Add custom Attributes to user from Kerberos ticket
by Dominik Guhr
Hi,
so I am writing a custom authenticator right now which handles a
Kerberos ticket from an LDAP federation provider I added via the admin panel.
This works; the only thing is that, due to the internationalization bug, I don't
import the users from the federation provider.
Now in my custom authenticator, I try to call a third-party API and add
some attributes to this user.
To achieve this, I customized the authenticate(AuthenticationFlowContext
context) method to call my third-party API via Apache HttpClient (works).
Then, I try to read everything the result JSON of the third party returns, and
map it into a UserModel.
I do it like this:
if (responseCode == 200) {
    ObjectMapper mapper = new ObjectMapper();
    ObjectNode rootnode = (ObjectNode) mapper.readTree(responseString);
    // Walk every field of the third-party response and map it onto the UserModel.
    rootnode.fieldNames().forEachRemaining(s -> {
        String val = rootnode.get(s).asText();
        if (s.equals("lastname"))
            output.getAuthenticatedUser().setLastName(val);
        else if (s.equals("firstname"))
            output.getAuthenticatedUser().setFirstName(val);
        else if (s.equals("email"))
            output.getAuthenticatedUser().setEmail(val);
        else if (s.equals("username")) {
            // skip this completely.
        } else if (s.equals("newPasswordRequired")) {
            // TODO when required action works, set it here
            // user.addRequiredAction("UPDATE_THIRDPARTY_PASSWORD");
        } else {
            // Everything else becomes a single-valued custom attribute.
            output.getAuthenticatedUser().setAttribute(s, Arrays.asList(val));
            logger.info("adding attribute to usermodel: " + s);
        }
    });
    context.setUser(output.getAuthenticatedUser());
}
So here I set the attributes etc. dynamically, which works pretty fine.
But in my token I don't get these attributes; it seems like I only get
those that are actually mapped from LDAP, too.
So I tried to add a mapper for "employeeID" to my federation provider,
but that didn't change anything.
In my client, for sure I added that mapper via User Attribute and, for
the sake of idk, later tried with User Property, but it had no effect.
So, I need to get the other attributes too; dynamically would be
perfect, but even statically would be good.
Is there any chance to do this, or do I have to stick with the fields
from LDAP?
I thought context.setUser ... would do, but it seems it doesn't.
Perhaps I have to set the user not for the context, but elsewhere?
Any help is highly appreciated.
Thank you,
Dominik
2 years, 10 months
No sync between infinispan and keycloak in cluster
by Lamine Léo Keita
Hi,
I am facing an issue with the cluster example.
I have 2 sites, and on each I have 1 Keycloak and 1 Infinispan running.
The Infinispan instances see each other and are configured as in the example in the documentation.
Each Keycloak sees the Infinispan on its site.
When I open 2 sessions, one on each site, I see 2 entries in the session
cache on the Infinispan, but on each Keycloak I see that only one session is
running!
Has someone already had this issue?
Could somebody help me please?
Lamine
2 years, 10 months
how to notify app when keycloak session timeout or user logout?
by Nhut Thai Le
Hello,
My app has quite some sessions that start when a user logs in through
Keycloak. I want to close these sessions when the Keycloak session expires or
the user logs out. Is there any notification/callback from the Keycloak server
when such an event occurs?
Thai
2 years, 10 months
cannot change token times/settings in realm settings
by Avinash Kundaliya
Hello Community,
I just set up a keycloak-4 beta3 and have the issue that when I navigate to
the "Tokens" page, it shows up for a brief moment and then redirects to the
"Resource not found" page.
In the network requests, we can see that the request [1] returns a 404.
The same doesn't happen for the master realm. We have the same issue in
keycloak-4 beta1 as well (which is why I wanted to update and try).
Any suggestion would be helpful here.
Regards,
Avinash
[1]
<url>/auth/admin/realms/myrealm?$promise={}&$resolved=true&accessCodeLifespan={"unit":"Minutes","time":1}&accessCodeLifespanLogin={"unit":"Minutes","time":30}&accessCodeLifespanUserAction={"unit":"Minutes","time":5}&accessTokenLifespan={"unit":"Minutes","time":5}&accessTokenLifespanForImplicitFlow={"unit":"Minutes","time":15}&actionTokenGeneratedByAdminLifespan={"unit":"Hours","time":12}&actionTokenGeneratedByUserLifespan={"unit":"Minutes","time":5}&adminEventsDetailsEnabled=false&adminEventsEnabled=false&attributes={"_browser_header.xXSSProtection":"1;+mode=block","_browser_header.xFrameOptions":"SAMEORIGIN","_browser_header.strictTransportSecurity":"max-age=31536000;+includeSubDomains","permanentLockout":"false","quickLoginCheckMilliSeconds":"1000","_browser_header.xRobotsTag":"none","maxFailureWaitSeconds":"900","minimumQuickLoginWaitSeconds":"60","failureFactor":"30","actionTokenGeneratedByUserLifespan":"300","maxDeltaTimeSeconds":"43200","_browser_header.xContentTypeOptions":"nosniff","actionTokenGeneratedByAdminLifespan":"43200","bruteForceProtected":"false","_browser_header.contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","waitIncrementSeconds":"60"}&browserFlow=browser&browserSecurityHeaders={"xContentTypeOptions":"nosniff","xRobotsTag":"none","xFrameOptions":"SAMEORIGIN","xXSSProtection":"1;+mode=block","contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","strictTransportSecurity":"max-age=31536000;+includeSubDomains"}&bruteForceProtected=false&clientAuthenticationFlow=clients&defaultRoles=offline_access&defaultRoles=uma_authorization&directGrantFlow=direct+grant&dockerAuthenticationFlow=docker+auth&duplicateEmailsAllowed=false&editUsernameAllowed=true&enabled=true&eventsEnabled=false&eventsListeners=jboss-logging&failureFactor=30&internationalizationEnabled=false&loginWithEmailAllowed=true&maxDeltaTimeSeconds=43200&maxFailureWaitSeconds=900&minimumQuickLoginWaitSeconds=60&notBefore=0&offlineSessionIdleTimeout={"unit":"Days","time":30}&otpPolicyAlgorithm=HmacSHA1&otpPolicyDigits=6&otpPolicyInitialCounter=0&otpPolicyLookAheadWindow=1&otpPolicyPeriod=30&otpPolicyType=totp&otpSupportedApplications=FreeOTP&otpSupportedApplications=Google+Authenticator&permanentLockout=false&quickLoginCheckMilliSeconds=1000&realm=myrealm&refreshTokenMaxReuse=0&registrationAllowed=true&registrationEmailAsUsername=false&registrationFlow=registration&rememberMe=false&requiredCredentials=password&resetCredentialsFlow=reset+credentials&resetPasswordAllowed=false&revokeRefreshToken=false&smtpServer={}&sslRequired=all&ssoSessionIdleTimeout={"unit":"Minutes","time":30}&ssoSessionMaxLifespan={"unit":"Hours","time":10}&userManagedAccessAllowed=false&verifyEmail=false&waitIncrementSeconds=60
--
---
Avinash Kundaliya
avinash(a)avinash.com.np
http://avinash.com.np
2 years, 10 months
LDAP failover
by Vinay
Does Keycloak provide LDAP failover, i.e. provide two LDAP URLs while
creating an LDAP provider so that users can be searched on both the primary and
the secondary LDAP server? This is required for high availability.
2 years, 10 months
Keycloak SAML redirection stuck in loop after logging in
by Lenay Schminzh
I'm trying to secure a URL, /monitoring, with Keycloak using SAML.
I've modified my web.xml:
<web-app>
    <!-- Javamelody Access check -->
    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>
    <security-role>
        <role-name>monitoringrole</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Monitoring</web-resource-name>
            <url-pattern>/monitoring</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>monitoringrole</role-name>
        </auth-constraint>
    </security-constraint>
    <listener>
        <listener-class>
            org.springframework.web.context.request.RequestContextListener
        </listener-class>
    </listener>
</web-app>
I've also modified my Tomcat 7 context.xml file with the correct Valve and
added the keycloak-saml.xml in /WEB-INF. I'm correctly redirected to the
IdP, but even after successfully logging in, I keep getting this message: *You
are already logged in*
I guess I'm redirecting to the same URL I'm securing, but shouldn't
Keycloak grant me access to the page?
[image: Capture.PNG]
Here is my configuration on the keycloak server :
[image: 7252z.png]
Am I missing something on the configuration side ?
Thank you.
2 years, 10 months
Get old password in custom update-password required action
by Dominik Guhr
Hi everyone,
I need help with the following custom authentication flow:
1a. User logs in via a custom username/pw form authenticator. Success
case: he gets logged in, backend-wise into a third-party system via a
REST call. User is created in Keycloak. => works!
1b. User logs in, but the third-party system returns a flag that the user has to
change his password. For this, I created a required action which just
uses the "normal" update_password required action, but in its
processAction method calls the third-party system. => Doesn't really
work, because:
one requirement of the third-party API for updating the pw of a user to a
new one is that the old password has to be in the request JSON, syntax:
{
    username: "...",
    passwordNew: "...",
    passwordOld: "..."
}
Now I am struggling a little to get the old password in my required
action-form, which, as of now, is the login-update-password.ftl as can
be found here:
https://github.com/keycloak/keycloak/blob/master/themes/src/main/resource...
It seems there already is a hidden field for the current password, but
this has no value.
So this seemed not to work, and now I am thinking of creating my own form
and setting it for the required action. Therefore I have one problem (so far):
The code I use now for creating the update pw-form, which is the "normal"
kc-form, looks like this:
@Override
public void requiredActionChallenge(RequiredActionContext context) {
    Response challenge = context.form()
            .setAttribute("username",
                    context.getAuthenticationSession().getAuthenticatedUser().getUsername())
            .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
    context.challenge(challenge);
}
Now I want to use my own form, containing another form element where the
user has to put in his old pw. So, what do I need to change here?
I saw the secretactionrequiredaction at GitHub, which uses
createForm("...ftl"), but not setAttribute and/or createResponse,
so one question is: is createForm... enough to get my own form loaded
at the required action? (aside from putting a custom ftl in the theme I use)
Would be great to get some hints here!
Thanks in advance,
Dominik
dominik.guhr(a)codecentric.de
2 years, 10 months
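The required-action flow sketched in the post above (custom form with an old-password field, then a call to a third-party password API from processAction), as an added example that is not part of the original post or of Keycloak itself. It is written against the Keycloak 4.x RequiredActionProvider SPI (RequiredActionContext, LoginFormsProvider.createForm/setError, Messages); the template name login-update-password-thirdparty.ftl, the field names passwordOld/passwordNew/passwordConfirm, the provider id and the ThirdPartyClient interface are assumptions for the example. It assumes, as in the post, that the third party is the system that verifies the old password, so Keycloak validates only what it can (non-empty, confirmation matches) before forwarding, and never writes either password to the log.

```java
package example.requiredaction; // assumed package

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import java.util.Objects;

import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/**
 * Required action that renders its own template (assumed name below) with
 * passwordOld, passwordNew and passwordConfirm inputs, validates the
 * submission, and forwards the change to the third-party API.
 * Registering it still needs a RequiredActionFactory with the same id and a
 * META-INF/services entry, which this example omits.
 */
public class ThirdPartyUpdatePassword implements RequiredActionProvider {

    // Assumed provider id; must match the id the authenticator adds with addRequiredAction().
    public static final String PROVIDER_ID = "UPDATE_THIRDPARTY_PASSWORD";
    // Assumed template file, placed in the login theme in use.
    static final String FORM_TEMPLATE = "login-update-password-thirdparty.ftl";

    /** Hypothetical client for the third-party REST API (not a Keycloak API). */
    public interface ThirdPartyClient {
        /** Returns true when the third party accepted the change, false when it rejected passwordOld. */
        boolean changePassword(String username, String passwordOld, String passwordNew);
    }

    private final ThirdPartyClient client;

    public ThirdPartyUpdatePassword(ThirdPartyClient client) {
        this.client = client;
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        // Nothing to evaluate here: the login authenticator adds this action
        // when the third party reports newPasswordRequired.
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        // createForm() renders the named template; setAttribute() exposes ${username} to it.
        Response challenge = context.form()
                .setAttribute("username", context.getUser().getUsername())
                .createForm(FORM_TEMPLATE);
        context.challenge(challenge);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String passwordOld = form.getFirst("passwordOld");
        String passwordNew = form.getFirst("passwordNew");
        String passwordConfirm = form.getFirst("passwordConfirm");
        UserModel user = context.getUser();

        // Local checks first, so malformed submissions never reach the third party.
        if (passwordOld == null || passwordOld.isEmpty()
                || passwordNew == null || passwordNew.isEmpty()) {
            reshow(context, Messages.MISSING_PASSWORD);
            return;
        }
        if (!Objects.equals(passwordNew, passwordConfirm)) {
            reshow(context, Messages.INVALID_PASSWORD_CONFIRM);
            return;
        }

        // The third party holds the credential, so it is the one to verify passwordOld.
        // Only the username is safe to log; the passwords are not.
        if (!client.changePassword(user.getUsername(), passwordOld, passwordNew)) {
            reshow(context, Messages.INVALID_PASSWORD_EXISTING);
            return;
        }

        user.removeRequiredAction(PROVIDER_ID);
        context.success();
    }

    /** Re-render the custom form with a localized error key from Keycloak's message bundle. */
    private void reshow(RequiredActionContext context, String messageKey) {
        context.challenge(context.form()
                .setAttribute("username", context.getUser().getUsername())
                .setError(messageKey)
                .createForm(FORM_TEMPLATE));
    }

    @Override
    public void close() {
    }
}
```

The template itself only needs the three password inputs posted to `${url.loginAction}`; because the old password is read from the submitted form in `processAction` rather than pre-filled anywhere, nothing secret is ever rendered back into the page.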