Parametric Client Configuration
by matteo restelli
Hi all,
is it possible to make client URLs parametric?
I mean, is it possible to set environment variables and reference them
inside the client configuration panel?
Thank you in advance,
Matteo
7 years, 9 months
Re: [keycloak-user] [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in
by Jacobs, Michael
So what you are saying is that Keycloak, acting as an SP, will send this URL to the IdP, but the IdP can choose not to use it, and just send responses to our F5?
Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5?
Thanks for your help with this,
MJ
On Apr 5, 2017 8:01 AM, Bill Burke <bburke(a)redhat.com> wrote:
The SP can send an ACS URL; this URL will only be used if it is validated
against the Redirect URI patterns that are registered in the
configuration of the client. Does that answer your question?
On 4/4/17 6:07 PM, Jacobs, Michael wrote:
> For our application we created a SAML Identity Provider to proxy authentication to an outside source. However we need their response to be sent back to a load-balanced URL on our F5. The value that I believe controls this is "Redirect URI" in our SAML Provider config; it looks like that goes to populate the AssertionConsumerServiceURL in the SAML request. Redirect URI is not editable in the UI. Is there a way we can control what gets populated there, so our partner will be directed to send to the load-balanced URL?
>
> We'd also like to control password reset email links to contain that load-balanced URL, but it does not look like the templating system allows us to manipulate it at that level.
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
7 years, 9 months
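The reply above says an SP-supplied ACS URL is honoured only when it validates against the client's registered Redirect URI patterns. The following is an added example, not Keycloak's own code, of what that check looks like together with a configuration audit a defender would want: it assumes the matching rule is an exact entry or a trailing `*` wildcard treated as a prefix, and the registered patterns and URLs are constructed.

```python
"""Validate an SP-supplied AssertionConsumerService URL against registered
redirect URI patterns. Constructed example, not Keycloak's own code: it
assumes the matching rule is an exact entry or a trailing '*' wildcard
treated as a prefix."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed client configuration: the registered Valid Redirect URIs.
REGISTERED_PATTERNS: List[str] = [
    "https://app.example.com/saml/acs",   # exact entry
    "https://lb.example.com/*",           # wildcard confined to the path
]


def matches_pattern(url: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends with '*'."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def validate_acs_url(requested: str,
                     patterns: List[str] = REGISTERED_PATTERNS) -> Optional[str]:
    """Return the ACS URL to honour, or None when it must be ignored and the
    response sent to the configured default destination instead."""
    parts = urlsplit(requested)
    # Only absolute https destinations without a fragment are acceptable.
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return None
    for pattern in patterns:
        if matches_pattern(requested, pattern):
            return requested
    return None


def overbroad_patterns(patterns: List[str]) -> List[str]:
    """Configuration check: a wildcard placed directly after the host
    ('https://lb.example.com*') makes the prefix rule accept any host name
    that merely begins with those characters. Keeping a '/' before the '*'
    confines the wildcard to the path."""
    flagged = []
    for pattern in patterns:
        if pattern.endswith("*") and urlsplit(pattern[:-1]).path == "":
            flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    for url in ("https://lb.example.com/saml/acs", "https://other.example.com/acs"):
        print(url, "->", validate_acs_url(url))
    print("overbroad:", overbroad_patterns(["https://lb.example.com*",
                                            "https://lb.example.com/*"]))
```

Running the block prints which of the two constructed URLs would be honoured and flags the host-level wildcard pattern; the same audit applied to a real client's pattern list is the quickest way to confirm a load-balanced ACS URL is accepted for the right reason.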
401 for spring security adapter + spring boot + long session
by Aritz Maeztu
I have an application where I want its users to be able to stay logged
in for a long time (about one year before the session ends). I'm using
Spring Boot + Spring Security and the Keycloak Spring Security adapter
(2.5.4 final). The Keycloak server is 2.2.1. What I've done:
Set up the realm to permit long-lived sessions:
Session Idle: 365 days
Session max: 365 days
Offline session idle: 30 days
Access token lifespan: 1 Minute
Lifespan for implicit flow: 365 days
Then, in my application (single server and single keycloak client,
confidential access type) I set up this environment variable:
server.session-timeout: 525600
Then in my front-end I've got AngularJS integrated; it works as a single
page application and performs some routing without refreshing the whole
page.
My problem:
When I leave the application idle (for around 30 minutes), after
performing some request to any REST endpoint, I get a 401 code. The
application works again when I press F5 and refresh the page. The
problem only occurs when I access the REST endpoints without
requesting the whole page again.
Am I missing something?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's responsibility.
7 years, 9 months
Disable CORS on realm endpoints?
by Joe Rowe
Hi all,
Is there a configuration setting which will disable CORS at the endpoint
URL:
<server>/auth/realms/<valid realm>
?
CORS is on by default here, but is not needed for our application and
causes false positives in pen testing.
Any help would be gratefully received!
Thanks
Joe
7 years, 9 months
Jgroups configuration
by Roman Nikolaevich
Hello Guys,
Could you please advise how I can change the JGroups protocol stack?
As far as I can see, it is hard-coded right now.
if (clustered) {
    gcb.transport().defaultTransport();
}
Is it possible to add some customization here?
Thanks in advance.
7 years, 9 months
Docker and Port 9999
by Marc Tempelmeier
Hi,
I am still trying to get the Domain Clustered Mode in Docker working. My master container runs and is callable from the host, but I have problems connecting the slave.
Port 9999 is needed by the slave, right? I exposed it in the master's Dockerfile, but if I run nmap from the slave it still shows as closed.
What can I do to open it?
Best regards
Marc
7 years, 9 months
How to authenticate using offline refresh_token
by Mariusz Chruscielewski - Info.nl
Hi,
We are using the scope=offline_token param to get a refresh_token that is valid for a long time, then we make this call:
grant_type=refresh_token&client_id=xxxx&scope=offline_access&refresh_token={refresh_token}
to get an access_token, and that call returns an access_token with status 200. The next step is to call our custom REST endpoint using the authorization header:
Authorization: bearer {access_token}
But in Keycloak itself, when we try to check if token is valid:
private final KeycloakSession session;
private final AuthenticationManager.AuthResult auth;

public EntitlementResourceProvider(KeycloakSession session, String abosUrl, String abosUsername, String abosPassword) {
    this.session = session;
    // Validates the bearer token of the current request against the realm;
    // returns null when the token is rejected
    this.auth = new AppAuthManager().authenticateBearerToken(session, session.realms().getRealm(Constants.XXXXXXX));
}
this.auth is null. When I was debugging this, I found that Keycloak reports: Token invalid. How can it be invalid, if it was just issued?
What is even more interesting, this works between the first login using credentials and the time configured as SSO Session Idle (so in our case for 30 minutes).
I understand that the session is closed after some idle time, but if we have a valid refresh_token, and we get a new access_token, why doesn't it validate? Am I using the wrong method?
Kind Regards,
Mariusz Chruścielewski
software engineer
mariusz(a)info.nl<mailto:mariusz@info.nl> | LinkedIn<https://www.linkedin.com/in/mariusz-chruscielewski> | +31 (0)20 530 9113<tel:+31205309113%20>
info.nl <http://www.info.nl>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100<tel:+31205309100>
7 years, 9 months
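The post above walks through the exchange: a long-lived offline refresh token is presented with grant_type=refresh_token, a short-lived access token comes back, and a resource endpoint checks the bearer header. The following is an added example, not Keycloak's own code, that models both sides of that exchange in one process so the pieces can be exercised offline. The token values, lifetimes, in-memory stores and the rule that an offline token is bound to an offline-session idle timer while an ordinary refresh token is bound to the SSO session idle timer are all assumptions of this simplified model.

```python
"""Simplified model of the refresh_token grant for an offline token and the
bearer check on the resource side. Constructed example, not Keycloak's own
code; token values, lifetimes and the in-memory stores are assumptions."""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

ACCESS_TOKEN_LIFESPAN = 300          # seconds; assumed value
SSO_SESSION_IDLE = 30 * 60           # 30 minutes, as in the thread
OFFLINE_SESSION_IDLE = 30 * 86400    # assumed 30 days

# Constructed store of issued refresh tokens. An offline token is bound to an
# offline session; an ordinary one is bound to the SSO session's idle timer.
REFRESH_TOKENS: Dict[str, Dict] = {
    "offline-token-1": {"client_id": "xxxx", "offline": True,  "user": "alice", "last_used": 0},
    "online-token-1":  {"client_id": "xxxx", "offline": False, "user": "bob",   "last_used": 0},
}
ACCESS_TOKENS: Dict[str, Dict] = {}   # access token value -> {"user", "exp"}


def refresh_request_body(client_id: str, refresh_token: str) -> str:
    """Client side: the form body for the call quoted in the post."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "scope": "offline_access", "refresh_token": refresh_token})


def token_endpoint(body: str, now: int) -> Dict:
    """Server side: exchange a refresh token for a short-lived access token."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    meta = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    if meta is None or meta["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    # The session the token belongs to must still be active.
    idle_limit = OFFLINE_SESSION_IDLE if meta["offline"] else SSO_SESSION_IDLE
    if now - meta["last_used"] > idle_limit:
        return {"error": "invalid_grant", "error_description": "session not active"}
    meta["last_used"] = now              # activity keeps the session alive
    access_token = secrets.token_urlsafe(24)
    ACCESS_TOKENS[access_token] = {"user": meta["user"], "exp": now + ACCESS_TOKEN_LIFESPAN}
    return {"access_token": access_token, "token_type": "bearer",
            "expires_in": ACCESS_TOKEN_LIFESPAN, "refresh_token": params["refresh_token"]}


def bearer_header(access_token: str) -> Dict[str, str]:
    """Client side: the header exactly as written in the post (lowercase scheme)."""
    return {"Authorization": f"bearer {access_token}"}


def authenticate_bearer(headers: Dict[str, str], now: int) -> Optional[str]:
    """Resource side: return the user for a valid bearer token, else None.
    The scheme is compared case-insensitively, so 'bearer' and 'Bearer' both pass."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    meta = ACCESS_TOKENS.get(token)
    if meta is None or meta["exp"] <= now:
        return None
    return meta["user"]


if __name__ == "__main__":
    now = 3600                                    # one hour after issuance
    for rt in ("offline-token-1", "online-token-1"):
        resp = token_endpoint(refresh_request_body("xxxx", rt), now)
        print(rt, "->", resp.get("error", "access token issued"))
        if "access_token" in resp:
            print("  resource sees user:",
                  authenticate_bearer(bearer_header(resp["access_token"]), now))
```

In this model the ordinary refresh token is refused an hour after its last use because the 30-minute SSO idle window has lapsed, while the offline token is still exchanged; an access token obtained that way is then accepted by the resource side until its own lifespan runs out.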
Re: [keycloak-user] Mapping Azure Ad token_id groups to users roles
by Andrius Karpavičius
Hi,
I have posted a question a few weeks ago on a similar topic - how to
retrieve Azure AD groups and roles, but nobody has answered.
So maybe you can tell me how you have your AD configured so that you get
group info in the token.
Thanks,
Andrius
>>>
I have created an OpenID identity provider with Azure Active Directory and it
works. What I am failing to do is retrieve any group or role information from
Azure, so I can assign corresponding roles in Keycloak.
In their documentation, https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims I see
that if response_type is specified as "id_token" the additional claims "roles"
and "groups" should be returned.
But Keycloak's redirect to the authorization URL in Azure contains the parameter
response_type=code and there is no way to override it.
Azure AD's OpenID configuration https://login.microsoftonline.com/e061e904-dda8-491c-9f2f-d1e3051a5191/.well-known/openid-configuration
returns "response_types_supported":["code","id_token","code id_token","token id_token","token"] but "claims_supported" doesn't mention
the "groups" or "roles" claims.
So the question is: is it possible to change response_type to include id_token,
so that the groups or roles claims are retrieved and can be used in a mapper to assign
corresponding roles in Keycloak? If not, what is the suggested approach:
store the token and retrieve them separately?
Andrius Karpavičius
tel.: +54 9 3546 482150,
skype: andriuskarpavicius
>
>
> Date: Wed, 5 Apr 2017 09:12:01 +0200
> From: Adrien Voisin <adrien.voisin.be(a)gmail.com>
> Subject: [keycloak-user] Mapping Azure Ad token_id groups to users
> roles
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
>
> Hi all,
>
>
> I have the following configuration :
>
>
> *My application :*
>
> Front : Angular 2
>
> Backend : Springboot rest api
>
>
> *Auth:*
>
> Keycloak 3.0.0
>
> Windows Azure AD
>
>
> The goal is to use Keycloak and Windows Azure for authentication and
> permissions management of my web app.
>
> (I followed this tutorial:
> http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/
> )
>
>
> *Windows Azure AD* : I registered my webapp into Azure AD
>
> *Keycloak *: I added two clients (front & back) + an identity provider
> (Azure).
>
>
> The authentication part works well (each request is redirected to the
> Microsoft auth, then a user is added in Keycloak on first login).
>
>
> Now I would like to use information from the Azure token (doc:
> https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims)
> for permissions management.
>
>
> A token from Azure AD looks like the one below:
>
>
> {
> typ: "JWT",
> alg: "RS256",
> x5t: "kriMPdmBvx68skT8-mPAB3BseeA"
> }.
> {
> aud: "https://contoso.onmicrosoft.com/scratchservice",
> iss: "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/",
> iat: 1416968588,
> nbf: 1416968588,
> exp: 1416972488,
> ver: "1.0",
> tid: "b9411234-09af-49c2-b0c3-653adc1f376e",
> amr: [
> "pwd"
> ],
> roles: [
> "Admin"
> ],
> oid: "6526e123-0ff9-4fec-ae64-a8d5a77cf287",
> upn: "sample.user(a)contoso.onmicrosoft.com",
> unique_name: "sample.user(a)contoso.onmicrosoft.com",
> sub: "yf8C5e_VRkR1egGxJSDt5_olDFay6L5ilBA81hZhQEI",
> family_name: "User",
> given_name: "Sample",
> groups: [
> "0e129f6b-6b0a-4944-982d-f776000632af",
> "323b13b3-1851-4b94-947f-9a4dacb595f4",
> "6e32c250-9b0a-4491-b429-6c60d2ca9a42",
> "f3a161a7-9a58-4e8f-9d47-b70022a07424",
> "8d4c81b2-b1ad-476d-9574-544d155aa6ff",
> "1bf80164-ff24-4866-b19c-6212e5b9a847",
> "76f80127-f2cd-46f4-8c52-8edd8bc749b1",
> "0ba27160-44d0-42b5-b90c-47b3fcc48e35"
> ],
> appid: "b075ddef-0efa-123b-997b-de1337c29185",
> appidacr: "1",
> scp: "user_impersonation",
> acr: "1"
> }.
7 years, 9 months
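Both posts in this thread come down to turning the `groups` (object ids) and `roles` claims of the Azure AD token shown above into application roles. The following is an added example, not Keycloak's identity-provider mapper and not code from either poster: it decodes the payload segment of a compact JWT, checks issuer and validity window, and maps group object ids to local role names through a table. The group-to-role table, the sample token (built from the claims quoted in the thread) and the time values are assumptions; the payload is decoded without signature checking, which in a real broker happens before any mapping is trusted.

```python
"""Map the 'groups' and 'roles' claims of an Azure AD id_token payload to
application roles. Constructed example, not Keycloak's identity-provider
mapper: the group-to-role table, the sample token and the time values are
assumptions. The payload is decoded here without signature verification;
a real broker verifies signature, issuer and audience before mapping."""
import base64
import json
from typing import Dict, Set

# Constructed mapping: Azure AD group object id -> application role.
GROUP_TO_ROLE: Dict[str, str] = {
    "0e129f6b-6b0a-4944-982d-f776000632af": "app-admin",
    "323b13b3-1851-4b94-947f-9a4dacb595f4": "app-user",
}
EXPECTED_ISSUER = "https://sts.windows.net/b9411234-09af-49c2-b0c3-653adc1f376e/"

# Constructed claims, taken from the decoded token quoted in the thread.
SAMPLE_CLAIMS: Dict = {
    "aud": "https://contoso.onmicrosoft.com/scratchservice",
    "iss": EXPECTED_ISSUER,
    "iat": 1416968588, "nbf": 1416968588, "exp": 1416972488,
    "roles": ["Admin"],
    "upn": "sample.user@contoso.onmicrosoft.com",
    "groups": ["0e129f6b-6b0a-4944-982d-f776000632af",
               "323b13b3-1851-4b94-947f-9a4dacb595f4",
               "6e32c250-9b0a-4491-b429-6c60d2ca9a42"],   # unmapped, ignored
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> Dict:
    """Return the claims from the middle segment of a compact JWT."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def roles_from_claims(claims: Dict, now: int,
                      mapping: Dict[str, str] = GROUP_TO_ROLE) -> Set[str]:
    """Union of the token's direct 'roles' and the roles its groups map to.
    Raises ValueError when the token is not from the expected issuer or is
    outside its validity window."""
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    roles = set(claims.get("roles", []))          # roles Azure assigned directly
    for group_id in claims.get("groups", []):     # group object ids -> local roles
        role = mapping.get(group_id)
        if role is not None:
            roles.add(role)
    return roles


def make_sample_token(claims: Dict) -> str:
    """Constructed compact JWT with a placeholder signature segment, for
    exercising decode_payload only; it is not a signed token."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims = decode_payload(token)
    print(claims["upn"], "->", sorted(roles_from_claims(claims, now=1416970000)))
```

Run as a script it prints the user principal name followed by the three resulting roles; the third group id in the sample is absent from the table and contributes nothing, which is the behaviour you want for groups the application has no use for.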