September 2017 - keycloak-user - Jboss List Archives

OIDC access_token URL parameter rather than Bearer Authentication header

by Gabriel Lavoie

Hi, we have one use case where we want to use a access_token URL parameter rather than the Authorization: Bearer header, to allow SSO from a mobile app to Safari. KeycloakAuthenticationProcessingFilter.java ( https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c73949...), the authentication flow is different when using the query param vs the Authorization header. Any reason for this? - Header: Upon successful authentication, the filter chain is processed to the requested page. - Query param: Upon successful authentication, default success handler is called and user is redirected to a target page (/ by default) (first condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication(): if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) { super.successfulAuthentication(request, response, chain, authResult); return; } Thanks, Gabriel -- Gabriel Lavoie glavoie(a)gmail.com

6 years, 7 months

2
4
0 / 0

OIDC Client dynamic registration

by Виталий Ищенко

Hi I was playing with example from openid-client nodejs package, it has examples with custom keys and key signing/encryption algorithms Some registration requests fail with NPE exception like this Caused by: java.lang.NullPointerException at org.keycloak.util.JWKSUtils.getKeyForUse(JWKSUtils.java:49) at org.keycloak.services.clientregistration.oidc.DescriptionConverter.setPublicKey(DescriptionConverter.java:135) at org.keycloak.services.clientregistration.oidc.DescriptionConverter.toInternal(DescriptionConverter.java:102) at org.keycloak.services.clientregistration.oidc.OIDCClientRegistrationProvider.createOIDC(OIDCClientRegistrationProvider.java:74) Registration request was following { "post_logout_redirect_uris": [ "http://localhost:3000/" ], "redirect_uris": [ "http://localhost:3000/cb" ], "grant_types": [ "authorization_code" ], "response_types": [ "code" ], "userinfo_encrypted_response_alg": "ECDH-ES+A128KW", "jwks": { "keys": [ { "kty": "EC", "kid": "pZtihA2ZjNh3qrPg3OUSZdpWatODXiUw_6ThWYqJ7gw", "crv": "P-256", "x": "qoBR4Zhj1RlMIF4TVfibVkApY1j2J1NdPUWTx_gKFlQ", "y": "cbZ3J1Y_OZXF0YhOerMVoqq5hRoe6G3xw21va5drqf0" } ] } } I overcome this issue by patching library and adding use: sig attribute to jwks key, but it seems that this attribute is not required by spec https://tools.ietf.org/html/rfc7517#section-4.2, and even if it is required from app perspective, NPE should be replaced with something more meaningful Other issues that I've faced after bypassing NPE -- registrations, that use unsupported algorithms like above doesn't fail, is it correct behaviour?

6 years, 7 months

1
0
0 / 0

Re: [keycloak-user] How to implement "Forgot Password" using Keycloak Admin Client?

by Jonathan Lin

It’s as simple as Realm Settings > Login > Forgot password

6 years, 7 months

1
0
0 / 0

Extend Keycloak API

by LAGIER Aymeric

Hi, I try to perform a custom user search based on custom attributes. In my example, I’m using the default storage (keycloak database) to store users. I try to use the following example (https://github.com/keycloak/keycloak/tree/master/examples/providers/rest) and copy paste the content of the getUsers() methods from org.keycloak.services.resources.admin.UsersResource Code : https://pastebin.com/wbaEc8Pz In my example, after deploying the new jar, I try to call the http://localhost:8080/auth/realms/<my realm>/hello<http://localhost:8080/auth/realms/%3cmy%20realm%3e/hello> endpoint with an authorization header containing a valid access_token. For the moment it returns a NullPointerException when trying to access the auth variable. Am I on the right way ? Thanks in advance, Regards Aymeric

6 years, 7 months

1
0
0 / 0

Determine users roles using the JavaScript adapter

by Robert Parker

After authenticating a user using the JavaScript adapter, how can I determine what roles a user has? Robert Parker- Front End Developer Applied Card Technologies Ltd Cardiff Office 14 St Andrews Crescent Caerdydd Cardiff CF10 3DD +44 (0) 2922 331860 robert.parker(a)weareact.com www.weareACT.com Registered in England : 04476799

6 years, 7 months

1
0
0 / 0

How to implement "Forgot Password" using Keycloak Admin Client?

by Celso Agra

Hi all, I'm trying to creat a feature to do the password recovery using Keycloak Admin Client. I looked for a solution on the documentation [ www.keycloak.org/docs-api/2.5/rest-api/], but I did not find this specific result. Does anyone know how to implement the "forgot password feature" using Keycloak Admin Client? -- --- *Celso Agra*

6 years, 7 months

1
0
0 / 0

How to disable Tomcat JSESSIONID

by shimin q

Hi, I have several apps deployed in Tomcat 7, and use Keycloak to manage user login and logout of these apps. Clicking on the Logout link does not log the user out and redirect to Keycloak's login page. Then I found the JSESSIONID cookie is still present, once I deleted the JSESSIONID cookie, the logout link works as expected. So I tried to disable Tomcat's session by putting <%@ page session="false" %> in the header of my app's JSP page. Unfortunately, this still does not disable Tomcat's session. I am wondering if anyone has a solution to this problem? I believe the presence of the Tomcat session interferes with the Keycloak's SSO session, and causes Keycloak logout link to not work. This has to be a common problem Keycloak users encounter, Tomcat is so widely used for web apps. How does Keycloak resolve the issue when its session conflict with Tomcat session? Would appreciate any tips on how we should handle this!

6 years, 7 months

1
0
0 / 0

How to change email and send a verification in the Keycloak Admin Client?

by Celso Agra

Hi all, I have an question about Keycloak Admin Client and email verification. I'd like to know if would be possible to create a feature to change email with a verification url. So, I need change the email, and then send a verification to complete this feature. Does anyone know if Keycloak Admin Client has this feature? Best Regards, -- --- *Celso Agra*

6 years, 7 months

1
0
0 / 0

OTP Policy updates not reflects at Google Authenticator

by Eswara Akurathi

Dear all, We are running into a weird problem i.e., updates to OTP policy does not reflect at google authenticator app. We wonder is there any special instructions needed to get this working. A sequence of steps : 1) create realm, create user 2) enable OTP 3) login with the newly created user 4) system asks you to configure OTP 5) update OTP policy such as number of digits from 6 to 8 6) try login again 7) system asks you to enter OTP but authentication fails We expect the system should route the user to configure OTP page rather than prompting to enter OTP which anyways fails. Your response is highly appreciated !!! Thanks in advance Regards Krishna Kumar Akurathi

6 years, 7 months

1
0
0 / 0

SAML Identiy broker mode bypasses any authentication after logout

by Pieter Lukasse

Hi, I have a spring-security based application that connects to keycloak via SAML. Keycloak itself is configured to connect via SAML to another external identity provider (so Keycloak is just the identity broker in this case). When I logout from my web application by going to https://<app_url>/saml/logout?local=false, a LogoutRequest is sent to keycloak, followed by a LogoutRequest to the external IDP. There is *no* LogoutResponse. Strangely, when I try to access my web application again, I am not asked to login and can access it as if the session is still valid. No AuthnRequest is seen in this case. What could be wrong? It seems that either the web application or the Keycloak is caching the session and not invalidating it upon a LogoutRequest. Maybe someone can help shed some light on this. Thanks, Pieter We empower scientists by building on open source software

6 years, 7 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user September 2017