October 2018 - keycloak-user - Jboss List Archives

Java admin client API - encrypt password

by Andreas Lau

Hey community, I have a program that has to create user accounts programmatically. So I use the keycloak java client api like this: Keycloak kc = KeycloakBuilder.builder() .serverUrl("http://your.keycloak.domain/auth") .realm("master") .username("admin") .password("secret") .clientId("admin-cli") .resteasyClient( new ResteasyClientBuilder() .connectionPoolSize(10).build() ).build(); UserRepresentation userRepresentation = new UserRepresentation(); String email = "test(a)test.de"; userRepresentation.setEmail(email); userRepresentation.setUsername(email); kc.realm("myclientapp").users().create(userRepresentation); I have a couple of questions regarding the code: - Is this a proper way of using the java client api? - Is there a way of encrypt the password (I am usually not a big fan of dealing with clear text passwords inside the code)? - Currently I use the master admin user to connect to keycloak. How can I create, and restrict a user-mgmt-admin that is restricted to only handle user mgmt tasks? I hope some of you can provide me some help, Thanks in advance. Andreas

6 years, 2 months

1
0
0 / 0

Could not obtain grant code: 401:Unauthorized on access to protected url behind reverse proxy

by Roman O

Hi, would be happy if you can help me. I'm trying to access protected by Keycloak url - */hello* in the browser. The url is served by the node.js app This error is thrown by the following code <https://github.com/keycloak/keycloak-nodejs-connect/blob/54815e742a931fe6...> : after the following sequence of actions: 1) adding client and user to keycloak to KeyCloak master realm 2) protecting express node.js app's url: var Keycloak = require('keycloak-connect'); let kcConfig = { clientId: 'test_ui', // secret : "d31c4718-12e9-407b-9bf2-cb72734a23f0", public: true, serverUrl: https://127.0.0.1/auth, resource: "test_ui", realm: 'master'}var session = require('express-session');var memoryStore = new session.MemoryStore() var keycloak = new Keycloak( {store : memoryStore}, kcConfig); this.app.use(session({ secret: 'mySecret', // resave: false, // saveUninitialized: true, store: memoryStore })); this.app.use( keycloak.middleware() );this.app.get( '/hello', keycloak.protect()); 3) accessing the protected url in the browser, being redirected to Keycloak login screen, authenticating... then ther error is popped. The following sequence of requests is seen in the wireshark: /auth/realms/master/protocol/openid-connect/auth?client_id=test_ui&state=504b250d-8616-4685-8c8d-5032713c883a&redirect_uri=https://127.0.0.1/hello/auth_callback&scope=openid&response_type=code after the authentication in login screen: /auth/realms/master/login-actions/authenticate?session_code=TwhsWxUig85PFHfiv-31OTHQl3aApD6z0lMdOr8hgDc&execution=d58a2cad-2be2-4797-b35a-d7b606945b14&client_id=test_ui&tab_id=ywQfz51qnM0 I thought about adding sslRequired: "none" to kcConfig, but doing seems to have no effect. Tried to use also confidential client instead of the public one to no avail. *package.json* contents: "express": "4.16.2","keycloak-connect" : "4.3.0","express-session" : "1.15.6" Keycloak 4.3 is used. What is the cause of the issue and how to fix this error? *Update* Added process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; to *node.js* app following response <http://lists.jboss.org/pipermail/keycloak-user/2018-April/013667.html> in Keycloak mailing list and now getting error: Could not obtain grant code: 401:Unauthorized I tried to use the the example <https://github.com/keycloak/keycloak-nodejs-connect/tree/54815e742a931fe6...>. It works without using the proxy (getting access token, etc...) But when the same code is run behind reverse proxy, getting the same error as above. Manually exchanging the authorization code extracted from the request which results in error for token using PostMan works as well. How to cause the example app to work behind reverse proxy. Regards Thanks in advance.

