don't think my jar was deployed( I new to jboss) I found there also another way to deploy jar: *throw jar in Keycloak deploy directiry* but I don't understand what is meant by the "Keycloak deploy/ directory" mentioned in the documentation. Another change I want to do is: in reset password page add email validation. I found some example. *Keycloak is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achive this **Keycloak has a number of Service Provider Interfaces (SPI) which you can implement your own providers for*. Could you please recommend one which I should implement for this goal. I will appreciate any help. Best regards, Patrycja

8 years, 7 months

2
2
0 / 0

SAML Assertion Signature Algorithm Validation

by Gabriel Lavoie

Hi, I'm currently testing different SAML signature algorithms with our application and I noticed that regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP). With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure. Can this be done right now or an enhancement request would be required? Thanks, -- Gabriel Lavoie glavoie(a)gmail.com

8 years, 7 months

2
1
0 / 0

SAML Binding - ECP Profile

by Jason B

Hi, I am trying to work on SAML ECP profile. According to Keycloak's server administration documentation this SAML binding is supported. But when I configure IdP/SSO in metadata I am not seeing any description/meta specific to ECP binding. Any documentation available on how to use ECP profile in Keycloak? Also, while testing IdP initiated SSO/ SP initiated SSO,how can I inform Keycloak to use specific binding? Is there any query string parameter available that I can use? Thanks!

8 years, 7 months

3
8
0 / 0

Keycloak LDAP configuration - deletes ldap user from Keycloak

by Mustafa Kuru

Hi, We are using ldap Federation Provider in READONLY Edit Mode. I saw in Keycloak logs a lot of exceptions like "*Could not query server using DN*" (javax.naming.ServiceUnavailableException) OR "*LDAP: error code 52 - Proxy can't contact remote server*". In our case some ldap users were deleted from Keycloak and reimported into Keycloak from LDAP. We don't know why. Can these exceptions above cause this problem. Or what is the behaviour of Keycloak if it can not connect to ldap or gets empty response from ldap? Delete corresponding user from Keycloak? Thanks in advance. Mustafa Kuru

8 years, 7 months

1
0
0 / 0

Connection Reset using LDAPS

by Thomas Barcia

In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error and then click search again and receive results. I tried adding the following to the startup: -Djdk.tls.client.protocols=TLSv1 Based on an article regarding java8 and AD but it does not appear to have made any difference. The error: 14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: <ldap servername>:636 [Root exception is java.net.SocketException: Connection reset] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) at javax.naming.InitialContext.init(InitialContext.java:244) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:209) at java.net.SocketInputStream.read(SocketInputStream.java:141) at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) at sun.security.ssl.InputRecord.read(InputRecord.java:503) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ... 78 more 14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.keycloak.models.ModelException: LDAP Query failed at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery@1c8e5a6 at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) ... 58 more Caused by: javax.naming.CommunicationException: simple bind failed: <ldaps servername>:636 [Root exception is java.net.SocketException: Connection reset] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) at javax.naming.InitialContext.init(InitialContext.java:244) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) ... 59 more Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:209) at java.net.SocketInputStream.read(SocketInputStream.java:141) at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) at sun.security.ssl.InputRecord.read(InputRecord.java:503) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ... 78 more *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

8 years, 7 months

2
3
0 / 0

Re: [keycloak-user] Issue with LDAP federation import

by harish jadhav

Hi Team, Thanks for immediate response. As both users are different persons and reside in different domain with different email id, I was expecting it to treat as different user and in fact objectguid will be different for both users. And as both users belong to same organisation, I can't use different realm also. Is there any workaround available for this? Thanks Harish -------------------------------------------- On Fri, 2/10/17, Bill Burke <bburke(a)redhat.com> wrote: Subject: Re: [keycloak-user] Issue with LDAP federation import To: keycloak-user(a)lists.jboss.org Date: Friday, February 10, 2017, 8:27 PM You can't have 2 users with same username. The sync is pulling users from 2nd federation provider, sees that its already been imported (by 1st Federation sync) and fails to import that user. On 2/10/17 9:32 AM, harish jadhav wrote: > Hello Keycloak Team, > I am new to keycloak and trying to integrate with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains say tkd.com and teckno.com respectively ( running at 172.16.11.100 and 172.16.12.100 respectively) and I am able to import the users from both the directories. I have created two LDAP federation in single realm. > > However one issue which I am facing is I am unable to import one particular user by second federation - I have one user having name ronny(a)tkd.com with username Ronny in 172.16.11.100 and ronny(a)teckno.com with same username Ronny in 172.16.12.100. The error I am getting is > > User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e' > Can you please help on how to sync both users as technically both users are different having different email ids and domains. > Thanks in advance. > ThanksHarish > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 7 months

3
4
0 / 0

Wildfly/swarm - keycloak - mongodb

by suryo

Since keycloak doesn't support mongo anymore, is it still possible keycloak and wildfly with mongodb (with ssl connect)?

8 years, 7 months

1
0
0 / 0

email to reset password falied - keycloak 2.5.0

by Michael Mok

Was trying to send this via my other email but did not reach the mailing list. trying again with my other email. Hi All Need help trying to allow the user to update their password. The use case 1) Login to admin 2) Select a user, goto credential and select Update Password as reset again and sent email 3) User received email and click on the link (within the minute) 4) Keycloak complains with error We are sorry - an error occurred please login again. Setup Keycloak 2.5.1 Final Apache 2.4 - SSL enabled Mod proxy ajp OS ubuntu 14.04 Keycloak standalone.xml ajp config <server name="default-server"> <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" /> <http-listener name="default" socket-binding="http" redirect-socket="https"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="proxy-peer"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> <filters> <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" /> <response-header name="server-header" header-name="Server" header-value="WildFly/10"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> </filters> Apache 2 http conf ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *> RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy> #Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth ajp://localhost:8009/auth Link received in the Update Your Account email https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-acti... Apache log [11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441 Keycloak log 01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code Thanks.

8 years, 7 months

1
0
0 / 0

email to reset password falied - keycloak 2.5.0

by Michael Mok

Hi All Need help trying to allow the user to update their password. The use case 1) Login to admin 2) Select a user, goto credential and select Update Password as reset again and sent email 3) User received email and click on the link (within the minute) 4) Keycloak complains with error We are sorry - an error occurred please login again. Setup Keycloak 2.5.1 Final Apache 2.4 - SSL enabled Mod proxy ajp OS ubuntu 14.04 Keycloak standalone.xml ajp config <server name="default-server"> <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" /> <http-listener name="default" socket-binding="http" redirect-socket="https"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="proxy-peer"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> </handlers> <filters> <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" /> <response-header name="server-header" header-name="Server" header-value="WildFly/10"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> </filters> Apache 2 http conf ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *> RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy> #Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth ajp://localhost:8009/auth Link received in the Update Your Account email https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-acti... Apache log [11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441 Keycloak log 01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code Thanks.

8 years, 7 months

1
0
0 / 0

OPTIONS 401 - CORS problem

by java_os

Group I have an angular spa deployed on host A - apache httpd (static content) making REST api calls into a spring-boot hosted by host B. The 2 servers are different domains. Spa is protected by Keycloak.js. Am able to bring in the index. When I click on a rest call, browser sends over first OPTIONS request to make sure server B is ready to accept since it is an XHR cross domain call. But the problem is that OPTIONS is being sent without Authorization: Bearer 'token' and so the rest webserver rejects the call with 401 -Unauthorized. Each REST call from the SPA to the cross domain REST is rejected. Am I the first one to hit this? I saw people solving this with regular un-secured apps, but in my case Keycloak using spring-security rejects it. Anyone in the group can help me - anyone has deployed the client and server (being bearer keycloak protected) and solved this problem. Have tried various things inside spring-boot to allow options/cors, etc - none worked. Thank you for help.

