November 2018 - keycloak-user - Jboss List Archives

by Byrd, Rob M

I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sq.... Thanks! Rob Byrd DST Solutions Lead SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 t: (816) 435-7286 | m (816) 509-0119 rmbyrd(a)dstsystems.com<mailto:rmbyrd@dstsystems.com> | www.ssctech.com<http://www.ssctech.com/> Follow us: [cid:image001.png@01D412C1.A14C5770] <https://www.linkedin.com/company/ss-c-technologies/> | [cid:image002.png@01D412C1.A14C5770] <https://twitter.com/ssctechnologies> | [cid:image003.png@01D412C1.A14C5770] <https://www.facebook.com/ssctechnologies/> Please consider the environment before printing this email and any attachments. This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.

5 years, 4 months

4
11
0 / 0

Customize OpenID/OAuth token

by Francisco Javier Crujeiras

Hi, We're thinking on using Keycloak as our main IDP and SSO solution. At this time, we're using a "custom" IDP server based on Spring and we are investigating if we can migrate our client database to Keycloak without disturbing our users. So, we have seen that, by default, Keycloak answers a token request with a complete JWT token, like this one: { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.eyJqdGkiOiI5YTc4MTY5NC04MGUwLTQ2OTEtOGY3Yi00MzQ5MzA3ZTBkYWIiLCJleHAiOjE1NDM1NzMxMDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOlsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImFjY291bnQiXSwic3ViIjoiYzgxNzYzNjgtMGI5NS00MWFmLTgzZDUtZTk4N2Y0ZWVlYTg3IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xOC4wLjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg" , "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.eyJqdGkiOiJmZWZhNTRjZS1hMjA0LTQ2NjAtODNkMC1kNDE0OWQwOTU0YWMiLCJleHAiOjE1NDM1NzQ2MDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJzdWIiOiJjODE3NjM2OC0wYjk1LTQxYWYtODNkNS1lOTg3ZjRlZWVhODciLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIn0.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY" , "token_type": "bearer", "not-before-policy": 0, "session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f", "scope": "profile email" } But, we'd like to send a "non-JWT" token, like this one: { "access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf", "token_type": "bearer", "expires_in": 3600, "scope": "scope-1 scope-2 scope-n" } We're not very experienced in Keycloak and we do not know if this is even possible, but any help will make us very happy. Thanks in advance! Regards,

5 years, 4 months

3
3
0 / 0

Keycloak user sessions persistence

by marco.scheuermann＠daimler.com

Hello Community, after redeployment of keycloak we mentioned that all existing session are gone. Is there any way to persist the session, so that the also exist after server restart or redeployment? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

5 years, 4 months

2
1
0 / 0

User session creation

by Erlend Hamnaberg

Hello all. This is a bit hard to explain. I have created a IDP which uses CAS ( Central Authentication Service) as its backend. Our KC instance is again used by a clients KC instance. They have chosen to disable their persistent cookie handling, and thereby our by passing "prompt=login" to the login request. We are passing on the prompt=login by passing on renew=true to CAS. We get a token back, and verify that. However; Since the user session is not refreshed by the cookie handling, it seems like we are then timing out intermittently. Is there a problem with creating/refreshing the user session in the authenticationFinished Method in the gist below? https://gist.github.com/hamnis/547c550a532be7e8235aa653725b2ba2 Thanks. /Erlend

5 years, 4 months

1
2
0 / 0

Send welcome mail after successful registration

by Andreas Lau

Hey, i'd like keycloak to send a welcome mail after the user has successfully registered and verified his email. Currently I don't know how to do it. I found jira [1] feature request proposing a extension to support welcome email by configuration (I think). In the comments someone suggested to use SMTP provider and EventListener. The next comment has a Link [3] to a EventListener sample but I can not figure out what I have to do. I think they suggested the follwing workflow: 1. registration finished 2. listener invokes - how to tell Listener to listen on the registration event (how is the event named) 3. SMTP provider sends a email Hope someone is able to help me out. Andreas [1] https://issues.jboss.org/browse/KEYCLOAK-1835 [2] https://github.com/keycloak/keycloak/tree/master/examples/providers/event...

