March 2017 - keycloak-user - Jboss List Archives

KEYCLOAK-2962 and autodetect-bearer-only

by Amat, Juan (Nokia - US)

Hello, I was reading this ticket as I am having a similar use case: my application, using the wildfly adapter (2.5.1), is doing a mix of http requests: regular ones and ajax ones. I declare my client as 'public' and everything is fine. Except when the session times out and the next request is an ajax one. In this case, Keycloak will try to redirect which does not work. >From my understanding this is what this ticket was about. The proposed fix in OAuthRequestAuthenticator.java will 'fix' this problem. And it was similar to what is done in the spring security adapter (KEYCLOAK-1391). Instead the ticket was resolved by introducing the autodetect-bearer-only property. Unfortunately this does not help me as this will treat all ajax requests as 'bearer only'. But I do not set any Authorization header with a valid token (again this is some existing application and the only modification is configuration the keycloak sub system in my standalone.xml file. I am wondering then if we still do the same 'trick' as the one in the spring security adapter. At least for consistency reason. I understand that this is not a bug in Keycloak but an enhancement. I do have the problem when I am not using Keycloak but if Keycloak could solve it, then this will be a nice selling point! What do you think? Thank you, Juan

9 years

1
0
0 / 0

Using my own DB for user store

by Amit Arora

How can i use my own DB ( with existing users uid/pwd) with KeyCloak, The use case is I want to have keycloak authenticate users from my own existing DB. Amit

9 years

1
0
0 / 0

how to set user's locale when importing them into keycloak via Federation Provider

by Istvan Orban

Hello, I am writting a user federation provider and it works great! Thanks for the help from the forum members. At this point I reached an issue that seems trivial but I can not seem to find the solution. When I am importing the user via a federation provider. I have the user's locale avialable from the external system. Although I do not seem to find a way I can set this onto the user object. org.keycloak.models.UserModel does not seem to have a locale field like firstName. It has a constant defined in the class called LOCALE but it is never used. Also there is a LocaleHelper class but the setUserLocale is private hence I can not use it. Thanks for any suggestions. -- Kind Regards,

9 years

1
0
0 / 0

kc_idp_hint for Kerberos

by Glenn Campbell

Is there some mechanism similar to kc_idp_hint=login that will let me skip authentication via Kerberos ticket and let me log in via the Keycloak login page? My situation is that I have admin user accounts in my application but users don't log in to Windows with these accounts. So UserA logs in to Windows with his UserA account but sometimes needs to log in to my application as AdminX. I see that I can use impersonation from the Keycloak admin console to impersonate AdminX and then open a browser tab and go to my application and I'll be logged in to my application as AdminX. But this strategy is a little inconvenient for users to use on a daily basis. Not horrible by any means but I'm sure I'll get some complaints. More importantly these users are admins in my application but they are not Keycloak admins and I'd rather not have them mucking around in the Keycloak admin console.

9 years

2
3
0 / 0

Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found

by Georgijs Radovs

I apologize for once again raising this issue. I've started Keycloak 2.5.4 server with default standalone-ha.xml config and "User Federation" worked! I guess, I need to remove all references to LDAP connections from production standalone-ha.xml config, start the server, and then re-add them. Issue resolved. Thank you for help. -- <https://www.youtube.com/watch?v=coVJlV1LJ84>

9 years

1
0
0 / 0

Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found

by Georgijs Radovs

Hello, everyone! My current setup: 2 Keycloak 2.5.4 servers in Standalone HA mode, MySQL 5.6.27 database hosted on Amazon AWS RDS. Recently, I've migrated my Keycloak servers from 2.1.0 to 2.5.4. I've copied "standalone-ha.xml" and "keycloak-server.json" to the new installation and ran "jboss-cli.sh --file=migrate-standalone-ha.cli"|, |as per migration instructions in Keycloak documentation. jboss-cli.sh complete without errors, and the 2.5.4 server started successfully. All operations seemed running fine, until I've tried to add another LDAP server to User Federation... When I click "https://%server_fqdn%/auth/admin/master/console/#/realms/%realm_name%/user-federation" link, I get "Resource not found" page, and server logs show this error: "ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-16) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://%server_fqdn%/auth/admin/realms/%realm_name%/user-federation/providers" Also, Chrome console shows error with angluar.js <https://ibb.co/jzgDmF> Did anyone experienced similar problems? Any advice? -- <https://www.youtube.com/watch?v=coVJlV1LJ84>

