Call to protected resource
by Sebastien Michea
Hi,
I have a general question.
Let's say I have a Java EE webapp that needs to call an external API or
resource secured, for instance, with OpenID Connect.
Can Keycloak help me in some way in order to implement the authentication
flow?
Thank you
Best regards
7 years, 10 months
Implementing New Required Action
by Shaikh Asrafali Anwarali
Hi,
At present I am implementing a new Required Action, similar to the updatePassword required action.
I did go through the Authenticator example. The question is: for implementing a new required action, do we need to provide implementations of Authenticator and
AuthenticatorFactory?
Are there any guidelines for implementing a required action apart from the Authenticator example?
Regards,
Asraf Shaikh
7 years, 10 months
implementing new password policy
by Shaikh Asrafali Anwarali
Hi,
Hope you are doing well.
I am currently trying to implement a new password policy. Is there any kind of documentation or guide available which helps with the implementation?
Or any example?
Thanks in advance.
Regards,
Asraf Shaikh
7 years, 10 months
IdP initiated SSO to Account page?
by Mark Pardijs
Hi,
I want to give my users the possibility to edit their account settings from a federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account?
As far as I can see, I have to do the following steps:
1. In the 'master' Keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there's no such thing as 'OpenID Connect IdP initiated SSO' as far as I can see)
2. In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID}
The login goes successfully, but after login I see a 403 "Failed executing POST /realms/master/account" error, since the account page doesn't accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET)
I could make a third client whose only function is showing a link to the account page, but I don't know if this is the right way to go.
7 years, 10 months
Re: [keycloak-user] Angular2 app with non-authenticated pages
by Kevin Berendsen
Hi,
Our initiation of the Keycloak JS adapter happens after the user makes his first attempt to access an authenticated-only page. We developed a very simple abstract class that will act as our authenticated component and will be extended by all components which require an authenticated user. So our initiation logic is contained in our abstract authenticated component class.
This solution only requires a little refactoring in your codebase and some additional code.
Tip: remove the reload page logic in the catch clause when you try to initiate the Keycloak JS adapter. You might end up in infinite redirect loops.
Kind regards,
Kevin Berendsen
-----Original message-----
Date: Mon, 6 Feb 2017 10:47:29 +0000
From: Plunkett McGurk <plunkett_mcgurk(a)accelerite.com>
Subject: [keycloak-user] Angular2 app with non-authenticated pages
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Hi Guys,
In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...)
In my Angular2 app I have a landing page which should be non-secured, i.e. I don't need to log in to view it. However, because Keycloak wraps everything, it first hits the landing page and then redirects the user to login.
So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how Keycloak can be integrated with non-secure pages.
Many thanks
Plunkett
7 years, 10 months
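The pattern described in the reply above, sketched as an added TypeScript example (not code from the post or from Keycloak). `AuthAdapter`, `FakeAdapter`, `LazyAuth` and the component classes are hypothetical names, and the fake stands in for the keycloak-js adapter so the block runs offline.

```typescript
// Constructed stand-in for the keycloak-js adapter so the sketch runs offline.
interface AuthAdapter { init(options: { onLoad: string }): Promise<boolean>; }

class FakeAdapter implements AuthAdapter {
  initCalls = 0;
  succeed: boolean;
  constructor(succeed: boolean) { this.succeed = succeed; }
  init(_options: { onLoad: string }): Promise<boolean> {
    this.initCalls++;
    return this.succeed ? Promise.resolve(true) : Promise.reject(new Error("init failed"));
  }
}

// Hypothetical service: starts the adapter at most once, on first demand.
class LazyAuth {
  private pending: Promise<boolean> | null = null;
  private adapter: AuthAdapter;
  constructor(adapter: AuthAdapter) { this.adapter = adapter; }

  ensureAuthenticated(): Promise<boolean> {
    if (this.pending === null) {
      // On failure resolve to false instead of reloading the page: a reload
      // would run init again and can end in a redirect loop.
      this.pending = this.adapter.init({ onLoad: "login-required" }).catch(() => false);
    }
    return this.pending;
  }
}

// Base class for every component that requires a logged-in user.
abstract class AuthenticatedComponent {
  state: "pending" | "ready" | "denied" = "pending";
  protected auth: LazyAuth;
  constructor(auth: LazyAuth) { this.auth = auth; }

  // Stand-in for Angular's ngOnInit lifecycle hook.
  async onInit(): Promise<void> {
    const ok = await this.auth.ensureAuthenticated();
    this.state = ok ? "ready" : "denied";
    if (ok) this.onAuthenticated();
  }
  protected abstract onAuthenticated(): void;
}

class LandingComponent { title = "Welcome"; } // public page: never touches auth

class ProfileComponent extends AuthenticatedComponent {
  loaded = false;
  protected onAuthenticated(): void { this.loaded = true; }
}
```

Because the pending promise is shared, several protected components mounting at once trigger a single adapter initialisation, and a failed initialisation leaves them in the `denied` state rather than retrying.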
Exposing keycloak to clients or hide it
by Istvan Orban
Hi Everyone,
I have set-up keycloak locally and I like it a lot. I generally like to
hide implementation detail from related services so that they can be
decoupled.
I know Keycloak has libs for plenty of different frameworks etc., although
I am thinking about setting it up using Apache and mod_auth_openidc.
The advantage is that our software will have OpenID Connect as a dependency
rather than Keycloak. I would like to ask you what I am missing out on with
such a setup?
Are there any major features I am losing by not using Keycloak-specific
client libs to connect my applications to Keycloak directly?
Thanks for any insights!
Istvan
7 years, 10 months
Removing Mongo support from Keycloak
by Stian Thorgersen
At times you have to make hard decisions and this has been one of those. We
have decided to remove Mongo support from Keycloak. The primary motivation
behind this decision is that we simply don't have the resources to maintain
and further develop the back-end for both relational databases and Mongo.
Further, there are some fundamental issues with our current use of Mongo
that would require a large amount of work to become fully production ready.
This primarily boils down to the lack of ACID transactions in Mongo.
We hope that this decision won't result in too much trouble for those of
you that are currently using Mongo as the back-end for Keycloak. It should
be relatively painless to migrate to a relational database with our
export/import feature. If you do run into issues with this please let us
know on the mailing list and we will do whatever we can to help make the
transition as smooth as possible.
If anyone from the community would like to take over the Mongo support and
maintain it as a separate extension please let us know. We can help with
extracting the code and work together in making it easy to install it as an
extension.
Migrating from Mongo to relational database
First step is to export the full database. You can do this by stopping the
Keycloak server and running:
bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup
This will export all data from Mongo to JSON files within the directory
backup. For full details refer to the Server Administration Guide
<https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ex...>.
Next step is to install a relational database and configure it in Keycloak.
Take your pick; we support quite a few. For full details refer to the Server
Installation Guide
<https://keycloak.gitbooks.io/server-installation-and-configuration/conten...>.
Once you have the relational database ready and configured, you can start
Keycloak and import the data exported from Mongo. To do this run Keycloak
with:
bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup
Hopefully you're now up and running with all your realms and users migrated
to the relational database. If not, let us know on the user mailing list
and we'll help you out as soon as possible.
7 years, 10 months
Angular 2 with Webpack
by Brian Schwartz
Has anyone created an Angular 2 application that's bundled with Webpack and
protected by Keycloak?
How do I include the required dependencies and use them?
Thanks
7 years, 10 months
Keycloak-Proxy OR mod_auth_openidc
by abhishek raghav
Hi
I was working on a legacy app which doesn't support configuring a Keycloak
adapter.
I did some POC and figured out that there are 2 solutions, i.e. Keycloak
Proxy and the Apache module "mod_auth_openidc".
I could successfully integrate both solutions with Keycloak and could
set up the authentication.
Any suggestions on which one to use when?
Which is the better candidate of the two?
Any suggestions are deeply appreciated.
Thanks in advance.
Cheers
Abhishek Raghav
7 years, 10 months