help
by Ulrik Lejon
--
Ulrik Lejon
Mollyware AB
+46-700-137786
ulrik.lejon(a)mollyware.se
www.mollyware.se
7 years, 8 months
Load Balancer and Domain Clustered Mode
by Marc Tempelmeier
Hi,
The docs say we should use our own load balancer. Is nginx a good idea there, and what is the general rough setup then?
Nginx in front, the domain controller is admin-only and just controls the config, and two slaves with an open port (8080, 8081) which the load balancer uses?
Or does the Domain Controller have some other role in this setup?
Not asking for specifics, just the general workflow.
Greetings
Marc
7 years, 8 months
how to use keycloak JS Adapter with a signed JWT Token?
by Celso Agra
Hi there,
It's me again!
I'd like to know if it would be possible to configure my frontend app with
the keycloak JS adapter, but my app is configured with a signed JWT.
Here is the credential configs:
"credentials": {
  "jwt": {
    "client-key-password": "REPLACE WITH THE KEY PASSWORD IN KEYSTORE",
    "client-keystore-file": "REPLACE WITH THE LOCATION OF YOUR KEYSTORE FILE",
    "client-keystore-password": "REPLACE WITH THE KEYSTORE PASSWORD",
    "client-key-alias": "<my alias>",
    "token-timeout": 10,
    "client-keystore-type": "jks"
  }
}
When I try to add this config in the Keycloak JS:
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
I haven't seen a config option for a signed JWT. So, how do people do this
configuration?
Best regards,
--
*Celso Agra*
7 years, 8 months
Re: Identity Brokering
by Danny Regis
>
> Thanks Bill ,
>
Is there a subtle distinction between identity brokering and federation?
Is there anywhere which details the interaction on subsequent logins, I
found this page useful for the initial login:
http://www.keycloak.org/docs/1.9/server_admin_guide/topics/identity-broke...
I assume credentials are not imported/created during the identity
federation, hence on a return visit Keycloak would forward an
authentication request to the target IdP - effectively step 5 in the flow
linked above.
Danny
>
>
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Identity Brokering
> To: keycloak-user(a)lists.jboss.org
>
> brokering is authentication delegation. The user is imported, a local
> account is created and linked to the external IDP.
>
>
> On 4/13/17 9:12 AM, Danny Regis wrote:
> > Hello,
> >
> > I'm trying to gain clarity on whether there is a subtle difference
> between
> > Identity Federation / Identity Brokering / Authentication Brokering.
> >
> > Looking at the documentation for Identity Providers, it details this as
> > Identity Brokering, what I can't ascertain (and haven't been able to
> demo)
> > is exactly how this works. The documentation implies that the first
> broker
> > login flow creates a local user. What happens on the second login? Would
> > the user always be redirected to the IdP login pages? If so what is the
> > local user copy for?
> >
> > Potentially I'm confusing federated Open ID Connect SSO with Identity
> > Brokering.
> >
> >
> > My specific use case...
> >
> > Application A users authenticated and authorised via Identity Provider B
> > (Open Id Connect)
> >
> > However application A users should always be authenticated against IdP B,
> > there should never be local authentication based upon a local KC user.
> >
> > Would disabling "Create User If Unique" from the First Broker Login flow
> > fulfil my requirement?
> >
> > Thanks
> > Danny
7 years, 8 months
Keycloak ACL for a specific user on a specific object
by Antoine Carton
Hello,
Is there a way to manage fine grained authorizations with Keycloak like in
the following scenario:
- A user user1 belongs to a group group1
- group1 has READ access to the REST path: GET /my/entity/{entity_id}
- group1 does not have WRITE access to this path: POST /my/entity/{entity_id}
This means that all users of that group can only READ at that path,
whatever the {entity_id} is.
The question is:
Is it possible to allow user1 ONLY, out of group1, to have WRITE access to a
specific entity_id?
The purpose is to use the Spring Boot/Spring Security Adapter and replace
what Spring security does with @PreAuthorize annotation for example.
Thank you for your help,
Best regards
7 years, 8 months
Session Logout with Offline Access Token
by Benjamin Zaitlen
Hi All,
I'm having some trouble with sessions, clients, and offline access tokens.
Let's say I have a client (APP 1) and I've logged in with OIDC. I now have
a refresh_token and session for APP 1. Using the auth code flow I can
generate an offline_access token (refresh_token) for a second client: APP
2. When I look in realms/myrealm/account/sessions, I see one session
but two clients. At first I thought, great! I was able to get the auth
code flow working and I generated a refresh token for a second client.