8 years, 7 months

1
3
0 / 0

admin login,domain cluster mode

by TheAzariturk .

hi we create domain mode cluster with 4 hc(host controller), i create admin user with add-user-keycloak --sc.........but i cant loggin with it, so when i stop 2 HC i can login with admin, please help that what is it???? note that i have shared databse. thanks

8 years, 7 months

1
0
0 / 0

update password failed

by Michael Mok

Hi All Need help trying to allow the user to update their password. The use case 1) Login to admin 2) Select a user, goto credential and select Update Password as reset again and sent email 3) User received email and click on the link (within the minute) 4) Keycloak complains with error We are sorry - an error occurred please login again. Setup Keycloak 2.5.1 Final Apache 2.4 - SSL enabled Mod proxy ajp OS ubuntu 14.04 Keycloak standalone.xml ajp config <server name="default-server"> <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" /> <http-listener name="default" socket-binding="http" redirect-socket="https"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="proxy-peer"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcom e-content"/> </handlers> <filters> <filter name="proxy-peer" class-name="io.undertow.server .handlers.ProxyPeerAddressHandler" module="io.undertow.core" /> <response-header name="server-header" header-name="Server" header-value="WildFly/10"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> </filters> Apache 2 http conf ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *> RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy> #Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth ajp://localhost:8009/auth Link received in the Update Your Account email https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions /execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lv bqhs.5b219018-98ad-4f39-a021-bda421809bcc Apache log [11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login- actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIM H5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441 Keycloak log 01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code Thanks.

8 years, 7 months

1
0
0 / 0

Updating user

by Alexey Kazakov

Hi, Is it possible to update a user remotely using this user's access token? I know that I can do it using Admin REST API but in this case I have to use the admin user's access token which I would like to avoid. We want to use our own user profile page + our backend service. User updates his/her info. UI calls our endpoint providing the user's token. Backend does some internal work related to the user's profile change then updates Keycloak. The missing part is how do we update the Keycloak user account using the user's token only and without obtaining the admin token. Something similar to /realms/<realmname>/protocol/openid-connect/userinfo but for updating the user's account. Or Admin REST API is the only way to do it? Thank you.

8 years, 7 months

1
0
0 / 0

Authentication API

by Jason B

Hi, I would like to handle user registration outside of Keycloak instead of using built in registration feature. But I am having difficulty in figuring out how to allow user to login into Keycloak seamlessly after registration is completed. Does Keycloak supports Authentication as API.. like a web service call and is there any way we can create a session for a user through API? Thanks!

8 years, 7 months

2
3
0 / 0

Issue with LDAP federation import

by harish jadhav

Hello Keycloak Team, I am new to keycloak and trying to integrate with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains say tkd.com and teckno.com respectively ( running at 172.16.11.100 and 172.16.12.100 respectively) and I am able to import the users from both the directories. I have created two LDAP federation in single realm. However one issue which I am facing is I am unable to import one particular user by second federation - I have one user having name ronny(a)tkd.com with username Ronny in 172.16.11.100 and ronny(a)teckno.com with same username Ronny in 172.16.12.100. The error I am getting is User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e' Can you please help on how to sync both users as technically both users are different having different email ids and domains. Thanks in advance. ThanksHarish

8 years, 7 months

2
1
0 / 0

Changing login form in OIDC Authorization Code Flow

by Daniel Radzikowski

Hi, I'm trying to use OpenID Connect interface provided by Keycloak and I've got one doubt: is there any way to customize the login form returned by Keycloak to /protocol/openid-connect/auth request in Authorization Code Flow? By customizing I mean not only changing the page itself, but also the way the form is processed, e.g. it would call external service and after successful authentication, user would be redirected to redirect_uri with code granted (assuming session in Keycloak was created somehow in the meantime). If there isn't as I guess, would it be acceptable to implement such a feature and merge it? I suppose it would be compliant with OpenID Connect Authorization Code Flow. -- Pozdrawiam, Daniel Radzikowski.

8 years, 7 months

2
2
0 / 0

web origins of clients and using wildcards

by Christian Froehlich

Hi, the tool tip of Web Origins at the client administration ui says: "...To permit all origins add '*'.", but it doesn't work. It seems that wildcards in web origins does not work at all. Using wildcards would be great in our development sides where we often works with ips instead of real dns names. So currently we have to add a set of web origins with the possible ips like https://192.168.99.100, https://192.168.99.101,... Is it a bug or just a wrong tool tip or am I completely wrong with my assumption? Regards Christian

8 years, 7 months

2
2
0 / 0

keycloak.js different registration page [Angular 2]

by ruiwp13

Hello, I secured my app with the keycloak.js adapter as shown in the angular 2 example. I modified the login theme to look more like my app and now I was trying to be able to use my own registration page. Is there anyway to redirect to the keycloak login in every page but the registration one? Or what other way is there to do this? Maybe use registrations endpoint and edit the registration template to send the form data to my own endpoint? Best Regards, Rui -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-js-different-registrati... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 7 months

1
0
0 / 0

Notifying clients after session creation in Keycloak

by Daniel Radzikowski

Hi, I'm working on custom SSO, which uses Direct Grant API to store sessions in Keycloak. The SSO creates own cookie and data related to it and then creates session in Keycloak calling /protocol/openid-connect/token, hiding returned tokens behind the cookie. I'm aware that solution isn't the best one, but that's not the case now. What I need now is to provide OpenID Connect Authorization Code Flow to external clients of my custom SSO. The easiest solution would be if they called Keycloak directly, but then the session in custom SSO is not created and the Keycloak session in not related to the user data stored in custom SSO. The question is if there is any way to notify clients (custom SSO) after successful session creation in Keycloak? It would need to call the custom SSO with the contents of /protocol/openid-connect/token response, allowing the custom SSO to store tokens behind the cookie. What if I implemented such a feature and merged it to Keycloak? -- Pozdrawiam, Daniel Radzikowski.

8 years, 7 months

1
0
0 / 0

Using another name than Keycloak's?

by Guus der Kinderen

Hi, We're attempting to protect a service using Keycloak. We've noticed that some values that are valid usernames in Keycloak, are not valid in our service. We'd like to be able to use a username in our service that's different from the username that is used in Keycloak. Preferably, we'd like Keycloak to store the association between 'our' username and the Keycloak user. Is something like this feasible with the existing integration features that are offered by Keycloak? Regards, Guus

8 years, 7 months

2
3
0 / 0

keycloak.js library, init callback never called?

by David Delbecq

Hello, I have a strange issue with the keycloak.js library. I have this code var loader = $q.defer(); var keycloakAuth = new Keycloak(keycloakConfig); var keycloakInit = ...... keycloakAuth.init(keycloakInit).success(function (authenticated) { auth.loggedIn = authenticated; if (authenticated){ KeycloakStorage.setStatus(keycloakAuth); } auth.authz = keycloakAuth; loader.resolve('loaded'); }).error(function () { loader.reject('Failed to load keycloak settings'); }); The init is in check-sso mode and include the refresh and access token last saved in borwser storage. However, when there is some keycloak misconfiguration (here CORS value were bad in client config of keycloak), the iframe generates a 404 without any log event in keycloak, and on javascript side, neither the success nor the error callback get called. I had the feeling, reading the doc, that i should have the guarantee that either error or success will be called. Am i understanding the documentation wrong or is it a bug in Keycloak.js ? Best regards. -- <http://www.trimble.com/> David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq(a)trimbletl.com <http://www.trimbletl.com/>

