Best setup to extend Keycloak
by Francis Zabala
Hello,
What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly?
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification.
Regards,Francis
8 years
Microsoft social identity provider returns id_token while access_token is expected
by Sid 0
I am using keycloak 3.4.1.Final (deployed by docker). diving into the
issue, here are the logs:
WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory]
(default task-7) Truststore is disabled
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
task-7) Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: No access token
available in OAuth server response: {"id_token":"eyJ0eXAiOi..."}
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getFederatedIdentity(AbstractOAuth2IdentityProvider.java:279)
at
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
Note: with my current setup I don't have any issue with Google identity
provider.
Please let me know if more information needed for solving this issue,
thanks.
--
Sid
8 years, 1 month
How to stop the keycloak server from standalone sh
by Aritz Maeztu
Hello,
I'm running a keycloak instance from a docker image, so when I start the
container everything is up an running. Now I want to export the realms
and users to deploy it in production and I've got two chances:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm into trouble since the
widlfly server is launched with the docker container altogether. I can
browse in to it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get a "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
8 years, 1 month
Poor response time for User REST API
by Cedric Vidaillac
Hi all,
I have ~4k users imported in my (postgres) database, when I go for
GET /{realm}/users/
For max=100 (default) it takes about 20-22s to respond (60kb document).
For max=20, I still get 4s response time, which is kinda... not ideal.
I’m not sure if those response time are normal, and if not why is this so
slow ?
I’m guessing this overhead is caused by the JSON response, I tried on the
database (>20ms). -> is there a way to reduce the JSON data response
produced by Keycloak ? I only need usernames.
I didnt find anything on the docs, I tried ?fields=username in query param,
sadly it doesn’t work.
In case you’re wondering why I do that, I want to use an auto-complete on
my app, with usernames.)
Thanks for reading.
Cédric.
8 years, 1 month
Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
by Ryan Slominski
I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared. You can create separate Firefox "profiles" to get around it:
https://bugzilla.mozilla.org/show_bug.cgi?id=117222
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Dominik Guhr" <pinguwien(a)gmail.com>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, February 28, 2018 3:21:06 PM
Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
I am not sure I understand correctly, but generally, Keycloak is browser
SSO and being logged in 2 browser tabs in 2 clients as different user is
something generally unsupported and can cause various kind of issues. If
you want something like this just for development, you can maybe use
different realms?
Marek
On 28/02/18 14:30, Dominik Guhr wrote:
> Hi everyone,
>
> so I've built a custom kerberos authenticator which should, depending on
> a querystring, not automatically login. So, when I add &login=manual to
> the url, kerberos authenticator starts, checks, and stops.
> Now everything is fine when I use this authenticator under normal
> conditions, in one tab, but:
>
> - As a dev, I sometimes have different tabs with different environments
> open. e.g. https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Dlocal&d=DwICA... , https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Ddev&d=DwICAg&... - these apps are
> different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>
> Now I get logged in via kerberos in myapp-local, logout in myapp-test
> and try to login with different credentials manually in myapp-test.
> Then, the AuthenticationProcessor raises the following exception when
> doing this with kerberos login-enabled browsers (chrome, ie):
>
> =====================
> 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2)
> type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null,
> ipAddress=10.242.50.137, error=different_user_authenticated,
> auth_method=openid-connect, auth_type=code, response_type=code,
> redirect_uri=https://urldefense.proofpoint.com/v2/url?u=https-3A__myurl_m... , consent=no_consent_required,
> previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997,
> code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
> 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2)
> KC-SERVICES0013: Failed authentication:
> org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
> at
> org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
> at
> org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
> at
> org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
> at
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
> at
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
> at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at
> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
>
> =================
> and in the browser I get an "unexpected error when handling request to
> identity provider" errormsg.
>
> When doing the same thing in firefox (no kerberos, manual login, open 2
> tabs in 2 different environments and login with different users), I get
> at least the errormsg "You are already authenticated as different user
> [name] in this session. Please logout first."
>
> So, my questions are:
> - Why is this not possible?
> - Is there anything I can do (having a custom authenticator for
> kerberos/AD and a custom userstorageprovider for applicationdb) to make
> it possible to have different users logged in in different tabs for
> different kc-clients in the same realm?
> - More specifically: Is there a possibility to use the
> AuthenticationProcessor in an SPI without having to make a custom
> keycloakbuild and remove the check in line 246/setAuthenticatedUser, or
> does this mess up the whole authentication session?
>
> Would be great to get a hint here.
>
> Thanks!
>
> Best regards,
> Dominik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
8 years, 1 month
Reset credentials flow loses context if browser cookie not present
by Jerry Saravia
Hey all,
I ran into an issue.
