Client side token verification
by Rudolf Jurišić
Can the verification of a JWT token be done on the client side, assuming the
client has the (same) secret that the server uses to sign the tokens?
Is this a good idea?
Or is it necessary to ask the server?
My components:
1. Web app - resource consumer
2. Resource server - Keycloak registered client, REST API, bearer-only
3. Keycloak - authorization server
Thanks
6 years, 9 months
Microsoft social identity provider returns id_token while access_token is expected
by Sid 0
I am using Keycloak 3.4.1.Final (deployed by Docker). Diving into the
issue, here are the logs:
WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-7) Truststore is disabled
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-7) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access token available in OAuth server response: {"id_token":"eyJ0eXAiOi..."}
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getFederatedIdentity(AbstractOAuth2IdentityProvider.java:279)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:399)
Note: with my current setup I don't have any issue with Google identity
provider.
Please let me know if more information is needed to solve this issue,
thanks.
--
Sid
6 years, 9 months
How to stop the Keycloak server from standalone.sh
by Aritz Maeztu
Hello,
I'm running a Keycloak instance from a Docker image, so when I start the
container everything is up and running. Now I want to export the realms
and users to deploy it in production and I've got two chances:
1- Copy the values from the MySQL database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm in trouble since the
WildFly server is launched together with the Docker container. I can
browse into it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get an "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretariat: 948 21 40 40
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's concern.
6 years, 10 months
Stop keycloak server
by hmidi slim
Hi,
I'm looking for an option or a method to stop a running Keycloak server in
Docker to make the export of files. Is there any argument to pass to
standalone.sh to stop the server?
6 years, 10 months
STOP KEYCLOAK SERVER IN DOCKER CONTAINER
by hmidi slim
When I tried to stop the server using ./bin/jboss-cli.sh shutdown, I got
this message:
[disconnected /] command terminated with exit code 137
And I'm redirected out of the container. Does anyone know how to shut down the
server in Docker without exiting the container?
6 years, 10 months
REST API: Get List of users
by José Miguel Gonçalves
Hi,
How can I add permissions to all users (or a group of users) on a newly
created Realm to be able to access the list of users for that Realm?
Out of the box, if I perform:
GET /admin/realms/{realm}/users
I get a 403 Forbidden.
Best regards,
José Gonçalves
6 years, 10 months
Authorization issue (missing customized provider roles)
by Luis Villaça
Greetings,
I am implementing a strategy to reuse our company's authentication /
authorization strategy with Keycloak. I've read the documentation and
started a use case based on the links below:
http://www.keycloak.org/docs/3.3/server_development/topics/providers.html...
http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/s...
So far I have a class that implements UserStorageProviderFactory and
instantiates my own Provider (implementing UserStorageProvider,
UserLookupProvider and CredentialInputValidator). For the last one
I've overridden the method "isValid..", where I am validating the
UserModel by calling our solution, using the credentials captured on the
Keycloak login screen, which works fine.
Now, at this same place I am also setting this user's roles (those
roles were never included in the Keycloak Realm; I am pulling them from my
provider), and the way I was able to push those into UserModel was
calling the grantRole method of my UserModel, and providing a UserAdapter
for that (AbstractUserAdapter throws a ReadOnlyException). I am able
to include my roles by using getRoleMappingsInternal (I use my own
Set<RoleModel>), so that in my Spring Boot configuration I am able to
use the setting below:
.antMatchers("/monitoring/**").hasRole("MONITOR_PORTAL")
The issue starts only when my access token lifespan expires (I've tested
it with different settings). It does a call to Keycloak, retrieves the
authenticated User, redirects back to my app, but the role I included
right after I logged in is lost.
I couldn't find anywhere in the server how to adjust this behavior, or
at least some point to intercept the event of token refresh. So I have a
couple of questions here:
1) Am I on the right path? Maybe I am overcomplicating something that
should be simpler.
2) How is UserModel rebuilt after refreshing the token?
3) Is there another SPI interface indicated for my case?
Appreciate your attention, thanks in advance!
My Spring Boot settings follow:
application.yml
=============
keycloak:
  realm: SpringBootCA4
  auth-server-url: http://10.30.211.101:8081/auth
  ssl-required: external
  resource: dashboard
  credentials:
    secret: 2xxxxxxf
  autodetect-bearer-only: true
  confidential-port: 0
  principal-attribute: preferred_username
build.gradle
===========
compile("org.springframework.boot:spring-boot-starter-web")
testCompile("org.springframework.boot:spring-boot-starter-test")
compile group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.0'
compile group: 'org.json', name: 'json', version: '20171018'
compile group: 'org.apache.poi', name: 'poi-ooxml', version: '3.17'
compile group: 'commons-io', name: 'commons-io', version: '2.6'
compile group: 'mysql', name: 'mysql-connector-java', version: '6.0.6'
compile group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '1.5.10.RELEASE'
compile group: 'org.keycloak', name: 'keycloak-tomcat8-adapter', version: '3.4.3.Final'
compile group: 'org.keycloak', name: 'keycloak-spring-boot-adapter', version: '3.4.3.Final'
6 years, 10 months
Login with AD FS avoiding login page
by Fernando Quiroga
Hi everyone,
I'm following this post
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
to configure my application to login with AD FS with SAML protocol.
My setup is an Angular 5 UI using the keycloak-js adapter. When the app
starts I launch the Keycloak.init({ onLoad: 'login-required'}) method to
make the Keycloak login page appear. Right now I'm able to log in using
email and password or by clicking the SAML SSO button and logging in through
the AD FS login page.
What do I want to do? I want Keycloak to trigger the SAML SSO before
showing the login screen; I mean, if on my PC I'm logged in with an AD FS
account, I want Keycloak to log me in directly with this account and only
take me to the login page if I'm not a member of the AD FS, so I could be
able to log in via email and password.
Regards
Fernando
6 years, 10 months