Hardcoded Group IdP mapper
by John Kalantzis
Hello,
I have a use case for which I need to add users created during the broker
login flow to a group depending on their IdP. So similar to the Hardcoded
Role mapper but with a group.
I know this is possible with a custom mapper, which is what I will fall back
on, but, to save myself some trouble, can anyone think of another way to do
it?
I know there is a script authenticator but there isn't a lot of
documentation about it, so I'm not sure if I can add it there somehow?
6 years, 9 months
Mod_auth_openidc vs keycloak proxy
by abhishek raghav
Hi
I have been using mod_auth_openidc for a while and it's kind of a cool
solution for header-based authentication for some legacy systems.
But I am sort of doubtful about the use cases I am building around and the
nature of the setup we have.
I have sort of different components which maintain their own sessions but
all linking via Keycloak as IdP.
A few months back I heard about the new-generation Keycloak proxy plan in
the same mailing chain. It was very cool and since it is going to be
supported and inbuilt in Keycloak, I was excited to see it in action. But
since then I never saw any updates around that.
Does the Keycloak team have any near-future plans to implement this cool new
version of the Keycloak proxy?
I am really looking forward to having that as that would be a big add to
support legacy systems which do not support oidc or saml.
Thanks Abhishek
6 years, 9 months
Mapping a user attribute to a custom claim
by Paolo Tedesco
Hi all,
I've configured Google and GitHub as Identity Providers.
I would like to have one of the user attributes, the email, mapped to a custom claim called "userPrincipalName".
I tried creating an Attribute Importer mapper, with
Social Profile JSON Field Path = emailaddress
User Attribute Name = userPrincipalName
but this does not seem to work.
Is there a way to log the JSON token obtained from the identity provider, so that I can have an idea of what should go in the "Social Profile JSON Field Path" field?
Thanks,
Paolo
6 years, 9 months
Identity brokering - invalid request issue
by Yuriy Yunikov
Hello,
I'm using identity brokering
<http://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker>
with Identity Provider Redirector for browser sessions, so as far as I
understand it works this way (simplified):
1) User accesses the application page;
2) It gets redirected to KeyCloak;
3) KeyCloak redirects to IDP login page;
4) User performs login, IDP redirects to KeyCloak;
5) KeyCloak grants a token;
Sometimes during this flow, users get "Invalid Request" error page.
Here are the logs:
2018-03-16 09:19:48,125 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-1) Invalid request. Authorization code, clientId or tabId was null. Code=Ut8RrxKbNTPrAFcgxOEjx-r0n2-mUQW7, clientId=null, tabID=null
2018-03-16 09:19:48,129 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=test, clientId=null, userId=null, ipAddress=182.190.32.17, error=invalidRequestMessage
2018-03-16 09:19:48,130 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage
Here is a line of code where it happens:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
The way I'm aware this can be reproduced is by accessing the IDP login page
directly; this way steps 1 and 2 are skipped and the IDP doesn't know for
which client to grant a token, so clientId is null.
However, there were cases when users were accessing the application page and
all redirect flows happened as they should have. I know that this occurred
after 1-2 days of inactivity in the browser, but I don't know how to
reproduce it.
Are there any ideas or suggestions on how this "Invalid Request" problem can
be resolved?
Regards,
Yuriy
6 years, 9 months
A question on how to connect two keycloak servers
by Matthew Beliveau
Hello,
I have five VMs running, one with an Apache-protected app connected to a Keycloak server (Keycloak A) through mod_auth_mellon. This Keycloak server is connected to an IPA server (IPA A). I also have another Keycloak server (Keycloak B) connected to another IPA server (IPA B). What I want to happen is, when I log in to the Apache app, I want the first Keycloak server (A) to connect to the second Keycloak server (B) and obtain the user's info on the IPA server (B). Then I want the user's info to be updated on the first IPA server (A), and if the user doesn't exist then I want the user to be made. I want to know if that is possible to do right now, and if it isn't, how I should go about achieving my goal. I also want to know if it involves writing a plug-in, and where in the Keycloak or IPA code I should look.
Any help would be gratefully appreciated, and sorry if this is the wrong place to ask this question.
Thank you,
Matthew Beliveau
6 years, 9 months
Redirect to Keycloak without Adapter Error
by Bruno Palermo
Hi,
Currently I'm using the JavaScript adapter to create the registration URL,
but we are facing some issues with Googlebot regarding the site redirection.
I tried to create the registration page URL manually:
https://localhost:8080/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=<client-id>&redirect_uri=<redirect-uri>&state=<random-uuid>&nonce=<random-uuid>&response_mode=fragment&response_type=code&scope=openid
Unfortunately, when the user clicks on the link, sometimes an error happens:
"Page has expired. To restart the login process. To continue the login
process".
Is it possible to redirect to the registration page without using the
Keycloak adapter?
Thanks,
Bruno
6 years, 9 months
"You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
by Jordan Keith
We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:
1). Log into application.
2). Close browser tab containing application.
3). Wait 15 minutes (SSO idle + 2 minute grace period)
4). Open application again. You'll be directed to the login page by keycloak.
5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."
Why do I receive this error even when I attempt to log in immediately after opening the login page?
6 years, 9 months
How does OKTA compare to KEYCLOAK
by Soumya Mishra
Hello All,
Okta seems to have a better UI than Keycloak but mostly seems to do a lot
of similar things. If anyone has already compared both systems, could you
please let me know what the differences and advantages are?
Any links, blogs or text will be appreciated.
Regards,
Soumya
6 years, 9 months
Jetty needs restart after policy changed on Keycloak
by Nhut Thai Le
Hello,
I have a few applications that are running on Jetty; they are configured to
be protected by Keycloak with authorization enabled. While running some
tests which require dropping the realm and recreating it (programmatically),
I observed that if I don't restart Jetty after recreating the
realm/clients/policy/permission, etc., then I always get forbidden (403) when
I try to access the protected app. Restarting Jetty solves this problem. Is
this normal behavior? If not, how can I fix this?
Thank you
Thai
6 years, 9 months