x509 authentication - two fields
by Karol Buler
Hi Keycloaks :)
I want to use two fields from certificate in x509 authentication flow.
Is there any possibility to do that out of the box, or do I have to
implement my own custom authentication mechanism using the Authentication SPI?
Karol
adbglobal.com<https://www.adbglobal.com>
6 years, 5 months
Keycloak username attribute
by Steve Munene
Hi, what is the SAML user attribute used by Keycloak in the SAML response?
I keep getting this after login from CloudStack:
<loginresponse cloud-stack-version="4.10.0.0">
<errorcode>531</errorcode>
<errortext>
Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.
</errortext>
</loginresponse>
6 years, 5 months
SSO with Keycloak JS and Cordova adapter
by Stephen Coady
Hi,
We have multiple apps (Native and Hybrid) using Keycloak and the single
sign on feature. It is currently working for all but Cordova. I am
wondering whether the Cordova adapter within keycloak-js currently supports
single sign-on in the same way the default adapter does. From my initial
experiments it looks like it doesn't, and the InAppBrowser plugin may be to
blame. Is there a way around this?
At the moment it looks like my only option would be to use the default
adapter in my cordova application, but this brings other complications -
such as a fragmented auth process.
Thanks,
Stephen
--
STEPHEN COADY
ASSOCIATE SOFTWARE ENGINEER
Red Hat
<https://www.redhat.com/>
Communications House, Cork Road
Waterford City, Ireland X91NY33
scoady(a)redhat.com IM: scoady
<https://red.ht/sig>
6 years, 5 months
Alternative authentication flows
by Tech
Dear experts,
we are working with Keycloak 4.0.0.
We want to implement the following authentication workflow:
1) Mandatory User/Password
2) If User/Password is correct, then one of the following is mandatory:
2.1) Google Authenticator
2.2) Another factor of authentication
We are only able to make the first challenge mandatory, while we are not
able to choose the second mandatory option.
If we set them both as Required, both are chosen in sequence ("Google
Authenticator" AND "Other factor"), while we cannot choose "Google
Authenticator" OR "Other factor".
Could you please advise?
Thanks
6 years, 5 months
Failed to evaluate permissions with javascript
by Corentin Dupont
Hi again,
I use a small javascript policy:
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (identity.id == permission.getResource().getOwner()) {
$evaluation.grant();
}
But this gets me an error:
Unexpected error while evaluating permissions: java.lang.RuntimeException:
Failed to evaluate permissions
at
org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
at
org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
at
org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
at
org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
...
Caused by: org.keycloak.scripting.ScriptExecutionException: Could not
execute script 'Resource owner' problem was: TypeError: null has no such
function "getOwner" in <eval> at line number 4
at
org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
at
org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
I noticed this happens only with scope-based policies, so maybe it's the
same problem as before?
6 years, 5 months
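The stack trace above says that `permission.getResource()` returned null at line 4 of the script, so `getOwner` was called on null. The following is an added example, not code from the post or from the Keycloak project: a null-safe version of the same resource-owner policy, written as a function that takes the evaluation object as a parameter so it can be exercised outside Keycloak. `makeEvaluation` and `makeResource` are constructed stand-ins that mimic the method names of Keycloak's `$evaluation`, `Permission`, `Resource` and `Identity` objects (`getContext`, `getIdentity`, `getId`, `getPermission`, `getResource`, `getOwner`, `grant`, `deny`); inside a real Keycloak JS policy the body of `evaluateOwnerPolicy` would be used directly with `$evaluation`. Note that the original uses `identity.id`, which Nashorn resolves to `getId()`; the explicit getter is used here so the same code runs in Node.

```javascript
// Added example (not from the original post): resource-owner policy that
// tolerates permissions without a resource, e.g. scope-based permissions.

// Policy logic; `evaluation` plays the role of Keycloak's $evaluation.
// Returns the decision taken so it can be checked by a caller.
function evaluateOwnerPolicy(evaluation) {
  var context = evaluation.getContext();
  var permission = evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // For a scope-based permission there may be no resource to compare the
  // owner against. Calling getOwner() here is what raised the TypeError,
  // so deny explicitly instead of letting the script fail.
  if (resource === null || resource === undefined) {
    evaluation.deny();
    return 'deny';
  }

  // Grant only when the requesting identity owns the resource.
  if (identity.getId() === resource.getOwner()) {
    evaluation.grant();
    return 'grant';
  }

  evaluation.deny();
  return 'deny';
}

// Constructed stand-in for $evaluation (hypothetical; same method names as
// Keycloak's evaluation API, but not the real implementation).
function makeEvaluation(userId, resource) {
  var decision = null;
  return {
    getContext: function () {
      return {
        getIdentity: function () {
          return { getId: function () { return userId; } };
        }
      };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    // helper for inspecting what the policy decided
    decision: function () { return decision; }
  };
}

// Constructed stand-in for a Keycloak Resource with an owner id.
function makeResource(ownerId) {
  return { getOwner: function () { return ownerId; } };
}

// Stand-alone run: a resource-based permission owned by the caller,
// one owned by someone else, and a scope-based permission with no resource.
var owned = makeEvaluation('user-1', makeResource('user-1'));
var foreign = makeEvaluation('user-2', makeResource('user-1'));
var scopeOnly = makeEvaluation('user-1', null);
console.log('owned resource ->', evaluateOwnerPolicy(owned));        // grant
console.log('foreign resource ->', evaluateOwnerPolicy(foreign));    // deny
console.log('no resource (scope-based) ->', evaluateOwnerPolicy(scopeOnly)); // deny
```

Denying when there is no resource is the conservative choice; a policy that is meant to cover scope-based permissions as well would need a different rule for that branch (for example, checking the scopes on the permission), since ownership cannot be established without a resource.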
Best way to do SSO
by Romain Rhieu
Hi,
I am currently working on setting up keycloak to manage the authentication
and authorization of a huge application pool.
I have a series of applications that have both public and protected areas.
So, I need to be able to identify a user that lands on a public url in
order to show personalized content.
Google offers similar functionality :
- Go to https://mail.google.com
- Login
- Then go to https://www.youtube.com
- You see personalized content on a page that is obviously public.
I'm wondering about the best way to do SSO. Reading the documentation, I
see two hypotheses:
1/ *Use Keycloak as basis*
Keycloak has to be customized so that the session cookie becomes
available to the whole domain (.example.com instead of keycloak.example.com).
Applications must store cookie value in session and deal with session
management.
However, I read in the documentation that I should not rely on this cookie
directly because its format can change and it’s also associated with the
URL of the Keycloak server, not my application.
2/ *Use JS adapter to use "check-sso" feature*
At each request on my application, when the page is loading, I call the
function "check-sso". If the user is already authenticated to Keycloak, I
refresh the page and create a user session on my application.
Do you think these hypotheses are good?
Do you know a better way to do SSO?
Thanks in advance
6 years, 5 months
Same user exists in both broker and identity provider
by priti guleria
Hi,
We are currently working on keycloak as SSO solution, where keycloak will
act as identity broker.
My use case is as below
- User 1 is present in keycloak broker and user 1 is also present in
identity provider .
- But in the identity provider user 1 does not have a username associated with
it; instead it has an employeeid attribute as the unique key.
Now my goal is to identify whether the user is already present in the broker Keycloak, and if I
try to log in through the identity provider it should identify it as an existing
account and merge both accounts.
(Currently, since the identity provider does not have a username for user 1, it is
not able to identify it in the broker as an existing account.)
Is there any configuration which can tell keycloak broker to check for
employeeid attribute and not username for existing account ?
Thanks,
Priti
6 years, 5 months
customizing OIDC refresh token flow
by Ori Doolman
Hi,
I'm looking for a way to customize the OIDC token endpoint:
In the OIDC code flow, when getting a new access token using a refresh token, I want to call an external system and update a user attribute, such that the attribute value will be mapped to an attribute of the returned JWT access token.
I think the relevant source code is here, but I didn't see a way to customize it using an SPI:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
The reason I need it is because we are working with an external identity provider, which returns an access token to us which is valid for only 15 minutes.
The external access token is mapped to our JWT once the user logs in (we customized the authentication flow).
Now I need a way that my JWT will always contain a valid external access token.
Therefore, I thought we can fetch a new external access token every time we refresh our JWT.
Or is there a better way to accomplish that?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
6 years, 5 months
Create new authentication flow using kcadm in Docker
by triton oidc
Hi,
I'm using a Docker image, and in the build I'd like to create a new flow.
However, I could not find a way to do this in the CLI.
Doing it in the GUI is not really what I want.
When I try
./kcadm.sh create authentication/flows
I get a
HTTP error - 415 Unsupported Media Type
Does this mean it's not possible?
If so, should I create a feature request?
My company pays a lot for Red Hat support, so they could support this feature.
Thanks for any help
Amaury
6 years, 5 months
keycloak-adapter-core-4.0.0.Final: Invalid version of org.apache.httpcore imported
by Nhut Thai Le
Hello,
I'm trying to add the Keycloak adapter to the OSGi container Felix using bnd, but I
got an error when resolving dependencies:
Resolution failed. Capabilities satisfying the following requirements could
not be found:
[<<INITIAL>>]
⮡ osgi.identity: (osgi.identity=org.keycloak.keycloak-pax-web-jetty94)
⮡ [org.keycloak.keycloak-pax-web-jetty94 version=4.0.0.Final]
⮡ osgi.wiring.package:
(&(osgi.wiring.package=org.keycloak.adapters.jetty)(version>=4.0.0.Final))
⮡ [org.keycloak.keycloak-jetty94-adapter
version=4.0.0.Final]
⮡ osgi.wiring.package:
(&(osgi.wiring.package=org.keycloak.adapters)(version>=4.0.0.Final))
⮡ [org.keycloak.keycloak-adapter-core
version=4.0.0.Final]
⮡ osgi.wiring.package:
(&(osgi.wiring.package=org.apache.http)(version>=4.5.2))
Opening up the manifest of keycloak-adapter-core-4.0.0.Final.jar I found this
in the Import-Package section: org.apache.http;version="4.5.2"
As I understand it, org.apache.http is found in
org.apache.httpcomponents:httpcore-osgi; this bundle has a max version of
4.4.10 as of today on Maven Central. So this requirement will never be
resolved by bnd.
I also looked at the keycloak-adapter-core-4.0.0.Final.pom and found that the
import of all org.apache.http.* packages requires the same version:
org.apache.http.*;version=${apache.httpcomponents.version},
This is wrong because org.apache.http is provided in both
apache.httpcomponents.httpclient
and apache.httpcomponents.httpcore.
Could anyone verify if this is a build issue and apply a fix?
Thank you
Thai Le
6 years, 5 months