8 years, 7 months

1
0
0 / 0

Auth SPI being refactored in 3.0

by Bill Burke

The Authentication SPI is being refactored in 3.0. Like what happened in Keycloak 2.x and the User Storage SPI, the Authentication SPI will be refactored and improved through various 3.x releases. We'll clean up areas, rewrite certain areas, and get the SPI ready so that it can be stable and supportable for the foreseeable future. We are also doing this work so that we can support things like step-up authentication and FIDO etc. although the latter is for much later down the road. The first area that will be tackled will be the Form SPI. Regards, Bill

8 years, 7 months

1
0
0 / 0

OAuth token introspection

by Jason B

Hi, I am trying to understand the OAuth 2.0 capabilities of Keycloak server and I have a few questions with respective to the implementation of OAuth introspection spec. This is how a sample introspection response looking like { "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108", "exp": 1485492229, "nbf": 0, "iat": 1485491929, "iss": "http://localhost:8080/auth/realms/nkadali", "aud": "proxy", "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf", "typ": "Bearer", "azp": "proxy", "auth_time": 1485487408, "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7", "name": "", "preferred_username": "jason", "acr": "0", "client_session": "5d761332-97eb-404d-8624-3de4eca967cd", "allowed-origins": [], "realm_access": { "roles": [ "uma_authorization" ] }, "resource_access": { "account": { "roles": [ "manage-account", "view-profile" ] } }, "client_id": "proxy", "username": "jason", "active": true } I have two question based on this response. 1. According to the OAuth OAuth 2.0 Token Introspection ( https://tools.ietf.org/html/rfc7662) the json response body may contain "token_type" member. But why keycloak representing "token_type" as "typ"? Is there any specific reason? 2. I don't see any "scope" attribute in the response body even though I supplied scope parameter while requesting for the access token. Any idea on how to get scopes associated with the supplied access token? Thanks!

8 years, 7 months

2
2
0 / 0

Re: [keycloak-user] Keycloak using HTTPS, error login Facebook

by LEONARDO NUNES

I¹m sorry everyone, the server I was testing the HTTPS didn¹t have access to the Internet. After fixing the Internet connection everything is working fine. -- Leonardo On 09/02/17 14:47, "keycloak-user-bounces(a)lists.jboss.org on behalf of LEONARDO NUNES" <keycloak-user-bounces(a)lists.jboss.org on behalf of leo.nunes(a)gjccorp.com.br> wrote: >[Este remetente foi reprovado em nossas verificações de detecção de >fraude e pode não ser quem ele parece ser. Saiba mais sobre falsificação >em http://aka.ms/LearnAboutSpoofing] > >Hi Everyone, > >I¹m using Keycloak 1.9.8 in production. >Everything was working fine before I configured to use HTTPS. >Now when I try to login using Facebook, I get the error below. >Normal login with email and password is working fine. > >Steps: > > * Go to a restricted page > * On Keycloak login page click on the Facebook icon > * Login at Facebook > * When Facebook tries to redirect back, after a couple minutes I get >the error below > > >2017-02-09 14:36:22,502 ERROR >[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default >task-1) Failed to make identity provider oauth callback: >java.net.ConnectException: Connection timed out >at java.net.PlainSocketImpl.socketConnect(Native Method) >at >java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:35 >0) >at >java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl. >java:206) >at >java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >at java.net.Socket.connect(Socket.java:589) >at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) >at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) >at sun.net.NetworkClient.doConnect(NetworkClient.java:180) >at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) >at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) >at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) >at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) >at >sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpCl >ient(AbstractDelegateHttpsURLConnection.java:191) >at >sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnectio >n.java:1105) >at >sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection >.java:999) >at >sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Abst >ractDelegateHttpsURLConnection.java:177) >at >sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnec >tion.java:1283) >at >sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnect >ion.java:1258) >at >sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURL >ConnectionImpl.java:250) >at >org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) >at >org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authRespo >nse(AbstractOAuth2IdentityProvider.java:228) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java: >62) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorIm >pl.java:43) >at java.lang.reflect.Method.invoke(Method.java:498) >at >org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java: >139) >at >org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMetho >dInvoker.java:295) >at >org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker >.java:249) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resour >ceLocatorInvoker.java:138) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvok >er.java:107) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resour >ceLocatorInvoker.java:133) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvok >er.java:101) >at >org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher >.java:395) >at >org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher >.java:202) >at >org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.servi >ce(ServletContainerDispatcher.java:221) >at >org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(Ht >tpServletDispatcher.java:56) >at >org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(Ht >tpServletDispatcher.java:51) >at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >at >io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.j >ava:85) >at >io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filter >Handler.java:129) >at >org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(Keyclo >akSessionServletFilter.java:88) >at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >at >io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filter >Handler.java:131) >at >io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.jav >a:84) >at >io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleReq >uest(ServletSecurityRoleHandler.java:62) >at >io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(Servl >etDispatchingHandler.java:36) >at >org.wildfly.extension.undertow.security.SecurityContextAssociationHandler. >handleRequest(SecurityContextAssociationHandler.java:78) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.han >dleRequest(SSLInformationAssociationHandler.java:131) >at >io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.han >dleRequest(ServletAuthenticationCallHandler.java:57) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest >(AbstractConfidentialityHandler.java:46) >at >io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHand >ler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >at >io.undertow.security.handlers.AuthenticationMechanismsHandler.handleReques >t(AuthenticationMechanismsHandler.java:60) >at >io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.ha >ndleRequest(CachedAuthenticatedSessionHandler.java:77) >at >io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(No >tificationReceiverHandler.java:50) >at >io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.ha >ndleRequest(AbstractSecurityContextAssociationHandler.java:43) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRe >quest(JACCContextIdHandler.java:61) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Serv >letInitialHandler.java:284) >at >io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(Servlet >InitialHandler.java:263) >at >io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletIniti >alHandler.java:81) >at >io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(Servlet >InitialHandler.java:174) >at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >at >io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >at >java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java: >1142) >at >java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java >:617) >at java.lang.Thread.run(Thread.java:745) > >2017-02-09 14:36:22,503 WARN [org.keycloak.events] (default task-1) >type=LOGIN_ERROR, realmId=accounts, clientId=null, userId=null, >ipAddress=10.112.0.28, error=identity_provider_login_failure > > > > >-- >Leonardo Nunes >________________________________ >Esta mensagem pode conter informação confidencial e/ou privilegiada. Se >você não for o destinatário ou a pessoa autorizada a receber esta >mensagem, não poderá usar, copiar ou divulgar as informações nela >contidas ou tomar qualquer ação baseada nessas informações. Se você >recebeu esta mensagem por engano, por favor avise imediatamente o >remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua >cooperação. > >This message may contain confidential and/or privileged information. If >you are not the addressee or authorized to receive this for the >addressee, you must not use, copy, disclose or take any action based on >this message or any information herein. If you have received this message >in error, please advise the sender immediately by reply e-mail and delete >this message. Thank you for your cooperation >_______________________________________________ >keycloak-user mailing list >keycloak-user(a)lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 7 months

1
0
0 / 0

Keycloak using HTTPS, error login Facebook

by LEONARDO NUNES

Hi Everyone, I’m using Keycloak 1.9.8 in production. Everything was working fine before I configured to use HTTPS. Now when I try to login using Facebook, I get the error below. Normal login with email and password is working fine. Steps: * Go to a restricted page * On Keycloak login page click on the Facebook icon * Login at Facebook * When Facebook tries to redirect back, after a couple minutes I get the error below 2017-02-09 14:36:22,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) at sun.net.NetworkClient.doConnect(NetworkClient.java:180) at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 2017-02-09 14:36:22,503 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=accounts, clientId=null, userId=null, ipAddress=10.112.0.28, error=identity_provider_login_failure -- Leonardo Nunes ________________________________ Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

