July 2018 - keycloak-user - Jboss List Archives

Keycloak User Storage SPI with external data base based on Spring Security

by Alvaro Abella

Hi, I followed this example https://github.com/keycloak/keycloak-quickstarts/ tree/latest/user-storage-jpa and I modified to connect with my Oracle database after a little work with Jboss. Now, I can view all users on my Keycloak admin panel, but I can't login with them into his account because password are cyphered with Bcrypt. How do you usually deal with this situations? Has anyone integrated a Spring-Security-based database with keycloak? Thanks! -- *Álvaro Abella González* [image: bluetab.net] <http://www.bluetab.net/>alvaro.abella(a)bluetab.net

6 years, 6 months

2
3
0 / 0

Enabling Identity provider alone

by Madhu

Hi , I want to disable client, Realm management, Authentication and Roles and want to create a user who will be able to provide only Identity provider/broker integration. I understand user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage realm user also has access to role creation,authenciation and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL? I am looking for authorization model based solution. Regards,Madhu

6 years, 6 months

3
6
0 / 0

Multiple logins from different IPs

by Eric Dill

Hi, Searching through the mailing list, the docs and JIRA, I've been able to find some previous conversations on the mailing list <http://lists.jboss.org/pipermail/keycloak-user/2017-March/010059.html> and a closed Jira ticket <https://issues.jboss.org/browse/KEYCLOAK-4611> around the same user being able to simultaneously be logged in from two (or more) different IP addresses. The comment last year was > We don't have this supported OOTB, but likely we should as it's quite popular use-case though It's been a bit over a year since that was posted to the mailing list. I wonder if this capability is now supported out of the box? The other piece of advice last year was that > For now, you will need to implement custom Authenticator If this capability does not exist out of the box, are there any available examples of doing this as a plug-in? Thanks for the great project :-D Best, Eric -- Eric D. Dill, PhD Senior Solutions Architect <https://anaconda.com/> <https://twitter.com/anacondainc> <https://www.linkedin.com/company/anacondainc> <https://www.facebook.com/anacondainc/> <https://www.slideshare.net/continuumio>

6 years, 6 months

2
1
0 / 0

Keycloak 4.1.0.Final released!

by Marek Posolda

See details on the blog: http://blog.keycloak.org/2018/07/keycloak-410final-released.html

6 years, 6 months

1
0
0 / 0

NPE when requesting authorization

by Corentin Dupont

Hi guys, I got this error when requesting authorization on a resource: $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view" {"error":"server_error","error_description":"Unexpected error while evaluating permissions"} On the server side I get: 12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190) at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) I got my token this way: USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r` This seems to happen for scope-based policies. Cheers Corentin

6 years, 6 months

2
8
0 / 0

resource set filter

by Corentin Dupont

Hi, It seems the resource set filter was removed from Keycloak 4? I noticed this line was removed from the doc: List resource set descriptions using a filter: GET /resource_set?filter=${filter} Now the GET /resource_set only returns the list of resource ids, which is not so useful. How to get a resource id from its name?

6 years, 6 months

2
3
0 / 0

Revocation Policy

by gambol

Hiya In regard to revocation policies or the ability to revoke access tokens. Does keycloak only provide this feature as a push model? ... Glancing at documentation and a quick google the implementation seems to be a back channel callback to the url with I guess some verifiable payload? .. Is there any other means to request this information .. I can't see anything in the rest api but essentially I'd like periodically check if any tokens has been revoked. Rohith

