June 2017 - keycloak-user - Jboss List Archives

Organization Based Accounts and Permissions

by Charles Henck

Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin

7 years, 5 months

6
19
0 / 0

LDAP user group membership not syncing

by Luiz Carlos

Hi everyone I'm trying to sync the LDAP groups into Keycloak but it doesn't update the membership if I add or remove it from a group in LDAP. I was able to sync the groups and its users into Keycloak correctly if those wasn't provisioned before. For example, if the user already exists in Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also provisioned from LDAP), the user in Keycloak continues to being a member of the group in the Groups tab of user's details screen and in client's group mappers. However, if I open the Members tab of group's details screen the user was removed from the group. Is there any way to solve this problem? Because of my company policy I can't use Keycloak to manage the groups. I'm using Keycloak 2.5.1. Thanks for the help -- Luiz Carlos

7 years, 5 months

3
2
0 / 0

user storage ldap or keycloak

by Istvan Orban

Dear Keycloak users. I am very new to keycloak and I really like it. it is great. I am currently migrating a legacy app ( using it's own user management ) to support SSO. I have set-up keycloak with openid connect and it works very well. At this point we need to decide if we will use keycloak as our main user store or we will set-up an LDAP. My question is that. Is keycloak designed in a way that it can fullfil all the responsibilities of the main user store? Any risk with this at all? ps: our userbase is small and at this point I am not sure if we want to add ldap just for this. -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *

7 years, 5 months

3
2
0 / 0

Keycloak & Okta

by John D. Ament

Hi Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage I suspect its a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck. John

7 years, 9 months

3
6
0 / 0

Additional attributes for an authorization request

by Scott Elliott

Would therebe any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.

7 years, 10 months

3
5
0 / 0

Best setup to extend Keycloak

by Francis Zabala

Hello, What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly? Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification. Regards,Francis

8 years

1
1
0 / 0

How to stop the keycloak server from standalone sh

by Aritz Maeztu

Hello, I'm running a keycloak instance from a docker image, so when I start the container everything is up an running. Now I want to export the realms and users to deploy it in production and I've got two chances: 1- Copy the values from the mysql database (I'm using the keycloak-mysql image). 2- Run the standalone.sh export command. I would like to go the second way, but I'm into trouble since the widlfly server is launched with the docker container altogether. I can browse in to it for the standalone.sh script, but still haven't found a way to stop it (as the server is launched I get a "Address already in use" error when I try to perform the export while the server is running). Any ideas? Thanks in advance -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

8 years, 1 month

4
4
0 / 0

Offline tokens with external IDP

by Haim Vana

Hi, We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token: 1. The user log in to the UI 2. Generates offline token by entering his password again 3. Put the offline token in his script 4. Executes the script Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ? Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ? Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

8 years, 1 month

3
6
0 / 0

User impersonation - JWT

by Harry Trinta

Dears, I need a help with user impersonation on keycloak. I am authenticating users through the "/realms/test/protocol/openid-connect/token". As expected, it returns a token JWT. In my app, all requests go through apiman, which validates the JWT. Now, I need to personification of user. I'm calling the service "/admin/realms/test/users/USER_ID/impersonation", sending the token in the header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...). The service /impersonation creates the user session on keycloak, however doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified user instead of cookie.* It's possible? Best regards Harry Costa

8 years, 1 month

3
4
0 / 0

Refreshing Tokens

by Christopher Davies

I adding keycloak into a legacy application that uses GWT and Jetty. I have managed to get add Keycloak application using Spring-security. Because this is GWT I am doing the authorisation in the application myself. Sping just provides a way to get access to the KeycloakSecurityContext. The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly. I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed. Thanks Chris

8 years, 2 months

3
5
0 / 0

No state cookie returned from the keycloak adapter

by Sarp Kaya

Hello, A use case I have noticed is: 1) User tries to use the web application. Say http://www.app.com 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 3) Before logging in, user bookmarks this page. 4) User logs in and then gets redirected to http://www.app.com 5) All works fine up till now Now user logs out, closes browser etc. Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth…) 1) User sees a login page 2) User logs in 3) User gets redirected to http://www.app.com?state=… 4) At this point this below code: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... is executed and user sees a 400 page due not having OAuth_Token_Request_State . So far you can argue that, well we didn’t want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is: 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 6) Keycloak sees that user is already logged in so redirects back to the same page 7) User now can see http://www.app.com<http://www.app.com/> due to the OAuth_Token_Request_State created in step 5 So to me it seems like this check is obsolete, however I’m curious whether this has a user case or prevents anything. If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re issue OAuth_Token_Request_State ) instead of showing 400 page. Thanks, Sarp

8 years, 2 months

3
2
0 / 0

JS adapter constantly refreshing page

by sesnor.silva＠sapo.pt

Hello, I'm trying to integrate keycloak's JS adapater into an application. However for some reason the page keeps refreshing (every 5 seconds or so?) after successfully logging in. I managed to reproduce the problem with the following minimal code:  <!DOCTYPE html> <html> <head> <title></title> </head> <body> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script> <script type="text/javascript" src="<MY KEYCLOAK SERVER>/auth/js/keycloak.js"></script> <script type="text/javascript"> angular.element(document).ready(function() { var keycloakAuth = Keycloak('keycloak.json'); keycloakAuth.init({ onLoad: 'login-required' }).success(function(authenticated) { keycloakAuth.loadUserInfo().success(function (userInfo) { console.log(userInfo) }); }).error(function() { var error = "There was an error initializing the authentication module."; console.error(error); }); }); </script> </body> </html> I tried searching around but I didn't find too many answers. I tried to base my implementation around: https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl... and https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a... But I get the same behavior every time: The page just keeps refreshing. It seems to be related to blocking third-party cookies on the browser. I use Firefox 53. Since my Keycloak isn't on the same host as the application, I think the browser rejects the keycloak's cookies. If this is the case, what could be a workaround for this? Is there any option on the adapter's side? I'm worried some browser might block third-party cookies by default (Opera and Brave Browser come to mind). Thank you, My best regards, Silva

8 years, 3 months

3
2
0 / 0

How to display user information from keycloak SAML adapter assertions/session?

by ken edward

Hello, I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp. I created a simple web app with a protected /saml directory. It seems to work. BUT how can I display the logged in user information after the user is authenticated? org.keycloak.adapters.saml.SamlSession : org.keycloak.adapters.saml.SamlSession@13a50bc9 Ken

8 years, 3 months

3
4
0 / 0

Credential Representation TOTP example

by Maximiliano

I'm trying to add a TOTP for an user with Admin Client API. Someone has an CredentialRepresentation setup for TOTP? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-e... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 3 months

2
6
0 / 0

Force token refresh with the Spring Security adapter

by Aritz Maeztu

I'm using keycloak in a java client, configured with the Spring Security adapter. I've got a custom mapper in my keycloak configuration, so when the access token is refreshed, keycloak accesses an endpoint to retrieve some user permissions and they're stored in the token itself. Later on, my client application checks the token without having to perform the access to the permission endpoint itself (increased performance). However, when an admin user changes his own permissions, I would like the keycloak adapter to refresh the token after the permissions are stored, this way the admin user is not required to have its token refreshed or to re-login to load his new permissions. Is there a way to achieve it? Some kind of operation to refresh current session's token? -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

8 years, 6 months

2
2
0 / 0

programmatic authentication flow

by Steve Favez

Hi all, I'd like to implement the following use case. I need a Browser authentication flow that will add, after User / Password Form Authenticator, a kind of "access rules" authenticator, that will, according to some request parameters, (for example, ip address, or application) will add dynamically a second factor authenticator in the flow. (Like OTP or SMS). Furthermore, I'd like to be able to provide a choice of 2FA systems to the end user (For example, we provide a set of second factory, and the end user can choose the one he'd like to use). So, if some "strong authentication" criteria are matched during browser authentication process, after providing user and password, user will get a form allowing him to choose the second factory system he'd like to use to authenticate. My goal is to be able to reuse existing authenticator. (So, not to write a big 2fa authenticator with all authenticators duplicated inside). Thanks in advance for your valuable input Cheers St

8 years, 7 months

3
2
0 / 0

Upgrading from Red Hat SSO 7.0 to Keycloak 3.1

by Marcelo Nardelli

Hi, At work, we have an installation of Red Hat SSO 7.0 and we were going to upgrade it to version 7.1. However, I was told that the our Red Hat subscription won't be renewed, so now we want to upgrade to the last Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported? I've been trying to follow the instructions on the documentation ( https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...), but it's not working. Specifically, when I try to run the migration script (after copying the old standalone.xml and the keycloak-server.json file) jboss-cli.sh --file=migrate-standalone.cli I get this error: Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. I suppose the Keycloak version used in SSO 7.0 is too old and I will have to do some manual work here, but I wanted to know if there is some specific advice for this case... Thanks, Marcelo Nardelli

8 years, 7 months

2
2
0 / 0

Using Keycloak with Microsoft Azure Active Directory

by Reed Lewis

I am attempting to use Microsoft Azure Active Directory with Keycloak. It is not working correctly. Here is how I have it configured: OpenID Connect V1.0 Enabled: On Store Tokens: On Store Tokens Readable: On Trust Email: On Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize Token URL: https://login.microsoftonline.com/common/oauth2/token Logout URL: <none> Backchannel Logout: Off User Info URL: <blank> First Login Flow: First Broker Login It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it either only has the first and last name, but no email address. Is there something I have configured incorrectly? I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory. Thank you, Reed Lewis

8 years, 7 months

4
4
0 / 0

by Federico Navarro Polo - Info.nl

Hello, I’m facing currently a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all). From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import: { "realm": "test", "users": [ { "createdTimestamp" : 1476191007295, "username" : "somebody(a)somewhere.com", "enabled" : true, "totp" : false, "emailVerified" : true, "firstName" : "Test", "lastName" : "Test", "email" : "somebody(a)somewhere.com", "credentials" : [ ], "disableableCredentialTypes" : [ ], "requiredActions" : [ ], "federatedIdentities" : [ { "identityProvider" : "facebook", "userId" : "0123456789", "userName" : "somebody(a)somewhere.com", } ], "realmRoles" : [ "offline_access", "uma_authorization" ], "clientRoles" : { "account" : [ "manage-account", "view-profile" ] } } ] } , which imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the “Account linking” screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration. I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can’t figure out what is it. Is there any possible way to avoid the account linking step? Met vriendelijke groet, Federico Navarro backend developer federico(a)info.nl<mailto:federico@info.nl> | LinkedIn<https://www.linkedin.com/company/info-nl> | +31 (0)2 05 30 91 61<tel:+31205309161> info.nl<http://www.info.nl/> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100<tel:+31205309100>

8 years, 8 months

2
2
0 / 0

Fwd: CORS's problem with JavaScript's library

by Sebastien Blanc

(forgot including user list) Are you using keycloak-auth-utils on your frontend application ? Why not the JavaScript library ? Also have you configured the "Web Origins" field of your client in the Keycloak Web Console ? On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler <K.Buler(a)adbglobal.com> wrote: > Hi Everyone, > > We have problem with CORS. We are using this lib: > https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript > application. > > When we try to get AccessToken we are getting this message: > > Fetch API cannot load http://<keycloak_address>/auth > /realms/master/protocol/openid-connect/token. Request header field > x-client is not allowed by Access-Control-Allow-Headers in preflight > response. > > We tried to modify CORS headers in standalone.xml file of Keycloak's > server, but we found that CORS headers are hardcoded and added "in air". > > Best regards, > Karol Buler > > [https://www.adbglobal.com/wp-content/uploads/adb.png] > connecting lives > connecting worlds > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