But then disaster set in: when I logged out of the APP 1 client with the
URL protocol/openid-connect/logout, I was logged out of the session, which
included the second client, and thus the offline access token for APP 2
was effectively revoked.
I've seen a handful of JIRAs related to offline access tokens and logouts,
but I think they don't quite cover this use case. I have two questions:
1. Is it possible, using the auth code flow, to generate a refresh token in
a separate session? That is, can APP 1 generate an offline_access token for
APP 2 in a separate session without re-authenticating?
2. Can I log out a specific client for a session by passing additional
parameters in the logout URL?
Thanks,
--Ben
7 years, 8 months
Re: [keycloak-user] Keycloak App Logs out in Under 1 Minute
by Kevin Berendsen
Hi,
I think that setting checkLoginIframe to false in your initialization call may solve your problem.
You could also debug the Keycloak adapter in Firefox or Chrome to see what's happening and when.
On 14 Apr 2017 9:15 pm, "Roger Turnau (US - Advisory)" <roger.turnau(a)pwc.com> wrote:
Kevin,
Thanks for getting back to me. Here are the answers, and a little bit of clarification from further investigations:
1. The realms are for two separate codebases with different keycloak configurations, but otherwise identical keycloak code.
2. Nothing is showing up in the Keycloak logs. There are no server errors that I can see.
3. We are not doing anything with checkLoginIFrame in our initialization code.
Looking under the hood at the Javascript adapter, we found that the token was being revoked by the following code:
if (event.data != "unchanged") {
    kc.clearToken();
}
I notice that that happens in the message callback created when the iframe is set up. I assume that means that setting checkLoginIFrame to false in our configuration will fix the issue. Is that correct?
Thanks again,
Roger Turnau
On Fri, Apr 14, 2017 at 2:01 PM, Kevin Berendsen <kevin.berendsen(a)pharmapartners.nl> wrote:
Hello Roger,
I have got a few questions to know a little more about your situation:
* Is it a single AngularJS app with multi-tenancy support, or are there two codebases with identical code but different keycloak.json files?
* Have you already checked the Keycloak logs to find out where it might be going wrong? The logs would be a major help and solve most of your issues.
* Have you set checkLoginIframe from its default of true to false in the init() method of the Keycloak JS Adapter?
If you could answer these three questions, that'd be great to help you out further :) I ran into similar problems and hopefully I can solve yours as well.
Kind regards,
Kevin
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Roger Turnau (US - Advisory)
Sent: Friday, 14 April 2017 17:42
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Keycloak App Logs out in Under 1 Minute
Hi all,
I am experiencing a weird behavior where Keycloak immediately logs out a user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of
the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is
identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now.
This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The
"exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and then suddenly fall back to the login screen. Any ideas what might cause behavior like this?
Thank you for your help,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us
Save energy. Save a tree. Save the printing for something really important.
7 years, 8 months
Keycloak App Logs out in Under 1 Minute
by Roger Turnau (US - Advisory)
Hi all,
I am experiencing a weird behavior where Keycloak immediately logs out a
user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of
the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is
identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now.
This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The
"exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and
then suddenly fall back to the login screen. Any ideas what might cause
behavior like this?
Thank you for your help,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
Save energy. Save a tree. Save the printing for something really important.
7 years, 8 months
Securing Web Apps with Sessions and KeyCloak?
by Alex Berg
Hello KeyCloak users,
I spent tons of time trying to find an example of using KeyCloak to secure
an https-cookie-based session id for managing user sessions, but I can't
find it. I found examples which demonstrate using the OID redirect flow
from an AngularJS app to get tokens, but I'm concerned about the security
of storing this token in JS-land in a browser. I suspect a malicious script
could grab it and impersonate the user. Also, I don't know of any websites
I use which use this flow, but I'm new to managing user accounts so it
could be invisible to me.
I was thinking I'd like to have a form which sends the user's id and
secret to my server, then turn it into a session id to keep in an https
cookie. Or perhaps this is "the old way" of doing auth?
Anyway, are my concerns unwarranted? Is it common practice now to simply treat
my browser app as an OID client and pass a user token when requesting data
from the server?
Thanks for KeyCloak! I love how easy it is to deploy it as containers! I
was originally planning to use Gluu, but they have a pretty crappy story
for deploying as containers. Also, the KeyCloak docs and examples are
simply more relatable! Nice work on those!
- Alex
7 years, 8 months