Need any advice on issue KEYCLOAK-3923 (LDAP FEDERATION ISSUE)
by Sumit Das
Hi
I saw a few comments on the url below:-
https://issues.jboss.org/browse/KEYCLOAK-3923
We are also facing the same issue where we want to *delete Roles and Groups
from the LDAP(Active Directory)*, which is federating a Keycloak instance,
once we *delete the same from the Keycloak instance*.
We *want to have this feature* for our convenience. I read about a flag
being introduced to facilitate the same. Has the feature been already
developed?? Can you provide me with any update about it??
I would *highly appreciate any help* regarding this. Please do respond and
shed some light on the issue.
Regards
*Sumit Das*
7 years, 10 months
Realm Keys
by Jason B
Hi,
I am wondering where does Keycloak stores realm keys and how they are
replicated across servers when deployed multiple Keycloak servers as a
single cluster. Is it in database or some local keystore? Are there any
special considerations we need to take for realm keys while we deploying it
as a cluster?
Thanks!
7 years, 10 months
Delete Roles on Active Directory when deleted from Keycloak
by Sumit Das
Hi
I have done an integration of Keycloak Realm with an Active Directory
instance. The realm roles that have been created are mapped with the help
of a role-mapper. When I delete any roles from the Realm, the role still
persists in the AD instance, even after using the synchronization of
"Keycloak Roles to LDAP". How do i ensure that when i delete any role on
the Keycloak, it also gets deleted from the AD as well?
Please do respond.
Regards
*Sumit Das*
*Mobile No.- +91-9986872466 *
7 years, 10 months
Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hi Sebasien,
Thank you for your answer.
After adding your suggestion to the security constrainst, I get the following error:
Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties': Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method' from 'applicationConfig: [classpath:/application.properties]' to 'securityConstraints[0].securityCollections[0].http-method' property on 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$SecurityConstraint'
My configuration looks like this:
keycloak.securityConstraints[0].securityCollections[0].name = secured end points
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].http-method = GET
Do you know what could the problem be?
Thank you!
Best,
Andreea
-----Original message-----
From: Sebastien Blanc <sblanc(a)redhat.com>
Sent: Tuesday 21st February 2017 17:43
To: Andreea Ciuprina <aciuprin(a)mpi-bremen.de>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization
You can add the configuration about the policy enforcer in your application.properties, just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead
of just policy-enforcer).
Regarding HTTP Verb authz , it *should* work since Spring Boot Adapter just passes along the configuration to the underlying Servlet Container (Tomcat, undertow or Jetty).
But even without using the authorization layer, you should be able to achieve this by configuring the security constraints.
keycloak.securityConstraints[1].securityCollections[0].http-method = GET
etc ...
On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina <aciuprin(a)mpi-bremen.de <mailto:aciuprin@mpi-bremen.de> > wrote:
Hello!
We are building an online application for which we are using Keycloak for authentification and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achive more fine-grained authorization, more specifically, we would like to set-up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is
not keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de <mailto:aciuprin@mpi-bremen.de>
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de <mailto:a.ciuprina@jacobs-university.de>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 10 months
Invinity loop while proxy angular2 devserver
by Okie Othsam
Hi,
I try to prepare a development environment and got a strange loop behavior.
I have build a docker scenario with a keycloak/postgresql container that is
behind a web server proxy container (tested Apache and nginx). The
webserver container proxy also to a local running node.js instance with
angualar2 devserver.
My sample angular app uses the javascript keycloak adapter and wrapped it
with a service.
If I run Angular devserver and keycloak without any proxy all works fine.
When I use the same servers (modified keycloak.json) behind the proxy, the
angular app runs after successful keycloak login in an endless loop. Every
second the site is reloaded - without any new login.
When I build a release from my angular app and deploy it to the webserver
all works fine. But this is not really an alternative because I want setup
an universal dev environment :-/
After days of debugging, imo there is a good chance for some race
conditions in Javascript adapter between the dynamic iframe and the angular
app or I do something essential wrong.
My question is now, have anyone here run a similar setup and use it without
any problems?
Currently my containers run with keycloak version 2.4.0.Final. As next step
I will update my setup to 2.5.1.Final and try to reproduce the behavior.
Kind regards
Eiko
7 years, 10 months
Configuring event logging in Keycloak
by Thomas Darimont
Hello group,
I needed to configure Keycloak to also show success events in the logs
in order to to be able to show the login count over time in a graylog
dashboard.
For this to work I needed to change the log level for the "success-level"
within the keycloak jboss-logging event-listener configuration.
As some other folks might want to do that as well I'd like to share my
jboss-cli config snippet with you.
Cheers,
Thomas
cd $KEYCLOAK_HOME
bin/jboss-cli.sh
# Start keycloak in embedded mode for configuration
embed-server --server-config=standalone-ha.xml --std-out=echo
# Configure jboss-logging event listener
/subsystem=keycloak-server/spi=eventsListener:add(default-provider=jboss-logging)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
# Propgate success events to INFO instead of DEBUG
# This allows to track successful logins in log analysis
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)
7 years, 10 months
User SPI and connection management
by Istvan Orban
Hi Guys,
I managed to implement User SPI for legacy user migration.
Can someone shed some light how User SPIs are called in the system?
Are they reused among threads or is it threadsafe ?
The reason I am asking is that I used RestEasy to migrate user from the
legacy platform and resteasy by default uses SingleClientConnManager.
I am wondering if I need to implement connection management in the SPI or
it is thrown awat between requests so there is no need for connection
management.
Thanks a lot
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
7 years, 10 months
New authenticator with CompletableFuture as the only authenticating factor
by Daniel Radzikowski
Hi,
I'm trying to implement new authenticator for Mobile Connect. It is a bit
unusual flow, where the first method *void
authenticate(AuthenticationFlowContext context)* before returning a
challenge, calls a REST API, which prompts user mobile phone with 'Click
OK' button. This API call waits until the user clicks OK (or timeouts), so
in order not to block the request, it is wrapped in CompletableFuture and
the login page (with no inputs) is immediately returned to the browser.
(browser should't wait for the API call result).
The problem is when the CompletableFuture is completed and calls a
callback. It's the place where the authentication should occur, but I don't
have any idea how to do it. The only authenticating factor is OK response
from this API. Can I set the authentication somehow bypassing the whole
processor (calling method *action(AuthenticationFlowContext context)* on
its way)? I thought I will eventually call the *action *from the browser
(with ajax) and only check if the session is already created. The only
thing that I can pass to the callback is an AuthenticationFlowContext data
obtained from the first *action(AuthenticationFlowContext context)* call.
Is there any way to do it?
--
Pozdrawiam,
Daniel Radzikowski.
7 years, 10 months