Fwd: issue with google
by téeg-wendé gildas zougmore
Hi all,
I have some trouble with the social media configuration on Keycloak. After
configuring it the way the Keycloak documentation describes, I got an error
when authenticating via the Google ID provider.
I use Keycloak 2.5.4.Final and the error I got is "unexpected error when
authenticating with identity provider".
Best regards
7 years, 9 months
Fwd: CORS disable config?
by Joe Rowe
Hi,
I have a question regarding disabling CORS on keycloak realm endpoints.
When sending a request to :
<keycloak server : port>/auth/realms/<valid realm>
And setting an Origin on the request, the response contains an
access-control-allow-origin containing the request origin. Further testing
indicates that all origins are allowed.
This was flagged as a security vulnerability when penetration testing, and
although the content is of course public info, it would be useful if I
could disable CORS here as 1) I do not need to expose this data, and 2) it
would reduce false positives from testing.
Is there a config property for the Keycloak standalone server that will allow me
to do this? I've searched this list as well as the Keycloak docs and
examples but haven't found an answer to this specific case.
Best regards,
Joe
7 years, 9 months
ReCaptcha behind proxy
by Plank Martin
Hello,
It would be nice if the ReCaptcha worked behind a corporate proxy. It was already reported in [1].
The problem is that ReCaptcha validation is implemented with the use of Apache HttpClient, which does not respect the Java proxy settings by default.
It can be fixed by using the SimpleHttp utility (which uses HttpURLConnection under the hood) instead of HttpClient.
I will be happy to contribute. Would you welcome this contribution?
Thank you for your answers
Martin
[1] https://issues.jboss.org/browse/KEYCLOAK-4272
7 years, 9 months
Using NGINX as reverse proxy, issuer in token is not using correct protocol
by Ushanas Shastri
Hello,
I am using NGINX as a reverse proxy in front of Keycloak. The protocol
between the client and NGINX is https, but between NGINX and Keycloak it's
http.
In this case, I have set the X-Forwarded-For and X-Forwarded-Proto headers
in NGINX.
I see that the issuer in the well-known configuration remains http, while
it does contain the URL exposed via NGINX.
As a result, the validation on the issuer fails.
How do I get the issuer to be https instead of http?
Regards, Ushanas.
7 years, 9 months
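For reference, an NGINX server block of the kind the setup above needs, added here as an example and not taken from the thread or the Keycloak project; it assumes TLS terminates at NGINX, Keycloak listens on plain HTTP at 127.0.0.1:8080, and the public name is sso.example.com (all placeholder values).

```nginx
# Added example, not from the thread. Assumptions: TLS ends here, Keycloak
# is reachable only from this host on 127.0.0.1:8080, public name below.
server {
    listen 443 ssl;
    server_name sso.example.com;                      # assumed public hostname

    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;   # placeholder path

    location /auth/ {
        proxy_pass http://127.0.0.1:8080/auth/;

        # Keep the public host name so Keycloak builds issuer and redirect
        # URLs from what the client used, not from the upstream address.
        proxy_set_header Host              $host;

        # Tell Keycloak the client really connected over https. Without this
        # the issuer in .well-known/openid-configuration stays "http".
        proxy_set_header X-Forwarded-Proto $scheme;

        # Original client address for Keycloak's logs and brute-force
        # detection. proxy_set_header overwrites any client-supplied copy of
        # these headers, so a caller cannot spoof them through this proxy.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Keycloak only honours these headers once proxy-address-forwarding is enabled on the Undertow HTTP listener, for example with jboss-cli: `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)`; because that setting makes Keycloak trust the headers, the Keycloak port must not be reachable except through the proxy.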
Reset admin password, ver 3.0
by Ushanas Shastri
Hello,
How do I reset the admin password? I don't have the admin password, and
want to be able to reset it like it was a new install.
Regards, Ushanas.
7 years, 9 months
Is it possible to combine oidc login with tomcat adapter?
by Federico Navarro Polo - Info.nl
Hello,
We’re facing a kind of special scenario with our current setup, in which we have Keycloak as identity provider for both a website and a native mobile app.
For the website part, we use the Tomcat adapter and the Keycloak built-in login screen, and it works fine.
For the native app, we’ve been using oidc and the /token and /userinfo endpoints for logging in and retrieving user data, and that also has been working fine so far.
Now, the situation is that we would like to allow opening certain pages from the website within a webview in the app, and these website pages should reflect the user information correctly. Is it possible to make the Tomcat adapter aware of the session opened via oidc? The first idea was to get the access token from /token and then pass that somehow to the request in a way that the Tomcat adapter will use it.
I attempted to do so by using the QueryParamterTokenRequestAuthenticator provided by the Tomcat adapter, which recognizes an access_token query parameter, and I can see that the user is properly authenticated while debugging. However, after a redirect, we do not seem to have the KeycloakPrincipal nor the KeycloakContext in the request anymore, as opposed to what happens when logging in through the Keycloak built-in login screen. I'm guessing that the difference is that the regular OAuthRequestAuthenticator saves data into the AdapterTokenStore, while the BearerAuthentication (from which QueryParamterTokenRequestAuthenticator inherits) does not.
Is there any alternative to make this work without making the user login multiple times?
Thanks in advance!
Kind regards,
Federico Navarro
backend developer
federico(a)info.nl | LinkedIn <http://www.linkedin.com/in/jasperleferink> | +31 (0)2 05 30 91 61
info.nl <http://www.info.nl/>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
7 years, 9 months
Realm Agnostic User Storage SPI
by Dmitriy Dmitriy
Hi Guys,
I am a new keycloak user and have a question.
I have a multi-tenant use case and am using different realms/themes to keep
users segregated. However, I also need the ability to have a separate global
default view with all the users/realms without duplicating them across
realms for different applications.
After doing some digging, my thoughts are to have a default realm use
custom User Storage SPI to enable additional user lookups that are not part
of the default realm.
My Questions:
1) Does this sound like I am on the right track or is there a better way of
looking at it?
2) Do you know if something similar already exists?
3) Do you see any potential issues with this approach?
Thank you,
Dmitriy
7 years, 9 months
Spi for custom protocol mapper
by ko lo
I know that a protocol mapper SPI exists, and I can use it for a custom protocol
mapper. I don't understand what interface needs to be implemented?
7 years, 9 months
Keycloak 3.0.0.CR1 released
by Stian Thorgersen
Keycloak 3.0.0.CR1 is released. Even though we've been busy wrapping up
Keycloak 2.5 we've managed to include quite a few new features.
To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
This release is the first that comes without Mongo support.
Highlights
- *No import option for LDAP* - This option allows consuming users from
LDAP without importing into the Keycloak database
- *Initiate linking of identity provider from application* - In the past
adding additional identity brokering accounts could only be done through
the account management console. Now this can be done from your application
- *Hide identity provider* - It's now possible to hide an identity
provider from the login page
- *Jetty 9.4* - Thanks to reneploetz <https://github.com/reneploetz> we
now have support for Jetty 9.4
- *Swedish translations* - Thanks to Viktor Kostov for adding Swedish
translations
- *Checksums for downloads* - The website now has md5 checksums for all
downloads
- *BOMs* - We've added BOMs for adapters as well as Server SPIs
The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>.
Upgrading
Before you upgrade remember to backup your database and check the migration
guide
<https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...>.
7 years, 9 months