External Role to Role Mapper
by Adam Keily
Hi All,
I'm running KC 2.5.1. In the following scenario, the role mapper 'External Role to Role' doesn't seem to work correctly.
I have two KC realms. Realm A is an IdP for Realm B. In the IdP config on realm B, I configure an External Role to Role mapper to map the role "Test".
During the first broker login of a user from Realm B to Realm A, the user is created and the role is mapped successfully.
If the role is removed from the user in Realm A, then the user signs in again from Realm B, the role is not re-added.
Similarly, the role is not added if there is an existing user in Realm A and they create a federation link with Realm B.
I have noticed an error, though, if I try to map to a non-existent role in Realm A.
Can anyone tell me if this is by design, resolved in a later release or an issue I should raise a JIRA about?
Thanks
Adam
7 years, 8 months
CatalinaSamlAuthenticator issue using keycloak saml eap6 adapter
by Jacobs, Michael
I have plugged keycloak-saml-eap6-adapter-dist-2.5.5.Final into JBoss eap-6.4.1 following these instructions:
http://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jbos...
I am using Keycloak 2.5.5 as well. I have my client set up to use POST binding, and was getting into a loop of the client trying to log in over and over.
I narrowed it down to the CatalinaSamlAuthenticator which overrides createBrowserHandler() to set up a BrowserHandler, as opposed to the WebBrowserSsoAuthenticationHandler the parent class sets up.
This BrowserHandler overrides handle() in a way that does not read the samlResponse from the façade. This leads to initiateLogin() in the parent class getting called over and over.
If I comment createBrowserHandler() in CatalinaSamlAuthenticator I get the WebBrowserSsoAuthenticationHandler implementation which has a version of handle() that works.
Am I misconfigured somehow? Or is this a bug?
Thanks,
MJ
7 years, 8 months
Cloud (PaaS) Deployments
by Dana Danet
Any experience out there deploying Keycloak in standalone mode to a Cloud platform container? Currently we are shopping providers ( Pivotal Cloud Foundry, Heroku, AWS ) in that order.
Initially, and before any real investigation of PCF, I was hoping I could use a Java buildpack; unfortunately I do not see support for deploying a standalone archive. I am assuming Heroku will be the same, which leaves AWS as a bare metal provider. Not ideal, since our cloud implementation will be in PCF.
Any and all suggestions are appreciated.
-dana
dana_dot_danet_at_evisions_dot_com
7 years, 8 months
Where does Keycloak store the RSA private key used in JWT signing?
by Reed Lewis
I have Keycloak 3.0.0, and was trying to find where the private/public key pair is stored for signing. I cannot find it anywhere in the database.
Thank you,
Reed
7 years, 8 months
Realm login screen
by Marc Tempelmeier
Hi,
Is there a standard url for a realm login screen? We want to provide back links to it from various error templates.
At the moment we can use:
/auth/realms/fastlane/protocol/openid-connect/auth?client_id=account&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fauth%2Frealms%2Ffastlane%2Faccount&response_type=code&scope=openid
That will obviously fail, because our production server is not on 127.0.0.1.
Can we get the IP address in the FreeMarker template, or is there a general URL for it?
Best regards
Marc Tempelmeier
7 years, 8 months
Signed JWT and Policy Enforcement
by Hübner, Bettina
Hi,
we use the Keycloak Spring Security Adapter and fine-grained authorization settings for a Spring Boot App and it works fine. I now tried to use signed JWT for client authentication instead of client secret but get an error message ("Client Secret not provided") when starting our app. It seems the AuthzClient expects to find a “secret”-entry in the keycloak.json. If I remove the policy enforcer claim, there is no error.
Can anyone help?
Thanks
Bettina
7 years, 8 months
Re: Get magic link for users to login
by Martin Johansson
Hi!
We want to achieve the following:
Expose a REST endpoint where an authenticated client can retrieve a magic
login link for a specific user. We have an ID in the attributes for the
user which enables us to get the correct user.
The reason for this is that we need to expose the possibility to send
e-mails from other systems than Keycloak. We have other ways of composing
the e-mails.
So wanted final state is that a user can click a link in his e-mail client
and be redirected to our app and be logged in.
BR,
Martin
---------- Forwarded message ----------
> From: Ilya Korol <llivezking(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Cc:
> Bcc:
> Date: Fri, 14 Apr 2017 15:59:10 +1000
> Subject: Re: [keycloak-user] Get magic link for users to login
> Hi, could you explain more detailed what you want to achieve? As for my
> team we also implemented custom rest endpoint, which send customized emails
> to users. Check out org.keycloak.services.resources.admin.UsersResource
> for details of default link constructing. (methods: resetPasswordEmail(),
> executeActionsEmail(), sendVerifyEmail())
>
>
> On 13.04.2017 17:54, Martin Johansson wrote:
>
>> Is it possible to retrieve the magic link that are sent by e-mail via the
>> Java
>> API? We have implemented an SPI with a REST interface and would like to
>> get
>> the link for usage in custom e-mails.
>> Any hints which provider to be used is much appreciated.
>>
>> Regards,
>> Martin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
7 years, 8 months
Keycloak grant_type
by Tech
Hi,
We are trying to setup a working login infrastructure as follows: an
application which we are trying to login through Keycloak.
The flow is as follows: we get to the application, which redirects us to
Keycloak, which should log the user and give correct access rights. This
works, Keycloak is putting the correct cookies (KEYCLOAK_IDENTITY,
KEYCLOAK_SESSION) and that redirects us back to the application.
The problem that we have is that we are not able to identify the user
logged in to KeyCloak. This is doable by the access_token, if we would
work with REST calls, but we only have the KEYCLOAK_IDENTITY cookie.
We are trying to somehow get the openid token with this
url /auth/realms/demo/protocol/openid-connect/token with the following
URL Encoded params:
- grant_type: authorization_code
- client_id: *client-id*
- client_secret: *secret*
- code: ???what code should we provide here??? (we tried adding the code
seen from browser requests but that throws invalid_code error)
The actual problem is that there is no available example in the
documentation (or at least we didn't find any) that shows how to setup a
login flow without access_token request.
Thanks,
Alin
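Added example, not from any of the posts above: the three steps of the OpenID Connect authorization-code flow that both Marc's login-URL question and Alin's grant_type question touch on. The realm name "demo", the base URLs, client id and secret are placeholders; the `code` the token endpoint wants is the one Keycloak appends to the redirect back to `redirect_uri`, and it is single-use, so a code copied from the browser after an adapter has already redeemed it is rejected.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

def build_auth_url(base_url, realm, client_id, redirect_uri, state):
    """Step 1: link the browser to the realm's authorization endpoint.
    base_url is taken from the incoming request (scheme + host) rather than a
    hard-coded 127.0.0.1, so the same template works on any server.
    `state` is a random per-login value that parse_callback() checks again."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    return (f"{base_url}/auth/realms/{realm}/protocol/openid-connect/auth?"
            f"{urlencode(params)}")

def parse_callback(callback_url, expected_state):
    """Step 2: Keycloak redirects back to redirect_uri?code=...&state=...
    Reject the callback unless the state matches the one issued in step 1,
    and surface an OIDC error response instead of silently missing `code`."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale login or forged callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]

def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 3: form body for POST .../protocol/openid-connect/token.
    redirect_uri is sent again and must equal the value used in step 1;
    the JSON answer carries access_token, id_token and refresh_token."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    })

def new_state():
    """Unpredictable state value, generated fresh for every login attempt."""
    return secrets.token_urlsafe(16)
```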
7 years, 8 months
User account
by Maísa Cáceres
Hi everyone,
I'm developing a system and using Keycloak to manage users.
I tried to find out if it's possible for a user to manage his account
information via the API, but I could not find anything about it.
Is it possible?
Thanks in advance.
--
Maísa Cáceres
7 years, 8 months