${url.resourcesPath} not working in email-verification.ftl template
by Antonia Nicolaou
Hello,
I am using single sign on service from redhat v7.1 and I am developing a
custom template (in a custom theme) for verification email.
In the email, I am using ${url.resourcesPath}
for <img src="${url.resourcesPath}/img/image.jpg">
and is not working.
The template is not used when I use it.
Could you help me?
Thank you in advanced.
Sincerely,
Antonia Nicolaou
5 years, 10 months
Keycloak Adapter validating tokens issued by different realms
by Niels Bertram
Hi everyone,
has anyone ever had a requirement to validate access tokens issued by 2 or
more issuers in the Keycloak Java or NodeJS adapters? I found KEYCLOAK-5014
which loosely talks about it but there is no feedback.
We are currently using the client adapter from MitreId (in Spring) which
can be configured via StaticClientConfigurationService.java
<https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob...>
to
validate an inbound token against multiple realms.
Would love to find out if anyone has done this in keycloak or if there are
others out there that have this need.
Kind Regards,
Niels
5 years, 10 months
SAML HttpServletRequest.logout() support
by Jason Spittel
I'm having trouble with SAML Logout. I have a JEE app that uses Keycloak as an identity broker to ADFS.
Following these instructions:Logout | Keycloak Documentation
|
|
| |
Logout | Keycloak Documentation
|
|
|
I should be able to just call HttpServletRequest.logout(). But that doesn't do anything.
Searching Jira I see this a reported issue.
[KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue Tracker
|
|
| |
[KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue T...
|
|
|
While that's being worked on, are there workarounds to do a SAML logout through Keycloak?
Thanks,
Jason
5 years, 10 months
Application to application: could Keycloak implement this?
by Tech
Dear experts,
I want to bring you this use case to understand if you might be able to
support me.
Our architecture is based in java, where we might have two kind of clients:
* Fat java clients
* Browsers
Application servers with:
* Web containers performing local and remote EJB calls + remote WS calls
* EJB container performing local and remote EJB calls + remote WS calls
* A remote EJB server performing local and remote EJB calls + remote
WS calls
* Ws implemeting SOAP or REST
* Server SSO able to protect what described above
The goal is to allow the clients (thin and fat) to authenticate on the
SSO server and to propagate the user identity on these requests:
* Fat client authenticated -> EJB secure -> WS secure
* Browser authenticated -> Web container -> EJB secure -> WS secure
The solution could use a secure token OAuth, OIDC or SAML.
The token propagation should be based on standards JAAS and WS-Security.
We saw that is possible to implement something similar in some SAML
Login Modules on JBoss Enterprise server, but we are not finding
anything equivalent in Keycloak.
We cannot neither find, for example, not neither for a STS server, that
are the required elements to transform this kind of tokens.
Did anybody faced a similar experience?
Thanks for your support!
5 years, 10 months
Fwd: CORS's problem with JavaScript's library
by Sebastien Blanc
(forgot including user list)
Are you using keycloak-auth-utils on your frontend application ? Why not
the JavaScript library ?
Also have you configured the "Web Origins" field of your client in the
Keycloak Web Console ?
On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler <K.Buler(a)adbglobal.com> wrote:
> Hi Everyone,
>
> We have problem with CORS. We are using this lib:
> https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript
> application.
>
> When we try to get AccessToken we are getting this message:
>
> Fetch API cannot load http://<keycloak_address>/auth
> /realms/master/protocol/openid-connect/token. Request header field
> x-client is not allowed by Access-Control-Allow-Headers in preflight
> response.
>
> We tried to modify CORS headers in standalone.xml file of Keycloak's
> server, but we found that CORS headers are hardcoded and added "in air".
>
> Best regards,
> Karol Buler
>
> [https://www.adbglobal.com/wp-content/uploads/adb.png]
> connecting lives
> connecting worlds
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
5 years, 10 months
LDAP User Federation: Issue with Hardcoded Roles
by Gabriel Lavoie
Hi,
I've been trying to setup a LDAP user federation with a hardcoded
admin role on Keycloak 2.1.0.Final, on the master realm. The role is
granted to the user as expected, but not the composite roles attached to
the "admin" role.