8 years, 7 months

1
0
0 / 0

Keycloak Admin Client, create user, error 500, Internal Server Error

by max.catarino＠rps.com.br

I'm using Keycloak 2.5.1 Final, Keycloak Admin Client 2.5.1 Final, Resteasy Client 3.1.0 Final and Resteasy Jacksom2 Provider 3.1.0 Final. I'm using the code above to test create an user using the Admin Client. When the application run the create method, the response returns error 500, Internal Server Error with the trace above on Undertown server. I'm missing something? Keycloak kc = KeycloakBuilder.builder() .serverUrl("https://IP:8443/auth/realms/sgp/protocol/openid-connect/auth") .realm("testrealm") .username(adminUser) .password(adminPassword) .clientId("admin-cli") .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) .build(); userRep = new UserRepresentation(); userRep.setFirstName("John"); userRep.setLastName("Doe"); userRep.setEmail("john.doe(a)test.com"); userRep.setEnable(Boolean.TRUE); Response response = kc.realm(realmId).users().create(userRep); 17:19:58,337 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/admin/realms/testrealm/users: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:230) at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:211) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more

8 years, 7 months

3
3
0 / 0

implement one way user sync from legacy db to keycloak

by Istvan Orban

Hi Guys, I am in the process of moving to keycloak and I need to make a decision how to migrate my users. I think I have two options 1, migrate users using JSON import. I can grab the password from the db as they are encrypted with a reversible encryption :) In this case I have one question. I need to generate an output JSON and for that I need to see how keycloak salts and encrypts the passwords by default. Can you point me to the class that does this ? Can I include keycloak as a dependency and call the same class to do the work for me ? 2, migrate uses on-the-fly I did find this example -> examples/userstorage/readonly/PropertyFileUserStorageProvider.java which is a great starting point although I have one question on this one. Do I need to implement CredentialInputUpdater All I need to do is one way import of the users from my DB which I will probably do via an API call I do not wish to sync users back to the legacy db at all. Would it be enough to simply just implement these interfaces -> UserStorageProvider, UserLookupProvider, CredentialInputValidator, Also I did find an enum in UserStorageProvider called EditMode and I could not find out where to use this enum ? Do I need to worry about this at all? Thanks for any help ! -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *

8 years, 7 months

1
0
0 / 0

Change locale (language) for select list information.

by Gustavo Alvarez

Hi all. I am using the keycloak 2.3.0 Final. I changed the language for a master realm, created a client and the information is presented whit the new language, except some list retrieved from database in English, for example in the menu 'Authentication' tab 'Bindings' the select list in browser flow Do not change the language, always is English. Can I change the language of this information ?? Thanks for your help. Gaalvarez.

8 years, 7 months

1
0
0 / 0

Differences between SAML descriptors

by Muein Muzamil

Hi All, Currently, KeyCloak supports two mechanisms to download SAML metadata. One is using this public URL <root>/auth/realms/{realm}/protocol/saml/descriptor. The Second option is to download it from the installation tab of the client or using this API /admin/realms/{realm}/clients/ {id}/installation/providers/{providerId} It seems that there are some differences between them. Especially the first option returns you metadata with an extra <EntitiesDescriptor> tag. Such as <EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y "> ......... </EntityDescriptor> </EntitiesDescriptor> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine). Is there any reason for this? Regards, Muein

8 years, 7 months

4
7
0 / 0

Using a service account for an app

by Juan Diego

Hi, Sorry I am a little bit confused on how to use a service account. And if I am doing this correctly. I was reading this https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/cl... So at the moment I have a java rest api backend that is set as an access type bearer-only, a front end in angular 1.5 that is a public access type. And they work ok with keycloak. So I am creating a third app (it is not web), in java. I want this app to be able to access my rest services without logging in or creating public services. So for what I understand I should create client of type confidential, and allow services accounts. So here is the part that I am a kind of lost. I only have one role called users, that I was using on my backend and front end. Should I create a new role for my app, and should I add this role on my backend? Thanks

8 years, 7 months

1
0
0 / 0

Re: [keycloak-user] Two Factor Authentication in Keycloak using text message or email to the user.

by Kevin Berendsen

Hi Reed, It sure is possible but every text message gateway vendor probably has its own custom API so you need to create your own authenticator unless someone else did it for the same vendor. It sure is possible and if you get to know the Authentication SPI of Keycloak, its most likely done within two weeks (includes testing and playing around with the code). We are doing the very same thing in about 2 weeks. On 8 Feb 2017 7:50 pm, Reed Lewis <RLewis(a)carbonite.com> wrote: We wish to use two factor Authentication with Keycloak, but not the built in authenticator, but instead a more user friendly of sending a text message to the user which the user will type into a box on the screen to successfully log in. Would that be something that could be done with Keycloak easily? I would guess there would need to be a plug in to do this, but want to make sure it would be possible first. Reed _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 7 months

1
0
0 / 0

Two Factor Authentication in Keycloak using text message or email to the user.

by Reed Lewis

We wish to use two factor Authentication with Keycloak, but not the built in authenticator, but instead a more user friendly of sending a text message to the user which the user will type into a box on the screen to successfully log in. Would that be something that could be done with Keycloak easily? I would guess there would need to be a plug in to do this, but want to make sure it would be possible first. Reed

8 years, 7 months

2
1
0 / 0

Client setup recommandation

by David Delbecq

Hello, we have a javascript web application we are migrating to keycloak. I am not sue what are the recommandations on setting up configuration for that client with the following requirement: Once user triggers the "login" and gets keycloak authenticated, we should get a bearer token to use later on REST services. The user should not be requested again to login, unless he logs out. Even if he closes his browser. So we need a way to keep or replace token on a regular basis. Is there some keycloak REST service we can poll on a regular basis for this? Sometimes the user goes "off grid" (no network communication) for several hours. How can we ensure we still keep logged in? My first idea was to just increase the SSO timeout and token validity to 30 days. But it seems like a bad idea from my reading of keycloak documentation. So i tried to use an offline token instead, but it seems the implicit flow doesn't allow you to get an offline token. All token i get after login are marked as expiring within 15 minutes. What's the recommended way to get long lived refresh token, using implicit flow? -- <http://www.trimble.com/> David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq(a)trimbletl.com <http://www.trimbletl.com/>

8 years, 7 months

2
4
0 / 0

[Keycloak][Ldap Federation][Custom User LDAP Filter]

by Salvatore Incandela

Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I put a custom query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but this seems to be ignored. Looking on the LDAPIdentityStore.fetchQueryResults method. It seems that once an EqualsCondition was found this one is considered and the others ignored. *if (condition instanceof EqualCondition) {* . . return results; } I'm sure that I'm doing something wrong, some ideas? -- Salvatore Incandela Middleware Consultant ------------------------------ Red Hat - www.redhat.com Via Andrea Doria 41M 00192 Roma (Italy) Mobile +39 349 6196615 Fax +39 06 39728535 E-mail salvatore.incandela(a)redhat.com

