June 2018 - keycloak-user - Jboss List Archives

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

6 years, 10 months

2
3
0 / 0

Magic Link feature removed?

by Stefan Hesse

Hello, according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942 Magic Link was introduced in version 4.0.0.Beta1. I am running 4.0.0.Beta.2, and I tried to follow the following tutorial in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8 Strangely the option does not appear in the Beta2 anymore. Was the feature removed again? Regards Stefan

7 years, 3 months

3
3
0 / 0

Client Registration performance

by Eivind Larsen

Hello Keycloak Users! We are planning on using the Client Registration flow for setting up clients on login. This is mainly to more clearly identify each individual device a user has logged in with. Are there anyone using this feature in production with a large number of clients? With our current stats, we would probably end up with a few million clients by the end of the year. 1. Will this scale well with the way Keycloak works? 2. If a user loses their device, how should a full revoke & logout be performed? 3. Is there an alternative approach to give each user more control over their device and session? Thanks, Eivind Larsen

7 years, 4 months

2
1
0 / 0

Keycloak realm detection from email domain

by Scott Hezzell

Hi I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem? My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint. Can anyone see any issues with this approach? Or a suggest a better approach? Thanks Scott

7 years, 4 months

3
2
0 / 0

Realm resolution based on username (email address)

by Pedro Pedro

Hi. I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier. Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address). How do I go about doing that? Best regards, Pedro.

7 years, 4 months

2
1
0 / 0

Organization Based Accounts and Permissions

by Charles Henck

Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin

7 years, 5 months

6
19
0 / 0

LDAP user group membership not syncing

by Luiz Carlos

Hi everyone I'm trying to sync the LDAP groups into Keycloak but it doesn't update the membership if I add or remove it from a group in LDAP. I was able to sync the groups and its users into Keycloak correctly if those wasn't provisioned before. For example, if the user already exists in Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also provisioned from LDAP), the user in Keycloak continues to being a member of the group in the Groups tab of user's details screen and in client's group mappers. However, if I open the Members tab of group's details screen the user was removed from the group. Is there any way to solve this problem? Because of my company policy I can't use Keycloak to manage the groups. I'm using Keycloak 2.5.1. Thanks for the help -- Luiz Carlos

7 years, 5 months

3
2
0 / 0

user storage ldap or keycloak

by Istvan Orban

Dear Keycloak users. I am very new to keycloak and I really like it. it is great. I am currently migrating a legacy app ( using it's own user management ) to support SSO. I have set-up keycloak with openid connect and it works very well. At this point we need to decide if we will use keycloak as our main user store or we will set-up an LDAP. My question is that. Is keycloak designed in a way that it can fullfil all the responsibilities of the main user store? Any risk with this at all? ps: our userbase is small and at this point I am not sure if we want to add ldap just for this. -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *

7 years, 5 months

3
2
0 / 0

Keycloak SAML tomcat adapter and correct log-out

by Leonid Rozenblyum

Hello! I'm using a keycloak tomcat SAML adapter and I have a question related to ?GLO=true way of logging-out (since Tomcat doesn't implement full JavaEE stack, request.logout() is not the way to go, right?). When I use GLO=true, my session inside the Keycloak is indeed invalidated however the local session in Tomcat is not. When I try session.invalidate() and then redirect to GLO=true, sometimes my protected page still can be loaded. Is there a robust documented way to do the logout with help of Keycloak SAML tomcat adapter? Thanks

7 years, 5 months

2
1
0 / 0

Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names

by Niels Bertram

Hi there, we have a requirement to set the jndi datasource name on a UserFederation provider when added to a realm to support connecting different realms in the same Keycloak server to different databases. Been through the examples and read a few emails from around 2016 in the developer list but do not find anyone who'd actually done this before. we could create a user managed EntityManagerFactory within the federation provider factory but the question is then how can we inject it into the container context and enlist our transactions in the JTA? Has anyone ever had to implement something like that? Cheers, NIels

7 years, 6 months

4
8
0 / 0

Group-Mapping

by Lahari Guntha

Hi All, We are using keycloak of version 3.3.0.CR2. I have my Keycloak integrated with LDAP. I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP. eg: Users in LDAP: "user1" Groups in LDAP: "group1","group2" When i login into one of my application that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it. Now I add the user "user1" into another group "group2"... But now the newly added group is not reflected when click on User> Group Mapping. Why Is this happening?? What is the solution to continuously sync the users with the groups they are present in/added newly automatically???? Thanks, Lahari =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

7 years, 6 months

3
16
0 / 0

Keycloak Proxy Rename

by Bruno Oliveira

Good afternoon, We are considering to transfer or fork the keycloak-proxy[1] to Keycloak organization. In order to accomplish that, I've been working with Rohith updating some of its dependencies[2]. While discussing with our team, we reached the conclusion that call it a proxy could potentially increase the scope of the project and also give people the wrong idea. Because would be expected things like load balancing, rate limiting, and other features. That's not what we want right now. I would like to gather some feedback from the community before we move forward. So please vote on the following Doodle: https://doodle.com/poll/gux626ktscgpr96t Also, feel free to suggest other names and it will be included. [1] - https://github.com/gambol99/keycloak-proxy [2] - https://issues.jboss.org/browse/KEYCLOAK-7265 -- abstractj

7 years, 7 months

8
9
0 / 0

Keycloak Java Servlet Filter Adapter.

by Luis Rodríguez Fernández

Hello there, I am using the java servlet filter adapter ( http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...) in apache-tomcat 9 and it works like a charm, thanks! The filter class is org.keycloak.adapters.saml.servlet.SamlFilter I would like to fully externalize the keycloak configuration from the deployed applications. I know that I can set the keycloack config file via the filter config param keycloak.config.file, to some external path like /usr/local/my-keycloak-saml.xml, brilliant! In the other hand the SamlFilter( https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...) looks for the keystores inside of the application context: usually something like /WEB-INF/my-keystore.jks. This is due the implementation of the ResourceLoader.getResourceAsStream(String resource) function. It looks like something like this: ResourceLoader loader = new ResourceLoader() { @Override public InputStream getResourceAsStream(String resource) { return filterConfig.getServletContext().getResourceAsStream(resource); } }; In ServletContext.getResourceAsStream(java.lang.String path) the path param must begin with a "/" and it is interpreted as relative to the current context root. I would be in favor of having the possibility of externalize this resource, perhaps having somethig like: //First try the original one InputStream is = filterConfig.getServletContext().getResourceAsStream(resource); if(is=null) { // Try with an external one try { is = new FileInputStream(resource); } catch (FileNotFoundException e) { throw new RuntimeException(e); } } Any thoughts on this? Thanks in advance, Luis -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

7 years, 8 months

1
1
0 / 0

Issue when two user federation providers are deployed

by Juan Pablo Perata

Hi, I have been facing an issue with having two user federation providers deployed on the same keycloak instance. When both are deployed, one of them appears as not visible from the admin console. I created this issue when I explain better the situation: https://issues.jboss.org/browse/KEYCLOAK-7735?_sscc=t It seems to be a bug but cannot confirm that. I appreciate if someone faced something similar or points out something I do not see. Regards, Juan

7 years, 8 months

2
3
0 / 0

lock user after being inactive for certain period

by Sachin Rastogi

Hi all, We need to disable / lock user if user doesn't login into system for certain period (such as after 10 days or so). I couldn't find an option to enable. Please guide me. Regards, SR

7 years, 8 months

2
1
0 / 0

SAML Advice assertion with signature

by Arjan Lamers

Hi, We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the dutch eHerkenning) that is using SAML Advice tags. We were running an older version of KeyCloak and recently that identity provider started to use <saml:Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag and that made us upgrade to 3.4.3. However, this patch does not seem to be complete. The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails. We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that? However, if we do want to go down this road, we would probably patch this in org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator) by skipping over nodes that have an ‘Advice’ parent. Would that be an appropriate approach? Would you be interested in such a patch? Met vriendelijke groet, Arjan Lamers Software Architect +31 (0)6 23 82 24 05 a.lamers(a)first8.nl https://www.first8.nl <http://www.first8.nl/> Linkedin https://www.linkedin.com/in/arjanl <https://www.linkedin.com/in/profiel-id> Kerkenbos 1059b 6546 BB Nijmegen Bekijk hier de algemene voorwaarden van Conclusion <https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden>

7 years, 8 months

3
4
0 / 0

Multiple logins from different IPs

by Eric Dill

Hi, Searching through the mailing list, the docs and JIRA, I've been able to find some previous conversations on the mailing list <http://lists.jboss.org/pipermail/keycloak-user/2017-March/010059.html> and a closed Jira ticket <https://issues.jboss.org/browse/KEYCLOAK-4611> around the same user being able to simultaneously be logged in from two (or more) different IP addresses. The comment last year was > We don't have this supported OOTB, but likely we should as it's quite popular use-case though It's been a bit over a year since that was posted to the mailing list. I wonder if this capability is now supported out of the box? The other piece of advice last year was that > For now, you will need to implement custom Authenticator If this capability does not exist out of the box, are there any available examples of doing this as a plug-in? Thanks for the great project :-D Best, Eric -- Eric D. Dill, PhD Senior Solutions Architect <https://anaconda.com/> <https://twitter.com/anacondainc> <https://www.linkedin.com/company/anacondainc> <https://www.facebook.com/anacondainc/> <https://www.slideshare.net/continuumio>

7 years, 9 months

2
1
0 / 0

Re: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner

by Shaik Salam

Hi, We have installed docker on linux operating system in vm and running keycloak server as container. Tying to restart server(ex: ./bin.standalone.sh) but boot is failed due to following port conflicts. Could you please let us know is any modifications needed on ports or interface's ip address for respective files(ex: standalone.xml,host.xml etc). Please provide suitable solution and in which files modification needs to do, to rectify following errors and find log file for more information. Thanks in advance. 11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080 at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990 at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:340) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443 at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) failure description: { "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"}, "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => { "Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"], "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"] } } 11:10:49,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => { "Services that were unable to start:" => [ "jboss.deployment.discovery.\"keycloak-server.war\"", "jboss.deployment.unit.\"keycloak-server.war\".component.\"com.sun.faces.config.ConfigureListener\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.faces.webapp.FacetTag\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.filters.KeycloakSessionServletFilter\".START", "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.listeners.KeycloakSessionDestroyListener\".START", "jboss.deployment.unit.\"keycloak-server.war\".deploymentCompleteService", "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service", "jboss.undertow.deployment.default-server.default-host./auth" ], "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"] }} BR Salam =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

7 years, 9 months

2
2
0 / 0

Get all users for a given client with consent

by Henning Waack

Hi. Is it possible to get a list of all users who have given their consent for a specific client? I am working with KC 4.0 (and Spring Boot 2.0). Thanks & greetings Henning

7 years, 9 months

2
4
0 / 0

Keycloak on Kubernetes - HTTPS required

by Pavlov, Yordan

Hi all, I’m evaluating Keycloak as IAM for one open source project [1], so far, I’ve tested it successfully on a minikube (local) Kubernetes cluster and I want to run it in on a real cluster. The real cluster (created by Gardener [2]) is running on AWS and the access to the Keycloak is exposed through an Ingress controller [3]. We’ve also installed “cert-manager” for automated certificates management of Let’s Encrypt issued certificates. So far so good, but when I try to login to the “Admin Console” I get the following error: “We're sorry... HTTPS required” In the logs of the pod, there is the following warning: “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required” As far as I understand, the Let’s Encrypt certificated is trusted by the browsers and it appears to be trusted by the OpenJDK also [4]. Then what should be done in order to access the Admin Console? Last but not least, we are using jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version). Regards, Yordan Pavlov [1] ProMART: https://github.com/promart-io | https://www.promart.io/ [2] Gardener: https://github.com/gardener [3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

7 years, 9 months

4
7
0 / 0

KEYCLOAK-7237 : Redirect URI is adding port zero to the url

by Shawn Fu Sheng

Dear keycloak team, I encountered redirect_uri error. Found same issue logged at below JIRA, just want to check any work around? Anyone can help? Thank you in advance. KEYCLOAK-7237 <https://issues.jboss.org/browse/KEYCLOAK-7237> 2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=175.156.168.158, error=invalid_redirect_uri, redirect_uri=https://www.mydomain.com:0/home <https://www.mydomain.com:0/home> I am using apache http reverse proxy running on centos7, wildly 10, keycloak 3.4.3. has also tried in below environment but same error. Tried in wildly 10, wildly 11, jboss 7.1 Keycloak 3.4.3 as well as keycloak 4.0 Also tried shutdown apache http and access directly to http://www.mydomain.com:8080/home <http://www.mydomain.com:8080/home> , but seems return_uri automatically been converted to https with port 0. Please see below standalone.xml, tried removed below config in red but no luck. <subsystem xmlns="urn:jboss:domain:undertow:4.0"> <buffer-cache name="default"/> <server name="default-server"> <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/> <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <location name="/drive" handler="drive"/> <access-log pattern="%h %l %u %t "%r" %s %b "%{i,Referer}" "%{i,User-Agent}" "%{i,COOKIE}" "%{o,SET-COOKIE}" %S "%I %T"" prefix="access."/> <filter-ref name="server-header"/> <filter-ref name="x-powered-by-header"/> <http-invoker security-realm="ApplicationRealm"/> </host> <host name="mydomain1" alias="mydomain1.com,www.mydomain1.com" default-web-module=“mydomain-0.1.war"> <location name="/drive" handler="drive”/> <filter-ref name="proxy-peer"/> <filter-ref name="request-dumper" priority="30"/> </host> <host name="mydomain2" alias="mydomain2.com,www.mydomain2.com" default-web-module="mydomain2-0.1.war"> <location name="/drive" handler="drive"/> <filter-ref name="proxy-peer"/> <filter-ref name="request-dumper" priority="30"/> </host> <host name="mydomain3" alias="mydomain3.com,www.mydomain3.com" default-web-module="mydomain3-0.1.war"> <location name="/drive" handler="drive"/> <filter-ref name="proxy-peer"/> <filter-ref name="request-dumper" priority="30"/> </host> </server> <servlet-container name="default"> <jsp-config/> <websockets/> </servlet-container> <handlers> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/> <file name="drive" path="/app/drive"/> </handlers> <filters> <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/> <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/> <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/> <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core"/> </filters> </subsystem> Rds, Shawn

7 years, 9 months

1
1
0 / 0

x509 - serial number as a HEX

by Karol Buler

Hi Everybody, is there any possibility to get Serial Number field from certificate in x509 authentication flow as a HEX value instead of Integer. I've set the x509 Direct Grant authentication flow to take Serial Number as a username, and I've expected that there will be a HEX value, which I see in certificate, but I've got Integer representation of it in my User Storage Federation's classes. Karol [https://www.adbglobal.com/wp-content/uploads/adb.png] adbglobal.com<https://www.adbglobal.com> This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy<https://www.adbglobal.com/privacy-policy/> and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

7 years, 9 months

2
1
0 / 0

How to use Keycloak in CakePHP Application

by Kanhaiya Ora

Hi Developers, I am PHP Developer. I am begineer with keycloak so can you help me for how to setup Keycloak with *CakePHP* application. I don't found any proper documentation for how to configure a Keycloak with PHP Application. If i am using Keycloak REST API for configure a Keycloak with PHP Application then we want to use a Keycloak Admin as a REST API server. If you have any proper documentation and video tutorial for configure a Keycloak with PHP Application. so please send me link, so i can start work on Keycloak with my application. Thanks in Advance. -- *Kanhaiya Ora* *Sr. Software DeveloperXin Performance* E:kanhaiya@xinperformance.com T: +91 9755518055 W: xinperformance.com

7 years, 9 months

1
0
0 / 0

username to be used for importing users

by Leonid Rozenblyum

Hello! We're using 2 keycloak instances. SP -> Keycloak (broker) -> Keycloak (Identity provider) How can we configure the broker to create user names equal to the original username from keycloak (Idp)? Now the new users inside the broker receive a G-.... (long meaningless string) username during the first log-in. So if user logs in through Idp with login: 'hello' we would like user 'hello' be created in the broker Thank you for advice.

7 years, 9 months

1
1
0 / 0

Keycloak DB connection reset

by Pulkit Srivastava

Hi, I am using keycloak with AWS MySQL RDS instance. The problem i am facing is that after some time, the db connection is reset and i have to restart keycloak server to make db connection again. It wasn't a problem till the time i was using keycloak's inmemory H2 DB. Please help. Thanks, Pulkit

7 years, 9 months

1
1
0 / 0

Error while building inside a container

by Rafael Weingärtner

Hello, Keycloak community, I am trying to build Keycloak 4.0.0Final, but I keep getting the following error: Results : > Tests in error: > > JavascriptAdapterTest.org.keycloak.testsuite.adapter.javascript.JavascriptAdapterTest > ? Runtime > > DemoFilterServletAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoFilterServletAdapterTest > ? Runtime > > DemoServletsAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoServletsAdapterTest > ? Runtime > > Tests run: 1703, Failures: 0, Errors: 3, Skipped: 247 > I am not understanding it. Has someone here seen something similar? I am running the build inside a docker container, can this be the problem? Can I be missing some dependency or something else? I am using a Debian 8.11, Java 8_171 and maven 3.5.4. When I try to build using a bare server, everything works. -- Rafael Weingärtner

7 years, 9 months

1
0
0 / 0

Facing issue after having keycloak SAML adapter keycloak-saml.xml content into wildfly instance.xml file

by vandana thota

As per this doc https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/jboss-ad... I have installed the file from keycloak --client --.>Insatllation tab--> keycloak SAML Adapter Keycloak-Saml.xml. Copied this file content to wildfly instance's .xml file and Im seeing the below error . 515: | 516: | 517: <sslPolicy="EXTERNAL"> | ^^^^ Illegal to have multiple roots (start tag in epilog?) | | 518: <SP entityID="Sample-app"> | 519: | 520: | | The primary underlying error message was: | > Illegal to have multiple roots (start tag in epilog?). | > at [row,col {unknown-source}]: [517,9] Thanks,

7 years, 9 months

1
0
0 / 0

Authorization Services - Admin Console

by gambol

Hiya I'm guessing this isn't possible yet but just in case, is it possible to provide fine-grain controls over the creation of local accounts. At the moment we have a project whom we to gave the ability to control membership of one or more groups via "User Policy" in authorization services. We would like them to be able to "create" a user as well, but retain the above limitation. At the moment this doesn't look like its possible as the only way to get the "Add User" button is to add the "manage-users" role from "realm-management" .. This unfortunately gives the access to do anything they want with the users .. adding a group, delete etc etc Are there any plan's to extend the scopes available under the Users resource type? .. Rohith

7 years, 9 months

2
2
0 / 0

Forbidden error on keycloak

by vandana thota

We are configuring the single sign on configuration for the application whcih we deployed on wildfly instance by using keycloak , okta, application on wildfly instance. I could add or import the External IDP Metadata in keyckloak under the tab add identity provider . Could see a tab ( Saml-sample app) on keycloak page . Case 1 When I click on tab ( Saml-sample app) on keycloak it's redirecting to okta page and I gave the crednetials and after that its redirecting to keycloak and showing this error Forbidden You don't have access to the requested resource. Go to the home page » PFA What needs to done in order to acihieve the single sign on configuration for the application which we deployed on wildfly instance ? Do We have to configure anything on application side Thanks.

