Using impersonation API to obtain token for public client
by Nuanced Actor
Hi!
I have webapp1 which has to authenticate against a legacy backend, and won't
be integrated with Keycloak for the foreseeable future.
So, upon successful authentication, I use the impersonate API to get an
access token for the current user.
Later on, the user will open webapp2 from webapp1. The user should not have
to perform a login in Webapp2. Webapp2 uses the Keycloak Javascript
adapter. I use the access/refresh token I gained earlier to initialize the
adapter. It sends the refresh token to the token endpoint, but gets a
status code 400 error "Unmatching clients".
Request:
grant_type=refresh_token
refresh_token=<encoded token>
client_id=webapp2
These are the relevant fields from the token:
aud: "webapp2"
azp: "impersonator"
So I guess the problem is that azp does not match client_id. In order to
get a token for the correct client, I use the token exchange endpoint and
the access token I got via the impersonation API:
map.add("client_id", impersonator)
map.add("client_secret", <impersonator_secret>)
map.add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
map.add("subject_token",<access token>)
map.add("audience", "webapp2")
That gives me a new token, but for the same client. At this point I'm
stumped and pretty sure I misunderstood something basic. Can anybody give
me a pointer in the right direction?
Cheers,
Till
6 years, 2 months
Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time
by Bruce Wings
Steps:
1. After obtaining a token from keycloak, I am able to
authenticate/authorize user with this token.
2. After some time (15-20 minutes), I start receiving *"Failed to
policy decisions"*. If the same token was valid a few minutes before,
shouldn't I get the "*token expired*" message instead of "*Failed to
enforce policy decisions*"?
My access token lifespan is set to 8 hours. Still I see this behavior after
just 15-20 minutes. Attached image for token expiry settings:
[image: image.png]
6 years, 2 months
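Both of the posts above come down to reading what is actually stamped inside the token before sending it to the token endpoint: the first poster suspects that the azp (authorized party) claim names the impersonator client rather than webapp2, and the second wants to see whether the exp claim really matches the configured 8-hour lifespan. The following is an added example, not code from the original posts or from Keycloak. It decodes the payload of a compact JWS without verifying the signature (inspection only; Keycloak still verifies the signature when the token is presented) and reports expiry, azp and aud mismatches for a given client_id. The demo claims are constructed, modelled on the two fields quoted in the first post; the preferred_username value and the make_demo_token helper are assumptions for the demo.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS *without* verifying the signature.

    This only inspects a token you already hold; the issuer (Keycloak) still
    verifies the signature when the token is sent back to it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, client_id: str, now: Optional[int] = None) -> List[str]:
    """List reasons the token endpoint may reject `token` when presented by `client_id`.

    Checks, in order: expiry (`exp`), the authorized party (`azp`, the client the
    token was issued to) against the client making the request, and whether that
    client is among the audiences (`aud`).
    """
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    findings: List[str] = []

    exp = claims.get("exp")
    if exp is not None and exp <= now:
        findings.append(f"expired: exp={exp} <= now={now}")

    azp = claims.get("azp")
    if azp is not None and azp != client_id:
        findings.append(f"azp mismatch: issued to '{azp}', presented by '{client_id}'")

    # aud may be a single string or a list of strings.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        findings.append(f"'{client_id}' not in aud {aud}")
    return findings


def make_demo_token(claims: dict) -> str:
    """Build a constructed token with a fake signature for offline demos only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'constructed-signature')}"


# Constructed claims modelled on the two fields quoted in the first post (exp is 2100-01-01).
DEMO_CLAIMS = {"aud": "webapp2", "azp": "impersonator", "exp": 4102444800,
               "preferred_username": "till"}

if __name__ == "__main__":
    token = make_demo_token(DEMO_CLAIMS)
    for client in ("webapp2", "impersonator"):
        print(client, diagnose_token(token, client, now=1700000000))
```

Run it against a real token by passing the string from the impersonation or token-exchange response to diagnose_token together with the client_id the adapter will use; an empty list means the three claims are consistent with that client, and a non-empty one shows which claim to look at in the Keycloak client settings (authorized party on one side, audience mapper and token lifespan on the other).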
Helps
by Fabio Ebner
Can someone help me to secure my project?
I have one Spring Boot REST API (my backend)
and one front-end in Vue.js.
So, when my user tries to access my app, I want him to get a token from
Keycloak and, with this token, access my REST API, and in my REST API I need
to get the user's info (name, email, etc.)
tks
6 years, 2 months
keycloak 4.5 client integration with spring boot and spring security problem
by ZKX
We are doing a POC with a Spring Boot/Security project with Keycloak.
Initially we only had keycloak-spring-boot-starter without a direct reference to Spring Security. It is very straightforward, just setting the Keycloak properties in the application.properties file.
Later on we needed to use @PreAuthorize("hasRole('admin')") to enforce security checks on some services; therefore, we added the Spring Security library with additional security configuration,
as mentioned in the Keycloak documentation, mostly as described in this tutorial: https://www.baeldung.com/spring-boot-keycloak
Everything works fine with Keycloak 4.3/4.4; we can still use the Keycloak config in the application.properties file together with Spring Security, since we had the following code in our Spring Boot configuration:
    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
However, we recently upgraded our Spring Boot Keycloak starter to 4.5, and our application fails to start with the following error:
Error creating bean with name 'KeycloakSpringBootConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
Just wondering how to resolve this? Has anyone used Spring Boot with Spring Security together with the Keycloak starter 4.5 successfully?
Thanks, Kevin
6 years, 2 months
invalid_code error when using openidconnect.net to test auth code flow
by David Erie (US)
Hello,
I am using https://openidconnect.net to test out the authorization code flow on my Keycloak installation, but I am always getting this error in the log and no token in the response:
type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=..., error=invalid_code
Here's an example of the request:
POST http://myserver:8447/auth/realms/myrealm/protocol/openid-connect/token
grant_type=authorization_code
&client_id=oidc-playground
&client_secret=19709e24-cac8-4ece-8b03-0a40e5c0c765
&redirect_url=https://openidconnect.net/callback
&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..w7Pc9yB_htF5F2_cgqDtZA.Ru7B5B-MgYT6mbGy8ykT2dyFVPRSj11HvgJV6rrFownvVUjKYQ90FaiU17rCxpREWC-znDyhzsz4gV7thmz2okswrIUezzgCtzzRqiXo8EidSFZk51qrs1C7UiYklQjMdqyt0qcDRtuhv6eV8YE-t31l3eeuMmKKrT6ikGy_HazJpoOamGyKbGQBGqaJoi8-dNmTVORC7mVHcvX7IEECA0RaSY-gAoNEFPy4ViaGX0JvHGUjUByFsOrQHUea9Fgm.TZbp9Kkt8IEB_JrOALBCYg
Any help would be appreciated.
Thanks,
Dave
6 years, 2 months
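The request quoted above carries a parameter named redirect_url, while the parameter the token endpoint defines for the authorization code grant is redirect_uri (RFC 6749 section 4.1.3; OpenID Connect Core uses the same name). RFC 6749 section 3.2 requires the server to ignore parameters it does not recognise, so a near-miss name does not produce a "bad parameter" error; it shows up only as the expected parameter being absent. The following is an added example, not code from the original post or from Keycloak or openidconnect.net: a small checker for a form-encoded token request that flags unknown parameter names with a spelling hint and lists the required parameters that are missing. The sample request is constructed after the one in the post; the client secret and code are placeholders, and treating redirect_uri as required assumes the authorization request carried one, which a browser-redirect flow does.

```python
from difflib import get_close_matches
from typing import List
from urllib.parse import parse_qs

# Parameters a token endpoint accepts for the authorization_code grant:
# RFC 6749 section 4.1.3 (grant_type, code, redirect_uri, client_id),
# client_secret for confidential clients authenticating in the body
# (RFC 6749 section 2.3.1) and code_verifier for PKCE (RFC 7636).
KNOWN_PARAMS = sorted({"grant_type", "code", "redirect_uri", "client_id",
                       "client_secret", "code_verifier"})
# redirect_uri is required whenever the authorization request carried one;
# this checker assumes it did, as a browser-redirect flow always does.
REQUIRED_PARAMS = sorted({"grant_type", "code", "redirect_uri", "client_id"})


def check_token_request(body: str) -> List[str]:
    """Return findings for a form-encoded authorization_code token request body.

    An empty list means every parameter name is one the endpoint understands
    and every required parameter is present.
    """
    form = parse_qs(body, keep_blank_values=True)
    findings: List[str] = []

    grant = form.get("grant_type", [""])[0]
    if grant != "authorization_code":
        findings.append(f"grant_type is '{grant}', expected 'authorization_code'")

    # Unrecognised names are ignored by the server (RFC 6749 section 3.2), so a
    # typo such as redirect_url only surfaces as a missing redirect_uri.
    for name in sorted(form):
        if name not in KNOWN_PARAMS:
            hint = get_close_matches(name, KNOWN_PARAMS, n=1, cutoff=0.8)
            suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"unknown parameter '{name}'{suggestion}")

    for name in REQUIRED_PARAMS:
        if name not in form:
            findings.append(f"missing required parameter '{name}'")
    return findings


# Constructed request modelled on the one in the post; secret and code are placeholders.
SAMPLE_REQUEST = "&".join([
    "grant_type=authorization_code",
    "client_id=oidc-playground",
    "client_secret=PLACEHOLDER_CLIENT_SECRET",
    "redirect_url=https%3A%2F%2Fopenidconnect.net%2Fcallback",
    "code=PLACEHOLDER_AUTHORIZATION_CODE",
])

if __name__ == "__main__":
    for finding in check_token_request(SAMPLE_REQUEST):
        print(finding)
```

Paste the body of the failing POST (with the real secret and code left out) into check_token_request; on the sample above it reports the unknown redirect_url together with the missing redirect_uri, and returns an empty list once the name is corrected. Keycloak also compares the redirect_uri sent to the token endpoint with the one used in the authorization request, so the value must match exactly, not just the parameter name.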
Scalability of Keycloak Access Mgmt system for Self-care users
by kedar.budukh@ericsson.com
Hi,
I am currently evaluating Keycloak as an IdM and Access Management
system. My client is a Telecom Service Provider and has a requirement to
support Self-care users with an expected volume of 60 to 80 million users
and approximately 2000 to 3000 login requests per second. I want to use
Keycloak to authenticate and authorize (RBAC) end users using OpenID
Connect.
I tried searching for information on Keycloak scalability with a relational DB
or directory services and its performance; however, I did not find much
information about it.
The Keycloak documentation talks about the clustering feature, but the stats are
not given.
Can someone please help me, as per your experience with Keycloak performance
and scalability, to support Self-care users of 60 to 80 million volume?
Also, kindly suggest if I should consider any other IdM and Access
Management system with the above scalability requirement for my evaluation.
Thanks and Regards,
Kedar
6 years, 2 months
Keycloak as an LDAP server
by Victor Bail
Hi all,
I wanted to know if Keycloak can act as an LDAP server. I mean, after syncing
Keycloak with an LDAP server, will we be able to query Keycloak in the same
way as we query an LDAP server?
Can I configure Keycloak as an LDAP server in a remote device? For example,
with a printer, so the printer can sync all users with Keycloak, syncing
once per day to keep the users updated?
Thanks!
Victor.
6 years, 2 months
Is the Entitlement API deprecated?
by Ratna Kamireddy
Hi folks,
Thanks for accepting my request. Here is my first question.
We were looking at the Entitlement API documentation and by mistake we started
looking at the Entitlement API documentation for 3.3 and tried to test the API below:
http://localhost:8081/auth/realms/development/authz/entitlement/masterdata
or
GET /auth/realms/development/authz/entitlement/masterdata HTTP/1.1
Host: localhost
Content-Type: application/json
cache-control: no-cache
Postman-Token: 0dd585f5-f2e5-447a-99a9-3e7281856b6a
We are getting a 404 exception. After a while I found that we were looking at 3.3,
checked the latest docs and found that there is no Entitlement API, but I see it
in the architecture diagram.
Please let me know what I am missing here.
Regards
Ratna
6 years, 2 months
Keycloak SAML tomcat adapter and correct log-out
by Leonid Rozenblyum
Hello!
I'm using the Keycloak Tomcat SAML adapter and I have a question related to
the ?GLO=true way of logging out (since Tomcat doesn't implement the full Java EE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside Keycloak is indeed invalidated;
however, the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page can still be loaded.
Is there a robust, documented way to do the logout with the help of the Keycloak
SAML Tomcat adapter?
Thanks
6 years, 2 months