[Keycloak] Server Development - Custom Forgot Password Branding
by Frédéric Sénèque
Dear all,
We need to do some custom branding on the forgot password pages and emails, reset password, etc., and we are planning to extend the Keycloak theme (version 3.4.3.Final).
But we are facing an issue on how to get some custom data from the previous page (the login form).
We tried to look at this, but it seems quite old: https://stackoverflow.com/questions/44072608/keycloak-access-cookie-and-o...
I have read the documentation about creating a new SPI and tried to create one for the forgot password page (org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider).
But it looks like I need to implement all the login pages (configure TOTP, Update Profile ...).
Is there a way to only « override » forgot password and reset password without the need of copy/pasting almost all of the code?
Thanks in advance
Regards,
Frédéric SENEQUE
5 years, 10 months
Group's attributes not being mapped to users?
by Andy Yar
Hello,
I use Keycloak 3.4.1.Final and keycloak-js NPM package as client.
My use case employs a single level group hierarchy and users who
belong to one of the groups. Each group has an attribute.
For example attribute department_full_name. Thus users working in the
same department could be grouped together and each would inherit its
department_full_name attribute from the group.
This way it feels natural to me.
I've googled a relevant discussion:
http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html
Also the Server Administration confirms this behavior by stating: "The
Attributes and Role Mappings tab work exactly as the tabs with similar
names under a user. Any attributes and role mappings you define will
be inherited by the groups and users that are members of this group."
However, it doesn't seem to work for me using the Bearer OpenID Connect
scheme. The decoded JWT structure simply doesn't contain my mapped
attribute (in id_token or access_token). It contains both the roles mapped
from the group and the attribute set directly on the user, but not the
group-mapped attribute...
Am I missing something obvious here? Thanks
Andy
5 years, 10 months
No 'Access-Control-Allow-Origin' header found in preflight response
by Nhut Thai Le
Hello,
I am having an issue with CORS; here is my setup:
I'm using Keycloak 4.0.0.Beta2.
In the client settings page of the Keycloak admin console, I have Web Origins set to *
The Keycloak Jetty adapter is configured programmatically as follows:
    AdapterConfig keycloakConfig = new AdapterConfig();
    ...
    keycloakConfig.setCors(true);
    keycloakConfig.setCorsAllowedMethods("POST, PUT, DELETE, GET");
    keycloakConfig.setCorsAllowedHeaders("Origin, X-Requested-With, Content-Type, Accept, Cache-Control, Cookie, Host, Pragma, Referer, User-Agent");
From the browser, I see a GET request:
https://dev.test.com:9443/diagram/services/diagrams/rest/common/getData?d...
And the server response:
    HTTP/1.1 302 Found
    Date: Mon, 11 Jun 2018 19:56:04 GMT
    Set-Cookie: JSESSIONID=node0lc6bl81dkagi1q62aulvltr183.node0;Path=/diagram/services/diagrams/rest;Secure
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: OAuth_Token_Request_State=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73;HttpOnly
    Location: https://dev.test.com:8543/auth/realms/bigrealm/protocol/openid-connect/au...
    Content-Length: 0
    Server: Jetty(9.4.6.v20170531)
Somehow this 302 instructs the browser to do a preflight check with OPTIONS:
    OPTIONS /auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid HTTP/1.1
    Host: dev.test.com:8543
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    Access-Control-Request-Method: GET
    Origin: https://dev.test.com:9443
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
    Access-Control-Request-Headers: x-requested-with
    Accept: */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
However, when Keycloak replies to the preflight, it sets the status to 204
(perhaps correct since it has nothing) but no 'Access-Control-Allow-Origin'
header is returned.
I think because of this, the real GET request is not sent.
Did I miss anything when configuring Keycloak that may cause this?
Thai
5 years, 10 months
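A way to see exactly what the browser is checking in the exchange above, as an added example that is not part of this thread or of Keycloak: the function below applies the browser-side CORS preflight rules from the Fetch standard to a preflight response and lists every reason the real request would be blocked. The page origin, the requested method and header, and the observed 204 are constructed from the headers quoted in the post; the `WORKING_RESPONSE` headers are an assumption about what the preflight would have to return, not something the adapter is known to emit. Two points it makes concrete: a 204 with no Access-Control-Allow-Origin fails regardless of anything else, and because the call carries cookies (a credentialed request), a literal `*` would fail too, so the Origin has to be echoed back. The underlying problem for an XHR is the redirect itself: even with correct CORS headers, a script cannot complete an interactive login page, which is why browser-side API calls normally send a bearer token obtained by the client adapter rather than relying on the server's 302.

```python
"""CORS preflight evaluator, modelled on the browser-side checks of the Fetch
standard.  Added example; not part of the original thread or of Keycloak.
The request/response data below is constructed from the headers quoted in
the post."""

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def _csv(value):
    """Split a comma-separated header value into trimmed tokens."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]


def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def preflight_verdict(origin, method, req_headers, status, resp_headers, credentials=False):
    """Return (allowed, reasons): would the browser let the real request go out?

    origin       -- the page's Origin, e.g. "https://dev.test.com:9443"
    method       -- Access-Control-Request-Method
    req_headers  -- Access-Control-Request-Headers names
    status       -- preflight response status code
    resp_headers -- preflight response headers
    credentials  -- True when the request carries cookies/Authorization
                    (XHR withCredentials, fetch credentials: "include")
    """
    reasons = []
    if not 200 <= status <= 299:
        reasons.append(f"preflight status {status} is not 2xx")

    acao = _get(resp_headers, "Access-Control-Allow-Origin")
    if acao is None:
        reasons.append("no Access-Control-Allow-Origin header")
    elif acao == "*":
        if credentials:
            reasons.append("wildcard Allow-Origin is rejected for credentialed requests")
    elif acao != origin:
        reasons.append(f"Allow-Origin {acao!r} does not match Origin {origin!r}")

    acac = (_get(resp_headers, "Access-Control-Allow-Credentials") or "").lower()
    if credentials and acac != "true":
        reasons.append("credentialed request needs Access-Control-Allow-Credentials: true")

    methods = [m.upper() for m in _csv(_get(resp_headers, "Access-Control-Allow-Methods"))]
    wildcard_methods = "*" in methods and not credentials
    # GET/HEAD/POST pass even when unlisted; other methods must be listed (or "*").
    if method.upper() not in methods and not wildcard_methods and method.upper() not in SAFELISTED_METHODS:
        reasons.append(f"method {method} not in Access-Control-Allow-Methods")

    allowed_headers = [h.lower() for h in _csv(_get(resp_headers, "Access-Control-Allow-Headers"))]
    wildcard_headers = "*" in allowed_headers and not credentials
    for name in req_headers:
        lowered = name.lower()
        # "*" never covers Authorization; it has to be listed explicitly.
        if lowered not in allowed_headers and not (wildcard_headers and lowered != "authorization"):
            reasons.append(f"header {name} not in Access-Control-Allow-Headers")

    return (not reasons, reasons)


# Constructed from the post: the preflight to the Keycloak auth endpoint came
# back 204 with no CORS headers at all.
PAGE_ORIGIN = "https://dev.test.com:9443"
OBSERVED_RESPONSE = (204, {"Content-Length": "0", "Server": "Jetty(9.4.6.v20170531)"})

# Assumed shape of a preflight response the browser would accept: the Origin
# is echoed back (not "*") because the call carries cookies.
WORKING_RESPONSE = (204, {
    "Access-Control-Allow-Origin": PAGE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST, PUT, DELETE, GET",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
})


def check(response, credentials=True):
    """Evaluate a (status, headers) pair against the GET + x-requested-with preflight from the post."""
    status, headers = response
    return preflight_verdict(PAGE_ORIGIN, "GET", ["x-requested-with"], status, headers, credentials)


if __name__ == "__main__":
    for label, resp in (("observed", OBSERVED_RESPONSE), ("working", WORKING_RESPONSE)):
        allowed, why = check(resp)
        print(label, "->", "allowed" if allowed else "blocked", why)
```

Run it as a script to see the observed response rejected for three separate reasons (no Allow-Origin, no Allow-Credentials, X-Requested-With not allowed) and the assumed working response accepted; `preflight_verdict` can be pointed at any captured preflight exchange to get the same breakdown.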
Custom User Registration flow
by Manisha Nandal
I built a custom FormAction/FormActionFactory to provide additional
behavior in the registration flow. I'm able to build the JAR, and I have
deployed my changes to the standalone/deployments directory. Now when going
through the registration process, the FormAction is definitely triggered
but an immediate error is thrown:
    15:10:38,229 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/services/validation/Validation
        at org.keycloak.authenticationspi.RegistrationProfile.validate(RegistrationProfile.java:39)
        at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:214)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
        at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:816)
        at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:284)
        at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:607)
        at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:659)
        at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:639)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
Please tell me the missing configuration, as it is unable to locate the
class files from the Keycloak dependencies.
Thanks,
Manisha
5 years, 10 months
How to avoid Logout from IDP when application Logs out using Keycloak
by siddhartha chakraborty
Hi All,
So we are logging out from our application using:
    KeycloakDeployment deployment = keycloakSecurityContext.getDeployment();
    keycloakSecurityContext.logout(deployment);
But as a result we are getting logged out from the IDP also, which is not
desirable.
Basically we don't want to log out from the IDP when our application logs
out.
Any help please.
We tried providing some invalid URL (example: www.google.com) in the Logout
URL in the OpenID Connect Config,
but the session was not redirected to www.google.com.
We even tried enabling the Backchannel Logout, but it didn't work.
Any help will be much appreciated.
Thanks,
Siddhartha
5 years, 10 months
information about post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak"
by Otaño Pavo, Cesar
Hi all,
I am reviewing the post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak": https://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
At the beginning of the post, in the section "Configure the Keycloak server" there are two points that are:
- Configure key layer for the incoming HTTPS connection
- Export the AD FS certificate to a Java trust store to enable outgoing HTTPS connections
These two points have a link with instructions on the steps to follow, the instructions are in GitBook. When I try to register, the page redirects me to the new Gitbook site to register.
I registered in the new site but I cannot find the instructions that I commented before. The documents are not in the new platform and the old one does not let me sign up.
Can someone send me the information or send me an invitation to collaborate?
Thank you
Regards
César
5 years, 10 months
Unexpected behavior: self-registration through a provided IDP
by Stefan Engstrom
I have a setup where self-registration is disallowed on the realm > login page.
Meanwhile, I have Google set up as an identity provider, and if I attempt to authenticate using a Google account (that doesn't yet exist in the realm) Keycloak asks me to verify my email and is happy to create an account for me. Is there a way to prevent this from happening?
Stefan Engström
Lead Research & Development Engineer
Education Networks of America
618 Grassmere Park Drive
Suite 12
Nashville, TN 37211
Phone: 615-312-6136
CTAC: 888-612-2880
Video @ https://ena.zoom.us/my/sengstrom
Mobile: 615-500-3223 <= Best option
5 years, 10 months