How to remove Expires/Max-age from session cookie?
by Caranzo Gideon
Hi,
Is it possible in Keycloak to remove Expires/Max-age from the "KEYCLOAK_SESSION" cookie?
Basically, we want the cookie to last only until the browser is closed.
Also, why does Keycloak set this value on the cookie? What are the risks in case an attacker is able to steal it?
Best regards,
Gideon
8 years, 11 months
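A check for the question above about Expires/Max-age on the KEYCLOAK_SESSION cookie, added here as an example and not Keycloak's code: it parses each Set-Cookie header of a response and reports which cookies are persistent (Expires or Max-Age present) and which lack Secure or HttpOnly. The header values are constructed placeholders that only imitate the shape of a login response. Two caveats for the defender's side of the question: omitting Expires and Max-Age only asks the browser to discard the cookie at exit, and browsers with session restore keep such cookies across restarts; and whatever the cookie attributes say, a stolen value is only useful while the server-side session it refers to is alive, so the realm's SSO Session Idle and SSO Session Max settings bound the exposure window.

```python
"""Audit the Set-Cookie headers of a response for lifetime and exposure attributes.

Added example, not Keycloak code. Per RFC 6265 a cookie carrying neither Expires
nor Max-Age is a browser session cookie, discarded when the browser exits; with
either attribute the browser stores it on disk until that time. Header values
below are constructed placeholders that only imitate a Keycloak login response.
"""

# Constructed sample: Set-Cookie headers from one hypothetical login response.
SAMPLE_SET_COOKIE_HEADERS = [
    "KEYCLOAK_SESSION=demo/SESSION_ID/CLIENT_SESSION_ID; Version=1; "
    "Expires=Fri, 12-May-2017 07:14:40 GMT; Max-Age=36000; Path=/auth/realms/demo/; Secure",
    "KEYCLOAK_IDENTITY=PLACEHOLDER_JWT; Version=1; Path=/auth/realms/demo/; Secure; HttpOnly",
    "AUTH_SESSION_ID=PLACEHOLDER_ID; Version=1; Path=/auth/realms/demo/; Secure; HttpOnly; SameSite=None",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are case-insensitive in RFC 6265, so they are lower-cased;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(header):
    """True when the cookie has no Expires and no Max-Age, i.e. it lives until browser exit."""
    _, _, attrs = parse_set_cookie(header)
    return "expires" not in attrs and "max-age" not in attrs


def audit_cookie(header):
    """Return (name, findings); findings is empty when nothing needs a second look."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    # Max-Age takes precedence over Expires when both are present (RFC 6265, section 5.3).
    if "max-age" in attrs:
        findings.append(f"persistent: Max-Age={attrs['max-age']}s, survives browser exit")
    elif "expires" in attrs:
        findings.append(f"persistent: Expires={attrs['expires']}, survives browser exit")
    if "secure" not in attrs:
        findings.append("missing Secure: browser would also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts (acceptable only if a script must read it)")
    return name, findings


def audit_headers(headers):
    """Map each cookie name to its findings for every Set-Cookie header of a response."""
    return dict(audit_cookie(h) for h in headers)


def persistent_cookie_names(headers):
    """Names of the cookies that would outlive the browser session."""
    return [parse_set_cookie(h)[0] for h in headers if not is_session_cookie(h)]


if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Run it against the Set-Cookie headers captured from a real login response (for example from the browser's network panel) to see which cookies the browser will keep on disk; the persistent ones are the ones whose lifetime deserves to be compared with the realm's session timeouts.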
Support for transactional email providers like SendGrid, Mailgun or Mandrill
by Vineet Reynolds
Hi everybody,
Has anyone managed to configure Keycloak 2.0.0.Final to use a transactional email API instead of configuring an SMTP server? I would prefer to have Keycloak send emails using a REST API like Sendgrid, Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running an SMTP server.
I'd also appreciate knowing whether this is possible through the SPI providers.
* Should I implement both the EmailSenderProvider and EmailTemplateProvider SPIs?
* I cannot get my custom EmailSenderProvider SPI implementation to work, as the FreemarkerEmailTemplateProvider implementation fails to obtain the implementation of the EmailSenderProvider. The stack trace is below:
13:17:53,991 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-39) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
    at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
    at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
    at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559)
    at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490)
    at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412)
    at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
    at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
    at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
    ... 57 more
Thanks,
Vineet
8 years, 11 months
Associating users to IDPs
by John D. Ament
Hi,
In my keycloak install, users don't have passwords yet as they're using SAML to access my applications. Other than calling APIs to set up the federated ID links, are there other ways to automatically create a relationship between a user and their IDP? For now, every user would be associated to every IDP in their realm.
John
8 years, 11 months
Trouble with initial SSL handshake from client
by Chris Benninger
Hi,
I just moved my dev setup from HTTP to HTTPS. Right now I have a self-signed cert.
What I do is, set up a cert the usual way and configure keycloak. Everything is fine from the browser once I accept the cert.
Then my backend service keycloak.conf has 'https' in it now. All good. In order to make my java service using the keycloak client trust it I have to add the cert to the trust store.
I export the public cert:
> keytool -export -keystore keycloak.jks -alias keycloak -file keycloak.cer
Then on the backend client, I import it into the default keystore:
> keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -alias keycloak -file keycloak.cer
When I try to perform the first call on the backend service it is still rejecting the cert for some reason. I can't get it to trust the thing.
> 2017-05-09 21:14:40,053 ERROR o.k.a.r.JWKPublicKeyLocator Error when sending request to retrieve realm keys
> org.keycloak.adapters.HttpClientAdapterException: IO error
> ...
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_111]
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
If anyone has any insight it would be greatly appreciated.
8 years, 11 months
question on REST API usage
by Istvan Orban
Hi Guys,
We have several applications, one of them is a SPA. We are moving our application's user management to Keycloak.
In our SPA application we have three features:
1, /api/users/me -> returning the details of the logged-in user
2, /api/users -> get a list of users / realm
3, /api/users/{email} -> returning info of a user
Solutions:
1, is easy to solve by using the userinfo endpoint of OpenID Connect
2 and 3 I wanted to solve by creating an API proxy and using the REST endpoint of Keycloak.
Of course, to support this my existing API needs to log in to the realm as a user.
Am I on the right track? Is there a better approach?
Thanks for any guidance!
8 years, 11 months
Error with Postgres datasource
by sesnor.silva@sapo.pt
Hello,
I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the documentation provided here:
https://keycloak.gitbooks.io/documentation/server_installation/topics/dat...
However, running in standalone operation mode, I get the following error:
2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:129)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
    ... 31 more
Caused by: java.lang.IllegalStateException
    at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
    at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
    ... 40 more
And I'm at a stalemate with the configuration, because I have no idea what I'm doing wrong.
I've configured the postgres driver module in keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main as (postgresql-9.4.1210.jar is present as well):
https://pastebin.com/pjwn09gX
My standalone.xml is as follows:
https://pastebin.com/ggDHZFJx
Does anyone have any idea what I could be doing wrong? Did I miss anything in my configuration?
Thank you very much for your time,
My best regards,
Silva
8 years, 11 months
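One way to narrow down the NameNotFoundException for datasources/KeycloakDS in the post above, added here as an example and not part of Keycloak or WildFly: that exception with an IllegalStateException root means the JNDI binding for the datasource was never made available, which in practice typically means the datasource service itself did not start, and the usual reason is that the JDBC driver it references cannot be resolved. The script below parses a standalone.xml (a constructed fragment is embedded, with placeholder URL and credentials) and cross-checks the datasource's jndi-name and enabled flag, its <driver> reference against the <drivers> declarations, the driver's module attribute against the module tree (including the system/layers/keycloak layer the post mentions), and the module.xml's own name and resource-root jar. The module name org.postgres and the jar name postgresql-9.4.1210.jar are taken from the post; the helper that lays out a sample module tree writes an empty placeholder jar.

```python
"""Cross-check the Keycloak datasource in standalone.xml against the JBoss module tree.

Added example, not part of Keycloak or WildFly. It looks for the slips that
commonly leave java:jboss/datasources/KeycloakDS unbound at boot: the datasource
is missing, renamed or disabled; its <driver> reference has no matching
<driver name="..."> declaration; or that declaration's module= attribute does
not resolve to a module.xml whose own name and resource-root jar agree with it.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

KEYCLOAK_DS_JNDI = "java:jboss/datasources/KeycloakDS"

# Constructed fragment in the shape of the WildFly datasources subsystem; the
# connection URL, credentials and module name are placeholders.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:4.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
                    enabled="true" use-java-context="true">
          <connection-url>jdbc:postgresql://localhost/keycloak</connection-url>
          <driver>postgresql</driver>
          <security><user-name>keycloak</user-name><password>CHANGE_ME</password></security>
        </datasource>
        <drivers>
          <driver name="postgresql" module="org.postgres"/>
        </drivers>
      </datasources>
    </subsystem>
  </profile>
</server>
"""

# Constructed module.xml that the driver declaration above should resolve to.
SAMPLE_MODULE_XML = """<module xmlns="urn:jboss:module:1.3" name="org.postgres">
  <resources><resource-root path="postgresql-9.4.1210.jar"/></resources>
  <dependencies><module name="javax.api"/><module name="javax.transaction.api"/></dependencies>
</module>
"""


def _local(tag):
    """Drop the XML namespace so the check does not depend on the subsystem schema version."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem):
    yield elem
    for child in elem:
        yield from _walk(child)


def find_module_xml(modules_root, module_name):
    """Resolve a dotted module name to its module.xml in the flat or layered module roots."""
    rel = os.path.join(*module_name.split("."), "main", "module.xml")
    for root in (modules_root,
                 os.path.join(modules_root, "system", "layers", "keycloak"),
                 os.path.join(modules_root, "system", "layers", "base")):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            return path
    return None


def check_datasource(xml_text, modules_root, jndi_name=KEYCLOAK_DS_JNDI):
    """Return a list of findings; an empty list means the wiring looks consistent."""
    root = ET.fromstring(xml_text)
    declared = {e.get("name"): e for e in _walk(root)
                if _local(e.tag) == "driver" and e.get("name")}
    matches = [e for e in _walk(root)
               if _local(e.tag) in ("datasource", "xa-datasource") and e.get("jndi-name") == jndi_name]
    if not matches:
        return [f"no datasource bound to {jndi_name}"]
    ds, findings = matches[0], []
    if ds.get("enabled", "true").lower() != "true":
        findings.append(f"{jndi_name} is declared but enabled=false")
    ref = next((c.text or "" for c in ds if _local(c.tag) == "driver"), "").strip()
    if ref not in declared:
        findings.append(f"datasource references driver '{ref}' but no <driver name=\"{ref}\"> is declared")
        return findings
    module_name = declared[ref].get("module", "")
    module_xml = find_module_xml(modules_root, module_name)
    if module_xml is None:
        findings.append(f"driver '{ref}' points at module '{module_name}' but no module.xml exists under {modules_root}")
        return findings
    mod = ET.parse(module_xml).getroot()
    if mod.get("name") != module_name:
        findings.append(f"{module_xml} declares name='{mod.get('name')}' but the driver expects '{module_name}'")
    for res in _walk(mod):
        if _local(res.tag) == "resource-root":
            jar = os.path.join(os.path.dirname(module_xml), res.get("path", ""))
            if not os.path.isfile(jar):
                findings.append(f"resource-root '{res.get('path')}' is missing next to {module_xml}")
    return findings


def build_sample_modules(root=None):
    """Lay the constructed module tree out under root (a temp dir by default) for offline trials."""
    root = root or tempfile.mkdtemp()
    mod_dir = os.path.join(root, "system", "layers", "keycloak", "org", "postgres", "main")
    os.makedirs(mod_dir, exist_ok=True)
    with open(os.path.join(mod_dir, "module.xml"), "w") as fh:
        fh.write(SAMPLE_MODULE_XML)
    with open(os.path.join(mod_dir, "postgresql-9.4.1210.jar"), "wb") as fh:
        fh.write(b"")  # empty placeholder standing in for the driver jar
    return root


if __name__ == "__main__":
    modules = build_sample_modules()
    for line in (check_datasource(SAMPLE_STANDALONE_XML, modules) or ["OK: datasource, driver and module agree"]):
        print(line)
```

Against a real installation, pass the contents of standalone/configuration/standalone.xml and the modules directory of the Keycloak distribution; the first finding printed is the one to fix, since each later check depends on the earlier one resolving.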
Keycloak -- possible to configure connectionsJpa.migrationStrategy to "manual" via standalone.sh -D option?
by Jan Lieskovsky
Hello Keycloak users,
In order to perform a manual DB upgrade when upgrading Keycloak from older versions, the current documentation:
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...
(section Migrate database)
suggests configuring standalone.xml as follows:
<spi name="connectionsJpa">
    <provider name="default" enabled="true">
        <properties>
            ...
            <property name="migrationStrategy" value="manual"/>
        </properties>
    </provider>
</spi>
and possibly also setting "initializeEmpty=false" and a proper "migrationExport" file location [1].
As an alternative it is suggested to use the CLI instead (I am also aware of the exact form of the corresponding CLI query).
But suppose that due to some limitations it's not possible to perform either of these two actions (neither the standalone.xml update, nor the jboss-cli change).
Is there a way to configure "migrationStrategy" to "manual" using the list of correct options supplied on the CLI when starting the standalone.sh server?
Something like [*]:
./standalone.sh -Dkeycloak.connectionsJpa.migrationStrategy=manual \
    -Dkeycloak.connectionsJpa.initializeEmpty=false \
    -Dkeycloak.connectionsJpa.migrationExport=/tmp/kdb-update.sql
E.g. it seems to be possible to use the -Dkeycloak.connectionsJpa.{url,driver,user,password} options at the very least (based on:
http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009286.html or
https://github.com/keycloak/keycloak/blob/master/misc/DatabaseTesting.md )
Or the db export / import options (-Dkeycloak.migration.{action,provider}, based on:
https://keycloak.gitbooks.io/documentation/server_admin/topics/export-imp...)
But is it possible in the same way (via custom -D options) to configure "migrationStrategy" to manual?
If so, could you hopefully provide a list / set / example of these options, and what they should look like?
Thank you for your time.
Regards,
--
Jan iankko Lieskovsky
P.S.: If someone is wondering, I am not only asking, but actually tried the settings in [*], but they don't seem to be working for me. Thus I am actually wondering if I have an issue in my setup or the "migrationStrategy" options are not expected to be working via -D options (yet)? (Seeking the developers' confirmation that this is actually the case, in the latter case.)
[1] https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/...
8 years, 11 months
Group Level Roles Not Honored by Policy Evaluation Tool
by Jeremy Majors
I have set up my users to have the 'read' role by associating that role with a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
Thanks in advance,
Jeremy
8 years, 11 months
Authorization Evaluation tool and how to merge PR in lower branch
by Teodor Haret
Hello !
First of all, congratulations on a nice product and keep up the good work !
We are using KC v2.5.5.Final and we encountered an issue with the Evaluation tool on RBAC, which seems to have been already fixed in the latest version - I tested on the master branch. At a first look, the issue seems to have been already fixed under KEYCLOAK-4652.
Our issue in a few details is:
- if we evaluate against a user which was granted a given realm role (ROLE1) directly, the result is 'Permit'; this is expected behavior.
- if we evaluate against another user which inherits the same realm role (ROLE1) indirectly, due to belonging to a group, the evaluation result is 'Deny'.
I would need your advice on:
- supposing 'KEYCLOAK-4652' is the one that also fixes my issue, what would the procedure be to ask for this fix to be merged down to 2.5.5.Final as well?
- generically speaking, is there any scenario where I should open a separate issue on 2.5.5.Final (e.g. cases where the fix from 'KEYCLOAK-4652' is generic/complex and we want only a sub-part of it, etc.)?
Thank you,
Teo
8 years, 11 months
Recurrent unexpected UPDATE_PASSWORD required action (AD related?)
by Adrian Matei
Hi guys,
Some users unexpectedly get the UPDATE_PASSWORD required action. The funny thing is, this happens even if this is disabled in Realm > Authentication > Required Actions > Update Password (OFF) (BUT entries still get generated in the USER_REQUIRED_ACTION table).
I presume this happens when the sync with Active Directory happens, even when no users are imported... (No special config there)
We had this issue with version 1.7.0.Final, but it still persists after the migration to version 2.5.1.Final.
Does anyone experience the same issue or can advise on this? Thanks.
Best regards,
Adrian
8 years, 11 months