9 years

2
3
0 / 0

How to configure new params and edit them with Keycloak and LDAP integration

by Celso Agra

Hi all, I'm trying to configure KC with LDAP, but some errors are occurring. First, I configured my LDAP to write in the LDAP server, but for some reasons I got this error when I try to register an user: 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) > KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: > Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa] at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. > modifyAttributes(LDAPOperationManager.java:410) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. > modifyAttributes(LDAPOperationManager.java:104) at org.keycloak.federation.ldap.idm.store.ldap. > LDAPIdentityStore.update(LDAPIdentityStore.java:105) at org.keycloak.federation.ldap.mappers.msad. > MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( > MSADUserAccountControlMapper.java:235) at org.keycloak.federation.ldap.mappers.msad. > MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( > MSADUserAccountControlMapper.java:220) at org.keycloak.models.utils.UserModelDelegate.addRequiredAction( > UserModelDelegate.java:112) at org.keycloak.authentication.forms.RegistrationPassword. > success(RegistrationPassword.java:101) at org.keycloak.authentication.FormAuthenticationFlow.processAction( > FormAuthenticationFlow.java:234) at org.keycloak.authentication.DefaultAuthenticationFlow. > processAction(DefaultAuthenticationFlow.java:76) at org.keycloak.authentication.AuthenticationProcessor. > authenticationAction(AuthenticationProcessor.java:759) at org.keycloak.services.resources.LoginActionsService.processFlow( > LoginActionsService.java:356) at org.keycloak.services.resources.LoginActionsService. > processRegistration(LoginActionsService.java:477) at org.keycloak.services.resources.LoginActionsService. > processRegister(LoginActionsService.java:535) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet. > ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter. > doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter( > ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler. > handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security. > SecurityContextAssociationHandler.handleRequest( > SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) at io.undertow.servlet.handlers.security. > SSLInformationAssociationHandler.handleRequest( > SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security. > ServletAuthenticationCallHandler.handleRequest( > ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security. > ServletConfidentialityConstraintHandler.handleRequest( > ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security. > CachedAuthenticatedSessionHandler.handleRequest( > CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler. > handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc. > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler. > handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler. > dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1. > handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors. > java:202) at io.undertow.server.HttpServerExchange$1.run( > HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.naming.directory.InvalidAttributeIdentifierException: > [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining > name 'uid=11111111111,dc=zz,dc=dd,dc=aa' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes( > ComponentDirContext.java:277) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. > modifyAttributes(PartialCompositeDirContext.java:192) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. > modifyAttributes(PartialCompositeDirContext.java:181) at javax.naming.directory.InitialDirContext.modifyAttributes( > InitialDirContext.java:167) at javax.naming.directory.InitialDirContext.modifyAttributes( > InitialDirContext.java:167) at org.keycloak.federation.ldap.idm.store.ldap. > LDAPOperationManager$6.execute(LDAPOperationManager.java:405) at org.keycloak.federation.ldap.idm.store.ldap. > LDAPOperationManager$6.execute(LDAPOperationManager.java:402) at org.keycloak.federation.ldap.idm.store.ldap. > LDAPOperationManager.execute(LDAPOperationManager.java:535) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. > modifyAttributes(LDAPOperationManager.java:402) ... 59 more 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) > type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, > ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, > auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1: > 8080/teste-portal/ and then, I got this result in my ldap: dn: uid=11111111111,dc=zz,dc=dd,dc=aa givenName:: IA== uid: 11111111111 objectClass: top objectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson objectClass: phpgwAccount objectClass: shadowAccount sn:: IA== cn:: IA== structuralObjectClass: inetOrgPerson entryUUID: 07f0e7caxxxxxxxxxxx creatorsName: cn=admin,dc=zz,dc=dd,dc=aa createTimestamp: 20170308140529Z entryCSN: 20170308140529.527857Z#000000#000#000000 modifiersName: cn=admin,dc=zz,dc=dd,dc=aa modifyTimestamp: 20170308140529Z So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration. please, need help!! Best Regards, -- --- *Celso Agra*

9 years

2
8
0 / 0

SSO Session Idle and Keycloak-js

by Plunkett McGurk

Hi Guys, I have an Angular2 application utilising the Keycloak Javascript (v2.3.0) adapter. The application uses the 'login-required' on load option and the session status iframe is enabled. However I have noticed a potential problem regarding the function of SSO Session Idle. According to the documentation both the token and session are invalidated when either the SSO Session Idle time or SSO Session Max values have been reached. If the SSO Session Max value is reached the user is automatically redirected to the Login screen however if the idle time is reached (idle time set to 5mins, Session max set to 30 mins) no redirect happens and any subsequent attempt to access keycloak results in the following error because of the expired token POST http://sso.keycloak-server.com/auth/realms/iot/protocol/openid-connect/token 400 (Bad Request) {"error":"invalid_grant","error_description":"Refresh token expired"} So is the lack of redirect to login expected behavior when the SSO Session Idle time has been exceeded? Thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

9 years

1
1
0 / 0

Theming applications by customers

by Nicolas Gillet

Hello, I am looking for an SSO solution and started playing around with Keycloak. We currently have no SSO solution but it has become a need that our application can seamlessly interact. Our customers have "branding" requirement so we adapt the look of our application pages (including login pages) with their logo and colors. For some customers, we use a cookie to know which branding they need, for others we have dedicated domain names pointing to the very same IP's. >From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms". Configuring a realm seems to require quite some time and if we have an important number of branded customer this might become hard to maintain. Also, the "topology" of our application (which are "clients" in Keycloak I think) remains the same for all customers of ours but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to any realm. So, I am wondering if Keycloak can fit our need of if I don't get it correctly. If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal I'd be very thankful. Kind regards, Nicolas GILLET Market-IP - Creating Mobile Intelligence Phone : +32 81 33 11 11 Fax : +32 81 33 11 10 www.market-ip.com<http://www.market-ip.com/> - www.telefleet.com<http://www.telefleet.com/> - www.geoplanning.net<http://www.geoplanning.net/> - www.drivexpert.net<http://www.drivexpert.net/>

9 years

3
4
0 / 0

Keycloak 2.5.5.Final Released

by Stian Thorgersen

Keycloak 2.5.5.Final is out. There's nothing much except a handful bug fixes, but it's still worth upgrading. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. Highlights - A few bug fixes The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Upgrading Before you upgrade remember to backup your database and check the migration guide <http://www.keycloak.org/docs/2.5/server_admin/topics/MigrationFromOlderVe...> .

9 years

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user March 2017