Fwd: Undeclared namespace prefix "dsig" - still a problem in keycloak 3.3.0 CR2.
by Michael Mok
Hi there
In regards to issue 4818 (https://issues.jboss.org/browse/KEYCLOAK-4818),
we are still encountering an issue with recognising dsig.
06:54:51,265 WARN [org.keycloak.saml.common] (default task-110) XML
External Entity switches are not supported. You may get XML injection
vulnerabilities.
09:19:31,939 ERROR [io.undertow.request] (default task-245) UT005023:
Exception handling request to
/auth/realms/demo/login-actions/first-broker-login:
org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException:
com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig"
at [row,col {unknown-source}]: [1,914]
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(
ExceptionHandler.java:78)
at org.jboss.resteasy.core.ExceptionHandler.handleException(
ExceptionHandler.java:222)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(
SynchronousDispatcher.java:179)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:422)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(
ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
KeycloakSessionServletFilter.java:90)
7 years, 2 months
Overriding Cookie Paths
by John D. Ament
Hi,
I noticed in OAuthRequestAuthenticator that the cookie path being set is to
null. From what I can tell, this means in most containers if my first
release is to /foo/bar/baz/bar that the path saved to the cookie is
"/foo/bar/baz". This is typically not an issue, however I have a legacy
app I'm trying to integrate with Keycloak, so the cookie state is very
important. By setting the path to a low level when I later access
/foo/home.xhtml it causes the cookie to not get populated (which causes a
400 bad request later on).
I'm wondering, does it make sense to add something to KeycloakDeployment
that lists the cookie path, defaulting to null if it's not set.
John
7 years, 2 months
Multi realms approach
by Matthias ANGLADE
Hi,
I'm currently working on a project with specific requirements. Actually
what we are trying to do is to setup a Keycloak in order to protect several
applications. Each of these applications will potentially have their own
set of webapps and micro-services. What we intended to do is to declare a
realm per app (and each component of the app would be a client within its
own realm).
We need to setup some cross-realm features such as realm selection,
multi-realm authentication (i.e. not being forced to re-login when switching
from one realm to another).
I'm looking for advice or feedback on implementing such a case. Would you
have any?
Yours,
7 years, 2 months
LDAP Role Mapper big groups issue (role-ldap-mapper)
by Adam Lis
Hi!
I've role-ldap-mapper defined for my LDAP federation.
I can see on user logon, KeyCloak is issuing LDAP search with filter build
on role-ldap-mapper conditions.
KeyCloak is requesting whole resource from LDAP - in my case groups are
quite big.
If I understand correctly, only 'dn' attribute could be requested, since
query is being done anyway for each user on his logon.
In my case current approach results in waiting for LDAP response for over
20 seconds. In case only "dn" attribute for group would be requested, LDAP
response time is very short.
Is there a way to instruct role-ldap-mapper to retrieve only 'dn'
attribute, and assign a requesting user all groups based only on retrieved
'dn' attributes?
AdamLis;
7 years, 3 months
Re: [keycloak-user] [keycloak-dev] Incompatibility of UserRepresentation (and other Reps) between 2.5.5.Final and 3.3.0.CR2
by Stian Thorgersen
Adding list back..
On 28 September 2017 at 13:57, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Yes in the case of 2.5.5.Final it won't help but we can fix it there
> ourselves, since the version is "fixed".
> However for future versions of Keycloak it would be good to have a
> smoother upgrade process.
>
> I think in this case it is a trade-off between robustness and evolvability.
> If you want to make it easy for people to upgrade to newer Keycloak
> versions it would
> help to relax the handling of unknown fields a bit.
>
> The rest is a question of how the API is tested. A test suite can also
> discover problems
> such as broken request / response objects by verifying the outcome of an
> operation.
> Also one could argue that having typos in a structured request is not very
> likely - if the user
> uses the libraries / structures provided by Keycloak, otherwise (JS...)
> they can happen of course.
>
I'm thinking about the case when users don't use the libraries provided by
Keycloak, basically anyone not using Java (there's a few of them out there
you know ;)).
>
> But again users need to verify themselves via tests whether or not a
> request succeeds.
> Even if they have no typo in a field name but a wrong value the request
> would (should) still fail.
>
> Other options to deal with this would of course be to version the API,
> however having a full blown versioning mechanism
> that effectively copies the whole REST interface would be very much
> overkill.
>
> A leaner approach could be to let the client tell the server which version
> of Keycloak they are compatible with via an Header.
> e.g.: x-keycloak-version: 2.5.5.Final
> The server REST infrastructure could then inspect that header and
> dynamically add Jackson Mixins for request / response messages
> to maintain compatibility - if this is possible / makes sense.
>
> E.g. Keycloak server could support basic operations for older clients,
> even with support for newer features by applying sane defaults.
> "New" fields (introduced after x-keycloak-version) would then just be
> excluded in the response.
>
We'll probably have to add versions for REST APIs regardless so it might be
better to just leverage that than to introduce yet another mechanism.
>
> Cheers,
> Thomas
>
> 2017-09-28 12:13 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
>
>> Would be good to have backwards compatibility, but:
>>
>> * Adding to reps wouldn't help for admin client 2.5.5, and we're not
>> doing a new release of the admin client for 2.5.x.
>> * Server side shouldn't ignore unknown fields as that could mask issues.
>> For instance a typing error would just result in ignoring rather than an
>> error.
>>
>> On 28 September 2017 at 10:11, Thomas Darimont <
>> thomas.darimont(a)googlemail.com> wrote:
>>
>>> Hello,
>>>
>>> I just noticed that it isn't possible to create a user with the old
>>> keycloak admin client (2.5.5.Final)
>>> on the Keycloak Server (3.3.0.CR2). See the exception below.
>>>
>>> It turns out that the recently introduced field "notBefore" on
>>> UserRepresentation in KEYCLOAK-5293 is the cause.
>>> Other representations like ClientRepresentation (unknown field "access")
>>> and ProviderRepresentation (unknown field "order")
>>> have the same problem.
>>>
>>> How about adding... @JsonIgnoreProperties(ignoreUnknown = true) ... to
>>> all
>>> representations (org.keycloak.representations.idm.*) to stay backwards
>>> compatible for old clients?
>>>
>>> I gave this a spin locally (by patching the keycloak-core jar) and it is
>>> working fine.
>>>
>>> Cheers,
>>> Thomas
>>>
>>>
>>> javax.ws.rs.client.ResponseProcessingException:
>>> javax.ws.rs.ProcessingException:
>>> com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
>>> Unrecognized field "notBefore" (class
>>> org.keycloak.representations.idm.UserRepresentation), not marked as
>>> ignorable (24 known properties: "disableableCredentialTypes", "enabled",
>>> "emailVerified", "origin", "self", "applicationRoles",
>>> "createdTimestamp",
>>> "clientRoles", "groups", "username", "totp", "id", "email",
>>> "federationLink", "serviceAccountClientId", "lastName", "clientConsents",
>>> "socialLinks", "realmRoles", "attributes", "firstName", "credentials",
>>> "requiredActions", "federatedIdentities"])
>>> at [Source: org.apache.http.conn.EofSensorInputStream@2663e964; line: 1,
>>> column: 308] (through reference chain:
>>> java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["notBefore"])
>>> at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:141)
>>> at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
>>> at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
>>> at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>>> at com.sun.proxy.$Proxy32.search(Unknown Source)
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>>
>
7 years, 3 months
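The trade-off Stian and Thomas are discussing above (a client that tolerates fields it does not know, versus a server that rejects them so that a misspelled field cannot silently become a no-op) is not specific to Jackson. The following Go program is an added example, not code from Keycloak or from either poster, that shows both halves with `encoding/json`: `DecodeResponse` ignores unknown fields the way `@JsonIgnoreProperties(ignoreUnknown = true)` would on the client, and `DecodeRequest` uses `DisallowUnknownFields` so a request that misspells `enabled` fails instead of creating a user with the field unset. The cut-down `UserRepresentation` struct and the two JSON documents are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// UserRepresentation is a cut-down stand-in for
// org.keycloak.representations.idm.UserRepresentation as a 2.5.5 client
// knows it: there is no "notBefore" field.
type UserRepresentation struct {
	ID       string `json:"id,omitempty"`
	Username string `json:"username"`
	Enabled  bool   `json:"enabled"`
	Email    string `json:"email,omitempty"`
}

var knownFields = map[string]bool{"id": true, "username": true, "enabled": true, "email": true}

// DecodeResponse is the client side of the trade-off: a reply from a newer
// server may carry fields this client has never heard of, and rejecting it
// would break every upgrade, so unknown fields are ignored (the Go default,
// equivalent to Jackson's ignoreUnknown = true).
func DecodeResponse(body string) ([]UserRepresentation, error) {
	var users []UserRepresentation
	if err := json.Unmarshal([]byte(body), &users); err != nil {
		return nil, err
	}
	return users, nil
}

// DecodeRequest is the server side: a request field the server does not know
// is far more likely to be a typo than a legitimate new field, and dropping it
// silently would mask the mistake (a user created with "enabled" never set),
// so unknown fields are an error.
func DecodeRequest(body string) (UserRepresentation, error) {
	var u UserRepresentation
	dec := json.NewDecoder(strings.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&u); err != nil {
		return UserRepresentation{}, err
	}
	return u, nil
}

// UnknownFields lists the top-level keys the representation does not declare,
// so a strict server can name every offending field in its 400 response
// instead of stopping at the first parse error.
func UnknownFields(body string) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &raw); err != nil {
		return nil, err
	}
	var unknown []string
	for k := range raw {
		if !knownFields[k] {
			unknown = append(unknown, k)
		}
	}
	sort.Strings(unknown)
	return unknown, nil
}

func main() {
	// Constructed 3.3.0-style response: it carries notBefore, which this client does not know.
	resp := `[{"id":"1","username":"alice","enabled":true,"notBefore":0}]`
	users, err := DecodeResponse(resp)
	fmt.Println(users, err)

	// Constructed request with "enabled" misspelled.
	req := `{"username":"bob","enabeld":true}`
	_, err = DecodeRequest(req)
	fmt.Println("strict:", err)
	fmt.Println(UnknownFields(req))
}
```

The same split applies to any language: lenient decoding belongs on the side that consumes responses it does not control, strict decoding on the side that accepts requests, and a strict server is more useful when it reports every unknown key rather than just the first.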
Force token refresh with the Spring Security adapter
by Aritz Maeztu
I'm using keycloak in a java client, configured with the Spring Security
adapter.
I've got a custom mapper in my keycloak configuration, so when the
access token is refreshed, keycloak accesses an endpoint to retrieve
some user permissions and they're stored in the token itself. Later on,
my client application checks the token without having to perform the
access to the permission endpoint itself (increased performance).
However, when an admin user changes his own permissions, I would like
the keycloak adapter to refresh the token after the permissions are
stored, this way the admin user is not required to have its token
refreshed or to re-login to load his new permissions.
Is there a way to achieve it? Some kind of operation to refresh current
session's token?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Reception: 948 21 40 40
Before printing this e-mail, consider whether it is really necessary: the
environment is everyone's responsibility.
7 years, 3 months
can not deploy quick start "app-authz-jee-servlet"
by Masanobu Hatanaka
Hi,
I'm trying to deploy quick start application "app-authz-jee-servlet" here:
https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.1.x/app...
and follow the configuration steps.
However, "mvn install wildfly:deploy" command failed and the following
exception is logged.
Do I need to configure others to use this sample?
Kind regards,
Masanobu.
------------------
[ERROR] Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy
(default-cli) on project rh-sso-app-authz-jee-servlet: Failed to execute
goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:"
=> {"Operation step-1" => {"WFLYCTL0080: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./authz-servlet"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./authz-servlet:
java.lang.RuntimeException: Could not find resource.
[ERROR] Caused by: java.lang.RuntimeException: Could not find resource.
[ERROR] Caused by:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected
response from server: 501 / Not Implemented"}}}}
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy
(default-cli) on project rh-sso-app-authz-jee-servlet: Failed to execute
goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:"
=> {"Operation step-1" => {"WFLYCTL0080: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./authz-servlet"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./authz-servlet:
java.lang.RuntimeException: Could not find resource.
Caused by: java.lang.RuntimeException: Could not find resource.
Caused by:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected
response from server: 501 / Not Implemented"}}}}
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:213)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
at
org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at
org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at
org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at
org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at
org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.MojoExecutionException: Failed to
execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:"
=> {"Operation step-1" => {"WFLYCTL0080: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./authz-servlet"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./authz-servlet:
java.lang.RuntimeException: Could not find resource.
Caused by: java.lang.RuntimeException: Could not find resource.
Caused by:
org.keycloak.authorization.client.util.HttpResponseException: Unexpected
response from server: 501 / Not Implemented"}}}}
at
org.wildfly.plugin.deployment.AbstractDeployment.execute(AbstractDeployment.java:148)
at
org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
... 20 more
--------------------------
SSO server side, the following error is displayed
--------------------------
:00,353 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-113) RESTEASY002010: Failed to execute:
javax.ws.rs.WebApplicationException: Feature not enabled
at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
at
org.keycloak.services.resources.RealmsResource.getAuthorizationService(RealmsResource.java:268)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
--------------------------
7 years, 3 months
Using Direct Grant Access in Android app
by Maxime Cadoret
Hello everyone,
I am currently working on an Android project and I'm trying to use KeyCloak as an authentication module.
[Disclaimer] I'm still a student so my questions might appear completely off-mark; I managed to get KeyCloak to work by testing every scrap of code I found about the subject on the internet, so it might not be the right way to do things, but it is doing what I need.
(mostly from this post : http://lists.jboss.org/pipermail/keycloak-user/2016-January/004445.html)
I previously managed to connect to keycloak by :
1 - using a webview
2 - loading the login page url
3 - get the user to provide login/pwd on the page
4 - get a code back with the previous url (protocol/openid-connect/auth?response_type=code&client_id=android_app&redirect_uri=android://app)
5 - send this code towards another url in a form :
import org.keycloak.representations.AccessTokenResponse;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());            // encodes the form body
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter()); // decodes the JSON token response
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "authorization_code");
form.add("client_id", "android_app");
form.add("code", code);                    // code received on the redirect from the /auth request in step 4
form.add("redirect_uri", "android://app"); // must be identical to the redirect_uri sent in step 4
// {realm} is a URI template variable: pass the realm name as the trailing uriVariables argument of postForEntity
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
        AccessTokenResponse.class);
6 - parse this JWT into what I need.
I found that you could use Direct Grant Access to avoid using the "keycloak login page" and I am wondering if I'm doing things right when I use it.
I'm actually trying to provide the login and password by an NFC TAG and it can't really work with the usual page.
What I'm doing now is :
1 - Create a form containing my password and login (as clear as water)
2 - send it to KeyCloak
// Same imports and converters as the authorization-code exchange above.
RestTemplate template = new RestTemplate();
template.getMessageConverters().add(new FormHttpMessageConverter());
template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("grant_type", "password");        // resource owner password credentials grant ("direct access grant" in Keycloak)
form.add("client_id", "android_app");      // no client_secret is sent, so the client must be configured as public in Keycloak
form.add("username", "test");
form.add("password", "test");              // the password itself travels in the request body
form.add("redirect_uri", "android://app"); // not a parameter of the password grant; ignored by the token endpoint
ResponseEntity<AccessTokenResponse> rssResponse = template.postForEntity(
        "xxx/auth/realms/{realm}/protocol/openid-connect/token", form,
        AccessTokenResponse.class);
But I'm worried about the login and password in this message.
Isn't it vulnerable as I'm using HTTP? Or if I add HTTPS will it be secured enough?
I'm really not familiar with this process so I'm open to any suggestions or explanations.
Thanks in advance for reading (sorry for my english if there are mistakes).
Best regards,
Maxime.
7 years, 3 months
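What the password grant in the post above actually puts on the wire, and the check a client should make before sending it, as an added Go example (not code from the original post, from the Spring RestTemplate snippets, or from Keycloak). `PasswordGrant` refuses any token endpoint whose scheme is not https, because the form body carries the user's password in clear text and anyone on the path of a plain HTTP request can read it; `NewTLSClient` pins TLS 1.2 as the minimum and keeps certificate verification on. `FakeTokenEndpoint` is a constructed stand-in for the realm's `/protocol/openid-connect/token` that accepts the credential pair test/test so the program runs offline; the client_id `android_app` and the realm name `demo` are taken from the post, and the token values returned are made up.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse keeps the fields of Keycloak's token reply that a client needs.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int    `json:"expires_in"`
	TokenType    string `json:"token_type"`
}

// ErrPlaintext is returned before a single byte leaves the device: the password
// grant carries the user's password in the body, so it must never go over http.
var ErrPlaintext = errors.New("refusing to send credentials to a non-https token endpoint")

// NewTLSClient is the client a real app should use: TLS 1.2 or newer and the
// platform trust store (no InsecureSkipVerify, which would hand the password to any MITM).
func NewTLSClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// PasswordGrant runs the resource-owner password credentials grant for a public
// client (no client_secret) and returns the parsed token response.
func PasswordGrant(client *http.Client, tokenURL, clientID, username, password string) (*TokenResponse, error) {
	u, err := url.Parse(tokenURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, ErrPlaintext
	}
	form := url.Values{"grant_type": {"password"}, "client_id": {clientID},
		"username": {username}, "password": {password}} // redirect_uri is not part of this grant
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// Keycloak answers 401 {"error":"invalid_grant",...}; report it, never log the password.
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
	}
	var tok TokenResponse
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	return &tok, nil
}

// FakeTokenEndpoint stands in for /protocol/openid-connect/token so the example
// runs offline; it knows one constructed credential pair, test/test.
func FakeTokenEndpoint() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		if r.Form.Get("grant_type") != "password" || r.Form.Get("username") != "test" || r.Form.Get("password") != "test" {
			http.Error(w, `{"error":"invalid_grant","error_description":"Invalid user credentials"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"access_token":"eyJ.constructed.token","refresh_token":"eyJ.constructed.refresh","expires_in":300,"token_type":"bearer"}`)
	}))
}

func main() {
	srv := FakeTokenEndpoint()
	defer srv.Close()
	tokenURL := srv.URL + "/auth/realms/demo/protocol/openid-connect/token"
	// srv.Client() trusts the test server's self-signed cert; use NewTLSClient() against a real realm.
	tok, err := PasswordGrant(srv.Client(), tokenURL, "android_app", "test", "test")
	fmt.Println(tok, err)
	_, err = PasswordGrant(NewTLSClient(), "http://keycloak.example/auth/realms/demo/protocol/openid-connect/token", "android_app", "test", "test")
	fmt.Println(err)
}
```

HTTPS protects the password in transit but not at rest: whatever reads it off the NFC tag still holds it in memory, and with the password grant the app itself sees the password, which the browser-based code flow in the first half of the post avoids. Using TLS for the token endpoint is necessary, not sufficient.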
Weblogic Keycloak Adapter
by Elvira Ramondino
Hi,
I'm using Keycloak as authentication and authorization server for some
client application that I must deploy on different application servers.
I need to know if the Weblogic Adapter for Keycloak is in development and if
there is a release date.
If there's not a date, my team could start the development of the adapter,
but we need some suggestions based on your experience. Can we use the tomcat
adapter as base for the weblogic adapter? And what could be the effort?
Thanks in advance,
Elvira
7 years, 3 months
Realm Keys Public Access
by Russell Davies
Is there any way to access the realm keys without making an authenticated
request? That is by making a GET request to `/auth/admin/realms/{realm
name}/keys` without an authorization token.
I ask because when I add a new service, that needs to verify a JWT sent to
it, I have to manually authenticate, get the public key and then configure
a JWK from that. It would be easier if I could just tell me service the URL
and it would fetch the public key from the Keycloak API.
The response for the keys doesn't include any private information so I
don't see any issue in regard to security. Or am I missing something, or is
there another way to do this?
7 years, 3 months
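Keycloak publishes each realm's public signing keys without authentication as a JWK Set at `/auth/realms/{realm}/protocol/openid-connect/certs`, which is also advertised as `jwks_uri` in `/auth/realms/{realm}/.well-known/openid-configuration`; the admin `/keys` endpoint named in the post is a different, token-protected resource. Below is an added Go example, not Keycloak's code and not from the post, of what a service does with that document once it has fetched it: `PublicJWKS` renders a key the way the certs endpoint does, `SignRS256` stands in for the realm minting a token, and `VerifyRS256` selects the key by `kid`, pins the algorithm to RS256 so an attacker-controlled header cannot switch to `none` or HS256, checks the signature, and enforces `exp` and `iss`. The key pair, the `kid` `realm-key-1` and the issuer URL are generated or constructed for the example; nothing is fetched over the network.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is one certs entry (public RSA parameters only); encoding/json maps the lowercase names case-insensitively.
type JWK struct{ Kid, Kty, Alg, Use, N, E string }

var b64 = base64.RawURLEncoding

// PublicJWKS renders a realm signing key the way the certs endpoint does.
func PublicJWKS(kid string, pub *rsa.PublicKey) []byte {
	doc, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{"kid": kid, "kty": "RSA", "alg": "RS256",
		"use": "sig", "n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

// SignRS256 mints a compact JWT as the realm would; only the realm holds priv.
func SignRS256(kid string, priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// keyByKid selects the RSA signing key the token header names, or fails closed.
func keyByKid(jwks []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []JWK }
	if err := json.Unmarshal(jwks, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && k.Use == "sig" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA signing key with kid %q", kid)
}

// VerifyRS256 is what a service does with the fetched JWKS: pin alg to RS256 (the header is
// attacker-controlled, so "none"/HS256 must not be honoured), pick the key by kid, verify, then check exp and iss.
func VerifyRS256(token string, jwks []byte, issuer string, now time.Time) (map[string]interface{}, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, errH := b64.DecodeString(p[0])
	plRaw, errP := b64.DecodeString(p[1])
	sig, errS := b64.DecodeString(p[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("malformed base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or missing alg")
	}
	pub, err := keyByKid(jwks, hdr.Kid)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(plRaw, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	if claims["iss"] != issuer {
		return nil, fmt.Errorf("unexpected issuer")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)     // stands in for the realm's signing key
	iss := "https://keycloak.example/auth/realms/demo" // constructed issuer
	tok, _ := SignRS256("realm-key-1", priv, map[string]interface{}{"iss": iss, "sub": "alice", "exp": time.Now().Add(5 * time.Minute).Unix()})
	claims, err := VerifyRS256(tok, PublicJWKS("realm-key-1", &priv.PublicKey), iss, time.Now())
	fmt.Println(claims["sub"], err)
}
```

In production the JWKS document is fetched over HTTPS from the realm's `certs` URL and cached; a `kid` that is not in the cache is the cue to refetch once (the realm has rotated keys), not to accept the token.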