JAAS login context propagation issue with Keycloak
by valsaraj pv
Hi,
I am facing an issue with JAAS login context propagation when using Keycloak.
The following code is executed from a Message Driven Bean to log in as the application MDB user.
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.NameCallback;
> import javax.security.auth.callback.PasswordCallback;
> import javax.security.auth.login.LoginContext;
>
> // Programmatic JAAS login against the "keycloak" login module,
> // supplying the MDB user's name and password through the callbacks.
> loginContext = new LoginContext("keycloak", new CallbackHandler() {
>     @Override
>     public void handle(Callback[] callbacks) {
>         int len = callbacks.length;
>         Callback cb;
>         for (int i = 0; i < len; i++) {
>             cb = callbacks[i];
>             if (cb instanceof NameCallback) {
>                 NameCallback ncb = (NameCallback) cb;
>                 ncb.setName(mdbuserName);
>             } else if (cb instanceof PasswordCallback) {
>                 PasswordCallback pcb = (PasswordCallback) cb;
>                 pcb.setPassword(mdbUserPass);
>             }
>         }
>     }
> });
> loginContext.login();
After that, when I check the principal, I get anonymous!
> // EJB context caller principal checked after the JAAS login
> Principal p = ctx.getCallerPrincipal();
Is there any workaround for this issue?
Thanks!
5 years, 10 months
RPT vs regular access tokens
by Juan José Vázquez Delgado
Hello everyone! According to the documentation, an RPT is just a JWT token with permission claims. In order to disambiguate between an RPT and regular access tokens, is there any way to do this apart from checking the existence of these permission claims? Thanks!
5 years, 10 months
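As an added example (not from the thread), a defender-side check that verifies a token's signature and `alg` header before looking for the RPT permission claims under `authorization.permissions`. The HS256 secret and the two sample tokens are constructed so the snippet runs offline; Keycloak itself signs realm tokens with the realm's RS256 key, so a real deployment verifies against that public key instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret so the example runs offline; Keycloak itself signs
# with the realm's RS256 key, so a real check verifies against that public key.
DEMO_SECRET = b"constructed-demo-secret"

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 token (demo only, see DEMO_SECRET)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_and_classify(token: str, secret: bytes = DEMO_SECRET) -> str:
    """Return 'rpt', 'access' or 'invalid'; the signature and alg header are
    checked before any claim is read, so tampered claims are never trusted."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        sig_bytes = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError, AttributeError):
        return "invalid"
    if alg != "HS256":  # rejects alg=none and algorithm-confusion attempts
        return "invalid"
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return "invalid"
    claims = json.loads(b64url_decode(payload))
    # A Keycloak RPT carries its permissions under the "authorization" claim;
    # a regular access token for the same user has no such claim.
    auth = claims.get("authorization")
    perms = auth.get("permissions") if isinstance(auth, dict) else None
    return "rpt" if isinstance(perms, list) and perms else "access"

# Constructed sample tokens: same user, one with and one without permissions.
ACCESS_TOKEN = make_hs256_jwt({"sub": "user-1", "azp": "my-app", "scope": "openid"})
RPT_TOKEN = make_hs256_jwt({"sub": "user-1", "azp": "my-app", "authorization": {
    "permissions": [{"rsid": "res-1", "rsname": "Resource A", "scopes": ["view"]}]}})
```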
Mapping SAML attributes from ADFS
by Rens Verhage
Hi all,
I'm having some trouble importing users from ADFS. On first-time login, Keycloak displays the user registration form with only the username pre-filled; first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response.
Do I have to explicitly map these attributes?
How can I log the SAML response in plain text? All SAML assertions are encrypted; how can I log / debug the mapping of user attributes?
Rens
5 years, 10 months
Admin console and reverse proxy
by Benoit HERARD
Hi All
I've installed the latest version (4.0.0.Beta3) on a test box and followed this guide (https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...) to access Keycloak through an Apache reverse proxy.
For the moment, in order to facilitate troubleshooting, my configuration is using HTTP only (for Keycloak and Apache). Apache is listening on port 80 and Keycloak on 8080.
For now, I can perfectly connect and use the user account management via the proxy (http://localhost/auth/realms/master/account). As well, I can configure and use mod_auth_openid to protect backends on Apache.
My problem is when I want to connect to the Keycloak admin console. If I go directly to WildFly (http://localhost:8080/auth/admin) it works: I can log in and use the admin console. But if I go there via the proxy (http://localhost/auth/admin) it fails. The login form opens, I can enter and submit my creds, but then a blank page opens where the admin console GUI should be available.
With the developer tools of my browser I can see that cookies seem to be set correctly by the authentication server (e.g. from this blank page I type the URL of account management and it's displayed without re-entering creds, so I conclude that I am logged in).
The developer tools call stack shows that it fails in calling https://localhost/auth/admin/master/console/whoami with HTTP 401 (unauthorized).
Any idea?
Thx
5 years, 10 months
Bulk user import recommendations
by Scott Hezzell
Hi
Keycloak 3.4.0, running 5 instances in containers using standalone clustered mode against Postgres.
I am looking for the recommended approach to bulk user imports into keycloak. I initially hoped to use the admin api but I am looking at having to import batches of up to 80,000 users and initial tests look to top out at just under 40 requests per second. At that throughput it will take 33 minutes to import a set of 80,000 users.
Is this an expected throughput level? Any techniques to increase this? Any alternative techniques?
I thought about inserting directly into the keycloak postgres db but I am concerned about the upgrade experience.
Could implementing my own user store and adding my own custom user storage provider (enabling me to import directly into my own db, and implementing the defined interfaces for the user storage provider, which would hopefully help the upgrade path) be an option?
Are there any migration options I could take advantage of?
Many thanks
Scott
5 years, 10 months
Force additional authentication for specific pages?
by Eric B
I'm not sure how this can be done in Keycloak, but I suspect that it must be feasible. Is there a way to use Resources, or something similar, that would force an already-authenticated user to reauthenticate himself when accessing a specific set of resources?
For example, if a user wants to access high-level administrative functions, I would like for the user to reauthenticate themselves again. This reauthentication could be valid for a finite period of time (ex: 5 mins), before the user would have to once again reauthenticate themselves to continue using the high-level admin functions.
During the period where the user re-authenticates himself for the high-level functions, I want his existing Keycloak session to continue as it was; there should be no interruption in his original session or credentials.
I've been looking to see if there was a way to use Keycloak Authorization Resources and Permissions to accomplish this. Are there any good examples or docs that could help steer me? Or am I looking down the wrong path?
Thanks,
Eric
5 years, 10 months
Hardware requirements of keycloak cluster
by priti guleria
Hi Team,
I want to deploy a clustered Keycloak setup in production.
Can someone help me with what the minimum hardware requirements for this setup should be?
Thanks,
Priti
5 years, 10 months
E-Mail template: which template is used for which action? How to alter this?
by Neujahr, Jana
Dear keycloak users,
I'm to configure Keycloak email messages. I already found the folders and the FTL files.
Strangely, Keycloak does not seem to use the email_verification.ftl when sending an activation link. It's using the executeActions.ftl, though I found out that the "requiredAction" actually is VERIFY_EMAIL. So why isn't it using the appropriate template?
Is there a possibility for me to change which FTL templates are used for the different actions?
Alternatively, does anybody know whether in the executeActions case there can be several "requiredActions"? If it's sure to be only one, I could do the modulation to the different templates in the executeActions.ftl, checking the requiredActions.
I appreciate every hint or idea.
PS: If someone needs to know how far I've got with checking the requiredActions in the executeActions.ftl, I'll happily share.
Kind regards
Jana
5 years, 10 months
Modify roles in Token after user login SPI
by Sandeep Rai
Hi Community,
I'm trying to add more roles into the token after the token has been generated, following the isValid() return of the Authentication SPI.
I have an application which has SMS OTP functionality. After the user has verified the OTP, I want to grant more roles to the user by adding those roles into the token. But how do I modify the existing token, or even renew it with new roles?
Is there an endpoint I can use to do so? Or any other ProviderInterface that I can use to achieve this?
Regards
5 years, 10 months