8 years, 7 months

2
3
0 / 0

Re: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]

by Kevin Berendsen

Hi, Depending on the implementation of your LDAP server, 'uid' is most likely the unique identifier so not once should there be two LDAP entries with the same value. If you're searching based on your uuid which most likely set to 'uid', then other conditions shouldnt matter as only one can return anyway. Remove 'uid' from your baseDN could fix your issue. Even better to help you out, could you send your LDAP federation config? Leave out all the information that you may consider sensitive such as passwords. - Kevin On 8 Feb 2017 10:46 am, Salvatore Incandela <salvatore.incandela(a)redhat.com> wrote: This is what is see from log files: *2017-02-08 10:36:41,667 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-44) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it , uuid: example, attributes: {uid=[example], userPassword=[[B@6ba1b2f0], mail=[example(a)example.it <example(a)example.it>], givenName=[example], sn=[example], title=[disabled], modifyTimestamp=[20170207194557Z], createTimestamp=[20170207114007Z]}, readOnly attribute names: [givenname, sn, userpassword, mail, uid, modifytimestamp, title, createtimestamp] ]* Why in the case of UUID search the Custom User LDAP Filter is ignored? On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda <mposolda(a)redhat.com> wrote: > On 07/02/17 16:12, Salvatore Incandela wrote: > >> Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I put a custom >> query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but >> this seems to be ignored. >> Looking on the LDAPIdentityStore.fetchQueryResults method. It seems that >> once an EqualsCondition was found this one is considered and the others >> ignored. >> >> *if (condition instanceof EqualCondition) {* >> . >> . >> return results; >> } >> > Nope, if you look at the code more deeply, you can find that this one is > used just for the special case when you query by UUID. > > Maybe it can help to enable TRACE logging for the class > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your > standalone.xml . With this enabled, you should be able to see some > additional logging messages in server.log like: > > TRACE Using filter for LDAP search: ... > > you can see in which DN you're searching and how exactly your LDAP filter > looks like. Hopefully this can help to figure what is wrong. > > Marek > > >> I'm sure that I'm doing something wrong, some ideas? >> >> > -- Salvatore Incandela Middleware Consultant ------------------------------ Red Hat - www.redhat.com<http://www.redhat.com> Via Andrea Doria 41M 00192 Roma (Italy) Mobile +39 349 6196615 Fax +39 06 39728535 E-mail salvatore.incandela(a)redhat.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 7 months

1
0
0 / 0

How to check whether user account is activated

by Shaikh Asrafali Anwarali

Hi, I need to check whether user account is activated or not, below is the scenario Whenever we create user and assign some temporary password, so that user changes password immediately after login. immediately after login message is prompt "You need to change your password to activate your account." Wherein user needs to set his new password. So question is until new password is set account is not activated, so by which property can we know that user account is not activated. I need to check this in my new custom required action. Regards, Asraf Shaikh

8 years, 7 months

1
0
0 / 0

Issues starting up keycloak after DB migration to 2.2.1 from 1.8.0

by Nathan McGinnis

Hi Everyone, I'm unable to start our keycloak server and could some assistance. Just to give a quick recap of background and steps we've taken.. We've been using keycloak 1.8.0 for a while and are in the process of migrating to a 2.2.1 instance in AWS. We're running standalone HA mode with two nodes behind a public ELB. I have configured JDBC Ping to save session state across both nodes in preproduction and it works there. I have configured production the same way as preprod (we're also using Chef so I know its configured the same). In production, we've taken a backup of the keycloak postgresql DB (1.8.0) and restored it to the keycloak DB our 2.2.1 instance is pointed to. I have set migrationStrategy to manual and it produced a .sql file to run. We had some issues running it related to indicies and tables and such already existing so we decided to run each statement line by line. This got us past the "Database not up-to-date" error, but we're now seeing this in the server.log which causes the startup to fail. Does anyone have an idea what the problem could be? 2017-02-07 17:16:50,380 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 55) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment. default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services. resources.KeycloakApplication(javax.servlet.ServletContext, org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. run(UndertowDeploymentService.java:85) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication( javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct( ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( ResteasyProviderFactory.java:2209) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication( ResteasyDeployment.java:299) at org.jboss.resteasy.spi.ResteasyDeployment.start( ResteasyDeployment.java:240) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. init(ServletContainerDispatcher.java:113) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( ManagedServlet.java:231) at io.undertow.servlet.core.ManagedServlet.createServlet( ManagedServlet.java:132) at io.undertow.servlet.core.DeploymentManagerImpl.start( DeploymentManagerImpl.java:526) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService. startContext(UndertowDeploymentService.java:101) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. run(UndertowDeploymentService.java:82) ... 6 more Caused by: javax.persistence.EntityNotFoundException: Unable to find org.keycloak.models.jpa.entities.ClientEntity with id asdfg123-123x-123e-1xx1-sdkasdjf7123 at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImp l$JpaEntityNotFoundDelegate.handleEntityNotFound( EntityManagerFactoryBuilderImpl.java:144) at org.hibernate.proxy.AbstractLazyInitializer.checkTargetState( AbstractLazyInitializer.java:242) at org.hibernate.proxy.AbstractLazyInitializer.initialize( AbstractLazyInitializer.java:159) at org.hibernate.proxy.AbstractLazyInitializer.getImplementation( AbstractLazyInitializer.java:266) at org.hibernate.proxy.pojo.javassist.JavassistLazyInitializer.invoke( JavassistLazyInitializer.java:68) at org.keycloak.models.jpa.entities.ClientEntity_$$_jvst1c4_8.getRealm( ClientEntity_$$_jvst1c4_8.java) at org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient( RealmAdapter.java:1234) at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>( CachedRealm.java:241) at org.keycloak.models.cache.infinispan.RealmCacheSession. getRealm(RealmCacheSession.java:379) at org.keycloak.migration.migrators.MigrateTo1_9_0. migrate(MigrateTo1_9_0.java:45) at org.keycloak.migration.MigrationModelManager.migrate( MigrationModelManager.java:74) at org.keycloak.services.resources.KeycloakApplication.migrateModel( KeycloakApplication.java:221) at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap( KeycloakApplication.java:162) at org.keycloak.services.resources.KeycloakApplication$ 1.run(KeycloakApplication.java:121) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction( KeycloakModelUtils.java:295) at org.keycloak.services.resources.KeycloakApplication. <init>(KeycloakApplication.java:112) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance( NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct( ConstructorInjectorImpl.java:150) ... 19 more

8 years, 7 months

1
0
0 / 0

External Username, Password, Email... dataset with Keycloak

by Reed Lewis

Hi, We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak. Thank you, Reed Lewis

8 years, 7 months

4
16
0 / 0

Call to protected resource

by Sebastien Michea

Hi, I have a general question. Let say i have a javaee webapp that need to call an external API or resource secured for instance with openidConnect. Can keycloak help me in some way in order to implement the authentication flow? Thank you Best regards

8 years, 7 months

1
0
0 / 0

Implementing New Required Action

by Shaikh Asrafali Anwarali

Hi, At present I am implementing New Required Action, similar to that of updatePassword required action. I did go through Authenticator example . Question is for implementing new required action do we need to provide implementation for Authenticator and AuthenticatorFactory? Is there any guidelines for implementing required action apart from the Authenticator example. Regards, Asraf Shaikh

8 years, 7 months

1
0
0 / 0

implementing new password policy

by Shaikh Asrafali Anwarali

Hi , Hope you are doing well. I am currently trying to implement new password policy, is there any kind of documentation or guide available which helps in implementation. Or any example. Thanks in advance. Regards, Asraf Shaikh

8 years, 7 months

2
2
0 / 0

IdP initiated SSO to Account page?

by Mark Pardijs

Hi, I want to give my users the possibility to edit their account settings from an federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account? As far as I can see, I have to do the following steps: 1. In the ‘master’ keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there’s no such thing as ‘OpenID Connect IdP initiated SSO as far as I can see) 2. In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID} The login goes successfully, but after login I see a 403 "Failed executing POST /realms/master/account” error, since the account page doesn’t accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET) I could make a third client with as only function showing a link to the account page but don’t know if this is the right way to go.