7 years, 9 months

1
0
0 / 0

Re: [keycloak-user] Keycloak 4

by Pedro Igor Silva

Think we are missing this in docs :) You need to enable "User-Managed Access" in Realm Settings (General tab). On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote: > OK, interesting: I didn't know about this console :) > I can access it with my "test" user, but I don't see the "My Resources" > menu entry (see screenshot). > I created some resources owned by that user (using the API). But they > don't show up. > What did I missed? > > On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com> > wrote: > >> Yeah, you can access those claims in a JS policy. >> >> Regarding the "account management console" take a look here: >> https://www.keycloak.org/docs/latest/authorization_ser >> vices/index.html#_service_authorization_api_aapi. >> >> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < >> corentin.dupont(a)gmail.com> wrote: >> >>> Ok, I see the "claim_token" parameter in the request. >>> I guess you can retrieve those claims in a javascript rule, from the >>> evaluation context. >>> >>> By the way, I still cannot figure out where is the "account management >>> console", where user can manager users access (as per the release notes)?? >>> >>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com> >>> wrote: >>> >>>> The new form of obtaining entitlements relies solely on the token >>>> endpoint just like when you are obtaining access tokens using other OAuth2 >>>> grant types. With that in mind the new format of the request should be a >>>> HTTP POST + parameters. Check this documentation [1] for more details. >>>> >>>> Regarding pushing claims to your policies, there is a specific HTTP >>>> parameter that you can use to pass a Base64 encoded JSON with the claims >>>> you want to push. >>>> >>>> [1] https://www.keycloak.org/docs/latest/authorization_servi >>>> ces/index.html#_service_obtaining_permissions >>>> >>>> >>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < >>>> corentin.dupont(a)gmail.com> wrote: >>>> >>>>> Thanks Pedro, I went through the pull request. >>>>> I'm not sure how to modify my entitlement requests? >>>>> For example I have: >>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "Sensors", >>>>> "scopes" : [ >>>>> "sensors:update" >>>>> ] >>>>> } >>>>> ] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup >>>>> " >>>>> >>>>> This call has been moved to uma-2, right? >>>>> Can I add pushed claims to this call? What I'm imagining is: >>>>> >>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "Sensors", >>>>> "scopes" : [ >>>>> "sensors:update" >>>>> ] >>>>> } >>>>> ], >>>>> claims: ["owner": "cdupont"] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup >>>>> " >>>>> >>>>> In this example, I would like to push the owner of the sensor >>>>> ("cdupont"), which I take from our own database before calling the API. >>>>> >>>>> Sorry about the questions, maybe I should just wait that the >>>>> documentation is merged :) >>>>> >>>>> >>>>> >>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com> >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> We have a few changes to docs that were not released because the PR >>>>>> [1] was not merged on time. But you can check about pushed claims (if you >>>>>> are using our adapters) here [2]. >>>>>> >>>>>> Regards. >>>>>> Pedro igor >>>>>> >>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>>>>> ces/index.html#_enforcer_claim_information_point >>>>>> >>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>>>>> corentin.dupont(a)gmail.com> wrote: >>>>>> >>>>>>> Hi guys, >>>>>>> I'm playing with the new version of Keycloak ( >>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>>>>> >>>>>>> I have some questions: >>>>>>> - where is the "account management console"? >>>>>>> - How to use pushed claims? Which APIs are affected? >>>>>>> >>>>>>> Thanks! >>>>>>> Corentin >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user(a)lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> >

7 years, 9 months

3
7
0 / 0

Static API keys (long lived access tokens)

by Yuriy Yunikov

Hi everyone, We have a need to issue static access token from Keycloak which wouldn't change and have no expiry but can be revoked. From what I've seen so far Keycloak can only issue offline token <http://www.keycloak.org/docs/3.0/server_admin/topics/sessions/offline.html> for refresh token, but not for access tokens. Is there any way to achieve this? Regards, Yuriy

7 years, 9 months

1
0
0 / 0

Kerberos authentication in Windows

by Otaño Pavo, Cesar

Hi, I'm trying to set up user authentication mechanism for my website using Keycloak and Kerberos protocol. I have followed instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-... In Keycloak configuration menu I have changed Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>. But after that when I'm going to my web page I got message "Kerberos is not set up. You cannot login." After enabling -Dsun.security.krb5.debug=true and -Dsun.security.spenego.degug=true and change Kerberos authentication from required to alternative, the server log is the following: 13:17:06,116 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (defaul t task-17) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP C onfiguration: {serverPrincipal=[HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.L OCAL], pagination=[true], fullSyncPeriod=[-1], connectionPooling=[true], usersDn =[dc=sanbox,dc=local], cachePolicy=[DEFAULT], useKerberosForPasswordAuthenticati on=[true], importEnabled=[true], enabled=[true], bindDn=[CN=keycloak,CN=Users,DC =sanbox,DC=local], usernameLDAPAttribute=[cn], changedSyncPeriod=[-1], lastSync= [1530011208], vendor=[ad], uuidLDAPAttribute=[objectGUID], allowKerberosAuthenti cation=[true], connectionUrl=[ldap://sb-ad.sanbox.local:389], syncRegistrations= [false], authType=[simple], debug=[true], searchScope=[2], useTruststoreSpi=[lda psOnly], keyTab=[C:\\keycloak.keytab], kerberosRealm=[SANBOX.LOCAL], priority=[0 ], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn] , editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: [] 13:17:06,135 INFO [stdout] (default task-17) Debug is true storeKey true useTi cketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\\keycloak.keytab refreshKrb5Config is false principal is HTTP S/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL tryFirstPass is false useFirstP ass is false storePass is false clearPass is false 13:17:06,138 INFO [stdout] (default task-17) principal is HTTPS/facultativoskey cloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,139 INFO [stdout] (default task-17) Will use keytab 13:17:06,140 ERROR [stderr] (default task-17) [LoginContext]: login success 13:17:06,142 INFO [stdout] (default task-17) Commit Succeeded 13:17:06,142 INFO [stdout] (default task-17) 13:17:06,143 ERROR [stderr] (default task-17) [LoginContext]: commit success 13:17:06,150 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,151 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,153 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,154 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,157 INFO [stdout] (default task-17) Entered SpNegoContext.acceptSecCon text with state=STATE_NEW 13:17:06,158 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceiving token = a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 0 9 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 4 7 49 53 41 4e 42 4f 58 13:17:06,160 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10 13:17:06,162 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30 13:17:06,165 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mech Token 13:17:06,165 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceived token of type = SPNEGO NegTokenInit 13:17:06,166 INFO [stdout] (default task-17) SpNegoContext: negotiated mechanis m = 1.2.840.113554.1.2.2 13:17:06,166 INFO [stdout] (default task-17) The underlying mechanism context h as not been initialized 13:17:06,168 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: me chanism wanted = 1.2.840.113554.1.2.2 13:17:06,170 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: ne gotiated result = ACCEPT_INCOMPLETE 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token of type = SPNEGO NegTokenTarg 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02 13:17:06,173 INFO [stdout] (default task-17) [Krb5LoginModule]: Enter ing logout 13:17:06,174 INFO [stdout] (default task-17) [Krb5LoginModule]: logge d out Subject 13:17:06,175 ERROR [stderr] (default task-17) [LoginContext]: logout success Aditional information: +Keycloak is installed in Windows Server 2012. +Command to create keytabfile: ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL<mailto:HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL> -mapUser Keycloak(a)SANBOX.LOCAL<mailto:Keycloak@SANBOX.LOCAL> -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT +Configuration KRB5.ini located in c:\windows [domain_realm] .sanbox.local = SANBOX.LOCAL sanbox.local = SANBOX.LOCAL [libdefaults] default_realm = SANBOX.LOCAL permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 [realms] SANBOX.LOCAL = { kdc = sb-ad.sanbox.local admin_server = sb-ad.sanbox.local default_domain = SANBOX.LOCAL } +Kerberos Integration: Allow Kerberos authentication: YES Kerberos Realm SANBOX.LOCAL Server Principal HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL<mailto:HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL> KeyTab C:/keycloak.keytab Debug YES Use Kerberos For Password Authentication YES Regards AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

7 years, 9 months

3
2
0 / 0

Re: [keycloak-user] brokered-login only

by Marek Posolda

Yes, sure. If you need to just override themes, you may not need to override authentication flow. But if you need to override UsernamePassword Authenticator and change the implementation, so that it doesn't allow to login with username/password at all, then you will need to add this authenticator implementation into new browser authentication flow. Maybe instead of overriding UsernamePassword authenticator, it's easier to create new implementation of authenticator, which will just show the Freemarker form with links to brokers (No username/password). In that case you will also need to create new authentication flow and add that new authenticator implementation to it. Marek On 25/06/18 08:57, Corbetta, Francesco wrote: > Hello > > What about changing the browser authentication flow? > > Best > > Francesco > > -----Original Message----- > From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Marek Posolda > Sent: 25 June 2018 08:49 > To: mj <lists(a)merit.unu.edu>; keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] brokered-login only > > It's possible to remove username/password fields from login screen by doing custom theme and override freemarker template for login screen. > > You may need to remove tab "password" from account management as well so that users are not able to set their password here. This can be also achieved through theme. > > Thing is, that after changing themes, users will be still able to login with their username/passwords if they "simulate" sending the same HTTP request, which login screen is sending (they can also simulate changing their password in account management by HTTP request even if "password" > tab is not in the UI). So if you expect to have malicious users, which would try to do something like this and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if user is trying to "simulate" the request like this. > > Marek > > > On 24/06/18 14:30, mj wrote: >> Hi, >> >> Is there a way to create a realm in keycloak with a few brokered IdP's, >> *without* the local username/password fields on the login screen, >> but >> *only* a list of external IdP's to choose from? >> >> Thanks! >> >> MJ >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

7 years, 9 months

4
6
0 / 0

Why does error page always use base theme?

by Neujahr, Jana

Dear Keycloak users, my task is to style the custom keycloak theme. But I found some strange behavior for which cannot find a solution. I'm using Keycloak 4 beta. For the error pages ("We're sorry..." "Page not found"...) Keycloak always uses the base/keycloak theme, not my custom one... These are the steps I tried: · In the Admin Console, I added custom theme to all possible areas (Login, Account...) · added error.ftl, info.ftl and others to the custom theme in folder "login" · ensured that "template.ftl" from the same folder is used in all these FTLs: <#import "template.ftl" as layout> · created an own login.css with specific overwriting styles (which is already used in login´pages successfully) · added login.css to theme.properties: styles=node_modules/patternfly/dist/css/patternfly.css node_modules/patternfly/dist/css/patternfly-additions.css lib/zocial/zocial.css css/login.css But in the error page always the base/keycloak css is used. I ensured that with altering the base css -> then it worked with the error page. What to do to make Keycloak take my custom theme for errors? I'd appreciate any help! Kindly yours Jana Treffen Sie GISA auf folgenden Veranstaltungen! 06.-07.09.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig 11.-12.09.2018 Jahreskongress der Energieforen: Energiemarkt der Zukunft, Leipzig 23.-24.10.2018 metering days 2018, Fulda 15.11.018 BEMD-Jahreskongress 2018, Mannheim Aufsichtsratsvorsitzender: Norbert Rotter Geschäftsführung: Michael Krüger Sitz der Gesellschaft: Halle/Saale Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414 UST-ID-Nr. DE 158253683 Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.

7 years, 9 months

2
1
0 / 0

keycloak | Wildfly

by vandana thota

Hello Does any one knows the blow process : If yes can you able to tell us how to set up the broker in keycloak for keycloak final 4.0.0.0 version . 1. Set up a client for your application in Keycloak 2. Set up a broker in Keycloak that points to Okta and sets that as the automatic delegate. This means no keycloak login screen would be shown and it would delegate directly to Okta for authentication. 3. Log into Okta 4. Get to Okta app screen. 5. Click on app link 6. App redirects to Keycloak for authentication 7. Keycloak redirects automatically to Okta 8. Okta sees you are already logged in 9. Redirects back to Keycloak 10. Creates SAML assertion or OIDC token for client Thanks, Vandana

7 years, 9 months

1
0
0 / 0

Keycloak & Okta

by John D. Ament

Hi Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage I suspect its a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck. John

7 years, 9 months

3
6
0 / 0

UMA 2.0 permissions for service client owned resources

by Gary Schulte

Hello all, I have some criteria for resource scope sharing that I am trying to reconcile. We are using keycloak to protect data resources. The data resources are created with a corresponding keycloak resource and scopes. These resources are logically owned by the resource creator, but we want to have the resources technically owned by the service client for a couple reasons: * resources may be created by CS and "transitioned" to users * resources created by users who leave the organization should not be orphaned To accomplish this we have an owner scope which is a proxy for the actual resource ownership, and the service client actually owns all of the resources. However, we want to allow users to share scopes dynamically. We are looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this sharing, and intend to continue to use policies for our administrative RBAC scenarios. In testing, I have been able to grant and revoke permissions using the permission ticketing for service-client-owned resources. However when I attempt to use the evaluation console to verify the behavior, I get a 500 error (and no logging on the keycloak side): {"error":"server_error","error_description":"Error while evaluating permissions."} Are UMA 2.0 permissions for service client owned resources a supported use case? TIA Gary Schulte

7 years, 9 months

2
3
0 / 0

Is there any update on https://issues.jboss.org/browse/KEYCLOAK-2940 ?

by Schenk, Manfred

Does anyone have information about https://issues.jboss.org/browse/KEYCLOAK-2940 ? Is there something planned for the near future or will we have to wait for years before this will be implemented? Some kind of roadmap could be helpful. Regards, Manfred -- Manfred Schenk, Fraunhofer IOSB Informationsmanagement und Leittechnik Fraunhoferstraße 1,76131 Karlsruhe, Germany Telefon +49 721 6091-391 mailto:Manfred.Schenk@iosb.fraunhofer.de http://www.iosb.fraunhofer.de

7 years, 9 months

2
2
0 / 0

Keycloak 4.0.0.Final Implicit flow response is different to 3.4.3.Final

by Ian Duffy

Hi All, In Keycloak 3.4.3.final when I used the implicit flow the URL fragment path contained: - session_state - access_token - id_token - token_type - expires_in - not-before-policy in Keycloak 4.0.0.Final I'm only seeing: - session_state - id_token - access_token Why is this? Is there configuration missing or is this a bug? Thanks, Ian.

7 years, 9 months

1
0
0 / 0

Keycloak always create user when use exchange_token grant_type

by Florian Bernard

Hello, We try to implement the following use case : We have a Realm and a Client that allow users to login with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to login with a Facebook token by using the same rest api but with token-exchange grant_type only if a keycloak user already exists and if it’s linked with Facebook identity provider. Problem: if a user that does not exist in Keycloak exchange a Facebook token, it’ll be automatically created by keycloak and an access_token is return. We try to modify First Login Flow in Identity provider configuration, but it does not work. How we can prevent keycloak to create user and return an error if there is no keycloak user linked to the facebook token? Thanks in advance, Florian

7 years, 9 months

2
2
0 / 0

How to resolve ERR_CONNECTION_TIMED_OUT

by vandana thota

When I was tryin to open the keycloak admin console Im gettting below error . How to resolve it This site can’t be reached - ERR_CONNECTION_TIMED_OUT

7 years, 9 months

1
0
0 / 0

Brokered logins only?

by pkboucher801＠gmail.com

Any way (other than a custom theme that enforces it in the UI) to allow only brokered logins to a realm? For reasons beyond my control, the user's password is the same in the IDP as it is in KC (they point at the same OU in LDAP), but the IDP has been configured with a particular 2FA method that is not supported by KC. So the problem is that if the users login with username/password submission on the KC login page, they can bypass the IDP's 2FA. We can set the IDP as the default, but kc_idp_hint as a blank value will bring up the KC login page. Maybe there's a way to adjust the flows so that brokered login works, but username/password submission on the KC login page fails (or is not even offered)? Maybe setup pre-configured OTPs on the accounts, so that the users can't get past there? (this would be a bad, confusing UX) Any other ideas? Regards, Peter K. Boucher

7 years, 9 months

3
5
0 / 0

Backchannel logout with SSL

by PEETERS.THOMAS (ICT)

Hey all, One of our requirements for SSO is that when one SSO application in the SSO realm gets a logout request, that it logs out all the other applications in the same SSO realm. For that, I'm assuming 'backchannel logout' is what we need. We've configured an "admin url" in the clients configuration, using https. But this throws an exception in Keycloaks Undertow subsystem. When using http instead of https we get an error in our client application telling us that we need SSL. (PreAuthActionsHandler in the Keycloak adapter). SSL is configured in our client (JBoss 6.4 EAP standalone.xml) and in Keycloak standalone.xml. All https authentication request/response from/to the Keycloak server and our JBoss client seems to work. The exception is as follows: KC-SERVICES0057: Logout for client '****' failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at org.keycloak.connections.httpclient.DefaultHttpClientFactory$1.postText(DefaultHttpClientFactory.java:70) at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:243) at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:187) at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:142) at org.keycloak.protocol.oidc.OIDCLoginProtocol.backchannelLogout(OIDCLoginProtocol.java:266) at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutClientSession(AuthenticationManager.java:331) at org.keycloak.services.managers.AuthenticationManager.lambda$backchannelLogoutAll$0(AuthenticationManager.java:242) at java.util.HashMap$Values.forEach(HashMap.java:972) at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080) at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutAll(AuthenticationManager.java:241) at org.keycloak.services.managers.AuthenticationManager.backchannelLogout(AuthenticationManager.java:203) at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:208) at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken(LogoutEndpoint.java:198) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 92 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 98 more Setup: JBoss EAP 6.4, Keycloak-spring-security-adapter 3.4.1.Final, Keycloak 3.4.1.Final. Klik hier<https://www.hvw.fgov.be/nl/mail-disclaimer> voor onze disclaimer Cliquez ici<https://www.hvw.fgov.be/fr/mail-disclaimer> pour notre disclaimer Klicken Sie hier<https://www.hvw.fgov.be/de/mail-disclaimer> für unseren Disclaimer

7 years, 9 months

1
0
0 / 0

Mapping LDAP group-roles to Keycloak

by Alvaro Martin

Hi, We have defined a set of fine-grain roles to secure endpoints on a backend application. We wanted to assign different set of roles to users. To avoid having to assign roles one-by-one to each user we have created groups and we have mapped roles to them (groups will work as profiles here) . Then we have assigned users to groups. This worked well. Now we want to create this setup in a LDAP and configure user federation. We can map LDAP roles to keycloak roles and LDAP groups to keycloak groups. We also even import group users to keycloak. But we don´t know how to transfer LDAP group-roles to keycloak group role-mappings. We haven´t found a mapper for this. Is there any way to do it? Thanks in advance, *Álvaro Martín García*[image: bluetab.net] <http://www.bluetab.net/> alvaro.martin(a)bluetab.net +34 91 457 16 97 +34 687 398 622t

7 years, 9 months

2
1
0 / 0

Fwd: Keycloak 4

by Corentin Dupont

OK, interesting: I didn't know about this console :) I can access it with my "test" user, but I don't see the "My Resources" menu entry (see screenshot). I created some resources owned by that user (using the API). But they don't show up. What did I missed? On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote: > Yeah, you can access those claims in a JS policy. > > Regarding the "account management console" take a look here: > https://www.keycloak.org/docs/latest/authorization_ser > vices/index.html#_service_authorization_api_aapi. > > On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < > corentin.dupont(a)gmail.com> wrote: > >> Ok, I see the "claim_token" parameter in the request. >> I guess you can retrieve those claims in a javascript rule, from the >> evaluation context. >> >> By the way, I still cannot figure out where is the "account management >> console", where user can manager users access (as per the release notes)?? >> >> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva <psilva(a)redhat.com> >> wrote: >> >>> The new form of obtaining entitlements relies solely on the token >>> endpoint just like when you are obtaining access tokens using other OAuth2 >>> grant types. With that in mind the new format of the request should be a >>> HTTP POST + parameters. Check this documentation [1] for more details. >>> >>> Regarding pushing claims to your policies, there is a specific HTTP >>> parameter that you can use to pass a Base64 encoded JSON with the claims >>> you want to push. >>> >>> [1] https://www.keycloak.org/docs/latest/authorization_servi >>> ces/index.html#_service_obtaining_permissions >>> >>> >>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < >>> corentin.dupont(a)gmail.com> wrote: >>> >>>> Thanks Pedro, I went through the pull request. >>>> I'm not sure how to modify my entitlement requests? >>>> For example I have: >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>> Bearer $TOKEN" -d '{ >>>> "permissions" : [ >>>> { >>>> "resource_set_name" : "Sensors", >>>> "scopes" : [ >>>> "sensors:update" >>>> ] >>>> } >>>> ] >>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >>>> >>>> This call has been moved to uma-2, right? >>>> Can I add pushed claims to this call? What I'm imagining is: >>>> >>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>> Bearer $TOKEN" -d '{ >>>> "permissions" : [ >>>> { >>>> "resource_set_name" : "Sensors", >>>> "scopes" : [ >>>> "sensors:update" >>>> ] >>>> } >>>> ], >>>> claims: ["owner": "cdupont"] >>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >>>> >>>> In this example, I would like to push the owner of the sensor >>>> ("cdupont"), which I take from our own database before calling the API. >>>> >>>> Sorry about the questions, maybe I should just wait that the >>>> documentation is merged :) >>>> >>>> >>>> >>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva(a)redhat.com> >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> We have a few changes to docs that were not released because the PR >>>>> [1] was not merged on time. But you can check about pushed claims (if you >>>>> are using our adapters) here [2]. >>>>> >>>>> Regards. >>>>> Pedro igor >>>>> >>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>>>> ces/index.html#_enforcer_claim_information_point >>>>> >>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>>>> corentin.dupont(a)gmail.com> wrote: >>>>> >>>>>> Hi guys, >>>>>> I'm playing with the new version of Keycloak ( >>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>>>> >>>>>> I have some questions: >>>>>> - where is the "account management console"? >>>>>> - How to use pushed claims? Which APIs are affected? >>>>>> >>>>>> Thanks! >>>>>> Corentin >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> >

7 years, 9 months

1
1
0 / 0

Re: [keycloak-user] keycloak-user Digest, Vol 54, Issue 41

by Otaño Pavo, Cesar

Hi Dominique, There is an error in the description of the ktpass command. the command is really: ktpass -out c:\keycloak.keytab -princ HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT Regards ------------------------------ Message: 5 Date: Tue, 26 Jun 2018 12:46:01 +0000 From: Dominique ARNOU <dominique.arnou(a)cnieg.fr> Subject: Re: [keycloak-user] Kerberos authentication in Windows To: Ota?o Pavo, Cesar <c.otano(a)ibermatica.com>, "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> Message-ID: <DB6PR07MB323955D8C4121CCE0FFC686686490(a)DB6PR07MB3239.eurprd07.prod.outlook.com> Content-Type: text/plain; charset="iso-8859-1" Hi Your server principal would be HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL, not HTTPS/... Dominique -----Message d'origine----- De?: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] De la part de Ota?o Pavo, Cesar Envoy??: mardi 26 juin 2018 14:13 ??: keycloak-user(a)lists.jboss.org Objet?: [keycloak-user] Kerberos authentication in Windows Hi, I'm trying to set up user authentication mechanism for my website using Keycloak and Kerberos protocol. I have followed instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-... In Keycloak configuration menu I have changed Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>. But after that when I'm going to my web page I got message "Kerberos is not set up. You cannot login." Aditional information: ? Keycloak is installed in Windows Server 2012. ? Command to create keytabfile: ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT ? Configuration KRB5.ini located in c:\windows [domain_realm] .sanbox.local = SANBOX.LOCAL sanbox.local = SANBOX.LOCAL [libdefaults] default_realm = SANBOX.LOCAL permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 [realms] SANBOX.LOCAL = { kdc = sb-ad.sanbox.local admin_server = sb-ad.sanbox.local default_domain = SANBOX.LOCAL } ? Kerberos Integration: Allow Kerberos authentication: YES Kerberos Realm SANBOX.LOCAL Server Principal HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL KeyTab C:/keycloak.keytab Debug YES Use Kerberos For Password Authentication YES Regards Cesar AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

7 years, 9 months

1
0
0 / 0

3.4.3.Final Resolve java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration in custom authenticator

by Jeremy Giberson

Hello, I’m wondering how I can resolve the error: "Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration” being thrown in my custom authenticator. This started occurring after we added the dependency " keycloak-authz-client” to our project so we can utilize the AuthzClient class. I’m hoping to utilize the hot deployment option of moving my compiled jar into the deployments folder.

