Session management vs servlet adapter?
by Craig Setera
Can anyone tell me how Java sessions are managed relative to the servlet
adapter? As we are switching over from JSESSIONID-based authentication to
Keycloak, we have other non-security based services that are using
@SessionScoped beans. While we can continue to reflect JSESSIONID, are
there any cases where Keycloak will invalidate and/or switch the HttpSession
from request to request?
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 6 months
LDAP at Log in page
by So Be
Hi,
I have integrated our JupyterHub with Keycloak. It works fine.
Now, I want to add LDAP as an additional identity provider with GitHub.
I have configured the realm with our LDAP server but I cannot see the LDAP
button with the others on the login page.
What am I doing wrong?
Thank you.
5 years, 6 months
Notifying user about a login attempt
by GARDAIS Ionel
Hi,
Is there a way to notify a user by email whenever the user is logged in through a client of the realm?
Like "You've been logged by <Client Name> with your account <account_id>".
Thanks,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
5 years, 6 months
How to get a link to password reset from keycloak api
by Andreas Lau
Hello,
We have an application where we managed to create a user account over the REST API. Now, instead of creating a temporary password for the new user and forcing the user to log in and change the password the very first time he/she logs in, we'd like to create a link, where he/she has to enter a password and gets logged in (exactly like it is done in the password reset functionality), and send it to the user via mail.
I've googled around and the only hints I can find are how to call reset password via the API. But with this we only trigger Keycloak to send a mail with such a link. But as I said, we would like to get the link itself. Is this possible somehow?
Can you give us a helping hand?
Thanks.
Andreas
5 years, 6 months
open-id/connect endpoint giving unexpected result
by Ulrik Sjölin
Hello,
I am using 4.5.0 and have a simple setup with 2 users (Alice and Jdoe); each
of them has a UMA-resource. Jdoe is sharing his
resource with Alice (all scopes). Running “evaluate” in the admin-web-ui
everything looks correct: Alice does have Delete-Scope (and 4 other scopes)
on JdoeResource.
I use a simple curl script but it does however not give the same result as
the evaluate-web-ui does:
Using the /openid-connect/token, "permission=#Delete" and
subject_token=$ALICE_TOKEN, I get the expected result (both Alice's and Jdoe's
resources are returned correctly):
[{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"},{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]
Changing to "permission=AlliceResource#Delete", everything looks as
expected:
[{"scopes":["Delete"],"rsid":"c7fc0515-90f7-4485-a3c7-a8f62d64740c","rsname":"AliceResource"}]
Changing again to the id of JoeResource, i.e.
"permission=854b0ac8-8504-4b92-b642-1c959a1f8de0#Delete", I get:
[{"scopes":["Delete","Read","Write","Admin","Peek"],"rsid":"854b0ac8-8504-4b92-b642-1c959a1f8de0","rsname":"JdoeResource"}]
But changing to "permission=JdoeResource#Delete", I get, what I think is
unexpected:
{"error":"invalid_resource","error_description":"Resource with id [JdoeResource] does not exist."}
Is this expected behavior? Is there something I am doing wrong?
Best Regards,
Ulrik
5 years, 6 months
Can i integrate External PHP hash provider library with keycloak
by Deepa Gaddigoudar
Hello All,
Previously I have used SimpleLoginSecure
<http://dialect.ca/code/ci-simple-login-secure/> to secure my
application user passwords, thus I don't know the *salt* used by this
library. Now I want to migrate my users to Keycloak without asking them
to reset their password. Is there a way to integrate the
SimpleLoginSecure library with Keycloak as a PasswordHash Provider? If
yes, how do I do that?
Regards,
Deepa M G
------------------------------------------------------------------------
*Deepa M Gaddigoudar | Software Developer*
Aissel Technologies Pvt. Ltd.
A Block, Floor 2, IT Park, Hubli – 580029. India
Ph (Ind) : +91 836-235-1011 l Ph: +1 347-966-8181
Cell: +91 8951519616
E-Mail: deepag(a)aissel.com
5 years, 6 months
SSSD integration with password expiry
by Callum Smith
Dear All,
My google-fu has turned up some results of people doing bits of this using LDAP, but I was wondering if there was any way of handling users with expired passwords through Keycloak's UI. So the issue is that with FreeIPA as an authentication backend, when a user is created their password is expired (for lots of good reasons). This forces them to change the password on their first login, which works with ssh, gnome, but not Keycloak. Is this because of something I have misconfigured (or yet to configure) or is it just not supported?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
5 years, 6 months
password reset email REST api?
by Wyllys Ingersoll
Is there (or are there plans to add one) a REST API endpoint for sending a
user a password reset email link?
I'm looking for a way to simulate what happens when the "reset password"
form is used but without using the form itself, so that an application
could make the request without requiring a UI.
This is different from having an administrator manually reset a password, I
want the user to just get a secure link to reset their own password when
necessary.
thanks,
Wyllys Ingersoll
5 years, 6 months
Self Service for User ( using admin-cli)
by Madhu
Hi, I have a query on user self service (Auth service).
I have a realm with a few admin users (who have manage *, view *) in the realm-management client.
I also have ordinary users, who do not have any access in the realm-management client.
I would like to write a REST service, where the logged in user (the user id in the bearer token) will be able to perform a) GET realms/realmName/users/<uid> and b) PUT realms/realmName/users/<uid>
on the following conditions: the bearer token should be an admin's bearer token, or the logged in user should be editing his own record (sub in jwt should be the same as the <uid> in url).
Between, I am using admin-cli for these operations.
Please guide me on how to go about this.
Regards,
Madhu
5 years, 6 months