8 years, 7 months

2
2
0 / 0

Re: [keycloak-user] Angular2 app with non-authenticated pages

by Kevin Berendsen

Hi, Our initiation of the Keycloak JS adapter happens after the user tries his first attempt to access an authenticated-only page. We developed a very simple abstract class that will act as our authenticated component and will be extended by all components which requires an authenticated user. So our initiation logic is contained by our abstract authenticated component class. This solution only requires a little refactoring in your codebase and some additional code. Tip: remove the reload page logic in the catch clause when you try to initiate the Keycloak JS adapter. You might end up in redirect infinite loops. Kind regards, Kevin Berendsen -----Oorspronkelijk bericht----- Date: Mon, 6 Feb 2017 10:47:29 +0000 From: Plunkett McGurk <plunkett_mcgurk(a)accelerite.com> Subject: [keycloak-user] Angular2 app with non-authenticated pages To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> Message-ID: <BM1PR01MB0851B2EC94B85E3E104284E7E1400(a)BM1PR01MB0851.INDPRD01.PROD.OUTLOOK.COM> Content-Type: text/plain; charset="us-ascii" Hi Guys, In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...) I'm my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages Many thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. ------------------------------

8 years, 7 months

3
2
0 / 0

Exposing keycloak to clients or hide it

by Istvan Orban

Hi Everyone, I have set-up keycloak locally and I like it a lot. I generally like to hide implementation detail from related services so that they can be decoupled. I know keycloak have libs for plenty of different frameworks etc, although I am thinking about setting it up using Apache and mod_auth_openidc The advantage is that our software will have openid connect as a dependency rather than keycloak. I would like to ask you what I am missing out with such a setup? Are there any major features I am loosing by not using keycloak specific clients libs to connect my appllications to keycloak directly? Thanks for any insights ! Istvan

8 years, 7 months

2
2
0 / 0

Release date 2.5.3.Final

by Mark Pardijs

When will release 2.5.3.Final be published? In Jira it has status Released (https://issues.jboss.org/projects/KEYCLOAK/versions/12333576) but in the downloads section or docker repo the version is still 2.5.1.Final.

8 years, 7 months

2
1
0 / 0

Removing Mongo support from Keycloak

by Stian Thorgersen

At times you have to make hard decisions and this has been one of those. We have decided to remove Mongo support from Keycloak. The primary motivation behind this decision is that we simply don't have the resources to maintain and further develop the back-end for both relational databases and Mongo. Further, there are some fundamental issues with our current use of Mongo that would require a large amount of work to become fully production ready. This primarily boils down to the lack of ACID transactions in Mongo. We hope that this decision won't result in too much trouble for those of you that are currently using Mongo as the back-end for Keycloak. It should be relatively painless to migrate to a relational database with our export/import feature. If you do run into issues with this please let us know on the mailing list and we will do whatever we can to help make the transition as smooth as possible. If anyone from the community would like to take over the Mongo support and maintain it as a separate extension please let us know. We can help with extracting the code and work together in making it easy to install it as an extension. Migrating from Mongo to relational database First step is to export the full database. You can do this by stopping the Keycloak server and running: bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup This will export all data from Mongo to JSON files within the directory backup. For full details refer to the Server Administration Guide <https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ex...> . Next step is to install a relational database and configure it in Keycloak. Take your pick we support quite a few. For full details refer to the Server Installation Guide <https://keycloak.gitbooks.io/server-installation-and-configuration/conten...> . Once you have the relational database ready and configured, you can start Keycloak and import the data exported from Mongo. To do this run Keycloak with: bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup Hopefully you're now up and running with all your realms and users migrated to the relational database. If not, let us know on the user mailing list and we'll help you out as soon as possible.

8 years, 7 months

1
0
0 / 0

Angular 2 with Webpack

by Brian Schwartz

Has anyone created an angular 2 application that's bundled with Webpack and protected by keycloak? How do I include the required dependencies and use them? Thanks

8 years, 7 months

5
25
0 / 0

Keycloak-Proxy OR mod_auth_openidc

by abhishek raghav

Hi I was working on a legacy app, which doesn't support keycloak adapter to be configured there. I did some POC and figured out that there are 2 solutions i.e. Keycloak Proxy and another is apache mods "mod_auth_openidc". I could successfully integrate both the solutions with keycloak and could setup the authentication Any suggestions on which one to use when..? Which can be a better candidate among the two..? Any suggestions are deeply appreciated. Thanks in advance. Cheers Abhishek Raghav

8 years, 7 months

1
0
0 / 0

Angular2 app with non-authenticated pages

by Plunkett McGurk

Hi Guys, In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...) I'm my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages Many thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

8 years, 7 months

2
1
0 / 0

Scopes auto complete on Resources gets only limited records.

by Ushanas Shastri

Hello, In the resources screen, when we add new resource, and want to select some Scopes, the auto complete gets limited records, which look like page size chunks from the Scopes screen. If I have say 50 Scopes, all of which have parts of the word Search, then beyond the initial list, the other scopes don't show up. Regards, Ushanas.

8 years, 7 months

2
3
0 / 0

keycloak user store provider and modules logic

by Giordano, Antonio

Hi all, We are moving from keycloak 1.7 to 2.5.1 and we have some troubles in the deployment of a jar relative to our user storage provider. In the old version we deploy all jars and properties with jboss modules logic but in new version there is a specific folder "providers" where we have to deploy our user storage provider. Unfortunately seems that our jar can't use resources loaded in modules section of wildfly (other jars or props) and needs all resources in his package. My question is: which is the correct way in 2.5.1 to deploy a keycloak provider that use resources defined in wildfly classpath via modules logic? Thanks for your help agi

8 years, 8 months

2
1
0 / 0

keycloak.js updateToken does not validate refresh token expiration date

by adam.michalski＠aol.com

keycloak.js updateToken does not validate refresh token expiration date in example https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a... when i call getToken() method after refresh token expires i get console.info('[KEYCLOAK] Refreshing token: token expired'); from keycloak.js:400 with /auth/realms/InfiniteBirEUmowy/protocol/openid-connect/token 400 (Bad Request) [KEYCLOAK] Failed to refresh token I need to check if refresh token does not expired and if it is call KeycloakService.auth.authz.login(); Why this token refresh expiration check is not handled by updateToken inside keycloak.js updateToken()?

