Authenticate a REST API with keycloak in express node js without using adapters
by Saransh Kumar
Hello all,
I have a REST API in express node js.
I want to secure it with keycloak bearer auth only.
So, a keycloak token would be received in the Authorization header of the
GET request to the REST API.
I have to verify the token with keycloak without using any adapters.
Please help me out in the process.
Thanks in advance
Saransh
7 years, 10 months
Client Deleting Bug?
by Benjamin Zaitlen
Hi All,
I'm new to both keycloak and this mailing list. I may be doing something
incorrect in my work flow but I think I found a bug around client
deletion. I filed a bug here: https://issues.jboss.org/browse/KEYCLOAK-4525
The short of it is that when I delete a client with active sessions and
offline_tokens I get `Internal Server Errors` when visiting:
https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ and
going to the session and/or application tabs generates: `Internal Server
Errors`
I would've expected that when deleting the client, tokens and sessions would
have automagically been cleaned up as well?
Anyways, if I am doing something wrong please let me know and I'll close
the issue.
Thank you,
--Ben
Note: in the bug filed I posted logs from the server.
7 years, 10 months
Custom Authenticator development
by Pavel Bezdienezhnykh
Hi All.
I'm trying to develop a custom authentication module for the Keycloak server.
According to the requirements I need to validate not only login/password but
one more attribute - siteId, which indicates the country domain of the
application.
I implemented a factory and
SiteIdAuthenticator extends UsernamePasswordForm
In my action method I check all needed credentials and, if they're OK, I
create a new user account. (Or if the user already exists, I just fetch its
account and add it to the AuthenticationFlowContext.)
validateUserAndPassword(AuthenticationFlowContext context,
                        MultivaluedMap<String, String> inputData) {
    ...
    // Look the user up in local storage by the id derived from the submitted credentials
    UserModel userById =
        context.getSession().userLocalStorage().getUserById(userId, context.getRealm());
    if (userById == null) {
        logger.info("add new user:" + userId);
        // No local account yet: create one and attach it to the flow context
        UserModel userModel =
            context.getSession().userLocalStorage().addUser(context.getRealm(),
                                                            userId, userName, true, false);
        context.setUser(userModel);
    } else {
        logger.info("user exists:" + userId);
        context.setUser(userById);
    }
    ...
}
My question is - Do I really have to add a new user account to user
storage? Because in Keycloak version 2.5.1 there is a possibility of
non-importing user federation.
So maybe it is somehow possible to implement a custom Authenticator
without creating a new user account in Keycloak's storage?
Thanks in advance,
Pavel
7 years, 10 months
Admin web site not working with Safari browser on OS X since 2.5.4
by Stephane Granger
Not sure if it's a Safari bug or a Keycloak problem but since I updated to
2.5.4 I can't use Safari any more. The web site displays but it's as if
there is a thread that refreshes the page every 10 seconds, making it
unusable. This behaviour was observed on 2 computers. macOS version
10.12.3, Safari 10.0.3.
7 years, 10 months
Custom SAML request parameters
by nowis1337@gmail.com
Hello,
I've got a custom authentication flow (based on the Authentication SPI) which
uses an additional OIDC parameter - login_hint - passed in the request (as
described in Parameters Forwarding in the Keycloak docs). It's working great,
but I also want to connect some clients to the same realm using the SAML
protocol. The problem is that they will be using the same authentication flow and
I want to retrieve the same information as is passed in the login_hint parameter
in requests from the OIDC client.
The question is: Does Keycloak provide for something like custom parameters
added to SAML endpoints? If not, what is the best way I could achieve that
and get that information from the client request in my authentication flow?
kind regards,
Bartosz
7 years, 10 months
SAML Custom Attribute NameID
by Adam Keily
Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a SAML2 client? The format will be username but I want to use a custom attribute and not the username of the user.
I've tried various mapping configurations but they just get sent as attributes alongside the subject nameid.
Thanks
7 years, 10 months
kid and x5t jwt header
by Robert .
Hi,
A (.NET) application has stored multiple certificates. It wants to choose
the appropriate certificate to validate the signature in the received JWT.
Regarding this I have the following questions.
What exactly is the key ID (kid) header in the JWT? Is it possible to use
this to find the right certificate?
Is it possible to add an X.509 certificate thumbprint (x5t) header in the
JWT created by Keycloak? Is there a feature request for this? Could I
implement this myself via some extension mechanism?
Or do I need to add it in the core source code and submit it to be included
in the Keycloak product?
Regards,
Robert
7 years, 10 months
ClassNotFoundException: Custom UserStorageProvider
by Danny Trunk
Hello,
I've implemented a custom User Storage Provider to connect to a
configurable (external) database through Hibernate/JDBC:
public class MyUserStorageProviderFactory implements
        UserStorageProviderFactory<MyUserStorageProvider> {
    // ...
    public MyUserStorageProvider create(KeycloakSession session,
                                        ComponentModel model) {
        logger.info(">>>>>> Creating factory");
        // Connection settings come from the component's config (as entered in the admin console)
        PersistenceConfig config = new PersistenceConfig(model.getConfig());
        // Bootstrap Hibernate against the external database described by that config
        entityManagerFactory = new HibernatePersistenceProvider()
            .createContainerEntityManagerFactory(getPersistenceUnitInfo(), config.asProperties());
        entityManager = entityManagerFactory.createEntityManager();
        return new MyUserStorageProvider(entityManager, session, model);
    }
    // ...
}
In src/main/resources/META-INF I've placed a file named
jboss-deployment-structure.xml:
<?xml version="1.0" ?>
<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.hibernate" />
            <module name="org.jboss.logging" />
            <module name="org.keycloak.keycloak-core" />
            <module name="org.keycloak.keycloak-server-spi" />
            <module name="org.postgresql" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>
Although there's a dependency on org.postgresql I'm getting a
ClassNotFoundException when trying to authenticate:
WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed
authentication: org.hibernate.service.spi.ServiceException: Unable to
create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
...
Caused by:
org.hibernate.boot.registry.classloading.spi.ClassLoadingException:
Unable to load class [org.postgresql.Driver]
...
Caused by: java.lang.ClassNotFoundException: Could not load requested
class : org.postgresql.Driver
PostgreSQL is deployed as module as described here:
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
7 years, 10 months
Keycloak onLoad option
by Andreea Ciuprina
Hello!
I am running into the following issue when using the Keycloak JavaScript adapter to connect our React frontend client with the Keycloak server.
The following code, where the onLoad option is set to "login-required", causes the webpage to refresh every 10 seconds after logging in:
const SEC_UPDATE_TOKEN = 30;
const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json");
kc.init({ onLoad: "login-required" }).success((authenticated: boolean) => {
    if (authenticated) {
        // refresh the token if it expires within the next 30 seconds, then load data
        kc.updateToken(SEC_UPDATE_TOKEN).success(() => {
            loadData();
        }).error(() => {
            alert("Failed to refresh token");
        });
    } else {
        // show possibly other page here...
        kc.login();
    }
}).error(() => {
    alert("failed to initialize");
});
If I replace the onLoad option with "check-sso", the problem disappears.
Reading the documentation, i.e. this part:
login-required will authenticate the client if the
user is logged-in to Keycloak or display the login page if not. check-sso will only
authenticate the client if the user is already logged-in, if the user is not logged-in the browser
will be redirected back to the application and remain unauthenticated.
was not very clear to me regarding the behaviour that I am observing in my case.
Could you please explain to me the difference between "login-required" and "check-sso" and why using one of them instead of the other in my case
causes the unwanted, constant page refresh?
Thank you!
Best regards,
Andreea
7 years, 10 months