8 years, 9 months

3
3
0 / 0

ProviderFactory::postInit + transactions = startup failure

by Dmitry Telegin

Hi, (TL;DR) if a KeycloakTransaction is opened from ProviderFactory::postInit, sometimes the transaction is already active on the underlying org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads to errors. (full version) I think it's essential for the providers to be able to access realm data in postInit(). For that, a transaction is required; using KeycloakModelUtils.runJobInTransaction() is a convenient method to do that: @Override public void postInit(KeycloakSessionFactory factory) { KeycloakModelUtils.runJobInTransaction(factory, (KeycloakSession session) -> { List<RealmModel> realms = session.realms().getRealms(); // do stuff }); } When such a provider is deployed, in about half of cases Keycloak fails to start due to the following exception: java.sql.SQLException: IJ031017: You cannot set autocommit during a managed transaction (see full stacktrace here https://pastebin.com/ETtPqXQk) I've managed to track it down to something that looks like transaction clash over a single instance of org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What happens is that the two treads at the same time begin two KeycloakTransactions which end up with the same instance of LocalManagedConnection. The above exception results from the second begin() call. There's a system property called "ironjacamar.jdbc.ignoreautocommit" that allows to ignore the situation, but I think it's dangerous because it doesn't eliminate the transaction clash, just suppresses the check. If I'm not mistaken, this began to happen around Keycloak 2.2.x, which coincides with the changes to Keycloak transaction management. That said, do I need now some additional transaction coordination with the rest of Keycloak, or is it a bug? If former, how do I do that? If latter, how do we fix it? I hope we'll sort it out, since the ability to access the data at every phase of provider's lifecycle seems something fundamental to me. Regards, Dmitry

8 years, 9 months

3
8
0 / 0

Keycloak offline token

by Sherminator Kasuga

I have a web app (called A) that is using Keycloak to login in. There is another external web app (called B) that uses an own system as login. Now I need to create a link between A to B that automatic logins into web app B without keycloak login form (auto-login). How can i reproduce this behavior? I have user and a password for B , and i am thinking to use an offline token could help me with this objective. username=bburke&password=geheim&grant_type=password&scope=offline_access Saving into the database of A the offline token at the first time that i use the link and then using this offline token for the next. could it be possible? my idea is something like: If database.offlinetoken = empty LINK_TO_GENERATE_OFFLINE_TOKEN --- save this token into db after login in B else LINK_USING_OFFLINETOKEN endif Do you have any example about how to build above links? Thanks in advance :)

8 years, 9 months

2
1
0 / 0

ProviderFactory::postInit not called with hot deployment

by Dmitry Telegin

Hi, Seems like o.k.provider.ProviderFactory::postInit() is called only upon server startup, no matter which way the provider has been deployed, as a module or via the deployments dir. However, if the provider is hot (re)deployed on the running server, the method is not called. (ProviderFactory::init() is called always, but it's insufficient for most init phase tasks since normally a KeycloakSessionFactory instance is required.) Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() doesn't contain mentions of postInit, contrary to DefaultKeycloakSessionFactory::init(). Seems like a bug to me, OK to file JIRA issue and PR? Regards, Dmitry

8 years, 9 months

2
2
0 / 0

Okta as IdP, Keycloak as SP, end-app is node.js w/openid-connect

by Eric Malenfant

So, I’m trying to figure this one out, see if it’s possible. Maybe I’m just not using the right re-directs.. Anyways, keycloak is version 3.0.0, on centos 7.3.1611 I’ve got my App able to use Okta from app -> keycloak -> okta – but the customer has a requirement to use the Okta portal, click on the app, and be auto-logged in (after account creation). What I am not seeing, or understanding perhaps, is which URL I should be using to redirect for SSO from Okta -> go through keycloak then onto my App. Is this even possible? Thanks in advance. Eric

8 years, 9 months

1
0
0 / 0

Re: [keycloak-user] Keycloak relations between resources in a system

by Kirill Liubun

Thank you for your answer. Mapping company as the realm is a good idea I thought about this too but it has a big disadvantage for my case. I forgot to note that device can change a company and if I made the company as a realm, it will complicate the way of transferring the device from one company to another. Also, as far as I know, I can specify in keycloak adapter only one realm thus I need to create separate resource server per company instead of storing all data in one. It makes my architecture more tangled and harder to implement future features those require executing operations in more than one company. What do you suggest to do in such case? Also, I want to ask one more question: Can keycloak's javascript-based policy call API of remote service? I need this because relations in my system can become much complex (will be added companies' departments and subdepartments, a device can be into two or more departments at the same time). And as far as I know, keycloak don't allow to implement sophisticated *hierarchical (network) relation model *among system's resources. So, I decided to create separate *mapping server* that would know all those relations and keycloak policies would call one to figure out to grant or deny access to the resources. On Fri, Jun 30, 2017 at 6:46 PM, Kirill Liubun <igneuslynx(a)gmail.com> wrote: > Thank you for your answer. Mapping company as the realm is a good idea I > thought about this too but it has a big disadvantage for my case. > I forgot to note that device can change a company and if I made the > company as a realm, it will complicate the way of transferring the device > from one company to another. Also, as far as I know, I can specify in > keycloak adapter only one realm thus I need to create separate resource > server per company instead of storing all data in one. It makes my > architecture more tangled and harder to implement future features those > require executing operations in more than one company. > What do you suggest to do in such case? > Also, I want to ask one more question: Can keycloak's javascript-based > policy call API of remote service? I need this because relations in my > system can become much complex (will be added companies' departments and > subdepartments, a device can be into two or more departments at the same > time). And as far as I know, keycloak don't allow to implement > sophisticated *hierarchical (network) relation model *among system's > resources. So, I decided to create separate *mapping server* that would > know all those relations and keycloak policies would call one to figure out > to grant or deny access to the resources. > > > On Fri, Jun 30, 2017 at 2:27 PM, Pedro Igor Silva <psilva(a)redhat.com> > wrote: > >> Hello ... >> >> On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx(a)gmail.com> >> wrote: >> >>> Hi there, >>> >>> >>> I am new to keycloak and try to use it as auth server in my solution. >>> >>> I have next entity's model: the *devices* are owned by a particular >>> *company* to which belongs some *users*. A user with role *admin* can >>> grant >>> permission for viewing some set of devices to a regular user but only >>> those >>> devices that belong to admin's company. Thus all users except admins can >>> view the only subset of all devices in the company. Based on >>> requirements I >>> decided to make a company as *group* and devices as keycloak's >>> *resources*. >>> To evaluating permissions I chose *rule-based policy*. The problem is I >>> ran >>> into next question about hot to implement other relations and business >>> rules: >>> >>> 1. >>> >>> Can I set the group as an owner of the resource to check this relation >>> in policy? >>> >> >> You can't. Right the owner should be an user (or service account). But I >> think groups should also be included in the list if supported owners >> though. I think that would help you to address your requirement [1]. >> >> In fact, maybe we should allow anything as the owner. I think we had some >> discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135. >> >> [1] https://issues.jboss.org/browse/JBEAP-11377 >> >> >>> 2. >>> >>> Which mechanism better to use in my case to grant view permission on a >>> particular device to a regular user? >>> >>> If someone is more experienced in keycloak and knows how to better >>> represent such model, please help. >>> >>> Thank you in advance. >>> >>> *P.S.* >>> >>> For the second question I have two solutions: >>> >>> - Create on each device new role which name consists of *device's >>> name* + >>> word *view* (This solution has big disadvantage because If user has >>> over >>> 1000 devices the *Permission Ticket* will be very huge) >>> - Represent mapping between user and device via scope -- when you >>> admin >>> set relation between particular device and user to the resource >>> (device) >>> added scope which name consists of *user id* plus word *view* (I know >>> it >>> is not good way to use scopes but I have no idea can better configure >>> this >>> relation in keycloak) >>> >> >> It seems company and realm have a 1:1 mapping ? If so, we end up missing >> the group issue I mentioned previously. >> >> Makes sense ? >> >> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >

8 years, 9 months

1
0
0 / 0

keycloak.js - access custom claims in token

by java_os

Hi Group Using keycloak.js, what is the best approach to access any custom claims (other claims) from the token. Anyway can share this I would appreciate it. Thanks D

8 years, 9 months

2
2
0 / 0

Keycloak 3.2.0.CR2 released

by Stian Thorgersen

We've just released Keycloak 3.2.0.CR1. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. HighlightsFine grained admin permissions This is something that we've wanted to add for a long time! Through our authorization services it's now possible to finely tune permissions for admins. This makes it possible to limit what clients, users, roles, etc. admins have access to. Documentation is missing for this at the moment, but will be added in time for 3.2.0.Final. Docker Registry support It's not possible to secure a Docker Registry with a standard OAuth or OpenID Connect provider. For some strange reason they have only partially followed the specifications and the Docker Registry maintainers refuse to fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who contributed this we now have a special Docker Registry protocol that can be enabled in Keycloak. Authentication sessions and access tokens In the effort to provide support for running Keycloak in multiple data centers we've done a large amount of work around user sessions. We've introduced authentication sessions that are special sessions used primarily during the authentication flows. There are two main reasons for this. Authentication flows can fairly easily be fixed to a specific node within a specific data center and there is no need to replicate this to other data centers. They are also more write heavy than the user sessions. The introduction of access tokens makes it possible to detach actions (for example verify email) from a user session, which has a number of benefits. More will come in future 3.x releases and by the end of the year we aim to fully support replicating Keycloak cross multiple data centers. Authorization Service improvements There's been a lot of work done to the authorization services in this release. Way to many to list here so check out JIRA <https://issues.jboss.org/browse/KEYCLOAK-5072?jql=project%20%3D%20keycloa...> for details. QuickStarts We've introduced new QuickStarts with the aim to make it even simpler for you to get started securing your applications and services with Keycloak. The QuickStarts have proper tests as well, which can serve as a reference on how to tests your own applications and services secured with Keycloak. Check out the new QuickStarts in the keycloak-quickstarts GitHub repository <https://github.com/keycloak/keycloak-quickstarts>. Upgraded AngularJS and JQuery We've upgraded the versions we use of AngularJS and JQuery as there where a number of known vulnerabilities. We're fairly certain neither of the known vulnerabilities affect Keycloak, but to be on the safe side we decided to upgrade. Updated Password Hashing Algorithms We're still using PBKDF2, but we've added support for SHA256 and SHA512. PBKDF2 is SHA256 is now used by default. Spring Boot QuickStarter We've added a new Spring Boot QuickStarter that makes it super simple to get started securing your Spring Boot applications. For more details check out the blog post about it <http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>. Loads more.. - Partial export of realms in the admin console - Redirect URI rewrite rules for adapters - Test email settings in the admin console - Initial access tokens now persisted to the db The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Upgrading Before you upgrade remember to backup your database and check the migration guide <https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...>. Release candidates are not recommended in production and we do not support upgrading from release candidates.

8 years, 9 months

2
2
0 / 0

Keycloak relations between resources in a system

by Kirill Liubun

Hi there, I am new to keycloak and try to use it as auth server in my solution. I have next entity's model: the *devices* are owned by a particular *company* to which belongs some *users*. A user with role *admin* can grant permission for viewing some set of devices to a regular user but only those devices that belong to admin's company. Thus all users except admins can view the only subset of all devices in the company. Based on requirements I decided to make a company as *group* and devices as keycloak's *resources*. To evaluating permissions I chose *rule-based policy*. The problem is I ran into next question about hot to implement other relations and business rules: 1. Can I set the group as an owner of the resource to check this relation in policy? 2. Which mechanism better to use in my case to grant view permission on a particular device to a regular user? If someone is more experienced in keycloak and knows how to better represent such model, please help. Thank you in advance. *P.S.* For the second question I have two solutions: - Create on each device new role which name consists of *device's name* + word *view* (This solution has big disadvantage because If user has over 1000 devices the *Permission Ticket* will be very huge) - Represent mapping between user and device via scope -- when you admin set relation between particular device and user to the resource (device) added scope which name consists of *user id* plus word *view* (I know it is not good way to use scopes but I have no idea can better configure this relation in keycloak)

