Information about Keycloak client_assertion_type
by Thibaut.Castaing@isocel.info
Hi all,
I'm currently working on Keycloak and its integration in our architecture, which is composed of several modules.
According to the documentation I plan to
- create a realm (which is related to my organisation)
- create "clients" for every application I would like to secure with Keycloak.
I don't want to manage roles at realm level (for organisational and security reasons). I want to manage roles by client (possibly using a client template if several modules share the same configuration).
In this mode, I would like to be able, from a given resource in the context of an authenticated client (authenticated from the browser authentication), to retrieve roles for a given remote "client" in order to make a remote call to its API using the right roles.
I would like to know if it's possible, from a given backend client, to ask Keycloak for an "access_token" for another client using the current authenticated user (and so its related JWT token).
I plan to use a client authenticator client_assertion_type with the current user token. Is it the right solution?
Thanks for your reply.
7 years, 9 months
Multiple logins by one user from different laptops
by Александр Зверков
Hi,
One user can log in to the instance multiple times from different laptops.
Could you advise how we can solve this?
We need the following result: one user can enter the instance only once at a given time.
Thanks in advance
Alex
7 years, 9 months
Alternative sub flow
by Matt Evans
Hi
I have been trying to configure a Keycloak flow but have not been successful, and I am wondering if what I am trying to do is possible.
We have the standard flows
Cookie
Kerberos
Identity Provider Redirector
Browser
Inside the Browser flow we have
Username Password Form
2SV - sub flow required
    OTP execution - alternative
    SMS execution - alternative
The OTP and SMS executions are custom authenticators, of which I'd like to have at least one.
With this configuration I can see the OTP authenticator returns a form from the challenge method, but it doesn't show the form. The authentication just passes and I am logged in without being asked for either the OTP or the SMS code.
Can I use the alternative requirements in this way?
Matt
7 years, 9 months
password reset and OTP
by Bas Passon
Hey Guys,
I have a question about the password reset in combination with OTP. I have password reset enabled and OTP reset disabled. I noticed it is possible to remove a user's OTP from his account if you are able to hijack an email account. On the login page of the user account page you can click password reset. An email arrives with a link to reset the password. After resetting the password you are directly logged in to the user's account. No OTP code needed. There you can simply remove OTP. Is there a way to prevent this from happening? Have I got some configuration error?
The Keycloak version in use is 2.5.4.Final.
Kind Regards,
Bas Passon
--
First Eight BV
KvK file no.: 30.17.95.44
Gemeente Utrecht
Kerkenbos 1059b
6546 BB NIJMEGEN
T: 024-3483570
F: 024-3483571
E: b.passon(a)first8.nl
W: www.first8.nl
Disclaimer:
All quotations, offers or agreements of First Eight BV are, unless explicitly agreed otherwise, subject to the General Terms and Conditions of Conclusion B.V., which can be found at www.conclusion.nl <http://www.conclusion.nl/>. They are also filed with the Chamber of Commerce Midden-Nederland under number 16059253. On written request the General Terms and Conditions will be sent to you free of charge.
The contents of this e-mail message are intended solely for the addressee(s). Use of the contents by others, or forwarding to others, without the consent of the sender or addressee(s) is unlawful. If this e-mail message has reached you by mistake, please contact us immediately. First Eight BV takes the greatest possible care to prevent viruses in the attachment(s) to this message. Nevertheless, you must check the attachment(s) yourself for the presence of viruses, and First Eight BV cannot be held liable if attachment(s) cause damage, including damage to computer (systems).
7 years, 9 months
Custom password hash provider seems not getting triggered
by Danny Trunk
Hi,
I've implemented a custom user storage provider and a custom password hash provider, as the user storage doesn't use Pbkdf2.
I added some logging to check whether I can see it in server.log, but there's no output from my custom password hash provider:
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.*;
import org.keycloak.models.*;

// Factory and provider in one class, as posted. getId/init/postInit/verify/policyCheck and
// the two helpers were not in the post and are filled in here so the class compiles.
public class MyPasswordHashProvider implements
        PasswordHashProviderFactory, PasswordHashProvider {
    private static final Logger logger =
            Logger.getLogger(MyPasswordHashProvider.class);
    public static final String ID = "XX"; // algorithm id written to the credential

    public PasswordHashProvider create(KeycloakSession session) {
        logger.info(">>>>>> Creating factory");
        return this;
    }
    public String getId() { return ID; } // must match what the services file registers
    public void init(Config.Scope config) { }
    public void postInit(KeycloakSessionFactory factory) { }
    public void close() {
        logger.info("<<<<<< Closing provider/factory");
    }
    public void encode(String rawPassword, PasswordPolicy policy,
                       CredentialModel credential) {
        logger.info("Encoding password");
        String salt = getSalt();
        String encodedPassword = encode(rawPassword, salt);
        credential.setType(UserCredentialModel.PASSWORD);
        credential.setValue(encodedPassword);
        credential.setSalt(salt.getBytes());
        credential.setAlgorithm(ID);
        logger.info("Credential model: " + credential);
    }
    public boolean verify(String rawPassword, CredentialModel credential) {
        return encode(rawPassword, new String(credential.getSalt())).equals(credential.getValue());
    }
    public boolean policyCheck(PasswordPolicy policy, CredentialModel credential) {
        return ID.equals(credential.getAlgorithm()); // rehash if stored with another algorithm
    }
    // Helpers not shown in the post: random salt, and the storage's own hash. The real
    // algorithm is the poster's; salted SHA-256 is only a stand-in so this compiles.
    private String getSalt() { byte[] b = new byte[16]; new SecureRandom().nextBytes(b); return Base64.getEncoder().encodeToString(b); }
    private String encode(String rawPassword, String salt) {
        try { return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest((salt + rawPassword).getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
In src/main/resources/META-INF/services I've created a file called
org.keycloak.credential.hash.PasswordHashProviderFactory which contains
the fully qualified class name (including package):
com.example.keycloak.credential.hash.MyPasswordHashProvider
This is the log I can see while trying to login:
2017-03-14 14:57:14,215 INFO
[com.example.keycloak.storage.MyUserStorageProviderFactory] (default
task-4) >>>>>> Creating factory
2017-03-14 14:57:14,217 WARN [org.keycloak.events] (default task-4)
type=LOGIN_ERROR, realmId=test, clientId=test,
userId=f:dbXXXXbb-aXXf-XXXX-befb-XXXeaXcbXXbb:john.doe@example.com,
ipAddress=127.0.0.1, error=invalid_user_credentials,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://XXX.XXX.XX.XX:8443/login.html,
code_id=fbfXbXXX-dfdX-Xfba-bfXX-XXXXacXXXeXe, username=john.doe(a)example.com
Am I missing something?
7 years, 9 months
Keycloak single sign on/out clarification
by Michal Keda
Hi,
we are evaluating Keycloak and I have one problem with getting single sign-out working properly, and one question about the design of app + Keycloak.
The problem is the following: I have two applications that are protected via Keycloak, based on the Keycloak quickstart vanilla-jee apps and deployed to Tomcat. This should mimic our future use case, in which multiple applications on multiple servers should have SSO. If a user logs into any of the sites (or Keycloak's /auth/realms/realm/account page), he is logged in to the other two. BUT trouble comes when users want to log out.
When a user logs out from my app, he is logged out from Keycloak's /auth/realms/realm/account page, but not from the other application. If the user logs out from the /auth/realms/realm/account page, he is not logged out from any of my applications. It just seems that once a session in my application is established successfully, it no longer tries to check whether the user is logged in with the Keycloak server. Which seems quite "un"-single-sign-out-ish.
I am logging out like this:
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Container-managed logout: HttpServletRequest.logout() ends the authenticated
// state for this request when the "logout" query parameter is present.
public void handleLogout(HttpServletRequest req) throws ServletException {
    if (req.getParameter("logout") != null) {
        req.logout();
    }
}
Since single sign-on is achieved basically just by changing <auth-method>KEYCLOAK</auth-method> in web.xml and automagic does everything else, I was expecting single sign-out to be similarly effortless. What do I need to do to make it work?
My second question is regarding a custom login form. The product owner simply denied that we will redirect users to the Keycloak login page during the login process. I didn't find much information on how to use an existing login form with Keycloak, but we came up with the following solution. I just want to ask if it is a reasonable approach. I created a page "linksVisibleForLoggedInUsers.html" that is protected by Keycloak in web.xml. I included this page in an iframe instead of the former login form. So when a not-logged-in user accesses the index page, this iframe shows the Keycloak login form (which can be themed to mimic the original login form). The user can then log into Keycloak in the iframe, and it works fine. My feeling is that although this works, it might not be the optimal solution.
Best regards,
Michal Keda
7 years, 9 months
What is the effect on performance in changing the number of Hashing Iterations for the password.
by Reed Lewis
What is the true effect on performance of the number of hashing iterations that can be configured for Keycloak? There is of course a diminishing return in terms of security with more and more iterations, but that of course needs to be offset against the CPU power required to perform those iterations for each login.
So is there any performance analysis of the different numbers of iterations and their effect on the capacity to handle users?
Thank you.
This message is the property of CARBONITE, INC. and may contain confidential or privileged information.
If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail
7 years, 9 months
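One way to get the number the question asks for is to measure it on the hardware in question. The script below is an added example, not code from the original post or from Keycloak: it times one PBKDF2 derivation at several iteration counts and turns that into an upper bound on password verifications per second for a node with a given core count. It assumes PBKDF2-HMAC-SHA1 with a 512-bit derived key as the PRF and key size (my understanding of Keycloak's pbkdf2 provider; pass "sha256" to measure that variant instead), and the password, salt and core count are constructed sample values. The cost is linear in the iteration count, so doubling iterations halves the login capacity of the hashing path; the same factor applies to an attacker's cost per offline guess against a leaked hash, which is what the iteration count buys.

```python
import hashlib
import os
import time

# Constructed sample inputs: a test password and a random 16-byte salt
# (the salt is stored next to the hash, as Keycloak does per credential).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = os.urandom(16)
DERIVED_KEY_BYTES = 64  # assumed 512-bit derived key, as in Keycloak's pbkdf2 provider


def seconds_per_hash(iterations, hash_name="sha1", repeats=3):
    """Wall-clock cost of one PBKDF2 derivation at the given iteration count.

    The minimum over a few repeats is used so one scheduling hiccup does not
    distort the figure. hash_name defaults to SHA-1 on the assumption that
    this is the PRF of Keycloak's pbkdf2 provider.
    """
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(hash_name, SAMPLE_PASSWORD.encode(), SAMPLE_SALT,
                            iterations, dklen=DERIVED_KEY_BYTES)
        best = min(best, time.perf_counter() - start)
    return best


def logins_per_second(seconds_per_login, cores):
    """Upper bound on verifications per second if every core does nothing but
    hash. Real capacity is lower: DB lookups, TLS and session work are ignored."""
    return cores / seconds_per_login


def cost_table(iteration_counts, cores=4, hash_name="sha1"):
    """Return [(iterations, seconds_per_hash, logins_per_second)] per count."""
    rows = []
    for n in iteration_counts:
        t = seconds_per_hash(n, hash_name)
        rows.append((n, t, logins_per_second(t, cores)))
    return rows


if __name__ == "__main__":
    # 20000 is included because it is the iteration count commonly cited as
    # Keycloak's default; the others bracket it.
    print(f"{'iterations':>10} {'ms/hash':>10} {'logins/s (4 cores)':>20}")
    for n, t, cap in cost_table([1000, 10000, 20000, 100000]):
        print(f"{n:>10} {t * 1000:>10.2f} {cap:>20.0f}")
```

Run it on the actual Keycloak hosts (or an instance of the same VM size) rather than a laptop, since per-core PBKDF2 throughput differs a lot between CPU generations and cloud instance types; the table then gives the hashing-only ceiling to compare against the expected login rate at peak.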
What is the procedure for upgrading from 2.x to 3.x and beyond?
by Reed Lewis
We are planning on using keycloak for SSO for our entire organization. We plan on running all of Keycloak in either Azure or AWS using a hosted SQL database (MS SQL or Postgres), and having multiple keycloak VMs which will connect to the single database instance.
I have already figured out jdbc_ping and its configuration in terms of caching, etc.
What we would like to know though is when we deploy the servers, what happens when we upgrade from whatever version we decide to implement to a later version of Keycloak? Are there database schema updates that happen in the background? Do we need to shut down the entire system, then start a new version and let it migrate? Can a newer and older version of Keycloak be connected to the same database or is that an invalid use case?
So bottom line: We need to know the upgrade procedure when running a very large installation of Keycloak with multiple VMs as the Keycloak servers.
Thank you.
7 years, 9 months
Keycloak and 3 clients
by Marc Tempelmeier
Hi,
I'm new to Keycloak and have the lucky possibility to play around with it here at my new company.
Unluckily, I'm the only person who plays around with it at the moment.
So I have to make it possible that we have 3 services connected with Keycloak. But just one of them should have the users in the same realm, but the users shouldn't be logged out.
To recap:
Keycloak with 3 clients; logout should log out only 2, but login should occur for all 3.
Can you give me a gist of how to solve that?
Best regards
Marc
7 years, 9 months