Keycloak CORS issue associated with login redirect
by ksl
I am using Keycloak 4.4.0 to secure my rest service, which is implemented
using Spring Boot and I am using React for the front end.
I get a CORS error when the front end (running on localhost:3000) makes an
API call to localhost:8080/login and is redirected to the Keycloak login
page.
The error is:
`localhost/:1 Failed to load http://localhost:8080/login: Redirect from
'http://localhost:8080/login' to
'http://localhost:9080/auth/realms/hbs/protocol/openid-connect/auth?respon...'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is
present on the requested resource. Origin 'http://localhost:3000' is
therefore not allowed access.`
I have added a single value of '*' to the Web Origins config section in the
Keycloak client.
I have annotated my REST controller as follows:
import java.security.Principal;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class MyController
{
    // Foo is the poster's own response type (not shown in the post)
    @CrossOrigin
    @GetMapping("/login")
    public ResponseEntity<Foo> getFoo(Principal principal)
    {
        return ResponseEntity.ok(new Foo("blah"));
    }
}
I have enabled keycloak and cors in the application properties:
keycloak.cors = true
keycloak.enabled = true
If I disable keycloak the CORS problem goes away.
As described here <https://stackoverflow.com/a/46222250/820657>, I
suspect the issue is to do with the keycloak server not responding with any
ACCESS-CONTROL-ALLOW-ORIGIN headers despite "web Origins" being correctly
configured in the keycloak admin portal. But I'm not completely sure how to
confirm this.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
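The mechanism behind the quoted error, as an added example that is not part of the original post: a browser applies the CORS check to every hop of a redirect chain, so a cross-origin XHR that gets bounced to the Keycloak authorization endpoint is blocked at the first hop whose response carries no matching Access-Control-Allow-Origin. The hop data below is constructed to mirror the ports and paths in the post; the function names are the editor's own.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# One captured response hop: (HTTP status, response headers).
Hop = Tuple[int, Dict[str, str]]


def origin_of(url: str) -> str:
    """scheme://host:port, which is what the browser compares as an origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def cors_allows(origin: str, headers: Dict[str, str]) -> bool:
    """A response passes the CORS check when ACAO is '*' or the exact origin."""
    acao = headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin


def follow_redirects(origin: str, url: str, hops: List[Hop]) -> Optional[str]:
    """Walk a redirect chain the way a browser does for a cross-origin fetch.

    Returns None if every hop is acceptable, otherwise a message naming the
    first hop the browser would block. Same-origin hops need no ACAO header.
    """
    for status, headers in hops:
        if origin_of(url) != origin and not cors_allows(origin, headers):
            return f"blocked at {url}: no Access-Control-Allow-Origin for {origin}"
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if location is None:
                return None  # a redirect without Location is treated as final
            url = location
            continue
        return None
    return None


# Constructed hops modelled on the post: the Spring app answers the XHR with a
# 302 to the Keycloak login page; the login page is HTML meant for top-level
# navigation and carries no CORS headers, so the second hop is the one blocked.
FRONTEND = "http://localhost:3000"
LOGIN_URL = "http://localhost:8080/login"
KC_AUTH = "http://localhost:9080/auth/realms/hbs/protocol/openid-connect/auth"
SAMPLE_HOPS: List[Hop] = [
    (302, {"Access-Control-Allow-Origin": FRONTEND, "Location": KC_AUTH}),
    (200, {"Content-Type": "text/html"}),
]
```

Because the authorization endpoint exists to render an interactive login page, reaching it via XHR/fetch will fail regardless of the Web Origins setting; the front end has to navigate to it (or use a client library that does), and only the API calls that follow should be cross-origin requests.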
6 years, 2 months
Custom SPI (emailSender) working under Windows, not working in docker image
by Lukasz Lech
Hello,
I've created my own version of emailService, deployed it by copying it into standalone/deployments and added a section in standalone.xml:
<spi name="emailSender">
    <default-provider>multipart</default-provider>
</spi>
Under both Windows and docker I get the warning that I'm implementing an internal API, and confirmation that the module was deployed.
Under Windows: in server-info I see now only my implementation of emailSender, sending emails goes through my sender.
In Docker image, I see BOTH default provider (default) and my own (emailSender), and sending email causes NullPointerException when FreeMarker tries to use the sender:
// session and user are fields of the enclosing email template provider class
protected void send(Map<String, String> config, String subject, String textBody, String htmlBody) throws EmailException {
    EmailSenderProvider emailSender = session.getProvider(EmailSenderProvider.class);
    emailSender.send(config, user, subject, textBody, htmlBody);
}
In both cases, I'm using keycloak 4.5.0.Final and JDK 8. I don't see any other errors or warnings in log.
What could have gone wrong in the docker image? Why does keycloak behave differently in the two cases, and why didn't switching the SPI implementation work in the dockerized version?
Best regards,
Lukasz Lech
6 years, 2 months
restricting user registration?
by Wyllys Ingersoll
Is it possible to configure user self-registration to a new realm such that
only users with specific token or link can register?
We want to allow self-registration, but do not want it to be open-ended,
but rather by invitation where the invitation would be an email or some OOB
mechanism that provides the user with a unique 1-time-only code to use to
authorize their registration.
Is this possible?
Thanks,
Wyllys Ingersoll
6 years, 2 months
Is it possible to update a Password using SAML
by Michael Meier
Hi all
Maybe it's a stupid question and that's maybe the reason I couldn't find
an answer for it on the internet.
But is it possible that a service provider (in my case Nextcloud) uses
the SAML protocol to update the current user's password on the IdP
(keycloak)?
If yes, does Keycloak support that?
thanks a lot for the information
Michael Meier
6 years, 2 months
Scalability of Keycloak Access Mgmt system for Self-care users
by kedar.budukh@ericsson.com
Hi,
I am currently evaluating Keycloak as one of the IdM and Access Management
systems. My client is a Telecom Service Provider and has a requirement to
support Self-care users with an expected volume of 60 to 80 million users
and approximately 2000 to 3000 login requests per second. I want to use
Keycloak to Authenticate and Authorize (RBAC) end users using OpenID
Connect.
I tried searching for information on Keycloak scalability with Relational DB
or LDAP Services and the performance, however, I did not find much
information about the same.
The Keycloak documentation talks about Clustering feature but the stats are
not given.
Can someone please help me as per your experience with Keycloak performance
and scalability to support the Self-care users of 60 to 80 million volume?
Also, kindly suggest if I should consider any other IdM and Access
Management system with above requirement of scalability for my evaluation.
Thanks and Regards,
Kedar
6 years, 2 months
How to have identity provider configuration page visible in Keycloak?
by Nicolas Delsaux
Hi all,
I'm writing a custom identity provider for Keycloak that I want to deploy
using the [deployer][1] method (since I want to deploy it in [Docker
containers][2]). Following an [example][3] I found on the web, I've
created a maven project where, using the maven-assembly-plugin, I build
a jar with dependencies (but I've filtered out the various services
implementations my dependencies provide me to just keep the identity
provider service).
Things seem to work partly:
* The Keycloak log indicates my id provider is loading/loaded:
`keycloak_1 | 09:23:20,056 INFO [org.jboss.as.server]
(ServerService Thread Pool -- 29) WFLYSRV0010: Deployed
"mycompnay-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar"
(runtime-name
:"mycompany-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar")`
* When I go in the *Identity Providers* panel, the new provider is
visible in the "Add provider ..."
But when I try to configure it, Keycloak redirects me to the resource
not found error page
The problem is that Keycloak outputs strictly no logs (even when I
configure log level to the max).
In my project, I have the following code organization (which gets
replicated in the jar-with-dependencies):
+---src
    +---build
    |   \---assembly
    +---main
    |   +---java
    |   |   \---com
    |   |       \---mycompany
    |   |           \---mygroup
    |   |               \---security
    |   |                   \---oidc
    |   \---resources
    |       +---META-INF
    |       |   \---services
    |       \---themes
    |           \---base
    |               \---admin
    |                   \---resources
    |                       \---partials
    \---test
        +---java
        \---resources
What am I missing?
I've already asked this question on StackOverflow (here:
https://stackoverflow.com/q/52757115/15619), and that's why the
formatting is quite poor, but Sebastien Blanc redirected me here (thanks
a lot Sebastien!)
Thanks a lot!
[1]:
https://www.keycloak.org/docs/4.5/server_development/index.html#using-the...
[2]: https://hub.docker.com/r/jboss/keycloak/
[3]: https://github.com/Reventl0v/KeycloakCAS
6 years, 2 months
Spring boot application with keycloak
by paolo lizarazu
Hi All,
I have a spring boot application that uses the keycloak adapter to handle
security; here is the scenario.
Keycloak 4.2.0
- has a realm and a client configured as confidential with a generated secret,
running in a docker container
- the spring boot application runs on my local machine and has the secret
and the required keycloak properties configured
- the spring boot app has
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// class name is a placeholder; the post only says it extends KeycloakWebSecurityConfigurerAdapter
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
            .antMatchers("/customers*", "/users*")
            .hasAnyRole("USER", "ADMIN", "user", "admin", "users")
            .anyRequest()
            .permitAll();
    }
}
on KeycloakWebSecurityConfigurerAdapter, as you can see we are requiring
roles for the /customers* and /users* paths.
When I go to localhost:8080/users the application is redirected to the keycloak
login page and after a successful login the page shows a 403 error; the log
shows the connection with keycloak was fine but it seems I have an anonymous
user in my request.
I think my user gets a session and this should save the token? Sorry if this
is a beginner question.
Any help would be appreciated.
6 years, 2 months
Probable bug in permissions evaluation
by David Erie (US)
Hello,
I believe I found a bug in the permissions evaluation engine, and I didn't see anything in JIRA about this. I am running Keycloak 4.3.0.Final.
I configured some permissions such that a user would have access to the read scope on one resource, but not on another. When I evaluate permissions on each of the resources and read scope by themselves, they are properly granted and denied, as expected. However, when I evaluate both resources at the same time, the result is wrong, and it depends on the order in which I add the resources. If I add the allowed resource first, then they are both granted, but if I add the forbidden resource first, then they are both denied. What I expected is that one is allowed and the other is denied, regardless of the order I add them to the request.
I have verified this in the admin console and the REST and Java APIs, and it produces the same broken result.
Unless I'm missing something, this is a critical bug that would impact our planned usage of Keycloak.
Thank you,
Dave
6 years, 2 months
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app (using its own user management) to
support SSO.
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is this: is Keycloak designed in a way that it can fulfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
6 years, 2 months