5 years, 4 months

2
2
0 / 0

Issue with CORS on Keycloak

by Joao Paulo Ramos

Hi guys, Sorry if it's not the correct place to make this question (please guide me to the correct place). I'm facing some problems with CORS when using rh-sso 7.1. I'm using the following environment: - JBoss EAP 7.1 with Resteasy in the backend -> localhost:8080/accountmovement/api - ReactJS in the frontend -> localhost:3000 - RH-SSO -> localhost:8180 The JBoss EAP is using the Wildfly/EAP Adapter from Red Hat, with the configurations made on the standalone.xml file as a subsystem: <subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <secure-deployment name="accountmovement.war"> <realm>demo</realm> <resource>accountmovement-backend</resource> <use-resource-role-mappings>true</use-resource-role-mappings> <public-client>true</public-client> <auth-server-url>http://localhost:8180/auth </auth-server-url> <ssl-required>EXTERNAL</ssl-required> <enable-cors>true</enable-cors> </secure-deployment> </subsystem> I Already enabled the Web Origins to " * " in the RH-SSO Admin console for both of the clients I'm using. The error I receive is the following: "" Failed to load http://localhost:8080/accountmovement/api/accounts?_=1543522008489: Redirect from ' http://localhost:8080/accountmovement/api/accounts?_=1543522008489' to ' http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?respo...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. "" Do you have any idea for what can I do? If you need more information just let me know! Thank you, JOÃO PAULO RAMOS BUSINESS FINANCE - DATA SCIENCE INTERN Red Hat Brasil jramos(a)redhat.com M: +55-11-96505-6159 <https://red.ht/sig>

5 years, 4 months

1
0
0 / 0

Access to security-admin-console via SSL is prohibited?

by dominic.michel01＠realdigital.de

Hi. I've just deployed a keycloak which is only reachable via a haproxy that enforces SSL. Now i'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien... But this request ends in status 400 with the response "Invalid parameter: redirect_uri" On a test environment without SSL it's actually working fine with an absolute uri using http. But here i cannot use http. The haproxy prevents it completely. I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/) which leaves my with an error in the browser because haproxy changes the call to https, but some content seems to be still embeded using http --- Content Security Policy: The page’s settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat... (“frame-src”). --- So it looks like i'm effectively locked out. Based on my current situation i have three questions. 1. Why does keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https and how can this be changed? 2. Given that the default redirect uri pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is? 3. Does anybody know what to change now (via admin cli i guess) to get access to the UI? Thanks for your help. Kind regards, Dominic real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail.

5 years, 4 months

2
3
0 / 0

WG: Using keycloak for SAML integration. confused by documentation. login loop

by Manuel Waltschek

Hello, I am resending this, since I needed to confirm my subscription to this mailing list first and I got the "not allowed" message when I sent it fort he first time. Regards, Manuel Waltschek Von: Manuel Waltschek Gesendet: Donnerstag, 29. November 2018 18:27 An: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org> Betreff: Using keycloak for SAML integration. confused by documentation. login loop Hello there, I'm sorry to bother you since this might have been asked quite a lot, but I am not able to configure my application as a SAML service provider to authenticate against an external IdP like https://samltest.id/saml/idp . I tried to use keycloak server as an identity broker but ran into different issues. I tried to follow instructions of this documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html If you want details on my configuration you can check out https://stackoverflow.com/questions/53487692/keycloak-saml-as-identity-br... but some aspects might have changed, since I tried an alternative. Alternatively I tried to configure the Wildfly 10 system/application to use the external IdP directly, which kind of works. At least I am able to authenticate at the IdPs Website when I try to access a protected resource of my application, but when I get redirected to application-name/saml (which is my defined endpoint since it is described like this in the documentation. I do not understand how this should even work) I do not know how to access the assertion / the SAMLprincipal at this stage and if I register a ServletFilter in web.xml with an URL-pattern of /saml/* or /saml it won't trigger. Also I do not know if this is even how it should work out, since I don't get how the keycloak server even fits into the equation, since it is not called or anything when SP communicates automatically with the external IdP. Also why does the KeycloakLoginModule never get called? What is it for? And how does the assertion actually get processed? I cannot find any reference on these topics. I am getting really frustrated about this since the documentation is unclear (for me) about SAML and the use case I described and there are really no answers on public websites. I will be really happy if anyone could help me solve this issue. Do not hesitate to ask for more information/details. Thank you in advance, [relaunch]<https://www.prisma-solutions.com/> Unsere Website erstrahlt im neuen Glanz und ganz im Corporate und selbstverständlich Responsive Design. Wenn Sie wissen wollen, wie wir Verkehrsmanagement digital unterstützen, wie Städte eine vielfältige Fahrradkultur etablieren können, wo automatisierte Kleinbusse uns in Zukunft hinbringen werden oder wie die Lebenszykluskosten von Straßeninfrastruktur evaluiert und optimiert werden, dann schauen Sie doch auf https://www.prisma-solutions.com vorbei! [Logo] Manuel Waltschek BSc. +43 660 86655 47<tel:+436608665547> manuel.waltschek(a)prisma-solutions.at<mailto:manuel.waltschek@prisma-solutions.at> https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 Mödling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