6 years, 6 months

1
0
0 / 0

Access token in account management console

by Miguel Sanz

Hi everyone, I need to receive from the back the access token in account.ftl template. I know that I don´t have the access token because I am inside Keycloak. But when you enter in admin console, keycloak.js is used and you can access to the access token in the code. Do you have any suggestion to retrieve the access token in the code of account management console? Also, I have tried to use the keycloak-preview code in Angular 2, but when I try to change the password it returns a 400 error. Thank you very much. -- [image: Kairós Digital Solutions] <http://www.kairosds.com> [image: Miguel Sanz Martín] Full-stack Developer *Kairós Digital Solutions* Castellana 43 - WeWork, Madrid 28046 <https://goo.gl/maps/rXYrLwh5s6t> https://www.kairosds.com/ *Nota legal*: Este mensaje y cualquier archivo adjunto está destinado únicamente a quien se dirige y es confidencial. Si usted ha recibido este mensaje por error, comuníqueselo al remitente y bórrelo inmediatamente. La utilización, revelación y/o reproducción del mensaje puede constituir un delito. *Protección de Datos - Responsable: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L.**Finalidad.* Envío de información, respuesta a consultas y contactos genéricos, mientras dure nuestra relación y tengamos su consentimiento. *Destinatarios.* No se cederán datos a terceros salvo obligación legal. *Derechos.* Puede ejercer los derechos de acceso, rectificación, supresión y oposición, limitar el tratamiento de sus datos, o directamente oponerse al tratamiento, o ejercer el derecho a la portabilidad de los mismos. Todo ello, mediante escrito, acompañado de copia de documento oficial que le identifique, dirigido al RESPONSABLE. En caso de disconformidad con el tratamiento, también tiene derecho a presentar una reclamación ante la Agencia Española de Protección de Datos. También podrá oponerse a nuestros envíos de comunicaciones comerciales (Art.21.2 de la LSSI) a través de la siguiente dirección de correo electrónico: info(a)kairosds.com -- Nota legal: Este mensaje y cualquier archivo adjunto está destinado únicamente a quien se dirige y es confidencial. Si usted ha recibido este mensaje por error, comuníqueselo al remitente y bórrelo inmediatamente. La utilización, revelación y/o reproducción del mensaje puede constituir un delito. Protección de Datos - Responsable: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L.Finalidad. Envío de información, respuesta a consultas y contactos genéricos, mientras dure nuestra relación y tengamos su consentimiento. Destinatarios. No se cederán datos a terceros salvo obligación legal. Derechos. Puede ejercer los derechos de acceso, rectificación, supresión y oposición, limitar el tratamiento de sus datos, o directamente oponerse al tratamiento, o ejercer el derecho a la portabilidad de los mismos. Todo ello, mediante escrito, acompañado de copia de documento oficial que le identifique, dirigido al RESPONSABLE. En caso de disconformidad con el tratamiento, también tiene derecho a presentar una reclamación ante la Agencia Española de Protección de Datos. También podrá oponerse a nuestros envíos de comunicaciones comerciales (Art.21.2 de la LSSI) a través de la siguiente dirección de correo electrónico: info@kairosds.com <mailto:info@kairosds.com>

6 years, 6 months

1
0
0 / 0

How to check permission when issuing token

by Hiroyuki Wada

Hi, Our customer has a requirement that they want to check whether the authenticated user has sufficient permission to access the service(RP) when issuing token. I came up with an idea using custom protocol mapper which checks the assigned roles as follows: https://gist.github.com/wadahiro/b777c49b61766c8f634981756aedffaa By using this mapper, token endpoint returns 403 Forbidden error if the authenticated user doesn't have sufficient role. Is this a good way? Or is there a better way to do it? Best Regards -- Hiroyuki Wada Nomura Research Institute, Ltd.

6 years, 6 months

1
0
0 / 0

Authorization header from third party site

by Schaar, Andrew

Hello, We are receiving authorization headers from a third party that links to our site. The endpoint being hit is not secured via spring security, however because an authorization header is on the request KeycloakAuthenticationProcessingFilter.java is attempting to authenticate the request. The result is a VerificationException from AdapterRSATokenVerifier and subsequently a 401 and a poor user experience. I am wondering if you have any advice regarding the scenario where an invalid authorization header is received when requesting unsecured endpoints. We are using the Keycloak spring security adapter 3.4.2.Final Thanks! Andrew

6 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user July 2018