how to setup an admin user for selective realms?
by Jason Wang
Hi all,
In a multi-tenant environment (multiple organisations using one Keycloak),
I would like to set up some privileged users who can manage other users and
set up LDAP for the realm that user belongs to.
Role-based permissions would be ideal, but I have not figured out how to
associate roles with permissions. I wish there were resource-based ACL lists
to query and manage.
What's the best way to achieve this?
Many thanks
Jason
6 years, 10 months
Keycloak's database
by hmidi slim
Hi,
I didn't find any section in the official documentation talking about the
different tables contained in the Keycloak database. Is there any link that
describes the different tables and their relations with the admin
console? For example, which table contains the permissions given for a
resource, and so on.
Best Regards,
Slim.
6 years, 10 months
Mail System Error - Returned Mail
by Mail Administrator
Your message was not delivered due to the following reason(s):
Your message was not delivered because the destination computer was
unreachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message could not be delivered within 5 days:
Host 33.117.234.98 is not responding.
The following recipients did not receive this message:
<keycloak-user(a)lists.jboss.org>
Please reply to postmaster(a)lists.jboss.org
if you feel this message to be in error.
6 years, 10 months
Reset credentials flow loses context if browser cookie not present
by Jerry Saravia
NOTE: This is a potential double posting since I posted on Feb 28th and thought this might be lost since we’re in March now. Apologies in advance.
Hey all,
I ran into an issue.
Suppose I go to my keycloak instance with this url `auth/realms/myrealm/login-actions/reset-credentials?client_id=my_client_id`.
The reset email gets sent after entering my email. However, if I copy that link and open it in a separate browser session it fails to maintain the client_id used in the original request. Instead it switches to client_id = account.
I know why this happens. In LoginActionsService there is this
    @Path(RESET_CREDENTIALS_PATH)
    @GET
    public Response resetCredentialsGET(@QueryParam("code") String code,
                                        @QueryParam("execution") String execution,
                                        @QueryParam("client_id") String clientId) {
        AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);

        // we allow applications to link to reset credentials without going through OAuth or SAML handshakes
        if (authSession == null && code == null) {
            if (!realm.isResetPasswordAllowed()) {
                event.event(EventType.RESET_PASSWORD);
                event.error(Errors.NOT_ALLOWED);
                return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
            }
            authSession = createAuthenticationSessionForClient();
            return processResetCredentials(false, null, authSession, null);
        }

        event.event(EventType.RESET_PASSWORD);
        return resetCredentials(code, execution, clientId);
    }
The getCurrentAuthenticationSession method checks a cookie to get the session, which isn’t present in a fresh browser session. Afterward, `createAuthenticationSessionForClient` doesn’t use the clientId query parameter and defaults to the account client.
Is this a bug? A security issue?
I couldn’t find a bug for it in Jira. Should I create a bug and fix it? It’s not easy to overwrite this but if you have any workarounds let me know. My current approach is going to be to attempt to create a realm resource that exhibits the right behavior.
Jerry S
Jerry Saravia
Senior Software Engineer
P (516) 603-6914
virginpulse.com
globalchallenge.virginpulse.com
75 Fountain Street, Suite 310, Providence, RI 02902
Australia | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA
6 years, 10 months
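The lookup order Jerry describes, modelled in Python as an added illustration (this is not Keycloak's code and not Jerry's): a cookie-backed authentication session is used when one exists; without one and without a `code`, a fresh session is created. The "before" variant creates it for the built-in `account` client regardless of the query string, which is the context loss reported above. The "after" variant honours `client_id` only when it names an enabled client of the realm, and otherwise falls back to `account` exactly as before, so an arbitrary value in the emailed link cannot bind the session to a client that does not exist. The cookie name `AUTH_SESSION_ID`, the client ids and the realm contents are assumptions constructed for the example.

```python
"""Model of the reset-credentials session lookup described in the post.

Added illustration only; this is not Keycloak's code. The cookie name,
client ids and realm contents are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Mapping, Optional, Union

ACCOUNT_CLIENT = "account"        # Keycloak's built-in account client
AUTH_COOKIE = "AUTH_SESSION_ID"   # assumed name of the auth-session cookie
NOT_ALLOWED = "RESET_CREDENTIAL_NOT_ALLOWED"


@dataclass(frozen=True)
class AuthSession:
    client_id: str
    source: str  # "cookie" (restored from cookie) or "created" (fresh fallback)


@dataclass
class Realm:
    enabled_clients: FrozenSet[str]
    reset_password_allowed: bool = True
    # constructed: cookie value -> client_id of the live authentication session
    cookie_sessions: Dict[str, str] = field(default_factory=dict)

    def current_session(self, cookies: Mapping[str, str]) -> Optional[AuthSession]:
        """Stand-in for getCurrentAuthenticationSession: cookie or nothing."""
        client = self.cookie_sessions.get(cookies.get(AUTH_COOKIE, ""))
        return AuthSession(client, "cookie") if client else None


Result = Union[AuthSession, str, None]


def resolve_before(realm: Realm, cookies: Mapping[str, str],
                   query: Mapping[str, str]) -> Result:
    """Behaviour the post describes: the fallback session ignores client_id."""
    session = realm.current_session(cookies)
    if session is None and query.get("code") is None:
        if not realm.reset_password_allowed:
            return NOT_ALLOWED
        return AuthSession(ACCOUNT_CLIENT, "created")  # client_id dropped here
    return session  # None means: carry on with the code-based flow


def resolve_after(realm: Realm, cookies: Mapping[str, str],
                  query: Mapping[str, str]) -> Result:
    """Fallback honours client_id, but only for a known enabled client."""
    session = realm.current_session(cookies)
    if session is None and query.get("code") is None:
        if not realm.reset_password_allowed:
            return NOT_ALLOWED
        requested = query.get("client_id")
        if requested in realm.enabled_clients:
            return AuthSession(requested, "created")
        return AuthSession(ACCOUNT_CLIENT, "created")  # unknown value: old behaviour
    return session


def demo_realm() -> Realm:
    """Constructed realm: two clients, one live session bound to cookie 'c1'."""
    return Realm(frozenset({ACCOUNT_CLIENT, "my_client_id"}),
                 cookie_sessions={"c1": "my_client_id"})


if __name__ == "__main__":
    realm = demo_realm()
    fresh_browser: Dict[str, str] = {}      # no cookie: the emailed-link case
    query = {"client_id": "my_client_id"}
    print("before:", resolve_before(realm, fresh_browser, query))
    print("after: ", resolve_after(realm, fresh_browser, query))
```

Run as a script it prints the two outcomes for the same fresh-browser request: the "before" path yields a session for `account`, the "after" path keeps `my_client_id`. The validation against `enabled_clients` is the part worth keeping in any real fix: the query parameter comes from a link the user pastes, so it should select only among clients the realm already knows.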
Keycloak Client doesn't have secret available with Access Type Public
by Sachin Rastogi
Hi all,
I am using Keycloak 3.4.3 and protecting Spring based Rest service.
Below is Keycloak client configuration:
Client Protocol: openid-connect
Access Type: public
Standard Flow Enabled: ON
Implicit Flow
Direct Access Grants Enabled: ON
Authorization Enabled: OFF
Is it important to provide a secret with Access Type set to public? If yes, how
can I provide the secret, as I couldn't find any option in the Keycloak client
configuration? Please help.
2018-02-28 15:19:10.216 WARN 7813 --- [nio-8080-exec-2] a.a.ClientIdAndSecretCredentialsProvider : Client 'democlientid' doesn't have secret available
2018-02-28 15:19:10.375 ERROR 7813 --- [nio-8080-exec-2] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)
    at java.base/java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:400) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:243) ~[na:na]
    at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:225) ~[na:na]
    at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402) ~[na:na]
    at java.base/java.net.Socket.connect(Socket.java:591) ~[na:na]
    at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.5.jar!/:4.5.5]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:336) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:281) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:139) ~[keycloak-adapter-core-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:203) ~[spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:50) [spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.doAuthenticate(KeycloakAuthenticatorValve.java:57) [spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:586) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181) ~[spring-boot-container-bundle-3.4.3.Final.jar!/:3.4.3.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.27.jar!/:8.5.27]
Regards,
6 years, 10 months
Unable to load Spring Framework Libraries in Wildfly accessible to deployed JAR
by Sachin Rastogi
Hi all,
I am writing a custom Keycloak User Storage SPI, which is a JAR file. I would
like to use Spring DI in the JAR. I have added the Spring JARs as modules in
Keycloak's Wildfly server.
Also, I am not able to load the Spring context, as the Keycloak User Storage SPI is initiated
from META-INF/services "org.keycloak.storage.UserStorageProviderFactory"
and invokes the UserStorageProviderFactory.init method.
It also doesn't read the properties file inside the resources directory.
Please advise how I can make this work.
Regards,
6 years, 10 months
Poor response time for User REST API
by Cedric Vidaillac
Hi all,
I have ~4k users imported in my (postgres) database, and when I go for
GET /{realm}/users/
for max=100 (default) it takes about 20-22s to respond (60kb document).
For max=20, I still get a 4s response time, which is kinda... not ideal.
I’m not sure if those response times are normal, and if not, why is this so
slow?
I’m guessing this overhead is caused by the JSON response; I tried on the
database (>20ms). -> Is there a way to reduce the JSON data response
produced by Keycloak? I only need usernames.
I didn't find anything in the docs. I tried ?fields=username as a query param;
sadly it doesn’t work.
In case you’re wondering why I do that: I want to use an auto-complete on
my app, with usernames.
Thanks for reading.
Cédric.
6 years, 10 months
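Added example for the question above (not Cédric's code and not Keycloak's): the admin users endpoint pages with the `first` and `max` query parameters but offers no field projection, so the only place to trim the payload to usernames is the caller. The walk over pages is written against an injected `fetch_page(first, max)` callable so that it runs offline against a constructed fake; `http_fetcher` builds the real one with `urllib` and a bearer token. The base URL, realm name and token are placeholders, and the sample users are constructed.

```python
"""Page through the Keycloak admin users endpoint and keep only usernames.

Added example, not Keycloak's code. `first`/`max` are the endpoint's own
paging parameters; base URL, realm, token and sample users are assumed.
"""
import json
import urllib.request
from typing import Callable, Iterator, List, Tuple
from urllib.parse import urlencode

PageFetcher = Callable[[int, int], bytes]


def users_url(base_url: str, realm: str, first: int, max_: int) -> str:
    """Admin endpoint with explicit paging parameters.

    On Keycloak releases of that era base_url also carries the /auth context path.
    """
    return f"{base_url}/admin/realms/{realm}/users?" + urlencode({"first": first, "max": max_})


def parse_page(body: bytes) -> List[dict]:
    """A page is a JSON array of UserRepresentation objects."""
    users = json.loads(body)
    if not isinstance(users, list):
        raise ValueError("expected a JSON array of users")
    return users


def usernames_from_page(body: bytes) -> List[str]:
    """Keep only the username field; skip entries without one."""
    return [u["username"] for u in parse_page(body) if "username" in u]


def iter_usernames(fetch_page: PageFetcher, page_size: int = 100) -> Iterator[str]:
    """Walk all pages in order; a short (or empty) page signals the end."""
    first = 0
    while True:
        users = parse_page(fetch_page(first, page_size))
        for u in users:
            if "username" in u:
                yield u["username"]
        if len(users) < page_size:
            return
        first += page_size


def http_fetcher(base_url: str, realm: str, token: str) -> PageFetcher:
    """Real fetcher; the token needs the realm-management view-users role."""
    def fetch(first: int, max_: int) -> bytes:
        req = urllib.request.Request(users_url(base_url, realm, first, max_),
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    return fetch


class FakeUsersApi:
    """Constructed stand-in for the endpoint; records the pages requested."""

    def __init__(self, users: List[dict]):
        self.users = users
        self.calls: List[Tuple[int, int]] = []

    def __call__(self, first: int, max_: int) -> bytes:
        self.calls.append((first, max_))
        return json.dumps(self.users[first:first + max_]).encode()


def sample_users(n: int) -> List[dict]:
    """Constructed users shaped like a trimmed UserRepresentation."""
    return [{"id": f"id-{i}", "username": f"user{i:04d}", "enabled": True} for i in range(n)]


if __name__ == "__main__":
    api = FakeUsersApi(sample_users(250))
    names = list(iter_usernames(api, page_size=100))
    print(len(names), "usernames over", len(api.calls), "requests")
```

Because the token behind `http_fetcher` carries admin rights on the realm, this walk belongs in a backend that caches the username list and serves the auto-complete from there; handing the browser an admin token in exchange for a lighter payload would trade a performance problem for an authorization one.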
Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
by Ryan Slominski
I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared. You can create separate Firefox "profiles" to get around it:
https://bugzilla.mozilla.org/show_bug.cgi?id=117222
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Dominik Guhr" <pinguwien(a)gmail.com>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, February 28, 2018 3:21:06 PM
Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
I am not sure I understand correctly, but generally, Keycloak is browser
SSO, and being logged in in 2 browser tabs in 2 clients as different users is
something generally unsupported and can cause various kinds of issues. If
you want something like this just for development, you can maybe use
different realms?
Marek
On 28/02/18 14:30, Dominik Guhr wrote:
> Hi everyone,
>
> so I've built a custom kerberos authenticator which should, depending on
> a querystring, not automatically login. So, when I add &login=manual to
> the url, kerberos authenticator starts, checks, and stops.
> Now everything is fine when I use this authenticator under normal
> conditions, in one tab, but:
>
> - As a dev, I sometimes have different tabs with different environments
> open. e.g. https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Dlocal&d=DwICA... , https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Ddev&d=DwICAg&... - these apps are
> different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>
> Now I get logged in via kerberos in myapp-local, logout in myapp-test
> and try to login with different credentials manually in myapp-test.
> Then, the AuthenticationProcessor raises the following exception when
> doing this with kerberos login-enabled browsers (chrome, ie):
>
> =====================
> 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, ipAddress=10.242.50.137, error=different_user_authenticated, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://urldefense.proofpoint.com/v2/url?u=https-3A__myurl_m... , consent=no_consent_required, previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
> 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
>     at org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
>     at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
>     at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
>     at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>
>
> =================
> and in the browser I get an "unexpected error when handling request to
> identity provider" errormsg.
>
> When doing the same thing in firefox (no kerberos, manual login, open 2
> tabs in 2 different environments and login with different users), I get
> at least the errormsg "You are already authenticated as different user
> [name] in this session. Please logout first."
>
> So, my questions are:
> - Why is this not possible?
> - Is there anything I can do (having a custom authenticator for
> kerberos/AD and a custom userstorageprovider for applicationdb) to make
> it possible to have different users logged in in different tabs for
> different kc-clients in the same realm?
> - More specifically: Is there a possibility to use the
> AuthenticationProcessor in an SPI without having to make a custom
> keycloakbuild and remove the check in line 246/setAuthenticatedUser, or
> does this mess up the whole authentication session?
>
> Would be great to get a hint here.
>
> Thanks!
>
> Best regards,
> Dominik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
6 years, 10 months