Strange behavior upon the RP initiated logout
by Known Michael
Hey,
I successfully integrated mod_auth_openidc with Keycloak:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/t...
In addition to the master realm we use our own realm.
I have strange behavior upon the RP initiated logout.
When I access the RP logout URL, it redirects to Keycloak using the logout endpoint
(https://<ip>/auth/realms/realm/protocol/openid-connect/logout) as
described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#...
Unfortunately, Keycloak redirects me to the “Session not active” error
when I press logout after a couple of minutes of work.
The logout is successful if I press the logout button 1 or 2
minutes after the login.
I have tried to debug Keycloak and I have found the following:
TokenManager, in the function
org.keycloak.protocol.oidc.TokenManager#verifyIDToken, calls JsonWebToken
and finds that the token is expired
(org.keycloak.representations.JsonWebToken#isExpired).
This is caused by the token's expiration being very short (a couple of
minutes).
Questions:
1) How do I configure the token expiration?
I have increased “SSO Session Idle” to 90 minutes but it does not change the
token expiration (it remains short):
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/se...
2) Why does logout not work after a couple of minutes?
7 years, 10 months
Response CORS Headers
by Eriksson Fabian
Hello!
We are currently facing a problem with CORS headers and the theme cache settings found in standalone/configuration/standalone.xml. We have two applications using the same realm. When logging in to the first application we first call /auth/realms/${realm-name}/.well-known/openid-configuration to find the OIDC configuration; the browser first does an OPTIONS request, the response shows the correct access-control-allow-origin header, and the header is cached for as long as staticMaxAge is set to. But when we try to log in to the second application, the response headers that were cached are used and we get the wrong access-control-allow-origin header (still pointing to the first application URL).
Our question is: can we configure only this endpoint (.../.well-known/openid-configuration) to have a no-cache header but leave the rest of the application cached?
BR
Fabian Eriksson
7 years, 10 months
Exception on realm import
by David Delbecq
Hello,
I tried to use the import feature to import preconfigured clients & roles
from the dev environment to production, but I get an exception during the
import. I go to the realm -> import, select the file and the realm to import, check
import clients and check import client roles, and set to overwrite. I get an
error "*Error!* javax.persistence.PersistenceException:
org.hibernate.exception.ConstraintViolationException: could not execute
statement"
Any workaround / suggestion? It seems related to a client role named
"authenticated", but I am not sure it's not just failing on the first client role of
the file.
Here is server stacktrace:
2017-01-26 15:29:29,718 WARN
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) SQL
Error: 23505, SQLState: 23505
2017-01-26 15:29:29,718 ERROR
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) Unique
index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON
PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */
null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated',
null, null, null, null)"; SQL statement:
insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE,
DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?,
?, ?, ?, ?, ?, ?, ?) [23505-173]
2017-01-26 15:29:29,719 INFO
[org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default
task-31) HHH000010: On release of batch it still contained JDBC statements
2017-01-26 15:29:29,719 ERROR [org.keycloak.services] (default task-31)
KC-SERVICES0038: Error importing roles:
org.keycloak.models.ModelDuplicateException:
javax.persistence.PersistenceException:
org.hibernate.exception.ConstraintViolationException: could not execute
statement
at
org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:57)
at
org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
at com.sun.proxy.$Proxy61.flush(Unknown Source)
at
org.keycloak.models.jpa.JpaRealmProvider.addClientRole(JpaRealmProvider.java:231)
at
org.keycloak.models.cache.infinispan.RealmCacheSession.addClientRole(RealmCacheSession.java:703)
at org.keycloak.models.jpa.ClientAdapter.addRole(ClientAdapter.java:636)
at
org.keycloak.models.utils.RepresentationToModel.importRoles(RepresentationToModel.java:437)
at
org.keycloak.partialimport.RolesPartialImport.doImport(RolesPartialImport.java:98)
at
org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:77)
at
org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:855)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.persistence.PersistenceException:
org.hibernate.exception.ConstraintViolationException: could not execute
statement
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
at sun.reflect.GeneratedMethodAccessor342.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
... 57 more
Caused by: org.hibernate.exception.ConstraintViolationException: could not
execute statement
at
org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
at
org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
at
org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
at
org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
at
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
at
org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
at
org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886)
at
org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386)
at
org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
at
org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
at
org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
... 61 more
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key
violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON
PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */
null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated',
null, null, null, null)"; SQL statement:
insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE,
DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?,
?, ?, ?, ?, ?, ?, ?) [23505-173]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:331)
at org.h2.message.DbException.get(DbException.java:171)
at org.h2.message.DbException.get(DbException.java:148)
at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101)
at org.h2.index.PageBtree.find(PageBtree.java:121)
at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148)
at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101)
at org.h2.index.PageBtreeNode.addRowTry(PageBtreeNode.java:201)
at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:95)
at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:86)
at org.h2.table.RegularTable.addRow(RegularTable.java:125)
at org.h2.command.dml.Insert.insertRows(Insert.java:127)
at org.h2.command.dml.Insert.update(Insert.java:86)
at org.h2.command.CommandContainer.update(CommandContainer.java:79)
at org.h2.command.Command.executeUpdate(Command.java:235)
at
org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154)
at
org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140)
at
org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
at
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
... 71 more
7 years, 10 months
Authentication via client certificate
by FREIMUELLER Christian
Dear all,
I have a hopefully short question regarding authentication in Keycloak.
Is there an already built-in mechanism to authenticate against Keycloak via client certificate?
If yes, how can I configure it?
Are there any examples in the showcase regarding client certificates?
If no, how can I implement and configure it?
- I guess by implementing the Authentication SPI and registering it in Keycloak as an alternative flow?
Best regards,
Christian
7 years, 10 months
Add local user instead of federated user
by andrew dwyer
Hi,
I’m wondering if there is a way to add a local user to a realm with an
existing LDAP User Federation link. At the moment when I attempt to add a
user via the web admin console Keycloak thinks I want to add the user to
LDAP and fails with the error “Registration is not supported by this ldap
server”.
This is to support the small percentage of our users who aren’t in our
corporate LDAP directory. My fallback solution may be to write a simple
alternative provider or set up an LDAP server under our control to add to
the provider list.
https://keycloak.gitbooks.io/server-developer-guide/content/topics/user-storage/simple-example.html
Thanks
Andrew Dwyer
7 years, 10 months
Re: [keycloak-user] keycloak-user Digest, Vol 38, Issue 3
by max.catarino@rps.com.br
Yes, it is possible.
http://lists.jboss.org/pipermail/keycloak-user/2016-April/005869.html
> Date: Wed, 1 Feb 2017 23:00:47 +0000 (UTC)
> From: akash agrawal <akash_agrawal(a)yahoo.co.uk>
> Getting Access token over REST API
>
> Hi,
> I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect.
> I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get access token? Using KeyCloak user interface to login and get an access token is not an option.
> Appreciate your help. Thanks.
> Akash
7 years, 10 months
setOTPEnabled
by Amit Arora
In 2.2.0, I was using setOTPEnabled to enable and disable TOTP
verification at run time. It seems in 2.5.0 this method is not available;
do we have any way to get this functionality?
I can see a UserCredentialManager having a method disableCredentials; it
seems I can use this to disable the TOTP verification, but there is no
counterpart to enable it.
Does anyone have a hint?
7 years, 10 months
another small enhancement request for MSAD password mapper
by mj
Hi,
In the microsoft management tools there is a checkbox: "user must change
password at next logon". If I check that box, keycloak 2.5 gives us a
logon failure.
Perhaps it would be only a rather small change to map that MSAD
checkbox ("Pwd-Last-Set" = 0) to the equivalent in Keycloak, the
"credentials" / "temporary" switch, so that the user is asked to
change his/her password the next time.
More MS info here:
https://msdn.microsoft.com/en-us/library/ms679430
And thanks very much for the recent fix of issue 2333, on
MSAD password policies! Much appreciated! :-)
MJ
7 years, 10 months
SAML AuthnContext
by Muein Muzamil
Hi all,
We are trying to configure OpenAM as a SAML client with Keycloak. As part of
the SAML request it sends the PasswordProtectedTransport AuthnContext (as shown
below) and it expects this back as part of the SAML response.
<samlp:RequestedAuthnContext
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
Currently, Keycloak always returns unspecified as the AuthnContext. Is there
any way to return the AuthnContext that Keycloak received in the request?
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
Regards,
Muein
7 years, 10 months
Add OneTimeUse condition to SAMLResponse
by Mark Pardijs
Hi,
Is it possible to add a client configuration option to include the <OneTimeUse> condition in the SAMLResponse sent to a client? Currently this element is not included, but I have clients that require the use of the OneTimeUse condition, as recommended in the SAML security considerations in paragraph 6.4.4:
http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
I think the fix itself is an easy one (add assertion.getConditions().addCondition(new OneTimeUseType()); to SAML2LoginResponseBuilder) but it might be useful to make this option configurable.
7 years, 10 months
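As an added example (not Keycloak's code and not from either poster), a standard-library Python sketch of the two SAML pieces raised in this thread and the AuthnContext thread above: reading the RequestedAuthnContext of an AuthnRequest, deciding which AuthnContextClassRef the IdP may legitimately assert in the response, and adding the OneTimeUse condition to the assertion's Conditions. The AuthnRequest fragment, the IDs and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed AuthnRequest fragment modelled on the one quoted in the AuthnContext thread.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_class_refs(authn_request_xml):
    """Return (Comparison, [class refs]) from RequestedAuthnContext; ("exact", []) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs

def select_class_ref(performed, comparison, requested):
    """Class ref the IdP may assert. It must describe what actually happened, so a requested
    class is echoed only if it matches; None = answer with status NoAuthnContext instead."""
    if not requested:
        return performed
    if comparison != "exact":
        raise ValueError(f"Comparison={comparison!r} needs a context ordering; not handled here")
    return performed if performed in requested else None

def build_assertion(class_ref, one_time_use):
    """Minimal <saml:Assertion>: Conditions (with <saml:OneTimeUse/> when asked, per SAML
    security considerations 6.4.4) and an AuthnStatement carrying the given class ref."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_assert1")
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
    if one_time_use:
        ET.SubElement(conditions, f"{{{SAML}}}OneTimeUse")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement")
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return assertion

def asserted_class_ref(assertion):
    return assertion.find(f".//{{{SAML}}}AuthnContextClassRef").text

def has_one_time_use(assertion):
    return assertion.find(f"{{{SAML}}}Conditions/{{{SAML}}}OneTimeUse") is not None

if __name__ == "__main__":
    comparison, refs = requested_class_refs(AUTHN_REQUEST)
    chosen = select_class_ref(PPT, comparison, refs)  # the user really did authenticate this way
    print(ET.tostring(build_assertion(chosen, one_time_use=True), encoding="unicode"))
```

The point of `select_class_ref` is that an IdP echoes a requested class only when the login it actually performed satisfies it; otherwise the honest answer is a NoAuthnContext status, not an assertion claiming a stronger context.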