Suppose I go to my keycloak instance with this url ` auth/realms/myrealm /login-actions/reset-credentials?client_id=my_client_id`.
The reset email gets sent after entering my email. However, if I copy that link and open it in a separate browser session it fails to maintain the the client_id used in the original request. Instead it switches to client_id = account.
I know why this happens. In LoginActionsService there is this
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam("code") String code,
@QueryParam("execution") String execution,
@QueryParam("client_id") String clientId) {
AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);
// we allow applications to link to reset credentials without going through OAuth or SAML handshakes
if (authSession == null && code == null) {
if (!realm.isResetPasswordAllowed()) {
event.event(EventType.RESET_PASSWORD);
event.error(Errors.NOT_ALLOWED);
return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
}
authSession = createAuthenticationSessionForClient();
return processResetCredentials(false, null, authSession, null);
}
event.event(EventType.RESET_PASSWORD);
return resetCredentials(code, execution, clientId);
}
The getCurrentAuthenticationSession method checks a cookie to get the session, which isn’t present in a fresh browser session. Afterward, the `createAutenticationSessionForClient` doesn’t use the clientId query parameter and defaults to the account client.
Is this a bug? A security issue?
I couldn’t find a bug for it. Should I create a bug and fix it? It’s not easy to overwrite this but if you have any workarounds let me know. My current approach is going to be to attempt to create a realm resource that exhibits the right behavior.
Jerry S
Jerry Saravia
Senior Software Engineer
P (516) 603-6914
virginpulse.com
globalchallenge.virginpulse.com
75 Fountain Street, Suite 310, Providence, RI 02902
Australia | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA
Confidentiality Notice: The information contained in this
e-mail, including any attachment(s), is intended solely for use by the
designated recipient(s). Unauthorized use, dissemination, distribution, or
reproduction of this message by anyone other than the intended recipient(s), or
a person designated as responsible for delivering such messages to the intended
recipient, is strictly prohibited and may be unlawful. This e-mail may contain
proprietary, confidential or privileged information. Any views or opinions
expressed are solely those of the author and do not necessarily represent those
of Virgin Pulse, Inc. If you have received this message in error, or are not
the named recipient(s), please immediately notify the sender and delete this
e-mail message.
8 years, 1 month
Verify email unwanted when users authenticate via Kerberos
by Ruch Grégory
Hi all,
I have configured a realm in which I have allowed user registration and Kerberos authentication. For user registration I have activated email address verification. Now my issue is that when I do the first login through Kerberos I also need to validate the email address.
I configured it in the same realm because I configured a SAML client application which both self-registered and Kerberos authenticated users need to access.
What I want is having self-registered users validating their email address and authenticating themselves with username/password and accessing all trusted applications with SSO. I want to have “corporate” users authenticate with Kerberos and access all trusted applications (same applications as self-registered users).
Is there another/ a right way to configure keycloak to do what I would like to do? Or should it be implemented as an option in ldap/Kerberos User federation provider such as “Trust email address” which will bypass the required action “verify email”?
Thank you in advance for your help,
Regards,
Greg
8 years, 1 month
SSO Session Idle timeout - strange behavior
by Jordan Keith
We have an angular application which is using keycloak js and keycloak 3.4.3. We set a token timeout of 15 minutes, but if the user closes the application and comes back after 15 minutes, they are not forced to log back in because Chrome does not delete session cookies if it is set to restore the browser session. When the application is loaded, we issue a call to keycloak similar to the following:
keycloakAuth.init({onLoad: 'login-required', checkLoginIframe: false}).success(...)
This is the only call made to keycloak on startup. After that, periodic updateToken calls are made.
We are trying to work around the persistent session cookie problem by setting the SSO Session Idle timeout to 15 minutes so that it matches our token timeout. I tested the behavior by issuing a refresh request 15 minutes after login. I received a 400 response as expected, but I'm encountering 2 issues:
1). If I close the browser tab and reopen it immediately after the idle timeout occurs, I will be logged right back in via keycloak as if nothing happened. If I close the tab and wait approximately 2 minutes (really about 1:45), only then will I be redirected to the login screen. If the session is invalid, why am I not redirected to the login page immediately after reopening the application? I've tried this with different SSO Session Idle timeout values, and the time I need to wait is always the same.
2). After the idle timeout occurs and I reopen the tab (after waiting 2 minutes), when I attempt to log in, I receive a message that I took too long to login and am forced to log in a second time. This occurs even if I try to log back in immediately after opening the tab.
If it matters, these are my login-related timeouts:
Client login timeout = 1 minute
Login timeout = 30 minutes
Login action timeout = 30 minutes
Any help would be appreciated.
Thanks,
Jordan Keith
8 years, 1 month