8 years, 9 months

2
1
0 / 0

SAML2 exception - Undeclared namespace prefix "dsig"

by Michael Mok

Hi there We are using Keycloak 3.1.0 and when it is processing a SAML response, we encountered the following error. 08:24:46,541 ERROR [io.undertow.request] (default task-352) UT005023: Exception handling request to /auth/realms/dev/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig" at [row,col {unknown-source}]: [1,338] at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException( ExceptionHandler.java:212) The "dsig" is declared in the header of the xml but Keycloak does not appear to recognise it. Here is the SAML response <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" *xmlns:dsig="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig#>"* xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles: attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://www.bill.com/auth/realms/dev/broker/ saml/endpoint <https://www.billview.com.au/auth/realms/billviewdev/broker/saml/endpoint>" ID="id--nk-7uGxvonvTG7h8NL09hLwcKIpGZC053Zj-3Cz" InResponseTo="ID_0c62fac6-d0d1-487d-91a6-44dd8c6cee16" IssueInstant="2017-06-29T00:24:46Z" Version="2.0" > <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> http://iamdev.edu/oam/fed</saml:Issuer <http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion ID="id-S80vqfesnCZBogvgpKyOKL2z1I8Y-mlMpAQwVk8q" IssueInstant="2017-06-29T00:24:46Z" Version="2.0" > <saml:Issuer Format="urn:oasis:names:tc: SAML:2.0:nameid-format:entity">http://iamdev.edu/oam/fed</saml:Issuer <http://iamdev.ecu.edu.au/oam/fed%3c/saml:Issuer>> <dsig:Signature> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/ 2001/10/xml-exc-c14n#" /> <dsig:SignatureMethod Algorithm="http://www.w3.org/ 2000/09/xmldsig#rsa-sha1" /> <dsig:Reference URI="#id-S80vqfesnCZBogvgpKyOKL2z1I8Y- mlMpAQwVk8q"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/ 2000/09/xmldsig#enveloped-signature" /> <dsig:Transform Algorithm="http://www.w3.org/ 2001/10/xml-exc-c14n#" /> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/ 2000/09/xmldsig#sha1" /> <dsig:DigestValue>/9fx72oB3eQ5vDcEJE5q0u43P8k=</ dsig:DigestValue> </dsig:Reference> </dsig:SignedInfo>

8 years, 9 months

2
1
0 / 0

example for Resteasy and keycloak

by Nikolaj Majorov

Hi all, there can I find example for resteasy and keycloak ? can someone share ? thanks ! Regards, Nikolaj

8 years, 9 months

2
1
0 / 0

Cache renewal and invalidation for User provider

by Couralet Cédric

Hello, With Keycloak 3.1.0 configured with a ldap as user storage provider, we had a problem where when an attribute is modified the ldap directly, it is not immediately picked up by keycloak (in account or administrative interface), even though the attribute in question is marked as "Always Read Value From LDAP" in the mapper. We tried changing the cache policy on the user federation configuration, or even with "import" option off. But it seems the cache is global to keycloak (wildfly?). There is 2 needs behind that question : 1) we have an attribute in ldap which governs if the user must change password. Our idea was to check the attribute in a script based authenticator to add and user action if found. Except, in our situation the new value was never read from ldap, we finally had a solution by calling "user.getDelegateForUpdate();" before reading the attribute, but I don't think it is the best way to do that. 2) We have some attribute changing independantly from keycloak, which could change some access authorization for an user. So we need thos attribute picked up immediatly. Clearing the realm cache seems to work, but it is far from a good solution. Is there something we missed? What are the recommended ways to treat these cases? Best regards, Cédric Couralet

8 years, 9 months

2
1
0 / 0

Review Chinese translations

by Stian Thorgersen

Can someone please review PR for Chinese translations: https://github.com/keycloak/keycloak/pull/4251

8 years, 9 months

1
0
0 / 0

Problems logging out using JEE to keycloak to SAML (ADFS)

by Jason Spittel

Hello, I'm having difficulty completing a logout. SETUP: JEE webapp to keycloak to IdP (ADFS (SAML)) WORKFLOW: 1) On logout in the webapp externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true"); 2) User is sent to ADFS letting them know they have successfully logged out. 3) However, there is still a keycloak user session alive (seen in the admin console) 4) Hitting a protected resource in the webapp lets user in without having to log back in. Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262 String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER); if (brokerId != null) { IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId); Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm); if (response != null) return response; } return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers); I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly? Thanks, Jason

8 years, 9 months

1
0
0 / 0

CORS's problem with JavaScript's library

by Karol Buler

Hi Everyone, We have problem with CORS. We are using this lib: https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript application. When we try to get AccessToken we are getting this message: Fetch API cannot load http://<keycloak_address>/auth/realms/master/protocol/openid-connect/token. Request header field x-client is not allowed by Access-Control-Allow-Headers in preflight response. We tried to modify CORS headers in standalone.xml file of Keycloak's server, but we found that CORS headers are hardcoded and added "in air". Best regards, Karol Buler [https://www.adbglobal.com/wp-content/uploads/adb.png] connecting lives connecting worlds

8 years, 9 months

2
2
0 / 0

service account with offline tokens

by Ravinder Thirumala

Hi, We have application which has frontend and backend(running on glassfish), we have secured with keycloak for user authentication. Now have got other application X which provides RESTful service, these RESTful APIs are called as part of scheduled jobs from backend without user login. Can I use service account with offline tokens for calling RESTful API on AppX. Do i need to have different keycloak.json for REST API communication ? regards Ravi

8 years, 9 months

2
1
0 / 0

liquibase.exception.DatabaseException

by Marc Tempelmeier

Hi, Is this a bug? [Server:slave1] 14:12:02,873 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) [Server:slave1] Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) [Server:slave1] Caused by: liquibase.exception.UnexpectedLiquibaseException: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22 [Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22 [Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22"}} Database looks good though, after the error the slave crashed and unregistered. BR Marc

8 years, 9 months

2
2
0 / 0

install quickstart into to the keycloak server

by Nikolaj Majorov

HI all, if I install quickstarts to keycloak server 3.1.0.Final do I need to install wildfly adapter there ? ot it's already enabled ? I register client and deploy service-jee-jaxrs application, but only get Unknown authentication mechanism KEYCLOAK then I deploy directly to the keycloak server 3.1.0 Regards, Nikolaj

8 years, 9 months

3
2
0 / 0

Re: [keycloak-user] Keycloak offline token

by Sherminator Kasuga

Any idea about how can i solve this issue please? Thanks in advance

8 years, 9 months

1
0
0 / 0

Re: [keycloak-user] OAuth 2.0 JWT Bearer flow

by Shailesh Kochhar

Hello everyone, I'm working on integrating Keycloak into a multi-party authentication system where I need to use the OAuth 2.0 JWT bearer flow as described in this document: https://help.salesforce.com/articleView?id= remoteaccess_oauth_jwt_flow.htm&type=0. I wanted to know if Keycloak could support this token bearer flow. I was able to find some documentation about client authentication with a signed JWT. Despite searching through the list archives and the server admin docs, I cannot tell there is a similar flow which could be used to authenticate the user as well. Any pointers in figuring out if this is feasible would be really helpful. Thanks a lot! Shailesh

8 years, 9 months

1
1
0 / 0

Initial state transfer times out for cache loginFailures

by Dan Corbett

We have a 3 node cluster of Keycloak 3.1.0.Final (WildFly Core 2.0.10.Final) running in Docker AWS ECS. It all has been running smoothly for many months, through various versions, deployments and recycles. Just recently, when one of the containers was terminated, the new container was run by ECS but could not start Keycloak and join the cluster. Error is: Failed to start service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures, Initial state transfer timed out for cache loginFailures We also see some of the following, which may be related? 2017-06-27 05:54:01,914 DEBUG [org.infinispan.remoting.inboundhandler.NonTotalOrderPerCacheInboundInvocationHandler] (remote-thread--p10-t3) ISPN000311: Received a command from an outdated topology, returning the exception to caller: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 1962, got 1963 We enabled various Debug log levels but haven’t yet found anything conclusive. We tried clearing caches via Infinispan JMX tooling etc, but still could not start the new node. The two remaining instances were still clustered OK. We provisioned additional cluster and it's working as expected, so don’t believe at this stage it’s a network communication issue. Found this report for Redhat SSO, seems similar? I can’t see solution. https://access.redhat.com/solutions/2841711 Any info on possible cause or how to debug/investigate further would be a great help. Configs and logs below.. Thanks Dan Our cache config is: <subsystem xmlns="urn:jboss:domain:infinispan:4.0"> <cache-container name="keycloak" jndi-name="infinispan/Keycloak"> <transport lock-timeout="60000"/> <local-cache name="realms"> <eviction max-entries="10000" strategy="LRU"/> </local-cache> <local-cache name="users"> <eviction max-entries="10000" strategy="LRU"/> </local-cache> <distributed-cache name="sessions" mode="SYNC" owners="5" /> <distributed-cache name="offlineSessions" mode="SYNC" owners="1" /> <distributed-cache name="loginFailures" mode="SYNC" owners="1"/> <distributed-cache name="authorization" mode="SYNC" owners="1"/> <replicated-cache name="work" mode="SYNC"/> <local-cache name="keys"> <eviction max-entries="1000" strategy="LRU"/> <expiration max-idle="3600000"/> </local-cache> </cache-container> <cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server"> <transport lock-timeout="60000"/> <replicated-cache name="default" mode="SYNC"> <transaction mode="BATCH"/> </replicated-cache> </cache-container> <cache-container name="web" default-cache="dist" module="org.wildfly.clustering.web.infinispan"> <transport lock-timeout="60000"/> <distributed-cache name="dist" mode="ASYNC" l1-lifespan="0" owners="2"> <locking isolation="REPEATABLE_READ"/> <transaction mode="BATCH"/> <file-store/> </distributed-cache> </cache-container> <cache-container name="ejb" aliases="sfsb" default-cache="dist" module="org.wildfly.clustering.ejb.infinispan"> <transport lock-timeout="60000"/> <distributed-cache name="dist" mode="ASYNC" l1-lifespan="0" owners="2"> <locking isolation="REPEATABLE_READ"/> <transaction mode="BATCH"/> <file-store/> </distributed-cache> </cache-container> <cache-container name="hibernate" default-cache="local-query" module="org.hibernate.infinispan"> <transport lock-timeout="60000"/> <local-cache name="local-query"> <eviction strategy="LRU" max-entries="10000"/> <expiration max-idle="100000"/> </local-cache> <invalidation-cache name="entity" mode="SYNC"> <transaction mode="NON_XA"/> <eviction strategy="LRU" max-entries="10000"/> <expiration max-idle="100000"/> </invalidation-cache> <replicated-cache name="timestamps" mode="ASYNC"/> </cache-container> </subsystem> Snip of error log below. 02:49:49,248 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started sessions cache from keycloak container 02:53:48,262 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 53) MSC000001: Failed to start service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(AsynchronousServiceBuilder.java:107) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:172) at org.infinispan.factories.AbstractComponentRegistry$PrioritizedMethod.invoke(AbstractComponentRegistry.java:870) at org.infinispan.factories.AbstractComponentRegistry.invokeStartMethods(AbstractComponentRegistry.java:639) at org.infinispan.factories.AbstractComponentRegistry.internalStart(AbstractComponentRegistry.java:628) at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:531) at org.infinispan.factories.ComponentRegistry.start(ComponentRegistry.java:222) at org.infinispan.cache.impl.CacheImpl.start(CacheImpl.java:849) at org.infinispan.manager.DefaultCacheManager.wireAndStartCache(DefaultCacheManager.java:621) at org.infinispan.manager.DefaultCacheManager.createCache(DefaultCacheManager.java:572) at org.infinispan.manager.DefaultCacheManager.getCache(DefaultCacheManager.java:440) at org.jboss.as.clustering.infinispan.DefaultCacheContainer.lambda$getCache$6(DefaultCacheContainer.java:119) at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(DefaultCacheContainer.java:120) at org.jboss.as.clustering.infinispan.DefaultCacheContainer.getCache(DefaultCacheContainer.java:114) at org.wildfly.clustering.infinispan.spi.service.CacheBuilder.start(CacheBuilder.java:80) at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(AsynchronousServiceBuilder.java:102) ... 4 more Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:224) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:168) ... 18 more 02:53:48,275 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,276 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "backup-for") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,276 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "backups") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "eviction") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "expiration") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,277 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "locking") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,278 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "partition-handling") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,278 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "state-transfer") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,279 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("component" => "transaction") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,279 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "infinispan"), ("cache-container" => "keycloak"), ("distributed-cache" => "loginFailures"), ("store" => "none") ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.loginFailures" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache loginFailures on 9c8ea5960a4d"}} 02:53:48,350 INFO [org.jboss.as.server] (ServerService Thread Pool -- 51) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 02:53:48,369 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.infinispan.keycloak.loginFailures: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.loginFailures: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl

8 years, 9 months

2
1
0 / 0

Activating events-listener SPI on keycloak startup

by Vanecek Stepan

Hello, I implemented my own events-listener SPI based on the documentation example (https://keycloak.gitbooks.io/documentation/server_development/topics/prov...). Now I want to activate the event listener. I can do so in the admin console (Events->Config) but I would like to activate it automatically on startup. I tried modifying the standalone.xml but it did not help, probably I am missing something. Could you please help me on how to activate the event listener implemented in the SPI on startup of keycloak? Regards, Stepan Vanecek

