running multiple instances without clustering
by Sam Davis
Hi,
I understand that Keycloak supports clustering, but I am wondering if it is
possible to run multiple instances of Keycloak using the same configuration
database *without* using clustering, i.e. using the standalone
<https://keycloak.gitbooks.io/documentation/server_installation/topics/ope...>
operating mode.
It looks like the only difference between this and using the standalone
clustered mode is that the caches will not be synchronized between the
instances. I understand that it could cause some weird behaviour with user
sessions (e.g. a user logs out on one instance but is still logged in on
another, or vice versa). Would it cause any more serious problems (e.g.
corrupt configuration database) or create security vulnerabilities?
The use case is that my application bundles Keycloak and the application
and Keycloak run on the same server. If the server goes down, another
instance of the application on another server will take over, and that
instance will redirect users to another keycloak instance running on that
server. So I don't really need clustering, since normally only a single
Keycloak instance will actually be used at a time and will only be used by
a single application.
Thanks,
Sam
6 years, 10 months
Implementing Keycloak on Android
by Raquel Júdez Bello
Hi everyone,
I am having trouble finding libraries to implement a Keycloak client for
Android.
So far, I have found AppAuth and Androgear in keycloak.org, but I am not
convinced about their simplicity.
Has anyone implemented a simple client for Android?
Thank you very much.
--
Raquel Júdez.
6 years, 11 months
Key Rotation for SAML client
by Muein Muzamil
Hi all,
We have a business use case, where we'll have a realm with 50+ SAML clients
configured and we want to update the SAML key for the realm (either for
security reason or the certificate got expired),
I was reading following section but it seems mostly focused on OIDC.Can
someone please share how does KeyCloak handle this for SAML? Important
thing to realize is, we cannot imagine our customer to update realm
certificate in all 50+ service providers at the same time.
https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/key...
Regards,
Muein
6 years, 11 months
Questions about OpenID Connect Identity Provider
by Christie, Marcus Aaron
Hello,
I have two questions about Identity Provider configuration in Keycloak.
1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen?
2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let’s say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to keycloak like so:
https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?r...
and then mykeycloak.org<http://mykeycloak.org> immediately redirects to Google. For the user they don’t see the Keycloak page.
Is there any functionality like the in Keycloak?
Thanks,
Marcus
6 years, 11 months
How does a bearer only client validate
by Pulkit Gupta
Hi All,
I have two keycloak client one is a public client using implicit flow and
authenticating the user via a redirect and then once the user is
authenticate the client receives a token.
This token is then passed to a REST based backend service which validate it
before providing access to the API data.
I am looking for more information on how does a bearer only client
validates the token which it receives from the JavaScript based public
client. I will also be interested to understand more about the relationship
of these two clients based on scope to make this setup work
--
PULKIT
6 years, 11 months
IdP Initiated Login Redirects To Required Actions NULL
by Marcin Miklasz
Problem seems to be triggered in
AuthenticationProcessor.redirectToRequiredActions()
There is the following comment in the code:
public static Response redirectToRequiredActions(KeycloakSession
session, RealmModel realm, ClientSessionModel clientSession, UriInfo
uriInfo) {
// redirect to non-action url so browser refresh button works
without reposting past data
but with Idp Initiated login to the broker, browser response is
No webpage was found for the web address:
https://<broker-root>/auth/realms/<realm name>/login-actions/null
HTTP ERROR 404
Please advise what is causing this issue?
Using Keycloak version 2.5.1 configured as below:
1. SAML client with IDP Initiated SSO URL specified in Keycloak Broker
instance
2. SAML Identity Provider setup: First Login Flow: First Broker Login,
Post Login Flow: Blank
3. Keycloak Broker metadata configured in external IdP
4. External Idp initiated login results in user created correctly in the
broker, SAML attribute mappers work but post broker login redirect
completes with
5.
No webpage was found for the web address:
https://<broker-root>/auth/realms/<realm name>/login-actions/null
HTTP ERROR 404
6 years, 11 months
Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
by cen
Hello
I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
The unfortunate soul did not get a single reply in 2015, hopefully I
have better luck. I will try to provide as much info as reuested just to
get to the bottom of this.
