Extend keycloak notifications
by David Monichi
Hi,
I'm considering creating a new application and for sure I'll use
keycloak as user backend. It's really cool stuff what you guys created.
I thought about various solutions for notifications of my application
and was wondering if you guys already thought about extending your
e-mail notification to a more general and flexible system. So that not
only keycloak e-mails will be sent over keycloak but also other
applications' e-mails and even more notifications can be sent over
keycloak (I'm thinking here of SMS, etc.). Therefore applications would
need to upload any kind of templates to keycloak and somehow be able to
manage them. There are 2 reasons for such a step. First of all keycloak
already provides such basic functionality to send notifications and so
extending it could be done with lower overhead. Second, keycloak already
owns the recipient data, if applications manage users over keycloak.
As an additional feature of course proper monitoring should be placed in
such a feature, since notifications are really vital to modern applications.
We would be able to provide programming resources for such a feature but
of course working together, especially for the design phase, with you guys.
The alternative would be to provide a different notification system and
forward keycloak e-mails to that service (actually the event to send a
notification). Don't know if this actually is the way to go ...
My motivation for such a feature is, that a single application should be
responsible for sending notifications of any kind and not be widespread
over various applications.
Any ideas welcome ;) Eventually I overlooked something in my design ...
Thx in advance for all your thoughts & all the best
/david
5 years, 5 months
Authorize Url
by Fabio Ebner
I'm using SpringBoot 2.0.5 and keycloak 4.5.0.Final, so is it possible to
secure a URL using:
@PreAuthorize("hasRole('USER')")
@GetMapping("/mensagem/enviada/t")
instead of the
.antMatchers("/mensagem/enviada/**").hasRole("USER")
5 years, 5 months
Running Keycloak examples
by Pritha Srivastava
Hi All,
I am trying to setup a Keycloak server and run the examples, for which I did the following:
1. Downloaded 4.5.0.Final Standalone Server distribution, and started the server using ./standalone.sh, which worked fine.
2. Downloaded keycloak-examples-4.5.0.Final, and for the preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and the second step gave me this error - UT010039: Unknown authentication mechanism KEYCLOAK
3. To solve the error in 2.0, I downloaded the wildfly adapter keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - ./bin/jboss-cli.sh --file=adapter-install.cli --connect --controller=127.0.0.1:9990 which gave the following response:
{"outcome" => "success"}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}
I am not sure how to solve the above problem. Any help is greatly appreciated.
P.S.: I am completely new to Jboss, Wildfly etc.
Thanks,
Pritha
5 years, 5 months
How update the locale value in user profile with REST API ?
by David F
Hi,
I use the doc to update my profile with REST API
PUT /{realm}/users/{id}
but if I want to change the locale value ("en", "fr"...), it's impossible.
I have this response "Unrecognized field "locale" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable" because in my body object I use "locale" key for "en" value for example.
I don't see in the doc how to send my new locale value in my body object.
Thanks for your help 😊
5 years, 5 months
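Added example (not from the original post or from the Keycloak project): Keycloak keeps a user's language as the user attribute named `locale`, not as a top-level field of UserRepresentation, so the PUT body has to carry it under `attributes`. Because PUT replaces the whole attributes map, the safe sequence is GET the user, merge the new locale into the existing attributes, then PUT the result. The helper below does the merge and builds the request; the base URL, realm, user id and admin token are assumed placeholders.

```javascript
// Added example, not code from the original post. Builds the admin REST
// request that changes a user's locale without wiping other attributes.

// Reject anything that is not shaped like a language tag ("en", "fr", "pt-BR")
// so a caller cannot smuggle arbitrary text into the attribute.
function isLanguageTag(locale) {
  return /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/.test(locale);
}

// Return a copy of the UserRepresentation (as returned by GET) with the
// locale attribute set. Attribute values in Keycloak are always arrays.
function withLocale(userRep, locale) {
  if (!isLanguageTag(locale)) throw new Error(`not a language tag: ${locale}`);
  const attributes = { ...(userRep.attributes || {}) }; // keep existing attributes
  attributes.locale = [locale];
  return { ...userRep, attributes };
}

// Describe the PUT /auth/admin/realms/{realm}/users/{id} call. baseUrl, realm,
// userId and adminToken are caller-supplied placeholders in this example.
function localeUpdateRequest({ baseUrl, realm, userId, userRep, locale, adminToken }) {
  const url = `${baseUrl}/auth/admin/realms/${encodeURIComponent(realm)}` +
              `/users/${encodeURIComponent(userId)}`;
  return {
    url,
    method: 'PUT',
    headers: {
      Authorization: `Bearer ${adminToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(withLocale(userRep, locale)),
  };
}

module.exports = { isLanguageTag, withLocale, localeUpdateRequest };
```

Send the returned request with any HTTP client; a 204 from Keycloak means the attribute was stored, and the login and account pages will pick the new locale up once internationalization is enabled on the realm.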
Regarding keycloak REST api
by Sharlet Wilson
Hi,
I have a user's keycloak access token on my backend Node.js application.
Would like to know how I can use it to authorize a user to access my custom
REST apis. (I am using the
/auth/realms/<realm-name>/protocol/openid-connect/token
api to get the user's access token).
Regards,
Sharlet Hannah Wilson
5 years, 5 months
Add CA certificates for LDAPS ?
by Mathieu Poussin
Hello.
What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
- The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
- Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
This is the error I am getting :
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 99 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 105 more
Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort, but so far nothing else worked); would there be a way to do that?
Connecting over LDAP is not an option as this prevents some features from working, like password reset.
Thanks.
5 years, 5 months
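Added configuration example (not from the original post): the PKIX error above comes from the JDK's default trust manager, which never sees certificates that only live in a JKS file the app server was not told about. Keycloak's own path for outgoing TLS is the truststore SPI, configured inside the `keycloak-server` subsystem of standalone.xml; the LDAP user federation provider then uses that store when its "Use Truststore SPI" setting is "Only for ldaps" or "Always". The file path and password below are placeholders.

```xml
<!-- Added example, not from the original post. Goes inside
     <subsystem xmlns="urn:jboss:domain:keycloak-server:..."> in standalone.xml. -->
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <!-- JKS containing the CA chain that signed the LDAPS server certificate -->
            <property name="file" value="/path/to/ldap-ca-truststore.jks"/>
            <property name="password" value="changeit"/>
            <!-- WILDCARD accepts *.example.com style names; ANY skips hostname checks -->
            <property name="hostname-verification-policy" value="WILDCARD"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
```

Import the CA with `keytool -importcert -trustcacerts -alias ldap-ca -file ca.pem -keystore /path/to/ldap-ca-truststore.jks` and restart the server. The `disabled` property is the knob the post asks about as a last resort; with it on, the LDAP bind credentials go to whichever host answers on the LDAPS port, which is why the trusted-CA route is the one worth getting working.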
There is already a httpSessionManager
by Calixto Meleán
I'm doing a simple tutorial with SpringBoot 2.1.0 and Keycloak 4.5.0. When I start the app, I am getting the following error:
org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'httpSessionManager' defined in class path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot register bean definition [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=securityConfig; factoryMethodName=httpSessionManager; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/example/demo/configuration/SecurityConfig.class]] for bean 'httpSessionManager': There is already [Generic bean: class [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; scope=singleton; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] bound.
Relevant maven dependencies I have are:
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-spring-boot-starter</artifactId>
    <version>${keycloak.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
SecurityConfig.class is:
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

@KeycloakConfiguration
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /**
     * Reads the adapter settings from application.properties/yml instead of keycloak.json.
     */
    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    /**
     * Registers the KeycloakAuthenticationProvider with the authentication manager.
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    /**
     * Defines the session authentication strategy.
     */
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/customers*").hasRole("pharmacist")
            .anyRequest().permitAll();
    }
}
Appreciate any help. Thanks
5 years, 5 months
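Added configuration example (not from the original post): the exception names two definitions of the same bean. One is the `httpSessionManager()` @Bean method that `SecurityConfig` inherits from `KeycloakWebSecurityConfigurerAdapter` (`factoryBeanName=securityConfig` in the message); the other is the `HttpSessionManager` class the adapter jar contributes through component scanning. Spring Boot 2.1 stopped allowing a later definition to silently override an earlier one, which is why the same configuration started under 2.0.x and fails under 2.1.0. Re-enabling overriding for this application restores the previous behaviour.

```properties
# application.properties (added example, not from the original post)
# Let the adapter's inherited httpSessionManager @Bean replace the component-scanned one
spring.main.allow-bean-definition-overriding=true
```

This is a global switch, so any other accidental duplicate bean in the application will also start being overridden silently; keep it in mind when a later bean appears to be ignored.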
Mobile app authentication flow
by Joe Livu
Hi,
I came across KeyCloak while searching for a security provider and was
immediately impressed.
I am planning on building a REST API using ASP.NET Core
Web API to be consumed by a mobile application to be built using Google's
Flutter framework. I have a few questions.
1. Would KeyCloak be suitable for securing my REST API which is built using
C# (ASP.NET Core Web API)? If so, can I get a brief
explanation and steps that need to be taken to achieve this?
2. Now I need my mobile app to consume the REST API secured by KeyCloak.
For authenticating users (e.g., via login screen using username/password
credentials), how would this be done? Which grant type and flow will be
suitable? The Web application demos show a redirect to the KeyCloak server
for authentication and then back to the app. It seems this cannot be
applied for mobile apps (correct me if I am wrong), so what would be the best
approach for a mobile application? I would think KeyCloak would provide a
REST API for such cases but I can only find an Admin REST API for admin
purposes only. Any help regarding this would be very much appreciated.
Kind regards,
Joe Livu
5 years, 5 months