8 years, 8 months

2
1
0 / 0

Group / Subgroup Creation in Java

by Rodel Talampas

Hi All, Need help on the following scenario. Been doing some POC for our keycloak user management project and having problems passing my unit test as when I create 3 level subgroups, my Keycloak Server hangs. Sample Junit Test code: ====================================================== createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_2"); createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_2"); ==================================== private static void createSubGroups(Keycloak keycloak, String realmName, String groupName, String realmClient){ GroupRepresentation parentSub = null; boolean found = false; for (GroupRepresentation group: keycloak.realm(realmName).groups().groups()){ for (GroupRepresentation sub: group.getSubGroups()){ if (sub.getName().equals(groupName)) { parentSub = sub; found = true; break; } } if (found) break; } GroupResource parentSubResource = keycloak.realm(realmName).groups().group(parentSub.getId()); GroupRepresentation subGroup1 = new GroupRepresentation(); subGroup1.setName(groupName + "-" + realmClient); subGroup1.setPath("/Group_1/" + groupName); parentSubResource.subGroup(subGroup1); } ========== Target Output Below ====== Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 DUTY_MANAGER_Client_2 CASHIER CASHIER_Client_1 CASHIER_Client_2 ================================= My code will only work properly for the first 2 calls of the method. On the 3rd call, it will somehow hang on the loop. Am not able to debug nor step through in Junit. It will only produce the following: Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 CASHIER CASHIER_Client_1 I also tried of instead using a loop I use the getGroupByPath from the realmResource but still the same issue. The only thing left for me is to call the Restful Service directly from my code. Any suggestions will be very much appreciated. Thanks Rodel

8 years, 8 months

2
2
0 / 0

Getting Access token over REST API

by akash agrawal

Hi, I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect. I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get access token? Using KeyCloak user interface to login and get an access token is not an option. Appreciate your help. Thanks. Akash

8 years, 8 months

2
3
0 / 0

Email Templates

by Serhii Morunov

Hello. I meet some issue with using keycloack Admin API and client. When im trying to send email-verification email via /send-verify-email i recieving template for "Update user account". Is it known issue or i doing something wrong? Im trying with Keycloak 2.5.1.Final server version. Best Regards, Serhii

8 years, 8 months

2
1
0 / 0

Keycloak admin-panel. Infinite loop.

by keijo.korte＠kvak.net

Hi, Setup: OS: Centos 6.8 Keycloak version, 2.5.1-FINAL httpd version 2.2.15 I have configured httpd as a SSL off loading reverse proxy for Keycloak server. The proxy and the Keycloak are on different servers. Basically everything works fine, but I can't log in because I am been redirected back to the square one all the time. Here is the flow: GET https://idp.xxx.net/auth/admin/ GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH... GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8... GET lots of resources: /config, login-status-iframe.html, /token, /messages.json and so on GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?clien... and the same thing from the start. Forever. httpd configuration for SSL: ***** <VirtualHost *:443> ServerName idp.xxx.net ServerAdmin webmaster(a)xxx.net DocumentRoot /var/www/html/ <Directory /> Order deny,allow Allow from all Options FollowSymLinks AllowOverride None </Directory> <Proxy *> Order deny,allow Allow from all </Proxy> ProxyRequests Off RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" ProxyPreserveHost on ProxyPass / http://172.16.22.12:8080/ keepalive=On ProxyPassReverse / http://172.16.22.12:8080/ + lots of cipher suite setting and so on. ***** WildFly configuration: ***** <server name="default-server"> <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/> <host name="default-host" alias="localhost idp.xxx.net"> <location name="/" handler="welcome-content"/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> </host> </server> .... <socket-binding-group name="standard-sockets" default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> <socket-binding name="http" port="${jboss.http.port:8080}"/> <socket-binding name="proxy-https" port="443"/> <socket-binding name="https" port="${jboss.https.port:8443}"/> <socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-status-manager" port="4713"/> <outbound-socket-binding name="mail-smtp"> <remote-destination host="localhost" port="25"/> </outbound-socket-binding> </socket-binding-group> ***** Does someone has some kind of clue why I am been redirected? First I think that this was some kind of http/https redirect problem, but when I enabled requestdumper @ wildfly I can see that everything is HTTPS. ***** ----------------------------REQUEST--------------------------- URI=/ characterEncoding=null contentLength=-1 contentType=null header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 header=Accept-Language=en-US,en;q=0.5 header=Accept-Encoding=gzip, deflate, br header=X-Forwarded-Server=idp.xxx.net header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0 header=Connection=Keep-Alive header=X-Forwarded-Proto=https header=X-Forwarded-Port=443 header=X-Forwarded-For=88.12.13.14 header=Upgrade-Insecure-Requests=1 header=Host=idp.xxx.net header=X-Forwarded-Host=idp.xxx.net locale=[en_US, en] method=GET protocol=HTTP/1.1 queryString= remoteAddr=88.12.13.14:0 remoteHost=88.12.13.14 scheme=https host=idp.xxx.net serverPort=443 ***** -Keijo

8 years, 8 months

3
4
0 / 0

k_query_bearer_token, is there a way to query the associated public key?

by Scott Stark

So I can query the current access token via the myapp-root/k_query_bearer_token when expose-token is set to true, but is there a way to query the public key associated with the signature portion of the token?

8 years, 8 months

2
3
0 / 0

How explicitly enable session management in Keycloak?

by Known Michael

Hey, I use mod_auth_openidc version "2.1.2", Keycloak version “2.4.0” I was not able to implement the session management using OP and RP frames as described here: https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management I see in mod_auth_openidc logs the following: [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client 192.168.111.33] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe ( https://localhost/auth/realms/realm/protocol/openid-connect/login-status-...) is not provided, referer: https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?resp... It looks like the session management is disabled because the Provider did not return a session_state parameter in the authentication response (which in its turn can be verified via the referer URL in the same log entry) as the spec dictates: https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdating... How should I configure explicitly enable session management in Keycloak? It should starts returning session_state in the authentication responses. I see that it is implemented already https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss something.

8 years, 8 months

2
1
0 / 0

Strange behavior upon the RP initiated logout

by Known Michael

Hey, I successfully integrated mod_auth_openidc with Keycloak: https://keycloak.gitbooks.io/securing-client-applications-guide/content/t... In addition to the master realm we use our own realm. I have strange behavior upon the RP initiated logout. I access RP logout URL it redirects to Keycloak using the logout endpoint (https://<ip>/auth/realms/realm/protocol/openid-connect/logout) as described here: https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#... Unfortunately, Keycloak redirect me to the “Session not active” error string when I press on the logout after couple of minutes of work. The logout is successfully if I press the logout button after 1 or 2 minutes after the login. I have tried to debug Keycloak and I have found the following: TokenManager in the function org.keycloak.protocol.oidc.TokenManager#verifyIDToken calls to JsonWebToken and founds that the token is expired (org.keycloak.representations.JsonWebToken#isExpired) It caused since the expiration of the token is very short (couple of minutes). Questions: 1) How to configure the token expiration? I have increased “SSO Session Idle” to 90 minute but it does not change the token expiration (it remains short) https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/se... 2) Why logout cannot work after couple of minutes?

8 years, 8 months

2
1
0 / 0

Response CORS Headers

by Eriksson Fabian

Hello! We are currently facing a problem with CORS-headers and the theme cache settings found in standalone/configuration/standalone.xml. We have two applications using the same realm, when logging in to the first application we first call the /auth/realms/${realm-name}/.well-known/openid-configuration to find OIDC configuration and the browser first does an options request and the response is showing the correct access-control-allow-origin header and the header is cached for as long as the staticMaxAge is set to. But when we try to login to the second application the response headers that was cached is used and we get the wrong access-control-allow-origin header (still pointing to the first application URL). Our question is; can we configure only this endpoint (.../.well-known/openid-configuration) to have a no-cache header but leave the rest of the application cached? BR Fabian Eriksson

