Poor/buggy TypeScript adapter implementation
by Marcel Német
At the moment, there are multiple projects on GitHub which try to bring
advanced Keycloak functionality into angular 2+ projects.
There are projects which are based on the official keycloak javascript
adapter (these projects copy files from or import the official javascript
adapter), for example:
https://github.com/ssilvert/keycloak-schematic (works with angular 2+)
and
https://github.com/mauriciovigolo/keycloak-angular (works with angular 4.3+
and provides the implementation for the great HttpInterceptor (angular
4.3+) in order to add bearer tokens to HTTP requests)
Both of these projects are missing the implementation of Authorization
flow, and it is not easy to implement this when one tries to use the
official Keycloak javascript adapter with TypeScript. For example,
KeycloakAuthorization returns undefined when constructed and does not
return an observable after executing an async HTTP request to
/.well-known/uma-configuration.
There is another project:
https://github.com/ebondu/angular2-keycloak
which is not using the official keycloak javascript adapter. Instead, the
authors have rewritten the code from official JS adapter into TypeScript.
It seems to address issues which I was not able to solve with the official
javascript adapter. For example, it notifies the initialization of
Authorization object (see
https://github.com/ebondu/angular2-keycloak/blob/b8dd423fefc98305ac2f2f9e...
).
But this project is not updated as often as the official javascript
adapter. For example, it does not support uma2 which is coming with 4.0.0.
I believe it would be good to invest some effort into making the basic
keycloak javascript adapter work well with angular/typescript. There is
clearly interest in building good libraries, but these have to be based on
a working, official and updated basic adapter. One option would be to pull
the code from https://github.com/ebondu/angular2-keycloak. Or endorse some
working implementation for TypeScript.
issue: https://issues.jboss.org/browse/KEYCLOAK-7021
Best regards
--
Marcel Német
marcel.nemet(a)gmail.com
6 years
reset password not working
by Oscar Cadena
Hi.
At the moment I'm trying Keycloak, but I'm unable to make the update password function work through the REST API.
What I'm doing is the following.
PUT
http://localhost:8080/auth/admin/realms/demo/users/94e2a91a-17bd-4133-b0f...
HEADERS
Content-Type
application/json
Authorization
bearer [access token omitted]
(I'm using the access token here.)
And the body
["UPDATE_PASSWORD"]
But I'm always getting a 403 Forbidden response. I don't know why.
Any help related would be appreciated.
Best regards.
Oscar.
6 years
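One way to triage a 403 like the one in the post above is to decode the bearer token's claims and check whether it carries an admin role at all. This is an added example, not code from the post or from the Keycloak project; it assumes user-management calls on the admin REST API are authorized by the `manage-users` role of the built-in `realm-management` client, and every token and claim value in it is constructed.

```python
import base64
import json

# Assumption: user-management calls on the Keycloak admin REST API are
# authorized by the "manage-users" role of the built-in "realm-management" client.
ADMIN_CLIENT = "realm-management"
REQUIRED_ROLE = "manage-users"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims without verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def can_manage_users(token):
    """True if the token carries the client role needed for user admin calls."""
    access = jwt_claims(token).get("resource_access", {})
    return REQUIRED_ROLE in access.get(ADMIN_CLIENT, {}).get("roles", [])


def make_sample_token(claims):
    """Build a constructed token with a placeholder signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])


# Constructed sample claims: an ordinary end-user token and an admin-capable one.
END_USER = make_sample_token({
    "preferred_username": "sample-user",
    "realm_access": {"roles": ["uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
})
ADMIN = make_sample_token({
    "preferred_username": "sample-admin",
    "resource_access": {"realm-management": {"roles": ["manage-users"]}},
})

if __name__ == "__main__":
    for name, tok in (("end user", END_USER), ("admin", ADMIN)):
        print(name, "-> can manage users:", can_manage_users(tok))
```

The decode step skips signature verification, so it is suitable for inspecting a token during troubleshooting, not for making an authorization decision.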
Re: [keycloak-user] Keycloak 4.0.0.Beta1 is out
by Stian Thorgersen
I missed one cool new feature. We also now have support for UMA 2.0
including allowing users to manage resource permissions in the account
management console.
On Thu, 22 Mar 2018, 21:04 Stian Thorgersen, <sthorger(a)redhat.com> wrote:
> I'm very pleased to announce the first release of Keycloak 4!
>
> To download the release go to the Keycloak homepage
> <http://www.keycloak.org/downloads>.
> Highlights
>
> Brand new login pages
>
> The login pages have received a brand new look. They now look much more
> modern and clean!
> Themes and Theme Resources
>
> It's now possible to hot-deploy themes to Keycloak through a regular
> provider deployment. We've also added support for theme resources. Theme
> resources allow adding additional templates and resources without creating
> a theme. Perfect for custom authenticators that require additional pages
> added to the authentication flow.
>
> We've also added support to override the theme for specific clients. If
> that doesn't cover your needs, then there's a new Theme Selector SPI that
> allows you to implement custom logic to select the theme.
> Native promise support to keycloak.js
>
> The JavaScript adapter now supports native promises. Of course it still
> has support for the old style promises as well. Both can be used
> interchangeably.
> Edit links in documentation
>
> To make it easier to contribute changes to the documentation we have added
> links to all sections of the documentation. This brings you straight to the
> GitHub editor for the relevant AsciiDoctor file. There's also a quick link
> to report an issue on a specific page that will include the relevant page
> in the description.
> HTTPS support on keycloak.org
>
> Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on
> keycloak.org. About time?
> Loads more..
>
> The full list of resolved issues is available in JIRA
> <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
> .
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade
> guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
> anything that may have changed.
>
>
6 years
Keycloak X GLPI
by Elie Ferron
Hello all,
I wanted to know if anyone had already linked keycloak with GLPI for the SSO part.
Regards,
6 years
Spring Security Adapter working but no Principal
by Marc Logemann
Hi,
I have a weird thing going on. My Keycloak Spring Security adapter
works as expected. But I am unable to retrieve the principal. I am
requesting a REST service with a valid Bearer Token. In the REST
controller I want to see the principal via:
Principal userPrincipal = request.getUserPrincipal();
or
Authentication authentication =
SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();
But everything is null. Funny thing is, the Keycloak Filter sets the
Authentication correctly but at the end, in my controller, it's not
there anymore.
Here is my filter list:
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
KeycloakPreAuthActionsFilter
LogoutFilter
KeycloakAuthenticationProcessingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
Has anyone experienced something like this or has an idea?
Thanks
Marc
6 years
Limiting user registrations to closed set
by Łukasz Dywicki
Hi all,
I have a case which is quite simple in terms of logic - I have an existing
database of users with attributes such as first and last name, as well as
email. I miss username and password or just password if I decide to use
email as login. I would like to use the attributes I know for validation of
new user registrations.
Any registration attempt with an unknown email, first and last name should be denied.
Sadly, due to the necessity to host user self-registration in a mobile app, I
had to move it outside of Keycloak. This means I use a small utility to
create accounts using the admin API.
I've tried to use UserStorageProvider, but this SPI is not permitted to
"deny" user registration. When I try to add a new user, it goes in even if
there is no matching combination of attributes. Which SPI is valid for
my use case?
Kind regards,
Lukasz
6 years
How to use keycloak-admin-client in the browser
by moritz.becker@gmx.at
Hi,
I want to use keycloak-admin-client in a JavaScript client to allow the user
to manage Keycloak resources.
However, keycloak-admin-client depends on keycloak-request-token which uses
ES6 arrow functions in its distribution.
So I wonder what the correct way is to use this in the browser?
Thanks
6 years
"Verify email" on custom User Federation failed
by Sachin Rastogi
Hi all,
We are using custom User Federation for our user store which is a database.
Users are successfully able to authenticate against the custom User Federation.
Everything is working fine as expected.
Now, we want to "Verify email" on user's first login and also generate
initial magic link email to user.
After we enabled "Verify email" in the realm and under Required Actions of
Browser Authentication Flow, we are getting the following exception.
08:51:00,649 WARN [org.keycloak.services] (default task-36) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException: user is read only for this update
    at org.keycloak.storage.adapter.AbstractUserAdapter.addRequiredAction(AbstractUserAdapter.java:82)
    at org.keycloak.authentication.requiredactions.VerifyEmail.evaluateTriggers(VerifyEmail.java:53)
    at org.keycloak.services.managers.AuthenticationManager.evaluateRequiredActionTriggers(AuthenticationManager.java:1039)
    at org.keycloak.services.managers.AuthenticationManager.nextRequiredAction(AuthenticationManager.java:812)
    at org.keycloak.authentication.AuthenticationProcessor.nextRequiredAction(AuthenticationProcessor.java:956)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:944)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:821)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:284)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:255)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:251)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:311)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Please advise how I can fix this.
Regards,
6 years