No way to use First Broker Login without enabling Create User If Unique
by teroz
Hi there
Is there a way to pre-create users and have these users able to link these
existing accounts to Google accounts, without also being forced to allow any
random Google user to create an account?
Seems that's how First Broker Login works. Any attempt to disable the
"Create User If Unique" step makes the flow unusable, always with the same
error:
*WARN [org.keycloak.events] (default task-94)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=example,
clientId=js-console, userId=null, ipAddress=127.0.0.1,
error=invalid_user_credentials, identity_provider=google,
auth_method=openid-connect, auth_type=code,
redirect_uri=http://127.0.0.1:8080/js-console/
<http://127.0.0.1:8080/js-console/>, identity_provider_identity=......*
7 years, 9 months
Logout in broker mode doesn't propagate session's termination
by Dmitry Korchemkin
I was testing single logout in broker mode and came across this logical,
but not exactly desirable, behaviour, where the session on the broker and the session
on the external IdP are not linked between the IdPs.
My setup is broker saml example provided with keycloak, but instead of an
actual application i log in to the broker using "/account" url. Should be
all the same, since it's just another web-app, protected by this realm.
The behaviour is as follows:
If I kill a session on the external Keycloak IdP, the user is not logged
out. I assume that since the local session is alive and well, the token is not being
revoked.
If I kill a session on the broker Keycloak, upon hitting F5 the user is
redirected to the broker login page, but when I press the external IdP login
button, he's logged right back in with no credentials asked. I guess that since the
session between the two IdPs is still up, the broker thinks this user is already
authenticated.
I tested both OIDC and SAML, and tried different backchannel/frontchannel
toggles in the UI of both the broker and the external IdP, but this had no visible
effect.
Can you please clarify whether the behaviour observed is expected and normal, or
did I miss some configuration steps?
7 years, 9 months
problem setting up identity brokering from Keycloak to ADFS
by Glenn Campbell
What is the correct way to set up identity brokering from Keycloak to ADFS?
I’m new to ADFS so I suspect I’ve configured something incorrectly there.
Here’s what I’ve done so far:
1) Installed ADFS.
2) Opened ADFS Management.
3) Walked through the ADFS Configuration Wizard.
At one point in the process it asked which certificate I wanted to use. I
didn’t have one so I went into IIS Manager and created a self-signed
certificate. Then I came back to the ADFS Configuration Wizard and selected
the newly created certificate.
At the end of the process there was a list of configuration items that had
been performed and they all had green checkmarks by them.
Clicked Close.
4) At this point ADFS Management said I needed to configure a Trusted
Relying Party so I went to Keycloak to start setting up that side of things.
5) Since the certificate used by ADFS is self-signed I exported it from IIS
and imported it into the Wildfly jssecerts where Keycloak is running and
restarted Wildfly/Keycloak.
6) Saved the ADFS FederationMetadata.xml via the url https://<adfs
server>/FederationMetadata/2007-06/FederationMetadata.xml
7) In Keycloak admin console, on the Identity Providers page I chose “Add
provider… SAML v2.0”
8) Entered an alias for the new IdP then in “Import from file -> Select
File” I chose the FederationMetadata.xml that I acquired from the ADFS
server.
9) Saved the IdP configuration.
10) Went to the Export tab of the newly created IdP and downloaded the xml
config file.
11) At this point I went back to ADFS Management and followed the steps to
create a Trusted Relying Party, choosing to import data about the relying
party from the xml file exported from Keycloak.
12) For the rest of the Relying Party configuration I accepted the defaults.
When I go to the url for my application I’m redirected to the Keycloak
login screen where I select the Identity Provider I configured. I get a
security certificate warning since the certificate from the server is
self-signed but I choose to continue despite the warning. Then I get an
error page saying there was a problem accessing the site. I don’t get the
ADFS page where I would enter my login credentials.
I don’t know if it matters but my application and Keycloak currently use
http rather than https.
Any help would be greatly appreciated.
Thanks in advance,
Glenn
7 years, 9 months
Anonymous access to scoped resources
by ebondu
Hi all,
I am using Keycloak filters to secure a Spring REST API and I need to
provide anonymous access to a subset of resources having a given scope
(like 'urn:scope:read:public'). To me, anonymous means an unauthenticated
user without an access token.
I defined a dedicated security chain to bypass the authentication filter, but
the authorization filter is expecting an access token to grant requests, so
I can't use it.
Do I need to implement my own filter based only on the Protection API to
retrieve and check the scopes of requested resources, or is there a better way to
grant access to resources for anonymous users?
Thanks.
7 years, 9 months
Revoking an OAuth Token
by Jason B
Hi,
I am wondering how we can revoke an issued OAuth access token/refresh token
in Keycloak? What will the request look like, and what is the endpoint
we need to invoke?