8 years, 9 months

2
1
0 / 0

java.lang.ClassNotFoundException when running Keycloak with an spi that is using Akka

by Jonas Schönenberger

Hi everyone I am writing an Keycloak SPI that will modify clients based on events. Therefore I use the EventListenerProvider. In the SPI code, that is written in Scala, I am using the Akka library for certain tasks. Unfortunately I get an ClassNotFoundException for the class akka.event.DefaultLoggingFilter when I run Keycloak with the spi. I've built an spi before, that is not using Akka and it worked. The class is available inside the spi .jar-file. I found a ticket on Keycloak's Jira Board (https://issues.jboss.org/browse/KEYCLOAK-4738) and updated to Keycloak version 3.1.0.Final, that contains the fix for this ticket - didn't help. Here is the full error message I get: 09:47:49,003 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool > -- 52) MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct > public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.ClassNotFoundException: > akka.event.DefaultLoggingFilter from [Module > "deployment.keycloak-server.war:main" from Service Module Loader] > at > org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198) > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) > at > org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) > at > org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) > at java.lang.Class.forName0(Native Method) > at java.lang.Class.forName(Class.java:348) > at > akka.actor.ReflectiveDynamicAccess.$anonfun$getClassFor$1(ReflectiveDynamicAccess.scala:21) > at scala.util.Try$.apply(Try.scala:209) > at > akka.actor.ReflectiveDynamicAccess.getClassFor(ReflectiveDynamicAccess.scala:20) > at > akka.actor.ReflectiveDynamicAccess.createInstanceFor(ReflectiveDynamicAccess.scala:38) > at akka.actor.ActorSystemImpl.<init>(ActorSystem.scala:758) > at akka.actor.ActorSystem$.apply(ActorSystem.scala:245) > at akka.actor.ActorSystem$.apply(ActorSystem.scala:288) > at akka.actor.ActorSystem$.apply(ActorSystem.scala:263) > at > some.package.keycloak.keycloak.REST.KeycloakAdminClient.<init>(REST.scala:592) > at > some.package.keycloak.keycloak.KeycloakConfigurator.<init>(KeycloakConfigurator.scala:21) > at > some.package.keycloak.MyEventListenerProviderFactory.init(MyEventListenerProvider.scala:50) > at > org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:209) > at > org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:76) > at > org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:313) > at > org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:110) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > ... 19 more > 09:47:49,010 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: > ([("deployment" => "keycloak-server.war")]) - failure description: > {"WFLYCTL0080: Failed services" => > {"jboss.undertow.deployment.default-server.default-host./auth" => > "org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: java.lang.ClassNotFoundException: > akka.event.DefaultLoggingFilter from [Module > \"deployment.keycloak-server.war:main\" from Service Module Loader]"}} Do you guys have an idea what can cause this error and how to solve it? Thank you for your help and Best Regards Jonas

8 years, 9 months

2
1
0 / 0

Re: [keycloak-user] Review Japanese PR

by Stian Thorgersen

Thanks. Just add a comment to the PR if it's OK or not. On 27 June 2017 at 10:53, Masanobu Hatanaka <mhatanak(a)redhat.com> wrote: > I will check this request. > > Thanks, > Masanobu Hatanaka > > On 2017年06月27日 15:43, Stian Thorgersen wrote: > > There's a PR for fixes to the Japanese translations. Could someone review > > it please? > > > > https://github.com/keycloak/keycloak/pull/4245 > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >

8 years, 9 months

1
0
0 / 0

Authentication SPI and connection management

by Max Musternam

Hello, I've followed the instructions from https://keycloak.gitbooks.io/documentation/server_installation/topics/dat... But instead of changing the existing DS and provider, I added another one, because I have to implement additional check and/or actions against the data in the second database: <subsystem xmlns="urn:jboss:domain:datasources:4.0"> <datasources> <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true"> ... </datasource> <datasource jndi-name="java:jboss/datasources/myDbDS" pool-name="mydb" enabled="true" use-java-context="true"> <connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url> <driver>postgresql</driver> <pool> <max-pool-size>20</max-pool-size> </pool> <security> <user-name>user</user-name> <password>password</password> </security> </datasource> </datasources> </subsystem> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <spi name="connectionsJpa"> <provider name="default" enabled="true"> ... </provider> <provider name="mydb" enabled="true"> <properties> <property name="dataSource" value="java:jboss/datasources/myDbDS"/> <property name="initializeEmpty" value="false"/> <property name="migrationStrategy" value="validate"/> </properties> </provider> </spi> ... </subsystem> Now I can't find this connection provider in the admin console. Only the default is listed in Server Info > Providers. In the log file I've found initialization of both datasources (MSC service thread 1-8) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/myDbDS but only one PersistenceUnit was processed: HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] As result the call context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class, "default") does return me an instance of JpaConnectionProvider Class, but the call context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class, "mydb") returns null. Would you suggest possible solution of the problem? Server Version: 3.1.0.Final Thank a lot in advance.

8 years, 9 months

1
0
0 / 0

Review German PR

by Stian Thorgersen

Can someone please review fixes to the German translations in PR https://github.com/keycloak/keycloak/pull/4234?

8 years, 9 months

1
0
0 / 0

Review Japanese PR

by Stian Thorgersen

There's a PR for fixes to the Japanese translations. Could someone review it please? https://github.com/keycloak/keycloak/pull/4245

8 years, 9 months

1
0
0 / 0

Authentication SPI and connection management

by Julian Wermes

Hello, I've followed the instructions from https://keycloak.gitbooks.io/documentation/server_installation/topics/dat... But instead of changing the existing DS and provider, I added another one, because I have to implement additional check and/or actions against the data in the second database: <subsystem xmlns="urn:jboss:domain:datasources:4.0"> <datasources> <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true"> ... </datasource> <datasource jndi-name="java:jboss/datasources/myDbDS" pool-name="mydb" enabled="true" use-java-context="true"> <connection-url>jdbc:postgresql://192.168.XX.XX/myproject</connection-url> <driver>postgresql</driver> <pool> <max-pool-size>20</max-pool-size> </pool> <security> <user-name>user</user-name> <password>password</password> </security> </datasource> </datasources> </subsystem> <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> <spi name="connectionsJpa"> <provider name="default" enabled="true"> ... </provider> <provider name="mydb" enabled="true"> <properties> <property name="dataSource" value="java:jboss/datasources/myDbDS"/> <property name="initializeEmpty" value="false"/> <property name="migrationStrategy" value="validate"/> </properties> </provider> </spi> ... </subsystem> Now I can't find this connection provider in the admin console. Only the default is listed in Server Info > Providers. In the log file I've found initialization of both datasources (MSC service thread 1-8) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/myDbDS but only one PersistenceUnit was processed: HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] As result the call context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class, "default") does return me an instance of JpaConnectionProvider Class, but the call context.getSession().keycloakSession.getProvider(JpaConnectionProvider.class, "mydb") returns null. Would you suggest possible solution of the problem? Server Version: 3.1.0.Final Thank a lot in advance. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Authentication-SPI... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 9 months

1
0
0 / 0

Behavior of back-channel logout for starter application

by José Eduardo Paiva Dâmaso

Hello, We are observing an issue with the back-channel logout functionality on our clustered application. The application is clustered on 2 nodes and exposed via an Apache based load balancer (the load balancer URL is configured as Admin URL in Keycloak). The issue is as follows: · The user logs in to the application and starts an HTTP session on node 2 · The user logs out (HttpServletRequest.logout) · Keycloak starts the single-log-out process and sends a ‘k_logout’ POST to our cluster · The ‘k_logout’ POST is served by node 1, which seems to become deadlocked when trying to invalidate the clustered session (probably because it’s owned by node 2) · The ‘k_logout’ request is aborted by our load balancer (2 minute timeout) and we have an exception on node 1: o 19:11:08,118 WARN [org.jboss.as.clustering.web.infinispan] (JBossWeb-threads - 38) JBAS010322: Failed to load session 2Jd1GWNi9IITsG-1F37d9VLa: java.lang.IllegalStateException: AtomicMap stored under key 2Jd1GWNi9IITsG-1F37d9VLa has been concurrently removed My question is why is Keycloak trying to back-channel logout the same client application that started the login process? Is this the intended behavior, or do we have some wrong configuration? Our application is mostly standard Java EE deployed on JBoss EAP 6.4 and uses keycloak-adapter 2.5.1. Our Keycloak server is version 2.5.0. Thanks, José Dâmaso

8 years, 9 months

2
4
0 / 0

Brokering tenant SSO (instead of social SSO)

by Peter K. Boucher

We have an app that is multi-tenanted (the app is provisioned in a realm per tenant, with some code that knows which keycloak.json to load for the appropriate realm). We want to support SSO from the tenants using SAML. Ideally, the tenant's user would be logged into their own intranet, and from there, they would click on a link and end up logged into our app without having to see any login page or SSO provider selection page. We were thinking that one way this could be done would be to shortcut steps 3 and 4 in the diagram at https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-brok er/overview.html (maybe by writing javascript code in the in the page to automatically select the tenant appropriate for the current realm and submit it in order carry out the rest of the SSO without asking the user to click on anything). Is there a way to do this without kludging javascript into the SSO provider selection page? Thanks! Regards, Peter K. Boucher

8 years, 9 months

1
0
0 / 0

Supporting forceAuthn on a per scenario basis

by John D. Ament

Hi, I have a use case where I need to support the SAML forceAuthn on a per scenario basis. E.g. when a user does action 1, need to send the forceAuthn flag, but when they do any other action don't send it. When I look at the code in SAMLIdentityProvider, I see this being built: SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder() .assertionConsumerUrl(assertionConsumerServiceUrl) .destination(destinationUrl) .issuer(issuerURL) .forceAuthn(getConfig().isForceAuthn()) .protocolBinding(protocolBinding) .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat)); so it always looks at the config. If we wanted to support a forceAuthn behavior based on other actions, how could that work? I was thinking the oidc prompt attribute could be used, but I don't seem to have the OIDC request available in this class. John

8 years, 9 months

1
0
0 / 0

KeyCloak pose no login challenge

by shimin q

I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https://<my server ip>/rtna2, it went straight to the the web app. 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/2 - rtna2 app is deployed under tomcat webapps/3 - modify rtna2/META-INF/context.xml: <?xml version="1.0" encoding="UTF-8"?><Context path="/rtna2" debug="0" privileged="true" > <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/></Context>4 - add keycloak.json under rtna2/WEB-INF: { "realm": "rtna", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": "external", "resource": "rtna2", "public-client": true} 5. modify rtna2/WEB-INF/web.xml: <?xml version="1.0" encoding="UTF-8"?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" > <module-name>rtna2</module-name><welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>rtna2</web-resource-name> <url-pattern>/rtna2/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>rtna</realm-name> </login-config> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>user</role-name> </security-role> <security-role> <role-name>sudo</role-name> </security-role></web-app> I have tried "<auth-method>KEYCLOAK</auth-method>" also, does not work 6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm: client id: rtna2Access type: public (tried "confidential" also)Authorization enabled: on ("off" also)Root URL: https://135.112.180.27/rtna2Valid Redirect URLs: https://135.112.180.27/rtna2/*Base URL: https://135.112.180.27/rtna2Admin URL: https://135.112.180.27/rtna2Web Origins: https://135.112.180.27/rtna2/* I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge! What could possibly be wrong? Please advise! Thanks!!

