Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using keycloak in a java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the keycloak adapter to refresh the token after the permissions are
stored, this way the admin user is not required to have its token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
6 years, 7 months
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a Browser
authentication flow that will add, after User / Password Form
Authenticator, a kind of "access rules" authenticator, that will, according
to some request parameters, (for example, ip address, or application) will
add dynamically a second factor authenticator in the flow. (Like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (For example, we provide a set of second factory, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during browser
authentication process, after providing user and password, user will get a
form allowing him to choose the second factory system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticator. (So, not to write a
big 2fa authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
6 years, 8 months
Using Keycloak with Microsoft Azure Active Directory
by Reed Lewis
I am attempting to use Microsoft Azure Active Directory with Keycloak.
It is not working correctly.
Here is how I have it configured:
OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL: <none>
Backchannel Logout: Off
User Info URL: <blank>
First Login Flow: First Broker Login
It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it either only has the first and last name, but no email address.
Is there something I have configured incorrectly?
I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis
6 years, 8 months
Fwd: Error when session expired and ajax request execute in Keycloak?
by Adam Daduev
After login, i get in my app, and for all my ajax request from page to
backing bean, i receive response 401 even if the session is still alive.
If removed autodetect-bearer-only option, all work fine, but going back to
the old error.
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
---------- Forwarded message ---------
From: Adam Daduev <daduev.ad(a)gmail.com>
Date: вт, 10 янв. 2017 г. в 14:08
Subject: Re: [keycloak-user] Error when session expired and ajax request
execute in Keycloak?
To: <stian(a)redhat.com>
I tried, but does not work.
Firstly, i add autodetect-bearer-only option via adapter subsystem, wildfly
not started, he not know autodetect-bearer-only option, then, i added via
json, wildfly started and app was deployed.
Secondly, on my ajax request to backing bean, i receive response 401 and
does not happend.
This is my keycloak.json
{
"realm": "azovstal",
"auth-server-url": "http://dc09-apps-06:8090/auth",
"ssl-required": "none",
"resource": "web-test",
"public-client": true,
"use-resource-role-mappings": true,
"autodetect-bearer-only": true
}
вт, 10 янв. 2017 г. в 10:19, <daduev.ad(a)gmail.com>:
Ok, I try, thanks.
10 янв. 2017 г., в 07:07, Stian Thorgersen <sthorger(a)redhat.com> написал(а):
In that case take a look at the new autodetect-bearer-only option. You'll
need 2.5.0.Final for that.
On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote:
No, I have jsf 2 app with richfaces framework, which deploy on wildfly
10.1.
9 янв. 2017 г., в 14:51, Stian Thorgersen <sthorger(a)redhat.com> написал(а):
[Adding list back]
A web app redirects the user to a login page if not authenticated, while a
service should return a 401.
It sounds like what you have is a JS application with a service backend. In
Keycloak you should have two separate types of clients for that. The JS
application should be a public client, while the services a bearer-only
client.
On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Thanks for the answer.
Yes i have confidential client, i have web application, that asks
Keycloak server
to authenticate a user for them. As I understand, bearer-only is for web
services clients.
I probably something do not understand?
2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
Looks like your services are configured as confidential clients rather than
bearer-only and hence is sending a login request back rather than a 401.
You should either swap your service war to be a bearer-only client or use
the new autodetect-bearer-only option in adapters if you have both web
pages and services in the same war.
On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote:
Hi, can you help me!
When session expired and ajax request execute in Keycloak, i have error in
browser console:
XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
realms/azovstal/protocol/openid-connect/auth?…ml&state=
60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access.
I add in Keycloak admin console, in the client setting, Web Origins=
http://localhost:8080 (or *), and enabled cors in app, but still has error
in console. I used Keycloak 2.5.0
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 10 months
Keycloak Java adapter & ADFS
by Cat Mucius
Good day,
I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft
ADFS (on IdP side).
As I understood from this article [1], ADFS expects to receive <KeyInfo>
element in <Signature> of SAMLRequest in specific format:
"Importantly, then the SAML Signature Key Name field that shows after
enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
as AD FS expects the signing key name hint to be the subject of the signing
certificate."
But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
format [2]:
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
So I have two questions:
a. Is it really a problem? Has anyone used the Java adapter successfully to
authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
some another format?
Thanks,
Mucius.
Links:
[1]
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
[2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html
6 years, 11 months
NullPointerException while adding userFederationMappers
by Nabeel Ahmed
Hi Everyone,
I am using keycloak 2.4.0.Final and creating ldap user federation provider.
Getting the following error when creating UserFederationMappers.
14:09:27,255 ERROR [io.undertow.request] (default task-11) UT005023:
Exception handling request to
/auth/admin/realms/DecisionSpace_Integration_Server/user-federation/instances/79a731e1-6d8d-499e-a62f-73cb38af72e2/mappers:
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at
org.keycloak.services.resources.admin.UserFederationProviderResource.validateModel(UserFederationProviderResource.java:450)
at
org.keycloak.services.resources.admin.UserFederationProviderResource.addMapper(UserFederationProviderResource.java:321)
at sun.reflect.GeneratedMethodAccessor789.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Regards,
Nabeel Ahmed
Cell # +92 333 540 5542
6 years, 11 months
Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hello!
We are building an online application for which we are using Keycloak for authentification and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achive more fine-grained authorization, more specifically, we would like to set-up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is
not keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
6 years, 11 months
Spring security adapter for SAML
by Pulkit Gupta
Hi Team,
I have a application with Spring security configured.
We are trying to migrate the same to keycloak.
Do we have a spring security adapter for keycloak with SAML.
I went through the documentation and can see that we have a spring adapter
but that is for open ID connect.
--
Thanks,
Pulkit
AMS
6 years, 11 months
OAuth2 token introspection requires an active session?
by Iván Perdomo
Hi all,
We're trying to use offline access [1] to retrieve access_tokens on
behalf of the user and access a protected resource in a long running
process.
This protected resource checks the validity of the access_token using
the OAuth2 token introspection.
In our tests we found that the introspection flag "active" true|false
depends on having an active session in the server. Which seems to defeat
the purpose of the offline access capabilities.
I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
is the same.
* Get an offline token via direct grants
* Get an access_token using the offline_token
* We have an active session
* Use the token introspection for the access_token and get the expected
result: active=true
* Wait for SSO Idle timeout (so the session expires)
* Get a new access_token using the "stored" offline_token
* Use the token introspection with the new access_token. Keycloak
returns active=false because we don't have a session. But the
access_token is valid, and not expired.
The following code repository has an isolated test case of this scenario:
https://github.com/iperdomo/keycloak-oauth2-instrospection
The described steps are in this script:
https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/te...
I tried to look for logged issues regarding token introspection and
didn't found anything related to this problem.
Is this a bug or an expected behavior?
[1]
https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/o...
Thanks for your support.
--
Iván
6 years, 11 months
