Get magic link for users to login
by Martin Johansson
Is it possible to retrieve the magic link that is sent by e-mail via the Java
API? We have implemented an SPI with a REST interface and would like to get
the link for use in custom e-mails.
Any hints on which provider to use are much appreciated.
Regards,
Martin
7 years, 8 months
Identity Brokering
by Danny Regis
Hello,
I'm trying to gain clarity on whether there is a subtle difference between
Identity Federation, Identity Brokering and Authentication Brokering.
Looking at the documentation for Identity Providers, it describes this as
Identity Brokering; what I can't ascertain (and haven't been able to demo)
is exactly how this works. The documentation implies that the first broker
login flow creates a local user. What happens on the second login? Would
the user always be redirected to the IdP login pages? If so, what is the
local user copy for?
Potentially I'm confusing federated OpenID Connect SSO with Identity
Brokering.
My specific use case...
Application A users are authenticated and authorised via Identity Provider B
(OpenID Connect).
However, application A users should always be authenticated against IdP B;
there should never be local authentication based upon a local KC user.
Would disabling "Create User If Unique" in the First Broker Login flow
fulfil my requirement?
Thanks
Danny
7 years, 9 months
Logout Issue with Keycloak
by Shiva Krishna
Hello,
I am using Keycloak as Identity and Access Management in my
application (Service Provider) and Salesforce as IdP. I am having a
logout issue when logging out of Salesforce.
1. Log in to Salesforce and open my application.
2. The request is redirected to Keycloak and opens my application in a new tab.
3. Now log out from Salesforce.
4. Go to my application and browse through it.
Expected Scenario:
In the ideal scenario, since I have logged out of Salesforce, my
application should return to the login page asking me to log in again.
Current Scenario:
The application is not logging out and I can browse through the application.
I guess backchannel logout is not working properly. I have "Front
Channel Logout" enabled in my client in Keycloak. Do I need to perform
any other configuration to log out completely?
Thanks,
Krishna S
7 years, 9 months
Photoz Authz example DB issue
by Ilya Korol
Hi, I'm trying to understand how authz works in Keycloak, so I
tried to run the keycloak/examples/authz/photoz project. I failed to run it
from the git sources (I even failed to build or test it!), so I downloaded
examples.zip from keycloak.org. I successfully built and deployed the jars
to a Keycloak instance, but when I go to the URLs specified in README.md
(http://localhost:8080/photoz-html5-client/#/album/create ...) I see
NPEs in the Keycloak logs. These errors refer to any code like:
this.entityManager.createQuery("from Album where name = :name and userId = :userId");
I checked persistence.xml:
<persistence-unit name="primary" transaction-type="RESOURCE_LOCAL">
    <provider>org.hibernate.ejb.HibernatePersistence</provider>
    <class>org.keycloak.example.photoz.entity.Album</class>
    <class>org.keycloak.example.photoz.entity.Photo</class>
    <properties>
        <property name="hibernate.dialect" value="org.hibernate.dialect.H2Dialect" />
        <property name="hibernate.connection.driver_class" value="org.h2.Driver" />
        <property name="hibernate.connection.url" value="jdbc:h2:~/keycloak-photoz-example" />
        <property name="hibernate.connection.user" value="sa" />
        <property name="hibernate.flushMode" value="FLUSH_AUTO" />
        <property name="hibernate.hbm2ddl.auto" value="update" />
        <property name="hibernate.show_sql" value="false" />
    </properties>
</persistence-unit>
Do I have to perform any DB bootstrapping actions, or should this project
work right out of the box?
7 years, 9 months
Spring Security Adapter: Set locale on redirect to login page + Link back to application from login form
by Danny Trunk
Hello everyone,
1. Set locale on redirect:
We have a multilingual application where you can choose your locale.
The login entry point then looks like
https://localhost:8443/en_US/login.html
Now I need to tell Keycloak which locale to use.
The way I realized it isn't really clean:
I'm extending from KeycloakWebSecurityConfigurerAdapter and overriding
the keycloakAuthenticationProcessingFilter method in order to
instantiate my own authentication processing filter implementation:
// imports needed by this method
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Bean
@Override
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
    // fire on the locale-prefixed login entry point (/en_US/login.html) or on any bearer-token request
    RequestMatcher requestMatcher = new OrRequestMatcher(
            new AntPathRequestMatcher("/*/login.html"),
            new RequestHeaderRequestMatcher(KeycloakAuthenticationProcessingFilter.AUTHORIZATION_HEADER));
    KeycloakAuthenticationProcessingFilter filter =
            new LocaleAwareKeycloakAuthenticationProcessingFilter(keycloakAuthenticationManager(), requestMatcher);
    filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
    return filter;
}
The custom authentication processing filter is the following:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.KeycloakAuthenticationException;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.token.AdapterTokenStoreFactory;
import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

public class LocaleAwareKeycloakAuthenticationProcessingFilter extends KeycloakAuthenticationProcessingFilter
        implements ApplicationContextAware {

    private final Logger log = LogManager.getLogger(getClass());

    // the parent keeps these private, so they are shadowed here to build our own RequestAuthenticator
    private ApplicationContext applicationContext;
    private AdapterDeploymentContext adapterDeploymentContext;
    private AdapterTokenStoreFactory adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();

    public LocaleAwareKeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager,
            RequestMatcher requiresAuthenticationRequestMatcher) {
        super(authenticationManager, requiresAuthenticationRequestMatcher);
    }

    @Override
    public void afterPropertiesSet() {
        super.afterPropertiesSet();
        adapterDeploymentContext = applicationContext.getBean(AdapterDeploymentContext.class);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        log.debug("Attempting Keycloak authentication");
        HttpFacade facade = new SimpleHttpFacade(request, response);
        KeycloakDeployment deployment = adapterDeploymentContext.resolveDeployment(facade);
        AdapterTokenStore tokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, request);
        // our locale-aware authenticator instead of the stock one; -1 = no SSL redirect port
        RequestAuthenticator authenticator =
                new LocaleAwareRequestAuthenticator(facade, request, deployment, tokenStore, -1);
        AuthOutcome result = authenticator.authenticate();
        log.debug("Auth outcome: {}", result);
        if (AuthOutcome.FAILED.equals(result)) {
            throw new KeycloakAuthenticationException("Auth outcome: " + result);
        } else if (AuthOutcome.AUTHENTICATED.equals(result)) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            Assert.notNull(authentication, "Authentication SecurityContextHolder was null");
            return getAuthenticationManager().authenticate(authentication);
        } else {
            // NOT_ATTEMPTED: send the challenge, i.e. the redirect to the Keycloak login page
            AuthChallenge challenge = authenticator.getChallenge();
            if (challenge != null) {
                challenge.challenge(facade);
            }
            return null;
        }
    }

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) {
        super.setApplicationContext(applicationContext);
        this.applicationContext = applicationContext;
    }

    @Override
    public void setAdapterTokenStoreFactory(AdapterTokenStoreFactory adapterTokenStoreFactory) {
        super.setAdapterTokenStoreFactory(adapterTokenStoreFactory);
        this.adapterTokenStoreFactory = adapterTokenStoreFactory;
    }
}
The custom request authentication is the following:
import javax.servlet.http.HttpServletRequest;

import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator;

public class LocaleAwareRequestAuthenticator extends SpringSecurityRequestAuthenticator {

    public LocaleAwareRequestAuthenticator(HttpFacade facade, HttpServletRequest request,
            KeycloakDeployment deployment, AdapterTokenStore tokenStore, int sslRedirectPort) {
        super(facade, request, deployment, tokenStore, sslRedirectPort);
    }

    // the only purpose of this subclass: hand out our OAuth authenticator instead of the stock one
    @Override
    protected OAuthRequestAuthenticator createOAuthAuthenticator() {
        return new LocaleAwareOAuthRequestAuthenticator(this, facade, deployment, sslRedirectPort, tokenStore);
    }
}
And finally the LocaleAwareOAuthRequestAuthenticator is the following:
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.spi.AdapterSessionStore;
import org.keycloak.adapters.spi.HttpFacade;

public class LocaleAwareOAuthRequestAuthenticator extends OAuthRequestAuthenticator {

    public LocaleAwareOAuthRequestAuthenticator(RequestAuthenticator requestAuthenticator, HttpFacade facade,
            KeycloakDeployment deployment, int sslRedirectPort, AdapterSessionStore tokenStore) {
        super(requestAuthenticator, facade, deployment, sslRedirectPort, tokenStore);
    }

    @Override
    protected String getRedirectUri(String state) {
        String redirect = super.getRedirectUri(state);
        if (redirect == null) {
            return null;
        }
        // take the locale from our relative path (e.g. /en_US/login.html) and append it to the
        // authorization request as kc_locale; ServletUtils is our own helper, not part of the adapter
        String url = facade.getRequest().getRelativePath();
        return redirect + "&kc_locale=" + ServletUtils.getLocaleFromURL(url).getLanguage();
    }
}
As you can see I had to override many methods and had to duplicate much
code.
Is there really no other way to set the locale when redirecting to the
login page?
---
2. Link back to application
And another problem I had to fight with: We only use the login page from
Keycloak. All other stuff should happen in our application as there are
some processes we don't want to copy. As we use a custom user storage
provider which accesses the external db from our application this isn't
a problem.
I had to make some template in order to set the URLs to link to our
password reminder and registering pages.
In this case I'm using "${client.baseUrl}/${.locale}" as base URL to
link back to pwreminder.html and register.html.
As ${client.baseUrl} isn't a mandatory field in the Keycloak Admin
Console, this isn't a clean way either.
But there's no ${client.rootUrl} to access. So this is the only chance
to unsafely link back to our application.
Why isn't the client root URL accessible in the templates? Any good
reason not to add it to the template data model?
---
If good solutions for those problems need to be implemented, I'll take a
look at the code, open issues and provide pull requests on GitHub.
7 years, 9 months
Loading extra claims from database
by Mailing lists
Hi all,
I have not been able to divine the way I might add extra claims from my application database. Given my limited understanding, I see two ways:
1 - after successful authentication, have Keycloak pull extra claims from the application database, somehow. This app database is Postgres, for example.
2 - have the application database update the JWT with extra claims using a shared key.
I would like some feedback on both paths. I feel that the first option may be safer. However, I am not sure where to begin that implementation journey.
Many thanks. Mark
7 years, 9 months
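An added example, not part of the original post and not Keycloak code, showing what option 2 above actually entails. A signed JWT cannot be "updated" in place: changing the payload invalidates the RS256 signature Keycloak put on it. The application therefore has to mint a new token of its own, carrying the identity claims it copies from the (already verified) Keycloak token plus the rows it loaded from its database, signed with the application's own shared key (HS256 here, standard library only). The Keycloak claims, the database rows, the issuer name APP_ISSUER and the key are constructed samples; verifying the Keycloak token's RS256 signature against the realm key happens before this code and is not shown.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(payload, key):
    """Compact JWS (HS256) over a JSON payload: the application's own token format."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def jws_verify_hs256(token, key, now=None):
    """Return the claims if signature and expiry check out, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and RS/HS confusion
    expected = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Claims copied from Keycloak into the application token; database rows must never override them.
IDENTITY_CLAIMS = ("sub", "preferred_username", "session_state")
RESERVED_CLAIMS = set(IDENTITY_CLAIMS) | {"iss", "aud", "exp", "iat", "upstream_iss"}

APP_ISSUER = "https://app.example.invalid"  # assumed issuer/audience name for the application's own tokens

# Constructed stand-in for the application's Postgres table, keyed by the Keycloak subject.
APP_DB = {
    "7b2a3e4c-0000-4000-8000-000000000001": {
        "department": "billing",
        "tenant_id": 42,
        "app_permissions": ["invoice:read", "invoice:write"],
    }
}

# Constructed claims of a Keycloak access token the application has ALREADY verified (RS256, iss, aud).
KEYCLOAK_CLAIMS = {
    "iss": "http://keycloak/auth/realms/vi",
    "sub": "7b2a3e4c-0000-4000-8000-000000000001",
    "preferred_username": "mark",
    "session_state": "3c1d9f2e-0000-4000-8000-00000000abcd",
    "exp": 1500000120,
}


def issue_app_token(keycloak_claims, db, shared_key, ttl_seconds=300, now=None):
    """Option 2 done safely: mint a NEW application token rather than editing the Keycloak JWT."""
    now = int(time.time()) if now is None else now
    extra = db.get(keycloak_claims["sub"])
    if extra is None:
        raise KeyError("no application record for subject " + keycloak_claims["sub"])
    clash = set(extra) & RESERVED_CLAIMS
    if clash:
        raise ValueError("database claims may not override " + ", ".join(sorted(clash)))
    payload = {name: keycloak_claims[name] for name in IDENTITY_CLAIMS if name in keycloak_claims}
    payload.update(extra)
    payload["iss"] = APP_ISSUER
    payload["aud"] = APP_ISSUER
    payload["upstream_iss"] = keycloak_claims["iss"]
    payload["iat"] = now
    # The application token must never outlive the Keycloak token it was derived from.
    payload["exp"] = min(now + ttl_seconds, keycloak_claims["exp"])
    return jws_sign_hs256(payload, shared_key)


def read_app_token(token, shared_key, now=None):
    claims = jws_verify_hs256(token, shared_key, now)
    if claims.get("iss") != APP_ISSUER or claims.get("aud") != APP_ISSUER:
        raise ValueError("not an application token")
    return claims


def is_valid_app_token(token, shared_key, now=None):
    try:
        read_app_token(token, shared_key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-shared-key-32-bytes!"
    tok = issue_app_token(KEYCLOAK_CLAIMS, APP_DB, key, now=1500000000)
    print(read_app_token(tok, key, now=1500000001))
```

The two checks worth keeping whatever library you end up using: the database rows may not overwrite the identity claims that came from Keycloak (otherwise a row edit becomes an impersonation), and the derived token's expiry is capped at the Keycloak token's exp so a revoked or expired upstream login does not live on in the application's own token.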
Offline token used to get access token - keycloak return 400
by Mariusz Chruscielewski - Info.nl
Hi. We are using offline refresh tokens in our app. I see strange behaviour that I can't understand:
Keycloak version: 2.5.5
First we do a login request:
http://keycloak/auth/realms/vi/protocol/openid-connect/token
using the password grant type, credentials and scope=offline_access
Then we wanted to test what happens when the Keycloak server is restarted (because of a deployment, outage, whatever)
Next we do a refresh call using the refresh_token (offline token):
http://keycloak/auth/realms/vi/protocol/openid-connect/token
grant_type=refresh_token&client_id=vinl&refresh_token={offline_refresh_token}
We get a 200 response with an access_token in it
When we try to use it to get user details:
http://keycloak/auth/realms/vi/protocol/openid-connect/userinfo
using an Authorization header with the access_token generated by using the refresh_token
Authorization: Bearer {Access_token}
we get a 400:
{
    "error": "invalid_request",
    "error_description": "User session not found"
}
Can you please tell me whether I'm doing something wrong or it is a Keycloak bug.
After the restart of KC there are no active sessions, but I can see that the offline tokens are there (in the admin console)
Why does it return 400?
Thanks in advance
Mariusz Chruścielewski
7 years, 9 months
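An added triage helper for the exchange above, not part of the original post and not Keycloak code. It decodes the offline refresh token and the access token obtained from it (no signature check, so for diagnosis only) and reports what each one says about the session: whether the refresh token really is an offline one (Keycloak marks those typ "Offline", online ones typ "Refresh"), whether both tokens point at the same session_state, and whether that session id is among the offline sessions listed in the admin console. The two sample tokens carry dummy signatures and constructed claim values; the claim names typ, session_state, azp and exp are the ones Keycloak uses.

```python
import base64
import json


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Header and claims of a compact JWS. NOT a verification: the signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def triage_offline_refresh(refresh_token, access_token, offline_session_ids, now):
    """Collect the facts you need before deciding whether 'User session not found' is your fault."""
    _, rt = decode_unverified(refresh_token)
    _, at = decode_unverified(access_token)
    return {
        "refresh_is_offline": rt.get("typ") == "Offline",
        "same_session": rt.get("session_state") == at.get("session_state"),
        "same_client": rt.get("azp") == at.get("azp"),
        "access_expired": at.get("exp", 0) <= now,
        # after a restart only offline sessions survive, so this is the list the id must be in
        "session_known_offline": at.get("session_state") in set(offline_session_ids),
        "session_state": at.get("session_state"),
    }


def make_sample_token(claims):
    """Constructed token: realistic header and claims, dummy signature (never send this anywhere)."""
    header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + body + "." + b64url_encode(b"not-a-real-signature")


SESSION_ID = "9f0e1d2c-0000-4000-8000-000000000077"  # constructed offline session id
SAMPLE_OFFLINE_REFRESH = make_sample_token({
    "typ": "Offline",
    "iss": "http://keycloak/auth/realms/vi",
    "azp": "vinl",
    "session_state": SESSION_ID,
})
SAMPLE_ACCESS = make_sample_token({
    "typ": "Bearer",
    "iss": "http://keycloak/auth/realms/vi",
    "azp": "vinl",
    "session_state": SESSION_ID,
    "exp": 1500000300,
})


if __name__ == "__main__":
    # the offline session list would be copied from the admin console; here it is constructed
    print(triage_offline_refresh(SAMPLE_OFFLINE_REFRESH, SAMPLE_ACCESS, [SESSION_ID], now=1500000000))
```

If refresh_is_offline, same_session and session_known_offline are all true and the access token is not expired, the client side of the exchange is consistent and the 400 is something to raise against the server; if the refresh token decodes with typ "Refresh", the login request never got an offline token in the first place and scope=offline_access is the thing to check.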