Additional attributes for an authorization request
by Scott Elliott
Would there be any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
in a JavaScript or rules-based policy? I see that what is available in the
Evaluation API currently is pretty limited.
6 years, 7 months
UTF-8 character set support for user name and other fields / attributes
by Upananda Singha
Hi,
I am working with the Keycloak OIDC feature, and needed some clarification
regarding the character set it supports:
1. I have a requirement to use utf-8 characters (multi-byte) in the Username
field, which seems to work fine while setting the user name, and I can log in
to Keycloak.
But it seems there are other related issues while generating / encoding the
tokens.
Sometimes (for some characters) it works fine, but for some multibyte
characters it throws
{
"error": "invalid_grant",
"error_description": "Code not valid"
}
while trying to get the Tokens using the authorization code.
Can someone tell me if Keycloak actually supports the utf-8 character set in
the Username and other fields, and also in custom user attributes?
It would be of great help if anybody can share some information.
Thanks,
Upananda,
Motorola Solutions
6 years, 7 months
Re: [keycloak-user] Keycloak 4.0.0.Beta1 is out
by Stian Thorgersen
I missed one cool new feature. We also now have support for UMA 2.0
including allowing users to manage resource permissions in the account
management console.
On Thu, 22 Mar 2018, 21:04 Stian Thorgersen, <sthorger(a)redhat.com> wrote:
> I'm very pleased to announce the first release of Keycloak 4!
>
> To download the release go to the Keycloak homepage
> <http://www.keycloak.org/downloads>.
> Highlights
>
> Brand new login pages
>
> The login pages have received a brand new look. They now look much more
> modern and clean!
> Themes and Theme Resources
>
> It's now possible to hot-deploy themes to Keycloak through a regular
> provider deployment. We've also added support for theme resources. Theme
> resources allows adding additional templates and resources without creating
> a theme. Perfect for custom authenticators that require additional pages
> added to the authentication flow.
>
> We've also added support to override the theme for specific clients. If
> that doesn't cover your needs, then there's a new Theme Selector SPI that
> allows you to implement custom logic to select the theme.
> Native promise support to keycloak.js
>
> The JavaScript adapter now supports native promises. Of course it still
> has support for the old style promises as well. Both can be used
> interchangeably.
> Edit links in documentation
>
> To make it easier to contribute changes to the documentation we have added
> links to all sections of the documentation. This brings you straight to the
> GitHub editor for the relevant AsciiDoctor file. There's also a quick link
> to report an issue on a specific page that will include the relevant page
> in the description.
> HTTPS support on keycloak.org
>
> Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on
> keycloak.org. About time?
> Loads more..
>
> The full list of resolved issues is available in JIRA
> <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>.
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade
> guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
> anything that may have changed.
>
>
6 years, 8 months
Limiting user registrations to closed set
by Łukasz Dywicki
Hi all,
I have a case which is quite simple in terms of logic: I have an existing
database of users with attributes such as first and last name, as well as
email. I am missing the username and password, or just the password if I
decide to use the email as the login. I would like to use the attributes I
know for validation of new user registrations.
Any registration attempt with an unknown email, first and last name should be
denied.
Sadly, due to the necessity of hosting user self-registration in a mobile app,
I had to move it outside of Keycloak. This means I use a small utility to
create accounts using the admin API.
I've tried to use UserStorageProvider, but this SPI is not permitted to
"deny" user registration. When I try to add a new user, it goes in even if
there is no matching combination of attributes. Which SPI is valid for
my use case?
Kind regards,
Lukasz
6 years, 8 months
"HTTPS Required"
by Lahari Guntha
Hi All,
I am using Keycloak version 3.3.0.CR2.
I have launched Keycloak as a container in a VM.
Whenever I try to access the "http" port of Keycloak, it shows "HTTPS REQUIRED".
Even setting "Require SSL" to "none" under the Login tab of "Realm Settings" did not help.
Is there any other solution we have to get this problem solved?
Thanks & Regards,
Lahari G
6 years, 8 months
Could not obtain configuration from server
by Filip Kozjak
Hi everyone,
I am having troubles obtaining access token for my Java EE REST service
from Keycloak.
I have started Keycloak server at http://localhost, and I can access the
admin console at http://localhost:8081/auth/admin/master/console/#/realms/demo.
Next, I created a new realm "demo" and registered my REST service there.
I've copied the generated keycloak.json to the WEB-INF of my service and
added what was needed to web.xml. This successfully protected my endpoint.
My REST service is up and running on http://localhost:8080/.
However, now I want to set up a client that would be authorized to access
the protected endpoint. The client is running at http://localhost:9080.
Again, it's a Java EE REST service that talks to the protected service. I
registered it as OAuth Client in the admin console and again copied the
keycloak.json to the resources of my app. I am trying to obtain the access
token like this:
AuthzClient authzClient = AuthzClient.create();
AccessTokenResponse tokenResponse = authzClient.obtainAccessToken();
This results in the following error:
java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
    at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:92)
    at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
    at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
    at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
    ... 16 more
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
I posted a question about it on StackOverflow too:
https://stackoverflow.com/questions/49534589/404-not-found-while-requesti...
Is there something I am missing?
6 years, 9 months
delete all users
by Matthew Broadhead
Is there a way to flush all of the users from a realm during testing?
6 years, 9 months
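As an added example (not code from the thread or from Keycloak), one way to do this through the Admin REST API: list the realm's users page by page and delete each one, with guard rails so the routine can only ever run against a realm you have named. The `/auth` prefix follows the URL layout seen elsewhere in this digest; the HTTP transport is injectable, and the `FakeKeycloak` class is a constructed stand-in so the block runs offline.

```python
"""Delete every user of a Keycloak realm through the Admin REST API, the way
a test fixture would reset state. Added example, not code from the thread or
from Keycloak. Assumes the Keycloak 3.x/4.x URL layout seen in this digest
(/auth prefix) and these documented admin endpoints:
  GET    {base}/auth/admin/realms/{realm}/users?first=N&max=M
  DELETE {base}/auth/admin/realms/{realm}/users/{id}
The HTTP transport is injectable so the logic runs offline against a fake."""
import json
import urllib.error
import urllib.parse
import urllib.request

PAGE_SIZE = 100


def http_request(method, url, token):
    """Real transport: returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def purge_realm_users(base_url, realm, token, http=http_request, allowed_realms=("demo",)):
    """Delete all users of `realm`; returns the deleted user ids in order.

    Guard rails: never touch `master` (the admin accounts live there) and only
    act on realms explicitly named in `allowed_realms`, so a misconfigured
    test run cannot wipe a production realm.
    """
    if realm == "master" or realm not in allowed_realms:
        raise ValueError(f"refusing to purge users of realm {realm!r}")
    users_url = f"{base_url}/auth/admin/realms/{urllib.parse.quote(realm)}/users"
    deleted = []
    while True:
        # Always re-read from offset 0: every DELETE shifts the remaining rows down,
        # so walking `first` forward would skip users.
        status, page = http("GET", f"{users_url}?first=0&max={PAGE_SIZE}", token)
        if status != 200:
            raise RuntimeError(f"listing users failed with HTTP {status}")
        if not page:
            return deleted
        for user in page:
            uid = user["id"]
            if uid in deleted:   # server keeps returning a "deleted" user: stop looping
                raise RuntimeError(f"user {uid} reappeared after deletion")
            status, _ = http("DELETE", f"{users_url}/{urllib.parse.quote(uid)}", token)
            if status not in (200, 204):
                raise RuntimeError(f"deleting user {uid} failed with HTTP {status}")
            deleted.append(uid)


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin API (offline runs only)."""

    def __init__(self, user_ids):
        self.users = list(user_ids)
        self.calls = 0

    def __call__(self, method, url, token):
        self.calls += 1
        if token != "test-token":
            return 401, None
        path, _, query = url.partition("?")
        if method == "GET" and path.endswith("/users"):
            params = urllib.parse.parse_qs(query)
            first = int(params.get("first", ["0"])[0])
            maximum = int(params.get("max", ["100"])[0])
            return 200, [{"id": u} for u in self.users[first:first + maximum]]
        if method == "DELETE":
            uid = urllib.parse.unquote(path.rsplit("/", 1)[1])
            if uid in self.users:
                self.users.remove(uid)
                return 204, None
            return 404, None
        return 404, None


if __name__ == "__main__":
    fake = FakeKeycloak(f"user-{i}" for i in range(250))
    gone = purge_realm_users("http://localhost:8081", "demo", "test-token", http=fake)
    print(f"deleted {len(gone)} users in {fake.calls} requests; left: {len(fake.users)}")
```

An admin bearer token with rights on the target realm has to be obtained first (for instance through the admin-cli client); nothing here handles that. Re-reading from offset 0 after each batch matters: advancing `first` while deleting would skip every other page, and the reappearance check turns a server that silently ignores deletes into an error instead of an endless loop.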
Forwarding header fields in the Keycloak Proxy
by David Moeyersons
Hi,
The following page: http://www.keycloak.org/docs/3.4/server_installation/index.html#header-na... talks about forwarding header fields to a proxied server using a Keycloak Proxy, but the process on how to forward these fields is described nowhere.
Also, the example doesn't contain valid JSON:
{
"header-names" {
"keycloak-subject": "MY_SUBJECT"
}
}
When I add a colon after "header-names" the Keycloak Proxy seems to accept the statement, but no header fields are forwarded to my end server. (except for the realm - WWW-Authenticate: Basic realm="TestRealm")
Is the part about forwarding header fields in the Keycloak Proxy documented somewhere? I don't seem to find anything about it.
Kind regards,
David Moeyersons
6 years, 9 months
Client vs resource
by Daya Gnanasekaran
I'm planning to use Keycloak to secure our product and I have doubts around
defining clients and resources.
Our product consists of 4 major components, let's say A, B, C, D, and each
component has a set of APIs. Component A interacts with B and C. Component
B interacts with C. There can be multiple instances of C connected to B and
there can be multiple instances of D connected to C. The users in an
organization can have various roles like admin or read-only user on each
component. A user who is an admin for component A can be a read-only user in
component B, and the same applies for various instances of C.
Now I'm stuck at whether to create multiple clients, one per component, or
create one client and make each of these components a resource.
Your thoughts?
Daya
6 years, 9 months
Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
by Schenk, Manfred
Hello Luis,
Your approach will not work for me: in my setup there is no predefined set of secure and unsecured URLs; there are many URLs which can be accessed without any login and also with login, but the content which is displayed when accessing these URLs depends on whether the user is authenticated or not.
That's the reason why all those filters and valves will not work for me.
My idea is as follows:
When a request comes in, I will check if it contains some token. If yes, the system should try to identify the user using Keycloak; otherwise the username is set to anonymous.
In the next step the system checks if the user has sufficient rights for viewing/editing/deleting the entity identified by the requested URL. If the rights are sufficient (even with the anonymous user), all is well; otherwise the system will redirect to the Keycloak server to obtain such a token as mentioned above.
But I haven't found any detailed documentation on that use case.
Regards,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
From: Luis Rodríguez Fernández <uo67113(a)gmail.com>
Sent: Thursday, 29 March 2018 15:13
To: Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de>
Subject: Re: [keycloak-user] Securing tomcat-based web applications without using container-security(i.e. without using filters, constraints and valves)?
Hello Schenk,
If your Identity Provider "speaks" SAML, you can give a try to http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet.... I am testing it for some of our tomcat-based applications and it works out-of-the-box (BTW thanks keycloak folks!).
My deployment descriptor (web.xml) looks like this:
<filter>
  <filter-name>Keycloak Filter</filter-name>
  <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
  <init-param>
    <param-name>keycloak.config.file</param-name>
    <param-value>/usr/local/tomcat/keycloak-saml-servlet-adapter.xml</param-value>
  </init-param>
</filter>
<!-- From the docs: "You must have a filter mapping that covers /saml." -->
<filter-mapping>
  <filter-name>Keycloak Filter</filter-name>
  <url-pattern>/saml</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Keycloak Filter</filter-name>
  <url-pattern>/secure/*</url-pattern>
</filter-mapping>
In this way, just playing with the url-patterns of my resources I can make them private or public. E.g.
<servlet-mapping>
  <servlet-name>SessionExampleServlet</servlet-name>
  <url-pattern>/SessionExample</url-pattern>
  <url-pattern>/secure/SessionExample</url-pattern>
</servlet-mapping>
Hope it helps,
Luis
2018-03-29 14:38 GMT+02:00 Schenk, Manfred <Manfred.Schenk(a)iosb.fraunhofer.de>:
Hello,
I want to use Keycloak for user authentication in my tomcat based web application.
But since the web application should also be accessible without any login, I think I will not be able to use the container-based security and will have to handle the Keycloak communication myself from within my web application.
Are there any tutorials or recommendations around for my use case?
Which (keycloak-)jars do I need for this task?
Thanks in advance,
Manfred
--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1,76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk@iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 9 months
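The flow Manfred describes (check for a token, resolve the user through it or fall back to anonymous, check the rights on the requested entity, and redirect to Keycloak only when they are insufficient), as an added example that is not code from the thread or from Keycloak. It is stand-alone Python rather than a Tomcat filter; the realm, client id, redirect URI, ACL and the HS256 signing key are constructed assumptions, whereas a real realm issues RS256 tokens that would be verified with the realm's public key.

```python
"""Optional authentication as sketched in the thread: verify a token if one is
present, otherwise the caller is anonymous; then decide per entity whether to
serve, redirect to Keycloak for login, or reject. Added example, not code from
the thread or from Keycloak. Assumption: HS256 tokens keep this standard-library
only (a real realm signs RS256, verified with the realm public key); realm,
client id, redirect URI and ACL are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

KEYCLOAK_BASE = "http://localhost:8081/auth"   # assumption
REALM, CLIENT_ID = "demo", "tomcat-app"         # assumptions
REDIRECT_URI = "https://app.example/callback"   # assumption
ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"      # shape of Keycloak's iss claim

# Constructed ACL: path -> action -> roles allowed; "anonymous" means everyone.
ACL = {
    "/article/42": {"view": {"anonymous"}, "edit": {"editor"}, "delete": {"admin"}},
    "/draft/7": {"view": {"editor", "admin"}, "edit": {"editor"}, "delete": {"admin"}},
}
METHOD_ACTION = {"GET": "view", "PUT": "edit", "POST": "edit", "DELETE": "delete"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_token(token, key, now=None):
    """Claims of a valid token; None if expired or from another issuer.
    Raises ValueError for malformed or wrongly signed tokens (treated as hostile)."""
    try:
        h, p, sig = token.split(".")
        header, claims = json.loads(_unb64url(h)), json.loads(_unb64url(p))
    except ValueError as exc:                    # wrong part count, bad base64/JSON
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg or shape")  # never let the token pick 'none'
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None                               # stale or foreign: force re-login
    return claims

def resolve_principal(headers, key, now=None):
    """(name, roles) for the request; no usable token means anonymous."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "anonymous", {"anonymous"}
    claims = verify_token(auth[len("Bearer "):], key, now)
    if claims is None:
        return "anonymous", {"anonymous"}
    roles = set(claims.get("realm_access", {}).get("roles", []))  # Keycloak claim layout
    return claims.get("preferred_username", claims.get("sub")), roles | {"anonymous"}

def login_redirect():
    """Authorization Code request to Keycloak; caller keeps `state` in the session."""
    state = secrets.token_urlsafe(16)
    query = urllib.parse.urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                    "scope": "openid", "redirect_uri": REDIRECT_URI,
                                    "state": state})
    return f"{ISSUER}/protocol/openid-connect/auth?{query}", state

def handle_request(method, path, headers, key, now=None):
    """Decision dict: 200 serve, 302 redirect to login, 401/403/404 reject."""
    try:
        name, roles = resolve_principal(headers, key, now)
    except ValueError as exc:
        return {"status": 401, "reason": str(exc)}
    rules, action = ACL.get(path), METHOD_ACTION.get(method)
    if rules is None or action is None:
        return {"status": 404}
    if rules[action] & roles:
        return {"status": 200, "principal": name}
    if name == "anonymous":                       # not logged in: send to Keycloak
        location, state = login_redirect()
        return {"status": 302, "location": location, "state": state}
    return {"status": 403, "principal": name}    # logged in, but lacks the role

def make_token(key, **claims):
    """Mint an HS256 token for offline runs (constructed test data only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{head}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

if __name__ == "__main__":
    key, now = b"constructed-shared-secret", 1_700_000_000
    editor = make_token(key, iss=ISSUER, sub="u1", preferred_username="alice",
                        exp=now + 300, realm_access={"roles": ["editor"]})
    for req in (("GET", "/article/42", {}), ("PUT", "/article/42", {}),
                ("PUT", "/article/42", {"Authorization": "Bearer " + editor})):
        print(req[0], req[1], handle_request(*req, key, now))
```

Two design points worth keeping when this is ported into a filter: a token that fails the signature or shape checks is answered with 401 rather than downgraded to anonymous, so tampering is visible in the logs instead of looking like a logged-out visit, while an expired token is the routine case and simply triggers the login redirect; and the `state` returned alongside the 302 has to be stored server-side and matched on the callback before the authorization code is exchanged.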