Simulate / call check-sso with curl
by Christophe Lehingue
Hello,
Is it possible to perform the equivalent of the call to the JavaScript
function 'check-sso' in curl?
Thank you for your help,
8 years, 1 month
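As an added example (not part of the original post, and not Keycloak project code), this is what a curl emulation of keycloak.js check-sso looks like: check-sso is an OpenID Connect authorization request with prompt=none, and the answer is a redirect whose Location either carries an authorization code (SSO session present) or error=login_required (no session). The server URL, realm, client id, redirect URI and cookie-jar path are assumed placeholders; the classification logic is pure shell and runs without a server.

```shell
#!/bin/sh
# Added example, not part of the original post: emulate keycloak.js
# check-sso with curl. keycloak.js check-sso sends an OpenID Connect
# authorization request with prompt=none. Keycloak never renders a login page
# for such a request; it answers with a redirect whose Location contains
# either an authorization code (the browser has an SSO session for the realm)
# or error=login_required (it does not). Server URL, realm, client id and
# redirect URI below are assumed placeholders.

KC_BASE="${KC_BASE:-https://keycloak.example.com/auth}"   # assumed
REALM="${REALM:-demo}"                                      # assumed
CLIENT_ID="${CLIENT_ID:-my-spa}"                            # assumed, public client
REDIRECT_URI="${REDIRECT_URI:-https://app.example.com/}"    # assumed, must be registered

# Authorization endpoint for a realm (Keycloak 3.x path layout with /auth prefix).
auth_endpoint() {
  printf '%s/realms/%s/protocol/openid-connect/auth' "$1" "$2"
}

# Interpret the Location header Keycloak redirects to. Works for both query
# (response_mode=query) and fragment (response_mode=fragment) responses.
# Prints: authenticated | not_authenticated | error:<code> | unexpected
classify_sso_redirect() {
  case "$1" in
    *"error=login_required"*)           echo not_authenticated ;;
    *"?code="*|*"&code="*|*"#code="*)   echo authenticated ;;
    *"error="*)
      echo "error:$(printf '%s' "$1" | sed -n 's/.*error=\([^&#]*\).*/\1/p')" ;;
    *)                                  echo unexpected ;;
  esac
}

# Live check. The browser sends the realm's SSO cookies (KEYCLOAK_IDENTITY,
# KEYCLOAK_SESSION) automatically; curl has to be given them, e.g. from a
# Netscape-format cookie jar exported from the browser. Without the cookies the
# answer is always not_authenticated: the check is bound to the cookie, not
# to the URL, so knowing the request alone proves nothing.
check_sso() {
  cookie_jar="$1"
  location=$(curl -s -o /dev/null -D - -G \
      --cookie "$cookie_jar" \
      --data-urlencode "client_id=$CLIENT_ID" \
      --data-urlencode "redirect_uri=$REDIRECT_URI" \
      --data-urlencode "response_type=code" \
      --data-urlencode "scope=openid" \
      --data-urlencode "prompt=none" \
      --data-urlencode "state=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')" \
      "$(auth_endpoint "$KC_BASE" "$REALM")" \
    | awk 'tolower($1) == "location:" { sub(/\r$/, ""); print $2 }')
  classify_sso_redirect "$location"
}

if [ "${1:-}" = "--live" ]; then
  check_sso "${2:-cookies.txt}"
else
  # Offline demonstration on constructed Location headers.
  for loc in \
    'https://app.example.com/?state=a1&session_state=s1&code=c1' \
    'https://app.example.com/#error=login_required&state=a1'; do
    printf '%s -> %s\n' "$loc" "$(classify_sso_redirect "$loc")"
  done
fi
```

Run it as `./check-sso.sh --live cookies.txt` against a real realm; without `--live` it only classifies the two constructed redirects. The code returned in the authenticated case is single-use and bound to the client and redirect URI, so the script deliberately does not exchange it.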
Multi-country domain
by Raúl Medeiros
Hello,
We need to develop a domain with multiple countries and one admin per
country. Those admin users can only see, edit and create users that belong
to their country. I don't know if the best approach to set a country on a
user is as an attribute or by creating one group per country.
I would like to know what would be the best approach to solve this and if
it's possible to restrict one admin user to managing only its country's users.
Thank you,
Raul
8 years, 1 month
Obtaining permissions for resources which are not registered as Keycloak Resources
by Marcel Német
Hi,
We have an application with a large number of documents which are being
sent between companies. A company can have multiple users. We have many
companies, and users can (on behalf of their company) send documents to
another company. Then the document can be accessed either by the users of the
sending company or the users of the receiving company. All documents can
also be accessed by our customer-care operators (but this is a simple case
which can be easily covered by role-based access control). Our data and
users are in a SQL Server DB, so we would like to use the user federation
interfaces to get the users.
I would like to solve the problem in following way:
1. Using user federation, add a "company ID" custom attribute to the identity
token of each user.
2. Write a rule-based Policy in Java or JavaScript named "Only users which
belong to a sender or receiver company"
3. When somebody wants to access a document with ID "abc-123" which was
sent by company "bbb" and received by company "ccc" the Java or JavaScript
policy could - based on the resource ID "abc-123" and based on the "company
ID" custom attribute - query our database to see whether the "company ID"
of the logged-in user is a sender company or a receiver company of a given
document
3*. Optionally the sender and receiver company of the document could be
sent along as additional attributes in the permission ticket by the policy
enforcer, then the resource server would do the reading from the database
and Keycloak Policy can decide without DB connection. But I am not sure
this is secure, the permission ticket from policy enforcer could be
manipulated and the company ID of a hacker's company could be added as a
sending company, then the hacker could access all documents. But I guess
permission tickets are protected against manipulation.
The problems which I am facing:
Regarding step 3, the only way to get the "document ID" into the
$evaluation.permission variable of the Java/JavaScript Policy is to create
a Keycloak resource for every single document with a matching name and a
matching URI (e.g. name="abc-123" and URI="/document/abc-123").
It seems complicated to me to create a resource for every document which
we have and then delete those resources when we delete the documents, since
the same policy applies to all documents anyway. We have huge numbers of
documents being sent every day between companies. At the same time, if we
do not create a Keycloak resource for every document, then I believe we can
not configure the policy enforcer to use the "/document/{id}" wildcard. The
Authorisation server will not receive the document ID unless there is a
Keycloak resource with the same name. Ideally, the Keycloak server should
be able to grant permissions even if it does not have a resource registered
and apply policies registered with URI /document/*. The
$evaluation.permission variable should also hold the full URI, not the
one with a wildcard. I understand that currently, the URI in
$evaluation.permission will be "document/*" even when a user is accessing
"/document/abc-123" (unless we create a Keycloak resource for every
document with a matching URI).
To summarize:
It would be great if the policy enforcer could obtain permissions to access
document "abc-123" even without creating resource "abc-123" in Keycloak.
The idea is that the policy enforcer asks "Can this user access
document abc-123?"
and the Java policy in the Keycloak can decide based on the ID of the
resource and additional data inside the identity token or based on queries
to our DB.
Is there a workaround or recommended solution?
I have read through the previous mail-list topics below, and I saw that
some user "hacked" the policy enforcer to send the precise URI from the
policy enforcer. Or is there another way to pass the document ID to
Keycloak Policy (i.e. inside $evaluation.permission) without creating a
Keycloak resource for every document? Is there a feature request in Jira
which would cover such use cases? Allowing Keycloak to grant permissions
for resources without having to register all resources in Keycloak would
make it a more general solution.
Related topics from the mailing list:
"Performance with a large number of resources":
http://lists.jboss.org/pipermail/keycloak-user/2017-May/010583.html
and
"Additional attributes for an authorization request":
http://keycloak-user.88327.x6.nabble.com/keycloak-user-Additional-attribu...
Kind regards,
Marcel
8 years, 1 month
2FA protection for a specific resource
by Malys
Hi,
I want to protect a high-risk feature with 2FA. Historically, we use
2FA SMS. I want to propose the same feature but ideally, I wish to be able
to integrate also the native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>
).
I have searched in the Keycloak 3.4.3 documentation but, using the same realm, I
haven't seen any feature to ask for 2FA when the final user wants to access a
specific resource.
The role mechanism allows managing access (403 - 200) but it seems that it
doesn't cover my use case.
I'm not sure that UMA 2.0 could offer this feature. Moreover, it
isn't implemented yet.
Level of assurance seems very good but it isn't implemented yet and it would
be difficult to do it.
I could include a servlet filter on the business application (JBoss adapter)
to route the user to the 2FA authenticator when he wants to access the resource.
But in this case, I have to propagate a state between Keycloak and the Java
adapter to not ask for the 2FA code on each access.
It could be a little bit tricky in cluster mode (stateless service).
Below, I describe the use case.
<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_ma...>
Do you have any idea to cover this use case easily based on native Keycloak
features?
If that isn't the case, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technique agnostic)
Thank you for sharing your experience.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
8 years, 1 month
Keycloak 3.4.3: Login with Kerberos and Active Directory with multiple domains seems not to work.
by Kraenzlein, Ralph
Hi,
we are trying out Keycloak 3.4.3 as a Federation Service with Kerberos and Active Directory with multiple domains (like ADFS).
First we only test authentication with Keycloak, Kerberos ticket and Active Directory with multiple domains.
Problem:
Keycloak only seems to read the sAMAccountName from the Kerberos ticket, not the realm/domain. If the sAMAccountName is in the top-level (or highest-prio) Federation Provider, authentication is successful. If not, it fails.
It is crucial that Keycloak knows in which AD domain the user from the Kerberos ticket is located. Otherwise Keycloak is not able to get the correct claims for the user.
Test environment:
Keycloak 3.4.3 standalone on Centos 7 with a Keycloak REALM EMP_AD.
We configured 3 LDAP Federation Providers (with Kerberos Integration) for 3 AD Domains: DE.MIT.NET, FR.MIT.NET and BE.MIT.NET.
Each Federation Provider has been configured with the following parameters: vendor: Active Directory, UserName LDAP attribute: sAMAccountName, Kerberos REALM: "Name of AD/Kerberos Domain", ...
sAMAccountName is unique in each AD domain, but not in the forest. In the forest only userPrincipalName is unique.
We made the Kerberos configuration as described in the Keycloak docs. Also included a keytab file. Our productive company AD and KDCs are used.
2 test users: john.smith(a)de.mit.net (UPN in domain DE.MIT.NET), john.smith(a)fr.mit.net (UPN in domain FR.MIT.NET). The sAMAccountName for both users is john.smith.
Testing:
Since we are just testing how Keycloak can handle Kerberos, AD and multiple domains, we just call the admin realm URL for login tests: https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console
First scenario:
User john.smith is already authenticated on his Windows 7 client (AD domain DE.MIT.NET). In Keycloak only the Federation Provider for AD domain DE.MIT.NET is enabled.
When calling https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console user john.smith gets a Kerberos ticket for Keycloak. In the ticket the user is identified with his sAMAccountName and his Kerberos REALM (AD domain):
klist:
Client: john.smith @ DE.MIT.NET
Server: HTTP/DUS212kcsrv.wert.net @ DAS.MIT.NET
KerbTicket (encryption type): RSADSI RC4-HMAC(NT)
Ticket flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
...
Result: User john.smith from AD domain DE.MIT.NET is automatically and successfully authenticated in Keycloak. --> Successful
Second scenario:
Same as the first scenario, but this time only the Federation Provider for AD domain FR.MIT.NET is enabled (user john.smith is also available in domain FR.MIT.NET).
Even though the Kerberos ticket of user john.smith from AD domain DE.MIT.NET is used, in Keycloak john.smith from AD domain FR.MIT.NET is authenticated.
--> NOT successful
Third scenario:
Same as the first scenario, but this time all FPs are enabled in Keycloak. The FP for domain BE.MADM.NET is on top of the list (or has the highest prio). In BE.MADM.NET user john.smith does not exist.
Keycloak only looks up john.smith in the Federation Provider for domain BE.MADM.NET. Since there is none, access to Keycloak failed:
server.log:
2018-03-08 16:37:03,121 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) Kerberos/SPNEGO authentication succeeded with username [john.smith], but couldn't find or create user with federation provider [BE.MADM.NET]
2018-03-08 16:37:03,122 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=EMP_AD, clientId=security-admin-console, userId=null, ipAddress=10.12.45.34, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console/, code_id=27a1da71-b5f2-4416-a0dd-6005b409a60a, response_mode=fragment
Best regards
Ralph
Geschäftsanschrift/Business address: METRO SYSTEMS GmbH, Metro-Straße 12, 40235 Düsseldorf, Germany
Aufsichtsrat/Supervisory Board: Heiko Hutmacher (Vorsitzender/ Chairman)
Geschäftsführung/Management Board: Dr. Dirk Toepfer (Vorsitzender/CEO), Wim van Herwijnen
Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232
Regarding mails from *(a)metrosystems.net
This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail.
8 years, 1 month
Re: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Meissa M'baye Sakho
Stephen, the postgres-ha docker image is deprecated. It's clearly stated
in the following:
https://hub.docker.com/r/jboss/keycloak-postgres/
@Marco, I understand your point.
Maybe you need to extend the keycloak image.
Meissa
On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie <stephen(a)chassi.com> wrote:
> Actually, the postgres-ha docker image that is tagged for 3.4.3.Final
> installs version 3.4.2. I had to rebuild that image myself and replace the
> "latest" tag with a "3.4.3.Final" tag in order to have the correct version.
>
> Regards,
> Stephen
>
> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Marco,
>> which docker image are you using?
>> The latest docker image that relies on Keycloak 3.4.3 has been updated to
>> handle either postgresql or mysql.
>> You'll find information you're looking for in the following link at the
>> PostgreSQL section.
>> https://hub.docker.com/r/jboss/keycloak/
>> thanks,
>> Meissa
>>
>>
>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas <marco.pasopas(a)gmail.com>
>> wrote:
>>
>> > Hi there,
>> >
>> > i am trying to use the Docker Image for Keycloak but I seem to be
>> unable to
>> > set a schema for the tables that are created in PostgreSQL. Currently
>> all
>> > tables end up in the public schema.
>> > Is there a way that i can instruct Keycloak to create the tables inside
>> a
>> > schema?
>> >
>> > Kind regards,
>> > Marco Pas
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
8 years, 1 month
How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Marco Pas
Hi there,
i am trying to use the Docker Image for Keycloak but I seem to be unable to
set a schema for the tables that are created in PostgreSQL. Currently all
tables end up in the public schema.
Is there a way that i can instruct Keycloak to create the tables inside a
schema?
Kind regards,
Marco Pas
8 years, 1 month
Keycloak with XA Datasource and Timeout Errors
by Niels Bertram
Hi there,
we have a user federation provider that requires us to run the Keycloak JPA
datasource with XA. Things do appear to work but when a user times out on
the login page or the like, I get the error below in the logs.
I don't want to mute the logger in case of real errors but I also don't
want to get errors for normal use cases. Can this be silenced otherwise?
Cheers,
Niels
15:35:12,425 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-12) Uncaught server error: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228
    at org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:77)
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
    at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
    at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a85667:-3663f319:5aa4b6ff:228
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1279)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
    at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
    at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
    at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
    ... 54 more
8 years, 1 month
Run commands with jboss-cli when server is off.
by hmidi slim
Hi,
I want to add some system properties with jboss-cli:
jboss-cli.sh --connect \
  --commands='/system-property=keycloak.migration.action:add(value=export),/system-property=keycloak.migration.provider:add(value=dir),/system-property=keycloak.migration.dir:add(value=export_dir)'
This instruction will only be executed if the server is running. Can I
execute this instruction when the server is off?
8 years, 1 month
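As an added example (not the poster's command, and not Keycloak project code), the usual way to write management-model changes while the server is stopped is jboss-cli's embedded server: `embed-server` boots an in-process, management-only instance against the configuration file, the operations are persisted to the XML exactly as with `--connect`, and `stop-embedded-server` shuts it down. JBOSS_HOME, the config file name and the export directory below are assumed placeholders; the script-rendering and validation functions run without JBoss installed.

```shell
#!/bin/sh
# Added example, not the original poster's command: set the Keycloak export
# system properties while the server is stopped, using jboss-cli's embedded
# server. embed-server boots an in-process management-only server against the
# configuration file, so no running instance and no open port are needed; the
# properties are persisted into the XML exactly as with --connect.
# Assumed: JBOSS_HOME is the Keycloak install directory and standalone.xml is
# the profile you actually start with (use standalone-ha.xml for a cluster).

JBOSS_HOME="${JBOSS_HOME:-/opt/keycloak}"            # assumed path
SERVER_CONFIG="${SERVER_CONFIG:-standalone.xml}"

# Reject anything that is not a valid migration setting. Values end up inside
# the server configuration and inside CLI syntax, so quotes and parentheses
# in the target path are refused rather than escaped.
validate_migration_args() {
  case "$1" in export|import) ;; *) echo "action must be export|import" >&2; return 1 ;; esac
  case "$2" in dir|singleFile) ;; *) echo "provider must be dir|singleFile" >&2; return 1 ;; esac
  case "$3" in
    ""|*\"*|*\'*|*\(*|*\)*) echo "target path is empty or contains quote/parenthesis" >&2; return 1 ;;
  esac
  return 0
}

# Render a CLI script. op=add writes the three properties; op=remove deletes
# them again, which you want after the export has run, otherwise every later
# normal start re-runs it. provider dir uses keycloak.migration.dir,
# singleFile uses keycloak.migration.file.
render_cli_script() {
  op=$1; action=$2; provider=$3; target=$4; config=$5
  if [ "$provider" = dir ]; then target_key=dir; else target_key=file; fi
  echo "embed-server --server-config=$config --std-out=echo"
  if [ "$op" = add ]; then
    echo "/system-property=keycloak.migration.action:add(value=$action)"
    echo "/system-property=keycloak.migration.provider:add(value=$provider)"
    echo "/system-property=keycloak.migration.$target_key:add(value=$target)"
  else
    echo "/system-property=keycloak.migration.action:remove"
    echo "/system-property=keycloak.migration.provider:remove"
    echo "/system-property=keycloak.migration.$target_key:remove"
  fi
  echo "stop-embedded-server"
}

# Write the script to a temp file and run it with the server offline.
apply_offline() {
  op=$1; shift
  validate_migration_args "$@" || return 1
  script=$(mktemp) || return 1
  render_cli_script "$op" "$@" "$SERVER_CONFIG" > "$script"
  "$JBOSS_HOME/bin/jboss-cli.sh" --file="$script"
  rc=$?
  rm -f "$script"
  return $rc
}

# Usage: ./kc-migration.sh add    export dir /var/lib/keycloak/export
#        ./kc-migration.sh remove export dir /var/lib/keycloak/export
if [ $# -ge 4 ]; then apply_offline "$@"; fi
```

Run the `add` form, start Keycloak once so the export happens, stop it, then run the `remove` form; leaving the properties in place means every subsequent start exports (or, worse, imports) again.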
Create realm from java admin client with access token vs username+password
by Nhut Thai Le
Hello,
In the admin client I see there is an overloaded method to create a Keycloak
instance using a token (Keycloak.getInstance(serverUrl, realm, clientId,
authToken)). Is this considered more secure than using the
username+password? Since, if I'm using the access token in the method above,
I still need to make another call earlier with the username + password to
get the token, either way the username + password will be in my code repo.
I think I can create an account in the master realm with role create-realm;
can I use that as a service account, or is there an existing service account
somewhere in the master realm?
I'm trying to integrate Keycloak into my multitenancy application where each
client has its own realm to configure its security. My application needs to
create the realm when the client registers with my app.
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use
of the individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient, you are hereby notified that any
viewing, dissemination, distribution, disclosure, copy or use of the
information contained in this e-mail message is strictly prohibited. If you
have received and/or are viewing this e-mail in error, please immediately
notify the sender by reply e-mail, and delete it from your system without
reading, forwarding, copying or saving in any manner. Thank you.
8 years, 1 month
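As an added example (not the poster's code, and not Keycloak project code): the alternative to a stored admin username and password is a service account, i.e. a confidential client in the master realm with "Service Accounts Enabled" whose service-account user holds the master realm role create-realm and nothing more. The token is obtained with the client_credentials grant and spent on POST /admin/realms, which are the same two REST calls the Java admin client wraps. Server URL, client id, secret location and realm names below are assumed placeholders; the parsing and validation functions run offline.

```shell
#!/bin/sh
# Added example, not the poster's code: provision a realm with a service
# account instead of a stored admin username and password. The Java admin
# client is a thin wrapper over these two REST calls, so the same pattern
# applies there. Assumed setup, all names placeholders: in the master realm a
# confidential client "realm-provisioner" with "Service Accounts Enabled",
# whose service-account user has the master realm role create-realm and no
# other role (a leaked secret then cannot read or edit existing tenants).

KC_BASE="${KC_BASE:-http://localhost:8180/auth}"   # assumed
CLIENT_ID="${CLIENT_ID:-realm-provisioner}"        # assumed
# The secret comes from the environment or a file outside the repository.
CLIENT_SECRET="${CLIENT_SECRET:-$(cat "${CLIENT_SECRET_FILE:-/dev/null}" 2>/dev/null)}"

token_endpoint()  { printf '%s/realms/master/protocol/openid-connect/token' "$1"; }
realms_endpoint() { printf '%s/admin/realms' "$1"; }

# Pull access_token out of the token response without a JSON parser; the
# token is a compact JWS, so its character set is known in advance.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token":"\([A-Za-z0-9._-]*\)".*/\1/p'
}

# Tenant-supplied names become a path segment of /admin/realms/{realm};
# restrict them before they reach the API.
valid_realm_name() {
  case "$1" in "") return 1 ;; *[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

realm_payload() { printf '{"realm":"%s","enabled":true}' "$1"; }

get_token() {
  resp=$(curl -s -X POST "$(token_endpoint "$KC_BASE")" \
      -d grant_type=client_credentials \
      --data-urlencode "client_id=$CLIENT_ID" \
      --data-urlencode "client_secret=$CLIENT_SECRET") || return 1
  tok=$(extract_access_token "$resp")
  [ -n "$tok" ] || { echo "no access_token in token response" >&2; return 1; }
  printf '%s' "$tok"
}

# Prints the HTTP status of POST /admin/realms: 201 means created, 409 that
# the realm name is already taken.
create_realm() {
  valid_realm_name "$1" || { echo "invalid realm name: $1" >&2; return 1; }
  token=$(get_token) || return 1
  curl -s -o /dev/null -w '%{http_code}' \
      -X POST "$(realms_endpoint "$KC_BASE")" \
      -H "Authorization: Bearer $token" \
      -H "Content-Type: application/json" \
      --data "$(realm_payload "$1")"
}

# Usage: CLIENT_SECRET_FILE=/run/secrets/kc-provisioner ./create-realm.sh tenant-42
if [ -n "${1:-}" ]; then create_realm "$1"; echo; fi
```

The secret still has to live somewhere, but it is now a rotatable per-application credential with one role, not a human admin's password; in the Java admin client the equivalent is KeycloakBuilder with grantType client_credentials and the same client id and secret.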
Login issue when using KeyCloak as an identity broker
by The, Andrew
Hi,
I have configured KeyCloak as an Identity broker for OIDC use, and we are experiencing an issue when attempting to log in. I would appreciate some help regarding this situation.
Here are the steps we are using to experience the issue:
1) Connect to the SP, who redirects the user to sign on with KeyCloak;
2) The KeyCloak login page is displayed;
3) Select that IdP configured in KeyCloak; KeyCloak redirects the user to the IdP login page;
4) Login on that page; IdP redirects user to KeyCloak;
5) KeyCloak displays the "We're sorry." page.
Here is the error message found in the logs:
12:15:24,530 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-15) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:444)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:346)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
at sun.reflect.GeneratedMethodAccessor828.invoke(Unknown Source)
<snip>
My understanding is that KeyCloak requests a 'response_type' of 'code' flow for communication with the IdP. However when the IdP responds, KeyCloak appears to require a 'token' response.
The closest JIRA I found was https://issues.jboss.org/browse/KEYCLOAK-5441.
Thank you,
--
Andrew The | Director Consulting
Global delivery center - Saguenay | CGI
930, Jacques Cartier Est, 3rd floor, Chicoutimi (Québec) G7H 7K9
T: 877 696 6780 #1653251 | P: +1 418 696 6780 #1653251 | C: +1 418 540 4475
andrew.the(a)cgi.com
CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to CGI Group Inc. and its affiliates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such case, you should destroy this message and are asked to notify the sender by reply e-mail.
8 years, 1 month
Viewing permissions
by Corentin Dupont
Hi all,
I have a question around the representation and result of permissions.
Say I have an application that manages a socks inventory. The UI is
displaying a button to delete socks. However, some users don't have the
right to delete socks!
So, I perform a request to Keycloak to get the permission.
It works well: if the user doesn't have permission, the message
"authorization denied" is displayed on the screen.
However, it would be nicer to remove the "delete" button entirely.
My policies are quite complex and multi-dimensional: you can delete socks
if you are admin, but also if they belong to you, if you belong to some groups,
etc.
So anticipating the reply to an authorization request can be very hard.
What do you suggest? Should we perform a "test" authorization request
before displaying the "delete" button?
8 years, 1 month
mandatory fields when creating a new realm from admin-client
by Nhut Thai Le
Hello,
I used the admin-client to create a new realm and I just want the default
settings, so I only set the name and enabled:
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.RealmRepresentation;

// realmName holds the name of the realm to create
Keycloak keycloak = Keycloak.getInstance("http://localhost:8180/auth",
"master", "admin", "admin", "admin-cli");
RealmRepresentation newRealm = new RealmRepresentation();
newRealm.setRealm(realmName);
newRealm.setEnabled(true);
keycloak.realms().create(newRealm);
I can see the realm created and enabled but it seems like I cannot use it. When
I select the newly created realm, there is only one General tab and no menu
on the left to configure the realm, roles, clients,... I can't even delete the
realm since there is no delete button; trying to delete it from the master
realm's clients gives the following error: org.h2.jdbc.JdbcSQLException:
Referential integrity constraint violation: "FK_TRAF444KK6QRKMS7N56AIWQ5Y:
PUBLIC.REALM FOREIGN KEY(MASTER_ADMIN_CLIENT) REFERENCES PUBLIC.CLIENT(ID)
('9626e6d0-bbd6-44bc-8b61-06be07d08a17')"; SQL statement:
delete from CLIENT where ID=? [23503-193]
As I look at the RealmRepresentation (
http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_realmrepresenta...),
all the fields are optional, which I assume means they have default values if not
specified. If this is a wrong assumption, could anyone tell me which fields
I should set to have a working realm?
I'm using 3.4.3.Final by the way.
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
8 years, 1 month
Authenticate against multiple realm management clients simultaneously
by moritz.becker@gmx.at
Hi,
I use Keycloak to secure an application that has two types of users: vendors
and customers.
I created one 'customer-realm' and one 'vendor-realm'.
Each realm also has one client which the application authenticates against,
depending on whether the vendor login or the customer login is used.
I also have a backoffice application that is separate from my main
application. Backoffice users should be able to manage both vendors and
customers.
I planned to utilize the auto-created realm management clients in the master
realm called 'customer-realm-realm' and 'vendor-realm-realm' that would
allow me to assign permissions to users in the master realm to manage the
other realms as needed.
However, when a user logs in to the backoffice application, it can only
authenticate against one of the realm management clients and not both (as
far as I see). So the user would only receive half of the required permissions.
What is the best approach here?
Thank you!
8 years, 1 month
Keycloak - Application Clustering with sticky session
by Ariel Carrera
When you use "application.session.host" in the client's admin URL, in some
environments there is no way to reach the exact application node (with the
session created) to send a logout signal.
Keycloak doesn't have port number information inside "application.session.host",
so it is impossible to reach the exact application server node.
So... when your environment has more than one application server (WildFly,
JBoss, etc.) listening using port offsets... Keycloak tries to reach
application.session.host (port 80) but it's not a valid endpoint.
Is there a variable available for this (something like
"application.session.port")?
Thanks,
--
Ariel Carrera
8 years, 1 month
Re: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode
by Marek Posolda
On 07/03/18 13:51, Chervine Majeri wrote:
> Hi,
> We're considering attempting the exact same setup, with 2 standalone
> keycloaks connected to the same backend DB.
>
> User session is one example. There are some other things, which won't
>
> work. We never tried to test such setup and I wouldn't do it.
>
> From what I've seen, only what's stored in the cache ends up being
> different, meaning the HA models really only differ in that they have
> a distributed cache. Is this correct? Or does it affect the connection
> to the DB too?
>
> From that assumption, seeing the content of "standalone-ha.xml", I see
> that it's mostly session related stuff and things like loginFailures
> that end up in the distributed cache.
> Since we have a session cookie, unique for every session, can we use
> session stickiness in the reverse-proxy to circumvent most the issues?
The session stickiness is usually not sufficient. The OpenID Connect
specification uses some "backchannel" requests, which are not sent as
part of the browser session, but are sent directly between the client
application and Keycloak (for example the code-to-token request, refresh
token request etc.). Those requests won't see the sticky session cookie, and
hence can be directed to a different node than the one who owns the session.
The only possibility where everything may work is if all your clients are
using the keycloak.js adapter (JavaScript clients run fully inside the browser
and so they can participate in the sticky session, as backchannel requests
are sent from the browser as well).
There are also some other cases when a sticky session is not sufficient.
For example in scenarios when mail is sent to the user (e.g. "Forget
password" functionality) and the user clicks on the link, but the link is
opened in a different browser than the one who "owns" the sticky session
cookie. Then it may happen that the request is served on a different browser
than the one who owns the session.
Finally, invalidations won't work. Keycloak uses caches to cache some
data for performance reasons. Those caches are "realms", "users" and
"keys". Every cluster node caches the data locally, however when some
change happens (data are updated), then the node who did the update
must notify the other nodes in the cluster about the change. If you don't use
a cluster, this won't work: the other cluster nodes won't be notified and
will still see stale data in their caches. In other words, when for
example you update user "john" on node1, then node2 won't be aware of
this update and will still see stale (old) data of user "john" in its
cache. The only possible workarounds are:
- Disable the cache entirely (see our docs for more details)
- Ensure that the cache is cleared after every update (this is usually not
possible to achieve unless you have some special kind of deployment (e.g.
something close to a read-only deployment)).
Marek
>
> Obviously the loginFailures feature wouldn't work all that well, but
> that would be acceptable for my use-case.
>
> Thanks,
> Chervine.
8 years, 1 month
Login UI locale reverting to browser's on wrong user/password
by Carlos Villegas
Hi,
I'm using the docker image version 3.4.0.Final. I've set up a realm and enabled internationalization, and set the default locale to English.
I'm using the JavaScript adapter and I set the locale I want in the login options. I have a custom theme where I've hidden Keycloak's login screen locale selection menu. I'm sending the locale using the login options of the login call of the JavaScript adapter.
The Keycloak login screen comes up in the correct locale I requested in the login options. However, if I put in the wrong password and submit, the next error screen comes up in what seems to be the web browser's default language.
For example, in an English Windows 10 installation using Chrome which is in English, I request the Japanese locale. The Keycloak login screen comes up correctly in Japanese, but if I enter the wrong password, the next error screen requesting to re-enter login info is in English, all labels and error messages in English. It seems Keycloak is forgetting my locale option and using the browser's.
Using the same server, from a Japanese Windows 10 machine, using Chrome in Japanese, the user requests the English locale and correctly gets the English login screen. They enter the wrong password, and the next error screen is in Japanese! Note that this is not even the default locale I've set up in Keycloak, which is English.
I see in the login URL sent from the client that the ui_locales parameter is properly set to the value I want; as I said, the first login screen is in the correct locale I've requested. The problem is that if there's any error, the screens with error messages don't have the correct locale.
Any idea of what can be happening, and if by any chance this has been corrected in the latest version of Keycloak? I haven't had the chance to test the latest version yet.
Cheers,
Carlos
8 years, 1 month
Restrict Enduser Access to some Clients.
by Jakob Ackermann
Hello Keycloak users,
I'm trying to achieve the following scenario with Keycloak and failing.
I've read through the documentation and could not find how I'm supposed to solve
this. If someone could help me by pointing me in the right direction it would be
much appreciated.
Realm: organization
clients:
google (as SP)
custom01
custom02 (without access to check for roles in the authentication script)
user roles:
user-google
user-custom01
user-custom02
users:
user1 -> roles: user-google, user-custom01
user2 -> roles: user-custom02
How can I permit only users with role user-google to access the google
client? For custom clients I can change the code to look for the role, but
most SSO setups like Google don't have an option to do this. Is there a way
in Keycloak to restrict access?
Thanks so much.
8 years, 1 month
Java client for managing keycloak
by Nhut Thai Le
Hello,
Is there a java libraries that correspond to the Keycloak admin REST API ?
I just want to make
sure i don't reinvent the wheel by using Apache httpclient to call Keycloak
admin API.
Thank you
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
8 years, 1 month
How do I set a field for idToken when implementing custom Provider / Authenticator?
by Dominik Guhr
Hi all,
so I created a custom Provider for my legacy DB and a custom
authenticator due to special requirements.
Now when I debug in validatePassword in
AbstractUsernameFormAuthenticator.java, I get the user entity with all
the fields I need.
Now my concrete question is: How do I map these fields to the idToken
to use them in my application?
I tried adding a User Attribute Mapper to my client directly, but this
gives me a nullpointerexception.
Also, in Admin Interface, the Field "Mappers" is missing from my custom
Provider. Perhaps this is the fault? Did I forget to implement one
thing? I used the storage-jpa example.
Any hints would be highly appreciated. If some code is needed, just ask :-)
Best regards,
Dominik
8 years, 1 month
Cannot create users when a Kerberos Federation is configured but the KDC is unreachable
by Jim Groffen
Hello folks,
I am using KeyCloak (3.4.3) with a Kerberos based User Federation - using a
keytab only with no communication available between the KDC and the
KeyCloak server. Note that no connection between the KDC and KeyCloak is
possible in my scenario so I need to rely on the keytab alone for
authentication.
This works well - new users from the network that can perform Kerberos auth
just need to add any missing information on first login. I have noticed the
following problem though:
I also need to add users manually to KeyCloak. I find that I have to
disable the Kerberos based User Federation to create a non-Kerberos based
user, or I get an error.
Digging in to the logs I find that KeyCloak is attempting to query the KDC
directly, which fails with:
DEBUG [org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator] (default task-10) Message from kerberos: Cannot locate KDC
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: org.keycloak.models.ModelException: Kerberos unreachable
at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
...
Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
...
Caused by: KrbException: Cannot locate KDC
at sun.security.krb5.Config.getKDCList(Config.java:1084)
...
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm XXXXXXX
I have verified that I can successfully create a user in KeyCloak if the
KDC is accessible. In this case KeyCloak logs no error, simply reporting
that the user was not found in the KDC.
Given the above, I have a few questions I'm hoping you can help me with:
1: Am I trying to do something that is unsupported by KeyCloak?
2: If this is currently unsupported, would you like me to raise a feature
request?
3: If it should be supported, is it possible I mis-configured something, or
should I raise a bug report?
KeyCloak is behaving how I want for the most part. With some advice /
direction I could work on a pull request targeting this.
Thanks in advance,
Jim Groffen.
8 years, 1 month
How to communicate access token in microservice architecture
by hmidi slim
HI,
I have a node.js app designed with a microservice architecture and I'm trying
to add some roles for each service to deny access. Suppose that the
app consists of 3 services called service1, service2 and service3.
To access the main page of the app, a user should enter a login and
password to authenticate against the keycloak server. If the authentication
succeeds it will show the index page. In the index page there are two
choices: resource B and resource C.
If a user checks resource B a query will be sent to service2 to get all the
data contained in it.
If a user checks resource C a query will be sent to service 3 to get all the
data.
In Keycloak admin console I created a realm MyApp with some realm role
RA_r (resourceA read) and RB_r (resource read) RC_r (resourceC read).
Then I created 3 clients called resource A and resource B resource C.
I created also a User called user and I associate for him the RB_r.
For each service I installed keycloak-connect and make the configurations
and I added the keycloak.json for each of them (
{
"serverUrl": url_auth_server,
"realm": "MyApp",
"clientId": "resource X",
"bearerOnly": true
}
)
In the service 2 I want to protect the get route:
app.get('/resource', keycloak.protect('realm:RB_r'), handler);
The query starts from the first service (service1) and arrives to service
2. I get a status code of 403. However when I delete
keycloak.protect('realm:RB_r') I receive the data.
I decoded the access token from the headers using jwt.io and I found that
the realm role (RB_r) exists.
So how can I transfer the access token between different services and
protect them using the RBAC mechanism? Did I miss something in the config or
should I add a specific configuration?
8 years, 1 month
Guest account
by Corentin Dupont
Hi all,
I have a javascript web app using keycloak for authentication.
When the user opens the app, he is first redirected to the Keycloak login
screen.
However it's a bit annoying for the user to have to create an account
before seeing anything.
Personally I close this kind of application :)
I would like that the application uses a "guest" account if the user is not
registered.
"guest" is a real keycloak account that have particular access rights.
How to do that? My application probably needs to provide login/password for
guest and store the token.
I use keycloak-js library. Now my login code is standard:
var keycloak = Keycloak({
  url: config.keycloakUrl,
  realm: config.realm,
  clientId: config.clientId
});
keycloak.init({ onLoad: 'login-required', checkLoginIframe: false }).success(authenticated => {
  if (authenticated) {
    store.getState().keycloak = keycloak;
    setInterval(() => {
      keycloak.updateToken(3600).success(function (refreshed) {
        getSensors();
        getUsers();
      }).error(function () {
        alert('Your session has expired, please log in again');
        keycloak.logout();
      });
    }, 10000);
    displayPage();
  }
}).error(function (error) {
  console.log("Authentication error. Check Keycloak params and cors issues.");
});
8 years, 1 month
Unable to access a resource with a given realm role
by hmidi slim
Hi,
I'm trying to protect some resources of my node.js app using the RBAC mechanism.
I have created a realm called MyApp and a user called user, then I created
some realm roles such as: res_r (read resource), res_u (update resource),
res_d (delete resource), res_c (create resource).
Then I tried to give the user User the realm role: res_r
After I configured keycloak using keycloak-connect, I added:
const router = require('express').Router();
router.get('/resource', keycloak.protect('realm: res_r'), handler);
However I'm not able to read the resource. I decoded the authorization with
jwt and got in the token:
"realm_access": {
  "roles": [
    "res_r",
    "uma_authorization"
  ]
},
"resource_access": {
  "account": {
    "roles": [
      "manage-account",
      "manage-account-links",
      "view-profile"
    ]
  }
},
How can I fix the problem?
8 years, 1 month
Question on Node.js adapter - Wrong response code when not logged in, maybe
by Luke Holmquist
Hi,
given this example application
https://github.com/bucharest-gold/nodejs-rest-http-secured , there is 1
endpoint "/api/greeting", it is protected with the basic keycloak-connect
setup.
https://github.com/bucharest-gold/nodejs-rest-http-secured/blob/master/ap...
If we run this locally, with "npm start", and just curl that endpoint,
"curl http://localhost:3000/api/greeting" it will return with a 403.
There was an issue raised that it should be a 401,
https://github.com/bucharest-gold/nodejs-rest-http-secured/issues/52
The way this comment makes it sound,
https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#...
is that the 403 is correct.
If we look at the complementary vert.x and swarm examples,
https://github.com/openshiftio-vertx-boosters/vertx-secured-http-booster and
https://github.com/wildfly-swarm-openshiftio-boosters/wfswarm-rest-http-s...
a similar curl will result in a 401 when not logged in.
I'm just wondering if the 403 from the node adapter is correct and if so, why
does it differ from the other runtimes.
-Luke
8 years, 1 month
How to setup CORS for Angular frontend and Spring Boot backend
by Peemöller, Björn
Hi,
I'm struggling to set up our application with Keycloak. First, let me explain our setup:
- We have an Angular 5 application as the frontend.
- We have a Spring Boot application providing a REST api as our backend.
- During build, the frontend is placed into the webapp folder, such that it is delivered as static content by the backend.
- The backend is secured using Keycloak.
- The user is automatically authenticated using Kerberos.
If I build the application and then request the frontend's index.html, then a redirect to /sso/login occurs, which redirects to Keycloak, which redirects back to the application, and authentication is successful. After that, calls to our backend api (for which the user must be authenticated and authorized), are also successful.
During development, however, the frontend is served using webpack (angular-cli), and the backend is served individually. In this setup, the index.html can be loaded without authentication, and the frontend then starts to call the backend API. At first, the backend directly returned a 401 Unauthorized, and I figured out that this was raised at the KeycloakAuthenticationEntryPoint since the request was considered to be an API request. To work around this problem, I replaced the KeycloakAuthenticationEntryPoint by a subclass not checking for API requests. After that, the API request is now redirected to /sso/login, which then redirects to Keycloak. Since now the host has changed, the invoking browser has to perform a CORS request, and thus issued a CORS preflight request using the OPTIONS method, to which Keycloak answers with a 204 No Content without any CORS headers, such that the preflight fails, even though the Keycloak client has been configured to allow CORS requests. In consequence, the backend API cannot be reached.
My questions now are:
- Is there some configuration that we are missing to allow authentication during API requests?
- The behavioral change of the KeycloakAuthenticationEntryPoint seems incorrect to me, as if I'm working against the intended design. Could you provide me some guidance on how to set up my frontend and backend? I can think of doing authentication directly in the frontend using the Keycloak JS library, but have found no indication that a REST API should not do (Kerberos) authentication itself.
Many thanks in advance,
Björn
Björn Peemöller
IT & IT Operations
BERENBERG
Joh. Berenberg, Gossler & Co. KG
Neuer Jungfernstieg 20
20354 Hamburg
Telephone +49 40 350 60-8548
Fax +49 40 350 60-900
E-Mail bjoern.peemoeller(a)berenberg.de<mailto:bjoern.peemoeller@berenberg.de>
www.berenberg.de<http://www.berenberg.de/>
Sitz: Hamburg - Amtsgericht Hamburg HRA 42659
This message, including any attachments, is confidential and may be subject to banking and data secrecy or otherwise contain legally protected data and information. If you are not the intended addressee or have received this message in error, please inform the sender immediately using the reply function. Then please delete this message, including any attachments, completely and without delay. Unauthorised copying or saving of this message and/or its attachments, as well as unauthorised disclosure of the data and information contained in it, is not permitted. We point out that legally binding declarations on behalf of our company generally require the signatures of two sufficiently authorised representatives of our company. We therefore do not send legally binding declarations by e-mail to third parties. Accordingly, we do not accept legally binding declarations or orders from third parties by e-mail either.
If you have difficulty opening this e-mail, please contact the sender or info(a)berenberg.de. Please refer to http://www.berenberg.de/my_berenberg/disclaimer_e.html for our confidentiality notice.
8 years, 1 month
"Error! Realm with same name exists" when trying to change theme
by Dominik Guhr
Hi all,
So I tried to create a new realm and use a theme that is also used in a different
realm, but all I get is the error message "Error! Realm with same name
exists" when trying to apply the theme (click on save).
Logs are stating this:
2018-03-06 10:50:32,065 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-25) HHH000010: On release of batch it still contained JDBC statements
2018-03-06 10:51:38,652 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) SQL Error: 1400, SQLState: 23000
2018-03-06 10:51:38,653 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-50) ORA-01400: Insert NULL in ("MY_TEST"."REALM_SUPPORTED_LOCALES"."VALUE") not possible*
Steps:
- I created one realm called "MYREALM" and applied the logintheme there
without a problem (used kc standard for admin and so on).
- Then I created the other one "MYREALM_DEV" and tried to apply the
custom theme.
- To check if its depending on the theme, I tried to apply the base
keycloak theme, same effect.
This workflow worked for another application perfectly with one theme
for different realms.
Seems very weird, as if the realm is created on DB level with the same name
as the old one instead of my given name.
So, could anybody give me a hint why SQL fails here? Or point me to the
relevant DB tables please so I could investigate further myself? Thanks
in advance!
Best regards,
Dominik
*: freely translated from german database locale ;)
8 years, 1 month
Weird reload issue in Keycloak + OIDC integrated application
by Pulkit Gupta
Hi Team,
We have integrated one of our Angular 1.X + REST based application with
RH-SSO 7.1.
The application is working fine and we are able to make all the
authorization and authentication functionality work.
We are using the standard flow with auth and refresh token.
However we are seeing an issue which we are not able to fix even after
multiple hit and try.
It goes like this:
When we open the application the adapter checks and redirects us to
authentication. SSO works and we are redirected to the application and are
logged in successfully. Everything works and now we are using the
application. Suddenly after 5 mins the site reloads even if we are actively
using the application. The reload works and now again we can use the
application for any duration and it never reloads again by itself and we
can work smoothly without any interruptions.
Please let me know in case someone has seen such an issue or can suggest
something which I can try.
--
PULKIT GUPTA
8 years, 1 month
Register new ProviderFactorys to Mappers
by Chris Brandhorst
We have developed a customised OIDCIdentityProviderFactory and OIDCIdentityProvider because some IdPs do not fully adhere to the standards. However, when using this Provider, the UserAttributeMapper (and other mappers) are not used because they have a fixed list of COMPATIBLE_PROVIDERS.
We would suggest adding a registerCompatibleProvider to the IdentityProviderMapper in order to extend the usage of these mappers.
Just checking before we take the effort of creating a nice PR: is this something you would see fly? If yes, would you suggest changing COMPATIBLE_PROVIDERS to a List<String> or a List<IdentityProviderFactory> and subsequently changing the getCompatibleProviders() implementations?
Thanks,
Chris
8 years, 1 month
Keycloak client hangs after creating 9 users
by Maickel Hagemann
Hi all,
I'm having some trouble with creating users, using the Keycloak Admin REST API in Java.
I'm trying to create a few dozen users in Keycloak and I want to send each user an email to notify them to update their passwords in a for-loop.
But every time, after creating a user and sending an email for 9 users, the Keycloak client hangs indefinitely when it's trying to send an email for the 10th user.
I'm running Keycloak in a docker container with PostgreSQL and MailHog.
Do any of you have any ideas?
Regards,
Maickel
8 years, 1 month
User Role(s) in Event
by vrinda nayak
Hello All,
For our dcm4che archive, we use Keycloak as an authentication layer. We
have built a custom Dcm4cheEventListenerProvider which implements
Keycloak's EventListenerProvider to listen to the LOGIN and LOGOUT events.
The Event class does not have roles of a user in the details. Based on
role(s) of a user, we have to emit specific audit messages.
Can someone please advise how we can extract the role(s) of a user when
events are being listened?
Thanks in advance.
Best Regards
Vrinda Nayak
8 years, 1 month
How to get permission to all child resources
by Nhut Thai Le
Hello,
We are new to Keycloak and we are exploring its abilities for securing our
web API. One thing we are trying to do is to get all permissions
associated with a user for all child resources in an RPT. For example, let's
say I'm trying to expose the folder Document on my file system to the
network via REST. This Document folder may have millions of files and
subfolders; most of them are accessible by all Users, some are only
available to Admin, and some are for Customers only.
On the Keycloak server, I would define 3 resources named:
"All Docs" with URL /Document/* and Role policy granting access to all Users
"For Admin" with URL /Document/Administration/* and Role policy granting
access to only Admins
"For Customer" with URL /Document/Products/* and Role policy granting
access to only Customers
If I use the entitlement API, I can ask if Sarah, who is a Users and a
Customers, can access "All Docs". However, if Sarah wants to know/list all
files under /Document/Administration/Contracts/Sarah/* then how should I
ask the entitlement API, since this URL is not declared as a resource in
Keycloak? If I can call the API for this path, I would like to receive from
the API some permissions info starting from /Document/Administration
because this is the closest ancestor known to Keycloak regarding the path
being asked.
Hope to get some insight soon
Thai
8 years, 1 month
Spring Boot with multiple Keycloak instances
by Cedric Thiebault
Hello,
We are developing a REST API (Spring Boot micro-services) secured by Keycloak.
We would like to use 2 different Keycloak instances:
- one for employees linked to our Active Directory
- one for our customers
The idea is to isolate environments to reduce the impact on customer side when modifying internal services...
Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks guys!). But I don't see in the documentation how to use 2 Keycloak instances, as we always refer to a single keycloak.json.
Is securing a Spring Boot app with 2 different Keycloak instances possible?
Thanks for your help!
Cedric
8 years, 1 month
stop keycloak server
by hmidi slim
Hi,
I'm trying to stop a server using this command:
*./bin/standalone.sh && ./bin/jboss-cli.sh -c --commands=shutdown*
The server was launched but it was not stopped. Is it not possible to
execute these two instructions sequentially?
8 years, 1 month
Client side token verification
by Rudolf Jurišić
Can the verification of jwt token be done on the client side, assuming the
client has the (same) secret that the server uses to sign the tokens?
Is this a good idea?
Or is it necessary to ask the server?
My components:
1. Web app - resource consumer
2. Resource server - Keycloak registered client, REST API, bearer-only
3. Keycloak - authorization server
Thanks
8 years, 1 month
Microsoft social identity provider returns id_token while access_token is expected
by Sid 0
I am using keycloak 3.4.1.Final (deployed by docker). Diving into the
issue, here are the logs:
WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-7) Truststore is disabled
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-7) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access token available in OAuth server response: {"id_token":"eyJ0eXAiOi..."}
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getFederatedIdentity(AbstractOAuth2IdentityProvider.java:279)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
Note: with my current setup I don't have any issue with Google identity
provider.
Please let me know if more information needed for solving this issue,
thanks.
--
Sid
8 years, 1 month
How to stop the keycloak server from standalone sh
by Aritz Maeztu
Hello,
I'm running a keycloak instance from a docker image, so when I start the
container everything is up and running. Now I want to export the realms
and users to deploy them in production and I've got two options:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm in trouble since the
wildfly server is launched with the docker container altogether. I can
browse into it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get an "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, think carefully whether it is necessary: the
environment is everyone's business.
8 years, 1 month
Stop keycloak server
by hmidi slim
Hi,
I'm looking for an option or a method to stop a running keycloak server in
docker to make the export of files. Is there any argument to pass to the
standalone.sh to stop the server?
8 years, 1 month
STOP KEYCLOAK SERVER IN DOCKER CONTAINER
by hmidi slim
When I tried to stop the server using ./bin/jboss-cli.sh shutdown, I got
this message:
*[disconnected /] command terminated with exit code 137*
And I'm redirected out of the container. Does anyone know how to shut down the
server in docker without exiting the container?
8 years, 1 month
REST API: Get List of users
by José Miguel Gonçalves
Hi,
How can I add permissions to all users (or a group of users) on a newly
created Realm to be able to access the list of users for that Realm?
Out of the box, if I perform:
GET /admin/realms/{realm}/users
I get a 403 Forbidden.
Best regards,
José Gonçalves
8 years, 1 month
Authorization issue (missing customized provider roles)
by Luis Villaça
Greetings,
I am implementing a strategy to reuse our company´s authentication /
authorization strategy with Keycloak. I´ve read the documentation and
started a use case based on the links below:
http://www.keycloak.org/docs/3.3/server_development/topics/providers.html...
http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/s...
So far I have a class that implements UserStorageProviderFactory and
instantiates my own Provider (implementing UserStorageProvider,
UserLookupProvider and CredentialInputValidator). For the last one
I've overridden the method "isValid..", where I am validating
UserModel by calling our solution, using credentials captured in the
Keycloak login screen, which works fine.
Now, at this same place I am also setting this user's roles (those
roles were never included in the Keycloak Realm, I am pulling them from my
provider), and the way I was able to push those into UserModel was
calling the grantRole method of my UserModel, and providing a UserAdapter
for that (AbstractUserAdapter throws a ReadOnlyException). I am able
to include my roles by using getRoleMappingsInternal (I use my own
Set<RoleModel>), so that in my SpringBoot configuration I am able to
use the setting below:
.antMatchers("/monitoring/**").hasRole("MONITOR_PORTAL")
The issue starts only when my access token lifespan expires (I've tested
it with different settings). It does a call to Keycloak, retrieves the
authenticated User, redirects back to my app, but the role I included
right after I logged in is lost.
I couldn't find anywhere in the server how to adjust this behavior, or
at least some point to intercept the event of token refresh. So a
couple of questions here:
1) Am I on the right path? Maybe I am overcomplicating something that
should be simpler.
2) How is UserModel rebuilt after refreshing the token?
3) Is there another SPI interface indicated for my case?
I appreciate your attention, thanks in advance!
My SpringBoot settings follow:
application.yml
=============
keycloak:
  realm: SpringBootCA4
  auth-server-url: http://10.30.211.101:8081/auth
  ssl-required: external
  resource: dashboard
  credentials:
    secret: 2xxxxxxf
  autodetect-bearer-only: true
  confidential-port: 0
  principal-attribute: preferred_username
build.gradle
===========
compile("org.springframework.boot:spring-boot-starter-web")
testCompile("org.springframework.boot:spring-boot-starter-test")
compile group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.0'
compile group: 'org.json', name: 'json', version: '20171018'
compile group: 'org.apache.poi', name: 'poi-ooxml', version: '3.17'
compile group: 'commons-io', name: 'commons-io', version: '2.6'
compile group: 'mysql', name: 'mysql-connector-java', version: '6.0.6'
compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '1.5.10.RELEASE'
compile group: 'org.keycloak', name: 'keycloak-tomcat8-adapter', version: '3.4.3.Final'
compile group: 'org.keycloak', name: 'keycloak-spring-boot-adapter', version: '3.4.3.Final'
8 years, 1 month
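Both the 403 on `GET /admin/realms/{realm}/users` (the "REST API: Get List of users" post) and the role that vanishes after a refresh (the post just above) come down to what is actually inside the access token, so the first check in either case is to decode it. For the admin API, Keycloak authorizes on client roles of the realm's `realm-management` client, which appear in the token under `resource_access["realm-management"].roles`; listing users needs `view-users` (the `realm-admin` composite grants all of them), assigned to the user directly or through a group, and the caller has to obtain a new token after the assignment. For the refresh case, Keycloak rebuilds the user for the refreshed token through the storage provider's lookup (`getUserById`), so roles held only in state populated while `isValid` ran are not on the adapter that lookup returns and never reach the new token; every adapter instance the provider hands back has to expose the roles from `getRoleMappingsInternal`. The script below is an added example, not from the thread or the Keycloak project: it assumes a confidential client with Direct Access Grants (the password grant) enabled, environment variables for the placeholder host and credentials, and GNU `base64`; the sample token at the bottom is constructed and unsigned, so the claim checks can be run offline.

```shell
#!/bin/sh
# Added example, not from the thread or the Keycloak project. Assumptions:
# KEYCLOAK_URL (…/auth), REALM, CLIENT_ID, CLIENT_SECRET, USERNAME and
# PASSWORD are set by the caller; the client allows Direct Access Grants;
# GNU coreutils base64 is available.

b64url_decode() {          # base64url -> bytes (re-pad, restore alphabet)
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Roles found under "<key>":{"roles":[...]} in a token, one per line.
# key is "realm_access" or a client id under resource_access (realm-management).
token_roles() {
  jwt_payload "$1" | tr -d ' \n' \
    | sed -n "s/.*\"$2\":{\"roles\":\[\([^]]*\)].*/\1/p" \
    | tr ',' '\n' | tr -d '"'
}
has_role() { token_roles "$1" "$2" | grep -qx "$3"; }   # has_role TOKEN KEY ROLE

json_field() { sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }  # crude; token responses only

get_token() {   # password grant -> JSON token response on stdout
  curl -sf "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
    -d grant_type=password -d "client_id=$CLIENT_ID" \
    -d "client_secret=$CLIENT_SECRET" -d "username=$USERNAME" -d "password=$PASSWORD"
}
refresh() {     # $1 refresh token -> JSON token response on stdout
  curl -sf "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
    -d grant_type=refresh_token -d "client_id=$CLIENT_ID" \
    -d "client_secret=$CLIENT_SECRET" -d "refresh_token=$1"
}

# Why does /admin/realms/{realm}/users answer 403 for this user?
check_admin_access() {
  access=$(get_token | json_field access_token)
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $access" "$KEYCLOAK_URL/admin/realms/$REALM/users")
  echo "GET /admin/realms/$REALM/users -> HTTP $status"
  echo "realm-management roles carried by the token:"
  token_roles "$access" realm-management
  has_role "$access" realm-management view-users \
    || echo "missing: client role view-users of realm-management (or the realm-admin composite)"
}

# Do the realm roles of the first token survive a refresh?
check_roles_survive_refresh() {
  resp=$(get_token)
  before=$(token_roles "$(printf '%s' "$resp" | json_field access_token)" realm_access)
  after=$(token_roles "$(refresh "$(printf '%s' "$resp" | json_field refresh_token)" \
            | json_field access_token)" realm_access)
  echo "before refresh: $(echo $before)"
  echo "after refresh:  $(echo $after)"
  [ "$before" = "$after" ] \
    || echo "roles changed: the adapter returned by getUserById does not expose them"
}

b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
# Constructed, unsigned sample token (not issued by any server) for offline checks.
SAMPLE_TOKEN="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url '{"realm_access":{"roles":["user","MONITOR_PORTAL"]},"resource_access":{"realm-management":{"roles":["query-users"]}}}')."

# usage: sh tokencheck.sh admin | sh tokencheck.sh refresh
if [ "${1-}" = admin ]; then check_admin_access; fi
if [ "${1-}" = refresh ]; then check_roles_survive_refresh; fi
```

`token_roles "$SAMPLE_TOKEN" realm-management` on the constructed token prints only `query-users`, which is exactly the situation behind a 403 on the users endpoint: the caller is authenticated, but the token carries no `view-users`. For the refresh check, a `MONITOR_PORTAL` that is present before the refresh and absent afterwards confirms the diagnosis in the lead-in; the fix then lives in the storage provider, not in Spring Security.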
Login with AD FS avoiding login page
by Fernando Quiroga
Hi everyone,
I'm following this post
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
to configure my application to log in with AD FS with the SAML protocol.
My setup is an Angular 5 UI using the keycloak-js adapter. When the app
starts I launch the Keycloak.init({ onLoad: 'login-required'}) method for
making the Keycloak login page appear. Right now I'm able to log in using
email and password or by clicking the SAML SSO button and logging in through
the AD FS login page.
What do I want to do? I want Keycloak to trigger the SAML SSO before
showing the login screen, I mean, if on my PC I'm logged in with an AD FS
account I want Keycloak to log me in directly with this account and only
take me to the login page if I'm not a member of the AD FS, so I could be
able to log in via email and password.
Regards
Fernando
8 years, 1 month
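The mechanism the post above is looking for is the `kc_idp_hint` query parameter: when the authorization request carries `kc_idp_hint=<identity provider alias>`, Keycloak skips its own login page and redirects the browser straight to that broker. With keycloak-js this is `keycloak.login({ idpHint: 'adfs' })` after `init()`, not an `onLoad` option. The hint forces the redirect for everyone who receives it; Keycloak does not probe AD FS membership first, so the fallback to the email/password form has to be a separate path (for example an explicit `login()` without the hint). The script below is an added example, not from the thread or the Keycloak project: it assembles the authorization URL by hand, with an ASCII-only percent-encoder, and uses curl to confirm where Keycloak redirects; the host, realm, client, redirect URI and the alias `adfs` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Keycloak project. Placeholders:
# KEYCLOAK_URL (…/auth), realm, client id, redirect URI and the IdP alias.

urlencode() {   # percent-encode $1 (ASCII input only; unreserved chars kept)
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}          # first character, then drop it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Authorization-code request that skips the Keycloak login page and goes
# straight to the broker named in kc_idp_hint.
# $1 base URL (…/auth), $2 realm, $3 client id, $4 redirect URI, $5 IdP alias
idp_auth_url() {
  printf '%s/realms/%s/protocol/openid-connect/auth?client_id=%s&redirect_uri=%s&response_type=code&scope=openid&kc_idp_hint=%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")" "$(urlencode "$5")"
}

# Do not follow the redirect; just show where Keycloak sends the browser.
# With a valid hint this is the broker endpoint, which then bounces on to AD FS.
probe() {
  curl -s -o /dev/null -w 'HTTP %{http_code} -> %{redirect_url}\n' "$(idp_auth_url "$@")"
}

# usage: KEYCLOAK_URL=https://sso.example.com/auth sh idphint.sh probe
if [ "${1-}" = probe ]; then
  probe "${KEYCLOAK_URL:-https://sso.example.com/auth}" demo angular-app \
        "https://app.example.com/" adfs
fi
```

A real request also carries a random `state` (and `nonce` for the implicit/hybrid flows), which keycloak-js generates itself; they are left out here so the URL is deterministic. If the probe answers with a 302 back to the Keycloak login page instead of the broker, the alias does not match an identity provider configured in that realm.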