Also, I see there is a RFC for OAuth token revocation (
https://tools.ietf.org/html/rfc7009) process, but I am assuming this is not
yet implemented in Keycloak. Are there any plans for implementing this RFC
in future? Please let me know.
Thanks!
7 years, 9 months
Connecting Wildfly Adapter with Javascript
by phantomjinx
Hey,
I am looking into implementing keycloak integration with our application.
The application:
* java-based providing a rest interface using RestEasy
* deployed to wildfly as a war archive
* contains a web.xml detailing the security constraints, eg. runs over https only
* has used BASIC authentication
* has provided the swagger-ui interface for documentation and debugging of the REST operations
Switching to keycloak has meant:
* adding configuration to the keycloak xml element in wildfly's standalone.xml file
* separation of the main application and its swagger documentation into 2 separate wars. This was to
ensure
** the main application uses a bearer-only client implementation (no login page)
** the swagger page uses a public client implementation (login page displays and redirects back to
the swagger API)
Since the application is going to be released and distributed, the keycloak server-auth-url cannot
be assumed anywhere in the configuration. The use of the wildfly xml configuration has meant that
instructions can be provided to end-users to configure their own keycloak installations and specify
the correct auth url appropriately. However, I am now faced with a problem.
The swagger webpage redirects correctly to the keycloak login page, authenticates correctly and
displays accordingly. However, its internal urls, eg. swagger.json, cannot be loaded from wildfly
since these urls are not provided with the page's token. How do I provide the token from the main
page to the swagger.json (so as to load the REST API documentation) and to each REST API operation
when I want to "try it out"?
As the swagger page is javascript, the keycloak adapter is available for use and I have prototyped
using this. Yet the Keycloak object constructor requires a minimum of config, either directly or
from a keycloak.json file. This config mandates the specifying of a keycloak server-auth-url, which
is not appropriate to our situation. Therefore, is it possible to extract the token used to
successfully login from the keycloak login page from the metadata available in the loaded swagger page?
I have found that 'state' and 'code' are being passed as parameters to the logged-in swagger page.
However, it seems this page is refreshed and the request that includes these parameters is replaced
with the original URL, so it is impossible to glean them from window.location.
In summary:
* Can the token or auth url be passed from the login page provided either to the javascript adapter
or made available directly as a global variable?
* Can the javascript adapter keycloak instance be initialised without needing to specify a
server-auth-url, with the expectation that the init method would simply call 'check-sso' and extract
a token?
* Is there even a way to serve a keycloak.json file, free-standing, in a wildfly instance that could
at least be configured by end-users on installation of our application?
If someone is able to shed light on any part of this rather protracted problem, I would be most
grateful.
Thanks and regards
Paul
--
Paul Richardson
* p.g.richardson(a)phantomjinx.co.uk
* p.g.richardson(a)redhat.com
* pgrichardson(a)linux.com
7 years, 9 months
Re: [keycloak-user] Additional attributes for an authorization request
by Ori Doolman
Hi Pedro Igor,
You wrote:
You can't pass additional attributes along with an authorization request.
However, that is something we want to support on future versions.
I have some questions about that:
1. Which future version will support that? Any plan for it at the moment?
2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using Java adapter for JBOSS Fuse)?
Thank you,
Ori.
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
7 years, 9 months
Authorization: Javascript policy
by Ori Doolman
Hi,
How rich can the Javascript policy be?
Is it limited to only specific interface ($evaluation), or can I use any Javascript package/code I want ?
Specifically, I need to have a mapping table between a token claim (user attribute) to a list-of-IDs.
Can I query another server using HTTP request within a policy code?
Or can I query the user database from the policy code?
Or can I pre-load the mapping table into PDP memory and query it from policy code?
Thanks,
Ori.
7 years, 9 months
Admin REST API to List users which are related to a given role.
by Jéfte Santos
Hello!
I'm trying to get all users related to a given role, and I'm iterating over all users and requesting their role-mappings, which may cause performance problems in the future. Is there a way to request the users related to a given role using only the admin REST API?
7 years, 9 months
[HELP] Unable To Deploy Authenticator-Requirement-Action-Example
by Sagar Ahire
Hello,
In Keycloak 2.4.0 I tried to deploy authenticator requirement action
example (keycloak-2.4.0.Final/examples/providers/authenticator) using the
following command:
$ mvn clean install wildfly:deploy
Getting:
[ERROR] Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli)
on project authenticator-required-action-example: Deployment failed and was
rolled back. -> [Help 1]
PFA the server log.
I also tried to copy authentication-requirement-action-example.jar into the
standalone/deployment/providers directory, but it didn't work.
Can someone please help with this?
regards,
-Sagar
7 years, 9 months