invalid_token with SAML HTTP redirect binding
by Emanuele Faranda
Hello,
I'm trying to implement SAML authentication with the help of Keycloak, but I cannot make it work.
I'm running Keycloak 4.0.0.Final as a standalone server distribution on Ubuntu 16.04.
I've configured a new SAML identity provider from the "Identity
Providers" menu by filling in only the required fields.
From command line, I'm sending the following request to my keycloak
instance:
curl http://192.168.2.165:8080/auth/realms/master/broker/saml/endpoint?SAMLReq...
where the SAMLRequest parameter value is the URL encoding of the base64+deflate (generated from https://www.samltool.com/encode.php) of the following SAML request:
<samlp:AuthnRequest ID="_abc123szs"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest>
Keycloak returns "Invalid Request" in the HTML reply. I've enabled
verbose debugging and this is the trace:
23:11:11,462 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/master/broker/saml/endpoint
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) SAML Redirect Binding
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) <samlp:AuthnRequest ID="_abc123szs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest>
23:11:11,471 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.2.221, error=invalid_token
The debug trace shows that the request is decoded properly, but I get the "invalid_token" warning. If I redirect an HTTP client via a 302 redirect to the URL above, I get the same "Invalid Request" and cannot proceed with the login.
I've also tried different sample SAML request XMLs, but the results are the same. Do you have any clue?
Regards,
Emanuele
5 years, 10 months
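The HTTP-Redirect binding encoding the post describes (raw DEFLATE, then base64, then URL-encode), as an added example that is not part of the original thread: an encoder plus a size-capped decoder in Python, using the AuthnRequest and broker endpoint URL quoted above as constructed inputs. The 1 MiB inflation cap is my own defensive choice, not something the SAML spec or Keycloak prescribes.

```python
import base64
import urllib.parse
import zlib

# Sample payload: the AuthnRequest quoted in the post (constructed test input here).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest ID="_abc123szs" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'IssueInstant="2018-06-18T16:35:21Z" Version="2.0"></samlp:AuthnRequest>'
)
# Broker endpoint URL from the post.
ENDPOINT = "http://192.168.2.165:8080/auth/realms/master/broker/saml/endpoint"
MAX_INFLATED = 1 << 20  # cap on inflated size; a defensive choice, not from the spec

def encode_redirect_binding(xml: str) -> str:
    """Redirect binding: raw DEFLATE (no zlib header) -> base64 -> URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.quote(b64, safe="")  # '+', '/' and '=' must be escaped too

def inflate_b64(b64: str) -> str:
    """base64 -> raw INFLATE, refusing output larger than MAX_INFLATED."""
    raw = base64.b64decode(b64, validate=True)
    decomp = zlib.decompressobj(-15)
    xml = decomp.decompress(raw, MAX_INFLATED)
    if decomp.unconsumed_tail:  # input left over means the output hit the cap
        raise ValueError("inflated SAMLRequest exceeds %d bytes" % MAX_INFLATED)
    return xml.decode("utf-8")

def decode_redirect_binding(param: str) -> str:
    """Inverse of encode_redirect_binding for a still-URL-encoded value."""
    return inflate_b64(urllib.parse.unquote(param))

def build_redirect_url(endpoint: str, xml: str, relay_state: str = "") -> str:
    """Assemble the GET URL a client would be 302-redirected to."""
    query = "SAMLRequest=" + encode_redirect_binding(xml)
    if relay_state:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return endpoint + "?" + query

def parse_saml_request_param(url: str) -> str:
    """Extract SAMLRequest from a redirect URL; parse_qs already URL-decodes it."""
    values = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("SAMLRequest", [])
    if len(values) != 1:
        raise ValueError("expected exactly one SAMLRequest parameter")
    return inflate_b64(values[0])
```

Running `parse_saml_request_param(build_redirect_url(ENDPOINT, AUTHN_REQUEST))` round-trips the request; the decoder is what a receiving endpoint would run before any XML parsing.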
How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1
by vandana thota
Hello
I have copied the file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 onto the WildFly server; how do I open it?
Previously we had zip files and could open them by running the unzip command. But how do we open this sha1 file, and how can we do further configurations on WildFly with this Keycloak adapter which is in sha1 format?
Thanks.
5 years, 10 months
Display Calling application name
by Pulkit Srivastava
Hi,
I have multiple applications that authenticate users using Keycloak. Is there a way to show the application name on the Keycloak login page according to the application from which the user arrived? How can this be achieved?
Thanks,
Pulkit
5 years, 10 months
Entitlement request with additional parameters
by Corentin Dupont
Hi guys,
I use the entitlement API to check access control on my resources. Here I check whether a user can update a sensor:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [
        "sensors:update"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But I would like to make complex policies that check additional parameters, such as sensor status, etc.
How can I pass the additional parameters along with the request and use them in my policies? I mainly use JavaScript policies.
Thanks
Corentin
5 years, 10 months
Keycloak sso logout
by Robert .
I have been having problems with the Keycloak SSO logout functionality in Keycloak 3.4.3.
Previously I tested the single sign-out functionality in Keycloak 2.4.0 and did not experience such problems.
I have debugged the issue in 3.4.3 and noticed that the sessionCreated method in HttpSessionManager is never called. This means that no HTTP session is invalidated in the logout methods.
To fix this I have created my own HttpSessionManager based on a Spring ApplicationListener and registered it as a listener in my web.xml.
I would like to know if this is a known issue. Has this been fixed in 4.0.0? Can it also be fixed in a 3.4.4 version?
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;

public class MyHttpSessionManager extends HttpSessionManager implements ApplicationListener<ApplicationEvent> {

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        // Spring Security publishes HttpSessionCreatedEvent for each new session;
        // forward it to the adapter's sessionCreated so the session is tracked.
        if (event instanceof HttpSessionCreatedEvent) {
            HttpSession session = ((HttpSessionCreatedEvent) event).getSession();
            HttpSessionEvent creationEvent = new HttpSessionEvent(session);
            this.sessionCreated(creationEvent);
        }
    }
}
5 years, 10 months
Different IDP's for different clients
by Pulkit Srivastava
I have different clients (same realm) set up in Keycloak with some IdPs such as Google, Facebook, Twitter, etc.
I want different clients to see different IdPs.
For instance, client1 should see Google and Twitter, client2 should see Facebook and Google, etc.
How can this be achieved?
Thanks,
Pulkit
5 years, 10 months
Can able to install keycloak adapters
by vandana thota
Hello
We have WildFly 11.0.0.0 Final.
We copied keycloak-wildfly-adapter-dist-4.0.0.Final.zip under the Wildfly_Home path and unzipped that file.
I even created the file layers.conf under the folder Wildfly_Home/Modules.
Trying to run the command to install the Keycloak adapter on WildFly, but it's throwing the below error. What needs to be done for this, any idea?
nl0000:/srv/prop/wildfly/11/bin> ./jboss-cli.sh --file=adapter-elytron-install.cli --connect --controller=0.0.0.0:xxxx
Authenticating against security realm: ManagementRealm
Username: xxxx
Password:
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
    "rolled-back" => true
    "response-headers" => {"process-state" => "reload-required" }
}
Can't we install this manually instead of using jboss-cli, or how can we resolve the above error?
5 years, 10 months
Will Keycloak scale to handle hundreds of LDAP integrations?
by Filipe Abrahao
Hi everyone,
I work at Doodle, an online platform that helps people schedule meetings and social events. We have around 28m people that use our product every month, and we are in the process of splitting our monolith.
We have been experimenting with Keycloak as our auth service, and so far we are pretty happy with it. We are just making sure it fulfils all our requirements, but we have one that we are not sure would work with Keycloak:
Some of our bigger users, like universities and big corporations, require managing their users via LDAP. We know that Keycloak can integrate with LDAP. But my question is whether creating one LDAP configuration for each client is the right way to do it.
If we have to configure one LDAP integration for each client that requires it, we will potentially end up with hundreds (perhaps thousands) of them.
Will it scale? Will Keycloak be able to handle that?
many thanks,
Filipe A
5 years, 10 months
Replace username with phone number
by Ahmed Ossama
Hi Everyone,
I am new to Keycloak and I am considering using it in a project. However, I've been playing with Keycloak for a bit and cannot seem to work out a specific need for the project. The need is to sign up and make the phone number of a user the user identifier instead of the username.
What I did was: created an empty realm, exported it, then modified the properties using username to be phonenumber, and imported it again. Then I created a new theme based on the basic theme and changed username to phonenumber. But it wasn't enough, and in the UI there were a lot of references to username.
So I was wondering if this is possible or not, and if possible, how can I achieve it?
Thanks in advance.
--
Regards,
Ahmed Ossama
5 years, 10 months
Why is keycloak admin-cli throwing HTTP error 415 Unsupported Media Type?
by Subodh Joshi
Hi
I am trying to update a realm from the admin-cli but end up with 415 Unsupported Media Type.
FYI I did not make a single change in the demorealm.json file.
> /opt/keycloak/bin/kcadm.sh get realms/CRUE_Realm > demorealm.json
> /opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm > demorealm.json
* HTTP error - 415 Unsupported Media Type *
--
Subodh Chandra Joshi
subodh1_joshi82(a)yahoo.co.in
http://www.trendsinnews.com
5 years, 10 months