Adapter Token Verification
by Kevin Berendsen
Hi community!
Is there any diagram of how token verification takes place in adapters? I have a public client and a bearer-only client which is basically a protected API. I wish to verify the token on each API request and it already does that out-of-the-box with Spring Security, which is nice, but how am I 100% certain that the bearer token is valid?
In Keycloak.json it's possible to fill in a realm-public-key. When that key has a value in the JSON object, will the verification of the token only happen on the client (due to the signature within the token) or does it make an external request to the Keycloak endpoint to verify the token and fill the security context of the HttpSession?
Kind regards,
Kevin
7 years, 9 months
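What verification against a configured realm-public-key amounts to, as an added Go example that is not code from the original post or from Keycloak: the bearer token's RS256 signature, issuer and expiry are checked locally with the realm key and nothing is sent to the Keycloak server (token introspection is the alternative that does make such a request). The key pair, issuer URL and claims are constructed here, and the public key is assumed to be already parsed (the keycloak.json value is base64-encoded DER, which x509.ParsePKIXPublicKey reads).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of access-token claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Sign builds a constructed RS256 token (header.payload.signature) standing in for one the realm issued.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(in))
	return in + "." + b64.EncodeToString(sig), err
}

// VerifyOffline accepts a token using nothing but the realm public key: RS256 signature over header.payload,
// issuer and expiry (now is Unix seconds). No request to Keycloak is made; the header's alg is deliberately ignored.
func VerifyOffline(pub *rsa.PublicKey, tok, issuer string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	raw, err1 := b64.DecodeString(p[1])
	sig, err2 := b64.DecodeString(p[2])
	var c Claims
	if err1 != nil || err2 != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("undecodable token")
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return nil, fmt.Errorf("signature does not match the realm public key")
	}
	if c.Iss != issuer || now >= c.Exp {
		return nil, fmt.Errorf("wrong issuer %q or expired token", c.Iss)
	}
	return &c, nil
}
```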
Host header verification during introspect?
by Dmitry Korchemkin
As I wrote a couple of days ago, I have an issue with introspection. When sending an introspect request through a proxy I get a pretty uninformative {"active" : "false"} as a result.
I have two proxies, private and public, and all the requests to Keycloak go through them. When I get a token from the private proxy (http://private.com/../protocol/openid-connect/token) and then try to access introspect through the public proxy (http://public/../protocol/openid-connect/token/introspect) with this token, it fails with the error I provided above. The token is issued to the private proxy, obviously.
When I receive a token and use it to access introspect through the same proxy, it works.
I've tried to modify my proxies to hack the Host header and replace it with whatever the token is issued to, and it works when I manually do the steps above with Postman, but unfortunately it horribly breaks something else within my code.
I get that it's more secure this way, but I did not have this issue when I used 1.9.8.Final. Is there a way to disable this introspect host checking with 3.0.0?
7 years, 9 months
Best Practices and Recommendations
by Hugh Campbell
Greetings!
I am involved in an upcoming on-site client engagement, performing a Best Practices analysis of their environment for Red Hat SSO, which Keycloak is a component of. I have been in the process of reviewing all available information related to Keycloak as well as setting up my own instances to get a better feel for the platform.
However, one area I am having little success in is finding a collection of best practices and recommendations for deploying and securing Keycloak. I am also having difficulty finding best practices and recommendations for SAML SSO that would relate to Keycloak.
Does such material exist, or is this an instance where we will have to take the current literature as it exists and adapt it to meet our client's needs? I'd rather not re-invent the wheel and instead draw from the wisdom of the crowd for this effort.
Thanks in advance!
V/R
- Hugh
7 years, 9 months
Fwd: Retrieve SAMLResponse after login
by Shiva Krishna
Hello,
I need to retrieve the SAMLResponse as is, as it appears in the browser after login using Keycloak. I am able to retrieve the SAMLPrincipal and other variables, but I am not able to see the parameter "SAMLResponse".
What is the way to get it?
Thanks,
Krishna S
7 years, 9 months
username in host-slave.xml
by Marc Tempelmeier
Hi,
I saw that the official documentation does not mention a username in host-slave.xml, but in the WildFly documentation it is present.
How does Keycloak determine the correct user?
Best regards
Marc
7 years, 9 months
[development] Jumping to another flow from an authenticator
by Tomás García
Hi,
I'm doing experiments with authenticators... I've made an authenticator for the "first broker login" flow and I'm wondering if, under a certain condition I implemented inside the authenticateImpl method of the authenticator, I can jump to the browser flow to "challenge" the user with the regular login screen. It looks like it's impossible by design.
If there's another alternative you can think of, it would be great.
Thanks.
7 years, 9 months
Theming: Set URLs + Locale
by Danny Trunk
Hello everyone,
Is there a clean way to set the registrationUrl, loginUpdateProfileUrl and loginResetCredentialsUrl to my own ones based on the Redirect URI, as well as sending a Locale to the Keycloak pages to be used instead of the configured default?
I'm using the Spring Security Adapter and I'm also familiar with creating a Service Provider.
I need to do the registration, password forgotten and update profile processes within my webapp as there are some post-processes to be done and I don't want to rewrite them. That's no problem as I'm using a User Storage Provider.
The Redirect URI looks like https://localhost:8443/de_DE/login.html
The Registration page is accessible through https://localhost:8443/de_DE/register.html
The Password forgotten page is accessible through https://localhost:8443/de_DE/pwreminder.html
The Update Profile page is accessible through https://localhost:8443/de_DE/myaccount.html
The hackish way would be to get the query parameter "redirect_uri" in the ftl template and build the base URL "https://localhost:8443/de_DE". But then the template still uses the default Locale.
Are there any clean ways?
7 years, 9 months