User Attributes in User Profile
by Mehdi Sheikhalishahi
Hi,
How can we get/set user attributes through KC APIs or SDK?
I could not find any resource. Also, I was wondering if it is possible to
enable user attributes presentation as part of User Profile/Account in KC?
Thanks,
Mehdi
7 years, 9 months
UI for custom providers
by Tomás García
Hi,
I wonder if it's planned to add the possibility to make a UI (HTML) for a
custom provider, like having a Providers section in the Keycloak dashboard
menu where all of those providers with custom UI will appear. For
example, for a Keycloak custom API I've made, I want to let the admin
change a whitelist of clients used inside the provider. Right now, I'll
have to use the configuration stuff inside the standalone.xml file, which
means that the server must be reset each time.
In this issue (https://issues.jboss.org/browse/KEYCLOAK-3605), Stian you
said:
"I think you misunderstood me. We now have a generic component storage
mechanism that makes it easy to add configurable providers. It sorts out
persistence as well as UI automatically. To support that the Email Sender
SPI including UI screens have to be changed. IMO that should be done prior
to adding more options to the email sender. "
Is this generic component storage mechanism going in this direction? Is
there an explanation somewhere about this mechanism? Example code?
Thanks.
7 years, 9 months
Optional 2FA Delegate Authenticator
by Steve Favez
Dear Keycloak community,
I'm trying to get the following functionality in my browser authentication
flow:
1. Like "OptionalOTP" I'd like to get, after user login authenticator, an
Option2FA (second authentication Factor) that will ask for a second factor
of authentication according to some predicates (client IP, time, user role,
...)
2. I need more than OTP as second factor. OTP is one good solution, but I
need to provide to the end user a set of 2FA, like SMS, MatrixCard and so
on (can be configured). But I also need to leverage existing
authenticators, so my wish is to reuse existing or new Authenticators.
In that sense, I tried to create a skeleton implementation and share it
through GitHub.
I really need some input from the community, if it sounds correct or if you
have any better idea to implement such a use case.
See: https://github.com/stevefavez/keycloakext
class: ConditionalMultiFactorAuthenticatorDelegate
I look forward to your valuable feedback.
(By the way, I know that this feature should be implemented in the next
release, but I must implement it on 2.x, because we're using rh sso.)
Thanks in advance for your help.
Best regards
Steve
7 years, 9 months
Obtain Token and Invoke Service through CLI
by Mehdi Sheikhalishahi
Hi
I have read
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
for trying to authenticate to KC with username and password through CLI. But
it seems this method does not work with KC 2.5.4, because a public client
does not provide a Redirect URI field.
See below:
Obtain Token and Invoke Service
First we need to create a client that can be used to obtain the token. Go
to the Keycloak admin console again and create a new client. This time give
it the *Client ID* curl and select public for access type. Under *Valid
Redirect URIs* enter http://localhost.
How can I do this with KC 2.5.4?
Thanks,
Mehdi
7 years, 9 months
Getting abstract method error for creating external Provider SPI
by Haseb Ansari
Hello,
My usecase was with JWE tokens and hence I started with implementing
custom external IDP extension like oidc in keycloak. I started my SPI by
extending AbstractIdentityProviderFactory, AbstractOAuth2IdentityProvider,
OAuth2IdentityProviderConfig classes. But when I try to use this provider
for login I get the below error:
ERROR [io.undertow.request] (default task-15) UT005023: Exception handling
request to /auth/realms/com/broker/cust/login:
org.jboss.resteasy.spi.UnhandledException: java.lang.AbstractMethodError:
co.com.custom.spi.CustomtIdentityProviderFactory.create(Lorg/keycloak/models/IdentityProviderModel;)Lorg/keycloak/broker/provider/IdentityProvider;
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
Caused by: java.lang.AbstractMethodError:
co.com.custom.spi.CustomIdentityProviderFactory.create(Lorg/keycloak/models/IdentityProviderModel;)Lorg/keycloak/broker/provider/IdentityProvider;
at
org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:805)
at
org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:156)
Can anyone help me with where I went wrong?
Thanks
7 years, 9 months
How to upgrade server keycloak-overlay
by ko lo
I have applications, including some not deployed directly to the Keycloak
server. I want to upgrade the adapter.
Do I have to do similar steps as for the standalone server? New WF installation,
add new KC adapter, copy standalone.xml, themes, etc. over, and so on?
7 years, 9 months
keycloak java rest client compatibility
by David Delbecq
Hello,
For some operations in our software, we need to perform some REST operations
on keycloak (mainly set some client role in response to some business
logic). For that we use the provided Java REST client. However, we noticed
in the past that if the client and server don't run the exact same version,
you start getting exceptions on the client side. It was due to the server
replying with additional parameters in the JSON, and the client throwing an
Exception on parsing those unexpected additional properties. I think I was
running at that time client 2.3 on a 2.5 server. It seems like the API used
to generate the Java client has a parameter to be more relaxed on unexpected
properties, but it has been generated by requesting strict adherence to the
expected reply.
Is it expected behavior that the Java client crashes if the server is not at the same
version? That doesn't seem very practical from a production point of view:
if you need to upgrade your keycloak server, you then need to sync with the
applications' upgrade schedule.
--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq(a)trimbletl.com
http://www.trimbletl.com/
7 years, 9 months
Second try: Using a different claim in the data from a Third Party IDP to associate the user with a Keycloak User..
by Reed Lewis
Can anyone help please? I really need to figure this out. Thank you!
Right now I am working on getting Keycloak to be able to use Azure with Keycloak logging in. The issue is that we are going to prepopulate the users in Keycloak by calling Azure to get a list of users using the Azure route here:
https://graph.microsoft.com/v1.0/myOrganization/users
We get an access and refresh token not using Keycloak, then call the above route. It returns data like this:
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","@odata.nextLink":"https://graph.microsoft.com/v1.0/myOrganization/users?$skiptoken=X%<secret>","value":[{"id":"<ID1>","businessPhones":[],"displayName":"user081","givenName":null,"jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":null,"userPrincipalName":"nothing at carboniteinc.com"}
Continuing on and on.
The <ID1> is a GUID that identifies the user.
When I use Keycloak in debug mode this is in the log file:
{"amr":"[\"wia\"]","family_name":"someone","given_name":"first","ipaddr":"<IP>","name":"me","oid":"<ID1>","onprem_sid":"something else",
"platf":"5","sub":"A different value here","tid":"Another differen value","unique_name":"<secret>@carbonite.com","upn":"<secret>@carbonite.com","ver":"1.0"}
It is using the value in the "sub" claim to associate the user in Azure with the user in Keycloak. Is there a way to change Keycloak in the config to use the OID instead, since that matches what I get from the user listing?
Because the sub claim is not known when listing the users.
Thank you,
Reed Lewis
7 years, 9 months
Submitted Feature: More Secure PasswordHashProviders
by Adam Kaplan
This is now in the jboss JIRA: https://issues.jboss.org/browse/KEYCLOAK-4523
I intend to work on it over the next week or two and submit a PR.
On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Hi Adam and John, I understand your concern. Although, collisions are not
> practical for key derivation functions. There's a long discussion about
> this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like you
> would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament <john.d.ament(a)gmail.com>
> wrote:
>
>> I deal with similarly concerned customer bases. I would be happy to see
>> some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com> wrote:
>>
>> > My company has a client whose security prerequisites require us to store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
>> > looking to migrate our user management functions to Keycloak, and I
>> > noticed that hashing with SHA-1 is the only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8 runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been published by
>> > Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr <http://findyr.com/>
>> > m 914.924.5186 | e akaplan(a)findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
7 years, 9 months
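The proposal above maps directly onto PBKDF2 with an HMAC pseudo-random function from the SHA-2 family. The following is an added example, not code from Keycloak or from the thread's author: it derives password hashes with each of the proposed Java algorithm names (translated to hashlib digest names), verifies a password in constant time with the parameters stored alongside the hash, and shows the migration step that a deprecated SHA-1 provider implies, re-hashing a legacy record under SHA-256 at the moment a login succeeds (the only time the plaintext is available). The credential record layout, the iteration count and the salt length are assumptions chosen for the example, not Keycloak's own storage format or defaults.

```python
"""Added example (not Keycloak's code): PBKDF2 password hashing with the
SHA-2 PRFs proposed in the thread, constant-time verification, and
transparent re-hash of a legacy SHA-1 record on successful login."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Java PBKDF2WithHmac* names from the proposal mapped to hashlib digest
# names. SHA-1 is the legacy entry the thread proposes to deprecate.
JAVA_TO_HASHLIB = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA224": "sha224",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA384": "sha384",
    "PBKDF2WithHmacSHA512": "sha512",
}

# Assumed policy for this example only; not Keycloak's defaults.
ITERATIONS = 27500
SALT_BYTES = 16
LEGACY_ALGORITHMS = {"PBKDF2WithHmacSHA1"}


def hash_password(password: str, algorithm: str = "PBKDF2WithHmacSHA256",
                  iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> dict:
    """Return a self-describing credential record (constructed layout)."""
    digest = JAVA_TO_HASHLIB[algorithm]  # KeyError for unsupported names
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    # Derived-key length equals the PRF's digest size, so SHA-512 yields
    # 64 bytes, SHA-256 yields 32, and SHA-1 yields 20.
    dklen = hashlib.new(digest).digest_size
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                             iterations, dklen)
    return {
        "algorithm": algorithm,
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "value": base64.b64encode(dk).decode("ascii"),
    }


def derived_key_bytes(record: dict) -> int:
    """Length in bytes of the stored derived key."""
    return len(base64.b64decode(record["value"]))


def verify_password(password: str, record: dict) -> bool:
    """Recompute PBKDF2 with the record's own parameters; compare in
    constant time so timing does not leak how many bytes matched."""
    digest = JAVA_TO_HASHLIB[record["algorithm"]]
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["value"])
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                             record["iterations"], len(expected))
    return hmac.compare_digest(dk, expected)


def login_and_upgrade(password: str, record: dict,
                      target: str = "PBKDF2WithHmacSHA256") -> Tuple[bool, dict]:
    """Verify against the stored record. On success, if the record uses a
    deprecated PRF or too few iterations, return a fresh record under the
    target algorithm so the store can be migrated; otherwise return the
    record unchanged. On failure the original record is returned as-is."""
    if not verify_password(password, record):
        return False, record
    if record["algorithm"] in LEGACY_ALGORITHMS or record["iterations"] < ITERATIONS:
        return True, hash_password(password, target)
    return True, record


if __name__ == "__main__":
    # Constructed legacy record, as an existing SHA-1 deployment would hold.
    legacy = hash_password("correct horse", "PBKDF2WithHmacSHA1", iterations=1000)
    ok, current = login_and_upgrade("correct horse", legacy)
    print(ok, legacy["algorithm"], "->", current["algorithm"], current["iterations"])
```

The record stores algorithm, iteration count and salt next to the hash, which is what lets several providers coexist during a migration: verification always reads the parameters from the record rather than from a global setting, and the upgrade only rewrites records whose parameters fall below the current policy.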
How is it possible to reuse configuration between authenticators?
by Known Michael
I need to use 2 authenticators in 2 different flows: the browser and direct
grant flows.
They will be different authenticators from the Keycloak point of view, but the
same Java classes.
I want to reuse the authenticator configuration:
- I want to update the configuration of only one authenticator
- I want to store it in one place in the database
- I want its configuration properties to be provided only for
one authenticator
- I want to reuse the configuration in the second authenticator
How is it possible to do it?
7 years, 9 months