Keycloak realm detection from email domain
by Scott Hezzell
Hi
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Thanks
Scott
2 years, 2 months
Organization Based Accounts and Permissions
by Charles Henck
Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin
2 years, 2 months
LDAP user group membership not syncing
by Luiz Carlos
Hi everyone
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those wasn't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to being a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
--
Luiz Carlos
2 years, 2 months
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
support SSO.
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
2 years, 3 months
Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
by Niels Bertram
Hi there,
we have a requirement to set the jndi datasource name on a UserFederation
provider when added to a realm to support connecting different realms in
the same Keycloak server to different databases. Been through the examples
and read a few emails from around 2016 in the developer list but do not
find anyone who'd actually done this before. we could create a user managed
EntityManagerFactory within the federation provider factory but the
question is then how can we inject it into the container context and enlist
our transactions in the JTA?
Has anyone ever had to implement something like that?
Cheers,
NIels
2 years, 4 months
Keycloak & Okta
by John D. Ament
Hi
Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to
authenticate (both SP initiated and IdP initiated) it fails with this error
01:40:54,626 WARN [org.keycloak.events] (default task-7)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-7) staleCodeMessage
I suspect its a setup issue on my side, so was hoping someone else has
tried this and can give tips. I even tried the import feature, no luck.
John
2 years, 6 months
KeyCloak and Azure Active Directory / response_type
by Robin Diederen
Hello all,
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I’m presented with an error.
Upon further investigation I’ve noticed that KeyCloak reports this error in its logs: “Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preffered value, being “response_type=token_id”. KeyCloak however does include “response_type=code”, yet Microsoft doesn’t seem to like this.
So here’s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I’ve tried a number of settings in the client page, such as implicit and standard flow enabed / disabled, however, to no avail.
Any help is greatly appreciated.
Best, Robin
2 years, 8 months
Additional attributes for an authorization request
by Scott Elliott
Would therebe any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
in a Javascript or rules based policy? I see that what is available in the
Evaluation API currently is pretty limited.
2 years, 8 months
Token exchange without configured policy
by Виталий Ищенко
Hi
I've been experimenting with internal to internal token exchange [1] and
managed to exchange token without configured policy
My original token belongs to public client (token_owner_klient_id) and I'm
trying to exchange it with audience set
to a confidential client that allows only client credentials grant
(confidential_client).
If I execute request as provided in documentation access is denied, but if
I'll provide confidential_client+confidential_client_secret
exchange operation succeeds.
The only difference in tokens issued with and without policy is that with
policy azp claim is set correctly to token_owner_klient_id.
The question is -- is it correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
-d "client_id=token_owner_klient_id" \
--data-urlencode
"grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=${TOKEN}" \
--data-urlencode
"requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
-d "audience=confidential_client" \
http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
2 years, 10 months