7 years, 9 months

2
3
0 / 0

RESET_PASSWORD_ERROR incorrect clientId

by Dan Neville

Hello, I am currently experiencing some issues with resetting credentials via Keycloak. I've experienced this with both 3.4.0 and 4.0.0. We have the "account" client disabled because we do not want a user to have access to changing any of their details other than the password as we saw here http://lists.jboss.org/pipermail/keycloak-user/2017-September/011873.html. We have another two clients "web" and "mobile" which we use. When we request a reset with client_id set to "web" (http://localhost/auth/realms/my-realm/login-actions/reset-credentials?cli...) an email is sent, I click on the link and I can correctly reset my password. However when I reset with client_id set to "mobile" (https://localhost/auth/realms/my-realm/login-actions/reset-credentials?cl...) an email is sent, I click on the link and I get a page which says "Login requester not availble" and the log line seen is: 14:25:42,543 WARN [org.keycloak.events] (default task-70) type=RESET_PASSWORD_ERROR, realmId=my-realm, clientId=account, userId=d4486f3c-ac49-49da-aecf-8898d80f59b7, ipAddress=X.X.X.X, error=client_not_found, reason=loginRequesterNotEnabledMessage, auth_method=openid-connect, token_id=1c9a2709-2902-496b-9e2c-90cdb4404374, action=reset-credentials, response_type=code, redirect_uri=http://localhost/auth/realms/my-realm/account/, remember_me=false, code_id=7ac6953f-a943-473c-b333-e526202c9793, response_mode=query In the log line I can see that it is trying to use the "account" client id which is disabled, so I understand this is why I'm getting the error. However I'm not sure why it is trying to use the "account" client id. What reasons could there be for the client_id with "mobile" acting differently? Many Thanks Dan [Benefex Logo] Dan Neville Senior Backend Engineer hellobenefex.com<https://www.benefex.co.uk> [https://s3-eu-west-1.amazonaws.com/commsmedia-bucket/images/benefex/socia...]<https://www.linkedin.com/company/hellobenefex> [Twitter] <https://twitter.com/hellobenefex> Benefex Ltd, Mountbatten House, , Southampton, SO15 2JU. Registered Number: 04768546 As the sender of this email, we hope that you are the intended addressee and that you are having a nice day. Please take a moment to note that this message may contain information that is confidential or privileged and exempt from disclosure under applicable law. If this wasn't meant for your eyes, please do take the time to let us know and delete this message from all data storage systems. You should also note that the disclosure or copying of this email, or the use of its contents, is prohibited. Thank you! This message has been scanned for malware by Websense. www.websense.com

7 years, 9 months

1
0
0 / 0

Kerberos authentication in Windows

by Otaño Pavo, Cesar

Hi, I'm trying to set up user authentication mechanism for my website using Keycloak and Kerberos protocol. I have followed instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-... In Keycloak configuration menu I have changed Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>. But after that when I'm going to my web page I got message "Kerberos is not set up. You cannot login." Aditional information: · Keycloak is installed in Windows Server 2012. · Command to create keytabfile: ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL -mapUser Keycloak(a)SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT · Configuration KRB5.ini located in c:\windows [domain_realm] .sanbox.local = SANBOX.LOCAL sanbox.local = SANBOX.LOCAL [libdefaults] default_realm = SANBOX.LOCAL permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 [realms] SANBOX.LOCAL = { kdc = sb-ad.sanbox.local admin_server = sb-ad.sanbox.local default_domain = SANBOX.LOCAL } · Kerberos Integration: Allow Kerberos authentication: YES Kerberos Realm SANBOX.LOCAL Server Principal HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL KeyTab C:/keycloak.keytab Debug YES Use Kerberos For Password Authentication YES Regards Cesar AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

7 years, 9 months

2
1
0 / 0

Keycloak 4

by Corentin Dupont

Hi guys, I'm playing with the new version of Keycloak ( https://www.keycloak.org/docs/latest/release_notes/index.html) I have some questions: - where is the "account management console"? - How to use pushed claims? Which APIs are affected? Thanks! Corentin

7 years, 9 months

2
5
0 / 0

Keycloak 3.4.x client-url and SSO questions

by PEETERS.THOMAS (ICT)

Hey all, While implementing a Keycloak based secure application set (3 internal web applications) with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate answer to. Our environment and implementations: The security layer is implemented on the front-end only (for now). JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used). What we’ve got working: 2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log in to app1 we’re also logged in in app2, so that’s good. What we want but can’t seem to achieve: · Log out of app1 --> refresh of app2 should redirect to the Keycloak login page. At this point it seems that the user credentials remain active as long as the browser session remains active. · After successful login from the Keycloak login page always redirect to the application welcome page (index.xhtml for instance). Use case: A user is working in one of our secured applications, has its browser session ended and clicks on some kind of link. The application correctly redirects this user to the Keycloak login page. The user correctly logs in and gets taken back to where he/she was. However, when this is an AJAX kind-of request the user sees plain XML when taken back the application. To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page. I can’t seem to find a way to do this. · Logout doesn’t always work well. Sometimes the Spring AntPathRequestMatcher doesn’t correctly match our logout pattern (/sso/logout**). Therefore we’ve provided an alternative that we’ve found in the documentation in the form of: “https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL> However this doesn’t always work either. There are situations, depending on invalid rights for certain application parts where this never logs out a user. We’ve got a Spring-security application context in XML that is roughly the same as the one found in the documentation. And a keycloak.json file that looks like this: { "realm": "<realmName>", "auth-server-url": "<keycloak-url-with-port>/auth", "ssl-required": "all", "truststore": "<working-truststore>", "truststore-password":"<a-working-pwd>", "resource": "<App1-name>", "public-client": true, "always-refresh-token": true } Due to the large number of Keycloak releases and accompanied configuration changes it’s really hard for us to find relevant information. When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not old appears to be outdated. Just an observation. Thanks for reading. Klik hier<https://www.hvw.fgov.be/nl/mail-disclaimer> voor onze disclaimer Cliquez ici<https://www.hvw.fgov.be/fr/mail-disclaimer> pour notre disclaimer Klicken Sie hier<https://www.hvw.fgov.be/de/mail-disclaimer> für unseren Disclaimer

7 years, 9 months

1
1
0 / 0

Group-based permissions for resources

by Christian Stier

Dear all, I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC. The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups. 1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of an URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see a way to check against path parameters. 2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization? Thanks for any pointers and input. Best regards Christian

7 years, 9 months

2
2
0 / 0

Using the Keycloak js adapter in a Mobile App

by Stephen Coady

Hi, I am currently trying to use the Keycloak JS adapter to login on a mobile device. We were using the cordova adapter but had to change to the default as with local development using Openshift this line: https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.j... was causing us issues and we could not redirect to the app. My question is this: is there a way, or a way planned, to handle the code returned from login with the redirectUri in a mobile view? Currently it looks as though I will have to parse the returned token myself and then login using whatever details it provides me with. Any help at all would be greatly appreciated. Thank you. -- STEPHEN COADY ASSOCIATE SOFTWARE ENGINEER Red Hat <https://www.redhat.com/> Communications House, Cork Road Waterford City, Ireland X91NY33 scoady(a)redhat.com IM: scoady <https://red.ht/sig>

7 years, 9 months

1
0
0 / 0

Why and what are the files under installation tab of client tab in keycloak

by vandana thota

What are these files used for and why ? These files are under the installation tab of client tab in keycloak user interface page . 1)SAML Metadata IDPSSO Descriptor. 2)Keycloak SAML adapter-saml.xml 3)SAML Metadata SPSSODescriptor 4)keycloak SAML Wildfly/ Jboss Subsystem 5)Mod auth Mellon files

7 years, 9 months

1
0
0 / 0

Keycloak doubts securing WAR via SAML subsystem

by vandana thota

Hello All, >From the below doc I have few doubts : https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jbo... 1st doubt : I wanna take this option "Securing WARs via Keycloak SAML Subsystem" we need to configure this instance's .xml file <extensions> <extension module="org.keycloak.keycloak-saml-adapter-subsystem"/> </extensions> <profile> <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1"> <secure-deployment name="WAR MODULE NAME.war"> <SP entityID="APPLICATION URL"> ... </SP> </secure-deployment> </subsystem> </profile> >From above content which is given in document . I did not get this thing from the lines " The secure-deployment name attribute identifies the WAR you want to secure. Its value is the module-name defined in web.xml with .war appended." Do I have to put like this </secure-deployment> "sample.war" </ secure-deployment> or </secure-deployment> "sample.war" Sample.war is the deoplyment file which I have deployed on wildfly instance . ################ >From the below lines which is mentioned in the doc , I have few doubts "You do not have to crack open a WAR to secure it with Keycloak. Alternatively, you can externally secure it via the Keycloak SAML Adapter Subsystem. While you don’t have to specify KEYCLOAK-SAML as an auth-method, you still have to define the security-constraints in web.xml. You do not, however, have to create a WEB-INF/keycloak-saml.xml file. This metadata is instead defined within the XML in your server’sdomain.xml or standalone.xml subsystem configuration section." (2nd doubt) (2)do I have to define security-constraints in web.xml ? (2.a) :in that case there is no need to create keycloak-saml.xml file ? (2.b)If I have to create keycloak-saml.xml file from where and what content needs to be in this keycloak-saml.xml file . (3rd doubt) (3)Which metadata is is already defined in standalone.xml file of wildfly instance ? (3.a)As its already defined there is no need to define security-constraints in web.xml? (3.b)there is no need to create the keycloak.xml file under WEB-INF folder Thanks, Vandana

7 years, 9 months

1
0
0 / 0

Needs to know wether the doc info is part of SSO or not

by vandana thota

https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-ad... Does any one knows the section 4.2.1.2 is a part of single sign on configuration ? Thanks.

7 years, 9 months

2
5
0 / 0

Fine-grained permissions to map a client role to a group

by Leistert Christoph (INST/ECS2)

Hello, We use Keycloak 3.4.3 and we trying to find out a way to let users create clients with a client role and map this client role to a group they are already a member of. For the client creation and client role creation we assigned the realm role "manage-clients" to the users and this is okay for our setup. Additionally the users are assigned to the "query-groups" realm role, so that they could see the groups. We struggle a bit with the right role/permissions setup to map the client role to a group. First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which allows the user also to e.g. see all users. This should not be possible for these users. Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions and the "map-role" permission of the "Users" resource does not allow to map a role to a group (403 Forbidden). Is there any other way than using the "manage-users" realm role to map a client role to a group? Is it planned to add fine-grained permissions for a "Groups" resource? Mit freundlichen Grüßen / Best regards Christoph Leistert (INST/ECS2) Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn

7 years, 9 months

2
2
0 / 0

brokered-login only

by mj

Hi, Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from? Thanks! MJ

7 years, 9 months

2
1
0 / 0

Keycloak as SAML IdP - Google sign-out problem

by Rodolfo De Nadai

Hi, i'm configuring my keycloak installation as an IdP and Google apps as an SSO. I'm able to login but when trying to logout i got no success... My configuration follows the described here: https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-... There were a thread in the mailing list which was able to login also, but didn't mention logout process. As i thought it should be almost as transparent, since no documentation say anything, is begging to transform in a problem. If someone could help or point in some direction i appreciate. thanks

7 years, 9 months

2
2
0 / 0

Keycloak not sending backchannel logout requests

by Aram Aslanyan

Hi, I am usinng Keycloak 3.4.3. My webapp uses Keycloak adapter to interact with auth server. I am using Open ID Connect protocol. Admin URL is provided for the client in Keycloak server. When I logout user session via Keycloak admin console, it seem not to send backchannel logout request to my webapp. Local session still lives (until access token becomes invalid). What am I missing? Thanks, Aram -- *Aram Aslanyan* Application Developer Email: *aram.aslanyan(a)clincapture.com <aram.aslanyan(a)clincapture.com>* *www.clincapture.com <http://www.clincapture.com/>* *Follow us on social media: <https://twitter.com/ClinCapture> <https://www.linkedin.com/company/clincapture> <https://www.facebook.com/ClinCapture/>* *Confidentiality Notice: Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorized. If you are not an addressee, please inform the sender immediately.*

7 years, 9 months

1
0
0 / 0

Apache X509 cert-lookup

by Matthias ANGLADE

Hello, I'm trying to setup a client cert authentication. Since my Keycloak server is running behind an SSL reverse proxy I modified the domain.xml file in order to declare the Apache cert lookup SPI. I checked that the certificate was properly embedded in the HTTP header still, I can't get to authenticate using this approach. In the log file I see no line related to this authentication (I should be able to see log coming from AbstractClientCertificateFromHttpHeadersLookup. It behaves just as if the SPI wasn't active. Note that even if my proxy isn't an Apache server, the certificate it emits is formatted like for Apache. Any clue on this ? Regards,

7 years, 9 months

2
2
0 / 0

Implementation of Policy Provider Service Provider Interface

by Leonardo Nunes

The Authorization documentation says that Keycloak supports different access control mechanisms including (Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)). Which class do I need to extend to implement this SPI. Currently I’m on version 3.4.3.Final. Thank you! -- Leonardo Nunes ________________________________ Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

7 years, 9 months

2
1
0 / 0

Keycloak as an identity provider (either SAML or OpenID Connect)?

by Rafael Weingärtner

Hello, Keycloak community, I am evaluating Keycloak, and after some reading, I got the impression that it supports OpenID Connect and SAML (which fits exactly on my requirement). However, after installing it, and digging a little deeper in the configuration overview, I got confused. I have used OpenID Connect before with MITREid implementation. So, when I install and configure MITREid IdP, it will be working as an IdP for my federation. I understand that key cloak can do identity brokering, which is super nice, but what I wonder is the following. Is Keycloak prepared to be an IdP out of the box with either SAML or OpenID Connect protocols? Or, Does it depends on IdPs that implement those protocols to work? -- Rafael Weingärtner

7 years, 9 months

3
3
0 / 0

Offline token revocation via API

by Dmitriy Semiushkin

Hello there! I’m trying to find a way to allow user revoking their offline token via my web app (i.e. using keycloak’s API), not visiting keycloak’s page. I’ve tried using DELETE /auth/admin/realms/R/users/U/consents/C request, but it requires `manage-users` role which is kinda wide. I need a way to narrow this role to “allow user only revoke his tokens, not other users’ ones”. I’ve tried implementing this in JavaScript Policy, but Evalution API have no information about user I’m trying to manage, so I can’t compare user id with identity id to tell if this is the same user. Is there any way to implement this? Thanks in advance!

