Keycloak, iframe, Safari and cookies
by Kristoffer Skaret
Our organization is implementing an OIDC platform based on Keycloak, and so
far we are overall happy with the result. But we are left with one major
issue regarding cookies and iframes.
Background:
- Our OIDC platform will be exposed through public domain on the
Internet, and will be used as an authentication service in a long range of
different web sites
- As a result, the clients to our service will run on different domains
- Many of the client applications will prefer to present the OIDC user
interface in an iFrame
The problem came up when we tried running with this setup using the Safari
browser. As it seems, Safari treats cookies presented in an iframe as 3rd
party cookies. So the browser will refuse to save these, unless a similar
cookie has already been presented.
- Has anybody else experience with this issue?
- Any suggested solutions?
As we have learned, Keycloak is very dependent upon cookies regarding many
different aspects of the functionality. However, we are considering the
option to try and make a fork of Keycloak without the need for cookies.
Many aspects, such as cookie-based SSO, are not relevant in our solution.
Thanks,
Kristoffer
7 years
Change root of activation URL
by Sebastian Wilhelm
I have two services, one is my rest-service the other one is the keycloak
service.
When I am using the keycloak-admin-client for triggering features in
keycloak like sending a verification email, I get an Email with the
activation URL like: localhost:xyz/auth/realms/wienenergie/login-actions/action-token?
I am calling the rest-api of keycloak internally per localhost:xyz. What I
wish to do is changing this internal local URL to my external URL in the
admin-console.
Is this possible?
7 years
Accessing redirect url
by Hylton Peimer
Inside a custom Authenticator I am trying to access the original URL
entered at the user's browser.
How can I access this URL in the method:
authenticate(AuthenticationFlowContext) of interface Authenticator?
7 years
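An added example for the question above, not code from the original post or from the Keycloak project: a hypothetical authenticator (the class name is invented) that reads the only "original URL" Keycloak itself sees, namely the redirect_uri the client sent in its authorization request, from the Keycloak 3.2+ `AuthenticationSessionModel`, and the URL of the Keycloak request currently being handled from `UriInfo`. The page the user first typed into the browser is not transmitted to Keycloak; the redirect_uri is the closest thing and has already been validated against the client's registered redirect URIs by the time a custom authenticator runs.

```java
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Hypothetical authenticator (example code, not part of Keycloak) that records
 * where the login flow will send the user back to and stores it for later steps.
 * Assumes the Keycloak 3.2+ API, where the authentication session carries the
 * redirect_uri of the authorization request.
 */
public class RedirectUriLoggingAuthenticator implements Authenticator {
    private static final Logger LOG = Logger.getLogger(RedirectUriLoggingAuthenticator.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        // redirect_uri as supplied by the client and validated by Keycloak
        String redirectUri = authSession.getRedirectUri();
        // URL of the Keycloak request being handled right now (login-actions endpoint)
        UriInfo uriInfo = context.getUriInfo();
        String currentUrl = uriInfo.getRequestUri().toString();
        LOG.infof("client=%s redirect_uri=%s handling=%s",
                authSession.getClient().getClientId(), redirectUri, currentUrl);
        // Keep it on the auth session so later authenticators in the flow can read it
        authSession.setAuthNote("original_redirect_uri", redirectUri);
        // This step only observes; it presents no challenge of its own
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        context.success();
    }

    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

The authenticator still needs an `AuthenticatorFactory` registered through the usual provider descriptor and has to be placed into a copy of the browser flow in the admin console; the auth note name `original_redirect_uri` is an arbitrary choice for this example.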
GET users endpoint is making lots of requests to the database (it's really slow!)
by Cesar Salazar
Hi,
First of all, thanks for the great work on keycloak!
We are using keycloak for an application, and it was working great (until
we launched to production)
We have 150 users which are connected to an Active Directory using the
Federation functionality.
It works, but the endpoint GET /{realm}/users takes about 23 seconds to
respond (Keycloak running on a container in GKE backed by a mysql server on
Google Cloud SQL).
I enabled mysql logging and the problem seems to be that, just to respond to
this endpoint, the server makes 901 queries to the database!
These are the queries:
First query, to get the users:
select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as
CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_,
userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED
as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_,
userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as
FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_,
userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as
REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_,
userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where
userentity0_.REALM_ID='my-realm' and
(userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by
userentity0_.USERNAME
Then, *for each user*, a query like this (getting user attributes, I guess):
select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as
ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_,
attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_
from USER_ATTRIBUTE attributes0_ where
attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70'
Then, *for each user*, 4 queries similar to this (getting credentials, I
guess):
select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_,
credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as
CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as
DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_,
credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_,
credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_,
credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where
credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and
credential0_.TYPE='totp'
A query with type *totp* is issued 2 times; the other 2 times it is issued
with type *hotp* and *password*.
And finally one more query *for each user* (getting required actions, I
guess):
select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION
as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_,
requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION
requiredac0_ where
requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa'
So, in total, for 150 users, Keycloak is making 901 requests to the
database! If I increase the number to 500 users, will it be 30001
requests???
How can this be improved? Is there something wrong I'm doing in the
configuration? Does this happen only with Federated users?
Thanks!
--
*Cesar Salazar*
Development Manager
DEVSU | www.devsu.com
skype: cesarsalazar007
P: (213)-291-0752
M: +593 9 2917 160 (Ecuador)
7 years
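An added example, not code from the original post or from Keycloak: a small analyzer that reads MySQL general-log lines of the kind quoted above and counts queries per table and per user id, so the N+1 shape (one listing query, then a fixed number of follow-up queries per user) can be measured rather than eyeballed, and the total can be projected for any user count with the formula 1 + N × (queries per user). The log lines are constructed for the example and shortened to the parts the analyzer needs; the user ids in them are placeholders.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Reads MySQL general-log lines and reports how many queries hit each table and
 * how many queries are issued per user id, which makes an N+1 pattern visible
 * without reading the ORM code. Example code, not part of Keycloak.
 */
public class QueryFanoutAnalyzer {

    // Table name that follows "from" in a Hibernate-generated SELECT
    private static final Pattern FROM_TABLE =
            Pattern.compile("\\bfrom\\s+([A-Za-z_]+)", Pattern.CASE_INSENSITIVE);
    // Literal user id in a "...USER_ID='<id>'" predicate
    private static final Pattern USER_ID_FILTER =
            Pattern.compile("\\.USER_ID='([0-9a-fA-F-]+)'");

    /** Number of SELECTs per table, in first-seen order. */
    public static Map<String, Integer> countByTable(List<String> logLines) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String line : logLines) {
            Matcher m = FROM_TABLE.matcher(line);
            if (m.find()) {
                counts.merge(m.group(1).toUpperCase(), 1, Integer::sum);
            }
        }
        return counts;
    }

    /** Queries that filter on one USER_ID, divided by the distinct ids seen (0 if none). */
    public static int queriesPerUser(List<String> logLines) {
        int perUserQueries = 0;
        Set<String> userIds = new HashSet<>();
        for (String line : logLines) {
            Matcher m = USER_ID_FILTER.matcher(line);
            if (m.find()) {
                perUserQueries++;
                userIds.add(m.group(1));
            }
        }
        return userIds.isEmpty() ? 0 : perUserQueries / userIds.size();
    }

    /** Expected total for n users: one listing query plus perUser queries for each user. */
    public static long projectTotal(int perUser, int users) {
        return 1L + (long) perUser * users;
    }

    // Constructed sample: two placeholder users, each with the six follow-up queries seen on the page
    static final List<String> SAMPLE = buildSample("aaaa-1111", "bbbb-2222");

    private static List<String> buildSample(String... ids) {
        List<String> lines = new ArrayList<>();
        lines.add("Query\tselect userentity0_.ID from USER_ENTITY userentity0_ where userentity0_.REALM_ID='my-realm'");
        for (String id : ids) {
            lines.add("Query\tselect attributes0_.NAME from USER_ATTRIBUTE attributes0_ where attributes0_.USER_ID='" + id + "'");
            for (String type : Arrays.asList("totp", "totp", "hotp", "password")) {
                lines.add("Query\tselect credential0_.ID from CREDENTIAL credential0_ where credential0_.USER_ID='" + id
                        + "' and credential0_.TYPE='" + type + "'");
            }
            lines.add("Query\tselect requiredac0_.REQUIRED_ACTION from USER_REQUIRED_ACTION requiredac0_ where requiredac0_.USER_ID='" + id + "'");
        }
        return lines;
    }

    public static void main(String[] args) {
        System.out.println("per table: " + countByTable(SAMPLE));
        int perUser = queriesPerUser(SAMPLE);            // 6 for the sample above
        System.out.println("queries per user: " + perUser);
        System.out.println("projected for 150 users: " + projectTotal(perUser, 150));
        System.out.println("projected for 500 users: " + projectTotal(perUser, 500));
    }
}
```

Feeding it real general-log output (one statement per line, as MySQL writes it) gives the same per-table breakdown for a production run; a per-user count that stays constant while the listing grows is the signature of the N+1 pattern, and the projection shows how the total scales linearly with the number of users returned.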
implicitly pick the IdP for brokering
by Sud Ramasamy
As I understand it, currently keycloak expects a kc_idp_hint URL attribute if we want to redirect to a brokering IdP from a set of configured IdPs in the realm. Is it possible to accomplish the same behavior without having to specify the kc_idp_hint attribute?
We don’t want the user to have to specify the kc_idp_hint URL attribute when accessing our SaaS application. But we also don’t want to add any URL rewrites in front of the application or in front of Keycloak where the kc_idp_hint param gets set if we can avoid it. We could add a Servlet Filter in the application that sets the kc_idp_hint parameter before passing the request to the Keycloak Java Adapter filter that we use in the application.
Outside of the custom filter option we were wondering if we were to do this entirely in Keycloak was that even possible and what would that look like.
Thanks
-sud
7 years
REGISTER event: firstName & lastName always NULL
by Thilo Frotscher
Hi all,
In our project there is a requirement to execute some actions after successful
user registrations. I implemented an EventListenerProvider that listens to events
of type REGISTER. The details of this event type only contain the "username" of
the user that just registered, but first name and last name are missing.
So I thought I could retrieve this information from the user storage. But no
matter how I try to read the user information from the user storage, firstName
and lastName are always null.
Is this a bug or a feature? When manually logging on to the Admin Console,
I can see that firstName and lastName have been correctly saved. But how
can I programmatically retrieve the first name and last name of the user
that just registered in my event listener?
Sample code:
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class RegisterEventListener implements EventListenerProvider {
    private static final Logger LOGGER = Logger.getLogger(RegisterEventListener.class);
    private final KeycloakSession session; // handed in by the provider factory

    public RegisterEventListener(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        if (!EventType.REGISTER.equals(event.getType())) {
            LOGGER.info("Ignoring event of type " + event.getType());
            return;
        }
        String realmId = event.getRealmId();
        RealmModel realm = session.realms().getRealm(realmId);
        String userId = event.getUserId();
        Map<String, String> details = event.getDetails();
        String username = details.get("username");
        // Look the user up through each storage layer to compare what they return
        printUser(session.users().getUserByUsername(username, realm));
        printUser(session.userLocalStorage().getUserByUsername(username, realm));
        printUser(session.userCache().getUserByUsername(username, realm));
        printUser(session.userStorageManager().getUserByUsername(username, realm));
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) { }

    @Override
    public void close() { }

    private void printUser(UserModel user) {
        if (user == null) {
            LOGGER.info("User is null");
        } else {
            LOGGER.info(user.getFirstName()); // always null
            LOGGER.info(user.getLastName()); // always null
            LOGGER.info(user.getId());
            LOGGER.info(user.getEmail());
            LOGGER.info(user.getUsername());
        }
    }
}
Actually, I believe firstName and lastName should be part of the event details
in the first place...
Thanks for your help!
Cheers,
Thilo
7 years
overriding built-in verify-email RequiredAction
by The Fredo
Hello all,
I need to extend the built-in VerifyEmail RequiredAction a bit (i.e. adding a specific attribute in the LoginFormsProvider, so that the login-verify-email.ftl template displays accordingly). What would be the right way to do this?
I tried to build a new RequiredAction based on the existing VerifyEmail RequiredAction, but it happened to be far too complex for me.
(The only way I made it work was modifying the existing code (of VerifyEmail.java); it allowed me to test that my data are available to the FreeMarker template.)
Thanks in advance !
regards
Keycloak 3.2.1
7 years
How to pass custom parameter to Keycloak SAML authentication endpoint
by Pankaj Mahajan
Hi Team,
I have multiple clients (both OIDC and SAML) in a single realm with multiple Identity providers in the same realm. I need to pass a custom parameter in the authentication request, based on which, within Keycloak, I will be able to determine to which IDP this request needs to be forwarded instead of displaying the Keycloak login page.
For OIDC applications the kc_idp_hint query parameter can be used, but I would like to achieve this behavior for SAML applications.
Please let me know, if there is already a provision in Keycloak to achieve the above behavior. If not then please share your thoughts/pointers if any. Thank you in advance.
Thanks & regards,
Pankaj Mahajan
7 years