May 2017 - keycloak-user - Jboss List Archives

No state cookie returned from the keycloak adapter

by Sarp Kaya

Hello, A use case I have noticed is: 1) User tries to use the web application. Say http://www.app.com 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 3) Before logging in, user bookmarks this page. 4) User logs in and then gets redirected to http://www.app.com 5) All works fine up till now Now user logs out, closes browser etc. Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth…) 1) User sees a login page 2) User logs in 3) User gets redirected to http://www.app.com?state=… 4) At this point this below code: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... is executed and user sees a 400 page due not having OAuth_Token_Request_State . So far you can argue that, well we didn’t want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is: 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 6) Keycloak sees that user is already logged in so redirects back to the same page 7) User now can see http://www.app.com<http://www.app.com/> due to the OAuth_Token_Request_State created in step 5 So to me it seems like this check is obsolete, however I’m curious whether this has a user case or prevents anything. If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re issue OAuth_Token_Request_State ) instead of showing 400 page. Thanks, Sarp

5 years, 10 months

3
2
0 / 0

JS adapter constantly refreshing page

by sesnor.silva＠sapo.pt

Hello, I'm trying to integrate keycloak's JS adapater into an application. However for some reason the page keeps refreshing (every 5 seconds or so?) after successfully logging in. I managed to reproduce the problem with the following minimal code:  <!DOCTYPE html> <html> <head> <title></title> </head> <body> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script> <script type="text/javascript" src="<MY KEYCLOAK SERVER>/auth/js/keycloak.js"></script> <script type="text/javascript"> angular.element(document).ready(function() { var keycloakAuth = Keycloak('keycloak.json'); keycloakAuth.init({ onLoad: 'login-required' }).success(function(authenticated) { keycloakAuth.loadUserInfo().success(function (userInfo) { console.log(userInfo) }); }).error(function() { var error = "There was an error initializing the authentication module."; console.error(error); }); }); </script> </body> </html> I tried searching around but I didn't find too many answers. I tried to base my implementation around: https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl... and https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a... But I get the same behavior every time: The page just keeps refreshing. It seems to be related to blocking third-party cookies on the browser. I use Firefox 53. Since my Keycloak isn't on the same host as the application, I think the browser rejects the keycloak's cookies. If this is the case, what could be a workaround for this? Is there any option on the adapter's side? I'm worried some browser might block third-party cookies by default (Opera and Brave Browser come to mind). Thank you, My best regards, Silva

5 years, 11 months

3
2
0 / 0

Credential Representation TOTP example

by Maximiliano

I'm trying to add a TOTP for an user with Admin Client API. Someone has an CredentialRepresentation setup for TOTP? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-e... Sent from the keycloak-user mailing list archive at Nabble.com.

5 years, 11 months

2
6
0 / 0

Force token refresh with the Spring Security adapter

by Aritz Maeztu

I'm using keycloak in a java client, configured with the Spring Security adapter. I've got a custom mapper in my keycloak configuration, so when the access token is refreshed, keycloak accesses an endpoint to retrieve some user permissions and they're stored in the token itself. Later on, my client application checks the token without having to perform the access to the permission endpoint itself (increased performance). However, when an admin user changes his own permissions, I would like the keycloak adapter to refresh the token after the permissions are stored, this way the admin user is not required to have its token refreshed or to re-login to load his new permissions. Is there a way to achieve it? Some kind of operation to refresh current session's token? -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

6 years, 2 months

2
2
0 / 0

programmatic authentication flow

by Steve Favez

Hi all, I'd like to implement the following use case. I need a Browser authentication flow that will add, after User / Password Form Authenticator, a kind of "access rules" authenticator, that will, according to some request parameters, (for example, ip address, or application) will add dynamically a second factor authenticator in the flow. (Like OTP or SMS). Furthermore, I'd like to be able to provide a choice of 2FA systems to the end user (For example, we provide a set of second factory, and the end user can choose the one he'd like to use). So, if some "strong authentication" criteria are matched during browser authentication process, after providing user and password, user will get a form allowing him to choose the second factory system he'd like to use to authenticate. My goal is to be able to reuse existing authenticator. (So, not to write a big 2fa authenticator with all authenticators duplicated inside). Thanks in advance for your valuable input Cheers St

6 years, 2 months

3
2
0 / 0

Using Keycloak with Microsoft Azure Active Directory

by Reed Lewis

I am attempting to use Microsoft Azure Active Directory with Keycloak. It is not working correctly. Here is how I have it configured: OpenID Connect V1.0 Enabled: On Store Tokens: On Store Tokens Readable: On Trust Email: On Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize Token URL: https://login.microsoftonline.com/common/oauth2/token Logout URL: <none> Backchannel Logout: Off User Info URL: <blank> First Login Flow: First Broker Login It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it either only has the first and last name, but no email address. Is there something I have configured incorrectly? I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory. Thank you, Reed Lewis