6 years, 2 months

1
0
0 / 0

CDI weld subsystem not enabled by default

by Juan Pablo Perata

Hi, I wonder why CDI subsystem is not enabled in keycloak standalone.xml by default? Any inconvenients? Thanks, Juan

6 years, 2 months

1
0
0 / 0

Keycloak invalid redirect_uri with port 0?

by Dean Poulin

Hi everyone, First email to the group here. I’ve been heavily underway implementing Keycloak for my app’s auth needs and very impressed with the product. I’ve delayed emailing the group until I’ve spent hours of time trying to figure out this weird issue I’m experiencing. This might not be the best place to post this, but figured I’d start here. For some reason, when I visit my spring boot webapp that’s protected by keycloak it’s redirecting to keycloak as expected but the redirect_uri is being set with a port of 0 which is causing me to get an error on the keycloak login page saying “invalid redirect_uri.” I’ve googled this and I’ve found some people having similar issues, but couldn’t find solutions (e.g. https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...>, https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...>). My prod/test environment uses an nginx reverse proxy in front of my apps. I followed these steps: https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... <https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...>. The url that was throwing that error looked like this (see the port of 0 in the url): https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... <https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...>%3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid The keycloak logs contained this error for the above url: Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/> standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri=https://www.example.com <https://www.example.com/>:0/sso/login As you can see for some reason the redirect_uri is being set with a port of 0. I put in the url with port 0 (https://www.example.com:0/sso/login <https://www.example.com:0/sso/login>) into the keycloak client config under Valid Redirect URIs and that removed the invalid redirect_url issue and the login page was now rendering without an error. However, when the redirect is performed after login, the browser gets screwed up with having port 0 in there… Google Chrome has this error: This site can’t be reached The webpage at https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... <https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...> might be temporarily down or it may have moved permanently to a new web address. ERR_ADDRESS_INVALID Here’s my architecture: USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8042* —> SPRING BOOT APP (v2.0.5.RELEASE) USER —> *HTTPS Standard Port 443* —> NGINX —> *HTTP Port 8080* —> KEYCLOAK SERVER (v4.4.0.Final) Spring Boot App: <dependency> <groupId>org.keycloak.bom</groupId> <artifactId>keycloak-adapter-bom</artifactId> <version>4.4.0.Final</version> <type>pom</type> <scope>import</scope> </dependency> ... <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-spring-boot-starter</artifactId> </dependency> Config yaml: keycloak: auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth> realm: my-app public-client: true resource: my-client ssl-required: external Nginx is configured as a reverse proxy with these settings for the spring boot app: upstream app { server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; } server { listen 443; server_name www.example.com <http://www.example.com/>; ... location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port 443; proxy_next_upstream error timeout invalid_header http_500; proxy_connect_timeout 2; proxy_pass http://app <http://app/>; } } Nginx is configured as a reverse proxy with these settings for the keycloak server: upstream sso { server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; } server { listen 443; server_name sso.example.com <http://sso.example.com/>; ... location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port 443; proxy_next_upstream error timeout invalid_header http_500; proxy_connect_timeout 2; proxy_pass http://sso <http://sso/>; } } My keycloak configuration for standalone.xml has these settings: Undertow config: <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" enable-http2="true" proxy-address-forwarding="true"/> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> <host name="default-host" alias="localhost"> <http-invoker security-realm="ApplicationRealm"/> </host> </server> … Socket Bindings: <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> <socket-binding name="http" port="${jboss.http.port:8080}"/> <socket-binding name="proxy-https" port="443"/> <socket-binding name="https" port="${jboss.https.port:8443}"/> <socket-binding name="txn-recovery-environment" port="4712"/> <socket-binding name="txn-status-manager" port="4713"/> <outbound-socket-binding name="mail-smtp"> <remote-destination host="localhost" port="25"/> </outbound-socket-binding> </socket-binding-group> Thanks for your help, I must have missed something somewhere. I just can’t for the life of me find out where that port 0 is coming from. Dean Poulin Owner & Principal Software Engineer edgewood software email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>