7 years, 9 months

2
2
0 / 0

Using two or more access types

by Danilo do Val

Good afternoon sirs I am implementing the Keycloak Authorization Service and, in addition to JWT, we need to use a second type of access, for example, Apikey or Basic Auth, does anyone have experience or knowledge of how to support different authentication types of the adapters? Our case study uses the example app-authz-a-photoz ( https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um... ) Em sex, 22 de jun de 2018 às 08:57, <keycloak-user-request(a)lists.jboss.org> escreveu: > Send keycloak-user mailing list submissions to > keycloak-user(a)lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request(a)lists.jboss.org > > You can reach the person managing the list at > keycloak-user-owner(a)lists.jboss.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Using two or more access types (Danilo do Val) > 2. Re: Architectural Blueprint/Recommendations (Dmitry Telegin) > 3. Re: Add custom roles in realm-management client (Dmitry Telegin) > 4. Re: Keycloak client (Dmitry Telegin) > 5. Re: keycloak SAML response - Authentication method > information (Manisha Nandal) > 6. Re: Keycloak as SAML IdP - Google sign-out problem (Tiemen Ruiten) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 21 Jun 2018 16:16:29 -0300 > From: Danilo do Val <danilodoval(a)gmail.com> > Subject: [keycloak-user] Using two or more access types > To: keycloak-user(a)lists.jboss.org > Message-ID: > < > CAOPhXAm0rQVoE1aL5SnG513T8xKa5mVLDuRXXk+rSBPfPxRH1w(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > `` ` > > Boa tarde senhores > > Estou implementando o Servi?o de Autoriza??o Keycloak e, al?m do JWT, > precisamos usar um segundo tipo de acesso, por exemplo, o Apikey ou o Basic > Auth, algu?m tem experi?ncia ou conhecimento de como suportar diferentes > tipos de autentica??o dos adaptadores? > > Nosso estudo de caso usa o exemplo app-authz-a-photoz ( > > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um... > ) > > > -- > __________________ > http://br.linkedin.com/in/daniloval > 19 9227.9082 > > > ------------------------------ > > Message: 2 > Date: Fri, 22 Jun 2018 01:26:08 +0300 > From: Dmitry Telegin <dt(a)acutus.pro> > Subject: Re: [keycloak-user] Architectural Blueprint/Recommendations > To: "Everson, David (MNIT)" <david.everson(a)state.mn.us>, > "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> > Message-ID: <1529619968.6161.1.camel(a)acutus.pro> > Content-Type: text/plain; charset="UTF-8" > > Hi David, > > Please see the answers and remarks inline. > > On Mon, 2018-06-18 at 14:40 +0000, Everson, David (MNIT) wrote: > (skipped) > > 15. Keycloak should be clustered for high availability. > > 16. Keycloak environment would be hosted on AWS, more than likely EC2 > > instances. > > 17. Client applications also hosted in AWS. > > 18. Keycloak's database would be PostgreSQL hosted in AWS RDS. > > Speaking of Keycloak on AWS, this is absolutely doable, but not that > trivial. Please be sure to have read the document [1], especially the > "Troubleshooting AWS specifics" part, and relevant ML postings [2]. > Long story short, AWS doesn't allow for IP multicast between the nodes, > which is the default node discovery mode in JGroups (the backbone of > Keycloak clustering). You should use S3_PING or JDBC_PING instead. > > > > > A few questions/concerns of the working group: > > > > A. Is there any information available on the maximum size of an > > Keycloak installation? Will Keycloak be scalable and performant given > > the above assumptions and constraints. > > AFAIK, nobody has performed actual Keycloak benchmarking yet > (publicly). There's however a Keycloak benchmarking suite based on > Gatling [3]. It hasn't been updated for about two years, so first we'll > need to make sure it works with recent Keycloak versions. > > > > > B. What's the best recommendation for distributing the Keycloak > > instances and realms.??Right now the group has three options on the > > table:??1) A single Keycloak install per application (i.e. > > client);??2) A single Keycloak install per organizational unit (i.e. > > realm); or 3) A single Keycloak install per organization (i.e. > > serving all realms and clients). > > The pros for A and B is obviously that you get some degree of > separation/isolation, which might be good from the security and > availability POV. However, this comes at a price of complexity; you'll > have to deploy, monitor & maintain each separate instance / group of > instances, each having different configs and dedicated database. > > Another big issue is load distribution. I doubt that your > clients/realms all have equal, uniform load patterns. Given that each > Keycloak instance will have its hardware limitations (CPU, RAM), you > potentially end up with some nodes overloaded and others idle. The C > scenario is obviously free from this issue. > > > > > C. A major concern the group has with a single Keycloak install (#3 > > in previous bullet) is the high-availability in terms of performance > > and concerns of a rouge client affecting other applications > > negatively.??What is the community's recommendation for addressing > > this concern? > > As you will necessarily have a load balancer / reverse proxy in front > of your Keycloak cluster, you can enforce rate limiting / throttling on > your load balancer. For example, haproxy implements rate limiting based > on IP addresses, URLs and HTTP headers [4]. > > > > > D. Another major concern the group has with a single Keycloak install > > is the restarts that are necessary when an organization unit deploys > > a new or updated template.??The concern is that all applications > > would be unavailable during the restart.???We would be operating in a > > clustered environment, is the best solution to this concern > > restarting individual members of the cluster rather than the entire > > cluster? > > Could you please elaborate on template deployment? In Keycloak > parlance, "templates" can be understood either as "client templates" or > "HTML templates" (within custom GUI themes). > > Client templates surely can be created/updated via GUI or REST API, > without the need for restart. For GUI themes, they can be deployed a) > as Wildfly modules, b) via "themes" directory. While the former option > indeed requires restart, the latter does not. Keycloak 4.x also adds c) > hot deployment of themes by dropping theme JARs into the "deployments" > directory. > > > > > E. For reporting and governance processes, the Keycloak API performs > > quite poorly when we execute use cases such as "Report all Users of > > an Application".??Given the version we are currently on, to > > accomplish this we need to query all users in the realm and then > > filter the users if they have the client/role combination.??We > > understand that a future release addresses this use case, but in the > > meantime the concern is such a query will negatively affect all other > > clients using Keycloak.??Any recommendations on handling this use > > case prior to Keycloak 4.x? > > Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't > find any info) > > Keycloak admin REST API has an endpoint called "Return List of Users > that have the specified role name", see [5] (identical for KC 3.x and > 4.x). You could use this endpoint, however you will have to iterate > over client roles and then merge and de-duplicate the results. Anyway, > this should be much more efficient than your current approach. > > In general, this looks like a classical use case for Realm Resource > Provider [6]. The query you described easily maps to a single SQL/JPQL > statement, so you could implement a custom REST resource that would > execute exactly that query and return results. > > Unfortunately, custom REST resources in Keycloak are public by default > (protected resources should become a part of the hypothetical Admin > Resource SPI somewhere in the future). However, you can implement that > (relatively) easily with the techniques demonstrated in Beercloak [7]. > > > > > F. Upgrading Versions of Keycloak.??We have experienced some > > difficulty of upgrading versions on server-side (we need to export, > > import vs a simple DB backup and deployment).??What is the > > recommendations for handling the upgrade of Keycloak from one version > > to the next given the size of our user base? > > Could you please elaborate a bit on the problems that you're facing? > The export/import scenario is relevant for database upgrades (e.g. > PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that > should upgrade the data+metadata automatically. Why doesn't that work > in your case? Let us know, probably this could be fixed. > > > > > I'm sorry for the long post, hopefully folks get to this point.??Any > > insight that we could receive would be greatly appreciated. We are at > > a critical cross-roads in our Keycloak adoption and want to ensure we > > do this correctly. > > Sorry it took so long to reply. Keycloak is a great product, I hope it > fulfills your needs. Good luck! > > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > [1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup- > in-aws.html > <https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws...> > [2] https://www.keycloak.org/search.html?q=aws > [3] https://github.com/rvansa/keycloak-benchmark > [4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-lim > iting/ > <https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/> > [5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html > [6] https://www.keycloak.org/docs/latest/server_development/index.html# > _extensions_rest > [7] https://github.com/dteleguin/beercloak > > > > > Thanks! > > Dave > > > > > > Dave Everson > > Application Development Team Lead | Environmental Health > > Minnesota IT Services | Partners in Minnesota Department of Health > > 625 Robert Street North > > St. Paul, MN 55155 > > O: 651-201-5146 > > Information Technology for Minnesota Government?| > > ?mn.gov/mnit<http://mn.gov/mnit> > > [Minnesota IT Services Logo] > > [Facebook logo]<https://www.facebook.com/MN.ITServices>[LinkedIn > > logo]<https://www.linkedin.com/company/mn-it-services>[Twitter > > logo]<https://twitter.com/mnit_services> > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ------------------------------ > > Message: 3 > Date: Fri, 22 Jun 2018 03:38:30 +0300 > From: Dmitry Telegin <dt(a)acutus.pro> > Subject: Re: [keycloak-user] Add custom roles in realm-management > client > To: Waldemar Schmalz <waldemar.schmalz(a)codecentric.de>, > keycloak-user(a)lists.jboss.org > Message-ID: <1529627910.9620.1.camel(a)acutus.pro> > Content-Type: text/plain; charset="UTF-8" > > Hi Waldemar, > What version of Keycloak are you on? Things are different for pre-3.2.0 > and post-3.2.0. > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic+ 42 (022) > 888-30-71 > E-mail:?info@acutus.pro > > Hello, > > > > I have created a new client-role in client "realm-management". It's > > called > > "manage-roles" and its purpose is (or should be) to grant users > > access to > > create, edit and delete roles in their realms. In the base theme this > > is > > only possible when users have access to the role "manage-realm" in > > client > > "realm-management". But with this client-role the user is able to > > manage > > the whole realm, not only the roles. My user is only allowed to > > manage > > roles, users and groups in this case. > > > > I changed the html-files so that the keycloak sidebar menu is > > working: Menu > > item "Roles" is visible for user with my custom client-role "manage- > > role". > > I also extented the getAccessObject() method in my themes > > controller/realm.js with the needed new role "manageRoles". > > > > Accessing the roles-list page is working, but accessing the role- > > details > > page (when clicking on a specific role) fails. I get a 403 Forbidden. > > My > > question is: Is there something I forgot?, where is the check for > > returning > > a 200 OK or a Forbidden for this case? It seems it is not in the > > templates > > files, like for the side-menu? > > > > If I forgot any information or something, please contact me. > > > > Thank you, your help is much appreciated! > > > > Best regards > > Waldemar > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ------------------------------ > > Message: 4 > Date: Fri, 22 Jun 2018 04:34:35 +0300 > From: Dmitry Telegin <dt(a)acutus.pro> > Subject: Re: [keycloak-user] Keycloak client > To: Vinay <vinayatoz(a)gmail.com>, keycloak-user(a)lists.jboss.org > Message-ID: <1529631275.9620.4.camel(a)acutus.pro> > Content-Type: text/plain; charset="UTF-8" > > Hi Vinay, > In Keycloak, client is (simply speaking) a combination of base URL, > protocol (OIDC/SAML), roles and authorization rules. So, if your > application lives under a single base URL, it's simply impossible to > have many clients per application. Moreover, an adapter (that you use > to secure your application) is configured for a particular client. > Hence, there is a 1-to-1 relationship between an application and a > client. > However, if your application is heterogeneous, i.e. consists of > separate components living under different base URLs (and created with > different technologies), you will have to define individual clients for > them. > Resource is an URI under client's base URL, and is used to define fine- > grained authorization rules within that client. > Cheers,Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > + 42 (022) 888-30-71 > E-mail: info(a)acutus.pro > ? Thu, 21/06/2018 ? 12:50 -0400, Vinay ?????: > > Hi there, > > In what scenario an application should have multiple clients defined > > in the > > keycloak server ? How keycloak client defers from a resource ? I > > understand > > it is an application that asks for an authentication, but I am not > > sure > > when do we need multiple clients in an application. What is the basis > > for > > defining clients ? > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > ------------------------------ > > Message: 5 > Date: Fri, 22 Jun 2018 10:05:51 +0530 > From: Manisha Nandal <manisha04.nandal(a)gmail.com> > Subject: Re: [keycloak-user] keycloak SAML response - Authentication > method information > To: keycloak-user(a)lists.jboss.org > Message-ID: > < > CAP63w5Ti+nKSk2FF4n_urmEkNPBY5HYKq-5MvBS88Jnbnss2Xg(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Any update ? > > On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal < > manisha04.nandal(a)gmail.com> > wrote: > > > Hi, > > > > I authenticated my client application using google IDP. i want to > retrieve > > the information of IDP used for authentication from keycloak SAML > > response. I have checked in keycloak documentation that > > "AuthnStatement" give us the authentication method used (password, etc.) > > as well as a timestamp of the login. > > > > But, my SAML response does not provide any such information. SAML > contains > > user name used for authentication under "NameID" but i want the identity > > provider information, say in my case google is IDP > > > > <saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z" > > SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794:: > > 7f6d3293-8370-413f-b958-1763df3bb078"> > > <saml:AuthnContext> > > <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0: > > ac:classes:unspecified</saml:AuthnContextClassRef> > > </saml:AuthnContext> > > </saml:AuthnStatement> > > > > Can you please guide me on the same > > > > > > Thanks, > > Manisha > > > > > ------------------------------ > > Message: 6 > Date: Fri, 22 Jun 2018 10:00:53 +0200 > From: Tiemen Ruiten <t.ruiten(a)rdmedia.com> > Subject: Re: [keycloak-user] Keycloak as SAML IdP - Google sign-out > problem > To: Rodolfo De Nadai <rdenadai(a)gmail.com> > Cc: keycloak-user <keycloak-user(a)lists.jboss.org> > Message-ID: > < > CAAegNz0QKWJn0zdOZst36GsOujrsXuyhvwYAHnSvnZ8xxGpn_g(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Signout is working for us, I initially used the same guide but had to make > some changes. My setup differs in the following places: > > Include OneTimeUse Condition - off > Optimize REDIRECT signing key lookup - off > SAML Signature Key Name - NONE > Bse URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note > the lack of &RelayState=true) > > I set the signout URL in the Google Apps dashboard to > https://ourdomain.tld/auth/realms/{realmname}/account/ > > On 19 June 2018 at 22:12, Rodolfo De Nadai <rdenadai(a)gmail.com> wrote: > > > Hi, > > > > i'm configuring my keycloak installation as an IdP and Google apps as an > > SSO. > > > > I'm able to login but when trying to logout i got no success... > > > > My configuration follows the described here: > > https://stories.scandiweb.com/sign-in-to-google-apps-using- > > saml-protocol-and-keycloak-as-identity-provider-79227fd2e063 > > > > There were a thread in the mailing list which was able to login also, but > > didn't mention logout process. As i thought it should be almost as > > transparent, since no documentation say anything, is begging to transform > > in a problem. > > > > If someone could help or point in some direction i appreciate. > > > > thanks > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Tiemen Ruiten > Systems Engineer > R&D Media > > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 54, Issue 32 > ********************************************* > -- __________________ http://br.linkedin.com/in/daniloval 19 9227.9082

7 years, 9 months

1
0
0 / 0

realm JSON download without authorization check

by Neujahr, Jana

Dear keycloak users, we found a little security gap which we do not know how to fix: When you type and open the URL https://<domain>/auth/realms/<realmname<https://%3cdomain%3e/auth/realms/%3crealmname>>, then a download of the keycloak JSON starts without checking for authorization! The JSON contains the realm name, public key, account-service and the parameter tokens-not-before. How can we prohibid this URL/JSON for others than a specific role? Thank you in advance for your help. Kind regards Jana Treffen Sie GISA auf folgenden Veranstaltungen! 15.06.2018 WEBINAR: GISA 365 – Wie sieht Ihr Weg in die Cloud aus? 19.06.2018 Energieforen: Fachtag SAP HANA, Leipzig 19.-20.06.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig 23.-24.10.2018 metering days 2018, Fulda Aufsichtsratsvorsitzender: Norbert Rotter Geschäftsführung: Michael Krüger Sitz der Gesellschaft: Halle/Saale Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414 UST-ID-Nr. DE 158253683 Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.

7 years, 9 months

1
0
0 / 0

Client scopes not checked?

by Matthias Kesternich

Hello, I am trying to setup a keycloak configuration for my use case which goes like this: - I have an api called test-api, written in python and using oauth2/oicd. - Simple endpoints can be accessed if the access token's scope contains "test-api-read-write". This scope is granted to admin and api users. - Admin endpoints can be accessed if the access token's scope contains "test-api-admin". This scope is granted only to admin users. - All other users requesting an access token should not be granted any of the scopes. Now I've set it up like this in keycloak: 1. Create new realm "test" 2. Create user "norights". 3. Create new client scopes "test-api-read-write" and "test-api-admin" (display consent = off). 4. Create new client "test-api" (confidential, openid-connect). 5. Add "test-api-read-write" to default client scopes of "test-api", add "test-api-admin" to optional client scopes. 6. Under "Scope" set "Full scope allowed" = off. To test the setup I go to the test-api client scopes page and click "Evaluate" with - optional client scopes: test-api-admin - user: norights This returns a generated access token like shown at the bottom of this mail. Especially, it contains the line "scope": "openid profile test-api-admin email test-api-read-write" This is really suprising to me, I expected "scopes" to *not* contain any of the "test-api-*" scopes. After all the user norights does not have any roles or permissions setup yet. Quoting from a previous mail on this list: "If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration" Here, the intersection with the users own roles/scopes seems to be missing. I've looked at the code here: https://github.com/keycloak/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1... . It seems initToken does "token.setScope(clientSessionCtx.getScopeString());" which seems to merely copy the scopes from the request. There's also this applyScope() method that sees to do the intersection thing, but doesn't seem to be called in this case. Is my understanding of client scope just plain wrong? I could get it to work if I use the "Authorize" tab and setup all this complicated policies stuff, but client scopes just seem so much easier. Thanks for creating such an impressive open source SSO solution! -Matthias Generated access token: { "jti": "14f8a8e5-b39f-4092-aaa8-25ce62ceac2e", "exp": 1529408429, "nbf": 0, "iat": 1529408129, "iss": "http://localhost:8080/auth/realms/test", "aud": "test-api", "sub": "f4ecc77a-45ad-4dbf-9295-87d2fa4518c9", "typ": "Bearer", "azp": "test-api", "auth_time": 0, "session_state": "35140ca3-6107-4a79-8f46-b1b298d4bb58", "acr": "1", "allowed-origins": [], "resource_access": {}, "scope": "openid profile test-api-admin email test-api-read-write", "email_verified": true, "preferred_username": "norights" }

7 years, 9 months

2
5
0 / 0

Setting up certificate for SAML SP side

by Hylton Peimer

Are there any resources explaining how to install certificates in Keycloak that are required to verify SAML signatures?

7 years, 9 months

1
0
0 / 0

keycloak SAML response - Authentication method information

by Manisha Nandal

Hi, I authenticated my client application using google IDP. i want to retrieve the information of IDP used for authentication from keycloak SAML response. I have checked in keycloak documentation that "AuthnStatement" give us the authentication method used (password, etc.) as well as a timestamp of the login. But, my SAML response does not provide any such information. SAML contains user name used for authentication under "NameID" but i want the identity provider information, say in my case google is IDP <saml:AuthnStatement AuthnInstant="2018-06-20T08:00:43.222Z" SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> Can you please guide me on the same Thanks, Manisha

7 years, 9 months

1
1
0 / 0

Keycloak client

by Vinay

Hi there, In what scenario an application should have multiple clients defined in the keycloak server ? How keycloak client defers from a resource ? I understand it is an application that asks for an authentication, but I am not sure when do we need multiple clients in an application. What is the basis for defining clients ?

7 years, 9 months

2
1
0 / 0

Add custom roles in realm-management client

by Waldemar Schmalz

Hello, I have created a new client-role in client "realm-management". It's called "manage-roles" and its purpose is (or should be) to grant users access to create, edit and delete roles in their realms. In the base theme this is only possible when users have access to the role "manage-realm" in client "realm-management". But with this client-role the user is able to manage the whole realm, not only the roles. My user is only allowed to manage roles, users and groups in this case. I changed the html-files so that the keycloak sidebar menu is working: Menu item "Roles" is visible for user with my custom client-role "manage-role". I also extented the getAccessObject() method in my themes controller/realm.js with the needed new role "manageRoles". Accessing the roles-list page is working, but accessing the role-details page (when clicking on a specific role) fails. I get a 403 Forbidden. My question is: Is there something I forgot?, where is the check for returning a 200 OK or a Forbidden for this case? It seems it is not in the templates files, like for the side-menu? If I forgot any information or something, please contact me. Thank you, your help is much appreciated! Best regards Waldemar

7 years, 9 months

2
1
0 / 0

Architectural Blueprint/Recommendations

by Everson, David (MNIT)

Hello, Our organization has been using Keycloak over the last few years. During this time, several versions and implementation approaches of Keycloak have popped up in the organization as various organizational units leveraged Keycloak. We are now at the point of taking Keycloak to the next level of maturity within the organization with a common architecture and governance model around Keycloak/IDAM. We have convened a working group to take our experiences to-date and formulate an architecture which the organization can move forward with. The major point of contention with the future architecture is the nature in which the instances and realms are deployed. To this end, I am looking for some feedback from the community regarding the most scalable architectural blueprint/recommendation to help achieve the following requirements and questions: Here is a list of our assumptions/constraints: 1. The organization consists of 10 organizational units (i.e. realms). 2. Each organization unit supports 10-15 applications (i.e. clients) requiring authentication/authorization. 3. The primary application profile is a web application. (i.e. keycloak access type of 'confidential') 4. The organization is starting to developing an increasing number of web services which leverage bearer-only authn/authz. 5. For the organization, Keycloak would support 100,000 users. 6. Of the 100,000 users, 1-2% of those users would be federated via Active Directory. 7. Within an organization unit, users should be able to leverage SSO for any application within the organizational unit. 8. The primary usage of applications are between core business hours. 9. The applications are accessible 24x7. 10. On any given day, about 20% of the total user base may log into at least one application. 11. Due to inactivity requirements, users may typically have to re-authenticate multiple times during the day. 12. The organization has a desire to maintain a common set of IDAM policies and reporting (i.e. governance) across all organizational units. 13. The organization would provide a default template for all organizational units. 14. Each organization unit may modify/create their own template as business requirements dictate. 15. Keycloak should be clustered for high availability. 16. Keycloak environment would be hosted on AWS, more than likely EC2 instances. 17. Client applications also hosted in AWS. 18. Keycloak's database would be PostgreSQL hosted in AWS RDS. A few questions/concerns of the working group: A. Is there any information available on the maximum size of an Keycloak installation? Will Keycloak be scalable and performant given the above assumptions and constraints. B. What's the best recommendation for distributing the Keycloak instances and realms. Right now the group has three options on the table: 1) A single Keycloak install per application (i.e. client); 2) A single Keycloak install per organizational unit (i.e. realm); or 3) A single Keycloak install per organization (i.e. serving all realms and clients). C. A major concern the group has with a single Keycloak install (#3 in previous bullet) is the high-availability in terms of performance and concerns of a rouge client affecting other applications negatively. What is the community's recommendation for addressing this concern? D. Another major concern the group has with a single Keycloak install is the restarts that are necessary when an organization unit deploys a new or updated template. The concern is that all applications would be unavailable during the restart. We would be operating in a clustered environment, is the best solution to this concern restarting individual members of the cluster rather than the entire cluster? E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users if they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x? F. Upgrading Versions of Keycloak. We have experienced some difficulty of upgrading versions on server-side (we need to export, import vs a simple DB backup and deployment). What is the recommendations for handling the upgrade of Keycloak from one version to the next given the size of our user base? I'm sorry for the long post, hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical cross-roads in our Keycloak adoption and want to ensure we do this correctly. Thanks! Dave Dave Everson Application Development Team Lead | Environmental Health Minnesota IT Services | Partners in Minnesota Department of Health 625 Robert Street North St. Paul, MN 55155 O: 651-201-5146 Information Technology for Minnesota Government | mn.gov/mnit<http://mn.gov/mnit> [Minnesota IT Services Logo] [Facebook logo]<https://www.facebook.com/MN.ITServices>[LinkedIn logo]<https://www.linkedin.com/company/mn-it-services>[Twitter logo]<https://twitter.com/mnit_services>