6 years, 3 months

4
4
0 / 0

KeyCloak pose no login challenge

by shimin q

I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https://<my server ip>/rtna2, it went straight to the the web app. 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/2 - rtna2 app is deployed under tomcat webapps/3 - modify rtna2/META-INF/context.xml: <?xml version="1.0" encoding="UTF-8"?><Context path="/rtna2" debug="0" privileged="true" > <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/></Context>4 - add keycloak.json under rtna2/WEB-INF: { "realm": "rtna", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": "external", "resource": "rtna2", "public-client": true} 5. modify rtna2/WEB-INF/web.xml: <?xml version="1.0" encoding="UTF-8"?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" > <module-name>rtna2</module-name><welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>rtna2</web-resource-name> <url-pattern>/rtna2/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>rtna</realm-name> </login-config> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>user</role-name> </security-role> <security-role> <role-name>sudo</role-name> </security-role></web-app> I have tried "<auth-method>KEYCLOAK</auth-method>" also, does not work 6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm: client id: rtna2Access type: public (tried "confidential" also)Authorization enabled: on ("off" also)Root URL: https://135.112.180.27/rtna2Valid Redirect URLs: https://135.112.180.27/rtna2/*Base URL: https://135.112.180.27/rtna2Admin URL: https://135.112.180.27/rtna2Web Origins: https://135.112.180.27/rtna2/* I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge! What could possibly be wrong? Please advise! Thanks!!

6 years, 5 months

4
12
0 / 0

Fwd: Error when session expired and ajax request execute in Keycloak?

by Adam Daduev

After login, i get in my app, and for all my ajax request from page to backing bean, i receive response 401 even if the session is still alive. If removed autodetect-bearer-only option, all work fine, but going back to the old error. XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ realms/azovstal/protocol/openid-connect/auth?…ml&state= 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. ---------- Forwarded message --------- From: Adam Daduev <daduev.ad(a)gmail.com> Date: вт, 10 янв. 2017 г. в 14:08 Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak? To: <stian(a)redhat.com> I tried, but does not work. Firstly, i add autodetect-bearer-only option via adapter subsystem, wildfly not started, he not know autodetect-bearer-only option, then, i added via json, wildfly started and app was deployed. Secondly, on my ajax request to backing bean, i receive response 401 and does not happend. This is my keycloak.json { "realm": "azovstal", "auth-server-url": "http://dc09-apps-06:8090/auth", "ssl-required": "none", "resource": "web-test", "public-client": true, "use-resource-role-mappings": true, "autodetect-bearer-only": true } вт, 10 янв. 2017 г. в 10:19, <daduev.ad(a)gmail.com>: Ok, I try, thanks. 10 янв. 2017 г., в 07:07, Stian Thorgersen <sthorger(a)redhat.com> написал(а): In that case take a look at the new autodetect-bearer-only option. You'll need 2.5.0.Final for that. On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote: No, I have jsf 2 app with richfaces framework, which deploy on wildfly 10.1. 9 янв. 2017 г., в 14:51, Stian Thorgersen <sthorger(a)redhat.com> написал(а): [Adding list back] A web app redirects the user to a login page if not authenticated, while a service should return a 401. It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services a bearer-only client. On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote: Thanks for the answer. Yes i have confidential client, i have web application, that asks Keycloak server to authenticate a user for them. As I understand, bearer-only is for web services clients. I probably something do not understand? 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>: Looks like your services are configured as confidential clients rather than bearer-only and hence is sending a login request back rather than a 401. You should either swap your service war to be a bearer-only client or use the new autodetect-bearer-only option in adapters if you have both web pages and services in the same war. On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote: Hi, can you help me! When session expired and ajax request execute in Keycloak, i have error in browser console: XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ realms/azovstal/protocol/openid-connect/auth?…ml&state= 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. I add in Keycloak admin console, in the client setting, Web Origins= http://localhost:8080 (or *), and enabled cors in app, but still has error in console. I used Keycloak 2.5.0 _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

6 years, 5 months

3
5
0 / 0

Keycloak Java adapter & ADFS

by Cat Mucius

Good day, I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft ADFS (on IdP side). As I understood from this article [1], ADFS expects to receive <KeyInfo> element in <Signature> of SAMLRequest in specific format: "Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate." But the Java adapter sends <KeyInfo> in another format – the <KeyValue> format [2]: <dsig:KeyInfo> <dsig:KeyValue> <dsig:RSAKeyValue> <dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus> <dsig:Exponent>AQAB</dsig:Exponent> </dsig:RSAKeyValue> </dsig:KeyValue> </dsig:KeyInfo> So I have two questions: a. Is it really a problem? Has anyone used the Java adapter successfully to authenticate against ADFS? b. If it is, is there a way to instruct the adapter to send <KeyInfo> in some another format? Thanks, Mucius. Links: [1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html [2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html

6 years, 5 months

2
1
0 / 0

Browser tries to store the username "This is not a login form" after updating a temporary password

by Gregoire Jeanmart

Hello, One of my users raised an issue after he has been asked to change his password [action: Update password]. The browser asked him to store a couple username/password equals to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly. Is there a way to fix this issue ? Information: - Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL - Browser: Google Chrome and Mozilla Firefox - Similar issue: https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-... Thanks in advance. Gregoire Jeanmart

6 years, 6 months

6
9
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2017