6 years, 2 months

2
5
0 / 0

Re: [keycloak-user] keycloak-user Digest, Vol 58, Issue 18

by Olivier Refalo

unsubscribe > On Oct 5, 2018, at 2:26 PM, keycloak-user-request(a)lists.jboss.org wrote: > > Send keycloak-user mailing list submissions to > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> > or, via email, send a message with subject or body 'help' to > keycloak-user-request(a)lists.jboss.org <mailto:keycloak-user-request@lists.jboss.org> > > You can reach the person managing the list at > keycloak-user-owner(a)lists.jboss.org <mailto:keycloak-user-owner@lists.jboss.org> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: Keycloak invalid redirect_uri with port 0? (Sebastien Blanc) > 2. Re: Too many redirects with remember me checked (Amritha Amarnath) > 3. Custom password policy - i18n messages (Lukasz Lech) > 4. Re: Keycloak invalid redirect_uri with port 0? (Dean Poulin) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 5 Oct 2018 11:37:29 +0200 > From: Sebastien Blanc <sblanc(a)redhat.com <mailto:sblanc@redhat.com>> > Subject: Re: [keycloak-user] Keycloak invalid redirect_uri with port > 0? > To: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> > Cc: keycloak userlist <keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>> > Message-ID: > <CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA(a)mail.gmail.com <mailto:CAMZCGg-L5cCCnsR_9TkkxAD5DJRyrgZc=Lo7b1rFMOCFJ7M2JA@mail.gmail.com>> > Content-Type: text/plain; charset="UTF-8" > > TBH No idea if it helps in your case but there is a config property called > "redirect-rewrite-rules" that may help you : > https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt... <https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapt...> > > > On Fri, Oct 5, 2018 at 11:30 AM Dean Poulin <dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> > wrote: > >> Hi, >> >> I?ve tried a couple things in that comment so far: >> >> 1) Verified I?m sending through the headers and the spring boot app is >> receiving the headers: >> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: 2018-10-05 >> 05:15:27.576 INFO 25117 --- [nio-8042-exec-2] >> a.c.u.server.controller.IndexController : host=www.example.com <http://www.example.com/> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-real-ip=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-for=1.2.3.4 >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-proto=https >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-host=www.example.com <http://www.example.com/> >> Oct 05 05:15:27 server01.edgewoodsoftware.com <http://server01.edgewoodsoftware.com/> java[25117]: >> x-forwarded-port=443 >> >> I tried setting the spring boot keycloak config setting: >> >> keycloak.ssl-required = none >> >> That did remove the port 0 in the redirect_uri being generated but it also >> set the redirect uri to be http instead of https, which seems like it?d be >> bad. I do have nginx set to redirect all http requests to https anyway. >> >> Is there something else I need to do to get the spring boot app to >> generate the correct redirect_uri with https? There must be like some magic >> config setting I?ve missed somewhere. I?ll keep digging and share what I >> find. >> >> Thanks, >> >> Dean Poulin >> Owner & Principal Software Engineer >> edgewood software >> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> >> >> >> On Oct 5, 2018, at 4:52 AM, Sebastien Blanc <sblanc(a)redhat.com <mailto:sblanc@redhat.com>> wrote: >> >> Hi, >> >> We have a ticket concerning the 0 added as port : >> https://issues.jboss.org/browse/KEYCLOAK-7237 <https://issues.jboss.org/browse/KEYCLOAK-7237> but we still need to plan >> it to work on it. But look at the comments, looks like there are some >> workarounds for now (the last comment). >> >> Sebi >> >> >> On Fri, Oct 5, 2018 at 10:45 AM Dean Poulin <dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> >> wrote: >> >>> Hi everyone, >>> >>> First email to the group here. I?ve been heavily underway implementing >>> Keycloak for my app?s auth needs and very impressed with the product. I?ve >>> delayed emailing the group until I?ve spent hours of time trying to figure >>> out this weird issue I?m experiencing. This might not be the best place to >>> post this, but figured I?d start here. >>> >>> For some reason, when I visit my spring boot webapp that?s protected by >>> keycloak it?s redirecting to keycloak as expected but the redirect_uri is >>> being set with a port of 0 which is causing me to get an error on the >>> keycloak login page saying ?invalid redirect_uri.? >>> >>> I?ve googled this and I?ve found some people having similar issues, but >>> couldn?t find solutions (e.g. >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...