RHT SSO 7.1 + OAuth2 Identity Provider
by Brent Yarger
Hello,
Keycloak / RHT SSO supports social login and custom / user-defined IDPs.
The options for custom IDP are SAML v2.0, OIDC v1.0, and Keycloak OIDC.
Does keycloak support a user-defined IDP that uses OAuth2? If not, is this
possible to implement / what is the process to add an OAuth2 IDP?
Thanks,
Brent
7 years, 3 months
Nodejs adapter - session object not persisting redirect_uri
by Robert Parker
Hi,
I am trying to use the nodejs adapter with my express application and I am encountering issues when the adapter tries to exchange my user's authorization code for an access token.
I have been debugging the calls made from the adapter library, and can see after the user has been authorised, an obtainFromCode function is invoked in the grant-manager module (keycloak-auth-utils\lib\grant-manager.js) and in particular there is the following line of code present:
redirect_uri: request.session ? request.session.auth_redirect_uri : {}
Adding a breakpoint to this, I can see a session object is present on the request object, but there is no auth_redirect_uri property present.
This ends up sending an empty redirect_uri param in the POST request being made to my keycloak server, and I get back an invalid_code error. I can replicate the same behaviour if I make the requests using Postman, and can fix and get an access token back if I set to the correct redirect_uri as configured against my client in the keycloak admin portal.
I can see in the initial request sent out when first authorising the user that this contains a redirect_uri query string param also.
I have my node express application using a mongoDB session store (using express-session), so am using the same store when configuring keycloak with my express app instance. I followed the example in the keycloak-nodejs-connect library here<https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/i...>
Can anyone suggest what may be going on for me here, why this redirect_uri is not being set on the session object so it can be read in the nodejs adapter library?
Thanks
* Rob
________________________________
Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd
Cardiff
CF10 3DD
+44 (0) 2922 331860
Robert.Parker(a)weareACT.com
www.weareACT.com<http://www.weareact.com>
Registered in England : 04476799
________________________________
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which is confidential and/or covered by legal professional or other privilege (or other rules or laws with similar effect in jurisdictions outside Northern Ireland, England and Wales).
The views expressed in this email are not necessarily the views of Applied Card Technologies Ltd. The company, its directors, officers or employees make no representation or accept any liability for its accuracy or completeness unless expressly stated to the contrary.
Please consider the environment before printing this email.
________________________________
7 years, 3 months
Group Policy - Claim?
by christian lutz
Hello,
yesterday I played a bit with the Group Policy. https://issues.jboss.org/browse/KEYCLOAK-3168
But I didn't understand how it should work, the documentation for it is missing.
Assume I do have a user X part of the group A/B/C
All I expected to be required in the group policy is that I had to select a group like A/B/C.
During the policy check the corresponding identity groups will be loaded and checked against the group policy groups.
So with this mental model I am completely wrong, because of the group claim. Within the policy I have to provide a group claim,
and within the GroupPolicyProvider, based on the group claim, an identity (user) attribute will be loaded.
Please could somebody explain to me how this is expected to work?
Mit freundlichen Grüßen / with best regards
christian lutz / B. Sc.
software engineering
inovel elektronik gmbh
inovel systeme AG
gebhardstr. 7
88046 friedrichshafen
phone +49 (0) 7541 39900-35
fax +49 (0) 7541 39900-99
mail christianlutz(a)inovel.de
web www.inovel.de
inovel elektronik gmbh
general manager: axel dittus, robert steinhauser
hrb 632191 amtsgericht ulm; VAT Reg. No.: DE811926597
inovel systeme AG
board of management: markus spinnenhirn (chairman), axel dittus, robert steinhauser
chairman of the supervisory board: joachim zodel
registered office: friedrichshafen; hrb 728443 amtsgericht ulm; VAT Reg. No.: DE814611877
This email (including any attachments) may contain confidential and/or privileged information or information otherwise
protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this
message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this
message and any attachments from your system. inovel disclaims any and all liability if this email transmission was virus
corrupted, altered or falsified.
7 years, 3 months
Enabling Brute Force detection on account management changes
by John D. Ament
Hi,
Very obscure pattern here. We want to be able to trigger brute force tracking
when someone incorrectly enters their current password on the change
password screen. It looks like we can do this in events, but wondering if
this is a common use case that makes sense to do in the core of keycloak?
John
7 years, 3 months
Adding user attributes at the time of self registration
by Akshat Jiwan Sharma
Hi All,
Thank you for creating keycloak! As I understand keycloak has a facility to
allow for self registration of users. In addition using the admin panel you
can also add additional attributes for a user. I wanted to know if it's
possible to add custom user attributes at the time of registration? Maybe
by supplying additional fields during the registration process or by making API
calls at the time of the successful registration redirect? If not, is it
possible for the user to log into the keycloak server and specify additional
fields themselves?
I'm looking for a way in which I can add custom data to a user without any
manual intervention as an admin. What would be the best way to do that?
Thanks,
Akshat
7 years, 3 months
photoz example set owner via Admin REST API
by christian lutz
Hello,
in the photoz example you use a policy to check against the resource owner.
$permission.resource != null && $permission.resource.owner.equals($identity.id)
Is there a way to set the owner via the Admin REST API? I tried (see below) but this doesn't work
ResourceOwnerRepresentation owner = new ResourceOwnerRepresentation();
owner.setName("Me");
ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource Me");
resource.setOwner(owner);
resource.setUri("/cxf/api/v1/customers/Me/*");
client.authorization().resources().create(resource);
I didn't even find a way to set the owner via WebUI. But this isn't important for me.
Mit freundlichen Grüßen / with best regards
christian lutz / B. Sc.
7 years, 3 months
Assign role to user using keycloak settings
by Krishna Kuntala
Hi All,
I have enabled the email verification flow for user registration. However, I
am wondering whether there is any way to assign a role to the user once
Email has been verified. I understand that this could be achieved by
calling REST APIs but can we do this through some keycloak configuration?
Also, is there any way to assign a role after user successfully links his
profile with one of the IdP (e.g. Google, Facebook)?
Thanks and Regards,
KK
7 years, 3 months
IllegalStateException when trying to run app-profile-jee-vanilla from keycloak-quickstarters
by Muehlburger, Herbert
Hi,
I'm following the steps described under http://www.keycloak.org/docs/3.3/getting_started/topics/secure-jboss-app/... and get the following Exception:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.375 s
[INFO] Finished at: 2017-08-29T17:02:57+02:00
[INFO] Final Memory: 44M/911M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
[ERROR] Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
[ERROR] Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}}
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-profile-jee-vanilla: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}}
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./vanilla" => "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available in mechanisms [KEYCLOAK] from the HttpAuthenticationFactory."}}}}
at org.wildfly.plugin.deployment.AbstractDeployment.execute(AbstractDeployment.java:148)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
... 20 more
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
mvn clean wildfly:deploy -e -DskipTests 18,76s user 0,40s system 228% cpu 8,390 total
Steps to reproduce:
* $ git clone https://github.com/keycloak/keycloak-quickstarts
* $ cd keycloak-quickstarts/app-profile-jee-vanilla
* $ mvn clean wildfly:deploy
I'm running the newly released Keycloak 3.3.0.CR1 standalone downloaded from the official download (https://downloads.jboss.org/keycloak/3.3.0.CR1/keycloak-3.3.0.CR1.tar.gz)
The spring-boot apps also produce build errors when following the official guide at https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-springboot
Thank you for any help!
Best,
Herbert
________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
7 years, 3 months