8 years, 8 months

2
1
0 / 0

Exception on realm import

by David Delbecq

Hello, I tried to use the import feature to import preconfigured client & roles from dev environment to production, but I get an exception during the import. I got to the realm -> import, select file, realm to import, check import client and check import client roles, set to overwrite. I get an error "*Error!* javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement" Any workaround / suggestion? It seems related to a client role named "authenticated" but not sure it's not just failing on first client role of file. Here is server stacktrace: 2017-01-26 15:29:29,718 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) SQL Error: 23505, SQLState: 23505 2017-01-26 15:29:29,718 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement: insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173] 2017-01-26 15:29:29,719 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-31) HHH000010: On release of batch it still contained JDBC statements 2017-01-26 15:29:29,719 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0038: Error importing roles: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:57) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) at com.sun.proxy.$Proxy61.flush(Unknown Source) at org.keycloak.models.jpa.JpaRealmProvider.addClientRole(JpaRealmProvider.java:231) at org.keycloak.models.cache.infinispan.RealmCacheSession.addClientRole(RealmCacheSession.java:703) at org.keycloak.models.jpa.ClientAdapter.addRole(ClientAdapter.java:636) at org.keycloak.models.utils.RepresentationToModel.importRoles(RepresentationToModel.java:437) at org.keycloak.partialimport.RolesPartialImport.doImport(RolesPartialImport.java:98) at org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:77) at org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:855) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303) at sun.reflect.GeneratedMethodAccessor342.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) ... 57 more Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300) ... 61 more Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement: insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173] at org.h2.message.DbException.getJdbcSQLException(DbException.java:331) at org.h2.message.DbException.get(DbException.java:171) at org.h2.message.DbException.get(DbException.java:148) at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101) at org.h2.index.PageBtree.find(PageBtree.java:121) at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148) at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101) at org.h2.index.PageBtreeNode.addRowTry(PageBtreeNode.java:201) at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:95) at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:86) at org.h2.table.RegularTable.addRow(RegularTable.java:125) at org.h2.command.dml.Insert.insertRows(Insert.java:127) at org.h2.command.dml.Insert.update(Insert.java:86) at org.h2.command.CommandContainer.update(CommandContainer.java:79) at org.h2.command.Command.executeUpdate(Command.java:235) at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154) at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 71 more -- <http://www.trimble.com/> David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq(a)trimbletl.com <http://www.trimbletl.com/>

8 years, 8 months

2
1
0 / 0

Authentication via client certificate

by FREIMUELLER Christian

Dear all, I've a hopefully short question regarding authentication in Keycloak. Is there an already built in mechanism to authenticate against Keycloak via client certificate? If yes, how can I configure it? Are there any examples in the showcase regarding client certificates? If no, how can I implement and configure it? - I guess implementing the Authentication SPI and register it in Keycloak as an alternative flow? Best regards, Christian

8 years, 8 months

2
1
0 / 0

Add local user instead of federated user

by andrew dwyer

Hi, I’m wondering if there is a way to add a local user to a realm with an existing LDAP User Federation link. At the moment when I attempt to add a user via the web admin console Keycloak thinks I want to add the user to LDAP and fails with the error “Registration is not supported by this ldap server”. This is to support the small percentage of our users who aren’t in our corporate LDAP directory. My fall back solution may be to write a simple alternative provider or set up an LDAP server under our control to add to the provider list. https://keycloak.gitbooks.io/server-developer-guide/ content/topics/user-storage/simple-example.html Thanks Andrew Dwyer

8 years, 8 months

2
1
0 / 0

Re: [keycloak-user] keycloak-user Digest, Vol 38, Issue 3

by max.catarino＠rps.com.br

Yes, is possible. http://lists.jboss.org/pipermail/keycloak-user/2016-April/005869.html > Date: Wed, 1 Feb 2017 23:00:47 +0000 (UTC) > From: akash agrawal <akash_agrawal(a)yahoo.co.uk> > Getting Access token over REST API > > Hi, > I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect. > I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get access token? Using KeyCloak user interface to login and get an access token is not an option. > Appreciate your help. Thanks. > Akash

8 years, 8 months

1
0
0 / 0

setOTPEnabled

by Amit Arora

In 2.2.0 , I was using setOTPEnabled to enable and disable totp verification on run time. It seems in 2.5.0 this method is not available , do we have any way to have this functionality.. I can see a usercredentialmanager having a method disableCredentials , it seems i can use this to disable the totp verification but there is no counterpart to enable it Can any have a hint?

8 years, 8 months

2
1
0 / 0

another small enhancement request for MSAD password mapper

by mj

Hi, In the microsoft management tools there is a checkbox: "user must change password at next logon". If I check that box, keycloak 2.5 gives us a logon failure. Perhaps it would be only a rather small change, to map that MSAD checkbox ("Pwd-Last-Set" = 0) to the equivalent in keycloak: "credentials" / "temporary" switch. So the next time a user is asked to change his/her password. More MS info here: https://msdn.microsoft.com/en-us/library/ms679430 And, and thanks very much very much for the recent fix of issue 2333, on MSAD password policies! Much appreciated! :-) MJ

8 years, 8 months

3
11
0 / 0

SAML AuthnContext

by Muein Muzamil

Hi all, We are trying to configure OpenAM as SAML client with KeyCloak, as part of SAML request it sends PasswordProtectedTransport AuthnContext (as shown below) and it expects this back as part of SAML response. <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"Comparison="exact"> <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> Currently, KeyCloak always returns unspecified as AuthnContext, is there any way to return back AuthnContext what KeyCloak received in the request? <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> Regards, Muein

8 years, 8 months

2
2
0 / 0

Add OneTimeUse condition to SAMLResponse

by Mark Pardijs

Hi, Is it possible to add an client configuration option to include the <OneTimeUse> condition in the SAMLResponse sent to a client? Currently this element is not included, but I’ve clients that require the use of the OneTimeUse condition, as recommended in the SAML security considerations in paragraph 6.4.4: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf I think the fix itself is an easy one ( add assertion.getConditions().addCondition(new OneTimeUseType()); to SAML2LoginResponseBuilder) but it might be useful to make this option configurable.

8 years, 8 months

2
2
0 / 0

Re: [keycloak-user] [keycloak-dev] Keycloak on active MQ

by Marek Posolda

I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kind of services. See docs for details https://keycloak.gitbooks.io/securing-client-applications-guide/content/v... . Marek On 01/02/17 10:26, Shankar_Bhaskaran wrote: > Hi , > > We are using keycloak as SSO in our organization. I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic? > > Regards, > Shankar > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

8 years, 8 months

1
0
0 / 0

Conflict with LastPass Chrome Extension

by Alessandro Segatto

Hi, we found a conflict between LastPass chrome extension (version 4.1.38) and Keycloak js adapter (version 2.5). LastPass is sending a message to login status iframe, which crashes while trying to parse it! I think LastPass caused the issue with his last update , but i think you should also be interested in solving this lack of robustness. If you agree, I can open an issue o Jira. I made an attempt also with angular2-product-app , but i run into a similar issue (LastPass and Keycloak messaging one the other, then crashing) Thanks, Alessandro Segatto -- Ing. Alessandro Segatto Software Engineer Research and Development *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you.

8 years, 8 months

2
4
0 / 0

Validation of IdP SAML signatures using KeyInfo

by Mark Pardijs

Hi, Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. We use a SAML IdP which is configured in Keycloak as federated IdP, and I’ve a question concerning the validation of SAML signatures. In Keycloaks Identity provider config page, the validating X509 Certificates can be configured, with description “The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,).” but in the code, I see that for checking the signatures a “HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c7.... My two questions concerning this approach: 1. Keycloak is currently expecting a <KeyInfo> element with a <KeyName> in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I”m facing a NullPointer exception when sending a SAMLResponse without KeyInfo element. 2. What’s the idea behind the HardcodedKeyLocator, it doesn’t seem to match with the multiple keys configuration option in Keycloaks frontend. Is this a preliminary approach which should be extended? Hope to hear your thoughts on this! Mark

8 years, 8 months

2
8
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user February 2017