> >>> < >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...>>, >>> >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...> >>> < >>> https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add... <https://stackoverflow.com/questions/51121234/keycloak-redirect-uri-is-add...> >>>> ). >>> >>> My prod/test environment uses an nginx reverse proxy in front of my apps. >>> >>> I followed these steps: >>> https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... <https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...> >>> < >>> https://www.keycloak.org/docs/latest/server_installation/index.html#_sett... <https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...> >>>> . >>> >>> The url that was throwing that error looked like this (see the port of 0 >>> in the url): >>> >>> >>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... <https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...> >>> < >>> https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r... <https://sso.example.com/auth/realms/my-app/protocol/openid-connect/auth?r...> >>>> %3A0%2Fsso%2Flogin&state=c4a0f8fc-8ac7-4da0-a82c-e58bc7107f5d&login=true&scope=openid >>> >>> The keycloak logs contained this error for the above url: >>> >>> Oct 05 02:39:40 sso01.example.com <http://sso01.example.com/> <http://sso01.example.com/ <http://sso01.example.com/>> >>> standalone.sh[20517]: 02:39:40,888 WARN [org.keycloak.events] (default >>> task-21) type=LOGIN_ERROR, realmId=my-app, clientId=my-client, userId=null, >>> ipAddress=123.111.222.111, error=invalid_redirect_uri, redirect_uri= >>> https://www.example.com <https://www.example.com/> <https://www.example.com/ <https://www.example.com/>>:0/sso/login >>> >>> As you can see for some reason the redirect_uri is being set with a port >>> of 0. >>> >>> I put in the url with port 0 (https://www.example.com:0/sso/login <https://www.example.com:0/sso/login> < >>> https://www.example.com:0/sso/login <https://www.example.com:0/sso/login>>) into the keycloak client config >>> under Valid Redirect URIs and that removed the invalid redirect_url issue >>> and the login page was now rendering without an error. >>> >>> However, when the redirect is performed after login, the browser gets >>> screwed up with having port 0 in there? Google Chrome has this error: >>> >>> This site can?t be reached >>> The webpage at >>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... <https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...> >>> < >>> https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71... <https://www.example.com:0/sso/login?state=c4a0f8fc-8ac7-4da0-a82c-e58bc71...>> >>> might be temporarily down or it may have moved permanently to a new web >>> address. >>> ERR_ADDRESS_INVALID >>> >>> Here?s my architecture: >>> >>> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8042* >>> ?> SPRING BOOT APP (v2.0.5.RELEASE) >>> >>> USER ?> *HTTPS Standard Port 443* ?> NGINX ?> *HTTP Port 8080* >>> ?> KEYCLOAK SERVER (v4.4.0.Final) >>> >>> Spring Boot App: >>> >>> <dependency> >>> <groupId>org.keycloak.bom</groupId> >>> <artifactId>keycloak-adapter-bom</artifactId> >>> <version>4.4.0.Final</version> >>> <type>pom</type> >>> <scope>import</scope> >>> </dependency> >>> >>> ... >>> >>> <dependency> >>> <groupId>org.keycloak</groupId> >>> <artifactId>keycloak-spring-boot-starter</artifactId> >>> </dependency> >>> >>> Config yaml: >>> >>> keycloak: >>> auth-server-url: https://sso.example.com/auth <https://sso.example.com/auth> < >>> https://sso.example.com/auth <https://sso.example.com/auth>> >>> realm: my-app >>> public-client: true >>> resource: my-client >>> ssl-required: external >>> >>> >>> >>> Nginx is configured as a reverse proxy with these settings for the spring >>> boot app: >>> >>> upstream app { >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8042 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name www.example.com <http://www.example.com/> <http://www.example.com/ <http://www.example.com/>>; >>> >>> ... >>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://app <http://app/> <http://app/ <http://app/>>; >>> } >>> } >>> >>> Nginx is configured as a reverse proxy with these settings for the >>> keycloak server: >>> >>> >>> upstream sso { >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> server 1.2.3.4:8080 max_fails=1 fail_timeout=60s; >>> } >>> >>> server { >>> listen 443; >>> server_name sso.example.com <http://sso.example.com/> <http://sso.example.com/ <http://sso.example.com/>>; >>> >>> ... >>> >>> location / { >>> proxy_set_header Host $host; >>> proxy_set_header X-Real-IP $remote_addr; >>> proxy_set_header X-Forwarded-For >>> $proxy_add_x_forwarded_for; >>> proxy_set_header X-Forwarded-Proto $scheme; >>> proxy_set_header X-Forwarded-Host $host; >>> proxy_set_header X-Forwarded-Port 443; >>> proxy_next_upstream error timeout invalid_header http_500; >>> proxy_connect_timeout 2; >>> >>> proxy_pass http://sso <http://sso/> <http://sso/ <http://sso/>>; >>> } >>> } >>> >>> My keycloak configuration for standalone.xml has these settings: >>> >>> Undertow config: >>> >>> <server name="default-server"> >>> <http-listener name="default" socket-binding="http" >>> redirect-socket="proxy-https" enable-http2="true" >>> proxy-address-forwarding="true"/> >>> <https-listener name="https" socket-binding="https" >>> security-realm="ApplicationRealm" enable-http2="true"/> >>> <host name="default-host" alias="localhost"> >>> <http-invoker security-realm="ApplicationRealm"/> >>> </host> >>> </server> >>> >>> ? >>> >>> Socket Bindings: >>> >>> <socket-binding-group name="standard-sockets" default-interface="public" >>> port-offset="${jboss.socket.binding.port-offset:0}"> >>> <socket-binding name="management-http" interface="management" >>> port="${jboss.management.http.port:9990}"/> >>> <socket-binding name="management-https" interface="management" >>> port="${jboss.management.https.port:9993}"/> >>> <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> >>> <socket-binding name="http" port="${jboss.http.port:8080}"/> >>> <socket-binding name="proxy-https" port="443"/> >>> <socket-binding name="https" port="${jboss.https.port:8443}"/> >>> <socket-binding name="txn-recovery-environment" port="4712"/> >>> <socket-binding name="txn-status-manager" port="4713"/> >>> <outbound-socket-binding name="mail-smtp"> >>> <remote-destination host="localhost" port="25"/> >>> </outbound-socket-binding> >>> </socket-binding-group> >>> >>> >>> >>> >>> >>> Thanks for your help, I must have missed something somewhere. I just >>> can?t for the life of me find out where that port 0 is coming from. >>> >>> >>> Dean Poulin >>> Owner & Principal Software Engineer >>> edgewood software >>> email: dean(a)edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com> <mailto:dean@edgewoodsoftware.com <mailto:dean@edgewoodsoftware.com>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> >> >> >> > > > ------------------------------ > > Message: 2 > Date: Fri, 5 Oct 2018 15:45:30 +0530 (GMT+05:30) > From: Amritha Amarnath <amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com>> > Subject: Re: [keycloak-user] Too many redirects with remember me > checked > To: Martin Kanis <mkanis(a)redhat.com <mailto:mkanis@redhat.com>> > Cc: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > Message-ID: > <3312779.577271538734530914.JavaMail.root(a)atmail.amritatech.com <mailto:3312779.577271538734530914.JavaMail.root@atmail.amritatech.com>> > Content-Type: text/plain; charset="utf-8" > > > Hello , > > > > Application is using keycloak-4.1.0.Final . For keycloak log please find attachment > > > > -- > With Regards, > Amms > > > > ----- Original Message ----- > From: "Martin Kanis" <mkanis(a)redhat.com <mailto:mkanis@redhat.com>> > To: "amritha amarnath" <amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com>> > Cc: keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > Sent: Friday, October 5, 2018 2:02:36 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi > Subject: Re: [keycloak-user] Too many redirects with remember me checked > > > Hello, > > > what version of Keycloak do you have? Can you provide a Keycloak log? > > > Regards, > Martin > > > On Fri, Oct 5, 2018 at 8:51 AM Amritha Amarnath < amritha_amarnath(a)amritatech.com <mailto:amritha_amarnath@amritatech.com> > wrote: > > > > > > Hello, > > > My application have been deployed in Wildfly 11 and is integrated with standalone Keycloak and works fine. But the issue is, when the application is logged in with Remember-me checkbox checked, its showing too many redirects when restart the browser , even though the user session is valid. It leads to logout my application session manually from keycloak admin console. > > Wildfly log says: Account was not in session, returning null , there was no code > > > Once the user session also get expired its showing the login page with pre-filled username and remember-me checked as expected. > > > I am new to keycloak. So any idea regarding too many redirects with remember-me checked ? > > -- > With Regards, > Amms > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user> > > > > >