Setup:
- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup
config cli:
embed-server --std-out=echo
batch
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
run-batch
stop-embedded-server
- KC adapter jetty 9.3
- keycloak.json configured via env vars
- kc and api running in seperate docker containers on same server
{
"realm": "${env.KC_REALM}",
"auth-server-url": "${env.KC_BASE_URL}",
"ssl-required": "${env.KC_SSL_REQUIRED}",
"resource": "${env.KC_RESOURCE}",
"public-client": true
}
Docker ENV form my API service:
KC_BASE_URL=https://mykeycloak.domain/auth
KC_RESOURCE=myapp-api
KC_REALM=myrealm
KC_SSL_REQUIRED=external
When I call a protected API this is logged by adapter:
api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest
http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is
required to authenticate. Remote address <server ip> is secure: false,
SSL required for: EXTERNAL .
Why does it try to connect via IP and not over https? I clearly
specified KC_BASE_URL as HTTPS. And why is REST call logged as http even
tho I call it via https? I also parsed the access token and issuer is
from https, no trace of any IPs or http anywhere.
And now the worst thing: when this WARN happens, adapter returns blank
200! You'd expect at least internal server error or something along the
lines. . I lost 9 hours today blaming everything from nginx to my REST
API just to finally come down to this.
Setting SSL config to none in admin panel and in adapter env makes the
whole thing work. But this is clearly not the solution.
Hopefully some expert can shed some light on this.
Best regards, cen
6 years, 11 months
Securing Angular + REST based app using keycloak OIDC
by Pulkit Gupta
Hi All,
We are looking to integrate an application with Keycloak.
It is an Angular + REST application in which the REST services are
developed in Java and are running on EAP 6.
>From my reading I can figure out that we should secure both the front end
and the back end separately.
The Angular front-end can be secured using JavaScript adapter which will
check if a user has access token and in case not it will redirect it to
Keycloak. Once the user acquires an access token , it send the same token
to the REST services. We can configure REST service as a bearer only client
which will check for the validity of the token against Keycloak and return
the business data. We can use EAP 6 OIDC java adapter for Keycloak to
secure the REST part.
However their is one limitation that our setup only supports implicit flow.
I am sure with Implicit flow we can achieve the angular side of the
authentication. However I am not sure if we can make use of the Java OIDC
adapter to actually validate and secure our rest APIs.
Can you please guide me in case this is achievable with implicit flow.
Regards,
Pulkit
6 years, 11 months
How to configure Keycloak Admin Client to only access a specific Realm?
by Celso Agra
Hi all,
I'm trying to configure keycloak to manage users in a specific realm. Here
is my code:
*Keycloak kc = KeycloakBuilder.builder()*
* .serverUrl("http://localhost:8080/auth <http://localhost:8080/auth>")*
* .realm("realm1").username("user")*
* .password("secret")*
* .clientId("admin-cli")*
* .resteasyClient(new
ResteasyClientBuilder().connectionPoolSize(10).build()*
* ).build();*
*RealmResource realmResource = kc.realm("realm1");*
*UsersResource userRessource = realmResource.users();*
*System.out.println("Count: " + userRessource.count());*
When I run this code, I'm getting this error:
*javax.ws.rs.BadRequestException: HTTP 400 Bad Request*
* at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:212)*
* at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:189)*
* at
org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)*
* at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)*
* at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)*
* at com.sun.proxy.$Proxy32.grantToken(Unknown Source)*
* at
org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)*
* at
org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)*
* at
org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)*
* at
org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)*
* at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)*
* at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)*
* at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)*
* at com.sun.proxy.$Proxy40.count(Unknown Source)*
* at
pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:72)*
* at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)*
* at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)*
* at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)*
* at java.lang.reflect.Method.invoke(Unknown Source)*
* at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)*
* at
org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)*
* at
org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)*
* at
org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)*
* at
org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)*
* at
org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)*
* at
org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)*
* at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)*
* at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)*
* at
org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)*
* at
org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)*
* at
org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)*
* at
org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)*
* at
org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)*
* at
org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)*
* at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)*
* at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)*
* at
org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)*
* at
org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)*
* at *
* ...*
But when I change the realm to "master", such as:
*Keycloak kc = KeycloakBuilder.builder()*
* .serverUrl("http://localhost:8080/auth <http://localhost:8080/auth>")*
* .realm("master").username("admin")*
* .password("admin123!")*
* .clientId("admin-cli")*
* .resteasyClient(new
ResteasyClientBuilder().connectionPoolSize(10).build()*
* ).build();*
*RealmResource realmResource = kc.realm("realm1");*
*UsersResource userRessource = realmResource.users();*
*System.out.println("Count: " + userRessource.count());*
The code works fine.
I'd like to know if the admin user in the master realm is the only way to
add users using the keycloak Admin Client.
Is anybody get this same issue?
Best Regards
--
---
*Celso Agra*
6 years, 11 months