5 years, 4 months

1
0
0 / 0

back channel logout in case of keycloak adapter sitting behind reverse proxy.

by Madhu

Hi, I am exploring on how to implement back channel logouts/ sso logout properly and have a question in this regard. I have a set of applications (say App1, App2, App3) which are integreated with keycloak through servelet adapter (keycloak-servlet-adapters and keycloak-spring-boot2-adapters).. Each of this application for HA/scalablity resons sit behind their own reverse proxies.. So typically there will be multiple instance of each application App1-Node1, App1-Node2.. App1-Node'n' , like wise App2-Node1,App2-Node2,App2-Node'n'.. and so on for each of the Apps. When a user u1,logs on to App1 and App2 an SSO session is establised in keycloak, and in the user sessions i see that user has connected to clients App1 and App2 ( app1 and app2 are clients in keycloak realm).. When user logged on App1-Node1 took the request, and for App2, App2-Node2 took the request.. On the keycloak side, the admin urls are configured with the Reverse proxy url of the each Apps ( same as the valid rediect and base url). When a SSO logout happens, how can i ensure that the keycloak server sends the SSO logout signal (k_logout) to the correct node? Will keycloak preserve the headers which came at the time of orignial login request and use them while sending admin requests as well ? ( so that the reverse proxy could dispatch the request to correct node, assuming that the application is configured to be sticky).. Regards,Madhu

5 years, 4 months

1
0
0 / 0

Re: [keycloak-user] permanent configuration for Keycloak

by Bruno Oliveira

features Reply-To: In-Reply-To: <CADNp1BaSBngh+DecKghGjT5_FUnD3CeaKtZSyxq7CG5ZY9Yqsw(a)mail.gmail.com> Hi Max, if the documentation lacks of more information. Please, do not hesitate to create a Jira mentioned which part is missing. That helps us to improve the docs. Indeed, the profile.properties file is the best place to put the permanent configuration. For that, just create a file inside $KEYCLOAK_SERVER/standalone/configuration called profile.properties, with the following content: feature.scripts=enabled I created the following Jira to track this: https://issues.jboss.org/browse/KEYCLOAK-8979 On 2018-11-29, Max Allan wrote: > As I start my keycloak with systemd, (following the wildfly setup > instructions). Rather than logging in and running standalone.sh all the > time, can you give more details about where to add this config to make it > permanent and upgrade resistant? > > Would you recommend adding JAVA_OPTS to wildfly.conf? > JAVA_OPTS=-Dkeycloak.profile.feature.scripts=enabled > OR the documentation mentions a file called "profile.properties" without > giving any idea where it can be found. That sounds ideal, if only it was > clearer how to use it. Much cleaner than this -D on startup command line > mess that was created. > > Also, I've added to KEYCLOAK-8872 that the other documentation needs fixing > : > https://www.keycloak.org/docs/latest/server_installation/index.html#profiles > States that "scripts" is called "script" and that it is enabled by default. > And the profile.properties file is mentioned without a location. > > > Max -- abstractj

5 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2018