6 years, 2 months

1
0
0 / 0

Keycloak and Kubernetes

by Fox, Kevin M

I saw in the most recent CNCF TOC meeting notes, that there is a good amount of Kubernetes/OpenShift based Keycloak deployments. How are these being done? The example demo youtube link looks to just be kubectling stuff. What is the recommended way to do this? Is the helm chart at github.com/helm/charts/tree/master/stable/keycloak the way this is usually done? Some other way? Thanks, Kevin

6 years, 2 months

2
5
0 / 0

Private Address ranges

by Graham Burgess

I know that Keycloak, if configured to, will allow HTTP traffic (instead of HTTPS) from private address ranges. Is there a way to add to that list? Use case: My K8s cluster uses 100.64.0.0/10 for containers and for short while I would like to allow HTTP from that range too. Longer term, I am going to implement TLS but that isn't quite at the top of the roadmap yet. Best regards, Graham Burgess RΛZΞR|stormmore Sr. DevOps Engineer (USA) Email: graham.burgess(a)razer.com DID: (415) 374 0639 [http://assets.razerzone.com/email/email-sig.jpg] Razer.com<https://www.razer.com/> | Razer Game Store<https://gamestore.razer.com/> | Razer Insider<https://insider.razer.com/> | Razer zVault<https://zvault.razer.com/> [https://upload.wikimedia.org/wikipedia/commons/thumb/c/c2/F_icon.svg/200p...]<https://www.facebook.com/Razer> [Twitter_Social_Icon_Rounded_Square_Color] <https://twitter.com/Razer> [glyph-logo_May2016] <https://www.instagram.com/razer/> [youtube_social_squircle_red] <https://www.youtube.com/Razer?sub_confirmation=1> Razer Inc. (San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300 Razer Inc. Stock Code: 1337.HK IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

6 years, 2 months

1
0
0 / 0

SamlAuthenticatorValve in apache tomee for a ear application

by Luis Rodríguez Fernández

Hello there, OS Version: CentOS Linux release 7.5.1804 (Core) 3.10.0-862.11.6.el7.x86_64 Server version: Apache Tomcat/8.5.32 (TomEE 7.0.5) Keycloak: 4.2.1 final Tomcat SAML adapter: org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve The adapter is working, great, piece of cake, thank you keycloack crew! However I have a big .ear application composed by multiple modules (.war). Some modules use resources (.js, .css, images, etc) from other modules and this resources are protected. For instance: /Document/Claims/TravelRequest wants to use a calendar.gif that is stored in the /main application. This last one declares "/*" as the url-pattern in its security-constraint and is also secured with the SamlAuthenticatorValve. I have tried enabling at the same time the "org.apache.catalina.authenticator.SingleSignOn in tomcat but no luck. Also forcing "/" via the tomcat global context (sessionCookiePath="/"), no luck either, sigh... Any thoughts on this? Thanks in advance, Luis -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

6 years, 2 months

1
0
0 / 0

Using your SPI provider instead of default one

by Lukasz Lech

Hello, There is something that I have missed in provider's documentation ( https://www.keycloak.org/docs/3.3/server_development/topics/providers.htm ). I've implemented my own SPI (EmailTemplateProvider -mock implementation that logs on console using slf4j instead of sending anything). I've dropped jar in deployments folder. I see message my SPI got registerd and it's listed in server info. However, when I try to register, a default (freemarker) email template provider is called. How can I choose, which SPI will be used for my realm? Or there can be only one? Best regards, Lukasz Lech

6 years, 2 months

2
3
0 / 0

Restricting access to the Keycloak Admin Console

by hugh shangguan

Hi there, Is there any way to configure Keycloak so that the admin console is not accessible from a remote IP? Basically, I'd like to set it up Keycloak admin console where you can access it locally on the server but cannot access it remotely. This process is just like that setup your Keycloak admin console at the first time. For the authentication, users still can login remotely to Keycloak server for tokens. Any help? Cheers. -- Hugh Zhaohui Shangguan

6 years, 2 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2018