Custom password policy - i18n messages
by Lukasz Lech
Hello,
I've created my own password policy.
It gives back PolicyError with i18n key.
Where should I put the translations for that key? Do I need to append it to themes/base/login/messages/messages_XX.properties or I can provide them in other location (inside the jar, for example)?
Best regards,
Lukasz Lech
5 years, 11 months
Public key for verifying JWT?
by Wyllys Ingersoll
I'm trying to verify a JWT access token from Keycloak using the python
jose-jwt library, but cannot seem to get it to succeed. When using the
HS512 algorithm, how does one retrieve the key needed to verify the JWT
tokens?
The JWT header decodes to something like this: {"alg":"HS512","typ" :
"JWT","kid" : "eb31076b-bce6-495a-9a4b-e3210e14b342"}, but I don't see how
to get the key associated with the given kid value above.
I tried using the "client secret" from the credential section, but that's
not working.
What am I missing?
thanks!
5 years, 11 months
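For the HS family there is no public key to fetch: HS256/384/512 are HMAC constructions, so the verifier needs the same shared secret the issuer used, selected by the kid in the header. The block below is an added example (not from the post, not python-jose and not Keycloak code) showing, with the standard library only, what a safe verifier for such a token has to do: pick the secret by kid, accept only HMAC algorithms from an allow-list (so a token with alg none or an RSA public key can never be passed off as an HMAC key), compare the signature in constant time, and check exp, iss and aud. The secret, kid, issuer and audience values are constructed for the demo; sign_hs exists only to mint the sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment has its own secret and kid.
DEMO_SECRET = b"constructed-client-secret-not-a-real-one"
DEMO_KID = "kid-demo-1"
DEMO_ISS = "https://idp.example/auth/realms/demo"
DEMO_AUD = "my-client"
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JWTError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs(claims: dict, secret: bytes, alg: str = "HS512", kid: str = "") -> str:
    """Mint an HMAC-signed JWT (only used here to build demo tokens)."""
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs(token: str, secrets_by_kid: dict, issuer: str, audience: str, now: float = None) -> dict:
    """Verify an HS256/384/512 token against a shared secret chosen by kid.

    The header alg is used only to pick the hash, and only if it is in HMAC_ALGS;
    "none", RS*, ES* etc. are rejected before any key is looked at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        raise JWTError("bad header")
    digest = HMAC_ALGS.get(header.get("alg"))
    if digest is None:
        raise JWTError("unsupported alg %r" % header.get("alg"))
    secret = secrets_by_kid.get(header.get("kid"))
    if secret is None:
        raise JWTError("unknown kid %r" % header.get("kid"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JWTError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise JWTError("token expired")
    if claims.get("iss") != issuer:
        raise JWTError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("unexpected audience")
    return claims


def _rejected(token: str, keys: dict = None, now: float = 1_700_000_000) -> bool:
    try:
        verify_hs(token, keys or {DEMO_KID: DEMO_SECRET}, DEMO_ISS, DEMO_AUD, now=now)
        return False
    except JWTError:
        return True


def demo() -> dict:
    """Mint one good token and several bad ones; report what the verifier does with each."""
    claims = {"iss": DEMO_ISS, "aud": DEMO_AUD, "sub": "user-1", "exp": 1_700_003_600}
    good = sign_hs(claims, DEMO_SECRET, "HS512", DEMO_KID)
    h, p, s = good.split(".")
    # "alg": "none" attack: same payload, header rewritten, empty signature.
    none_hdr = b64url_encode(b'{"alg":"none","typ":"JWT","kid":"%s"}' % DEMO_KID.encode())
    tampered = b64url_encode(json.dumps(dict(claims, sub="admin")).encode())
    return {
        "good_sub": verify_hs(good, {DEMO_KID: DEMO_SECRET}, DEMO_ISS, DEMO_AUD, now=1_700_000_000)["sub"],
        "wrong_secret_rejected": _rejected(good, {DEMO_KID: b"some-other-secret"}),
        "alg_none_rejected": _rejected(none_hdr + "." + p + "."),
        "tampered_payload_rejected": _rejected(h + "." + tampered + "." + s),
        "expired_rejected": _rejected(good, now=1_700_003_600),
    }
```

The point of the allow-list is that the verifier, not the token, decides which algorithms are acceptable; a verifier that takes alg from the header and loads "whatever key matches" is the classic HMAC/RSA key-confusion bug.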
Authorization: Upgrading to keycloak 4.4 results in {"error":"invalid_scope", "error_description":"Requires uma_protection scope."}
by Bruce Wings
I have upgraded from keycloak 4.3 to keycloak 4.4. I have exported the
realm from 4.3 and imported in 4.4.
The "policy-enforcer": {} in keycloak.json results in *403 : {"error":"invalid_scope","error_description":"Requires uma_protection scope."}*
In keycloak 4.3 everything works fine. I have exported realm and used with
keycloak 4.4, but the policy-enforcer does not work. Is there some extra
step that is needed apart from exporting and importing json?
If I remove policy-enforcer line the app works fine.
*APP code:*
final String KEYCLOAK_JSON = //json path;
InputStream config =
Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
KeycloakInstalled keycloak = new KeycloakInstalled(config);
*Stack trace thrown at the time of starting app:*
java.lang.RuntimeException: Could not find resource
Logged in...
at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:45)
at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:228)
at org.keycloak.adapters.authorization.PolicyEnforcer.configureAllPathsForResourceServer(PolicyEnforcer.java:225)
at org.keycloak.adapters.authorization.PolicyEnforcer.configurePaths(PolicyEnforcer.java:157)
at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:77)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:143)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
at org.keycloak.adapters.installed.KeycloakInstalled.<init>(KeycloakInstalled.java:94)
at com.cadence.adw.common.auth.AuthenticationTest.main(AuthenticationTest.java:138)
Caused by: org.keycloak.authorization.client.AuthorizationDeniedException: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
at org.keycloak.authorization.client.util.Throwables.handleAndWrapHttpResponseException(Throwables.java:96)
at org.keycloak.authorization.client.util.Throwables.handleWrapException(Throwables.java:42)
at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:87)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:181)
at org.keycloak.authorization.client.resource.ProtectedResource.findAll(ProtectedResource.java:226)
... 7 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 403 / Forbidden / Response from server: {"error":"invalid_scope","error_description":"Requires uma_protection scope."}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:175)
at org.keycloak.authorization.client.resource.ProtectedResource$4.call(ProtectedResource.java:172)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:179)
... 8 more
5 years, 11 months
Problem to build Keycloak 4.4.0 and 4.5.0.
by Rafael Weingärtner
Hello Keycloakers,
I have been having some problems building Keycloak 4.4.0 and 4.5.0, and so
far I have not been able to understand it. The error I am having is the
following:
> 20:12:00,549 INFO [org.keycloak.testsuite.ssl.TrustStoreEmailTest]
> [TrustStoreEmailTest] verifyEmailWithSslEnabled() FINISHED
> 20:12:00,554 INFO
> [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removing test
> realms after test class
> 20:12:01,451 INFO
> [org.keycloak.testsuite.arquillian.AuthServerTestEnricher] removed realms:
> test,
> Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 8.545 sec
> - in org.keycloak.testsuite.ssl.TrustStoreEmailTest
> 20:12:01,477 INFO
> [org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow] Stopping
> auth server.
> Results :
> Failed tests:
> JavascriptAdapterTest.fragmentInLoginFunction:564->assertOnTestAppUrl:102
> URL expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.fragmentInURLTest:551->assertOnTestAppUrl:102 URL
> expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.implicitFlowTest:229->assertOnTestAppUrl:102 URL
> expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.loginRequiredAction:326->assertOnTestAppUrl:102 URL
> expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.testGetProfile:164->assertOnTestAppUrl:102 URL
> expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.testLoginWithKCLocale:131->assertOnTestAppUrl:102
> URL expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.testRefreshToken:143->assertOnTestAppUrl:102 URL
> expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> JavascriptAdapterTest.testRefreshTokenIfUnder30s:152->assertOnTestAppUrl:102
> URL expected to begin with:
> http://localhost:8180/auth/realms/test/testing/javascript/index.html;
> actual URL:
> http://localhost:8180/auth/realms/test/login-actions/required-action?exec...
> Tests in error:
>
> JavascriptAdapterTest.grantBrowserBasedApp:206->lambda$grantBrowserBasedApp$99c597a6$2:206
> ? Runtime
> JavascriptAdapterTest.implicitFlowCertEndpoint:283 ? WebDriver
> {"errorMessage"...
> JavascriptAdapterTest.implicitFlowOnTokenExpireTest:270 ? WebDriver
> {"errorMes...
> JavascriptAdapterTest.implicitFlowRefreshTokenTest:258 ? WebDriver
> {"errorMess...
> JavascriptAdapterTest.initializeWithRefreshToken:515 ? WebDriver
> {"errorMessag...
> JavascriptAdapterTest.initializeWithTimeSkew:480 ? WebDriver
> {"errorMessage":"...
> JavascriptAdapterTest.initializeWithTokenTest:453 ? WebDriver
> {"errorMessage":...
> JavascriptAdapterTest.reentrancyCallbackTest:527 ? WebDriver
> {"errorMessage":"...
> JavascriptAdapterTest.testBearerRequest:310 ? WebDriver
> {"errorMessage":"Can't...
> JavascriptAdapterTest.testCertEndpoint:236 ? WebDriver
> {"errorMessage":"Can't ...
> Tests run: 2062, Failures: 8, Errors: 10, Skipped: 195
>
I have no clues on why this is happening. Does anybody here have any ideas
on how to proceed debugging?
The command I am using is the following:
> mvn clean install -Pdistribution
>
My Maven and Java version are the following:
> root@f48b9f8e1312:~/keycloak# mvn --version
> Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe;
> 2018-06-17T18:33:14Z)
> Maven home: /root/apache-maven-3.5.4
> Java version: 1.8.0_181, vendor: Oracle Corporation, runtime:
> /root/jdk1.8.0_181/jre
> Default locale: en_US, platform encoding: ANSI_X3.4-1968
> OS name: "linux", version: "4.4.0-130-generic", arch: "amd64", family:
> "unix"
>
The PhantomJS version is:
> root@f48b9f8e1312:~/keycloak# phantomjs --version
> 2.1.1
>
It is interesting that with the machine (Java, PhantomJS, and Maven) I am
able to build the 4.0.0 version. However, I have not been able to build
4.4.0 at all.
Any help is welcome here :)
--
Rafael Weingärtner
5 years, 11 months
realm templates?
by Wyllys Ingersoll
Does keycloak support the ability to create a "template" of a realm that
can be imported to create a new realm (with a new name and description).
The idea is that we want to be able to quickly provision new realms (think:
a "realm" per unique organization) without having to recreate the
associated clients, roles, scopes, policies, permissions, etc. This will
allow us to have all of the supported realms have the same structure and
rules, but remain in completely isolated namespaces and have unique users
and resource instances.
I have been able to sort-of achieve this using the json created by the
"Partial export" (including groups, roles, and clients) and then editing
the json to change the name of the realm and remove all of the unique "id"
fields to avoid DB conflicts upon import, but that still leaves out the
resource authorization settings (though I suppose those can be exported and
imported as a 2nd step).
thanks,
Wyllys Ingersoll
5 years, 11 months
Set Browser Authentication Order
by Matt Penna
Hello.
We currently are using Keycloak with Kerberos and SAML browser authentication (both set to ALTERNATIVE). We have a requirement to try SAML authentication first then try Kerberos. This works properly when attempting from outside the Kerberos domain. When trying inside the domain Kerberos always wins out. Is it possible to set the authentication order to try SAML first then Kerberos? I am not sure if this is possible or not with Keycloak but wanted more info on if this is possible or not. If it is possible how would we configure this?
Thanks!!!!
5 years, 11 months
Is the Keycloak JavaScript adapter vulnerable to Session fixation?
by Don Reynolds (dreynold)
Hello,
Using the Keycloak JavaScript adapter (keycloak.js) from an HTML5/Angular application, when the login page is displayed, the response header from the "Auth" endpoint includes a "Set-Cookie: AUTH_SESSION_ID=xxx". Upon successfully logging in, it would appear that the value for the "AUTH_SESSION_ID" remains the same as it was prior to the login.
According to the Keycloak documentation, some of the adapters support changing the session id upon login so that the "AUTH_SESSION_ID" is changed upon login, but this does not look like the case for the JavaScript adapter. I also came across https://issues.jboss.org/browse/KEYCLOAK-4820 which describes how some adapters change the session id upon log in, but others do not support it.
Since the JavaScript adapter is not changing the session id upon successful login, it would be my understanding that this would make it vulnerable to Session fixation (https://www.owasp.org/index.php/Session_fixation).
Is my understanding correct?
If so, is there a way to solve this for the JavaScript adapter (keycloak.js)?
If my understanding is not correct, can anyone explain why this would not be considered being vulnerable to session fixation?
Thanks in advance for any advice in this area.
Thanks,
Don
5 years, 11 months
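Whatever the answer for keycloak.js and the AUTH_SESSION_ID cookie turns out to be, the property the post is asking about is a general one: does an identifier the browser held before authentication remain valid, now with the authenticated user's privileges, after it? The block below is an added example (not from the post, not Keycloak code) with a toy server-side session store that can be run either way, so the fixation scenario from the OWASP page (attacker obtains an id, plants it in the victim's browser, victim logs in, attacker reuses the id) can be observed with and without rotation on login.

```python
import secrets


class SessionStore:
    """Toy server-side session table keyed by the cookie value the browser holds."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> authenticated user (None before login)

    def start_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate session `sid`; return the id the browser must use from now on."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self._sessions[sid] = user       # same id before and after authentication
            return sid
        del self._sessions[sid]              # the pre-auth id is dead from here on
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)


def fixation_scenario(rotate_on_login: bool) -> dict:
    """Attacker fixes a session id in the victim's browser before the victim logs in."""
    store = SessionStore(rotate_on_login)
    fixed_sid = store.start_anonymous()            # 1. attacker obtains a valid, unauthenticated id
    # 2. attacker plants `fixed_sid` in the victim's browser (crafted link, injected cookie, ...)
    victim_sid = store.login(fixed_sid, "victim")  # 3. victim authenticates with that id
    return {
        "attacker_is_victim": store.user_for(fixed_sid) == "victim",  # 4. attacker replays the fixed id
        "victim_still_logged_in": store.user_for(victim_sid) == "victim",
        "id_changed": victim_sid != fixed_sid,
    }
```

The same check applies to a real deployment: log in with a pre-authentication cookie value you recorded, then see whether that exact value is still accepted as the authenticated session afterwards. Note that a cookie that only identifies an in-progress login and is not itself accepted as the authenticated session after login is not the session identifier this scenario is about.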
Integration with OpenID provider
by Karol Buler
Hi,
I am trying to add Identity Broker based on OpenID Connect to my
Keycloak. Everything is fine, redirecting to login page is working,
but... there is always a "but" :) I've got an error in Keycloak:
org.keycloak.broker.provider.IdentityBrokerException: No access_token
from server.
What I found is that the Keycloak doesn't send the "Authorization"
header in the "code-to-token" request. Is it a bug or a feature, or am I missing
some configuration?
Best regards,
Karol
5 years, 11 months
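Whether a broker sends an Authorization header on the code-to-token call is a question of which client authentication method the two sides agree on: client_secret_basic carries the client id and secret in an HTTP Basic Authorization header, client_secret_post carries them in the form body (RFC 6749 section 2.3.1, OpenID Connect Core section 9). The block below is an added example, not from the post and not Keycloak code, that builds the token request both ways and runs each against a toy token endpoint that accepts only one of the methods, which shows how a mismatch ends in an invalid_client response and no access_token. The client id, secret, code and URLs are constructed.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed values; a real exchange goes to the provider's token endpoint over TLS.
CLIENT_ID = "broker-client"
CLIENT_SECRET = "constructed-secret-0123"
REDIRECT_URI = "https://kc.example/auth/realms/demo/broker/oidc/endpoint"


def build_token_request(code: str, method: str) -> tuple:
    """Return (headers, body) for the authorization_code exchange with one client auth method."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: id and secret are form-urlencoded, joined with ':' and sent as HTTP Basic.
        cred = "%s:%s" % (quote(CLIENT_ID, safe=""), quote(CLIENT_SECRET, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        params["client_id"] = CLIENT_ID          # credentials travel in the body instead
        params["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError("unknown client auth method %r" % method)
    return headers, urlencode(params)


def token_endpoint(headers: dict, body: str, registered: dict, accepted: set) -> dict:
    """Toy provider side: authenticate the client with the methods it accepts, then issue a token."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic ") and "client_secret_basic" in accepted:
        try:
            raw = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        cid, _, sec = raw.partition(":")
        cid, sec = unquote(cid), unquote(sec)
    elif "client_secret" in form and "client_secret_post" in accepted:
        cid, sec = form.get("client_id", ""), form["client_secret"]
    else:
        return {"error": "invalid_client"}       # no credentials in a form this provider accepts
    expected = registered.get(cid)
    if expected is None or not hmac.compare_digest(expected.encode(), sec.encode()):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code" or not form.get("code"):
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-token-for-" + cid, "token_type": "Bearer"}


def demo() -> dict:
    """Every combination of what the provider accepts and what the client sends."""
    registered = {CLIENT_ID: CLIENT_SECRET}
    results = {}
    for provider_accepts in ("client_secret_basic", "client_secret_post"):
        for method in ("client_secret_basic", "client_secret_post"):
            headers, body = build_token_request("constructed-code", method)
            resp = token_endpoint(headers, body, registered, {provider_accepts})
            results[(provider_accepts, method)] = "access_token" in resp
    return results
```

When debugging a broker that reports no access_token, capture the code-to-token request (or the provider's error body) and compare the method actually used with the one the provider's metadata lists under token_endpoint_auth_methods_supported.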