7 years, 9 months

2
2
0 / 0

Using two or more access types

by Danilo do Val

`` ` Boa tarde senhores Estou implementando o Serviço de Autorização Keycloak e, além do JWT, precisamos usar um segundo tipo de acesso, por exemplo, o Apikey ou o Basic Auth, alguém tem experiência ou conhecimento de como suportar diferentes tipos de autenticação dos adaptadores? Nosso estudo de caso usa o exemplo app-authz-a-photoz ( https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-um... ) -- __________________ http://br.linkedin.com/in/daniloval 19 9227.9082

7 years, 9 months

1
0
0 / 0

Keycloak: Failed to verify token - Invalid token issuer

by Henning Waack

Hi all. Using KC 4.0.0.Final behind a Apache https proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log: 2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token 2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK' at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108) --- The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g. > issuer: "https://nak.xxx.de/auth/realms/NAK" > authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth" > token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token" The X-Forward Headers also look fine, I have enabled header logging in Wildfly, and we have the following headers for example: header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5 header=X_FORWARDED_PROTO=https header=Host=nak.xxx.de header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de header=X-Forwarded-Proto=https In my KC standlone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true". So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."? Thanks & greetings Henning

7 years, 9 months

1
1
0 / 0

How to cause 401 if KeycloakConfigResolver finds no KeycloakDeployment

by Sergey Beryozkin

Hi At the moment a client gets 500 if KeycloakConfigResolver returns null. Is it possible to throw a Keycloak runtime exception for Keycloak return 401 ? If not, would it make sense to open a minor enhancement request ? Thanks, Sergey

7 years, 9 months

1
0
0 / 0

how to import json user md5 password?

by Gérald Payet

Dear All, Can somebody explain how to import users with a current database? All info in the json file are fine except the md5 password. Is the way to manage with my current md5 password at the begining (import process with the json file) for that? Thanks a lot. Regards, *Gérald PAYET*

7 years, 9 months

2
2
0 / 0

New ftl template and routing

by Miguel Sanz

Hello, my team want to add a new template in the User Account Management because we need to show other useful data to the user. Of course, If we want to add this new template, we want to have access to it from the routing and we also need the user token. I think that we need to modify the server code if we want to add this new feature. But we would like to modify the code as little as possible. How can we add a new template and the route without changing the code much? Thank you very much. -- [image: Kairós Digital Solutions] <http://www.kairosds.com> [image: Miguel Sanz Martín] Full-stack Developer *Kairós Digital Solutions* Castellana 43 - WeWork, Madrid 28046 <https://goo.gl/maps/rXYrLwh5s6t> https://www.kairosds.com/ *Nota legal*: Este mensaje y cualquier archivo adjunto está destinado únicamente a quien se dirige y es confidencial. Si usted ha recibido este mensaje por error, comuníqueselo al remitente y bórrelo inmediatamente. La utilización, revelación y/o reproducción del mensaje puede constituir un delito. *Protección de Datos - Responsable: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L.**Finalidad.* Envío de información, respuesta a consultas y contactos genéricos, mientras dure nuestra relación y tengamos su consentimiento. *Destinatarios.* No se cederán datos a terceros salvo obligación legal. *Derechos.* Puede ejercer los derechos de acceso, rectificación, supresión y oposición, limitar el tratamiento de sus datos, o directamente oponerse al tratamiento, o ejercer el derecho a la portabilidad de los mismos. Todo ello, mediante escrito, acompañado de copia de documento oficial que le identifique, dirigido al RESPONSABLE. En caso de disconformidad con el tratamiento, también tiene derecho a presentar una reclamación ante la Agencia Española de Protección de Datos. También podrá oponerse a nuestros envíos de comunicaciones comerciales (Art.21.2 de la LSSI) a través de la siguiente dirección de correo electrónico: info(a)kairosds.com -- Nota legal: Este mensaje y cualquier archivo adjunto está destinado únicamente a quien se dirige y es confidencial. Si usted ha recibido este mensaje por error, comuníqueselo al remitente y bórrelo inmediatamente. La utilización, revelación y/o reproducción del mensaje puede constituir un delito. Protección de Datos - Responsable: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L.Finalidad. Envío de información, respuesta a consultas y contactos genéricos, mientras dure nuestra relación y tengamos su consentimiento. Destinatarios. No se cederán datos a terceros salvo obligación legal. Derechos. Puede ejercer los derechos de acceso, rectificación, supresión y oposición, limitar el tratamiento de sus datos, o directamente oponerse al tratamiento, o ejercer el derecho a la portabilidad de los mismos. Todo ello, mediante escrito, acompañado de copia de documento oficial que le identifique, dirigido al RESPONSABLE. En caso de disconformidad con el tratamiento, también tiene derecho a presentar una reclamación ante la Agencia Española de Protección de Datos. También podrá oponerse a nuestros envíos de comunicaciones comerciales (Art.21.2 de la LSSI) a través de la siguiente dirección de correo electrónico: info@kairosds.com <mailto:info@kairosds.com>

7 years, 9 months

1
0
0 / 0

Re: [keycloak-user] Secure RESTfull API with keycloak

by Alvaro Martin

Hi, We are evaluating keycloak as an IAM for a future application. We are building a prototype with an Angular front app and a spring boot 2 backend. The bankend app exposes a RESTfull API whose access we want to restrict down to the HTTP verb level. At least we want to achive two access levels on each endpoint: readonly access (HTTP GET) and full access (GET, POST, PUT, DELETE). We have configured keycloak and built the application but the backend doesn´t seem to restrict the access. Here it is the application.yml. We are trying to setup a ROLE_CLIENT_RO (for readonly) and ROLE_CLIENT_FA (for full access). keycloak: auth-server-url: http://localhost:8010/auth bearer-only: true public-client: true realm: blue-energy resource: client-service securityConstraints: - authRoles: - ROLE_CLIENT_RO securityCollections: - name: protected resource patterns: - /clients - /clients/ methods: - GET ssl-required: external The backend app seem to honor the ROLE_CLIENT_RO role but not the HTTP verb. If we assign the realm role ROLE_CLIENT_RO to the user that should grant just readonly access he has unrestricted access to the whole enpoint (i.e. all the verbs). We are using keycloak 4.0.0.Final. Is this configuration supposed to work? We haven´t found much references on how to setup and scenario like this? Thanks in advance, *Álvaro Martín García*[image: bluetab.net] <http://www.bluetab.net/> alvaro.martin(a)bluetab.net +34 91 457 16 97 +34 687 398 622

7 years, 9 months

2
2
0 / 0

Admin API: Deleting an offline session

by Eivind Larsen

Hi Keycloak Users In the admin API there is a call to delete a session by ID: DELETE /{realm}/sessions/{session} This works for user (online) sessions, but when given the session ID of an offline session, it gives 404 error and nothing is deleted. Seeing as this is the only way to delete a given sessionId, I would expect the call to also delete offline sessions. 1. Is there a way to delete an offline session by id? 2. I think it would be more useful if this call was scoped per user. Currently you have to load all user sessions, verify that this session ID is indeed owned by the user, then call delete. Scoping per user would make it impossible to delete a wrong user's session, and it would reduce requests to the keycloak instance significantly. Best Regards, Eivind Larsen

7 years, 9 months

1
0
0 / 0

KrakenD and Keycloak

by Peter Awad

We are in the early stages of implementing keycloak and currently have a dev environment setup with keycloak 4.beta3 One of my dev teams is working on an API proxy with KrakenD but are struggling. I assumed that this was going to a bearer type and provided them with the following: { "realm": "InboxAuth", "bearer-only": true, "auth-server-url": "https://dev-idp03.inboxmarketer.net/auth", "ssl-required": "all", "resource": "insights-dev", "confidential-port": 0 } as well as a test user, clientId, secret and Reg Token However krakenD appears to want the following: ClientId - Got that. Client Secret - Got that. Token URL - auth server url does not seem to work here. Scopes - Got that. So I guess the real question is what should I be using for Token URL Thanks *Peter Awad* | Customer Success Specialist pawad(a)inboxmarketer.com T: 519.824.6664 x220 *To give real service you must add something which cannot be bought or measured with money, and that is sincerity and integrity.* ~ Douglas Adams

7 years, 9 months

2
2
0 / 0

Keycloak 2.3.0.Final Docker container without ssl

by Max Mayr

Hello there, is there a possiblity to start the Keycloak 2.3.0.Final Docker container without ssl? Maybe with changing the standalone.xml ? Or add properties? Kind Regards, Max

7 years, 9 months

1
0
0 / 0

Getting a realm public key without credentials

by Jean-Baptiste Fouet

Hi, we are trying to integrate keycloak in our system, and in order to check the genreate access token, we need a realm public key. We would like to avoid configuring crednetila on all endpoint needing to check a JWT token, so it would be great to be able to get keycloak key without any credentials. i did found the endpoint http://localhost:8080/auth/realms/{realm} <http://%7b%7bkchost%7d%7d:8080/auth/realms/ISEP/> which give the following json,without auth: {"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0} Unfortunately, here there is no key id, so i can't handle several JWT provider or even a single keycloak with key rotation. Now, i found a more detailed key interface under http://localhost:8080/auth/admin/realms/{realms}/keys, returning for each key the status, type (algorithm), an the keyid. But i need credentials to access this interface, even though its only public data (HMAC & AES keys are NOT provided). I accessed it with the keycloak master admin, i do not want to spread his credentials everywhere, but i would be ok if i could create a user with limited rights to access only that Any suggestions on how to proceed ? Is there another endpoint to get this fulll info ? The doc doesnt clearly states the roles needed to access auth/admin/realms/{realms}/keys Thank you JB

7 years, 9 months

2
2
0 / 0

Keycloak Rest API - sessions

by Eivind Larsen

Hi Keycloak Users! I am integrating the session data from Keycloak into our existing account settings page. I see Keycloak has an API call for listing user sessions. GET /admin/realms/{realm}/clients/{id}/user-sessions a) I was wondering why this does not include offline sessions? So to list all sessions I need to: 1. List user sessions (call above). 2. List consents. 3. Grab client ids from consents. 4. List offlineSessions for each client in 3. 5. Merge all the session from 1 and 4. b) Am I missing something? Is there a simpler way to list all sessions for a user? Best regards, Eivind Larsen

7 years, 9 months

2
2
0 / 0

Release plan RH-SSO

by Lösch, Sebastian

Hello, the new Keycloak release 4.0.0.Final is out now and I wonder what's the next RH-SSO release. Is there any release plan regarding RH-SSO? (And is this mailing list the right place to ask?) Best regards, Sebastian

7 years, 9 months

2
1
0 / 0

Identity Provider Mappers are not being deleted when Identity Provider is deleted

by Matt Evans

I'm using kcadm to add and remove identity providers, and identity provider mappers. I've noticed that I can delete an identity provider that has a mapper assigned to it, and then when I read the whole realm, the identityProviderMappers element contains all the mappers, including ones for the identity providers that I have deleted. I don't seem to be able to delete them then, I can't use the documented api url because it is a sub route of the identity-provider, which doesn't exist now, so it returns 404. Is there an admin url that can manipulate the provider mappers collection itself? Or is this an issue and deleting the provider should also delete it's mappers? Matt

7 years, 9 months

2
1
0 / 0

"Mapper-spanning" LDAP federation and mapping "Composite Roles"

by Marco Hünseler

Hello there, I am trying to to import a rather large and complex AD structure into Keycloak and I am facing some rather substantial problems with that. First of all, I have some user groups whose members span over multiple subtrees. Example: Group OU 1 |- Group1 |- Group1.1 Group OU 2 |- Group2 |- Group2.2 Where Group1.1 is a member of Group1, Group2.2 is a member of Group2 and Group2 is a member of Group1. In reality it is a little bit more complex of course and makes much more sense ;-) Unfortunately, this doesn't seem to work as every group mapper only sees its own groups, which leads to (1) that the resulting group-order does not remotely match the one that's in AD and worse (2) when telling a group mapper to watch out for groups that do not exist in upstream anymore, it cleans up everything else. Second, there are (fortunately seperate) OUs containing groups that represent a set of rights granted to the user. Obviously, I want to map them as roles. What I cannot archieve is to map these roles, once I import them, to the groups they point to. Loading the roles recursively would probably possible as well, but I would like to stick to the AD structure as close as possible (I'm planning to connect Keycloak to different data sources as well and it would be pretty awesome to have some reporting against the keycloak db at a later stage). Third, there are quite a lot of groups with multiple "member"s in AD. When listing them, most of them have something in common: They are logically used to pool similar roles, so no one needs to manage them one by one. Which leads me to think that it would be quite accurate to map them as "composite roles". Unfortunately, this does not seem to be supported by the role mappers at all and if it was, it would probably also not work over mapper boundaries. TLDR; Keycloak is able to map groups and roles from AD but is completely missing functionality to do this cooperatively between mappers. I would love to know whether anyone can think of another as-good-as-possible-structure-preserving way of mapping this directory beast inside Keycloak. Also, I would love to hear about your thoughts regarding implementing some "cross-mapper" functionality for the LDAP connector and how far it can or should go to get this upstreamed later eventually so we can proceed with this on -dev :-) Thanks for reading! Marco

7 years, 9 months

2
1
0 / 0

keycloak without token

by rdg77390

Hi, I created an application using tomcat 8 and keycloak. The application has some rest API that will call from the browser. So the application is both server and application. I believe with Jsessionid in a cookie, I do not need to pass authentication token if I'm talking to the same server in the same session. isn't it? Could someone clear this for me? or should I have to pass access token even if I'm talking to the same server? also, I want to use Orbeon in the same tomcat, I set up crosscontext as true. I want it to be secure, but without setup security-constraint, it seems like keycloak does not protect orbeon path. but it should be protected and should be able to access without passing access token. Is this make sense? I do not know if I'm right track or not. -- Sent from: http://keycloak-user.88327.x6.nabble.com/

7 years, 9 months

2
1
0 / 0

keycloak without token

by rdg77390

Hi, I created an application using tomcat 8 and keycloak. The application has some rest API that will call from the browser. So the application is both server and application. I believe with Jsessionid in a cookie, I do not need to pass authentication token if I'm talking to the same server in the same session. isn't it? Could someone clear this for me? or should I have to pass access token even if I'm talking to the same server? also, I want to use Orbeon in the same tomcat, I set up crosscontext as true. I want it to be secure, but without setup security-constraint, it seems like keycloak does not protect orbeon path. but it should be protected and should be able to access without passing access token. Is this make sense? I do not know if I'm right track or not. -- Sent from: http://keycloak-user.88327.x6.nabble.com/

7 years, 9 months

1
0
0 / 0

keycloak without token

by rdg77390

Hi, I created an application using tomcat 8 and keycloak. The application has some rest API that will call from the browser. So the application is both server and application. I believe with Jsessionid in a cookie, I do not need to pass authentication token if I'm talking to the same server in the same session. isn't it? Could someone clear this for me? or should I have to pass access token even if I'm talking to the same server? also, I want to use Orbeon in the same tomcat, I set up crosscontext as true. I want it to be secure, but without setup security-constraint, it seems like keycloak does not protect orbeon path. but it should be protected and should be able to access without passing access token. Is this make sense? I do not know if I'm right track or not. -- Sent from: http://keycloak-user.88327.x6.nabble.com/

7 years, 9 months

1
0
0 / 0

About issue 6073

by Nicolas Gillet

Hello, Implementing kc as authentication server for our web application, I stumbled upon what tastes like the jira issue 6073. All our applications servers are in the same network and a HaProxy makes rooting of requests based on the path (The Keycloak server answers all path starting with /auth for instance) From what I got of the auth mechanism, the other applications hosted in our network (aka "clients") need to query Keycloak when they receive a token form the browser, therefore they need to have the kc URL and there comes the glitch: in order to make it work, the url must be strictly equals to token's issuer and when querying over the internal network, it's not the case. Worst for me, our company has several domain names for the very same application, these domains being our customer's domains for whom we "style" the application so using the "external" domain name to query kc is not an option as it's dynamic, depending of the domain name the token was issued on. Anyway that's yet another reason to get interest on the feature request 6073. I had a look in the code to see if I could do the pull request myself but it's very daunting and does not look an easy one for a first contribution. So I'd like to know if the team is planning on implementing this feature one day or if someone is willing to give me more detail about the way to do it (my background in oAuth and security beeing very light) Many thanks, Nicolas GILLET

7 years, 9 months

1
0
0 / 0

invalid_token with SAML HTTP redirect binding

by Emanuele Faranda

Hello, I'm trying to implement SAML authentication with the help of keycloak, but I cannot make it work. I'm running keycloak 4.0.0.Final as a standalone server distribution on ubuntu 16.04 . I've configured a new SAML identity provider from the "Identity Providers" menu by filling in only the required fields. From command line, I'm sending the following request to my keycloak instance: curl http://192.168.2.165:8080/auth/realms/master/broker/saml/endpoint?SAMLReq... where the SAMLRequest parameter value is the url_encode of base64+deflate (generated from https://www.samltool.com/encode.php) of the following SAML request: <samlp:AuthnRequest ID="_abc123szs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest> Keycloak returns "Invalid Request" in the HTML reply. I've enabled verbose debugging and this is the trace: 23:11:11,462 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/master/broker/saml/endpoint 23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) SAML Redirect Binding 23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) <samlp:AuthnRequest ID="_abc123szs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest> 23:11:11,471 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.2.221, error=invalid_token The debug trace shows that the request is decoded properly, but I get the "invalid_token" warning. If I redirect an HTTP client via a 302 request to the url above I get the same "Invalid Request" and inability to proceed with login. I've also tried with different sample SAML requests XML, but the result are the same. Do you have any clue? Regards, Emanuele

7 years, 9 months

1
0
0 / 0

How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1

by vandana thota

Hello I have copied this file on wildfly server keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to open this ? Previously we have zip files and culd open them by running unzip command . But for this sha1 file how to open it and how can we do further configurations on wildfly with this keycloak adapater which is in sha1 format. Thanks.

7 years, 9 months

2
5
0 / 0

Display Calling application name

by Pulkit Srivastava

Hi, I have multiple applications that authenticate users using keycloak. Is there a way to show the application name on keycloak login page according to the application from which the user arrived. How this can be achieved? Thanks, Pulkit

7 years, 9 months

3
3
0 / 0

Entitlement request with additional parameters

by Corentin Dupont

Hi guys, I use the entitlement API to check access control on my resources. Here I check if a user can update a sensor: curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{ "permissions" : [ { "resource_set_name" : "Sensors", "scopes" : [ "sensors:update" ] } ] }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" But I would like to make complex policies that check additional parameters, such as sensor status etc. How can I pass along the additional parameters to the request, and use them in my policies? I use javascript policies mainly. Thanks Corentin

7 years, 9 months

2
3
0 / 0

Keycloak sso logout

by Robert .

