Keycloak realm detection from email domain
by Scott Hezzell
Hi
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem?
My thoughts at the moment are to build a proxy api that the mobile application redirects to that prompts the user for their email address, looks up the configured tenant from the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Thanks
Scott
7 years, 5 months
Organization Based Accounts and Permissions
by Charles Henck
Hello all,
I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:
- A single user can be a member of multiple organizations
- A user can have different roles with different organizations that grant them access to all of an organization's resources
- A user can have access to a specific resource
- That organization-specific role determines access to different organization resources
Are there any best practices or patterns for this model? Thanks!
Justin
7 years, 5 months
LDAP user group membership not syncing
by Luiz Carlos
Hi everyone
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those weren't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to be a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
--
Luiz Carlos
7 years, 6 months
user storage ldap or keycloak
by Istvan Orban
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using its own user management ) to
support SSO.
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is this: is keycloak designed in a way that it can fulfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
--
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144
7 years, 6 months
Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
by Niels Bertram
Hi there,
we have a requirement to set the jndi datasource name on a UserFederation
provider when added to a realm to support connecting different realms in
the same Keycloak server to different databases. Been through the examples
and read a few emails from around 2016 in the developer list but do not
find anyone who'd actually done this before. We could create a user managed
EntityManagerFactory within the federation provider factory but the
question is then how can we inject it into the container context and enlist
our transactions in the JTA?
Has anyone ever had to implement something like that?
Cheers,
Niels
7 years, 7 months
Group-Mapping
by Lahari Guntha
Hi All,
We are using keycloak of version 3.3.0.CR2.
I have my Keycloak integrated with LDAP.
I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.
eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"
When I log in to one of my applications that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
Now I add the user "user1" into another group "group2"...
But now the newly added group is not reflected when I click on User> Group Mapping.
Why Is this happening??
What is the solution to continuously sync the users with the groups they are present in/added newly automatically????
Thanks,
Lahari
7 years, 7 months
Keycloak Java Servlet Filter Adapter.
by Luis Rodríguez Fernández
Hello there,
I am using the java servlet filter adapter (
http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...)
in apache-tomcat 9 and it works like a charm, thanks! The filter class
is org.keycloak.adapters.saml.servlet.SamlFilter
I would like to fully externalize the keycloak configuration from the
deployed applications. I know that I can set the keycloack config file via
the filter config param keycloak.config.file, to some external path like
/usr/local/my-keycloak-saml.xml, brilliant!
In the other hand the SamlFilter(
https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...)
looks for the keystores inside of the application context: usually
something like /WEB-INF/my-keystore.jks. This is due to the implementation of
the ResourceLoader.getResourceAsStream(String resource) function. It looks
like something like this:
    ResourceLoader loader = new ResourceLoader() {
        @Override
        public InputStream getResourceAsStream(String resource) {
            return filterConfig.getServletContext().getResourceAsStream(resource);
        }
    };
In ServletContext.getResourceAsStream(java.lang.String path) the path param
must begin with a "/" and it is interpreted as relative to the current
context root. I would be in favor of having the possibility of externalize
this resource, perhaps having something like:
    // First try the original one (relative to the servlet context root)
    InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
    if (is == null) {
        // Not found in the web application: try an external file path
        try {
            is = new FileInputStream(resource);
        } catch (FileNotFoundException e) {
            throw new RuntimeException(e);
        }
    }
Any thoughts on this?
Thanks in advance,
Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
7 years, 8 months
Keycloak & Okta
by John D. Ament
Hi
Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
authenticate (both SP initiated and IdP initiated) it fails with this error
01:40:54,626 WARN [org.keycloak.events] (default task-7)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-7) staleCodeMessage
I suspect it's a setup issue on my side, so was hoping someone else has
tried this and can give tips. I even tried the import feature, no luck.
John
7 years, 10 months
KeyCloak and Azure Active Directory / response_type
by Robin Diederen
Hello all,
I’m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.
After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I’m presented with an error.
Upon further investigation I’ve noticed that KeyCloak reports this error in its logs: “Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.”. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being “response_type=token_id”. KeyCloak however does include “response_type=code”, yet Microsoft doesn’t seem to like this.
So here’s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I’ve tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.
Any help is greatly appreciated.
Best, Robin
7 years, 11 months
Additional attributes for an authorization request
by Scott Elliott
Would there be any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
in a Javascript or rules based policy? I see that what is available in the
Evaluation API currently is pretty limited.
7 years, 11 months
UTF-8 character set support for user name and other fields / attributes
by Upananda Singha
Hi,
I am working with the Keycloak OIDC feature, and needed some clarification
regarding the character set it supports:
1. I have a requirement to use utf-8 characters (multi byte) in the
Username field
which seems to work fine while setting the user name and I can login to
Keycloak.
But it seems there are other related issues while generating / encoding the
tokens.
Sometimes (some characters) it works fine but for some multibyte characters
it throws
{
"error": "invalid_grant",
"error_description": "Code not valid"
}
while trying to get the Tokens using the authorization code.
Can someone tell me if Keycloak actually supports utf-8 character set in
Username and other fields and also in Custom user attributes?
It would be of great help if anybody can share some information.
Thanks,
Upananda,
Motorola Solutions
7 years, 11 months
Re: [keycloak-user] Keycloak 4.0.0.Beta1 is out
by Stian Thorgersen
I missed one cool new feature. We also now have support for UMA 2.0
including allowing users to manage resource permissions in the account
management console.
On Thu, 22 Mar 2018, 21:04 Stian Thorgersen, <sthorger(a)redhat.com> wrote:
> I'm very pleased to announce the first release of Keycloak 4!
>
> To download the release go to the Keycloak homepage
> <http://www.keycloak.org/downloads>.
> Highlights
>
> Brand new login pages
>
> The login pages have received a brand new look. They now look much more
> modern and clean!
> Themes and Theme Resources
>
> It's now possible to hot-deploy themes to Keycloak through a regular
> provider deployment. We've also added support for theme resources. Theme
> resources allows adding additional templates and resources without creating
> a theme. Perfect for custom authenticators that require additional pages
> added to the authentication flow.
>
> We've also added support to override the theme for specific clients. If
> that doesn't cover your needs, then there's a new Theme Selector SPI that
> allows you to implement custom logic to select the theme.
> Native promise support to keycloak.js
>
> The JavaScript adapter now supports native promises. Of course it still
> has support for the old style promises as well. Both can be used
> interchangeably.
> Edit links in documentation
>
> To make it easier to contribute changes to the documentation we have added
> links to all sections of the documentation. This brings you straight to the
> GitHub editor for the relevant AsciiDoctor file. There's also a quick link
> to report an issue on a specific page that will include the relevant page
> in the description.
> HTTPS support on keycloak.org
>
> Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on
> keycloak.org. About time?
> Loads more..
>
> The full list of resolved issues is available in JIRA
> <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
> .
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade
> guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
> anything that may have changed.
>
>
8 years
Limiting user registrations to closed set
by Łukasz Dywicki
Hi all,
I have a case which is quite simple in terms of logic - I have existing
database of users with attributes such first and last name, as well as
email. I miss username and password or just password if I decide to use
email as login. I would like to use attributes I know for validation of
new user registrations.
Any registration attempt with unknown email, first and last name should be denied.
Sadly due to necessity to host user self registration in mobile app I
had to move it outside of keycloak. This means I use a small utility to
create accounts using admin api.
I've tried to use UserStorageProvider, but this SPI is not permitted to
"deny" user registration. When I try to add new user, it goes in even if
there is no matching combination of attributes. Which SPI is valid for
my use case?
Kind regards,
Lukasz
8 years
"HTTPS Required"
by Lahari Guntha
Hi All,
I am using Keycloak of version 3.3.0.CR2...
I have launched keycloak as a container in a VM...
Whenever I try to access the "http" port of keycloak...It is showing "HTTPS REQUIRED"...
Even Setting of "Require SSL" to "none" Under Login tab of "Realm Settings" did not help....
Is there any other solution we have to get this problem solved??
Thanks & Regards,
Lahari G
8 years
Could not obtain configuration from server
by Filip Kozjak
Hi everyone,
I am having troubles obtaining access token for my Java EE REST service
from Keycloak.
I have started Keycloak server at http://localhost, and I can access the admin console at
http://localhost:8081/auth/admin/master/console/#/realms/demo.
Next, I created a new realm "demo" and registered my REST service there.
I've copied the generated keycloak.json to the WEB-INF of my service and
added what was needed to web.xml. This successfully protected my endpoint.
My REST service is up and running on http://localhost:8080/.
However, now I want to set up a client that would be authorized to access
the protected endpoint. The client is running at http://localhost:9080.
Again, it's a Java EE REST service that talks to the protected service. I
registered it as OAuth Client in the admin console and again copied the
keycloak.json to the resources of my app. I am trying to obtain the access
token like this:
    AuthzClient authzClient = AuthzClient.create();
    AccessTokenResponse tokenResponse = authzClient.obtainAccessToken();
This results in the following error:
java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
    at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:92)
    at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
    at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
    at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
    ... 16 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
I posted a question about it on StackOverflow too:
https://stackoverflow.com/questions/49534589/404-not-found-while-requesti...
Is there something I am missing?
8 years
delete all users
by Matthew Broadhead
is there a way to flush all of the users from a realm during testing?
8 years
Forwarding header fields in the Keycloak Proxy
by David Moeyersons
Hi,
The following page: http://www.keycloak.org/docs/3.4/server_installation/index.html#header-na... talks about forwarding header fields to a proxied server using a Keycloak Proxy, but the process on how to forward these fields is described nowhere.
Also the example doesn't contain valid json code:
{
"header-names" {
"keycloak-subject": "MY_SUBJECT"
}
}
When I add a colon after "header-names" the Keycloak Proxy seems to accept the statement, but no header fields are forwarded to my end server. (except for the realm - WWW-Authenticate: Basic realm="TestRealm")
Is the part about forwarding header fields in the Keycloak Proxy documented somewhere? I don't seem to find anything about it.
Kind regards,
David Moeyersons
8 years
Client vs resource
by Daya Gnanasekaran
I'm planning to use keycloak to secure our product and I have doubts around
defining clients and resources.
Our product consists of 4 major components, let's say A,B,C,D and each
component has a set of APIs. Component A interacts with B and C. Component
B interacts with C. There can be multiple instances of C connected to B and
there can be multiple instances of D connected to C. The users in an
organization can have various roles like admin or read-only user on each
component. A user who is an admin for component A can be a read-only user in
component B and the same applies for various instances of C.
Now i'm stuck at whether to create multiple clients, one per component or
create one client and make each of this component a resource.
Your thoughts?
Daya
8 years
Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
by Schenk, Manfred
Hello Luis,
Your approach will not work for me: In my setup there is no predefined set of secure and unsecure URLs: there are many URLs which can be accessed without any login and also with login. But the content which is displayed when accessing these URLs depends if the user is authenticated or not.
That’s the reason why all those filters and valves will not work for me.
My idea is as follows:
When a request comes in, I will check if it contains some token. If yes, the system should try to identify the user using keycloak, otherwise the username is set to anonymous.
In the next step the system checks if the user has sufficient rights for viewing/editing/deleting the entity identified by the requested URL. If the rights are sufficient (even with the anonymous user) all as well, otherwise the system will redirect to the keycloak server to obtain such a token mentioned above.
But I haven’t found any detailed documentation on that use case.
Regards,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
Von: Luis Rodríguez Fernández <uo67113(a)gmail.com>
Gesendet: Donnerstag, 29. März 2018 15:13
An: Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de>
Betreff: Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
Hello Schenk,
If your Identity Provider "speaks" SAML, you can give a try to http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet.... I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW thanks keycloak folks!).
My deployment descriptor (web.xml) looks like this:
    <filter>
        <filter-name>Keycloak Filter</filter-name>
        <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
        <init-param>
            <param-name>keycloak.config.file</param-name>
            <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
        </init-param>
    </filter>
    <!-- From the docs: "You must have a filter mapping that covers /saml." -->
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/saml</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/secure/*</url-pattern>
    </filter-mapping>
In this way, just playing with the url-patterns of my resources I can make them private or public. E.g.
    <servlet-mapping>
        <servlet-name>SessionExampleServlet</servlet-name>
        <url-pattern>/SessionExample</url-pattern>
        <url-pattern>/secure/SessionExample</url-pattern>
    </servlet-mapping>
Hope it helps,
Luis
2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de<mailto:Manfred.Schenk@iosb.fraunhofer.de>>:
Hello,
I want to use keycloak for user Authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.
Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
8 years
Get JWT from Keycloak For a SAML based client
by Pulkit Gupta
Hi Team,
We are using SAML based clients for our applications but we also need a JWT
to pass to other systems so that they can also do their validation.
Do we have a straight forward way of getting a JWT Token for a SAML based
client from Keycloak.
--
PULKIT GUPTA
8 years, 1 month
Single login page for all realms
by Pedro Pedro
Hi,
I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier. Example: user(a)myTenant.com
Now in keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the tenant in the username.
Is there such behaviour available in keycloak? I tested with v3.4.3 and did not find it, nor do the docs mention any info.
If this is not currently supported, what is the best approach for implementing it?
This is the idea I came up with:
To extend keycloak login/authentication to be in two steps:
1. user first enters username and clicks continue button
2. the custom logic in keycloak to extract the tenant(realm) from the username and initiate login request, now that I have the realm
3. realm login page is loaded with username populated (if I pass login_hint=username, the field should be populated)
4. user enters password and clicks login button
What you guys think of this approach?
I found a thread on the mailing list (that I can't find now...) that discussed the same problem. It was something along the lines of - create a main realm that will "proxy" to the others, but I'm not quite sure how to do that.
Hope to get some insight soon.
Pedro.
8 years, 1 month
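Both this thread and Scott Hezzell's earlier "Keycloak realm detection from email domain" describe the same front-door step: ask for the e-mail address, map its domain to a realm, and redirect to that realm's authorization endpoint with login_hint set. The following is an added example, not code from either poster nor from Keycloak, of how a small front proxy could do that; the base URL, the domain-to-realm table and the client/redirect_uri allowlist are constructed. It also adds the check a reviewer would ask for: only allowlisted client_id/redirect_uri pairs and a fixed set of OAuth parameters are forwarded, so the proxy cannot be turned into an open redirector.

```python
"""Resolve a Keycloak realm from an e-mail domain and build the realm's
authorization redirect. Added example, not from the mailing-list posts
or from Keycloak; all names and URLs below are constructed."""
from urllib.parse import urlencode

KEYCLOAK_BASE = "https://sso.example.test/auth"  # constructed base URL

# Constructed tenant table: e-mail domain -> realm name.
DOMAIN_TO_REALM = {
    "mytenant.com": "tenant1",
    "othertenant.org": "tenant2",
}

# Constructed allowlist of client_id -> permitted redirect_uri values. The proxy
# forwards only pairs it knows, so it cannot be abused to redirect elsewhere.
ALLOWED_CLIENTS = {
    "mobile-app": {"com.example.app://callback"},
}

# Only these parameters are copied from the app's request to the realm request;
# PKCE parameters are forwarded when the app sends them.
FORWARDED_PARAMS = (
    "client_id", "redirect_uri", "state", "scope", "response_type",
    "code_challenge", "code_challenge_method", "nonce",
)


class TenantResolutionError(ValueError):
    """Raised for malformed input, unknown tenants or disallowed clients."""


def realm_for_email(email: str) -> str:
    """Return the realm for the e-mail's domain.

    Unknown and malformed addresses raise the same error type so the
    response does not reveal which domains are onboarded tenants.
    """
    email = email.strip()
    if email.count("@") != 1 or not email.split("@")[0]:
        raise TenantResolutionError("malformed e-mail address")
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        return DOMAIN_TO_REALM[domain]
    except KeyError:
        raise TenantResolutionError("unknown tenant") from None


def build_realm_authorization_url(email: str, app_params: dict) -> str:
    """Build the redirect to the resolved realm's OIDC authorization endpoint,
    carrying the mobile app's own parameters plus login_hint."""
    realm = realm_for_email(email)
    client_id = app_params.get("client_id")
    redirect_uri = app_params.get("redirect_uri")
    if redirect_uri not in ALLOWED_CLIENTS.get(client_id, set()):
        raise TenantResolutionError("client_id/redirect_uri not allowed")
    if app_params.get("response_type") != "code" or not app_params.get("state"):
        raise TenantResolutionError("only the code flow with state is forwarded")
    forwarded = {k: app_params[k] for k in FORWARDED_PARAMS if k in app_params}
    forwarded["login_hint"] = email.strip()
    return (f"{KEYCLOAK_BASE}/realms/{realm}/protocol/openid-connect/auth?"
            + urlencode(forwarded))
```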
Realm as identity provider
by Matthias ANGLADE
Hello,
I'm currently working on a use case for which I need to use a realm as an
identity provider for others realms. Everything is working fine except that
the "realm_access" claim that I originally obtain from the parent realm
isn't propagated in the token I finally retrieve. Considering the schema in
the relevant section of the docs I guess the child realm forges its own
token based on the one received from the parent realm.
Anyway, is there any way to concatenate the realm_access claim ? So far, I've
tried to do it by defining identity provider mappers but without any
success.
Yours,
8 years, 1 month
trigger events
by Matthew Broadhead
I was wondering if there is a way to trigger events. Like if a user
logs in through facebook it could make a RPC to allow the system to
update their photo or something. Or if a user requests a password reset
it could mail the admin user and say "xyz requested a password reset".
8 years, 1 month
Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
by Schenk, Manfred
Hello,
I want to use keycloak for user Authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and handle the keycloak communication by myself from within my web application.
Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
8 years, 1 month
Re: [keycloak-user] Authenticating to a client with another client's service account
by Paolo Tedesco
I've found out that the problem was in the audience validation of my API.
The access token I get from keycloak when I authenticate my confidential client has always
aud = confidential_client_id
How am I supposed to get a token with a different audience value?
I tried specifying in the POST request to the token endpoint
resource = client_id_of_the_api
which works with ADFS 2016, but seems to be ignored by Keycloak.
Thanks,
Paolo
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Authenticating to a client with another client's service account
Hi all,
I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:
client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials
From this, I obtain a token, that looks like this:
{
"access_token": "eyJhbG...Z0qmQ"
// other stuff
}
Then, I try to call my API with an authentication header with
Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?
Thanks,
Paolo
8 years, 1 month
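The failure Paolo traced is the API's audience check: a client_credentials token carries the requesting client in aud, not the API. The following is an added example, not Keycloak's code nor the poster's, of the validation an API should perform before trusting the token: verify the signature, then issuer, expiry and that its own client id appears in aud (which may be a string or a list). Keycloak signs with RS256 by default; the HS256 key here is constructed only to keep the example on the standard library, and the tokens are built locally as sample input.

```python
"""Access-token validation for an API with client id `client_api`.
Added example, not from Keycloak or the mailing-list post. Keys and tokens
are constructed; a real verifier checks Keycloak's RS256 signature with the
realm's public key instead of the HS256 secret used here."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://keycloak-server/auth/realms/master"  # realm URL from the post
API_CLIENT_ID = "client_api"
TEST_KEY = b"constructed-shared-secret-not-a-real-key"  # constructed sample key


class TokenError(Exception):
    """Any reason the token must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Build a constructed HS256 JWT; used only to produce sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = TEST_KEY,
                 now: Optional[float] = None) -> dict:
    """Verify signature, issuer, expiry and audience; return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never honour "none" or an alg the header swaps in.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    # aud may be a single string or a list; this API must be among them.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if API_CLIENT_ID not in audiences:
        raise TokenError(f"audience {audiences} does not include {API_CLIENT_ID}")
    return claims


def rejection_reason(token: str, key: bytes = TEST_KEY,
                     now: Optional[float] = None) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        verify_token(token, key, now)
        return None
    except TokenError as exc:
        return str(exc)
```

With a default client_credentials token, aud is "confidential_client" and the check fails exactly as the post describes; the API only accepts the token once its own client id is present in aud.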
Performance
by Hammarberg, Daniel
Hi all,
In our currently running project, we are moving to Keycloak as SSO for a few sites with about 180000 active users, a large hierarchy of groups and peaks with thousands of calls per second. We are starting to get a feeling that Keycloak cannot handle such a large amount of data and traffic. Is there any documentation anywhere on server sizing and expected performance for large sites? Has anyone run peak tests and endurance tests on Keycloak and in that case, what was the outcome? Does anyone have experience in using Keycloak for sites of this size?
Best regards
/Daniel
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
8 years, 1 month
kcadm.sh - Updating existing LDAP confg.
by Yavuz Selim Polat
Hi,
In Keycloak- User Federation, I already configured a LDAP with below
attributes. As an operation reason, we are developing a script to be able
operate user (import,resync etc.) with LDAP integration.
I found that AdminCLI documentation and on linux side we can perform some
operation via “kcadm.sh”. My question is, how can I update yellow
highlighted attributes (Users DN and Custom User LDAP Filter) for existing
LDAP confg.?
If I can update Users DN and add “tuser” to Custom User LDAP Filter
attribute successfully via kcadm.sh. I will have a chance to do some user
operations anyway, like I mentioned above, I just need to update current
LDAP configuration. I couldn’t find in AdminCLI doc for updating operation.
If you know, please share with me :)
Regards
Console Display Name - ldap
Priority - 0
Import Users - On
Edit Mode - READ_ONLY
Sync Registrations - On
Vendor - On
Username LDAP attribute - uid
RDN LDAP attribute - uid
UUID LDAP attribute - uid
User Object Classes - inetOrgPerson, organizationalPerson
Connection URL - ldap://ldap:3333
Users DN - dc=entp,dc=abc
Authentication Type - single
Bind Credential – N/A
Custom User LDAP Filter - (uid=user)
Search Scope - Subtree
Use Truststore SPI - Only for ldaps
Connection Pooling - Off
Connection Timeout - <Blank>
Read Timeout - 600000
Pagination - Off
Allow Kerberos authentication - Off
Use Kerberos For Password Authentication - Off
Batch Size - 1000
Periodic Full Sync - Off
Periodic Changed Users Sync - Off
Cache Policy - DEFAULT
8 years, 1 month
keycloak ldap Oracle Identity Directory
by Remco Cats
Hi All,
I have a question about Keycloak. We have the following situation:
In our LDAP environment we have Groups and Roles stored.
In the LDAP environment there is a relationship between them via an attribute uniquemember.
The relationship is then a many-to-many relationship that is not supported in Keycloak.
So I want to import the groups into groups and roles into roles so that everything is inside Keycloak.
But I also want the relationship between the GROUP and the ROLE.
I have already imported the groups and roles separately but I cannot map the relationship between them. And by hand is not the ideal situation.
Does anyone have this issue?
best regards,
Remco
8 years, 1 month
Domain mode cluster, slave authentication?
by Max Allan
Hi,
Has anyone used the latest WildFly 11 version of Keycloak in domain mode?
I could get it to work on a local instance with host-master and host-slave
config files. But using the same host-slave config on a different instance
it would fail to authenticate.
Error :
[Host Controller] 09:07:25,741 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.5.Final
[Host Controller] 09:07:25,874 INFO [org.jboss.as.remoting] (MSC service thread 1-2) WFLYRMT0001: Listening on 127.0.0.1:3456
[Host Controller] 09:07:26,167 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.33.10:9999: java.lang.IllegalStateException: WFLYHC0043: Unable to connect due to authentication failure.
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.rethrowIrrecoverableConnectionFailures(RemoteDomainConnectionService.java:674)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:293)
[Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:938)
[Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:692)
[Host Controller] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
[Host Controller] at java.lang.Thread.run(Thread.java:748)
[Host Controller] Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
[Host Controller] DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:109)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:446)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller] at ...asynchronous invocation...(Unknown Source)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:570)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:532)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:520)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:204)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:120)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:223)
[Host Controller] at org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
[Host Controller] at org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:268)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:223)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:592)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:147)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:288)
[Host Controller] ... 4 more
[Host Controller] Suppressed: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:736)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:578)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller]
[Host Controller] 09:07:26,169 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
[Host Controller] 09:07:26,169 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
[Host Controller] 09:07:26,170 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
After poking around a bit I found the slave makes a connection with this
bit of host-slave.xml :
<domain-controller>
<remote username="$local" security-realm="ManagementRealm">
<discovery-options>
<static-discovery name="primary"
protocol="${jboss.domain.master.protocol:remote}"
host="${jboss.domain.master.address:192.168.33.10}"
port="${jboss.domain.master.port:9999}"/>
</discovery-options>
</remote>
</domain-controller>
I changed $local to admin and it connects fine. But if I understand
WildFly, then you shouldn't need to specify a username at all, and the
remote server will interpret $local (or none) as the local default user,
which would be "admin".
I tried leaving out the username and that didn't work either.
Have I managed to configure my user wrong on the master somehow? I used
this command (and obviously have the correct secret in the host-slave.xml) :
bin/add-user.sh -u admin -p password -r ManagementRealm -ds -e
Or is this actually expected behaviour?
8 years, 1 month
How to import keycloak-authz from keycloak-js npm package in TypeScript?
by Marcel Német
I can easily import Keycloak.d.ts from keycloak-js npm module using
import * as Keycloak from 'keycloak-js';
but I am failing to import the keycloak-authz.d.ts file and
the KeycloakAuthorization which is defined inside it.
I wonder if anybody knows how to do it or did it previously. Not sure
whether keycloak-authz is made available at the npm package level.
A loosely related issue I found online is:
https://issues.jboss.org/browse/KEYCLOAK-4822
--
Marcel Német
marcel.nemet(a)gmail.com
0795153648
8 years, 1 month
High throughput communication- Use of a transparent (by value) token
by Omri Tavor
Hi,
I have two backend servers that need to communicate at a high throughput (1000s of requests per second).
I don't want each of the requests to be blocked/slowed down by the server contacting the Keycloak server to verify the token.
Is there a way I can create a transparent token that could be verified without having to access the Keycloak server on each request?
Thanks,
Omri.
8 years, 1 month
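A worked example of what the question asks for, added here and not part of the original post or of Keycloak itself: a Keycloak access token is already a "transparent" (by value) JWT signed with the realm's RSA key, so a backend can validate it locally against the realm's JWKS (the `.../protocol/openid-connect/certs` document, fetched once and cached) without calling the server per request. The issuer URL, client ids, key id and the throw-away RSA key below are all constructed for the demo; the stdlib-only RSA implementation is there only so the example runs anywhere and is not production crypto.

```python
import base64, hashlib, hmac, json, random, time

def b64u(raw: bytes) -> str:          # unpadded base64url, as JOSE/JWT uses it
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- minimal RSA PKCS#1 v1.5 / SHA-256 (= RS256), stdlib only so the demo
# --- runs anywhere; in production use a real crypto library for this part.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _probable_prime(n: int, rounds: int = 32) -> bool:
    d, r = n - 1, 0                   # Miller-Rabin; n is odd and large here
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:   # 1024: fast demo, not secure
    def prime() -> int:
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    e, p, q = 65537, prime(), prime()
    phi = (p - 1) * (q - 1)
    if p == q or phi % e == 0:        # practically never; just draw again
        return generate_rsa_key(bits)
    return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# --- "Keycloak side": realm key, JWKS document, minted token (all assumed) --
ISSUER = "https://sso.example.test/auth/realms/backend"
KID = "demo-key-1"
REALM_KEY = generate_rsa_key()

def realm_jwks() -> dict:
    """Shape of GET <ISSUER>/protocol/openid-connect/certs; fetch once, cache."""
    n = REALM_KEY["n"]
    return {"keys": [{"kid": KID, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64u(REALM_KEY["e"].to_bytes(3, "big"))}]}

def mint_token(claims: dict, alg: str = "RS256", kid: str = KID) -> str:
    """Issue a token as the realm would; alg/kid overridable to build bad ones."""
    head = b64u(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = rs256_sign(f"{head}.{body}".encode(), REALM_KEY) if alg == "RS256" else b""
    return f"{head}.{body}.{b64u(sig)}"

# --- "backend side": accept or reject with no call to the server -----------
def verify_access_token(token, jwks, issuer, audience, now=None, leeway=30):
    """Returns (claims, "ok") or (None, reason). alg is pinned (never trust the
    header, never 'none'); an unknown kid after rotation means: refetch the JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header, claims = (json.loads(b64u_decode(p)) for p in parts[:2])
        sig = b64u_decode(parts[2])
    except ValueError as exc:          # bad base64 and bad JSON both land here
        return None, f"undecodable token: {exc}"
    if header.get("alg") != "RS256":
        return None, f"unsupported alg {header.get('alg')!r}"
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None:
        return None, "unknown kid"
    n, e = (int.from_bytes(b64u_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{parts[0]}.{parts[1]}".encode(), sig, n, e):
        return None, "bad signature"
    now = time.time() if now is None else now
    if claims.get("exp", 0) + leeway < now:
        return None, "token expired"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        return None, "token not intended for this service"
    return claims, "ok"
```

Offline checks only prove that the realm signed the token and that it has not expired: revocation (logout, a disabled user) is not visible before `exp`, so keep access-token lifetimes short, and fall back to the token introspection endpoint only where immediate revocation matters. When a token arrives with a kid that is not in the cached JWKS, refetch the document (rate-limited) before rejecting, since that is what a key rotation looks like from the client side.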
Direct grant flow using a CAS token as a credential.
by Rodolfo de Paula
Greetings,
We started doing a proof of concept with Keycloak only 2 weeks ago. We already have a small SPA in Vue.js with authentication using the direct grant flow.
Since we have a legacy users database, we plugged in a custom UserFederationProvider implementation.
This custom provider helped us to support these 2 scenarios:
1) Users authenticating against our legacy database.
2) Users authenticating against our CAS server. Since the user storage provider has access to user/password, our implementation will also try to get a Service Token from our CAS server and in case of success, it will set a value in a custom user attribute "CAS_TOKEN" so the SPA will have access to it and use it when needed (links to CAS protected resources).
This works for our POC but we have a third scenario: We want to authenticate a user coming to our resources but with a token (CAS) appended to the URL. With the CAS token, we would need to 1) validate the ticket, 2) get the user identity in order to authenticate it. But we have been studying that providers/authenticator example from the Keycloak source and it doesn't seem to be useful since we are using the direct grant flow.
So can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?
Thanks in advance!
8 years, 1 month
Re: [keycloak-user] [Proposal] Hard Code the Composite Role Relationship of Admin Role into Java code not Database Records?
by Mingjun Liu
Hi Team,
I found that the admin role in the master realm will have all roles of the
xxxx-realm type clients in the master realm as composites. This design will have
lots of rows to be inserted into the database.
However, the admin role is targeted at super privileged users to have
all privileges on all resources in the Keycloak server; there are rarely
reasons to change this scenario.
One observation is that when there are 6K realms in the database, the getRole
method of the admin role would take more than *1 SECOND*. It will result in
bad response for the admin REST API.
Benefit:
We are relieved of lots of database writes/reads, especially when the realm
number grows to thousands and more.
We are more confident to support a large number of realms.
Drawbacks: we need to carefully implement the logic for the special admin role;
multiple places need work.
Please let me know your concerns. Thank you!
Regards,
Mingjun Liu
8 years, 1 month
403 on /sso/login with Spring Boot and Keycloak Adapter
by Marc Logemann
Hi,
I have a little Spring Boot application and it runs pretty nicely
together with the Keycloak setup on my dev machine. Now when deploying
the same application to another server I get something strange:
When trying to access a protected resource, my browser gets a 302 to
/sso/login which is OK, but this URL should also produce a 302 to the
final Keycloak login page. Instead I get a 403 on the /sso/login
request. The crazy thing is, on my local dev machine the /sso/login
doesn't get a 403 but a 302 with the resulting valid and perfect URL
(http://localhost:16177/auth/realms/XXXX/protocol/openid-connect/auth?resp...)
What I want to say is.... I don't have a clue why I get a 403 on a
resource /sso/login, which, as I assume, is provided by the Spring Keycloak
adapter. And even crazier... it's the same application.
thanks for any hints.
marc
8 years, 1 month
A few questions about OIDC Key Rotation in Keycloak
by Yaroslav Skopets
Hi guys!
I've got a few questions about OIDC Key Rotation in Keycloak:
1) Does Keycloak support fully automatic rotation of OIDC keys?
From a user perspective, I'd like to be able to set a rule à la "rotate
keys every 24 hours".
I see that https://issues.jboss.org/browse/KEYCLOAK-905 had a similar
intent: "Option to enable automatic period rotation of keys (in cluster
make sure only one node does it)"
Was it actually implemented?
2) As a user, I'd like to automate rotation of OIDC keys.
I see that through the Admin REST API I can create/activate/delete keys.
However, does Keycloak allow me as a user to attach custom metadata to
those keys? Such as `time when the key was created`, `time when the key
was made active`, `time when the key was deactivated`, etc.
My goal is to implement a key rotation policy based on those extra
pieces of metadata.
Thanks in advance!
--
Best regards,
Yaroslav Skopets
8 years, 1 month
Identity Brokering, external IDP require nonce
by triton oidc
Hi,
in my scenario, I'm using Keycloak as an IDP broker.
It works fine with a lot of configurations.
I built Keycloak from source 3 weeks ago.
However, the IDP I'm trying to integrate right now requires a nonce in the
first call to the authorization endpoint.
https://myidp.com/authorize?scope=openid+profile&state=state&response_typ...
fails
but if I manually add "&nonce=1234" to the URL it works.
I could not find an option in the external IDP configuration concerning this nonce
generation.
Did I miss something?
Should I ask for a feature and wait for someone to look at it?
any help would be appreciated
Thanks a lot
Amaury
8 years, 1 month
Help for configuring keycloak with existing GWT amalgamated Spring application
by mukesh Harshwal
Hi team,
I have an existing GWT-amalgamated Spring application which is currently configured with JOSSO by using Spring Security. In order to revive the application security I want to plug out JOSSO and integrate Keycloak. I've seen a few examples of Keycloak integration with Spring Boot applications but I am not finding any example of a simple Spring application's integration with Keycloak. Any help would be appreciated gratefully.
Thanks,Mukesh
8 years, 1 month
Keycloak will run server-jre only
by Subodh Joshi
Hi Team,
Is there any restriction that Keycloak will work with server-jre only and
not with client-jre?
In my linux machine we have following version installed
/usr/sbin/alternatives --config java
There are 2 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64
(/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
+ 2 /usr/java/jre1.8.0_102/bin/java
It's working fine with OpenJDK but Keycloak is not coming up with the Oracle
client-jre and gives this exception:
2018-03-22 12:30:56,163 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 26) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "KeycloakDS")
]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:124)
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:868)
at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1269)
at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:438)
at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:619)
at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:683)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:642)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:616)
at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:35)
at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:178)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd.secondRuntimeStep(AbstractDataSourceAdd.java:348)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceAdd$1.execute(AbstractDataSourceAdd.java:133)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:980)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:726)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:450)
at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:386)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.jboss.security.vault.SecurityVaultException: java.security.InvalidKeyException: Illegal key size or default parameters
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:157)
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:110)
... 25 more
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1026)
at javax.crypto.Cipher.implInit(Cipher.java:801)
But the same setup works with *open-jdk* without any issue. After that I
updated the Oracle Java and used *server-jre*:
[root@ha1 ~]# /usr/sbin/alternatives --config java
There are 2 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64
(/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-2.b16.el7_4.x86_64/jre/bin/java)
+ 2 /usr/java/jre1.8.0_102/bin/java
This time it worked totally fine and Keycloak is running without any issue.
--
Subodh Chandra Joshi
<subodh1_joshi82(a)yahoo.co.in>
http://www.questioninmind.com
8 years, 1 month
Does Keycloak Support EAR deployments
by matt prpic
Hello,
I've been searching for this question online and on Keycloak's community pages, but I cannot find the answer anywhere. I have an EAR file with a JAR file within it. The JAR file is an application with various EJBs. The EAR file is deployed on a WildFly 11 server and the Keycloak adapter was installed using the CLI (adapter-elytron-install-offline.cli). I have tried calling one of my service's EJBs using a JNDI lookup through a test application, but there is no mention of any Keycloak authentication. I can only authenticate if I use one of the WildFly users, which tells me that Keycloak is not participating in this authentication at all. Below is my configuration:
EJB
@SecurityDomain("keycloak")
@Stateless(name="TestBean")
@RemoteHome(TestBeanHome.class)
@TransactionAttribute(value=TransactionAttributeType.REQUIRED)
public class TestBean implements ITestBean {
...
Standalone.xml
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="testapplication.ear">
<realm>testrealm</realm>
<auth-server-url>http://localhost:8180/auth</auth-server-url>
<public-client>true</public-client>
<ssl-required>EXTERNAL</ssl-required>
<resource>testclient</resource>
<credential name="secret">password</credential>
</secure-deployment>
My question is: Does Keycloak support this project setup? The documentation only mentions WAR files, which is not an option for me. Any help would be appreciated.
Thanks,
Matt
8 years, 1 month
Keycloak SAML Elytron adapter with aggregate-realm
by Zoltán Kukk
Hi all,
I tried to use the Keycloak SAML adapter in WildFly 11 but I have to
enrich the SAML claim
with local roles, so I have grouped KeycloakSAMLRealm as authentication realm and
a properties-realm as authorization realm with an aggregate-realm.
I have figured out it is not working because the Elytron properties-realm
is limited to using
NamePrincipal only and Keycloak returns SamlPrincipal.
Can you suggest a solution to add roles to a SAML claim from a local
store (file or database)?
Best regards,
Zoltán Kukk
8 years, 1 month
mappers and user federation
by Corbetta, Francesco
Hello
I wrote a JPA federation provider which works perfectly but I'm not able to add claims via the client mappers table.
For example, I have a User property "gender" which is mapped to my UserModel getGender method, which does the mapping to the underlying Hibernate entity.
I configured the mapper as:
Consent required: Off
Mapper Type: User Property
Property: gender
Token Claim Name: person_gender
Claim JSON Type: string
Add to ID token: ON
Add to Access Token: ON
Add to userinfo: ON
While the Hibernate entity correctly loads the value, the claim is never included in the userinfo object.
To develop the provider I basically followed the user-storage-jpa example.
Server version is 3.4.0.Final
Best regards
Francesco
8 years, 1 month
Token exchange without configured policy
by Виталий Ищенко
Hi
I've been experimenting with internal to internal token exchange [1] and
managed to exchange a token without a configured policy.
My original token belongs to a public client (token_owner_klient_id) and I'm
trying to exchange it with the audience set
to a confidential client that allows only the client credentials grant
(confidential_client).
If I execute the request as provided in the documentation, access is denied, but if
I provide confidential_client+confidential_client_secret
the exchange operation succeeds.
The only difference in tokens issued with and without policy is that with
the policy the azp claim is set correctly to token_owner_klient_id.
The question is -- is this correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
-d "client_id=token_owner_klient_id" \
--data-urlencode
"grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=${TOKEN}" \
--data-urlencode
"requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
-d "audience=confidential_client" \
http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
8 years, 1 month
How to add user attribute through admin-cli
by Subodh Joshi
I am trying to add three attributes to a user and used the below admin-cli
command
/opt/keycloak/bin/kcadm.sh create components -r master -s
name=user-attribute -s providerId=user-attribute -s
parentId=1295a70f-25f7-4e45-bcb8-285d750 1c6d9 -s
'config."appid"=["SURE_APP"]' -s 'config."tenantId"=["T0"]' -s
'config."ugId"=["Admin_UserGroup"]'
but it's throwing
No server or realm specified. Use --server, --realm, or 'kcadm.sh config
credentials'.
Can someone please let me know what is wrong with the above command?
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.questioninmind.com
8 years, 1 month
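One way to script both kcadm.sh tasks in this digest (the Users DN / Custom User LDAP Filter update asked about in "kcadm.sh - Updating existing LDAP config." above, and the user attributes asked about in this post), as an added example that is neither from the posts nor from Keycloak: a small Python wrapper that builds kcadm.sh argument lists and runs them without a shell, so a UUID, a filter with parentheses or a value with spaces arrives as one argument instead of being word-split. Assumed: kcadm.sh is on PATH and `kcadm.sh config credentials` has already been run; the realm name, the provider display name, the new Users DN `ou=people,dc=entp,dc=abc` and the user id placeholder are made up, and `usersDn` / `customUserSearchFilter` are the component config keys the LDAP provider stores these two fields under. The component id is looked up with `kcadm.sh get components -q name=...`, and the attributes are set with `update users/<id>` rather than by creating a component.

```python
import json
import shlex
import subprocess

KCADM = "kcadm.sh"                      # assumed: on PATH and already logged in
COMPONENT_TYPE = "org.keycloak.storage.UserStorageProvider"

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a value pasted into a filter cannot change it."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def or_uid_into_filter(existing: str, uid: str) -> str:
    """OR one more uid into a Custom User LDAP Filter. Keycloak expects a
    complete, parenthesised filter, so the clause is wrapped in (|...)."""
    existing = existing.strip()
    if not (existing.startswith("(") and existing.endswith(")")):
        raise ValueError("LDAP filter must be enclosed in parentheses")
    clause = f"(uid={ldap_filter_escape(uid)})"
    if existing.startswith("(|"):
        return existing[:-1] + clause + ")"     # extend the existing OR
    return f"(|{existing}{clause})"

def cfg(key: str, value: str) -> str:
    """Component config values are JSON arrays of strings in kcadm -s syntax."""
    return f"config.{key}={json.dumps([value])}"

def find_component_argv(realm: str, display_name: str) -> list:
    """kcadm get components, filtered by display name and user-storage type."""
    return [KCADM, "get", "components", "-r", realm, "-q", f"name={display_name}",
            "-q", f"type={COMPONENT_TYPE}", "--fields", "id,name,providerId"]

def update_ldap_argv(realm: str, component_id: str, users_dn: str, user_filter: str) -> list:
    """kcadm merges the existing representation, so only these two keys change."""
    return [KCADM, "update", f"components/{component_id}", "-r", realm,
            "-s", cfg("usersDn", users_dn),
            "-s", cfg("customUserSearchFilter", user_filter)]

def full_sync_argv(realm: str, component_id: str) -> list:
    return [KCADM, "create", f"user-storage/{component_id}/sync?action=triggerFullSync",
            "-r", realm]

def set_user_attributes_argv(realm: str, user_id: str, attributes: dict) -> list:
    """User attributes live on the user, not on a component: update users/<id>."""
    argv = [KCADM, "update", f"users/{user_id}", "-r", realm]
    for key, value in attributes.items():
        argv += ["-s", f"attributes.{key}={json.dumps([value])}"]
    return argv

def run(argv: list, dry_run: bool = False) -> str:
    """No shell involved: every argv element is exactly one argument."""
    if dry_run:
        return shlex.join(argv)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def ldap_component_id(realm: str, display_name: str) -> str:
    rows = json.loads(run(find_component_argv(realm, display_name)) or "[]")
    ids = [r["id"] for r in rows
           if r.get("name") == display_name and r.get("providerId") == "ldap"]
    if len(ids) != 1:
        raise LookupError(f"expected one LDAP provider named {display_name!r}, got {len(ids)}")
    return ids[0]

def add_uid_and_resync(realm: str, display_name: str, users_dn: str, uid: str,
                       current_filter: str, dry_run: bool = True) -> list:
    """Update Users DN and the filter, then trigger a full sync (two kcadm calls)."""
    cid = "<component-id>" if dry_run else ldap_component_id(realm, display_name)
    steps = [update_ldap_argv(realm, cid, users_dn, or_uid_into_filter(current_filter, uid)),
             full_sync_argv(realm, cid)]
    return [run(step, dry_run) for step in steps]

if __name__ == "__main__":
    # Dry run: print the exact commands instead of executing them.
    for line in add_uid_and_resync("master", "ldap", "ou=people,dc=entp,dc=abc",
                                   "tuser", "(uid=user)"):
        print(line)
    print(run(set_user_attributes_argv("master", "<user-id>",
              {"appid": "SURE_APP", "tenantId": "T0", "ugId": "Admin_UserGroup"}), True))
```

Run it as-is to see the commands it would issue; pass `dry_run=False` to execute them. Keeping the argument lists as data also gives you something to log and review before a change window, and the escaping in `or_uid_into_filter` matters as soon as the uid comes from anywhere but a trusted operator.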