Is there any public Keycloak endpoint to get a code?
by Bernardo Pacheco
Hi everybody,
I'm trying to find out if Keycloak has an endpoint where I can submit my
username and password to get a code. Later with this code I could exchange
it for an access token.
According to Keycloak's documentation and after taking a look into the
Keycloak source code, the only endpoint I found is the following:
auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true
However, this endpoint returns an HTML page with a form where a user can
enter username and password. The form action is:
auth/realms/zwift/login-actions/request/login?code={code}
The code parameter is generated by Keycloak when the HTML is processed and
served, so I cannot call this endpoint directly because I need this code
parameter.
My question is: in any Keycloak version, is there a public Keycloak
endpoint where I can submit username and password to get a code that will
be used to get an access token later via the /token endpoint?
Just a note, I'm using an old Keycloak version: v1.2.0-Final.
Regards,
7 years, 2 months
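The sequence the post describes, as an added example in Python (this is not code from the thread or from Keycloak): build the authorization request with a fresh random state, read the server-generated code parameter out of the login form action from a constructed sample of the page the /auth endpoint serves, refuse a callback whose state does not match, and build the body for the final /token exchange. The base URL, realm "demo", client id, redirect URI and the sample HTML are assumptions.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of the page the /auth endpoint returns (not a real Keycloak
# response); only the form action, which carries the server-generated code
# parameter, matters for this example.
SAMPLE_LOGIN_HTML = """
<html><body>
<form id="kc-form-login" method="post"
      action="/auth/realms/demo/login-actions/request/login?code=c0ffee-1234">
  <input id="username" name="username" type="text">
  <input id="password" name="password" type="password">
  <input name="login" type="submit" value="Log in">
</form>
</body></html>
"""


def new_state():
    """Unguessable per-request state; the client keeps it (e.g. in its session)."""
    return secrets.token_urlsafe(32)


def build_auth_url(base_url, realm, client_id, redirect_uri, state):
    """Step 1: the authorization request quoted in the post, with a fresh state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "login": "true",
    }
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


class LoginFormParser(HTMLParser):
    """Remembers the action of the first form that posts to login-actions."""

    def __init__(self):
        super().__init__()
        self.action = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.action is None:
            action = dict(attrs).get("action") or ""
            if "/login-actions/" in action:
                self.action = action


def login_form_action(html):
    """Step 2: the action (and its code parameter) only exists in the served page,
    so a non-browser client has to fetch the page and parse it."""
    parser = LoginFormParser()
    parser.feed(html)
    if parser.action is None:
        raise ValueError("no login form found in page")
    return parser.action


def login_code(action):
    """The code parameter Keycloak generated when it rendered the form."""
    code = parse_qs(urlsplit(action).query).get("code")
    if not code:
        raise ValueError("login form action carries no code parameter")
    return code[0]


def callback_code(location, expected_state):
    """Step 3: after the form POST, Keycloak redirects to redirect_uri with code
    and state. Reject the code unless the state is the one this client issued."""
    query = parse_qs(urlsplit(location).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: not a response to a request we made")
    return query["code"][0]


def token_request_body(client_id, code, redirect_uri):
    """Step 4: form body for POST .../protocol/openid-connect/token."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    })
```

Driving this against a live server means one cookie jar across the GET of the auth URL, the POST of username and password to the parsed form action, and the redirect back to redirect_uri; the code from that redirect is what goes into the token request. Recent Keycloak versions also accept grant_type=password at the token endpoint when Direct Access Grants are enabled for the client, which is the username-and-password-to-token path without the HTML form; whether 1.2.0.Final exposes it is not something this thread settles.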
KeycloakPrincipal ClassCastException
by Brent Vaughn
Using Keycloak 2.5.4 and Wildfly 10.1.0
I am attempting to create a JSF component that involves Keycloak. I am getting this exception:
java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be cast to org.keycloak.KeycloakPrincipal
Below is the line of code that throws the exception.
public void encodeBegin(FacesContext context) {
    ..........
    KeycloakPrincipal<KeycloakSecurityContext> kp =
        (KeycloakPrincipal<KeycloakSecurityContext>) context.getExternalContext().getUserPrincipal();
    ..........
}
Funny thing is this. The exception is only thrown when the JSF Component is in a separate jar and then added to the project. If I put the code in question directly in the project, it doesn't throw the exception.
Can anyone help me with this?
7 years, 2 months
[Custom User Federation] - Access to the ClientModel on a custom UserStorageProvider
by Pierre-Emmanuel PEDRON
Hello,
I develop a custom user federation (oidc - grant password) to call a legacy
authentication service.
In the isValid() method, I want to access the ClientModel to retrieve some
information I need (the clientId and its roles) to call the legacy web service. But
I don't know how...
The KeycloakSession is not enough to access this information. I need to
get the ClientSession.
Do I make a custom authenticator to set the ClientModel to the
KeycloakSession ? Any Ideas ?
This is a bottle in the sea :)
Many thanks,
Regards,
Pierre-Emmanuel Pedron
--
Regards,
PEDRON Pierre Emmanuel
7 years, 2 months
KEYCLOAK-4523 SPI implementation
by Adam Kaplan
I noticed the ID for the original PasswordHashProvider
(Pbkdf2PasswordHashProvider) was hard-coded in several places.
1. Should I add an SPI definition to
default-server-subsys-config.properties?
2. Does calling getProvider(Class.class) on a KeycloakSession return the
default provider?
On Thu, Mar 9, 2017 at 12:15 PM, Adam Kaplan <akaplan(a)findyr.com> wrote:
> I'd agree with 4 being overkill - I just listed what was available in in
> the JRE.
>
> I started down the path of implementing - feature branch is here:
> https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523
>
> On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Search for usage of the class PasswordHashProvider
>>
>> On 9 March 2017 at 12:54, Ori Doolman <Ori.Doolman(a)amdocs.com> wrote:
>>
>>> From this discussion I understand that for all realm users, current
>>> password hashing algorithm is using SHA1 before the hashed password is
>>> saved to the DB.
>>>
>>> Can you please point me to the place in the code where this hashing
>>> occurs ?
>>>
>>> Thanks.
>>>
>>>
>>> -----Original Message-----
>>> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Bruno Oliveira
>>> Sent: Monday, 06 March 2017 14:08
>>> To: stian(a)redhat.com; Adam Kaplan <akaplan(a)findyr.com>
>>> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
>>> Subject: Re: [keycloak-user] Submitted Feature: More Secure
>>> PasswordHashProviders
>>>
>>> On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>> > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
>>> > sufficient?
>>> >
>>>
>>> +1
>>>
>>>
>>> >
>>> > On 2 March 2017 at 15:28, Adam Kaplan <akaplan(a)findyr.com> wrote:
>>> >
>>> > This is now in the jboss JIRA:
>>> > https://issues.jboss.org/browse/KEYCLOAK-4523
>>> >
>>> > I intend to work on it over the next week or two and submit a PR.
>>> >
>>> > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira <bruno(a)abstractj.org>
>>> > wrote:
>>> >
>>> > > Hi Adam and John, I understand your concern. Although, collisions
>>> > > are not practical for key derivation functions. There's a long
>>> > > discussion about this subject here[1].
>>> > >
>>> > > Anyways, you can file a Jira as a feature request. If you feel like
>>> > > you would like to attach a PR, better.
>>> > >
>>> > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>>> > >
>>> > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament
>>> > > <john.d.ament(a)gmail.com>
>>> > > wrote:
>>> > >
>>> > >> I deal with similarly concerned customer bases. I would be happy
>>> > >> to see some of these algorithms added. +1
>>> > >>
>>> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan <akaplan(a)findyr.com>
>>> wrote:
>>> > >>
>>> > >> > My company has a client whose security prerequisites require us to
>>> > >> > store passwords using SHA-2 or better for the hash (SHA-512 ideal).
>>> > >> > We're looking to migrate our user management functions to Keycloak,
>>> > >> > and I noticed that hashing with SHA-1 is the only provider out of the box.
>>> > >> >
>>> > >> > I propose adding the following providers (and will be happy to
>>> > >> > contribute!), using the hash functions available in the Java 8
>>> > >> > runtime
>>> > >> > environment:
>>> > >> >
>>> > >> > 1. PBKDF2WithHmacSHA224
>>> > >> > 2. PBKDF2WithHmacSHA256
>>> > >> > 3. PBKDF2WithHmacSHA384
>>> > >> > 4. PBKDF2WithHmacSHA512
>>> > >> >
>>> > >> > I also propose marking the current Pbkdf2PasswordHashProvider as
>>> > >> > deprecated, now that a real SHA-1 hash collision has been
>>> > >> > published by Google Security.
>>> > >> >
>>> > >> > --
>>> > >> > *Adam Kaplan*
>>> > >> > Senior Engineer
>>> > >> > findyr <http://findyr.com/>
>>> > >> > m 914.924.5186 | e akaplan(a)findyr.com
>>> > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>>> > >> > _______________________________________________
>>> > >> > keycloak-user mailing list
>>> > >> > keycloak-user(a)lists.jboss.org
>>> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
--
*Adam Kaplan*
Senior Engineer
findyr <http://findyr.com/>
m 914.924.5186 <//914.924.5186> | e akaplan(a)findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
7 years, 2 months
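The proposal in this thread (PBKDF2 over HMAC-SHA-256/512 alongside the shipped HMAC-SHA-1 provider) and the migration step it implies, as an added example in Python; this is not Keycloak's PasswordHashProvider code or the KEYCLOAK-4523 branch. Each stored credential records the provider identifier, iteration count and a random salt so that verification can reproduce the derivation, and a successful login against a hash made under an older policy produces a replacement under the current one, since the plaintext is only in hand at that moment. The provider identifiers, iteration count, salt and derived-key sizes are assumptions for the example, not values taken from Keycloak.

```python
import base64
import hashlib
import hmac
import os

# Providers keyed by the identifier stored with each credential. The names track
# the JCE algorithm names proposed in the thread; "pbkdf2" stands for the legacy
# PBKDF2WithHmacSHA1 variant. (Assumed identifiers, not Keycloak's.)
PROVIDERS = {
    "pbkdf2": "sha1",           # PBKDF2WithHmacSHA1, legacy
    "pbkdf2-sha256": "sha256",  # PBKDF2WithHmacSHA256
    "pbkdf2-sha512": "sha512",  # PBKDF2WithHmacSHA512
}

# Assumed policy values for this example.
CURRENT_ALGORITHM = "pbkdf2-sha256"
CURRENT_ITERATIONS = 27500
SALT_BYTES = 16
DERIVED_KEY_BYTES = 64


def derive(algorithm, password, salt, iterations, dklen=DERIVED_KEY_BYTES):
    """Raw PBKDF2 over the HMAC the provider identifier names."""
    return hashlib.pbkdf2_hmac(PROVIDERS[algorithm], password.encode("utf-8"),
                               salt, iterations, dklen)


def encode(password, algorithm=CURRENT_ALGORITHM, iterations=CURRENT_ITERATIONS):
    """Hash with a fresh random salt; keep algorithm, iterations and salt next to
    the value so verify() can reproduce it after the policy has moved on."""
    salt = os.urandom(SALT_BYTES)
    return {
        "algorithm": algorithm,
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "value": base64.b64encode(derive(algorithm, password, salt, iterations)).decode("ascii"),
    }


def verify(password, credential):
    """Recompute under the stored parameters and compare in constant time."""
    salt = base64.b64decode(credential["salt"])
    expected = base64.b64decode(credential["value"])
    actual = derive(credential["algorithm"], password, salt,
                    credential["iterations"], len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(credential):
    """True when the stored hash was produced under a weaker policy than today's
    (different provider, or fewer iterations than currently required)."""
    return (credential["algorithm"] != CURRENT_ALGORITHM
            or credential["iterations"] < CURRENT_ITERATIONS)


def verify_and_upgrade(password, credential):
    """Login-time migration: returns (ok, credential_to_store). Only a correct
    password yields a new hash; a failed login must never touch the stored value."""
    if not verify(password, credential):
        return False, credential
    if needs_rehash(credential):
        return True, encode(password)
    return True, credential
```

Verification of an old PBKDF2-HMAC-SHA-1 hash keeps working after the switch because the algorithm is read from the credential, not from the current policy, which is what makes the upgrade gradual rather than a forced reset. That also matches Bruno's point in the thread: the published SHA-1 collision does not give an attacker anything against PBKDF2-HMAC-SHA-1, whose security rests on HMAC as a pseudorandom function rather than on collision resistance, so the legacy hashes can be retired at the users' next login rather than in a panic.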
Problem with keycloak behind a proxy using port 8080
by Bas Passon
Hello,
I seem to have an issue with keycloak 2.5.1.Final running behind nginx. Nginx is configured to listen to port 8080. When I now try to request the admin panel using http://keycloak-local:8080/auth/admin/ I get redirected to http://keycloak-local/auth/admin/master/console/. I would expect to be redirected to http://keycloak-local:8080/auth/admin/master/console/. I have added the request dump and keycloak undertow subsystem configuration below.
What do I need to do to make keycloak redirect to the correct url?
Kind Regards,
Bas Passon
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<filter-ref name="proxy-peer"/>
<filter-ref name="request-dumper" priority="30"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<filter name="proxy-peer" module="io.undertow.core" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/>
<filter name="request-dumper" module="io.undertow.core" class-name="io.undertow.server.handlers.RequestDumpingHandler"/>
</filters>
</subsystem>
16:34:15,131 INFO [io.undertow.request.dump] (default task-1)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
header=X-Real-IP=172.17.0.1
header=Accept=*/*
header=User-Agent=curl/7.43.0
header=Connection=close
header=X-Forwarded-Proto=http
header=X-Forwarded-Port=8080
header=X-Forwarded-For=172.17.0.1
header=Host=keycloak-local
header=X-Forwarded-Host=keycloak-local
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=172.17.0.1:0
remoteHost=172.17.0.1
scheme=http
host=keycloak-local
serverPort=8080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=close
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Location=http://keycloak-local/auth/admin/master/console/
header=Content-Length=0
header=Date=Thu, 09 Mar 2017 16:34:15 GMT
status=302
==============================================================
--
First Eight BV
Chamber of Commerce (KvK) file no.: 30.17.95.44
Municipality of Utrecht
Kerkenbos 1059b
6546 BB NIJMEGEN
T: 024-3483570
F: 024-3483571
E: b.passon(a)first8.nl
W: www.first8.nl
7 years, 2 months
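What the request dump above shows is a Host header without the port and the port carried separately in X-Forwarded-Port; which of those the back end uses to build the Location header decides whether the port survives. As an added example in Python (not Undertow's or nginx's code), here is the reconstruction a proxy-aware server should do, and the check a practitioner wants with it: X-Forwarded-* headers are only honoured when the immediate peer is a configured proxy, because a client that can reach the listener directly can otherwise supply its own host and scheme and have redirects built on them. The dump lines are copied from the post; the trusted proxy range (the Docker bridge network the peer address sits in) is an assumption.

```python
import ipaddress

# The relevant lines of the request dump from the post, kept verbatim.
REQUEST_DUMP = """\
header=X-Real-IP=172.17.0.1
header=X-Forwarded-Proto=http
header=X-Forwarded-Port=8080
header=X-Forwarded-For=172.17.0.1
header=Host=keycloak-local
header=X-Forwarded-Host=keycloak-local
remoteAddr=172.17.0.1:0
scheme=http
serverPort=8080
"""

# Assumed for this example: only peers in the proxy's network may set
# X-Forwarded-* headers. Any other peer keeps the values the socket saw.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_dump(text):
    """Split the dump into request headers (lower-cased names) and exchange fields."""
    headers, fields = {}, {}
    for line in text.splitlines():
        if line.startswith("header="):
            name, _, value = line[len("header="):].partition("=")
            headers[name.lower()] = value
        elif "=" in line:
            name, _, value = line.partition("=")
            fields[name] = value
    return headers, fields


def _split_host(hostport, default_port):
    """'host:8080' -> ('host', 8080); 'host' -> ('host', default_port).
    IPv4 and hostnames only; bracketed IPv6 literals are not handled here."""
    host, _, port = hostport.rpartition(":")
    if host and port.isdigit():
        return host, int(port)
    return hostport, default_port


def _first(value):
    """Chained proxies append with commas; the first entry is the client-facing hop."""
    return value.split(",")[0].strip()


def external_base_url(headers, fields, trusted=TRUSTED_PROXIES):
    """Scheme, host and port that a redirect Location should be built from."""
    scheme = fields.get("scheme", "http")
    server_port = int(fields.get("serverPort", DEFAULT_PORTS[scheme]))
    peer = ipaddress.ip_address(fields["remoteAddr"].rsplit(":", 1)[0])
    from_proxy = any(peer in net for net in trusted)

    if from_proxy and "x-forwarded-host" in headers:
        scheme = _first(headers.get("x-forwarded-proto", scheme))
        host, port = _split_host(_first(headers["x-forwarded-host"]),
                                 DEFAULT_PORTS.get(scheme, server_port))
        if "x-forwarded-port" in headers:
            port = int(_first(headers["x-forwarded-port"]))
    else:
        # Untrusted peer: ignore every X-Forwarded-* header, use Host and the
        # port the listener actually accepted the connection on.
        host, port = _split_host(headers.get("host", ""), server_port)

    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"
```

Run over the dump this yields http://keycloak-local:8080, the base the poster expected; the same headers from a peer outside the trusted range yield the listener's own host and port no matter what X-Forwarded-Host claims. The other half of the fix lives in the proxy: it is nginx that decides what goes into Host and the X-Forwarded-* headers, and a Host value that already carries the external port takes the guesswork out of the back end.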
Multi tenancy question
by Roman Nikolaevich
We are testing example from official documentation regarding multi tenancy
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/multi-tenancy.html
So we are getting realm name from path but at some point our request is
getting redirected to /sso/login url and as result realm name is lost,
simply because of this method
org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint#commenceLoginRedirect
protected void commenceLoginRedirect(HttpServletRequest request,
                                     HttpServletResponse response) throws IOException {
    String contextAwareLoginUri = request.getContextPath() + loginUri;
    log.debug("Redirecting to login URI {}", contextAwareLoginUri);
    response.sendRedirect(contextAwareLoginUri);
}
Could you please advise how to handle such a situation? We see an option to
override the commenceLoginRedirect method, but we are not sure that it is
the correct way.
Thanks in advance.
Br,
Roma
7 years, 2 months
Sending email from Azure hosted Keycloak instances
by Reed Lewis
We are planning on running Keycloak in Azure and of course need a mail server to send the emails that Keycloak generates.
As you may know, Azure IP addresses are blocked from sending email to other people.
I have found the following companies already:
https://sendgrid.com
https://www.smtp.com/
https://www.mailjet.com/
Are there any others that work better? Any experience with these or any others?
Thanks!
7 years, 2 months