I have been having problems with the Keycloak sso logout functionality in Keycloak 3.4.3. Previously I have tested the single sign-out functionality in Keycloak 2.4.0, and did not experience such problems. I have debugged the issue in 3.4.3 and noticed that the sessionCreated method in HttpSessionManager is never called. This means that no http session is invalidated in the logout methods. To fix this I have created my own HttpSessionManager based on a Spring ApplicationListener.and registered it as a listener in my web.xml. I would like to know if this is a known issue. Has this been fixed in 4.0.0? Can it also be fixed in a 3.4.4 version? public class MyHttpSessionManager extends HttpSessionManager implements ApplicationListener<ApplicationEvent> { @Override public void onApplicationEvent(ApplicationEvent event) { if (event instanceof HttpSessionCreatedEvent) { HttpSession session = ((HttpSessionCreatedEvent) event).getSession(); HttpSessionEvent creationEvent = new HttpSessionEvent(session); this.sessionCreated(creationEvent); } } }

7 years, 9 months

1
0
0 / 0

Different IDP's for different clients

by Pulkit Srivastava

I have different clients(same realm) setup in keycloak with some IDP's such as google, facebook, twitter etc. I want different clients to see different idp's. For instance, client1 should see google and twitter, client2 should see facebook and google etc. How can this be achieved.? Thanks, Pulkit

7 years, 9 months

2
3
0 / 0

Can able to install keycloak adapters

by vandana thota

Hello We have wildfly 11.0.0.0 final . We copied keycloak-wildfly-adapter-dist-4.0.0.Final.zip under Wildfly_Home path Unizipped that file. I even created the file layers.conf under the folder Wildfly_Home/Modules Trying to run the command to install the keycloak adapter on wildfly but its throwing the below error , what needs to be done for this any idea ? nl0000:/srv/prop/wildfly/11/bin> ./jboss-cli.sh --file=adapter-elytron-install.cli --connect --controller=0.0.0.0:xxxx Authenticating against security realm: ManagementRealm Username: xxxx Password: { "outcome" => "failed", "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found", "rolled-back" => true "response-headers" => {"process-state" => "reload-required" } } Can't we install this manullay instead of using Jboss-cli or how can we resolve the above error

7 years, 9 months

1
0
0 / 0

Will Keycloak scale to handle hundreads of LDAP integrations?

by Filipe Abrahao

Hi everyone, I work at Doodle, an online platform to help people to schedule meetings and social events, we have around 28m people that use our product every month and we are in the process of splitting our monolith. We have been experimenting with Keycloak as our auth service, and so far we are pretty happy with it, we just making sure it fulfils all our requirements, but we have one that we are not sure if it would work with Keycloak: Some of our bigger users, like universities and big corporations require to manage their users via LDAP. We know that Keycloak can integrate with LDAP. But my question is if creating one LDAP configuration for each client is the right way to do it. If we have to configure one LDAP integration for each client that requires it, we potentially will end-up with hundreds (perhaps thousands) of them. Will it scale? Will Keycloak be able to handle that? many thanks, Filipe A

7 years, 9 months

4
5
0 / 0

Replace username with phone number

by Ahmed Ossama

Hi Everyone, I am new to Keycloak and I am considering using it in a project. However I've been playing with Keycloak for a bit and cannot seem to find out a specific need for the project. The need is to signup and make the phone number of a user to be the user identified instead of the username. What I did was: created an empty realm, exported it, then modified the properties using username to be phonenumber, and imported it again. Then created a new theme based on the basic theme and changed username to be phonenumber. But it wasn't enough and in the UI there was a lot of reference to username. So I was wondering if this is possible or not, and if possible how can I achieve it? Thanks in advance. -- Regards, Ahmed Ossama

7 years, 9 months

1
0
0 / 0

Why keycloak admin-cli throwing - HTTP error - 415 Unsupported Media Type

by Subodh Joshi

Hi I am trying to update realm from the admin-cli but end with 415 unsupported Media type. FYI i did not make any single change in demorealm.json file. > /opt/keycloak/bin/kcadm.sh get realms/CRUE_Realm > demorealm.json > /opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm > demorealm.json > * HTTP error - 415 Unsupported Media Type * -- Subodh Chandra Joshi subodh1_joshi82(a)yahoo.co.in http://www.trendsinnews.com

7 years, 9 months

1
0
0 / 0

How to generate OIDC Token for users originating from a saml identity provider?

by Renato Silveira - Totvs

Hello, I'm using saml identity provider and version 3.4.0-final of Keycloak. I made the necessary settings so that these users were persisted as valid users in Keycloak, until this point I had no problem. My application has some modules that work with services authenticated by tokens. Is it possible to generate tokens with the saml assertion of the user who logged in via saml identity provider? Is there any specific grant_type or client_assertion_type for this? I made a series of attempts but without success. Has anyone here needed to implement a similar implementation? https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-20#page-5

7 years, 9 months

1
0
0 / 0

Host Header Attack behind Load Balancer

by Hylton Peimer

A Google Load balancer is proxying HTTP request to a Keycloak instance [container running in Kubernetes]. A penetration test revealed that its possible to inject "X-FORWARDED-HOST" with a malicious host name, and Keycloak will accept this (login page). Is there a way to tell Keycloak (3.4) to only access web requests matching a given host? Thanks Hylton Peimer

7 years, 9 months

2
1
0 / 0

throwing error after running this command adapter-elytron-install.cli

by vandana thota

Hello When I was trying to run the command to install keycloak adapter on wildfly server from the path its showing below error . May I know how to resolve this error nl00000:/srv/apps/appsrv/wildfly/keycloak/keycloak-4.0.0.Beta3/bin> ./jboss-cli.sh --file=adapter-elytron-install.cli --connect --controller= 0.0.0.0: 8080 Authenticating against security realm: ManagementRealm Username: XXXXX Password: { "outcome" => "failed", "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found", "rolled-back" => true } nl00000:/srv/apps/appsrv/wildfly/keycloak/keycloak-4.0.0.Beta3/bin> Thanks.

7 years, 9 months

1
0
0 / 0

Start keycloak docker image with ssl disabled (or run other kcadm commands?)

by Ryan Dawson

I’m wondering what is the best way to disable ssl when starting the keycloak docker image. I’m thinking it would be convenient to be able to run this when starting the keycloak docker image: /opt/jboss/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE There already ways to turn off ssl - I could change the master realm’s json or run a db script (https://stackoverflow.com/questions/38337895/globally-disable-https-keycloak) but ideally I want to run a kcadm script as that would be more flexible. I’d also like it to be an install option rather than having to exec/shell in after deploy and change it. I am interested because the helm chart has a preStartScript but that is effectively too early to modify the realm (https://stackoverflow.com/questions/50685882/setting-up-realms-in-keycloa...). I tried adding something to run after docker-entrypoint.sh invokes standalone.sh but realised that is effectively too late (https://github.com/kubernetes/charts/blob/master/stable/keycloak/template...). I’m wondering if it would be a good idea to change the startup script (docker-entrypoint.sh and maybe standalone.sh) to expose this as a argument? Or to provide a hook for any custom script to be run? Anyone got any thoughts or suggestions on this? Ryan

7 years, 9 months

1
1
0 / 0

How to include SMTP server details from admin-cli

by Subodh Joshi

Hi All As a automation of keycloak we want to automate to include the keycloak SMTP server details .What will be command to include the SMTP server details with realm. For realm creation i am using this command /opt/keycloak/bin/kcadm.sh create realms -s realm=realm_name-s enabled=true -- Subodh Chandra Joshi subodh1_joshi82(a)yahoo.co.in http://www.trendsinnews.com

7 years, 9 months

1
1
0 / 0

Multiple user stores / Domain separation

by T. Papke

Hi all, In case multiple user stores are connected (e.g. different Active Directories). Is there any build-in option to provide some kind of domain discriminator (e.g. drop down menu) on the login page? If not, are there any proposals or best practices howto achieve this? How does Keycloak handle the issue that a the username is not unique in case of multiple userstores? Thank you, Regards, Thomas

7 years, 9 months

2
2
0 / 0

OpenShift Commons Briefing #129: KeyCloak for Cloud Natives

by Stian Thorgersen

https://www.youtube.com/watch?v=j6PgJIV1UNI

7 years, 9 months

1
0
0 / 0

Keycloak 4.0.0.Final is out

by Stian Thorgersen

https://www.keycloak.org/downloads.html

7 years, 9 months

3
3
0 / 0

Re: [keycloak-user] Display app name on keycloak login page

by Neujahr, Jana

Hello Pulkit, if you have defined a realm for each application, you can also use one theme for all realms/applications and pass the realm name (parameter is named "realmName") to the template. Kind regards Jana Treffen Sie GISA auf folgenden Veranstaltungen! 15.06.2018 WEBINAR: GISA 365 – Wie sieht Ihr Weg in die Cloud aus? 19.06.2018 Energieforen: Fachtag SAP HANA, Leipzig 19.-20.06.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig 23.-24.10.2018 metering days 2018, Fulda Aufsichtsratsvorsitzender: Norbert Rotter Geschäftsführung: Michael Krüger Sitz der Gesellschaft: Halle/Saale Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414 UST-ID-Nr. DE 158253683 Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.

7 years, 9 months

1
0
0 / 0

Using java admin client with Wildfly

by Pedro Pedro

Hi all, I am trying to use the admin client in maven project, but on startup fails with this: Caused by: java.lang.RuntimeException: Could not find constructor for class: org.keycloak.admin.client.resource.ServerInfoResource at org.jboss.resteasy.spi.metadata.ResourceBuilder.constructor(ResourceBuilder.java:683) at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.registered(POJOResourceFactory.java:41) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:207) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:193) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:179) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:156) at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) at org.jboss.restea sy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) Any ideas about this?

7 years, 9 months

3
5
0 / 0

Community maintained extensions

by Stian Thorgersen

We've added a simple page to list community maintained extensions to Keycloak. If you've developed and maintain an extension to Keycloak we would love you to list your work on our website. To do that simply send a PR to https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/e... . A template for the required json file here https://github.com/keycloak/keycloak-web/blob/master/src/main/resources/e... .

7 years, 9 months

1
0
0 / 0

Display app name on keycloak login page

by Pulkit Srivastava

Hi, I have multiple applications that authenticate users using keycloak. Is there a way to show the application name on keycloak login page according to the application from which the user arrived. How this can be achieved? Thanks, Pulkit

7 years, 9 months

2
1
0 / 0

Can I omit keycloak.securityConstraints and HttpSecurity configuration?

by Gintautas Sulskus

Hi, Is it necessary to manually map Spring app endpoints to Keycloak roles, e.g. by configuring keycloak.securityConstraints in app.properties or HttpSecurity in a Java class? At the moment I configure Keycloak by extending KeycloakWebSecurityConfigurerAdapter. The app works only if I override the 'configure(HttpSecurity http)' method and add endpoint-role mappings manually, e.g.: http.authorizeRequests().antMatchers("/test").hasRole("someRole"). If I omit this step, the app fails to start and throws the following expection: > > Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests() > at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) > at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:579) > ... 26 more > Caused by: java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests() > at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:49) > at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:36) > at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:275) at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:66) Please find my Keycloak configuration below. Note, I did not set keycloak.securityConstraints[] in my app. keycloak: realm: master auth-server-url: http://localhost/auth ssl-required: external resource: some-service credentials: secret: 6f02848a-0fd1-40fc-96cf-50035110240b use-resource-role-mappings: true confidential-port: 0 principal-attribute: preferred_username policy-enforcer-config: enforcement-mode: ENFORCING Regards, Gin

7 years, 9 months

1
0
0 / 0

Using a User Session Note in an IDP Post Login Flow Authentication SPI

by Trotman, Jake M

Hello, I’m running in to an issue with an Authentication SPI I’m creating. My use case boils down to this: I want to grab a User Session Note I have configured for a specific client in an Authentication SPI during its IDP Post Login flow and do something with it. I have the following configuration set up: A client with a custom mapper for identity_provider_identity to be used as a User Session Note type. A 3rd party IDP used for identity brokering using the OpenID Connect v1.0 configuration. A single custom Authentication SPI configured as the Post Login Flow authentication Flow for this IDP. I’ll omit the beef of the SPI code for brevity, but this code snippet demonstrates the issue I’m running in to: @Override void authenticate(AuthenticationFlowContext context) { context.getAuthenticationSession().getUserSessionNotes().each { println "key: ${it.key}, value: ${it.value}" } context.getAuthenticationSession().getUserSessionNotes() is empty. I’ve tried adding IDP mappers (Hardcoded User Session Attributes), and can see these populate in getUserSessionNotes(), but what I really want is the identity_provider_identity which is only configurable for the client: https://www.keycloak.org/docs/latest/server_admin/index.html#available-us... and available as User Session Data. I’ve tried context.getAuthenticationSession().getClientNotes(), but that does not contain the user session notes. Can anyone help with figuring out a way to pull this user session data into my SPI configured as an IDP post login authentication flow? Thanks for any response, Jake Trotman This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

7 years, 9 months

1
0
0 / 0

Keycloak always create user when use exchange_token grant_type

by Florian Bernard

Hello, We try to implement the following use case. We have a Realm and a Client that allow users to login with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to login with a Facebook token by using the same rest api but with token-exchange grant_type only if a keycloak user already exists and if it’s linked with Facebook identity provider. Problem: if a user that does not exist in Keycloak exchange a Facebook token, it’ll be automatically created by keycloak and an access_token is return. We try to modify First Login Flow in Identity provider configuration, but it does not work. How we can prevent keycloak to create user and return an error if there is no keycloak user linked to the facebook token? Thanks in advance, Florian

7 years, 9 months

1
0
0 / 0

by vandana thota

Hello We have below Environment Set up 1) Wildfly -11-final.0.0.0 2)JDK8 3)Linux 7 version 4) Built the wildfly Non-prod as standalone server. Configured 3 Standalone instances on this wildfly server . 5) Deployed the application on all 3 instances 6) Enabled the SSL 7)Installed keycloak and configured and , could able to login to its Administration console 8)SAML 2.0 protocol We need to configure the Service Provider related things on keycloak by using External Identity Provider information . We have already IDP information. What is the next step 1))Do I have do on keycloak inorder to get service provider information. 2) Before having the information about SP what needs to be on keycloak as pre-requisites ? 3)How can I configure anything related to IDP or SDP on wildfly server ( 3 instances ) 's deployed application or standlaone.xml file of 3 instances ? 4)Any other configurations needs to be done related to Single sign on etc Let me know any thing I'm missing to provide as information for the above configuration .If any one knows the information please provide us with detail steps as this was the first time we have installed keycloak and seraching about Service Provider configurations etc . Whole above task is the first time we are going to do. If possible can any one share scree shots step by step . Thanks in advance.

7 years, 9 months

1
0
0 / 0

Developing with keycloak-adapter without an OAuth Server

by Jordan Conner

Hi all, I've been developing a J2EE application utilizing the keycload-wildfly adapter to connect to a 3rd party OAuth server. Now the customer who I'm developing this application for also has another vendor creating an OAuth server. After almost 2 years of developing they have now restricted access to the OAuth server and I can no longer access it from my local environment. They expect me to push my code up to their remote development server to test changes. What is the best way I can go from here? I have tons of code utilizing the attributes in a token, and I don't understand fully how to customize the keycloak-adapter to skip certain functions in a development environment. I was told my local environment shouldn't need to access the OAuth server yet I don't understand how to bypass/fake certain functions. For example, all of my .xhtml pages are secured in the .WAR's web.xml using <login-config> <auth-method>KEYCLOAK</auth-method> </login-config> >From my understanding, if a page is secured in <security-constraints> then that is what triggers the redirect to OAuth (if a token isn't active/valid.) How can I basically "skip" this authentication check in a local environment? I have stood up my own keycloak server which I can authenticate with, but the customer's OAuth server vendor has done custom modifications to their keycloak server. For example, they have added extra fields where first/last name are, where on regular keycloak that would be a user-attribute map. TLDR; Is there anything in the keycloak-adapter that would skip authentication in a development environment. Is there a way to create a fake base64 token? Or during login of my application (where I extract user attributes and their custom attributes) should I make it so it works for either OAuth server? Thank you for any help.

7 years, 9 months

1
0
0 / 0

Re: [keycloak-user] How to take the Service Provider Metadata file or url on Keycloak for wildfly server ?

by vandana thota

We have IDP Metadata file from OKTA . How can I use that file ? Also How to configure the things for Service provider and service provider metadafile in keycloak and wildfly . Yes have installed keycloak , we have wildfly 11 with three standalone instances . Thanks. On Mon, Jun 11, 2018 at 2:33 AM Luis Rodríguez Fernández <uo67113(a)gmail.com> wrote: > Hello Vandana, > > If you have keycloak server and you have registered your wildfly SP you > can try this [1]. > > Also you can generate it yourself, there are online tools like this one [2] > > You can always check the OASIS doc [3], it is oretty well explained and > you can even find an example > > Hope it helps, > > Luis > > > [1] > https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_br... > [2] https://www.samltool.com/sp_metadata.php > [3] > https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simp... > > 2018-06-08 20:31 GMT+02:00 vandana thota <vandana0242(a)gmail.com>: > >> Hello >> >> How to take the Service Provider Metadata file or url on Keycloak for >> wildfly server ? >> >> What configurations needs to be done to get that Service Provider >> Metada file. >> >> >> Thanks, >> Vandana >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." > > - Samuel Beckett >

7 years, 9 months

1
1
0 / 0

UMA PAT clarification

by Balazs Kovacs

Hi, I'd like some help on clarifying the process of obtaining a PAT token. I've collected some relevant text from the UMA2 specifications: ... "protection API access token (PAT)An [RFC6749] <https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...> access token with the scope uma_protection, used by the resource server as a client of the authorization server's protection API. The resource owner involved in the UMA grant is the same entity taking on the role of the resource owner authorizing issuance of the PAT." ... "As defined in [UMAGrant] <https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...>, the resource owner -- the entity here authorizing PAT issuance -- MAY be an end-user (natural person) or a non-human entity treated as a person for limited legal purposes (legal person), such as a corporation. A PAT is unique to a resource owner, resource server used for resource management, and authorization server used for protection of those resources. The issuance of the PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting those resources." ... "Different grant types for PAT issuance might be appropriate for different types of resource owners; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner. " ... "Use of these endpoints assumes that the resource server has acquired OAuth client credentials from the authorization server by static or dynamic means, and has a valid PAT. Note: Although the resource identifiers that appear in permission and token introspection request messages could sufficiently identify the resource owner, the PAT is still required because it represents the resource owner's authorization to use the protection API, as noted in Section 1.3 <https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2...>. " Apparently, the PAT must represent the identity and consent of the user to be used by the resource server at the authorization server, and this is the _key_ for the authorization server to know whose resource it is handling. In the keycloak documentation, I see an example on how a resource server can act on its own to grab a PAT token, but I don't see or really know a straightforward solution how a resource server could get a PAT on behalf of a user. https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... In case the resource owner is acting, an authorization code flow conducted by the user-agent facing client will use the token at the resource server, which could be in turn also used by the resource server, if that token has 'uma_protection' scope and AS indicated as token audience. But how can the RS acquire a valid PAT for the correct resource owner, when the requesting-party is trying to access the RS for one of the resource owner's registered resource? The resource owner is not even in the flow in this case Can one clarify this a bit how at all circumstances a resource server can acquire a valid PAT to use on the Protection API so that the AS can always conclude the requested owner? Br, Balazs

7 years, 9 months

2
3
0 / 0

Simple user SSO between keycloak instances

by Long Man

I have a pair of keycloak setup as cross datacenter HA as per https://www.keycloak.org/docs/4.0/server_installation/#setup All configuration data is replicated, and changes to session/config are seen immediately in both instances console. However, a user login to /auth/realms/master/account/ cannot re-use the same session between the instances. 1) login to http://host.domain.com:8080/auth/realms/master/account (instance 1) 2) go to http://host.domain.com:9080/auth/realms/master/account (instance 2) prompted to login again although all the cookies are sent to instance2 (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) Any help appreciated Thanks a bunch! Regards, BL

7 years, 9 months

2
3
0 / 0

[Keycloak] Server Development - Custom Forgot Password Branding

by Frédéric Sénèque

Dear all, We need to do some custom branding on the forgot password pages and emails, reset password etc..., and we are planning to extend keycloak theme (version 3.4.3.Final) But we facing an issue on how to get some custom data frome te previous page( the login form ). We tried to look at this, but it seems quite old : https://stackoverflow.com/questions/44072608/keycloak-access-cookie-and-o... I have read the documentation about creating a new SPI and try to create one for the forgot password page (org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider) But it looks like that I need to implement all the login pages (configure TOTP, Update Profile ...) Is there a way to only « overide » forgot password and reset password without the need of copy/pasting almost all of the code ? Thanks in advance Regards, Frédéric SENEQUE

7 years, 9 months

1
0
0 / 0

Group's attributes not being mapped to users?

by Andy Yar

Hello, I use Keycloak 3.4.1.Final and keycloak-js NPM package as client. My use case employs a single level group hierarchy and users who belong to one of the groups. Each group has an attribute. For example attribute department_full_name. Thus users working in the same department could be grouped together and each would inherit its department_full_name attribute from the group. This way it feels natural to me. I've googled a relevant discussion: http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html Also the Server Administration confirms this behavior by stating: "The Attributes and Role Mappings tab work exactly as the tabs with similar names under a user. Any attributes and role mappings you define will be inherited by the groups and users that are members of this group." However, it doesn't seem to work for me using Bearer OpenID Connect scheme. Decoded JWT structure simply doesn't contain my mapped attribute (in id_token or access_token). It contains both roles mapped from group and directly set user's attribute but not the group mapped attribute... Am I missing something obvious here? Thanks Andy