8 years, 9 months

4
12
0 / 0

User Attributes value length

by Matt Evans

Hi We're using keycloak with postgresql and we've just hit a problem where one of our user attribute values is long, and it's longer than the max of the fed_user_attribute.value column, which is varchar(2024). Was there a reason it's set to 2024? Is there a reason for me not to alter the column to a text type (or unbound varchar)? Thanks Matt

8 years, 9 months

1
0
0 / 0

Fwd: Error when session expired and ajax request execute in Keycloak?

by Adam Daduev

After login, i get in my app, and for all my ajax request from page to backing bean, i receive response 401 even if the session is still alive. If removed autodetect-bearer-only option, all work fine, but going back to the old error. XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ realms/azovstal/protocol/openid-connect/auth?…ml&state= 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. ---------- Forwarded message --------- From: Adam Daduev <daduev.ad(a)gmail.com> Date: вт, 10 янв. 2017 г. в 14:08 Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak? To: <stian(a)redhat.com> I tried, but does not work. Firstly, i add autodetect-bearer-only option via adapter subsystem, wildfly not started, he not know autodetect-bearer-only option, then, i added via json, wildfly started and app was deployed. Secondly, on my ajax request to backing bean, i receive response 401 and does not happend. This is my keycloak.json { "realm": "azovstal", "auth-server-url": "http://dc09-apps-06:8090/auth", "ssl-required": "none", "resource": "web-test", "public-client": true, "use-resource-role-mappings": true, "autodetect-bearer-only": true } вт, 10 янв. 2017 г. в 10:19, <daduev.ad(a)gmail.com>: Ok, I try, thanks. 10 янв. 2017 г., в 07:07, Stian Thorgersen <sthorger(a)redhat.com> написал(а): In that case take a look at the new autodetect-bearer-only option. You'll need 2.5.0.Final for that. On 9 January 2017 at 19:18, <daduev.ad(a)gmail.com> wrote: No, I have jsf 2 app with richfaces framework, which deploy on wildfly 10.1. 9 янв. 2017 г., в 14:51, Stian Thorgersen <sthorger(a)redhat.com> написал(а): [Adding list back] A web app redirects the user to a login page if not authenticated, while a service should return a 401. It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services a bearer-only client. On 9 January 2017 at 13:39, Adam Daduev <daduev.ad(a)gmail.com> wrote: Thanks for the answer. Yes i have confidential client, i have web application, that asks Keycloak server to authenticate a user for them. As I understand, bearer-only is for web services clients. I probably something do not understand? 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>: Looks like your services are configured as confidential clients rather than bearer-only and hence is sending a login request back rather than a 401. You should either swap your service war to be a bearer-only client or use the new autodetect-bearer-only option in adapters if you have both web pages and services in the same war. On 8 January 2017 at 23:29, Adam Daduev <daduev.ad(a)gmail.com> wrote: Hi, can you help me! When session expired and ajax request execute in Keycloak, i have error in browser console: XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ realms/azovstal/protocol/openid-connect/auth?…ml&state= 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. I add in Keycloak admin console, in the client setting, Web Origins= http://localhost:8080 (or *), and enabled cors in app, but still has error in console. I used Keycloak 2.5.0 _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 9 months

3
5
0 / 0

How to create a Camel Route with Keycloak Admin Client in JBoss Fuse 6.3.0?

by Celso Agra

Hi all, I'm trying to use the keycloak admin client in JBoss Fuse 6.3.0. Everything works fine when I run the java main class, but when I put this in the JBoss Fuse (with Karaf) I got an error, because the keycloak are using the resteasy, and the OSGI is totally different. So, does anyone knows how to do the same keycloak admin client configuration using this environment? Here is my log: javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:289) at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:454) at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105) at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) at com.sun.proxy.$Proxy85.grantToken(Unknown Source) at > org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89) at > org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69) at > org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64) at > org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52) at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431) at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105) at > org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) at com.sun.proxy.$Proxy88.create(Unknown Source) at > pe.gov.br.ati.service.KeycloakAdminManager.createUserKeycloak(KeycloakAdminManager.java:64) at > pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:20) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at > org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408) at > org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279) at > org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252) at > org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177) at > org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77) at > org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163) at > org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468) at > org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196) at org.apache.camel.processor.Pipeline.process(Pipeline.java:121) at org.apache.camel.processor.Pipeline.process(Pipeline.java:83) at > org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196) at > org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62) at > org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145) at > org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77) at > org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:163) at > org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468) at > org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196) at org.apache.camel.processor.Pipeline.process(Pipeline.java:121) at org.apache.camel.processor.Pipeline.process(Pipeline.java:83) at > org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196) at > org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109) at > org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:91) at > org.apache.camel.component.restlet.RestletConsumer$1.handle(RestletConsumer.java:68) at > org.apache.camel.component.restlet.MethodBasedRouter.handle(MethodBasedRouter.java:54) at org.restlet.routing.Filter.doHandle(Filter.java:150) at org.restlet.routing.Filter.handle(Filter.java:197) at org.restlet.routing.Router.doHandle(Router.java:422) at org.restlet.routing.Router.handle(Router.java:639) at org.restlet.routing.Filter.doHandle(Filter.java:150) at org.restlet.routing.Filter.handle(Filter.java:197) at org.restlet.routing.Router.doHandle(Router.java:422) at org.restlet.routing.Router.handle(Router.java:639) at org.restlet.routing.Filter.doHandle(Filter.java:150) at > org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140) at org.restlet.routing.Filter.handle(Filter.java:197) at org.restlet.routing.Filter.doHandle(Filter.java:150) at org.restlet.routing.Filter.handle(Filter.java:197) at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202) at org.restlet.Component.handle(Component.java:408) at org.restlet.Server.handle(Server.java:507) at > org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63) at > org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143) at > org.restlet.engine.connector.HttpServerHelper$1.handle(HttpServerHelper.java:64) at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79) at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83) at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82) at > sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675) at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79) at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647) at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: javax.ws.rs.ProcessingException: RESTEASY003215: could not find > writer for content-type application/x-www-form-urlencoded type: > javax.ws.rs.core.Form$1 at > org.jboss.resteasy.core.interception.jaxrs.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40) at > org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:146) at > org.jboss.resteasy.core.interception.jaxrs.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:121) at > org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:388) at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:589) at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:557) at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:456) at > org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283) ... 70 more Thanks for the attention. -- --- *Celso Agra*

8 years, 9 months

2
3
0 / 0

Unicast

by Marc Tempelmeier

Hi, does someone here use unicast instead of multicast to form a cluster? If yes, I would be interested in the config :) Best regards Marc

8 years, 9 months

4
5
0 / 0

Re: [keycloak-user] clientSecret passing upon Client creation

by Marko Strukelj

While nobody can give any guarantees about the future of a community project (as opposed to a commercial product like RH-SSO), it is reasonable to expect that "secret" field will remain for as long as there is Admin REST API. There will most likely be another version of Admin REST API in the future, but that would almost certainly be parallel to the current one. On Wed, Jun 21, 2017 at 4:26 PM, Adam Lis <adam.lis(a)gmail.com> wrote: > Hi! > > Thanks for your response. > > This is indeed what I needed. > > As far as I understand, since 'secret' field name is present in > ClientRepresentation in http://www.keycloak.org/ > docs-api/3.1/rest-api/index.html#_clientrepresentation - I can be sure > that support of that field remain in e.g. next versions of KeyCloak? > > AdamLis; > > > > 2017-06-21 15:58 GMT+02:00 Marko Strukelj <mstrukel(a)redhat.com>: > >> Your use case is indeed rather poorly documented, and requires some >> exploration, especially when using kcadm.sh or Admin Client API you need to >> also consult Admin REST API documentation (http://www.keycloak.org/docs- >> api/3.1/rest-api/index.html#_clientrepresentation) or directly explore >> the code for Admin REST endpoint (https://github.com/keycloak/k >> eycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak >> /services/resources/admin/ClientsResource.java#L146). >> >> Here's how you can set the secret for the client: >> >> $ cat > client.json << EOF >> { >> "clientId" : "test-cli", >> "enabled" : true, >> "clientAuthenticatorType" : "client-secret", >> "secret" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d000" >> } >> >> The key here are the properties "clientAuthenticatorType", and "secret". >> You can safely get away by only setting "secret" since "client-secret' is >> default for "clientAuthenticatorType". >> >> $ kcadm.sh create clients -r REALM_NAME -f client.json -i >> >> If you want to check the value of secret you need to perform another REST >> call as it's not returned as part of client GET. >> >> $ kcadm.sh get clients/$CID/client-secret >> >> Which will return CredentialRepresentation (http://www.keycloak.org/docs- >> api/3.1/rest-api/index.html#_getclientsecret): >> { >> "type" : "secret", >> "value" : "d0b8122f-8dfb-46b7-b68a-f5cc4e25d737" >> } >> >> Hopefully that addresses your problem. >> >> >> On Tue, Jun 20, 2017 at 5:07 PM, Adam Lis <adam.lis(a)gmail.com> wrote: >> >>> Hi! >>> >>> Thanks for response. >>> >>> Re what I'd like to achieve: I'd like to give some people pair >>> Client/ClientSecret so they could use my Keycloak instance. Since this >>> instance gets recreated using config management utility very often (e.g. >>> 5 >>> times a day), I need a functionality to be able to specify ClientSecret >>> when "provisioning" Keycloak instance. >>> >>> So for my needs - export-import is not good solution - since my server is >>> started using standalone.sh script as PID=1 inside docker container. Also >>> it would be hard to execute Export in my case, since docker container >>> shutdown is also done by config management system - and I'd need to start >>> standalone.sh again with export set. BTW: when export/import is involved >>> by >>> migration.action - it seems strange that main server thread is also >>> starting. >>> >>> So I've read >>> https://keycloak.gitbooks.io/documentation/server_admin/topi >>> cs/admin-cli.html >>> and >>> https://keycloak.gitbooks.io/documentation/securing_apps/top >>> ics/client-registration/client-registration-cli.html >>> >>> In above documents there is describes process of e.g. defining new >>> Clients. >>> But it does not answer my question at all. >>> >>> So maybe once again my question: >>> Is specifying 'secret' parameter >>> into >>> JSON creating new Client using e.g. "kcadm.sh create clients -r >>> REALM_NAME >>> -f JSON_FILE.json -i" proper and supported way of passing ClientSecret >>> value to newly created Client? <<< >>> >>> AdamLis; >>> >>> >>> 2017-06-20 16:17 GMT+02:00 Marko Strukelj <mstrukel(a)redhat.com>: >>> >>> > You can find doumentation for kcadm.sh at: https://keycloak.gitbooks. >>> > io/documentation/server_admin/topics/admin-cli.html >>> > >>> > Maybe for your usecase you might also want to use kcreg.sh, >>> documentation >>> > for which you can find at: https://keycloak.gitbooks. >>> > io/documentation/securing_apps/topics/client-registration/client- >>> > registration-cli.html >>> > >>> > kcreg.sh is meant for use by application developers to self-provision >>> > clients in order to integrate their apps with a Keycloak Server. >>> > >>> > There is also a boot time import functionality which you can use to >>> import >>> > the whole realm: https://keycloak.gitbooks.io/documentation/ >>> > server_admin/topics/export-import.html >>> > >>> > As to your question whether you can base realm / client creation on >>> > Keycloak's export / import functionality or CLI tools the answer is - >>> yes, >>> > that's the idea. If you can't achieve something basic and obvious then >>> the >>> > tools have to be improved. >>> > >>> > If you can be more specific what you are trying to achieve and what >>> > exactly you do, then I can give you more specific advice. >>> > >>> > Also, if you can be more specific what you were not able to find in the >>> > documentation, we can add it or make it easier to find. >>> > >>> > On Tue, Jun 20, 2017 at 2:24 PM, Adam Lis <adam.lis(a)gmail.com> wrote: >>> > >>> >> Hi! >>> >> >>> >> I've tried to search for this information in documentation, but not >>> >> succeeded. >>> >> >>> >> Let's assume I'm using keycloak docker container. >>> >> >>> >> Inside running instance I'm willing to add new Client like this: >>> >> >>> >> /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f >>> >> FILE_CONTAINING_DEFINITION.json -i >>> >> >>> >> So I'm getting actual contents of JSON file for example by exporting >>> >> existing Client (since I see no example in documentation as well) >>> >> >>> >> But in the export software is not setting 'secret' value in case >>> >> 'clientAuthenticatorType' is set to 'client-secret'. >>> >> >>> >> I've anyway tried to add 'secret' field to JSON and it has been >>> accepted >>> >> by >>> >> Keycloak - so Keycloak has created Client with ClientSecret value >>> passed >>> >> by >>> >> JSON file in field named 'secret'. >>> >> >>> >> My question and concern is: does this functionality (setting desired >>> >> ClientSecret on Client creation from JSON) work intended way? Can I >>> base >>> >> my >>> >> whole Realm/Client creation solution on that functionality? >>> >> >>> >> A little background: I'm willing to run Keycloak deployment with >>> docker >>> >> container as part of configuration management - so I'm storing Realm >>> and >>> >> Client data in outside storage and I'm willing to pass these >>> configuration >>> >> pieces into newly started Keycloak inside docker container. >>> >> >>> >> Thanks; >>> >> AdamLis; >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user(a)lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >

8 years, 9 months

1
0
0 / 0

clientSecret passing upon Client creation

by Adam Lis

Hi! I've tried to search for this information in documentation, but not succeeded. Let's assume I'm using keycloak docker container. Inside running instance I'm willing to add new Client like this: /opt/jboss/keycloak/bin/kcadm.sh create clients -r REALM_NAME -f FILE_CONTAINING_DEFINITION.json -i So I'm getting actual contents of JSON file for example by exporting existing Client (since I see no example in documentation as well) But in the export software is not setting 'secret' value in case 'clientAuthenticatorType' is set to 'client-secret'. I've anyway tried to add 'secret' field to JSON and it has been accepted by Keycloak - so Keycloak has created Client with ClientSecret value passed by JSON file in field named 'secret'. My question and concern is: does this functionality (setting desired ClientSecret on Client creation from JSON) work intended way? Can I base my whole Realm/Client creation solution on that functionality? A little background: I'm willing to run Keycloak deployment with docker container as part of configuration management - so I'm storing Realm and Client data in outside storage and I'm willing to pass these configuration pieces into newly started Keycloak inside docker container. Thanks; AdamLis;

8 years, 9 months

2
4
0 / 0

Re: [keycloak-user] Refesh token error

by Thomas Darimont

Hi Thomas, Great you figured this out. Would you mind elaborating a bit about what you did with respect to session fixation prevention? Cheers, Thomas Am 21.06.2017 2:55 nachm. schrieb "Göttlich, Thomas" < thomas.goettlich(a)it-informatik.de>: Never mind, I found the problem (at least I think I did): - SSO session idle: 1 minute - Access token lifespan: 1 minute When the access token has timed out and the application needs to refresh it the sso session has also timed out already, hence the error. Setting SSO session idle to 2 minutes or more fixes the issue. Mit freundlichen Grüßen i. A. Thomas Göttlich ------------------------------------------------------------- Entwicklung factor:plus +49 (0)731 / 9 35 42 -301 thomas.goettlich(a)it-informatik.de ------------------------------------------------------------- IT-Informatik GmbH Magirus-Deutz-Straße 17, 89077 Ulm Fax: +49 (0)731 / 9 35 42 - 130 www.it-informatik.de ------------------------------------------------------------- Amtsgericht Ulm: HRB 2662 Sitz der Gesellschaft: Ulm USt-IdNr.: DE 145567338 Geschäftsführender Gesellschafter: Günter Nägele -----Ursprüngliche Nachricht----- Von: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@ lists.jboss.org] Im Auftrag von Göttlich, Thomas Gesendet: Mittwoch, 21. Juni 2017 13:14 An: keycloak-user(a)lists.jboss.org Betreff: [keycloak-user] Refesh token error Hi there, we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side. The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling. It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error: - Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"} - Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client- secret So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty. For testing purposes we have set the following timeouts: - SSO session idle: 1 minute - SSO session max: 10 hours - Access token lifespan: 1 minute - Access token lifespan for implicit flow: 1 minute The client has the following settings: - Only standard flow enabled - Access type: confidential - Client protocol: openid-connect Any idea what could cause that error or where we should look at? Thanks in advance, Thomas _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 9 months

2
2
0 / 0

Refesh token error

by Göttlich, Thomas

Hi there, we're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side. The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling. It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error: - Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"} - Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret So far I could verify that the refresh token is not null so it seems to either be invalid or the request is faulty. For testing purposes we have set the following timeouts: - SSO session idle: 1 minute - SSO session max: 10 hours - Access token lifespan: 1 minute - Access token lifespan for implicit flow: 1 minute The client has the following settings: - Only standard flow enabled - Access type: confidential - Client protocol: openid-connect Any idea what could cause that error or where we should look at? Thanks in advance, Thomas

8 years, 9 months

1
1
0 / 0

IDP Broker (SAML) - add LDAP attributes from ReadOnly LDAP.

by Marc Jadoul

Hello, I am trying to configure RH SSO 7.0 (available as container in Openshift V3.2), to obtain attributes and roles from a read-only LDAP. User are authenticated using SAML, but applications do need additional attributes. The LDAP server has those attributes but do not provide user authentication, which is provided by Kerberos or SAML. Kerberos + LDAP is not really an option as it authenticate only a part of the users of the organization while SAML + LDAP could works for all. I found a couple of related issues: https://issues.jboss.org/browse/KEYCLOAK-4171 But solutions proposed does not work for me.... May be because my LDAP does not allows authentication? I get this error: 09:13:07,510 WARN [org.keycloak.events] (default task-320) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId= http://testapp.example.corp/mellon/metadata, userId=null, ipAddress=10.0.0.20, error=invalid_user_credentials, identity_provider=hub-i-saml2, auth_method=saml, redirect_uri= http://testapp.example.corp/mellon/postResponse, identity_provider_identity=testuser, code_id=... Or this one (if in first login I allows user re-authentication) but then I am prompted for a password which fail authenticating as the LDAP does not know my password. 09:13:07,510 WARN [org.keycloak.events] (default task-320) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=DevRealm, clientId= http://testapp.example.corp/mellon/metadata, userId=fa84a028-e28f-4d06-a72f-aad9c51d88f2, ipAddress=10.0.0.20, error=invalid_user_credentials, identity_provider=hub-i-saml2, auth_method=saml, redirect_uri= http://testapp.example.corp/mellon/postResponse, identity_provider_identity=testuser, code_id=... Is there a solution out of the box for my use case? Adding additional information about users from an ldap connection, read-only and without re-authentication? Regards, Marc

8 years, 9 months

2
1
0 / 0

Does keycloak tomcat valve need connectivity to IDP?

by ken edward

Hello, Does the keycloak tomcat saml valve need connectivity to the IDP (in my case ADFS)? Or does is only the client browser connecting to the IDP via redirects from the tomcat server? Ken

8 years, 9 months

2
1
0 / 0

Development help

by Tomás García

Hi, I've developed an API service for Keycloak. It's a bit complex algorithm where the clientSession needs to be recovered later if something happens, so I put a note in the style of HMAC + Session ID as Keycloak does in other places and then next, when the algorithm needs to continue in the following request to the same endpoint, I recover the session. Inside the API service, I'm adding users so I have to commit the transaction just in case a ModelDuplicateException happens, as I've seen in other places of Keycloak's code. So I'm receiving this exception when I recover the client session from the note (note: a user was added and committed previously). I've tried to start a new transaction after committing, but yet I still get the same exception. Any help or ideas will be welcome. Thanks. 09:06:48,748 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/realms/test/testApi/speciallogin : org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Cannot access delegate without a transaction at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja va:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:4 3) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.IllegalStateException: Cannot access delegate without a transaction at org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:97) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:182) at org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:282) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:794) at com.test.keycloak.api.services.specialLogin(TestAPIService.java:157) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more

8 years, 9 months

1
2
0 / 0

A bug in the Brute Force Detection mechanism?

by Wieloch, Marcin

Hi, One day I was looking for a workaround for a lacking feature (KEYCLOAK-4204), and I have encountered a problem with Brute Force Detection mechanism. For some specific settings (e.g., MaxLoginFailures = 3, WaitIncrement = 24855 days, Max Wait = 24855 days, FailureResetTime = 24855 days) the mechanism does not work, i.e., I am still able to login after 3 (or more) failed login attempts. I think it is caused by integer overflows happening in lines 121 and 133 of DefaultBruteForceProtector (v. 3.1.0.Final). Could you please confirm this is a bug? I would then create an issue in your JIRA. Best regards, Marcin The information in this email and any attachments is confidential and intended solely for the use of the individual(s) to whom it is addressed or otherwise directed. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. Finally, the recipient should check this email and any attachments for the presence of viruses. The Company accepts no liability for any damage caused by any virus transmitted by this email.

8 years, 9 months

1
0
0 / 0

Keycloak use-case with Android and custom API

by César Augusto Ribeiro

Hello, I have an APP (Android + NativeScript) and a custom NodeJS API that serves it.My idea is to let my API handle any authentication/authorization stuff through Keycloak - with keycloak-nodejs-connect. So we could have the following flow: - APP sends user and pass to this custom API;- API calls Keycloak to authenticate the user with data provided (/token, scope='offline_access' - to a public Keycloak client);- Keycloak returns a token to the API;- API returns the access token to the app, which holds it to be used in subsequent calls (Authorization Bearer ... header). In my tests through HTTP clients, simulating the flow I would have in the real case, I get HTTP Status 403 - Forbidden after token expiration. I have the impression that the refreshing of the token should be automatically done, but that doesn't seems to be happening. Small pieces of code: app.use(session({ secret: '...', resave: false, saveUninitialized: true, store: memoryStore, })); var keycloak = new Keycloak({ store: memoryStore, scope: 'offline_access' }, 'keycloak.json'); app.use(keycloak.middleware()); app.post('/login', function (req, res) { keycloak.grantManager.obtainDirectly('USER', 'PASS').then(grant => { keycloak.storeGrant(grant, req, res); ... }, error => { ... }); }); app.get('/someProtectedEndpoint', keycloak.protect(), function (req, res, next) { ... }); Do you see anything wrong in this use-case? Maybe I also need to store the refresh token in the client and use it to somehow force token refresh? Maybe it's not a good auth flow at all? For who wants some SO points: https://stackoverflow.com/q/44656168/643416 Thanks in advance!

8 years, 9 months

1
0
0 / 0

How to disable user roles updates with subsequent idp logins?

by Корчемкин Дмитрий

Hello, I have a following scenario: user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in second time, all the roles added by hand are being removed. I've tried looking for something to disable this on keycloak side, but i don't see anything relevant in documentation. Unfortunately, i don't have access to that particular AD FS. Is there a way to stop this overriding on Keycloak side, or is assigning all roles by mappers the only way? Best regards, Dmitry

8 years, 9 months

2
2
0 / 0

How to handle multivalued custom attributes in account client?

by Federico Navarro Polo - Info.nl

Hello, I’m facing a scenario where I have defined a custom attribute as multivalued. It works all fine using the REST admin API, and while in the Keycloak admin console is displayed as a ‘##’ separated string, it’s also functional in terms of displaying/editing the values. However, when it comes to adding the attribute to the account client, it apparently only shows the first element of the attribute, and I get the following log trace: >>> [org.keycloak.forms.account.freemarker.model.AccountBean] (default task-41) There are more values for attribute 'additionalProductIds' of user 'somebody(a)somewhere.com' . Will display just first value Am I overlooking some configuration to enable the handling of multivalued custom attributes? Met vriendelijke groet, Federico Navarro backend developer federico(a)info.nl<mailto:federico@info.nl> | LinkedIn<http://www.linkedin.com/in/jasperleferink> | +31 (0)2 05 30 91 61<tel:+31205309161> info.nl<http://www.info.nl/> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100<tel:+31205309100>

8 years, 9 months

2
1
0 / 0

Conflicting logins with admin console

by Kyle Swensson

Hello, (I have asked this question before to no avail, but the wording was poor so I want to rephrase it in hopes of getting more help) I am having an issue with conflicting logins from a user application and the keycloak admin console The issue arises when I authenticate on my user application as a basic user, using Tomcat. Then, I navigate to the Keycloak Admin Console login page on a different window. Despite being logged in as a basic user on my user application, I am still shown the empty login page for the keycloak admin console. After navigating to the Keycloak admin console login page, my session on my user application becomes broken, and I'm not sure why. At this point if I refresh the page containing my application I will find a 403 error in my console, however I can still access everything in my user application normally. Additionally, for some reason I can no longer log out from my session like i normally would (by hitting the authorization endpoint), when I try to log out nothing happens. The only way that I can get it out of this permanently logged in state is by going to "account" and manually ending all of the sessions for my user. It may be worth noting that I can also still log in to the admin console with a different user, and use the admin console as normal while this is happening. If I log onto the admin console while this is happening and look at all of the active sessions, I can see that there is indeed still an active session for the basic user using the user application. I assume that is the root of the problem, but I'm not sure what's causing this to happen. Setting the "Revoke Refresh Token" option in the keycloak admin console to ON does prevent this from happening, however it also makes the rest of my application become very buggy and slow so leaving that on isn't really a viable option. I'm wondering if this might be an actual bug with Keycloak, or if this is just being caused by some configuration error on my side. I am currently using Keycloak 2.3 for my application, but I have tried temporarily upgrading to Keycloak 3.1 and that didn't help the issue.

