JS adapter constantly refreshing page
by sesnor.silva@sapo.pt
Hello,
I'm trying to integrate Keycloak's JS adapter into an application.
However, for some reason the page keeps refreshing (every 5 seconds or
so?) after successfully logging in.
I managed to reproduce the problem with the following minimal code:
<!-- index.html FILE -->
<!DOCTYPE html>
<html>
<head>
  <title></title>
</head>
<body>
  <script type="text/javascript"
          src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script>
  <!-- keycloak.js is served by the Keycloak server itself -->
  <script type="text/javascript" src="<MY KEYCLOAK SERVER>/auth/js/keycloak.js"></script>
  <script type="text/javascript">
    angular.element(document).ready(function() {
      // realm, client id and auth-server-url are read from keycloak.json
      var keycloakAuth = Keycloak('keycloak.json');
      keycloakAuth.init({
        onLoad: 'login-required'
      }).success(function(authenticated) {
        keycloakAuth.loadUserInfo().success(function (userInfo) {
          console.log(userInfo);
        });
      }).error(function() {
        var error = "There was an error initializing the authentication module.";
        console.error(error);
      });
    });
  </script>
</body>
</html>
I tried searching around but I didn't find too many answers. I tried
to base my implementation around:
https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl...
and
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
But I get the same behavior every time: The page just keeps refreshing.
It seems to be related to blocking third-party cookies on the
browser. I use Firefox 53. Since my Keycloak isn't on the same host
as the application, I think the browser rejects Keycloak's
cookies. If this is the case, what could be a workaround for this? Is
there any option on the adapter's side? I'm worried some browsers might
block third-party cookies by default (Opera and Brave Browser come to
mind).
Thank you,
My best regards,
Silva
7 years
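The following is an added example, not code from the post above or from the Keycloak project. It shows how an app using the Keycloak JS adapter can manage token lifetime without the adapter's session-status iframe, which by default polls every 5 seconds (checkLoginIframeInterval) and cannot read Keycloak's session cookie when the browser blocks third-party cookies. checkLoginIframe, tokenParsed, updateToken() and login() are real adapter options and methods; the `keycloak` object is assumed to be the instance created with Keycloak('keycloak.json') as in the post, using the 3.x-era .success()/.error() callback style (newer adapter versions return native promises). The unsigned sample token is constructed only so the helpers can be exercised offline.

```javascript
// Added example (not from the original post or from Keycloak). Runs under Node.

// Decode a JWT payload without verifying it. The adapter obtained the token
// from Keycloak over TLS; here we only need the exp claim to plan a refresh.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Constructed sample only: builds an unsigned (alg "none") token so the
// helpers can be tested offline. A real verifier must never accept alg "none".
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Milliseconds until the token should be refreshed: minValiditySec before exp,
// minus skewSec to tolerate clock drift between browser and Keycloak server.
function refreshDelayMs(payload, nowSec, minValiditySec = 30, skewSec = 5) {
  if (!Number.isInteger(payload.exp)) throw new Error('token has no exp claim');
  const refreshAtSec = payload.exp - minValiditySec - skewSec;
  return Math.max(0, (refreshAtSec - nowSec) * 1000);
}

// Options for keycloak.init(): checkLoginIframe: false turns off the status
// iframe (the 5 s poll), so session liveness is handled by the refresh timer.
function initOptions() {
  return { onLoad: 'login-required', checkLoginIframe: false };
}

// Arm a timer that calls updateToken() shortly before expiry and re-arms itself
// on success; on failure the user is sent back to the login page. nowSec and
// timer are injectable so the scheduling logic can be tested without waiting.
function scheduleRefresh(keycloak, opts = {}) {
  const { nowSec = Math.floor(Date.now() / 1000), timer = setTimeout,
          onFailure = () => keycloak.login() } = opts;
  const payload = keycloak.tokenParsed || decodeJwtPayload(keycloak.token);
  const delayMs = refreshDelayMs(payload, nowSec);
  timer(() => {
    keycloak.updateToken(30)
      .success(() => scheduleRefresh(keycloak, { timer, onFailure }))
      .error(onFailure);
  }, delayMs);
  return delayMs;
}

// Usage in the page from the post (assumed wiring):
//   keycloakAuth.init(initOptions()).success(function () {
//     scheduleRefresh(keycloakAuth);
//   });
```

Disabling the iframe only removes the cross-site cookie dependency for the liveness check; the refresh call itself still goes to Keycloak's token endpoint with the refresh token, which does not depend on the Keycloak cookie. Keep the refresh margin comfortably larger than the realm's clock-skew tolerance.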
How to display user information from keycloak SAML adapter assertions/session?
by ken edward
Hello,
I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp.
I created a simple web app with a protected /saml directory. It seems
to work. BUT how can I display the logged in user information after
the user is authenticated?
org.keycloak.adapters.saml.SamlSession :
org.keycloak.adapters.saml.SamlSession@13a50bc9
Ken
7 years
Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using keycloak in a java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the Keycloak adapter to refresh the token after the permissions are
stored; this way the admin user is not required to have his token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretariat: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's responsibility.
7 years, 2 months
programmatic authentication flow
by Steve Favez
Hi all,
I'd like to implement the following use case. I need a browser
authentication flow that will add, after the User / Password Form
Authenticator, a kind of "access rules" authenticator that, according
to some request parameters (for example, IP address or application), will
dynamically add a second-factor authenticator to the flow (like OTP or
SMS).
Furthermore, I'd like to be able to provide a choice of 2FA systems to the
end user (for example, we provide a set of second factors, and the end user
can choose the one he'd like to use).
So, if some "strong authentication" criteria are matched during the browser
authentication process, after providing user and password, the user will get a
form allowing him to choose the second-factor system he'd like to use to
authenticate.
My goal is to be able to reuse existing authenticators (so, not to write a
big 2FA authenticator with all authenticators duplicated inside).
Thanks in advance for your valuable input
Cheers
St
7 years, 3 months
Upgrading from Red Hat SSO 7.0 to Keycloak 3.1
by Marcelo Nardelli
Hi,
At work, we have an installation of Red Hat SSO 7.0 and we were going to
upgrade it to version 7.1. However, I was told that our Red Hat
subscription won't be renewed, so now we want to upgrade to the latest
Keycloak version. Is this (upgrade from SSO 7.0 to Keycloak 3.1) supported?
I've been trying to follow the instructions on the documentation (
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...),
but it's not working. Specifically, when I try to run the migration script
(after copying the old standalone.xml and the keycloak-server.json file)
jboss-cli.sh --file=migrate-standalone.cli
I get this error:
Cannot start embedded server: WFLYEMB0021: Cannot start embedded
process: Operation failed: WFLYSRV0056: Server boot has failed in an
unrecoverable manner; exiting. See previous messages for details.
I suppose the Keycloak version used in SSO 7.0 is too old and I will have
to do some manual work here, but I wanted to know if there is some specific
advice for this case...
Thanks,
Marcelo Nardelli
7 years, 3 months
Using Keycloak with Microsoft Azure Active Directory
by Reed Lewis
I am attempting to use Microsoft Azure Active Directory with Keycloak.
It is not working correctly.
Here is how I have it configured:
OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL: <none>
Backchannel Logout: Off
User Info URL: <blank>
First Login Flow: First Broker Login
It directs me to the Microsoft page to log in correctly, but when it comes back to Keycloak, it only has the first and last name, but no email address.
Is there something I have configured incorrectly?
I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis
7 years, 3 months
Keycloak Spring Boot Bearer Authentication
by Mcshane, James P
I am working on a set of Spring Boot modules all within the same Realm in Keycloak. I would like the service to have bearer only authentication so that the service can only be accessed by authorized clients. For the spring-security adapter, I see the KeycloakRestTemplate, but the factory there requires the SecurityContextHolder, which isn’t present out of the box in the authentication mechanism for the spring-boot adapter.
Is there a different rest template that could use the different container auth solutions provided by the KeycloakAutoConfiguration class? Clearly accessing the bearer authentication values from these systems is app server dependent, so it would seem to make sense to have a KeycloakClientRequestFactory provider that can handle the different types of container auth that is being done by the spring-boot adapter. Has this been done already, but not yet documented? In either case, I would be happy to contribute docs or code that deals with these different implementations.
Thanks,
James
7 years, 4 months
Authorization services without User Access token (Mqtt Broker / IoT)
by Brahim Ait elhaj
Hi everyone,
Lately I was playing with Keycloak (KC), evaluating it for an IoT project,
and I have a question regarding the authorization services.
One of my use cases is: devices that connect to an MQTT Broker using X.509
client authentication.
Note: when I talk about a device, you must understand KC user (device =
user).
For several reasons/constraints that I won't explain here, I can't have my
devices connect first to Keycloak to obtain a token (using their X.509
certificates, as KC supports it) and then connect to the MQTT Broker passing
this token. They connect directly to the MQTT Broker, each device
presenting its X.509 certificate to the Broker. After connection, the
Broker doesn't know the client's private key.
My need is to have my MQTT Broker (ideally through KC) authorize/reject
MQTT clients to publish/subscribe to specific topics.
An MQTT topic being some kind of URI/path, I already have an idea of how to
configure KC (client, resource, policy, permission ...) to authorize/reject
these accesses.
However, as I understand it, the starting point for all the "authorization
services" (Authorization API, Entitlement API ...) is a "user Access
Token".
In my case, I don't have a user access token ... so I'm kind of stuck to
use any of the KC APIs (unless I missed something).
Hence, my question is how can I make my MQTT Broker (i.e. resource server)
interact with KC to enforce/evaluate policy? Is it possible without the
user access token?
Hope I made myself clear and thanks in advance for any help ...
Best regards,
Brahim
7 years, 4 months
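The following is an added example, not code from the post above and not Keycloak's authorization services. It does not answer the question of where the policy decision comes from without a user access token; it shows the broker-side enforcement half that any such decision has to feed: MQTT topic-filter matching per the MQTT specification (`+` as a whole level, `#` only as the last level, wildcards never matching `$`-prefixed topics), a coverage check so a client cannot subscribe to a filter broader than it was granted, and an ACL template that confines each device to the subtree named by its own certificate CN. The ACL entries, the `{cn}` template syntax and the CN character rule are constructed assumptions for this example.

```javascript
// Added example (not from the original post or from Keycloak). Runs under Node.

// A filter is valid when '+' only appears as a whole level and '#' only as the
// last level. Anything else is rejected before it can reach the matcher.
function isValidFilter(filter) {
  if (filter.length === 0) return false;
  const levels = filter.split('/');
  return levels.every((lvl, i) => {
    if (lvl === '+') return true;
    if (lvl === '#') return i === levels.length - 1;
    return !lvl.includes('+') && !lvl.includes('#');
  });
}

// Does a concrete topic fall under a filter? Wildcards never match a topic
// whose first level starts with '$' (e.g. $SYS/...), as the MQTT spec requires.
function topicMatches(filter, topic) {
  if (!isValidFilter(filter)) return false;
  if (topic.startsWith('$') && (filter.startsWith('+') || filter.startsWith('#'))) return false;
  const f = filter.split('/'), t = topic.split('/');
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return true;          // covers the parent level and everything below
    if (i >= t.length) return false;        // topic ran out before the filter did
    if (f[i] !== '+' && f[i] !== t[i]) return false;
  }
  return f.length === t.length;
}

// True when every topic matched by `requested` is also matched by `entry`, so a
// granted filter cannot be widened by subscribing with extra wildcards.
function filterCovers(entry, requested) {
  const e = entry.split('/'), r = requested.split('/');
  for (let i = 0; i < r.length; i++) {
    if (e[i] === '#') return true;
    if (e[i] === undefined) return false;   // requested is deeper than the grant
    if (r[i] === '#') return false;         // requested is broader than the grant here
    if (r[i] === '+' && e[i] !== '+') return false;
    if (e[i] !== '+' && e[i] !== r[i]) return false;
  }
  return e.length === r.length || (e.length === r.length + 1 && e[r.length] === '#');
}

// Constructed ACL: {cn} is replaced by the CN from the device's client
// certificate, so each device only sees its own subtree.
const ACL = [
  { action: 'publish',   filter: 'devices/{cn}/telemetry/#' },
  { action: 'subscribe', filter: 'devices/{cn}/commands/#' },
];

// The CN is attacker-influenced input if the CA is not fully trusted; restrict
// it so it cannot inject '/', '+', '#' or '$' into the template.
const SAFE_CN = /^[A-Za-z0-9_.-]+$/;

function isAuthorized(acl, cn, action, topic) {
  if (!SAFE_CN.test(cn)) return false;
  const grants = acl.filter(e => e.action === action)
                    .map(e => e.filter.replace('{cn}', cn));
  if (action === 'publish') {
    // publishes go to one literal topic; wildcards in a PUBLISH are a protocol error
    if (topic.includes('+') || topic.includes('#')) return false;
    return grants.some(g => topicMatches(g, topic));
  }
  if (action === 'subscribe') {
    if (!isValidFilter(topic)) return false;
    return grants.some(g => filterCovers(g, topic));
  }
  return false;
}
```

A broker hook (on publish, on subscribe) would call isAuthorized with the CN taken from the TLS client certificate it already verified; whether the grants list is static, as here, or fetched from an authorization server is the part the post is asking about and is left open.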