7 years, 9 months

1
1
0 / 0

No 'Access-Control-Allow-Origin' header found in preflight response

by Nhut Thai Le

Hello, I am having issue with CORS, here is my setup: I'm using keycloak 4.0.0.Beta2. In the client setting page of keycloak admin console, I have web origin set to * Keycloak jetty adaptor is configured programmatically as follow: AdapterConfig keycloakConfig = new AdapterConfig(); ... keycloakConfig.setCors(true); keycloakConfig.setCorsAllowedMethods("POST, PUT, DELETE, GET"); keycloakConfig.setCorsAllowedHeaders("Origin, X-Requested-With, Content-Type, Accept, Cache-Control, Cookie, Host, Pragma, Referer, User-Agent"); >From the browser, I see a GEt request: https://dev.test.com:9443/diagram/services/diagrams/rest/common/getData?d... And the server response: HTTP/1.1 302 Found Date: Mon, 11 Jun 2018 19:56:04 GMT Set-Cookie: JSESSIONID=node0lc6bl81dkagi1q62aulvltr183.node0;Path=/diagram/services/diagrams/rest;Secure Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: OAuth_Token_Request_State=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73;HttpOnly Location: https://dev.test.com:8543/auth/realms/bigrealm/protocol/openid-connect/au... Content-Length: 0 Server: Jetty(9.4.6.v20170531) Somehow this 302 instructs the browser to do a preflight check with OPTIONS: OPTIONS /auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F% 2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid HTTP/1.1 Host: dev.test.com:8543 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Access-Control-Request-Method: GET Origin: https://dev.test.com:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36 Access-Control-Request-Headers: x-requested-with Accept: */* Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 However, when keycloak reply to the preflight, it set status to 204 (perhaps correct since it has nothing) but no 'Access-Control-Allow-Origin' header is returned. I think because of this, the real GET request is not sent. Did I miss anything when config keycloak that may cause this? Thai

7 years, 9 months

1
0
0 / 0

How to take the Service Provider Metadata file or url on Keycloak for wildfly server ?

by vandana thota

Hello How to take the Service Provider Metadata file or url on Keycloak for wildfly server ? What configurations needs to be done to get that Service Provider Metada file. Thanks, Vandana

7 years, 9 months

2
1
0 / 0

http keycloak proxy behind https traefik proxy

by Pierre Nowak

Hello, There is PROXY_ADDRESS_FORWARDING=true to configure http keycloak behind an https proxy, it works all good. I can't find a way to make keycloak proxy work the same way. Configured as http behind a https traefik proxy. The proxy headers seem to be forwarded. I access https://keycloakproxy, it gets redirected to https://keycloak {....}redirect_uri=*http*://keycloakproxy I found that : http://lists.jboss.org/pipermail/keycloak-user/2017-November/012407.html saying that it is a misconfiguration of the client (here keycloak proxy) Has someone any clue on how to do that ? Thanks,

7 years, 9 months

1
1
0 / 0

Custom User Registration flow

by Manisha Nandal

*I built a custom FormAction/FormActionFactory to provide additional behavior in the registration flow. I'm able to build the JAR, I have deployed my changes to standalone/deployments directory. Now when going through the registration process, the FormAction is definitely triggered but an immediate error is thrown:15:10:38,229 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/services/validation/Validation at org.keycloak.authenticationspi.RegistrationProfile.validate(RegistrationProfile.java:39) at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:214) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:816) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:284) at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:607) at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:659) at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:639) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)* *Please tell the missing configuration as it it unable to locate the class files from keycloak dependencies.* *Thanks,* *Manisha*

7 years, 9 months

1
0
0 / 0

How to avoid Logout from IDP when application Logs out using Keycloak

by siddhartha chakraborty

Hi All, So we are logging out from our Application using : *KeycloakDeployment deployment =keycloakSecurityContext.getDeployment();* *keycloakSecurityContext.logout(deployment);* But as a result we are getting logged out from the IDP also, which is not desirable. Basically we dont want to log out from the IDP , when our application logs out. Any help please. We tried providing some invalid URL(example: www.google.com) in the Logout URL in the OpenID Connect Config, but the session was not redirected to www.google.com. We even tried enabling the Backchannel Logout, but it didnt work. Any help will be much appreciated. Thanks, Siddhartha

7 years, 9 months

1
0
0 / 0

information about post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak"

by Otaño Pavo, Cesar

Hi all, I am reviewing the post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak": https://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html At the beginning of the post, in the section "Configure the Keycloak server" there are two points that are: - Configure key layer for the incoming HTTPS connection - Export the AD FS certificate to a Java trust store to enable outgoing HTTPS connections These two points have a link with instructions on the steps to follow, the instructions are in GitBook. When I try to register, the page redirects me to the new Gitbook site to register. I registered in the new site but I cannot find the instructions that I commented before. The documents are not in the new platform and the old one does not let me sign up. ¿Can someone send me the information or can send me an invitation to collaborate? Thank you Regards César AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

7 years, 9 months

1
0
0 / 0

hierarchical multi-tenancy

by Vinay

Is hierarchical multi-tenancy possible in keycloak i.e. a realm can have sub-realms ? -Vinay

7 years, 10 months

3
2
0 / 0

Unexpected behavior: self-registration through a provided IDP

by Stefan Engstrom

I have a setup where self-registration is disallowed on the realm > login page. Meanwhile, I have Google set up as an identity provider and if I attempt to authenticate using a google account (that doesn't yet exist in the realm) Keycloak asks me to verify my email and is happy to create an account for me. Is there a way to prevent this from happening? Stefan Engström Lead Research & Development Engineer Education Networks of America 618 Grassmere Park Drive Suite 12 Nashville, TN 37211 Phone: 615-312-6136 CTAC: 888-612-2880 Video @ https://ena.zoom.us/my/sengstrom Mobile: 615-500-3223 <= Best option

7 years, 10 months

1
0
0 / 0

Manage-user permission is always overriden in fine-grain permission

by Ansari, Hasebullah

Hello, I have a use-case where I want to create a dedicated realm for one organization with an admin user. But when I give the role ‘realm-admin’ to this user and literally he could anything in this realm, managing clients, managing user, etc. And if the user is not very well known with keycloak then he can also disturb the settings or configuration of the realm it self. Like deleting roles from ‘realm-management’ and with managing user with ‘manage-user’ stuff client for example. Now I have achieved to restrict this admin doing such things but now with the fine grain permission and without ‘manage-clients’ and ‘manage-users’ roles, I cannot see the ‘create client’ and ‘create user’ button in the dedicated realm admin console. In my usecase I want the admin user to create client and user by himself but not manage everything like stated above. Cheers, Hasebullah A Ansari Master of Engineering in IT, Heidelberg IT Specialist / Java Entwickler Syntlogo GmbH

7 years, 10 months

2
1
0 / 0

Problem with realm token settings after changing realm name

by Regula Engelhardt

Hello I have a problem with the token settings. Because my realm name originally had a whitespace in it and the redirection URI for the Google Identity Provider did not work with this name I changed it to a realm name with an underscore instead. Now I can’t change the token settings for my realm with the new name, I always get the error “Resource not found... We could not find the resource you are looking for. Please make sure the URL you entered is correct.”. If I change the name back though I can go to the token settings. Thanks for your help! Regula Engelhardt Junior Developer Noise AG Sonneggstrasse 76 8006 Zürich Switzerland engelhardt(a)noiseag.ch www.noiseag.ch

7 years, 10 months

1
0
0 / 0

Re: [keycloak-user] Keycloak latest beta version for Sql server support

by Athulya Pillai

Hi Raphael, The link which you shared seems to keycloak using MYSQL as database. However, in my case it is MS Sql Server. This seems to be a bug in 4.0.0. Beta2 Thanks and Regards Athulya Pillai From: Raphael Favier [mailto:r.favier@tkhinnovations.com] Sent: Thursday, June 07, 2018 3:41 PM To: Athulya Pillai Subject: Re: [keycloak-user] Keycloak latest beta version for Sql server support Hi Athulya, According to http://lists.jboss.org/pipermail/keycloak-user/2017-November/012377.html I guess it should be MYSQL with kind regards Raphael On Thu, Jun 7, 2018 at 11:23 AM, Athulya Pillai <Athulya.Pillai(a)cybertech.com<mailto:Athulya.Pillai@cybertech.com>> wrote: Hi Team, Latest verson for keycloak is 4.0.0 beta2. When we deploy this version as a docker images, there is a a mandatory environment variable to be set. The variable is DB_VENDOR which accepts only 4 values -H2, POSTGRES,MYSQL and MARIADB. Please let me know the value for above parameter DB_VENDOR to deploy this keycloak image with microsoft sql server Thanks and Regards Athulya Pillai _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user

7 years, 10 months

2
2
0 / 0

Keycloak - User registration flow query

by Manisha Nandal

Hi Team, I have used keycloak identity provider for my web application for authentication purpose. I have a query related to user registration flow - Validations of attributes like "first name" and several other (say optional or mandatory) on user registration page is on the client or server side ? As far i have checked i can't see any client side validation in "register.ftl" file. Idea is to add some custom attributes and perform some basic validations for them. Thanks, Manisha

7 years, 10 months

2
2
0 / 0

is it must to buy keycloak license

by vandana thota

Hello Is it must to buy keycloak license by client ? Thanks, Vandana

7 years, 10 months

3
8
0 / 0

Keycloak consent required

by Miguel Sousa

Hello, Regarding the Keycloak consent screen I have two questions: - Is it possible to have a checkbox for each access privilege that the user is granting to the client instead of just an option to allow or deny all of them? - Can the client specify the access privileges that it needs through the scope request parameter in the authorization flow? Thanks in advance, Miguel Sousa

7 years, 10 months

1
1
0 / 0

Updating data provider information on the fly

by Matthew Beliveau

Hello, I am trying to find a place in the Keycloak code where I can update data provider information on a fly. Use case: I have a Keycloak server connected to an back end identity source. This Keycloak server is configured to use an external IdP as an authentication source. When the user is authenticated against the external source and Keycloak receives his assertion or OIDC ticket I want to get info from that ticket and check if the information about this user known to the particular data back end. If the data is not there or different I would like to update the data in the back end. I know where the code for the back end data providers is and can create my own or extend existing one. I found a place where Keycloak processes assertions and tickets. https://github.com/keycloak/keycloak/tree/master/services/src/main/java/o... Is this the right place to invoke the data provider API to do the data update in the back end? Are there any precedents of such code in the Keycloak code base or around? Thanks, Matthew Beliveau

7 years, 10 months

1
0
0 / 0

search-friendly mailing list archives?

by Raphael Favier

Hello, I'm a new subscriber to this mailing list and I'm happy to see how active it is. However I am quite surprised that it is very hard to search its archived messages. Of course archives are here but they are only provided as .txt files. Which makes it quite hard to navigate. For now I am basically using Google and the "site" operator to look for messages that were posted prior to my subscription to the list. Or is there an easier way? I have seen other open source projects using Nabble or Google groups to make it easier for their user to search in their mailing list archives. I think such a tool would reduce the number of questions asked over and over and ease help between users. with kind regards Raphael

7 years, 10 months

2
2
0 / 0

Keycloak latest beta version for Sql server support

by Athulya Pillai

Hi Team, Latest verson for keycloak is 4.0.0 beta2. When we deploy this version as a docker images, there is a a mandatory environment variable to be set. The variable is DB_VENDOR which accepts only 4 values -H2, POSTGRES,MYSQL and MARIADB. Please let me know the value for above parameter DB_VENDOR to deploy this keycloak image with microsoft sql server Thanks and Regards Athulya Pillai

7 years, 10 months

1
0
0 / 0

unintentionally changing the client ID in the sequence of registration

by 蘆原大輔/行員/福岡銀行

I am using keycloak -3.4.3.Final. I am troubled by unintentionally changing the client ID in the sequence of registration transitions. The details are as follows. １、After new user is registered, E-mail is sent from Keycloak.(client ID:"sample app") ２、When I click the link of E-Mail, the confirmation validity screen of the mail address is displayed.(client ID:"sample app") ３、When I click the link "click here to proceed" on the confirmation validity screen of the mail address, client ID is changed from "sample app" to "account". Is the behavior of the above 3 a Keycloak specification? Is it impossible to make the screen transition of Client ID as Sample app? thanks

7 years, 10 months

1
0
0 / 0

E-Mail templates: list of possible parameters?

by Neujahr, Jana

Dear keycloak users, for altering the keycloak e-mail templates it would be nice to know which parameters you can use in your FTL files. Is there a list somewhere? If not, would you all kindly help to create a list for present and future users? I'd like to begin: E-mail template parameters, in alphabetical order: user.firstName (first name of concerned user) user.lastName (last name of concerned user) link (link for user action) linkExpiration (expiration time oft he link) linkExpirationFormatter (formatter for expiration time into days, hours, minutes) event.date (date oft he triggered event) event.ipAddress (IP address oft he user who triggered the event) requiredActions (list oft he triggered Actions, String values) realmName (name of the concerned realm) code (?) identityProviderAlias (alias of used identity provider, e.g. Facebook) identityProviderContext.username (username of used identity provider) Kindly yours Jana Treffen Sie GISA auf folgenden Veranstaltungen! 15.06.2018 WEBINAR: GISA 365 – Wie sieht Ihr Weg in die Cloud aus? 19.06.2018 Energieforen: Fachtag SAP HANA, Leipzig 19.-20.06.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig 23.-24.10.2018 metering days 2018, Fulda Aufsichtsratsvorsitzender: Norbert Rotter Geschäftsführung: Michael Krüger Sitz der Gesellschaft: Halle/Saale Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414 UST-ID-Nr. DE 158253683 Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.

7 years, 10 months

1
0
0 / 0

SQRL (or similar)

by Mark Howells

I'm investigating requirements for a project that we're working on. We'd like to implement a SQRL-like workflow for users. Basically, We have a mobile application that goes to great lengths to identify the user. We'd like to allow users to access web services via a PC by browsing to a login page that shows a QR code and then scanning that code from within the app. I'm aware of tiqr but I'm not sure how 'proprietary' that solution is (nor how readily we absorb the tiqr app functionality into our own app) . Are there any projects around this area that we can consider or do we have to roll our own. Cheers, Mark -- NOTICE AND DISCLAIMER This email contains MJog information, which may be privileged or confidential. It's meant only for the individual(s) or entity named above. If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you've received this email in error, please let me know immediately on the email address above. Thank you.**** MJog Limited is a limited company registered in England and Wales. Company Registration No: 2313464 Registered Office: The Old School, 23 High Street, Wilburton, ELY, CB6 3RB We monitor our email system, and may record your emails.

7 years, 10 months

1
0
0 / 0

Wrong event after email verify started by REST (send-verify-email)

by pieter.dekinder＠bricsys.com

Hi all, We are using the REST API Keycloak to trigger an email verification email. (.../send-verify-email) When the verification process is done, the EVENT logged is a CUSTOM_REQUIRED_ACTION event. Email verification is not a customization, so it should probably be logged as VERIFY_EMAIL. Is this expected behaviour? Or can this be considered is as a bug? Kind regards, Pieter

7 years, 10 months

2
1
0 / 0

Fwd: Users in Multiple Realms

by S Mishra

Hello Please excuse me if this has been asked before (I'm sure it has), and I would be grateful if someone could point me to the right resources. I have 2 realms, REALM1 and REALM2, in my local instance of KC. I would like to validate and issue tokens for users who are members of a particular group in another realm on the same server. I.e., In REALM2, I've created a group e.g., REALM1-GROUP, and assigned users to this group, who I want to be validated in REALM1. How can I do this? Thanks in advance. Sam

7 years, 10 months

1
0
0 / 0

Keycloak Licence

by Pulkit Srivastava

Hi, I need to know if there would be any legal/licence issues if i download open source code for keycloak and deploy it after doing certain code level changes. I know the forum says its open source, but i just need to be sure before i start using it. Can anyone confirm that.? Thanks, Pulkit

7 years, 10 months

2
1
0 / 0

Keycloak Training for Developers

by Vinay

Is there a training program on keycloak for developers ?

7 years, 10 months

3
2
0 / 0

Keycloak and Citrix Storefront

by Otaño Pavo, Cesar

Good afternoon Is it possible to use the configuration SAML SP "Citrix StoreFront" and IdP "Keycloak"? Thank you very much César AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

7 years, 10 months

1
0
0 / 0

Unable to verify Google certificate during reCaptcha verification

by G. Allegri

Hi, I've configured Recaptcha for the registration form. It appears and works fine from the browser side, but Keycloak cannot access the verification URL [1] because the SSL Java chain cannot verify the certificate. I've followed the guide in the docs [2] to configure the TrustStore (in standalone mode), after having created the truststore and importing the google cert. I've verified that keytool list the Google certificate correctly, and I've double checked file paths and password, but I keep receiving the following exception: 2018-06-05 13:06:35,921 ERROR [org.keycloak.services] (default task-9) KC-SERVICES0028: Recaptcha failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) (...) I've also tried to set Djavax.net.ssl.trustStore=<path to my truststore> when I launch the standalone.sh, but it neither works. Do I miss something or am I doing something wrong? Thanks, Giovanni [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... [2] https://www.keycloak.org/docs/latest/server_installation/index.html#_trus...