8 years, 9 months

2
6
0 / 0

Social Logins - Allow only specific Domains to authenticate

by Michel Laporte

Hi there, Is there any way of configuring social clients to whitelist domains? At the moment, we are looking to externalise a service and any Google account can authenticate with Google on the service, we want to limit it to only the allowed domains specific or specify accounts to log in. Is this do-able? Another thread stated authentication flows is do-able but he link explaining how was dead as it went to Githubs Keycloak page which is now non existent and the Authentication Flows documentation is not too clear. Thanks -- *Michel Laporte* DevOps Engineer T: +44 20 7758 7162 UK House • 180 Oxford Street • London • W1D 1NN -- ------------------------------------- essencedigital.com <http://www.essencedigital.com/> Google+ <https://plus.google.com/102138558390623994587/about> • Facebook <http://www.facebook.com/essencedigital> • Twitter <https://twitter.com/essencedigital> • YouTube <http://www.youtube.com/essencedigitalvideos>

8 years, 9 months

3
3
0 / 0

Is there a way to return a customized error message from servlet interception of keycloak.

by rafterjiang

We are using spring boot to do the web api/url authentication. We have set up the auth roles and patterns in application.properties. Everything works fine. Only problem is, when web API auth fails,keycloak returns a either 401 or 403 to client. For example: { "status": "401", "errorCode": "SERVER_ERROR", "message": "internal server error" } or { "status": "403", "errorCode": "SERVER_ERROR", "message": "internal server error" } The error message is too vague, is it possible to customize the error message so client knows clearly what goes wrong? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Is-there-a-way-to-return-a-custo... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 9 months

1
0
0 / 0

SAML Client Error Code 431

by Vogel, Sven

Hi Anybody, we have a problem to get saml to work with cloudstack. Maybe anybody can help. 1. We created a saml client. 2. We filled all information in cloudstack a. saml2.default.idpid -->http://192.168.85.40:8080/auth/realms/example.cloud/protocol/saml b. saml2.idp.metadata.url --> http://192.168.85.36/metadata.xml (we used the SAML Metadata IDPSSODescriptor) 3. When we use login on the saml provider from cloudstack we get the following error a. { loginresponse: { uuidList: [ ], errorcode: 431, errortext: "IdP ID (http://192.168.85.40:8080/auth/realms/example.cloud) has no Single Sign On URL defined please contact null <null>, cannot proceed." } } Is there anybody who can help? Maybe it's a problem that we forgott something. Before we used ipsilon and the things work. Maybe we have not enough knowledge. Thanks Sven

8 years, 9 months

1
0
0 / 0

Rest api - missing group info and non-individual attributes in the response

by Dirk Franssen

Hi all, I have defined several groups in Keycloak 3.0.0.Final with some users and via the java library I make rest calls to retrieve the list of users via realmResource.users().search(), but the response does not contain the groups info (UserRepresentation.getGroups() is null)? So I added a client mapper of type Group Membership with claim name myGroups (add to ID token, access token and userinfo). After a login into the application I do have an otherClaims of myGroups with the groupnames the user belongs to. But the rest call response does not contain the info ( UserRepresentation.getAttributes() is null) Also the group attributes (with a new mapper) do not appear in the response of the rest call. It seems that only individual user attributes are returned in the rest call response? Is this by design? I know there is the possibility to extend the rest api via a custom provider, but this seem cumbersome to just know to which group the user belongs to... Currently I query for each group the members separately via realmResource.groups().group(groupid).members(). This is kind of ok as there are currently only 4 groups. Kind regards, Dirk Franssen

8 years, 9 months

2
1
0 / 0

Can we forbib mail change?

by Marc Tempelmeier

Hi, Subject says it all, but can we forbid that a user can change it´s mail? Best regards Marc

8 years, 9 months

2
1
0 / 0

decouple Keycloak from Active Directory

by Adrian Matei

Hi guys, We've made the initial mistake to store our users in Active Directory. After the number of Keycloak-AD issues increased significantly, we are considering using just Keycloak DB to store the users. Is there a way to migrate the users from AD to Keycloak, without forcing them to update their passwords? If I remove the User-Federation AD Provider all users are gone... Thanks, Adrian

8 years, 9 months

2
1
0 / 0

Tomcat fails to start if client in keycloak configured as bearer only

by Yevgeni Kovelman

Tomcat 7.0.77 Keycloak libs in the lib folder I have a client configured as Opened-connect Confidential All good, as soon as I switch to Bearer only, restart Tomcat There is a failure Httpresponseexception: unexpected response from server 400/bad request. Any ideas? Thanks Sent from my iPhone

8 years, 9 months

1
0
0 / 0

Custom logout using Java servlet adaptor

by Prapti Mittal

Dear Keycloak Community, Do we have any mechanism for post logout activity on Client application using java servlet adaptor of Keycloak IDP? https://stackoverflow.com/q/44407928/2604398 Two possible solutions that I can think of are below, but neither is very maintainable. 1. We can modify the servlet filter to notify the logout event to the event listeners and then add the event listeners for the custom code. 2. Define another custom filter for the logout callback path and then use filter chain to call the Keycloak java servlet filter. Please suggest the right way to go about. Regards, Prapti Mittal

8 years, 9 months

1
0
0 / 0

How to implement fallback form auth with keycloak SAML adapter tomcat??

by ken edward

Hello, I have implemented the keycloak tomcat adapter with ADFS as the IDP. All works fine, but should the user not authenticate via SAML, how can I implement a fall back to a form based authentication? Ken

8 years, 9 months

1
0
0 / 0

PHP library

by Cortes, Juan

Hello all, Does anybody know of a php library that will work with keycloak's openId connect? Am currently trying OpenIDConnectClient.php and I keep on getting a "Code not valid" exception. Thank you

8 years, 9 months

1
0
0 / 0

Client Mapper mutiple value

by Denny Israel

Hi, i specified a user attribute mapper for a client and set Multivalued to true. The values i want to map are attributes specified in groups. The idea is to collect the attributes with the same name in all groups and make them available as list in the tokens. When i use the mapper i can see a value of one group but not the values of other groups. When the mapper does not collect the attributes from all groups what is the purpose of the multivalued flag? I cannot specify more than one attribute with the same name in the user or in one group so i never see mutiple values. Thanks Best regards Denny

8 years, 9 months

1
0
0 / 0

KeyCloak behind reverse proxy - hostname incorrect

by jim-keycloak＠spudsoft.co.uk

Hi, We are trying to use KeyCloak behind a reverse proxy. There are lots of discussions about doing this online, but they are all concerned about getting the protocol correct - which we are not having a problem with. Our problem is that the reverse proxy has a completely different name from the KeyCloak host and this seems to be confusing KeyCloak. Our reverse proxy ("external") is on https and our KeyCloak server ("internal") is on http. There are two examples that we have seen of this: 1. In the UI templates the url.loginAction variable is https://internal 2. In JWTs generated by KeyCloak the iss is https://internal This seems to be resulting in all tokens being refused by introspection. Our reverse proxy is adding both X-Forwarded-Proto and X-Forwarded-Server headers (we can change these easily). It would be acceptable for us if KeyCloak were only accessible via the reverse proxy. We are using KeyCloak 3.0.0.FINAL. How can we get this working? Thanks Jim

8 years, 9 months

2
1
0 / 0

Keycloak support for Infinispan 9.x

by Vikrant Singh

Hi, Is there any plan to upgrade keycloak's Infinispan to latest 9.x version, if yes what is the timeline we are looking at? Current keycloak still uses old 8.1.x version of Infinispan. There are few new features of Infinispan which I would like to use, Is there any risk if I change Infinispan version in current Keycloak to 9.x? Thanks, Vikrant

8 years, 9 months

3
2
0 / 0

Not able to setup Keycloak to fully replicate user sessions in cluster

by Jyoti Kumar Singh

Hi Team, We are setting up keycloak:3.1.0.Final in a cluster mode for HA with full user sessions replication in a cloud system, i.e. when one node goes down then user will keep logged in on other node. I have setup cluster by using standalone-ha.xml and having infinispan cache as mentioned below:- <cache-container name="keycloak" jndi-name="infinispan/Keycloak"> <transport lock-timeout="60000"/> <invalidation-cache name="realms" mode="SYNC"/> <invalidation-cache name="users" mode="SYNC"/> <distributed-cache name="sessions" mode="SYNC" owners="2"/> <distributed-cache name="loginFailures" mode="SYNC" owners="2"/> </cache-container> Every thing works fine except below use case:- 1. Node 1 and Node 2 both are up and user logged in - User session is getting generated by Node 1 2. Node 1 is now stopped and user session is getting replicated in Node 2 - User is still able to use the Keycloak console 3. Node 1 is up again and request is being transferred from LB to Node 1 - User is asked to log in again because session cache is not replicated to Node 1 immediately once it is up I saw one option to add *start="EAGER" *in cache-container to fix this but looks like with latest version of WildFly it is no longer supported. Do we have any other way to fix this issue ? -- *With Regards, Jyoti Kumar Singh*

8 years, 9 months

3
5
0 / 0

X509 Identity Brokering

by Thiago Presa

Hi, Does Keycloak support some sort of Identity Brokering through X509? I managed to configure the X509 Client Certificate, but it only replaces the password, and requires the user to be already registered. What I would like to achieve is to automatically register the users who present a valid X509 Certificate. Is that possible? Best regards, Thiago Presa

8 years, 9 months

3
4
0 / 0

Group policy for authorization.

by rafterjiang

Hello, Is there a *group policy *that we can use for authorization? This way we can simply add new user to the group that we have created and the user can automatically gain access to the resource. Right now we have to create policy for every single new user and assign to the resource. Thanks, R -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Group-policy-for-authorization-t... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 9 months

3
4
0 / 0

Third slave disconnects random slave

by Marc Tempelmeier

Hi, I want to connect 3 slaves in Domain Mode, everything works fine for 2 slaves, but if I connect a third one random of the former two get disconnected after a cluster-wide rebalance: slave1_1 | [Server:slave1] slave3_1 | [Server:slave3] 06:58:42,688 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 54) HV000001: Hibernate Validator 5.2.3.Final slave1_1 | 06:58:42,675 INFO [org.jboss.as.process.Server:slave1.status] (reaper for Server:slave1) WFLYPC0011: Process 'Server:slave1' finished with an exit status of 137 slave1_1 | [Host Controller] 06:58:42,877 INFO [org.jboss.as.host.controller] (ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering server slave1 I think there is some setting I missed? Best regards and thanks Marc

8 years, 9 months

1
0
0 / 0

Cache-Control set to private

by Dana Danet

Using a vanilla Spring Boot / Keycloak implementation. springBootVersion = '1.5.2.RELEASE’ keycloakAdminClient : "org.keycloak:keycloak-admin-client:3.0.0.Final”, keycloakSpringBootAdapter : "org.keycloak:keycloak-spring-boot-adapter:3.0.0.Final”, keycloakTomcatAdapter : "org.keycloak:keycloak-tomcat8-adapter:3.0.0.Final", I’m having difficulty updating the Cache-Control from private to anything else. It appears that this is a Tomcat setting that usually is set via Spring Security. Unfortunately I cannot find anyway to affect this value unless I listen for the lifecycle event and then configure the KeycloakAuthenticatorValve. What am I doing wrong here? @Configuration public class KeycloakAuthenticatorValveCustomizerConfig implements EmbeddedServletContainerCustomizer, LifecycleListener { private TomcatEmbeddedServletContainerFactory container; @Override public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) { container = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer; container.addContextLifecycleListeners(this); } @Override public void lifecycleEvent(LifecycleEvent event) { if (event.getLifecycle().getState() == INITIALIZED) { configureKeycloakValve(); } } private void configureKeycloakValve() { for (Valve valve : container.getContextValves()) { if (valve instanceof KeycloakAuthenticatorValve) { KeycloakAuthenticatorValve keycloakAuthenticatorValve = (KeycloakAuthenticatorValve) valve; keycloakAuthenticatorValve.setSecurePagesWithPragma(true); } } } } Within org.apache.catalina.authenticator.AuthenticatorBase securePagesWithPragma is now set to true. if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) { if (securePagesWithPragma) { // Note: These can cause problems with downloading files with IE response.setHeader("Pragma", "No-cache"); response.setHeader("Cache-Control", "no-cache"); } else { response.setHeader("Cache-Control", "private"); } response.setHeader("Expires", DATE_ONE); } -dana

