August 2017 - keycloak-user - Jboss List Archives

How to use tomcat adapter for both saml and basic/form authentication?

by ken edward

Hello, I have implemented the keycloak tomcat adapter with ADFS as the IDP. All works fine, but if the user can not authenticate via SAML, how can I implement a fall back to a form based authentication? Ken

6 years, 8 months

1
0
0 / 0

Issue with authorization configuration in a Spring Boot environment

by Matthias ANGLADE

Hi, I'm facing an issue. I'm running a Spring Boot App and wishes to use the authorizations services. Permissions are defined in Keycloak for my client and using the evaluation the work as expected. On my app though I have an issue, authorization are checked correctly (using the right resources etc) I can see in the logs that the verification are done correctly but the access is always granted whereas it should be denied in certains cases. When I test the permission that should be denied using the evaluation page of Keycloak access is correctly denied. To activate the authorization in the app I added the following settings : keycloak.policy-enforcer-config.on-deny-redirect-to=/ keycloak.securityConstraints[0].authRoles[0]=user keycloak.securityConstraints[0].securityCollections[0].name=protected keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/* Any ideas ?

6 years, 8 months

2
1
0 / 0

Lifespan query parameter missing in UserResource#executeActionsEmail in keycloak-admin-client library

by Edgar Vonk - Info.nl

Hi all, It seems the keycloak-admin-client library’s UserResource#executeActionsEmail is missing the ‘lifespan’ parameter while this is present in the REST endpoint of the Keycloak admin API. We very much would like to set this parameter while using the admin client lib so I took the liberty of creating a JIRA issue for this: https://issues.jboss.org/browse/KEYCLOAK-5262 cheers Edgar

6 years, 8 months

1
0
0 / 0

basic-auth

by Amat, Juan (Nokia - US)

Hello, As we need to support some legacy applications we are enabling basic auth in the wildfly adapater of our REST oidc clients. What I have noticed is that for every REST call, a 'session' is created on the keycloak server. Is there a way to not create this session? We do have perf tests that will call those REST apis a lot and I am concerned that we will use memory for nothing. Another concern is that during those perf tests we noticed that the keycloak server was using a lot of CPU. A large part of it was used checking the password (the same user was used for all those calls). For legacy reason we cannot ask the caller to first get a token and use it for subsequent calls. So I am wondering if there is a way to configure some 'authentication cache'. (I guess that I am asking for something like the JBossCachedAuthenticationManager for those who know JBoss EAP/Wildfly). In fact I would not even care about the token too and just an OK/NOK from the keycloak server would be needed. This is probably too much to ask and I could do all this from my end. But then to support new clients that are OAuth aware I would need to replicate what the adapter is doing.

6 years, 8 months

2
1
0 / 0

Cookie Store

by Amat, Juan (Nokia - US)

Hello, I was doing some experiment with the cookie store with the wildfly oidc adapater and In one scenario I was not able to login as the cookie was too long. This happened because the user that I was login as had a lot of Roles. This is with keycloak 2.5.5 (but I do not think that this matters). This could be a problem as using the cookie store is one of the suggested option for Application clustering. I guess that one option would be to split the cookie in multiple cookies. Should I open a ticket about that or did I miss something?

6 years, 8 months

1
0
0 / 0

Ideas on how to implement fallback form based login?

by ken edward

Hello, I have implemented the keycloak tomcat adapter with ADFS as the IDP. All works fine, but should the user not authenticate via SAML, how can I implement a fall back to a form based authentication? Ken

6 years, 8 months

1
0
0 / 0

Unable to get first and last name of newly created user during register event

by Danny Im

Hi, I created a class implementing the EventListenerProvider interface, and on the 'register' event, when I retrieve the newly created user, both the first and last name are set to null. The newly created user has their first and last name set later on, but I was wondering if it was possible to get that information during the 'register' event. public class MyListenerProvider implements EventListenerProvider { private KeycloakSession session; public MyListenerProvider(KeycloakSession session) { this.session = session; } public void onEvent(Event event) { EventType eventType = event.getType(); if(eventType.equals(EventType.REGISTER)) { String realmId = event.getRealmId(); String userId = event.getUserId(); RealmModel realm = session.getContext().getRealm(); UserModel user = session.users().getUserById(userId, realm); String username = user.getUsername(); // the following are null for newly created users String firstName = user.getFirstName(); String lastName = user.getLastName(); } } public void onEvent(AdminEvent event, boolean includeRepresentation) { } public void close() { } } Thanks! -- Danny Im Software Developer Polar Geospatial Center University of Minnesota

6 years, 8 months

1
0
0 / 0

Restrict access from web app client

by Pablo Fernandez

Dear Keycloakers, I am (almost) new to Keycloak and having trouble, and I thought I should ask you after exhausting other options, so here I am. What I would like to find is a way to confine certain web apps (with a registered client in Keycloak) from accessing any other client that is not supposed to. Specifically, I have an oidc client named 'keystone' that handles all OpenStack authentication and another oidc client 'simplewebapp' that is a webapp that I want to give access to 'keystone' while NOT giving access to any of the other clients (e.g. account, admin-cli, broker, etc.) Is there a way to do this? I thought about Scopes, but I see they are basically linked to Roles that I think have nothing to do with what I am doing (I tried, though creating new roles but it seems to me they don't prevent anything from happening). If I have to use Scopes, then how? Is there a Role that I can use to deny - or exclusively grant - access to another client? I also tried changing the Default Policy in 'keystone' Authorization tab to something like this (the opposite of what I wanted to do, to make it fail and see if I can use this mechanism), without success: --- // by default, grants any permission associated with this policy //$evaluation.grant(); var context = $evaluation.getContext(); var contextAttributes = context.getAttributes(); if (contextAttributes.containsValue('kc.client.id', 'simplewebapp')) { $evaluation.deny(); } $evaluation.grant(); --- I googled and browsed and tried many different setting combinations without success, so I hope someone here could give me a hint. Thanks! Pablo Fernandez

6 years, 8 months

4
8
0 / 0

Initial configuration

by Vanecek Stepan

Hello everyone, we are trying to automate the initial configuration of Kyecloak(realm creation,...). We would like to use KyecloakSession for that. At the moment, it is available in class MyEventListenerProvider that defines our Event Listener SPI's onEvent methods. Is it possible to use this KeycloakSession outside of that class as well? For example, we thought of running a separate thread in MyEventListenerProviderFactory in init function that would sleep until keycloak is up and then perform the initial configuration with KeycloakSession. If so, how? If not, is there any other possibility? Thank you very much in advance. Kind regards, Stepan Vanecek

6 years, 8 months

3
2
0 / 0

default redirect url

by mj

Hi, Our keycloak install is on https://keycloak.company.com, proxied by apache to localhost:8080 Some of our end-users remember that address, and browse directly to it. So they end-up in the "welcome to keycloak" page, with links to login the Admin Console etc. But is there a way to make the keycloak "account" client become the default page, so that the base url would be redirected to https://keycloak.company.com/auth/realms/our_realm/account Since apache proxies the base keycloak url (localhost:8080), I guess this would have to be done by keycloak itself. Is this possible? MJ

6 years, 8 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user August 2017