CORS
by Fabio Ebner
I'm trying to get a token with a JS client, so I configured my client just like
the image, and this is my code (Axios) to try to get the token:
this.axios.post('http://localhost:9090/auth/realms/Lumera/protocol/openid-connect/token',
  {
    username: this.email,
    password: this.senha,
    grant_type: 'password',
    client_id: 'central-api',
  },
  {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
    },
  },
).then((response) => {
  console.log('ok');
}).catch((error) => {
  console.log('erro');
});
But I got the error:
Failed to load
http://localhost:9090/auth/realms/Lumera/protocol/openid-connect/token: No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access. The
response had HTTP status code 400.
[image: Screen Shot 2018-10-15 at 21.00.51.png]
If I use Postman to get a token, it works fine. So the Web Origins should work
in this case?
tks
6 years, 2 months
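Below is an added example, not code from the original post, showing how the password-grant request to this token endpoint has to be encoded: the endpoint reads application/x-www-form-urlencoded parameters, and Axios serialises a plain object body as JSON even when that header is set, so the parameters never reach the server in the declared form. It assumes the URL, realm and client_id from the post; the axios instance is passed in and nothing here contacts a server.

```javascript
// Added example (not from the post): a form-encoded password-grant request
// for the Keycloak token endpoint (URL, realm and client_id from the post).
const TOKEN_URL =
  'http://localhost:9090/auth/realms/Lumera/protocol/openid-connect/token';

// The endpoint reads application/x-www-form-urlencoded parameters, so the body
// must be a form string; URLSearchParams also percent-encodes characters such
// as '@' so the password arrives intact.
function buildPasswordGrant(username, password, clientId) {
  const form = new URLSearchParams({ grant_type: 'password', client_id: clientId, username, password });
  return {
    url: TOKEN_URL,
    body: form.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  };
}

// Classifies a token-endpoint reply; on failure the OAuth2 error fields in the
// JSON body (error, error_description) say why the request was rejected.
function interpretTokenResponse(status, json) {
  if (status === 200 && json && typeof json.access_token === 'string') {
    return { ok: true, tokenType: json.token_type, expiresIn: json.expires_in };
  }
  return {
    ok: false,
    status,
    error: (json && json.error) || 'unknown_error',
    description: (json && json.error_description) || '',
  };
}

// Usage with axios (passed in; needs a reachable server, so not exercised here).
// Axios rejects on non-2xx; err.response is undefined when the browser blocked
// the request before any reply could be read.
async function requestToken(axios, username, password) {
  const req = buildPasswordGrant(username, password, 'central-api');
  try {
    const res = await axios.post(req.url, req.body, { headers: req.headers });
    return interpretTokenResponse(res.status, res.data);
  } catch (err) {
    if (!err.response) {
      return { ok: false, status: 0, error: 'request_blocked', description: err.message };
    }
    return interpretTokenResponse(err.response.status, err.response.data);
  }
}
```

When the browser reports only the missing Access-Control-Allow-Origin header, the status and error fields returned by interpretTokenResponse (or the same response inspected in the network tab) are what tell the client and server apart.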
Using annotations to secure a method
by Fabio Ebner
Is it possible to use the annotation:
@Secured()
on my method to secure it, instead of:
@Override
protected void configure(final HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers("/estado/*").hasRole("CARTORIO")
        .antMatchers("/natureza/*").hasRole("CLIENTE")
        .anyRequest().permitAll();
}
tks
6 years, 2 months
Disable certain account management tabs?
by Craig Setera
(Apologies for all of the questions lately... I'm busy digging in and that
leads me to questions!)
Is it possible to disable some of the tabs in the user account management
application without changing the theme FTL? For instance, if I wanted to
remove the "Sessions" tab, can that be done without rewriting the
Freemarker template? (It doesn't look like it from the code, but I figured
it was worth asking)
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years, 2 months
Unrecognized field "authenticationFlowBindingOverrides"
by Fabio Ebner
When I try to get my client with this code:
ClientRepresentation app1Client = realmResource.clients().findByClientId("central-api").get(0);
this error is returned:
javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "authenticationFlowBindingOverrides" (class
org.keycloak.representations.idm.ClientRepresentation), not marked as
ignorable (38 known properties: "enabled", "clientAuthenticatorType",
"redirectUris", "clientId", "authorizationServicesEnabled", "name",
"implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout",
"publicClient", "attributes", "protocol", "webOrigins", "protocolMappers",
"id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed",
"frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl",
"secret", "useTemplateMappers", "notBefore", "useTemplateScope",
"standardFlowEnabled", "description", "directAccessGrantsEnabled",
"useTemplateConfig", "serviceAccountsEnabled", "consentRequired", "access",
"bearerOnly", "registrationAccessToken", "defaultRoles",
"authorizationSettings"])
This is my pom:
<!--keycloak-->
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-security-adapter</artifactId>
    <version>3.4.3.Final</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>3.4.3.Final</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-admin-client</artifactId>
    <version>3.4.3.Final</version>
</dependency>
<dependency>
    <groupId>javax.ws.rs</groupId>
    <artifactId>javax.ws.rs-api</artifactId>
    <version>2.1</version>
</dependency>
<!--resteasy-->
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-client</artifactId>
    <version>3.1.3.Final</version>
</dependency>
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <version>3.1.3.Final</version>
</dependency>
6 years, 2 months
Setting authentication execution requirement via kcadm.sh?
by Craig Setera
I'm trying to figure out if it is possible to set the "requirement" level
of an execution that is created for an authentication flow via the kcadm
tool. I have a shell script that I'm using to set up the Keycloak
configuration that looks like the following:
echo "Creating new authentication flow..."
AUTO_LINK_FLOW_ID=`${KCADM} create authentication/flows --id -r ${REALM_NAME} \
  -s alias="FirstBrokerLoginAutoLink" -s providerId="basic-flow" -s topLevel=true`

echo "Adding unique authenticator..."
${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
  -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10

echo "Adding auto link authenticator..."
${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution -r ${REALM_NAME} \
  -s provider=idp-auto-link -s requirement=ALTERNATIVE -s priority=20
With this script, I'm seeing the flow and executions created, but the
requirement seems to be ignored. In this case, the executions are always
set to DISABLED. I've tried to follow that up with an update call that
looks like this:
echo "Adding unique authenticator..."
EXECUTION_ID=`${KCADM} create authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r ${REALM_NAME} \
  -s provider=idp-create-user-if-unique -s requirement=ALTERNATIVE -s priority=10`
${KCADM} update authentication/flows/FirstBrokerLoginAutoLink/executions -r ${REALM_NAME} \
  -s id=${EXECUTION_ID} -s requirement=ALTERNATIVE
However, that is failing with the following error:
HTTP request error: Can not deserialize instance of
com.fasterxml.jackson.databind.node.ObjectNode out of START_ARRAY token
 at [Source: [B@527ee8a7; line: 1, column: 1]
Can anyone offer any suggestions on how to get this authentication flow
properly configured so that the executions are set to ALTERNATIVE?
Thanks!
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years, 2 months
possible encoding issue in the CLI tool
by triton oidc
Hi,
For Keycloak to be used in my enterprise, I need to pass some tests;
one of those is importing test-user data with non-conventional
characters.
When I use the GUI, I get no issues.
However, when I use the CLI, I lose some special characters somewhere.
I reproduced the issue in my dev environment.
Here is what I do to create the test user:
SSO_DEMO_USERNAME=anakin; ${JBOSS_HOME}/bin/kcadm.sh create users -r "$SSO_REALM" \
  -s username="$SSO_DEMO_USERNAME" \
  -s firstName='Roma.العربية.Việt Nam.中国.中國' \
  -s lastName='Roma.العربية.Việt Nam.中国.中國' \
  -s email=$SSO_DEMO_USERNAME@mail.com \
  -s enabled=true
The result is:
Created new user with id '8c6e99cb-58ad-45ae-a217-84e4dfd15c0b'
Here is a screenshot with the previous command, the displayed
firstname/lastname associated with it (anakin user),
and the same one created with the GUI: obiwan.
[image: image.png]
As you can see, only the one created with the GUI displays the name correctly.
I don't know if it's a bug or not.
If so, should I create a GitHub issue for it?
I tried to escape the characters with single or double quotes: same
results.
The Keycloak version I use is coming from
https://access.redhat.com/containers/?tab=tech-details#/registry.access.r...
I think it's based on the 4.X release, but there was no --version on the
kcadm binary, so I'm not sure.
Thanks for any help
Amaury
6 years, 2 months
Testing SAML Identity Brokering
by Craig Setera
I'm attempting to set up a test of identity brokering all within a single
Keycloak server. I have two realms set up. The "saml-demo" realm is set
up with a SAML client. I've exported the SAML definition from that client
and imported it into the Identity Brokering for the second realm.
Unfortunately, I can't seem to get to the login page of the "saml-demo"
when navigating from the second realm. When I click on the identity broker
realm link, I'm seeing the following in the logs:
keycloak_1 | Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 128
keycloak_1 |     at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
keycloak_1 |     at java.security.Signature$Delegate.engineVerify(Signature.java:1222)
keycloak_1 |     at java.security.Signature.verify(Signature.java:655)
keycloak_1 |     at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.verify(DOMSignatureMethod.java:236)
I've turned up logging for all of the Keycloak SAML functionality as well
as for java.security. However, I'm struggling to figure out where the
mismatch is located in the configuration and not quite sure where to even
look.
Can anyone offer suggestions on how to go about setting this up or
troubleshooting what I'm doing?
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years, 2 months
roles in the user-info response
by Simon Payne
Hi,
We have an existing system which we would like to integrate with keycloak.
This system has a legacy authorization model, which is fairly complex and
fine grained.
Users of this system have many hundreds of roles which in some cases
results in the token being too large, breaking the header size.
I was hoping that by limiting the roles within the token, through scope,
and an endpoint similar to user-info or token introspection, we could
determine which roles or resources the user is allowed to access through
validated identity.
However, I found that by limiting the scope for the access token, the roles
are not returned as part of the user-info response.
Is anyone aware of any alternatives which will allow me to test roles
associated with the user, at the resource server, without them being
present in the access token?
thanks
Simon.
6 years, 2 months
401 when trying to create a user
by Fabio Ebner
I'm trying to use the Keycloak admin client to create one user.
My Keycloak user is keycloak and the password is k3ycl0@k.
So I'm using this code:
String serverUrl = "http://localhost:9090/auth/admin";
String realm = "Lumera";
String clientId = "admin-cli";
String clientSecret = "b1bc8d8e-2cff-4d6d-9cbd-d5fcfe82d1bc";

Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl(serverUrl)
        .realm(realm)
        .clientId(clientId)
        // .clientSecret(clientSecret)
        .username("keycloak")
        .password("k3ycl0@k")
        .build();

UserRepresentation user = new UserRepresentation();
user.setEnabled(true);
user.setUsername("tester1");
user.setEmail("te@teste.com.br");
user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));

RealmResource realmResource = keycloak.realm(realm);
UsersResource userRessource = realmResource.users();

javax.ws.rs.core.Response response = userRessource.create(user);
System.out.println(response.getLocation());
String userId = response.getLocation().getPath().replaceAll(".*/([^/]+)$", "$1");

RoleRepresentation testerRealmRole = realmResource.roles().get("tester").toRepresentation();
userRessource.get(userId).roles().realmLevel().add(Arrays.asList(testerRealmRole));

ClientRepresentation app1Client = realmResource.clients().findByClientId("app1").get(0);
RoleRepresentation userClientRole =
        realmResource.clients().get(app1Client.getId()).roles().get("user").toRepresentation();
userRessource.get(userId).roles().clientLevel(app1Client.getId()).add(Arrays.asList(userClientRole));

CredentialRepresentation passwordCred = new CredentialRepresentation();
passwordCred.setTemporary(false);
passwordCred.setType(CredentialRepresentation.PASSWORD);
passwordCred.setValue("test");
userRessource.get(userId).resetPassword(passwordCred);
But it returns: Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401
Unauthorized on the line javax.ws.rs.core.Response response =
userRessource.create(user);
I'm using Spring Boot 1.5.16.
6 years, 2 months