I tried reproducing the issue with the latest Keycloak but encountered a
different problem. When I try to add the hardcoded role mapper and add the
"admin" role to it, the role displays as "a" in the field (after
selection), and I get an error on save. I get the following exception in
the log:
2017-07-06 14:43:36,727 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-18) RESTEASY002005: Failed executing POST
/admin/realms/master/components: org.jboss.resteasy.spi.ReaderException:
com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize
instance of java.util.ArrayList out of VALUE_STRING token
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1611369f;
line: 1, column: 12] (through reference chain:
org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"])
at
org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
at
org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not
deserialize instance of java.util.ArrayList out of VALUE_STRING token
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1611369f;
line: 1, column: 12] (through reference chain:
org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"])
at
com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)
at
com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835)
at
com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831)
at
com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240)
at
com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171)
at
com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161)
at
com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19)
at
com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485)
at
com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342)
at
com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26)
at
com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523)
at
com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
at
com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
at
com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410)
at
com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860)
at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
at
org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
at
org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
at
org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
at
org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
... 48 more
Any idea of what could be wrong? Bug?
Thank you,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
5 years, 10 months
LDAP attributes & caching
by Dmitry Telegin
Hi,
I've got a LDAP federation configured with Import Users = ON and
mappers like firstName/lastName having Always Read Value From LDAP =
ON.
If the corresponding attribute is changed in LDAP, it will show
immediately in the "View all users" list. However, it won't be
reflected in user details, top-right corner or account page until user
cache is cleared.
Dmitry
5 years, 10 months
Re: [keycloak-user] Identity provider, keycloak js adapter and session management
by Peter Nalyvayko
Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds.
--------------------------------------------
On Thu, 7/6/17, Peter Nalyvayko <petervn1(a)yahoo.com> wrote:
Subject: Identity provider, keycloak js adapter and session management
To: keycloak-user(a)lists.jboss.org
Date: Thursday, July 6, 2017, 12:10 PM
Hi,
We've hit a bit of a snag while setting
up our one page js client. Changing the value of the "sub"
claim to anything other than the unique identifier of the
keycloak user causes the keycloak adapter to detect the
changes to the session and clear out the tokens, forcing the
users to re-log in after every 5 seconds.
We are using the version 2.3.0 of
keycloak. Our app is set up to use keycloak.js adapter for
all things related to OIDC. The adapter is configured to use
the "code authorization" (standard) flow. The instance of
keycloak is configured to use an external OIDC identity
provider and the users are uniquely identified by their
e-mails. Naturally, we wanted that the "sub" claim in the
claim set returned by calling the keycloak's OIDC /token
endpoint would return the unique identity of the external
user rather than the internal identifier of the keycloak
user, so we re-configured the keycloak client by adding a
property mapper to map the user's email to the "sub" claim,
here the example of the access token:
{
"sub": "user(a)company.com",
"iat": 223235098325,
"email": "user(a)company.com",
...
}
Once we had implemented these changes
on the keycloak side, our users were able to initially sign
into the application, but when they tried to access any
functionality within the app, they would be prompted to sign
in again. The problem seems to related to the OIDC session
management and the assumption and the "sub" claim always
matches the keycloak user's unique identifier.
We narrowed the problem down to four
components:
- keycloak.js
- login-status-iframe.html
-
services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java
-
services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java
In keycloak.js, line 637, the
implementation creates a session id to be used to check the
session state. Notice that the code uses the value from the
"sub" claim:
var sessionId = kc.realm + "/"
+ kc.tokenParsed.sub;
In
AuthenticationManager.createLoginCookie, line 306, the value
of the "SESSION_COOKIE" is set to:
String sessionCookieValue =
realm.getName() + "/" + user.getId();
Sadly, in our configuration, the value
returned of by user.getId() is not the same as the value
stored in the "sub" claim, thus causing the session
management code in login-status-iframe.html, line 53 to
clear out any tokens and force the users to re-login the
next time it checks the session state (default is 5 second
intervals):
var cookie = getCookie();
if (sessionState == cookie) {
... } else { callback("changed"); }
Looking at the
LoginStatusIframeEndpoint.preCheck
(LoginSatusIframeEndpoint.java, lines 71-93), we've noticed
that the implementation does not even make use of the user
identity, only the session id.
