Entitlement API specific resource POST error
by Sven Thoms
When I try to check a User's permissions for a given resource at a resource
server, I get an error.
curl -v -X POST \
> -H "Content-Type:application/json" \
> -H 'Authorization: bearer <access token elided; JWT removed from the archive>'
\
> -d '"permissions" : [ {"resource_set_name" : "Default Resource", "resource_set_id" : "d7954958-b656-4acf-aa65-d2c46c6b8ad8" }]' \
> https://keycloak.fin.uniquedomain/auth/realms/ffs/authz/entitlement/test_client
> Content-Type:application/json
> Content-Length: 123
>
* upload completely sent off: 123 out of 123 bytes
< HTTP/1.1 400 Bad Request
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Content-Type: text/html
< Content-Length: 350
< Date: Tue, 21 Feb 2017 08:53:38 GMT
<
com.fasterxml.jackson.databind.JsonMappingException: Can not instantiate value of type [simple type, class org.keycloak.authorization.entitlement.representation.EntitlementRequest] from String value ('permissions'); no single-String constructor/factory method
According to the Authorization Services Guide, this should work.
7 years, 10 months
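Added illustration, not part of the original post: a small Python check of how a JSON parser reads the -d body shown in the request above. The body text is a constructed one-line copy of the posted one; the "object with a permissions list" shape is my assumption, derived from the fields used in the post and from Jackson's "from String value ('permissions')" message.

```python
import json

# Constructed copy of the -d body from the post above (same text, one line).
# Note that it starts with the bare string "permissions" and has no
# enclosing '{ ... }'.
POSTED_BODY = ('"permissions" : [ {"resource_set_name" : "Default Resource", '
               '"resource_set_id" : "d7954958-b656-4acf-aa65-d2c46c6b8ad8" }]')


def first_json_value(body: str):
    """Return (value, type-name) of the first JSON value at the start of body.

    A streaming parser such as Jackson reads this first token before it knows
    whether a whole object follows; for the posted body that token is the
    string "permissions", which is what the server's error message reports.
    """
    value, _end = json.JSONDecoder().raw_decode(body.lstrip())
    return value, type(value).__name__


def is_entitlement_object(body: str) -> bool:
    """True only if body is a single JSON object whose 'permissions' member is
    a list of objects (assumed request shape, see lead-in)."""
    try:
        doc = json.loads(body)  # also fails on trailing "extra data"
    except json.JSONDecodeError:
        return False
    if not isinstance(doc, dict):
        return False
    perms = doc.get("permissions")
    return isinstance(perms, list) and all(isinstance(p, dict) for p in perms)


def wrap_as_object(body: str) -> str:
    """Restore the missing outer braces around the posted members."""
    return "{" + body + "}"


if __name__ == "__main__":
    print(first_json_value(POSTED_BODY))                        # ('permissions', 'str')
    print(is_entitlement_object(POSTED_BODY))                   # False
    print(is_entitlement_object(wrap_as_object(POSTED_BODY)))   # True
```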
Force Keycloak to use external IdP as authentication mechanism
by Jason B
We have a requirement to disable local login (username/password) and allow
login through IdPs configured in the identity broker.
To test this scenario I have configured Salesforce as SP and Keycloak as
IdP. In the IdP (Keycloak) I disabled "Forms" based login and configured an
external IdP as identity broker.
But this configuration results in an "Invalid username or password." error
in Keycloak. In the logs I observed the following stack trace.
01:36:06,532 WARN [org.keycloak.services] (default task-40) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:795)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
    at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:527)
    at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:523)
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:310)
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:221)
    at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:514)
    at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:536)
    at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
01:36:06,532 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://jason-dev-ed.my.salesforce.com?so=00D62000005vWGB, code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4
Any idea how to disable the username/password prompt during the login and
force Keycloak to use the configured identity brokers?
Also, in case I have multiple external IdPs configured as identity brokers
in my Keycloak instance, is there any way to tell Keycloak to use a
particular external IdP (broker)? I know we can use the kc_idp_hint parameter.
This will be helpful during IdP-initiated SSO, but in case it is
SP-initiated SSO, how can we specify the default external IdP?
Thanks!
7 years, 10 months
NPE in SAMLIdentityProvider
by Goovaerts C (Caroline) (RIGD-LOXIA)
Hi all,
While implementing the single logout feature, we ran into an NPE in SAMLIdentityProvider.java.
This behavior seems to be independent of whether or not backchannel logout is used:
at org.keycloak.broker.saml.SAMLIdentityProvider.backchannelLogout(SAMLIdentityProvider.java:154)
at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
In our application we invoke httpServletRequest.logout() as suggested in the guide: https://keycloak.gitbooks.io/securing-client-applications-guide/content/t....
Version info:
- ADFS server: 3.x
- Keycloak server: 2.3.0.Final
- Maven Keycloak modules: 2.2.1.Final
We'd like to know:
- Whether it is sufficient to invoke request.logout() to do a single logout
- Why it is broken in the given setup
I could not determine whether this is related to https://issues.jboss.org/browse/KEYCLOAK-4398 or not.
Thanks & kind regards,
Caroline Goovaerts
Developer
RIGD-LOXIA
7 years, 10 months
Manually editing standalone.xml vs offline install
by John D. Ament
Hi
I was wondering, if I wanted to avoid a build-time run of offline install,
can I just edit standalone.xml? I already ship a customized standalone.xml,
so it's not an issue to include the file changes. These are the changes I
identified:
Added: <extension module="org.keycloak.keycloak-adapter-subsystem"/>
Added:
<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>
Added: <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
John
7 years, 10 months
Re: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
by Gustavo Alvarez
The error is not 401, I get a 500 error code. The following is the log
capture of the backend application:
Caused by: java.lang.NullPointerException
    at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:69)
    at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:77)
    at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
    ... 38 more
I use Keycloak 2.3.0.Final with the following configuration:
1. Backend app in an EAR package with a JAX-RS service and the following
keycloak.json file:
{
    "realm": "demo",
    "auth-server-url": "http://localhost:8080/auth",
    "ssl-required": "external",
    "resource": "afiliacion-web",
    "credentials": {
        "secret": "45226cd3-796e-4e38-9f38-8435877c660b"
    },
    "policy-enforcer": {}
}
and this is the web.xml file:
<!-- PRIVATE -->
<security-constraint>
    <display-name>Client Area</display-name>
    <web-resource-collection>
        <web-resource-name>client_resources</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- BASIC AUTHENTICATION ALLOW LOGIN FROM REST SERVICE -->
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo</realm-name>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
2. Front end app is public client in keycloak, and sends all requests to
backend adding the bearer token.
Thank you so much Ebondu.
Gaalvarez.
7 years, 10 months
customizing password policy
by Ori Doolman
Hi,
I couldn't find any SPI for customizing the password policy.
In addition to the existing options (lowercase characters, special characters etc.), I have an additional requirement: the password should not contain any dictionary words.
I can still have it implemented using the Authenticator SPI - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...
The drawback is that it will not be available for configuration from the regular realm Authentication -> Password Policy screen.
Is that the proper way to go?
Thanks,
Ori.
7 years, 10 months
Using AJAX during authentication process
by nowis1337@gmail.com
Hello,
Is there a way to use AJAX to ask Keycloak about the authentication process
status for the current session during the authentication? I'm trying to
implement a new Authentication mechanism using the Authentication SPI and I
would like to use AJAX polling in it. I'm looking for a way of doing it
only within Keycloak to avoid the cross-domain requests.
7 years, 10 months
securing 3rd party non-OIDC/SAML applications
by Stephen Ingram
Reading through the documentation, I'm not sure if I'm understanding the
security proxy correctly. We have a few applications that use either Apache
htaccess or form type authentication built into the application. Since we
don't always have access to the source code to add OIDC or SAML capability, I
thought the Keycloak security proxy might be a possible solution. I'm
wondering if it can work with just anything or does the app have to have at
least minimal OIDC or SAML capability? Are there any good examples anywhere?
Steve
7 years, 10 months
Deployment strategies
by John D. Ament
Hi,
I was wondering, are there any documented recommendations for deploying
keycloak? I can see the downloads, but are there recommendations based on
scale or load that help dictate databases to use, clustering requirements
and configuration, etc?
John
7 years, 10 months
Native android facebook auth and Keycloak token
by Julien Boulay
Hi all,
I have a question regarding authentication with facebook and keycloak in a
native Android app.
Is it possible to connect to facebook through native application, retrieve
an authorization code, and then exchange this authorization_code for an
access token with keycloak (id_token, refresh_token, token) ?
Can I use the facebook broker (for example
<keycloak_server_url>/auth/realms/<myrealm>/broker/facebook/endpoint) for
that ?
I'm using 2.5.1-final version of keycloak server.
Thanks
Julien Boulay - Ekito
Developer & Eclectic
15 rue Gabriel Péri 31000 Toulouse
+33 (0)6 80 46 73 78
jboulay(a)ekito.fr
Visit our Blog <http://www.ekito.fr/people> !
7 years, 10 months