7 years, 10 months

1
0
0 / 0

Keycloak HA with NATIVE S3 Ping and JDBC Ping guide

by Min Han Lee

Hello, I wondered if anyone can give me some pointer on how to implement KC HA with NATIVE S3 Ping or JDBC Ping? I had some search in google but couldn't find any good guides. Thanks Kind Regards Neo Lee

7 years, 10 months

1
0
0 / 0

Where did "Requesting Entitlements" go?

by Stefan Hesse

Hello everyone, in keycloak 3.3 one could easily request entitlements as described here: https://www.keycloak.org/docs/3.3/authorization_services/topics/service/e... In keycloak 4.0 this options seems to be gone. Where did it go? What is the new URL? The old way now returns a 404. And BTW: Where are these breaking changes documented? I can't find them in the release notes, and checking all the issues seems a little cumbersome. Best Regards Stefan

7 years, 10 months

2
1
0 / 0

Add custom Attributes to user from Kerberos ticket

by Dominik Guhr

Hi, so I am writing a custom authenticator right now which handles a kerberos ticket from an ldap federation provider I added via admin panel. This works, only thing is due to the internationalization bug I don't import the users from the Federation provider. Now in my custom authenticator, I try to call a thirdparty api and add some attributes to this user. To achieve this, I customized the authenticate(AuthenticationFlowContext context) - method to call my thirdparty api via apache HttpClient (works). Then, I try to read everything the resultjson of thirdparty returns, and map it into a UserModel. I do it like this: if (responseCode == 200) { ObjectMapper mapper = new ObjectMapper(); ObjectNode rootnode = (ObjectNode) mapper.readTree(responseString); rootnode.fieldNames().forEachRemaining(s -> { String val = rootnode.get(s).asText(); if (s.equals("lastname") output.getAuthenticatedUser().setLastName(val); else if (s.equals("firstname")) output.getAuthenticatedUser().setFirstName(val); else if (s.equals("email")) output.getAuthenticatedUser().setEmail(val); else if (s.equals("username")) ; // skip this completely. else if (s.equals("newPasswordRequired")) { // TODO when required action works, set it here // user.addRequiredAction("UPDATE_THIRDPARTY_PASSWORD"); } else { output.getAuthenticatedUser().setAttribute(s, Arrays.asList(val)); logger.info("adding attribute to usermodel: " + s); } }); context.setUser(output.getAuthenticatedUser()); So here I set the Attributes etc. dynamically. Which works pretty fine. But in my token I don'T get these Attributes - seems like I only get those who are actually mapped from LDAP, too. So I tried to add a mapper for "employeeID" to my federation provider, but that didn't change something. In my client, for sure I added that mapper via User Attribute and, for the sake of idk, later tried with User Property, but had no effect So, I need to get the other Attributes too, dynamically would be perfect, but even statically would be good. Is there any chance to do this, or do I have to stick with the fields from ldap? I thought the context.setUser ... would do, but seems it doesn't. Perhaps I have to set the user not for the context, but elsewhere? Any help is highly appreciated. Thank you, Dominik

7 years, 10 months

1
0
0 / 0

How to return custom error messages from custom spnego authenticator?

by Dominik Guhr

Hi everyone, So I just posted this question on SO, hoping to reach more people, but would be great to get an answer here too, obviously: https://stackoverflow.com/questions/50695959/how-do-i-return-custom-error... Thanks! Best regards, Dominik

7 years, 10 months

1
0
0 / 0

No sync between infinispan and keycloak in cluster

by Lamine Léo Keita

Hi, I am facing an issue with the cluster example. I have 2 sites on each I have 1 Keycloak and 1 infinispan running. Infinispan see each other and are configured as the example in documentaion. Each keycloak see the infinispan on his site. When I open 2 sessions, one on each sites, I see 2 entry in the session cache on the infinispan but on each keycloak I see that only one session is running! Did someone already had this issue? Could somebody help me please? Lamine

7 years, 10 months

1
0
0 / 0

how to notify app when keycloak session timeout or user logout?

by Nhut Thai Le

Hello, My app has quite some sessions that starts when a user login though keycloak. I want to close these sessions when keycloak session expires or the user logout. Is there any notification/call back from keycloak server when such event occurs ? Thai

7 years, 10 months

2
1
0 / 0

Re: [keycloak-user] Mapping SAML attributes from ADFS

by Rens Verhage

Thanks Tony! This helped a lot. After mapping the attributes like this everything works fine: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email Rens On 4 Jun 2018, at 11:58, Tony Harris <Tony.Harris(a)oneadvanced.com<mailto:Tony.Harris@oneadvanced.com>> wrote: This might help get you started. This maps the surname claim in SAML to the LastName attribute in Keycloak. The SAML names here should give you the name of the others. https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.... <image001.png> -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Rens Verhage Sent: 04 June 2018 10:28 To: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> Subject: [keycloak-user] Mapping SAML attributes from ADFS Hi all, I’m having some trouble importing users from ADFS. On first time login, Keycloak displays the user registration form with only the username pre-filled, first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response. Do I have to explicitly map these attributes? How can I log the SAML response in plain text? All SAML assertions are encrypted, how can I log / debug the mapping of user attributes? Rens _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com<http://www.websense.com/>

7 years, 10 months

1
1
0 / 0

cannot change token times/settings in realm settings

by Avinash Kundaliya

Hello Community, I just setup a keycloak-4 beta3 and have the issue that when i nagivate to the "Tokens" page, it shows up for a brief moment and then redirects to the "Resource not found" page. In the network requests, we can see that the request [1] returns a 404. The same doesnt happen for the master realm. We have the same issue in keycloak-4 beta1 as well (which is why i wanted to update and try) Any suggestion would be helpful here. Regards, Avinash [1] <url>/auth/admin/realms/myrealm?$promise={}&$resolved=true&accessCodeLifespan={"unit":"Minutes","time":1}&accessCodeLifespanLogin={"unit":"Minutes","time":30}&accessCodeLifespanUserAction={"unit":"Minutes","time":5}&accessTokenLifespan={"unit":"Minutes","time":5}&accessTokenLifespanForImplicitFlow={"unit":"Minutes","time":15}&actionTokenGeneratedByAdminLifespan={"unit":"Hours","time":12}&actionTokenGeneratedByUserLifespan={"unit":"Minutes","time":5}&adminEventsDetailsEnabled=false&adminEventsEnabled=false&attributes={"_browser_header.xXSSProtection":"1;+mode=block","_browser_header.xFrameOptions":"SAMEORIGIN","_browser_header.strictTransportSecurity":"max-age=31536000;+includeSubDomains","permanentLockout":"false","quickLoginCheckMilliSeconds":"1000","_browser_header.xRobotsTag":"none","maxFailureWaitSeconds":"900","minimumQuickLoginWaitSeconds":"60","failureFactor":"30","actionTokenGeneratedByUserLifespan":"300","maxDeltaTimeSeconds":"43200","_browser_header.xContentTypeOptions":"nosniff","actionTokenGeneratedByAdminLifespan":"43200","bruteForceProtected":"false","_browser_header.contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","waitIncrementSeconds":"60"}&browserFlow=browser&browserSecurityHeaders={"xContentTypeOptions":"nosniff","xRobotsTag":"none","xFrameOptions":"SAMEORIGIN","xXSSProtection":"1;+mode=block","contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","strictTransportSecurity":"max-age=31536000;+includeSubDomains"}&bruteForceProtected=false&clientAuthenticationFlow=clients&defaultRoles=offline_access&defaultRoles=uma_authorization&directGrantFlow=direct+grant&dockerAuthenticationFlow=docker+auth&duplicateEmailsAllowed=false&editUsernameAllowed=true&enabled=true&eventsEnabled=false&eventsListeners=jboss-logging&failureFactor=30&internationalizationEnabled=false&loginWithEmailAllowed=true&maxDeltaTimeSeconds=43200&maxFailureWaitSeconds=900&minimumQuickLoginWaitSeconds=60&notBefore=0&offlineSessionIdleTimeout={"unit":"Days","time":30}&otpPolicyAlgorithm=HmacSHA1&otpPolicyDigits=6&otpPolicyInitialCounter=0&otpPolicyLookAheadWindow=1&otpPolicyPeriod=30&otpPolicyType=totp&otpSupportedApplications=FreeOTP&otpSupportedApplications=Google+Authenticator&permanentLockout=false&quickLoginCheckMilliSeconds=1000&realm=myrealm&refreshTokenMaxReuse=0&registrationAllowed=true&registrationEmailAsUsername=false&registrationFlow=registration&rememberMe=false&requiredCredentials=password&resetCredentialsFlow=reset+credentials&resetPasswordAllowed=false&revokeRefreshToken=false&smtpServer={}&sslRequired=all&ssoSessionIdleTimeout={"unit":"Minutes","time":30}&ssoSessionMaxLifespan={"unit":"Hours","time":10}&userManagedAccessAllowed=false&verifyEmail=false&waitIncrementSeconds=60 -- --- Avinash Kundaliya avinash(a)avinash.com.np http://avinash.com.np

7 years, 10 months

1
0
0 / 0

Non ASCII characters in local part of email

by Vinay

Any reason why keycloak doesn't support non ASCII characters in the local part of the email address ? As per RFC 6531 <https://tools.ietf.org/html/rfc6531>, these chars are allowed. -Vinay

7 years, 10 months

1
0
0 / 0

LDAP failover

by Vinay

Does keycloak provide LDAP failover i.e. provide two LDAP URLs while creating an LDAP provider so that users can be search on both primary and secondary LDAP server ? This is required for high availability ?

7 years, 10 months

5
6
0 / 0

Keycloak SAML redirection stuck in loop after logging in

by Lenay Schminzh

I'm trying to secure a url : /monitoring with Keycloak using SAML. I've modified my web.xml : <web-app>  <login-config> <auth-method>KEYCLOAK-SAML</auth-method> <realm-name>this is ignored currently</realm-name> </login-config> <security-role> <role-name>monitoringrole</role-name> </security-role> <security-constraint> <web-resource-collection> <web-resource-name>Monitoring</web-resource-name> <url-pattern>/monitoring</url-pattern> </web-resource-collection> <auth-constraint> <role-name>monitoringrole</role-name> </auth-constraint> </security-constraint> <listener> <listener-class> org.springframework.web.context.request.RequestContextListener </listener-class> </listener></web-app> I've also modified my tomcat7's context.xml file with the correct Valve and added the keycloak-saml.xml in /WEB-INF. I'm correctly redirected to the IdP, but even after successfully logging in, I keep getting this message : *You are already logged in* I guess I'm redirecting to the same url I'm securing, but shouldn't keycloak grant me access to the page ? [image: Capture.PNG] Here is my configuration on the keycloak server : [image: 7252z.png] Am I missing something on the configuration side ? Thank you.

7 years, 10 months

1
0
0 / 0

Get old password in custom update-password required action

by Dominik Guhr

Hi everyone, I need help with the following custom authentication flow: 1a. user logs in via a custom username/pw form authenticator. Success case: he gets logged in, backendwise into a third-party system via a REST call. User is created in keycloak. => works! 1b. user logs in, but thirdparty system returns a flag that user has to change his password. For this, I created a required action which just uses the "normal" update_password required action, but in its processAction method calls the thirdparty system. => Doesn'T really work, because: one requirement of the thirdparty-API for updating the pw of a user to a new one is, there has to be the old password in the request json, syntax: { username: "...", passwordNew: "...", passwordOld: "..." } Now I am struggling a little to get the old password in my required action-form, which, as of now, is the login-update-password.ftl as can be found here: https://github.com/keycloak/keycloak/blob/master/themes/src/main/resource... It seems there already is a hidden field for the current password, but this has no value. So this seemed not to work, and now I am thinking to create my own form and set it for the required action. Therefor I have one problem (so far): The code I use now for creating the update pw-form which is the "normal" kc-form looks like this: @Override public void requiredActionChallenge(RequiredActionContext context) { Response challenge = context.form() .setAttribute("username", context.getAuthenticationSession().getAuthenticatedUser().getUsername()) .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD); context.challenge(challenge); } Now I want to use my own form, containing another form element where user has to put in his old pw. So, what do I need to change here? I saw the secretactionrequiredaction at github, which uses createForm("...ftl"), but not the setAttribute and/or createResponse - so, one question is: is createForm... enough to get my own form loaded at the required action? (aside from putting a custom ftl in the theme I use) Would be great to get some hints here! Thanks in advance, Dominik dominik.guhr(a)codecentric.de

7 years, 10 months

1
0
0 / 0

JAAS login context propagation issue with Keyclock

by valsaraj pv

Hi, I am facing issue with JAAS login context propagation when using Keyclock. Following code is executed from Message Driven Bean to login as application MDB user. > loginContext = new LoginContext("keycloak", new CallbackHandler() { > > @Override > > public void handle(Callback[] callbacks) { > > int len = callbacks.length; > > Callback cb; > > for (int i = 0; i < len; i++) { > > cb = callbacks[i]; > > if (cb instanceof NameCallback) { > > NameCallback ncb = (NameCallback) cb; > > ncb.setName(mdbuserName); > > } else if (cb instanceof PasswordCallback) { > > PasswordCallback pcb = (PasswordCallback) cb; > > pcb.setPassword(mdbUserPass); > > } > > } > > } > > }); > > loginContext.login(); > > After that when I check the principal, I got anonymous! > Principal p = ctx.getCallerPrincipal(); > Is there any work around for this issue? Thanks!

7 years, 10 months

1
0
0 / 0

RPT vs regular access tokens

by Juan José Vázquez Delgado

Hello everyone!. According to the documentation, an RPT is just a jwt token with permission claims. In order to disambiguate between RPT and regular access tokens, is there any way to do this apart from checking the existence of these permission claims?. Thanks!.

7 years, 10 months

2
1
0 / 0

Mapping SAML attributes from ADFS

by Rens Verhage

Hi all, I’m having some trouble importing users from ADFS. On first time login, Keycloak displays the user registration form with only the username pre-filled, first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response. Do I have to explicitly map these attributes? How can I log the SAML response in plain text? All SAML assertions are encrypted, how can I log / debug the mapping of user attributes? Rens

7 years, 10 months

1
0
0 / 0

Admin console and reverse proxy

by Benoit HERARD

Hi All I've installed the latest version (4.0.0.Beta3) on a test box and followed this guide (https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...) to access keycloak through an apache reverse proxy. For the moment, in order to facilitate troubleshooting, my configuration is using http only (for keycloak and apache). Apache is listening on port 80 and keycloak on 8080 For now, I can perfectly connect and use the user account management via the proxy (http://localhost/auth/realms/master/account) As well, I can configure and use mod_auth_openid to protect backends on apache. My probelm is when I want to connect the keycloak admin console. If I go directly on WildFly (http://localhost:8080/auth/admin) it works. I can login and use the admin console. But if a go there via the proxy (http://localhost/auth/admin) it fails. The login form open, I can entrer and submit my creds but then a blank page opens when admin console GUI should be available. With developers tools of by browser I can see that cookies seems to be set correctly by authent. server (f.e. from this blank page I type the url of account management and it's displayed without re-entering creds, so I conclude that I am logged in). Developer tools call stack shows that it fails in calling https://localhost/auth/admin/master/console/whoami with HTTP 401 (unauthorized) Any idea? Thx

7 years, 10 months

1
0
0 / 0

Bulk user import recommendations

by Scott Hezzell

Hi Keycloak 3.4.0 - running 5 instances in containers using standalone clustered mode running against postgres. I am looking for the recommended approach to bulk user imports into keycloak. I initially hoped to use the admin api but I am looking at having to import batches of up to 80,000 users and initial tests look to top out at just under 40 requests per second. At that throughput it will take 33 minutes to import a set of 80,000 users. Is this an expected throughput level? Any techniques to increase this? Any alternative techniques? I thought about inserting directly into the keycloak postgres db but I am concerned about the upgrade experience. Could implementing my own user store and adding my own custom user storage provider, enabling me to import directly into my own db and implementing defined interfaces for the user storage provider so hopefully help the upgrade path, be an option? Are there any migration options I could take advantage of? Many thanks Scott [Benefex Logo] Scott Hezzell Senior Developer hellobenefex.com<https://www.benefex.co.uk> [https://s3-eu-west-1.amazonaws.com/commsmedia-bucket/images/benefex/socia...]<https://www.linkedin.com/company/hellobenefex> [Twitter] <https://twitter.com/hellobenefex> Benefex Ltd, Mountbatten House, Grosvenor Square, Southampton, SO15 2JU. Registered Number: 04768546 As the sender of this email, we hope that you are the intended addressee and that you are having a nice day. Please take a moment to note that this message may contain information that is confidential or privileged and exempt from disclosure under applicable law. If this wasn't meant for your eyes, please do take the time to let us know and delete this message from all data storage systems. You should also note that the disclosure or copying of this email, or the use of its contents, is prohibited. Thank you! This message has been scanned for malware by Websense. www.websense.com

7 years, 10 months

1
0
0 / 0

Force additional authentication for specific pages?

by Eric B

I'm not sure how this can be done in Keycloak, but I suspect that it must be feasible. Is there a way to use Resources, or something similar, that would force an already-authenticated user to reauthenticate himself when accessing a specific set of resources? For example, if a user wants to access high-level administrative functions, I would like for the user to reauthenticate themselves again. This reauthentication could be valid for a finite period of time (ex: 5 mins), before the user would have to once-again reauthenticate themselves to continue using the high-level admin functions. During the period where the user re-authenticates himself for the high-level functions, I want his existing Keycloak session to continue as it was; there should be no interruption in his original session or credentials. I've been looking to see if there was a way to use Keycloak Authorization Resources and Permissions to accomplish this. Are there any good examples or docs that could help steer me? Or am I looking down the wrong path? Thanks, Eric

7 years, 10 months

1
0
0 / 0

Hardware requirements of keycloak cluster

by priti guleria

Hi Team, I want to deploy a clustered keycloak setup in production. Can someone help me with what should be the minimum harware requirements for this setup ? Thanks, Priti

7 years, 10 months

3
3
0 / 0

How to use jaxrs-oauth-client for authorization code grant?

by Anselme Ndeke

Hi, I'm looking for a way to use the authorization code grant flow using a pure jaxrs filter. So far, I've successfully added the jaxrs-oauth-client ( https://github.com/keycloak/keycloak/blob/master/adapters/ oidc/jaxrs-oauth-client) to my rest app, which sends errors on requests without a token. Then, I wonder if jaxrs-oauth-client supports the authorization code grant? This class https://github.com/keycloak/keycloak/blob/master/adapters/ oidc/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/ JaxrsOAuthClient.java has some methods about redirect but I couldn't find any example. I want some URLs to send redirects to auth server instead of auth errors, like in the vanilla getting started guide and without using wildfly/jetty/tomcat/spring adapters. Thanks

7 years, 10 months

1
0
0 / 0

E-Mail template: which template is used for which action? How to alter this?

by Neujahr, Jana

Dear keycloak users, I'm to configure keycloak email messages. I aleady found the folders and the FTL-files. Strangely, keycloak does not seem to use the email_verification.ftl when sending an activation link. It's using the executeActions.ftl, though I found out that the "requiredAction" actually is VERIFY_EMAIL. So why not using the apropriate template? Is there a possibility form e to change the use of ftl-templates with the different actions? Alternatively, does anybody know whether in the executeActions case there can be several "requiredActions"? If it's sure to be only one, I could do the modulation to the different templates in the executeActions.ftl, checking the requiredActions. I apreciate every hint or idea. PS: If someone needs to know how far I'm gone with checking the requiredActions in the executeActions.ftl, I'll happily share. Kind regards Jana Treffen Sie GISA auf folgenden Veranstaltungen! 15.06.2018 WEBINAR: GISA 365 – Wie sieht Ihr Weg in die Cloud aus? 19.06.2018 Energieforen: Fachtag SAP HANA, Leipzig 19.-20.06.2018 PraxisForum Digitale Prozesse - GoBD & Püfungen, Leipzig 23.-24.10.2018 metering days 2018, Fulda Aufsichtsratsvorsitzender: Norbert Rotter Geschäftsführung: Michael Krüger Sitz der Gesellschaft: Halle/Saale Registergericht: Amtsgericht Stendal | Handelsregister-Nr. HRB 208414 UST-ID-Nr. DE 158253683 Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Empfänger sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail oder des Inhalts dieser Mail sind nicht gestattet. Diese Kommunikation per E-Mail ist nicht gegen den Zugriff durch Dritte geschützt. Die GISA GmbH haftet ausdrücklich nicht für den Inhalt und die Vollständigkeit von E-Mails und den gegebenenfalls daraus entstehenden Schaden. Sollte trotz der bestehenden Viren-Schutzprogramme durch diese E-Mail ein Virus in Ihr System gelangen, so haftet die GISA GmbH - soweit gesetzlich zulässig - nicht für die hieraus entstehenden Schäden.

7 years, 10 months

1
0
0 / 0

Modify roles in Token after user login SPI

by Sandeep Rai

Hi Community, I'm trying to add more roles into the token after the token has been generated following the isValid() return of the Authentication SPI. I have a application which has SMS otp functionality. After the user has verified the OTP I want to grant more roles to the user by adding those roles into the token. But how do I modify the existing token or even renew it with new roles ? Is there a endpoint I can use to do so ? Or anyother ProviderInterface that I can use to achieve this ? Regards

7 years, 10 months

1
1
0 / 0

Permission issue in calling EJB from MDB

by valsaraj pv

Hi, We have recently switched from JAAS to Keycloak. Application is JavaEE application with EJBs & MDBs. Set keycloak login module in WildFly to propagate user from wen to EJB & it worked. But facing issue when an EJB is called from MDB. There is anonymoius user in MDB when message received. So that user don't have permission to invoke EJB protected by: > <s:security> > <ejb-name>*</ejb-name> > > <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access> > <s:security-domain>keycloak</s:security-domain> > </s:security> In JAAS version, we have programmatic login using dedicated mdb user. loginContext = new LoginContext("ldap", new CallbackHandler() { @Override public void handle(Callback[] callbacks) { int len = callbacks.length; Callback cb; for (int i = 0; i < len; i++) { cb = callbacks[i]; if (cb instanceof NameCallback) { NameCallback ncb = (NameCallback) cb; ncb.setName(mdbuserName); } else if (cb instanceof PasswordCallback) { PasswordCallback pcb = (PasswordCallback) cb; pcb.setPassword(mdbUsrPass); } } } }); loginContext.login(); This have user with required permission. Since now moved to Keycloak, this code will not work. What is the option to prevent permission issue in calling EJB from MDB? Thanks!

7 years, 10 months

1
0
0 / 0

Keycloak on OpenShift

by Stian Thorgersen

I wrote up a blog post and did a screencast showing how to deploy Keycloak on OpenShift. Of course I also deployed and secure a Node.js service and a HTML5 application for good measures. The blog post is here: https://blog.keycloak.org/2018/05/keycloak-on-openshift.html And for those that prefer a screencast here you go: https://youtu.be/9zUWqbK3BqI. This OpenShift thing is really nice! The more I use it the more I like it.

7 years, 10 months

2
2
0 / 0

Programmatically login as a user

by valsaraj pv

Hi, I have web application login via Keycloak working fine. But for a background processing like reading messages from a queue, need to login as a dedicated queue user behind the scenes. For this we can't redirect to login page. Earlier it was done pro grammatically by using JAAS login context and passing login module & credentials. Now when we switch to KC, what is the appropriate model to do this? Please advice! Thanks!

7 years, 10 months

2
4
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2018