update password failed - invalid code
by Michael Mok
Hi All
I need help allowing a user to update their password. The use case:
1) Login to admin
2) Select a user, go to Credentials, select Update Password as a reset action and send the email
3) User receives the email and clicks the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred, please login again."
Setup:
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
mod_proxy_ajp
OS: Ubuntu 14.04
Keycloak standalone.xml AJP config:
<server name="default-server">
    <ajp-listener name="mmemoeListener" socket-binding="ajp"
                  redirect-socket="proxy-https" scheme="https"/>
    <http-listener name="default" socket-binding="http"
                   redirect-socket="https"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="proxy-peer"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <filter name="proxy-peer"
            class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
            module="io.undertow.core"/>
    <response-header name="server-header" header-name="Server"
                     header-value="WildFly/10"/>
    <response-header name="x-powered-by-header"
                     header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 HTTP conf:
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
<Proxy *>
    RequestHeader set X-Forwarded-Proto "https"
    Require all granted
</Proxy>
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email:
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log:
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log:
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 8 months
Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
by Peter K. Boucher
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread in keycloak-dev
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers to docs with practical guidance for how best to do these two
things.
Thanks!
Regards,
Peter K. Boucher
7 years, 8 months
Session Logout with Offline Access Token
by Benjamin Zaitlen
Hi All,
I'm having some trouble with sessions, clients, and offline access tokens.
Let's say I have a client (APP 1) and I've logged in with OIDC. I now have
a refresh_token and session for APP 1. Using the auth code flow I can
generate an offline_access token (refresh_token) for a second client, APP
2. When I look in realms/myrealm/account/sessions, I see one session
but two clients. At first I thought, great! I was able to get the auth
code flow working and I generated a refresh token for a second client.
But then disaster set in: when I logged out of the APP 1 client with the
URL protocol/openid-connect/logout, I was logged out of the session, which
included the second client, and thus the offline access token for APP 2
was effectively revoked.
I've seen a handful of JIRAs related to offline access tokens and logouts,
but I think they don't quite cover this use case. I have two questions:
1. Is it possible, using the auth code flow, to generate a refresh token in a
separate session? That is, can APP 1 generate an offline_access token for
APP 2 in a separate session without re-authenticating?
2. Can I log out a specific client in a session by passing additional
parameters to the logout URL?
Thanks,
--Ben
7 years, 9 months
Authorization on resources that belong to different "groups"
by Gabriel Trisca
Hi there,
We've integrated Keycloak auth and authz to an existing REST service which
serves endpoints like this:
GET /api/report?country={country}
GET /api/status?country={country}
GET /api/history?country={country}
As far as I understand, the only way to protect these resources is to
create "global" resources (/api/report, /api/status etc.), but then we
can't validate whether the current user is authorized to make requests for a
given "country".
The other alternative would be to include the country name in the URI, but
this would lead to duplication of resource definitions:
/api/report/country1
/api/report/country2
/api/status/country1
/api/status/country2
...
We considered including a list of the countries the user has access to as
an attribute in the access_token but that would require manually
maintaining said attribute
Is there another way that would accommodate this kind of authentication
requirement?
Thanks in advance!
--
*Gabriel Trisca, Software Developer*
Cignifi | 101 Main Street, 14th Floor, Cambridge, MA 02142 USA
7 years, 9 months
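One way to keep the three global resources and still decide per country is a JavaScript policy in Keycloak Authorization Services. The block below is an added example, not from the thread and not Keycloak's own code. It assumes two things that have to be arranged outside the policy: that the enforcer in front of the REST service pushes the request's country query parameter into the evaluation context as the attribute "country" (Keycloak does not do that on its own), and that the user's allowed countries reach the policy as the multi-valued identity attribute "countries". The policy body is wrapped in a function, and a small stand-in for the $evaluation object follows, only so the decision can be exercised offline; the inputs are constructed.

```javascript
// Body of the policy as it would be pasted into Keycloak; $evaluation is the
// object Keycloak injects. Wrapped in a function only so it can be run here.
function evaluate($evaluation) {
  var context = $evaluation.getContext();
  var requested = context.getAttributes().getValue('country');   // assumed: pushed by the enforcer
  var allowed = context.getIdentity().getAttributes().getValue('countries'); // assumed user attribute

  // Deny by default: no country on the request, a duplicated country parameter
  // (country=US&country=DE), or a user with no entitlements all get nothing.
  if (requested == null || allowed == null || requested.size() !== 1) {
    $evaluation.deny();
    return;
  }

  var country = String(requested.asString(0)).trim().toLowerCase();
  for (var i = 0; i < allowed.size(); i++) {
    if (String(allowed.asString(i)).trim().toLowerCase() === country) {
      $evaluation.grant();
      return;
    }
  }
  $evaluation.deny();
}

// Offline stand-in for $evaluation exposing just the calls the policy uses
// (getContext, getIdentity, getAttributes, getValue, asString, size, grant, deny).
function makeEvaluation(contextAttrs, identityAttrs) {
  function entry(values) {
    if (!values) return null;
    return {
      size: function () { return values.length; },
      asString: function (i) { return values[i]; }
    };
  }
  function attributes(map) {
    return { getValue: function (name) { return entry(map[name]); } };
  }
  var ev = {
    decision: 'none',
    getContext: function () {
      return {
        getAttributes: function () { return attributes(contextAttrs); },
        getIdentity: function () {
          return { getAttributes: function () { return attributes(identityAttrs); } };
        }
      };
    },
    grant: function () { ev.decision = 'grant'; },
    deny: function () { ev.decision = 'deny'; }
  };
  return ev;
}

// Run the policy against constructed inputs and return "grant" or "deny".
function decide(contextAttrs, identityAttrs) {
  var ev = makeEvaluation(contextAttrs, identityAttrs);
  evaluate(ev);
  return ev.decision;
}
```

The country list still has to be maintained somewhere, as the post notes; what changes is that it lives on the user (and can come from federation) and is read at decision time, rather than being baked into every access token.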
How to retrieve Organizational Unit from LDAP?
by Celso Agra
Hi all,
I'd like to retrieve the organizational unit (ou) from LDAP via a mapper and set
this in the User Attributes.
When I get a user from LDAP, it sets an attribute called LDAP_ENTRY_DN, with
value: "uid=xxxxxx,ou=group,dc=dom3,dc=dom2,dc=dom1"
So, I'd like to retrieve just the ou info "group", and set this as the user
attribute.
Would it be possible to do that? Is there some mapper type just to retrieve
this information?
Best Regards,
--
Celso Agra
7 years, 9 months
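Pulling "group" out of LDAP_ENTRY_DN is a DN-parsing job, and splitting on commas is not enough once a value contains an escaped comma or a hex escape. The block below is an added example, not from the thread and not Keycloak's own code: it parses a DN following RFC 4514 escaping (backslash before special characters, \XX hex pairs decoded as UTF-8 bytes, multi-valued RDNs joined with "+") and returns the ou values nearest the entry first. It is the parsing a custom mapper, or a script run over the user attributes after sync, would need; the sample DNs are constructed.

```javascript
// Split on sep, ignoring separators preceded by a backslash.
function splitUnescaped(s, sep) {
  const out = [];
  let cur = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\' && i + 1 < s.length) { cur += s[i] + s[i + 1]; i++; continue; }
    if (s[i] === sep) { out.push(cur); cur = ''; continue; }
    cur += s[i];
  }
  out.push(cur);
  return out;
}

// Decode RFC 4514 escapes. Hex pairs are raw bytes, so everything is collected
// as bytes and decoded as UTF-8 once (a multibyte character arrives as several \XX).
function unescapeValue(v) {
  const chars = Array.from(v);
  const bytes = [];
  for (let i = 0; i < chars.length; i++) {
    if (chars[i] !== '\\') { bytes.push(...Buffer.from(chars[i], 'utf8')); continue; }
    const hex = (chars[i + 1] || '') + (chars[i + 2] || '');
    if (/^[0-9a-fA-F]{2}$/.test(hex)) { bytes.push(parseInt(hex, 16)); i += 2; }
    else if (i + 1 < chars.length) { bytes.push(...Buffer.from(chars[i + 1], 'utf8')); i += 1; }
    else throw new Error('dangling escape in ' + v);
  }
  return Buffer.from(bytes).toString('utf8');
}

// Parse a DN into an array of RDNs (entry first, base last); each RDN is an array
// of {type, value} pairs, with more than one only for multi-valued RDNs ("cn=a+ou=b").
function parseDn(dn) {
  return splitUnescaped(dn, ',').map(rdn =>
    splitUnescaped(rdn, '+').map(av => {
      const eq = av.indexOf('=');
      if (eq < 0) throw new Error('RDN without "=": ' + av);
      // Unescaped whitespace around separators is tolerated; an escaped trailing
      // space ("\ ") is part of the value and survives.
      const value = av.slice(eq + 1).replace(/^ +/, '').replace(/(^|[^\\]) +$/, '$1');
      return { type: av.slice(0, eq).trim().toLowerCase(), value: unescapeValue(value) };
    }));
}

// All ou values, nearest the entry first: ["group"] for the DN in the question.
function ouValues(dn) {
  return parseDn(dn).reduce(
    (acc, rdn) => acc.concat(rdn.filter(av => av.type === 'ou').map(av => av.value)), []);
}
```

Taking ouValues(dn)[0] gives the innermost ou, which is what the question asks for; a DN with nested ous returns all of them, so the mapper can decide whether to store one value or the whole path.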
Disable CORS on realm endpoints?
by Joe Rowe
Hi all,
Is there a configuration setting which will disable CORS at the endpoint
URL <server>/auth/realms/<valid realm>?
CORS is on by default here, but is not needed for our application and
causes false positives in pen testing.
Any help would be gratefully received!
Thanks
Joe
7 years, 9 months
Mobile App, native login
by matteo restelli
Hi all,
we're planning to use Keycloak for a project and we're really excited about
that. The only thing that makes us think a little is the
authentication flow via a native mobile app. I've already read that
authentication via a WebView or external browser, using the Keycloak login
page, is the best practice. But we think that our mobile app designers
might prefer a native login form with some buttons for social login. How
can we do that?
1) For "direct" authentication via username & password we can use the
direct access grants mode, is it right?
2) What about the social login part? How can we authenticate users when we
receive the access token from an external identity provider such as
Facebook? Do we need to implement our own custom Authenticators and then deploy
them with Keycloak?
I apologize because I know that this question has been asked a lot of
times, but we haven't been able to figure it out.
Thank you very much, have a nice day,
Matteo
7 years, 9 months
Unable to Store and Retrieve Group-Role relationship in LDAP
by abhishek raghav
Hi
I have a set of Realm Roles that is mapped to a certain OU=Roles in an
MSAD. Similar is the case for a set of Groups.
But when I assign a group a certain role, the assignment is visible
in Keycloak, but it is not reflected in the AD.
I mean, this mapping of role and group is not stored in the "member" or
"memberof" attributes of either the respective group or the role.
Please suggest whether this functionality is available using any mapper from
Keycloak to AD. Or do we need to create our own custom mapper? If yes, how?
- Best Regards
Abhishek Raghav
7 years, 9 months
Authorize with local Login Form
by Danny Trunk
Hello,
My application is Spring Security based.
I've added and configured the Keycloak Spring Security Adapter.
Now I would like to have my own login page, without redirecting and without
customizing or adding any Keycloak themes.
Is it possible to use a local Login Form to authorize on the external
Keycloak Server?
If so, how do I realize it?
I've read something about Bearer Tokens.
Is it the right way?
Can someone point me into the right direction please?
7 years, 9 months