email to reset password failed - keycloak 2.5.0
by Michael Mok
Hi All
Need help trying to allow the user to update their password. The use case:
1) Log in to admin
2) Select a user, go to credential and select Update Password as reset again
and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please
login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
    <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" />
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="proxy-peer"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-acti...
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 11 months
OPTIONS 401 - CORS problem
by java_os
Group
I have an angular spa deployed on host A - apache httpd (static content)
making REST api calls into a spring-boot
hosted by host B. The 2 servers are different domains.
Spa is protected by Keycloak.js. Am able to bring in the index. When I
click on a rest call,
browser sends over first OPTIONS request to make sure server B is ready to
accept since it is an XHR cross domain call.
But the problem is that OPTIONS is being sent without Authorization:
Bearer 'token' and so the rest webserver rejects the call
with 401 -Unauthorized. Each REST call from the SPA to the cross domain
REST is rejected.
Am I the first one to hit this?
I saw people solving this with regular un-secured apps, but in my case
Keycloak using spring-security rejects it.
Anyone in the group can help me - anyone has deployed the client and
server (being bearer keycloak protected) and solved
this problem.
Have tried various things inside spring-boot to allow options/cors, etc -
none worked.
Thank you for help.
7 years, 11 months
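Added example, not part of the original post and not Keycloak or Spring code: a browser sends the CORS preflight described above without an Authorization header, so the API has to answer it before the bearer check while still requiring a token on every real request. The origin, the handle() function and the verifyToken callback are hypothetical names used only here; real token validation is assumed to be done by the adapter.

```javascript
// Constructed allow-list: the origin of the SPA on "host A".
const ALLOWED_ORIGINS = new Set(['https://spa.example.test']);

function corsHeaders(origin) {
  // Echo the allow-listed origin and tell caches the response varies by it.
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// A preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method. It never carries credentials.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    'origin' in req.headers &&
    'access-control-request-method' in req.headers;
}

// req: { method, headers } with lower-case header names (as Node provides).
// verifyToken: caller-supplied stand-in for real bearer validation
// (signature, issuer, audience, expiry).
function handle(req, verifyToken) {
  const origin = req.headers['origin'];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  // 1. Answer the preflight before any authentication check.
  if (isPreflight(req)) {
    if (!originOk) return { status: 403, headers: {} };
    return {
      status: 204,
      headers: {
        ...corsHeaders(origin),
        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers': 'Authorization, Content-Type',
        'Access-Control-Max-Age': '600',
      },
    };
  }

  // 2. Everything else, including a plain OPTIONS, still needs a valid token.
  //    CORS headers go on the 401 too, so the SPA can read the status.
  const headers = originOk ? corsHeaders(origin) : {};
  const m = /^Bearer (.+)$/.exec(req.headers['authorization'] || '');
  if (!m || !verifyToken(m[1])) return { status: 401, headers };
  return { status: 200, headers };
}
```

Checking the bearer token first, before step 1, reproduces the 401 on OPTIONS that the post reports.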
admin login,domain cluster mode
by TheAzariturk .
Hi,
We created a domain mode cluster with 4 HC (host controllers). I created an admin
user with add-user-keycloak --sc.........but I can't log in with it. When
I stop 2 HC I can log in with admin. Please help, what is it????
Note that I have a shared database.
Thanks
7 years, 11 months
update password failed
by Michael Mok
Hi All
Need help trying to allow the user to update their password. The use case:
1) Log in to admin
2) Select a user, go to credential and select Update Password as reset again
and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please
login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
    <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https" />
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="proxy-peer"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 11 months
Updating user
by Alexey Kazakov
Hi,
Is it possible to update a user remotely using this user's access token?
I know that I can do it using Admin REST API but in this case I have to
use the admin user's access token which I would like to avoid.
We want to use our own user profile page + our backend service. User
updates his/her info. UI calls our endpoint providing the user's token.
Backend does some internal work related to the user's profile change
then updates Keycloak. The missing part is how do we update the Keycloak
user account using the user's token only and without obtaining the admin
token.
Something similar to
/realms/<realmname>/protocol/openid-connect/userinfo but for updating
the user's account. Or Admin REST API is the only way to do it?
Thank you.
7 years, 11 months
Authentication API
by Jason B
Hi,
I would like to handle user registration outside of Keycloak instead of
using built in registration feature. But I am having difficulty in
figuring out how to allow user to login into Keycloak seamlessly after
registration is completed.
Does Keycloak support authentication as an API, like a web service call, and
is there any way we can create a session for a user through the API?
Thanks!
7 years, 11 months
Issue with LDAP federation import
by harish jadhav
Hello Keycloak Team,
I am new to Keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both the directories. I have created two LDAP federations in a single realm.
However one issue which I am facing is I am unable to import one particular user by second federation - I have one user having name ronny(a)tkd.com with username Ronny in 172.16.11.100 and ronny(a)teckno.com with same username Ronny in 172.16.12.100. The error I am getting is
User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
Can you please help on how to sync both users as technically both users are different having different email ids and domains.
Thanks in advance.
Thanks
Harish
7 years, 11 months
Changing login form in OIDC Authorization Code Flow
by Daniel Radzikowski
Hi,
I'm trying to use OpenID Connect interface provided by Keycloak and I've
got one doubt: is there any way to customize the login form returned by
Keycloak to /protocol/openid-connect/auth request in Authorization Code
Flow? By customizing I mean not only changing the page itself, but also the
way the form is processed, e.g. it would call external service and after
successful authentication, user would be redirected to redirect_uri with
code granted (assuming session in Keycloak was created somehow in the
meantime).
If there isn't as I guess, would it be acceptable to implement such a
feature and merge it? I suppose it would be compliant with OpenID Connect
Authorization Code Flow.
--
Regards,
Daniel Radzikowski.
7 years, 11 months
web origins of clients and using wildcards
by Christian Froehlich
Hi,
the tool tip of Web Origins at the client administration UI says: "...To
permit all origins add '*'.", but it doesn't work. It seems that wildcards
in web origins do not work at all. Using wildcards would be great in our
development sites where we often work with IPs instead of real DNS names.
So currently we have to add a set of web origins with the possible IPs
like https://192.168.99.100, https://192.168.99.101,...
Is it a bug or just a wrong tool tip or am I completely wrong with my
assumption?
Regards Christian
7 years, 11 months
keycloak.js different registration page [Angular 2]
by ruiwp13
Hello,
I secured my app with the keycloak.js adapter as shown in the angular 2
example. I modified the login theme to look more like my app and now I was
trying to be able to use my own registration page. Is there any way to
redirect to the keycloak login in every page but the registration one?
Or what other way is there to do this? Maybe use registrations endpoint and
edit the registration template to send the form data to my own endpoint?
Best Regards,
Rui
7 years, 11 months