The workaround, at least temporary, for
us was to add the "id" claim containing the user identity
internal to keycloak, and modify the keycloak JS adapter
code to look for the "id" claim and use its value instead of
the value in the "sub" claim when creating the session id,
i.e.:
var sessionId;
if (kc.tokenParsed.id) {
sessionId =
kc.realm + "/" + kc.tokenParsed.id;
} else {
sessionId =
kc.realm + "/" + kc.tokenParsed.sub;
}
Is this a bug, or does it work as
intended, i.e. the users should never set the "sub" claim to
anything other than the keycloak's user identity? If this is
a bug, I can submit a JIRA request and a fix as long as the
workaround above seems like an acceptable solution
Any comments are welcome
Regards,
Peter
5 years, 10 months
Error 403 Java Spring Boot
by Dennis H
I receive a http error 403 when accessing a bearer-only resource with
Postman that is secured with keycloak.
The user has the needed role.
Debug logs: BEARER AUTHENTICATED.
What could be the problem here?
*Application.properties*
keycloak.realm=myrealm
keycloak.bearer-only=true
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=my-app
keycloak.use-resource-role-mappings=true
keycloak.securityConstraints[0].securityCollections[0].name=secured
keycloak.securityConstraints[0].authRoles[0]=app-user
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/secured/*
logging.level.org.keycloak=DEBUG
*Postman*
http://localhost:8081/secured/posts/0/10
Authorization: Bearer aDSFla56s...
*Debug*
2017-07-11 19:53:41.306 DEBUG 22556 --- [nio-8081-exec-1]
o.k.adapters.PreAuthActionsHandler : adminRequest
http://localhost:8081/secured/posts/0/10
2017-07-11 19:53:41.313 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for
authentication of client 'my-app'
2017-07-11 19:53:41.314 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider
secret
2017-07-11 19:53:41.315 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider
jwt
2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider
secret
2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider
jwt
2017-07-11 19:53:41.354 DEBUG 22556 --- [nio-8081-exec-1]
o.keycloak.adapters.KeycloakDeployment : resolveUrls
2017-07-11 19:53:41.356 DEBUG 22556 --- [nio-8081-exec-1]
o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl:
http://localhost:8080/auth, tokenUrl:
http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token,
relativeUrls: NEVER
2017-07-11 19:53:41.631 DEBUG 22556 --- [nio-8081-exec-1]
o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully
retrieved for client my-app. New kids: [NsYwvDAUJYY3ioS9-0mpo]
2017-07-11 19:53:41.641 DEBUG 22556 --- [nio-8081-exec-1]
o.k.adapters.RequestAuthenticator : User
'c1ed6bf7-5dd-988-94fab8ecf' invoking '
http://localhost:8081/secured/posts/0/10' on client 'my-app'
2017-07-11 19:53:41.642 DEBUG 22556 --- [nio-8081-exec-1]
o.k.adapters.RequestAuthenticator : *Bearer AUTHENTICATED*
5 years, 10 months
KeyCloak Clustering and High Availability question
by Reza Shams Amiri
Hi,
I am also evaluating KeyCloak for my organization. I have a question about how failover in KeyCloak works.
From what I understood from the documentation, it says that the application scalability is handled by wildfly clustering but with a shared database.
I couldn’t find a documentation about what we should do in case of database failure?
We want to have two different clustered nodes in two different continents for idp and we mainly have mysql databases. Clustering them is actually painful and done through rabbitMQ synced messages and in some custom ways. So how can we handle database failure in KeyCloak let’s say if the link between Sweden and USA is completely broken?
Thanks a lot
/Reza
5 years, 10 months