8 years, 9 months

1
0
0 / 0

For tomcat SAML adapter, is /saml required in URL?

by ken edward

Hello, I am implementing the tomcat SAML adapter with the IdP being ADFS. QUESTION: 1.) I see the below reference in the doc that seems to say the /saml needs to the appended to the URL of the SP? or is this only for servlet adapter and NOT tomcat adapter that my have servlets? "For each servlet-based adapter, the endpoint you register for the assert consumer service URL and and single logout service must be the base URL of your servlet application with /saml appended to it, that is, https://example.com/contextPath/saml." as in the below ??? <SP entityID="http://localhost:8081/sales-post-sig/saml" sslPolicy="EXTERNAL" nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" logoutPage="/saml/logout.jsp" forceAuthentication="false" isPassive="false" turnOffChangeSessionIdOnLogin="false"> <Keys> <Key signing="true" > <KeyStore resource="/WEB-INF/keystore.jks" password="store123"> <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/> <Certificate alias="http://localhost:8080/sales-post-sig/"/> </KeyStore> </Key> </Keys> Ken

8 years, 9 months

2
2
0 / 0

IDToken vs AccessToken

by John D. Ament

Hi I noticed that when using Bearer, an AccessToken gets set in the KeycloakPrincipal's SecurityContext. However, when I do an SP initiated login the IDToken gets set. I was wondering if these two could be consistent, or if the inconsistency were at least explainable? I'm also wondering, will the presence of a bearer header cause the keycloak adapter cookie to get set? John

8 years, 9 months

3
3
0 / 0

Does keycloak tomcat adapter require IDP metadata.xml ??

by ken edward

Hello, I have installed the keycloak tomcat adapter in my tomcat 8 instance. I want to use ADFS as my IDP (no keycloak server) QUESTION: 1.) I configured the keycloak-saml.xml to point to the ADFS IDP. But I am surprised that there is no reference to the IDP metadata.xml file that I received from my ADFS admin? Is it used at all? How? Ken

8 years, 9 months

2
1
0 / 0

Invalid token issuer when running as docker service

by Tom Braun

Hello, got the follwing setup: - frontend (oauth, angular2) - rest-backend (bearerOnly, spring-boot with spring-security) - keycloak (standalone) If I run the three as "ordinary" processes, everything works fine. However, if I try to run them as services within a docker (swarm mode) the rest-backend keeps complaining about: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://myhost:8180/auth/realms/myrealm', but was 'http://localhost:8180/auth/realms/myrealm' I inserted myhost into my /etc/hosts to point to the IP of docker0. So far it works, I can access the frontend on port 80 and keycloak on port 8180. Is there a way to make keycloak report as myhost in the issuer token and not as localhost? Tried running keycloak behind a reverse-proxy - no change.

8 years, 9 months

2
1
0 / 0

Adding permissions programmatically

by matteo restelli

Hi guys, how can I add permissions programmatically for a specific resource? Thank you in advance, Matteo

8 years, 9 months

3
3
0 / 0

Manage VerifyEmail outside Keycloak?

by Alex Berg

Is anyone else managing email verification outside Keycloak? I'm considering doing it, so I'd like past experience reports. It seems like I could - Create a user in Keycloak using the Admin REST API when a user registers in my app's UI, then immediately craft a "verify email" email to send to them with a key I craft and a link back to my app. - My app later receives this key, gets the associated email ownership claim, and updates the user's record in Keycloak to remove the "Verify Email" required action and set the "Email Verified" field to true. Should work, right?

8 years, 10 months

1
0
0 / 0

Global vs per realm SMTP

by John D. Ament

Hi I was wondering if the SMTP configuration can be done on a global basis, instead of a per realm? John

8 years, 10 months

1
0
0 / 0

XML parsing issues after upgrading RH_SSO from 7.0 to 7.1

by Pulkit Gupta

Hi Team, We have a bunch of application working with RH_SSO. The applications were using SAML adapter 7.0 for EAP6 and all was working fine. However we upgraded the SAML adapter to 7.1 at out SP side. Soon after the upgrade we are now seeing XML parsing exceptions in the /wapps/xxx/saml endpoint created by the adapter. These are also not consistent and most of the applications works fine most of the time however we get this mostly with one of our SP. Please find the stack trace below 2017-06-09 03:17:42,370 [wapps-external-exec-threads - 161] ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: java.lang.RuntimeException: javax.xml.stream.XMLStreamException: java.net.MalformedURLException 2017-06-09 03:17:42,370 [wapps-external-exec-threads - 161] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.NullPointerException at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:179) at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44) at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48) at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:224) at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:174) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:356) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61) at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511) at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33) at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808) at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45) at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:122) -- PULKIT GUPTA SENIOR SOFTWARE APPLICATIONS ENGINEER Red Hat IN IT GBD <https://www.redhat.com/> Pune - India pulgupta(a)redhat.com T: +91-2066817536 <http://redhatemailsignature-marketing.itos.redhat.com/> IM: pulgupta <https://red.ht/sig>

8 years, 10 months

1
0
0 / 0

Exception in Kerberos Credential Delegation example

by Nirmal Kumar

Hi Keycloak, I setup the keycloak-demo-3.0.0 standalone server with the Kerberos example(kerberos-portal.war) on an *Ubuntu machine(N1)*. Next on another *Ubuntu machine(N2)* I setup the Kerberos client (did a kinit) and did the required config changes in Firefox and is able to access the url : http://N1:8080/kerberos-portal/ and the login page is bypassed as expected. However, when using another *Windows 8.1 machine (N3)* where I have setup the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login page. The browser though gets the challenge response header WWW-Authenticate: Negotiate and then the again sends the Authorization: Negotiate YII but somehow I end up with the Login page and see the below error on the Wildfly logs. 2017-06-07 10:46:04,332 INFO [stdout] (default task-42) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx(a)IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false 2017-06-07 10:46:04,334 INFO [stdout] (default task-42) principal is HTTP/192.168.xx.xx(a)IMPETUS.CO.IN 2017-06-07 10:46:04,334 INFO [stdout] (default task-42) Will use keytab 2017-06-07 10:46:04,335 INFO [stdout] (default task-42) Commit Succeeded 2017-06-07 10:46:04,335 INFO [stdout] (default task-42) *2017-06-07 10:46:04,337 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration* 2017-06-07 10:46:04,337 INFO [stdout] (default task-42) [Krb5LoginModule]: Entering logout 2017-06-07 10:46:04,338 INFO [stdout] (default task-42) [Krb5LoginModule]: logged out Subject I troubles hooted for quite a long time but cannot understand where the problem is. Can you please give me some pointers to look for? Thanks, -Nirmal ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

8 years, 10 months

2
2
0 / 0

Get Access Token to service account using Java code

by Hylton Peimer

I have written a provider which implements the UserStorageProviderFactory to connect Keycloak to a legacy system. I need to get an AccessToken (for a realm service account) in the Java code. Is there a way to achieve this in Java, without a network call to "/protocol/openid-connect/token"?

8 years, 10 months

1
0
0 / 0

Login to Admin REST API from client

by Cesar Salazar

Hi, I'm trying to access the admin REST API from a microservice, in order to create a realm. In the documentation says that I should get a an access token in order to be able to make calls to the rest API. The problem is: I wouldn't like to use a username and password to get it, is it possible to get it from the clientId and clientSecret? I mean, how do I make calls to the admin REST API using client credentials? I couldn't find anything in the documentation. https://keycloak.gitbooks.io/documentation/server_development/topics/admi... Or is the documentation somewhere else? Thanks! -- *Cesar Salazar* Development Manager DEVSU | www.devsu.com

8 years, 10 months

2
1
0 / 0

"Verify Email" email isn't sent on initial login when using OIC

by Alex Berg

I create a new user via the Admin REST API, then I immediately try to login as that use via OpenID Connect protocol. I get a login error, saying "invalid_grant" and "Account is not fully set up", which I expect, but Keycloak doesn't perform the "Verify Email" required action. If I login via the Keycloak-provided account login - " http://localhost:8080/auth/realms/MyRealm/account/" - Keycloak *does* send a "Verify Email" email with the appropriate email template. Has anyone else experienced this issue?

8 years, 10 months

1
0
0 / 0

Whitelisting Google Domain

by Michel Laporte

Hi there, We have Keycloak set up and we have 2 business Google Apps domain registered. How do we whitelist the 2 domains we have for Keycloak Authentication. We have it working using SAML but it allows all Google domains to be authenticated. Thanks -- *Michel Laporte* DevOps Engineer T: +44 20 7758 7162 UK House • 180 Oxford Street • London • W1D 1NN -- ------------------------------------- essencedigital.com <http://www.essencedigital.com/> Google+ <https://plus.google.com/102138558390623994587/about> • Facebook <http://www.facebook.com/essencedigital> • Twitter <https://twitter.com/essencedigital> • YouTube <http://www.youtube.com/essencedigitalvideos>

8 years, 10 months

1
0
0 / 0

Keycloak Java adapter & ADFS

by Cat Mucius

Good day, I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft ADFS (on IdP side). As I understood from this article [1], ADFS expects to receive <KeyInfo> element in <Signature> of SAMLRequest in specific format: "Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate." But the Java adapter sends <KeyInfo> in another format – the <KeyValue> format [2]: <dsig:KeyInfo> <dsig:KeyValue> <dsig:RSAKeyValue> <dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus> <dsig:Exponent>AQAB</dsig:Exponent> </dsig:RSAKeyValue> </dsig:KeyValue> </dsig:KeyInfo> So I have two questions: a. Is it really a problem? Has anyone used the Java adapter successfully to authenticate against ADFS? b. If it is, is there a way to instruct the adapter to send <KeyInfo> in some another format? Thanks, Mucius. Links: [1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html [2] http://coheigea.blogspot.co.il/2013/03/signature-and-encryption-key.html

8 years, 10 months

2
1
0 / 0

Fwd: Login a Java Fat Client with Windows Kerberos Token agains Keycloak backed by AD?

by Malte Finsterwalder

Hi Marek, thanks for the quick response. Do you have an ID for the Jira bug? I couldn't find it. I must say I'm completely new to Keycloak and Kerberos etc. I noticed, that the keycloak-authz-client uses an http-client under the hood. Do I understand correctly, that the server still recognizes this type of client as something different and uses the "Direct Grant" Authentication flow and not the "Browser" flow? So I would have to create a new Authenticator SPI implementation, that is then deployed on the Keycloak server and integrated into the "Direct Grant"-Flow to integrate Kerberos Authentication into this flow? And do I also have to program something into the client? Would it also be feasible to access Keycloak like a browser instead? Since then Keycloak already supports Kerberos SSO, as far as I know. Or why is the Fat Client using a completely different flow in the first place? Greetings, Malte On 7 June 2017 at 22:04, Marek Posolda <mposolda(a)redhat.com> wrote: > It's not yet supported OOTB. There is already JIRA opened for the long > time. Feel free to add a vote :) > > However it should be already possible to implement it if you write custom > authenticator and put it into the "Direct Grant Flow" authentication flow > for the realm. Then your Java Fat Client will be able to send the token in > the "Authorization: Negotiate token" header and your authenticator can then > authenticate this request. Feel free to send PR if you manage to have it > working. > > See our docs and examples for Authentication SPI for more details. > > Marek > > > On 07/06/17 15:13, Malte Finsterwalder wrote: > >> Hi, >> >> I have the following setup: >> >> I'm programming a Java Fat Client application. I want to integrate it into >> SSO with Keycloak. >> Our Keycloak is connected to our Windows Active Directory (AD). >> >> So my idea is, that my Fat Client uses the Windows 7 Kerberos Token and >> sends that to Keycloak. Keycloak should authorize the token agains the AD >> and send back an authorization token to the Fat Client, so I can later use >> this Keycloak token to access other Rest-Services. >> >> Fat Client (with Kerberos Token) -> Keycloak -> AD >> Fat Client (with Keycloak Token) -> REST-Service >> >> I can't find anything in the documentation regarding this szenario. >> Is this possible? And if so, how? >> >> Greetings, >> Malte >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >

8 years, 10 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2017