Upgrading Keycloak and Infinispan conflict
by Federico Navarro Polo - Info.nl
Hi,
We are upgrading our Keycloak environment to the latest stable version, and we've found a problem with Infinispan. Our setup is standalone-ha with a distributed cache.
Apparently there were breaking changes when going from Keycloak 3.1.0 to 3.2.0, since some classes and enums were removed from the codebase. Those entities are still cached by Infinispan, so after upgrading Keycloak we get, on restart, a large number of ClassNotFoundException or IllegalArgumentException errors due to these changes.
Is there any way to cleanly transition without clearing the caches?
Kind regards,
Federico Navarro
backend developer
federico(a)info.nl | info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
5 years, 12 months
Send information about the authenticator type into the OpenID Connect token
by Daicy Duarte
Hi,
I need to send, inside the OpenID Connect token, information about the authenticator type that the user used to log in.
I have seen that under Clients -> Mappers it is possible to add fields that you want to send inside the OpenID Connect token, but not the authenticator type that was used, for example the custom authenticator "secret-question".
Best regards,
---
Daicy
5 years, 12 months
Identity Provider / First Broker Login Flow Hooks
by Andreas Taube
Hey together,
I would like to integrate with an external Identity Provider and I wonder
about the best way to hook into this process. As soon as the external IP
authorizes the user with a valid token I would like to do some internal
setup calls and link metadata to the user (attributes) being created by
Keycloak.
I know it is possible to extend Keycloak with custom IdentityProviderMapper
extensions, but I would like to check whether they are also meant to execute
async HTTP requests. If not, are there any other options better suited for
this use case?
Thanks for any feedback
5 years, 12 months
Keycloak LDAP federation (FreeIPA) and expired passwords
by Ryan King
Hello,
We're trying to use Keycloak as the main portal for users (to access
services + manage their accounts) - but I've been struggling to come up
with the best solution for handling expired passwords (for federated users
- FreeIPA LDAP). We are using Keycloak (3.4.3).
As far as I am aware, expired passwords are currently only handled
correctly with Active Directory (using the msad-user-account-control
mapper). It looks like someone was interested in implementing for other
LDAP providers, but didn't:
https://issues.jboss.org/browse/KEYCLOAK-4052
I've also tried configuring keycloak to use Kerberos password
authentication (LDAP + Kerberos integration..) - but that still didn't seem
to detect the expired password (even though from a console, kinit prompts
the user to change their password).
So, currently I have put in a workaround by:
1. Under the realm Authentication - Required Actions - setting "Update
Password" to default (so "new" users - i.e. those who are given a temp
password - are prompted to set a new password... Keycloak has been given
access to set non-expired passwords on our FreeIPA servers)
2. Setting a password policy on the realm - 90 days expiry (matches that of the
FreeIPA password policy).
Some issues with this are - if the user sets their password via FreeIPA
directly (kpasswd, ldap, etc) - then keycloak won't know about the new
expiry - hence, the user may have to set their password again on Keycloak
sooner than they would expect.
So, my questions are:
1. Is there a better way to handle this? We'd just like to avoid sending
our users around to different places (i.e. to the FreeIPA UI) to work around
an expired password, and we'd like to make sure it's clear _when_ their
password has expired... to the best of our ability.
2. I'm also not 100% certain if this Keycloak password policy is actually
implemented on federated ldap users? Does anyone know? I came across a
few issues that discussed implementing it - but so far haven't come up with
anything conclusive (I'm setting the password expiry to 1 day now to test
it out). I checked a dump of the database, and could not see anything that
looked like a timestamp or anything (to indicate a 90 day expiry) for a
user who just changed their password in Keycloak... so, I'm not sure how
that's tracked? (if I could find it in the DB, I was thinking of another
dirty hack to sync the password expiry from freeipa -> keycloak via a hook
if someone does update their account in freeipa).
Thanks,
Ryan
5 years, 12 months
SAML client + google IDP
by Pulkit Srivastava
Is it possible to authenticate a SAML client in Keycloak using Google as the
identity provider?
My scenario is :
a SAML application would be redirected to keycloak and then to google for
authentication. After authentication user should be redirected back to the
application.
Thanks,
Pulkit
5 years, 12 months
Bulk user imports
by Chris Latta
Hi,
We are in the process of upgrading from 2.5.5 to 4.0.0 and have had to
switch from MongoDB to MySQL. We have been able to export our user base but
with 280k+ users to import back into Keycloak this is proving troublesome.
The import process takes 25 minutes to import one file of 500 users, which
doesn't really seem practical, as that would take us approximately 9 to 10 days
to import the user base if we were working 24/7.
Any thoughts or ideas would be appreciated.
Kind Regards
Chris Latta
Dev Ops Engineer
Email: chris.latta(a)dovetailgames.com
Website: www.dovetailgames.com
5 years, 12 months
Custom Reset Actions for Users
by Min Han Lee
Hello Marek, and everyone,
I wondered if it is possible to customize the actions offered under Reset Actions in the
user's Credentials section?
Appreciate any available pointer.
Kind Regards
Neo Lee
5 years, 12 months
Configure granted consents to not persistent
by CS CHONG
Hi,
Are we able to force the user to confirm consent after every login?
In other words, the user would need to confirm consent for a particular client every time they log in.
I understand that Keycloak introduced "Persistent grants" in release 1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>, so that a user doesn't need to confirm consent for a particular client more than once.
I couldn't find any similar solutions in the KC documentation or the KC forum. I would greatly appreciate it if you could kindly give me some hints.
Regards,
CS
5 years, 12 months
Re: [keycloak-user] Required User Actions - Update Profile
by Min Han Lee
Hello Marek,
Thanks for this.
I was trying to add more fields under this screen - Update user profile for
new user first login.
I've tried to edit account.ftl, but it only works for the Account
dashboard, which is under <server-root>/auth/realms/{realm-name}/account.
Kind Regards
Neo Lee
On Mon, May 21, 2018 at 12:25 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
> Hi Neo Lee,
>
> could you please rather send your question to keycloak-user mailing list,
> so more people can chime in? And add more details? From the descriptions of
> your question, I am not sure what are you talking about. Also the
> screenshot doesn't contain much info.
>
> Regards,
> Marek
>
>
> On 21/05/18 08:57, Min Han Lee wrote:
>
> Hello Marek,
>
> I hope you're well.
>
> I'm wondering if it is possible to add more attributes to the "Update Profile"
> for the user's first login?
>
>
>
> Kind Regards
> Neo Lee
5 years, 12 months
Fetch QR Code - OTP REST API
by Ankur Singhal
Hi All,
I have my own login page and wish to integrate it with the Keycloak OTP
functionality.
I am looking for REST APIs for the flows below.
1.) User enters username/password and logs in.
2.) If the *CONFIGURE_OTP* action is configured, the REST API returns a QR
code (image/secret).
3.) User scans it and submits the OTP.
4.) Subsequent logins just return a prompt to enter the OTP if no action is configured.
Thanks
Ankur
5 years, 12 months
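Ankur's flow hinges on what the CONFIGURE_OTP step actually hands the user: an otpauth:// URI (rendered as the QR code) carrying a base32 secret, followed by server-side verification of the code the user types back. The block below is an added example, not Keycloak's code and not part of the original thread. It implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python, builds the otpauth URI an enrolment page would encode as a QR code, and verifies a submitted code with a small clock-skew window. It assumes the parameters of Keycloak's default OTP policy (TOTP, HMAC-SHA1, 6 digits, 30-second period); the issuer and account names in the usage section are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Assumed defaults: chosen to match Keycloak's default OTP policy
# (TOTP, HMAC-SHA1, 6 digits, 30-second period).
DEFAULT_ALGORITHM = "sha1"
DEFAULT_DIGITS = 6
DEFAULT_PERIOD = 30


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS,
         algorithm: str = DEFAULT_ALGORITHM) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation keyed on the low nibble of the last MAC byte, then reduce
    modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, period: int = DEFAULT_PERIOD,
         digits: int = DEFAULT_DIGITS, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(timestamp // period), digits, algorithm)


def otpauth_uri(secret: bytes, issuer: str, account: str, digits: int = DEFAULT_DIGITS,
                period: int = DEFAULT_PERIOD, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """The string an enrolment page encodes into the QR code. The secret is
    base32 without '=' padding, which is what authenticator apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={period}")


def verify_totp(secret: bytes, submitted: str, timestamp: float, look_ahead: int = 1,
                period: int = DEFAULT_PERIOD, digits: int = DEFAULT_DIGITS,
                algorithm: str = DEFAULT_ALGORITHM) -> bool:
    """Server-side check of a submitted code. Accepts the current window plus
    look_ahead windows on either side (clock skew), compares in constant time,
    and rejects anything that is not exactly `digits` decimal digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(timestamp // period)
    ok = False
    for c in range(counter - look_ahead, counter + look_ahead + 1):
        # No early return: the number of comparisons does not depend on which window matched.
        ok |= hmac.compare_digest(hotp(secret, c, digits, algorithm), submitted)
    return ok


if __name__ == "__main__":
    import os
    # Constructed enrolment: a fresh 20-byte secret, as a CONFIGURE_OTP step would generate.
    secret = os.urandom(20)
    # Hypothetical issuer/account names; the URI is what the QR code would carry.
    print(otpauth_uri(secret, "Keycloak", "alice@example.com"))
    now = time.time()
    code = totp(secret, now)  # what the user's authenticator app shows and submits
    print(code, verify_totp(secret, code, now))
```

The look_ahead window is the usual trade-off: one period on either side tolerates phone clock drift, but every extra window accepted is another valid code at any instant, so keep it small and rate-limit submissions. The secret must never be returned to the client again after enrolment; only the verification result should leave the server.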