Need help on keycloak SSO configuration
by vandana thota
Hello All,
It's been a long time, almost 4 months, that I have been trying to configure
single sign-on for an application which is deployed on a WildFly server.
Our env is WildFly 11 Final, using Keycloak 4.0.0 Final. Till now I have
not been able to reach the goal.
I need help with the following configuration, especially steps 6
to 11.
1. Set up a client for your application in Keycloak
2. Set up a broker in Keycloak that points to Okta and sets that as the
automatic delegate. This means no keycloak login screen would be shown and
it would delegate directly to Okta for authentication.
3. Log into Okta
4. Get to Okta app screen.
5. Click on app link
6. App redirects to Keycloak for authentication
7. Keycloak redirects automatically to Okta
8. Okta sees you are already logged in
9. Redirects back to Keycloak
10. Creates SAML assertion or OIDC token for client
11. Redirects back to app.
Thanks,
Vandana
6 years, 6 months
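Steps 6 and 11 are the two ends the application itself sees: it sends the browser to Keycloak, and later gets a redirect back carrying a code. What follows is an added example (not code from the post, the WildFly adapter or Keycloak) of that relying-party side: building the authorization request with Keycloak's kc_idp_hint parameter so the realm login page is skipped and the browser is sent straight to the named broker, then checking the callback and the ID-token claims. The host, realm "demo", client "myapp", IdP alias "okta" and the redirect URI are assumed; any token payload used with it is constructed.

```python
"""Relying-party side of steps 6 and 11 of the brokered login (added example).
Assumed/hypothetical: Keycloak host, realm 'demo', client 'myapp', IdP alias
'okta' and the redirect URI. ID-token payloads used with this are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK = "https://sso.example.com/auth"        # assumed; Keycloak 4 still serves under /auth
REALM, CLIENT_ID, IDP_ALIAS = "demo", "myapp", "okta"
REDIRECT_URI = "https://app.example.com/callback"
ISSUER = f"{KEYCLOAK}/realms/{REALM}"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_auth_request():
    """Step 6: return (authorization URL, per-login values the app keeps server-side)."""
    state = b64url(secrets.token_bytes(32))
    nonce = b64url(secrets.token_bytes(32))
    verifier = b64url(secrets.token_bytes(32))                       # PKCE code_verifier
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
        "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
        # Keycloak-specific: skip the realm login page, redirect to this broker (step 7)
        "kc_idp_hint": IDP_ALIAS,
    }
    url = f"{ISSUER}/protocol/openid-connect/auth?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url: str, session: dict) -> str:
    """Step 11: verify the state before doing anything with the code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    got = q.get("state", [""])[0].encode()
    if not hmac.compare_digest(got, session["state"].encode()):
        raise ValueError("state mismatch: stale or forged callback")
    # The code is exchanged at the token endpoint together with session['code_verifier'].
    return q["code"][0]


def id_token_claim_problems(claims: dict, session: dict, now=None) -> list:
    """Claim checks for the ID token obtained in the code exchange. They assume the JWS
    signature was already verified against the realm's JWKS; that is what the Keycloak
    adapter or an OIDC library does, and it is deliberately not redone here."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    if CLIENT_ID not in aud:
        problems.append("aud")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("azp")
    if int(claims.get("exp", 0)) <= now:
        problems.append("exp")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), session["nonce"].encode()):
        problems.append("nonce")
    return problems
```

Two points worth noting when wiring this into a real application: the state and nonce must live in the server-side session, never in the redirect itself, and the nonce check is what ties the ID token Keycloak mints in step 10 to this particular login rather than to a replayed one.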
SAML setup
by Hylton Peimer
I have an application connected to Keycloak using the Spring Boot adapter.
There is a client with the OpenID Connect protocol, and the login page is
displayed in Keycloak and everything works.
Recently I've been trying to add SAML support and make my application an
SP. I've done the following with two different IdPs, but neither works:
1) Create a new client for SAML and import the IdP metadata
2) SSO to the application with a POST binding
I get the following lines in the Keycloak docker container log:
14:33:42,922 WARN [org.keycloak.protocol.saml.SamlService] (default
task-2) Unknown saml response.
14:33:42,923 WARN [org.keycloak.events] (default task-2)
type=LOGOUT_ERROR, realmId=myrealm, clientId=null, userId=null,
ipAddress=80.176.43.230, error=invalid_token
How can I debug this?
Hylton
6 years, 6 months
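The first thing to establish when a SAML endpoint logs "Unknown saml response" is what kind of message actually reached it and at which URL. Two facts about Keycloak's layout matter here: a client entry makes Keycloak the IdP for that application, whose endpoint is .../realms/<realm>/protocol/saml; Keycloak acts as a SAML SP only through an entry under Identity Providers (brokering), whose endpoint is .../realms/<realm>/broker/<alias>/endpoint. The following added example (not code from the post or from Keycloak) decodes a POST-binding form body and reports the message type, issuer, destination, status and whether anything is signed, which is enough to see where an authentication Response was delivered. The entity IDs, URLs and the sample message are constructed.

```python
"""Decode a SAML POST-binding message for debugging (added example, not from the post).
Constructed: the issuer, destination and the sample Response below."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_post(form_body: str) -> dict:
    """form_body is the raw application/x-www-form-urlencoded body the browser POSTed."""
    form = parse_qs(form_body)
    field = "SAMLResponse" if "SAMLResponse" in form else "SAMLRequest"
    if field not in form:
        raise ValueError("form carries neither SAMLResponse nor SAMLRequest")
    # POST binding is plain base64; only the Redirect binding DEFLATEs first.
    xml_bytes = base64.b64decode(form[field][0])
    # For attacker-controllable input parse with defusedxml: stdlib ElementTree does not
    # fetch external entities, but it is still exposed to entity-expansion DoS.
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "field": field,
        "message": root.tag.rsplit("}", 1)[-1],     # Response, LogoutResponse, AuthnRequest, ...
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "signed_message": root.find("ds:Signature", NS) is not None,
        "signed_assertion": root.find("saml:Assertion/ds:Signature", NS) is not None,
    }


# Constructed sample: an unsigned authentication Response from a hypothetical IdP, posted
# to the URL of a Keycloak *client* SAML endpoint (hypothetical host and realm).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-07-01T14:33:42Z" InResponseTo="_req1"
    Destination="https://sso.example.com/auth/realms/myrealm/protocol/saml">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-07-01T14:33:42Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_FORM_BODY = urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(),
    "RelayState": "abc",
})
```

Run decode_saml_post over the body captured from the browser's developer tools (or from a tool such as SAML-tracer). A Response whose Destination is the client endpoint of the realm was sent to Keycloak-as-IdP, not to a broker endpoint; and a Response that reports signed_message and signed_assertion both false should be rejected by any SP regardless of where it lands.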
Retrieve all permissions
by Corentin Dupont
Hi again,
with Keycloak 4, is there a way to retrieve all permissions (like with the
old entitlement API)?
6 years, 6 months
why where admin-cli scopes removed?
by Federico Navarro Polo - Info.nl
Hello,
We recently upgraded our Keycloak version to a more recent one, and found out that the scopes of admin-cli client were updated.
After looking in JIRA, I found this issue https://issues.jboss.org/browse/KEYCLOAK-5724 , which probably is the reason for it.
However, it’s not clear to me what was exactly the reason. Was it removed only because the token was growing too long, or were there any security concerns in regards to the client scope?
Kind regards,
Federico Navarro
backend developer
federico(a)info.nl | LinkedIn: https://www.linkedin.com/company/info-nl | +31 20 530 9161
info.nl (http://www.info.nl/)
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
6 years, 6 months
Download jks-file for a confidential client
by Matuszak, Eduard
Hello
I tried to get the JKS keystore file for a confidential client residing in a realm by utilizing the API
.. /certificates/jwt.credential/download
While generating and downloading via
../certificates/jwt.credential/generate-and-download
works fine, giving a .jks file of about 2 KB in size, the pure download afterwards also gives a .jks file, but only about 700 bytes in size. Both files are inspectable with keytool
keytool -list -keystore keycloak-testrealm-testclient-client.jks -storepass Pw_Kc_Str -v
, where the "generate-and-download" file in addition gives a warning that a proprietary format is used.
It turns out that the creation of a token for the confidential client via the keystore file fails with the tiny, simply "downloaded" .jks file, whereas it works fine when taking the bigger "generate-and-download"ed .jks file.
My question is: Is this a bug, that ".. /certificates/jwt.credential/download" does not return the same (and proper) .jks file as "../certificates/jwt.credential/generate-and-download", or is it possible to download the correct working .jks by other means? Inspection of Keycloak's class ClientAttributeCertificateResource did not give any suggestions to me.
Best regards , Eduard Matuszak
PS: My Keycloak version is 2.5.5
Attachment:
Here the test-bashscript I used
#!/usr/bin/env bash
# -----------------------------------------------------------------------------------------------
# TEST SCRIPT
# Test if Keycloak store for client in a realm exists, create if not existing. Download in any case
# ------------------------------------------------------------------------------------------------
set -u
# TEST PARAMETERS
KEYCLOAK_HOST=<IP-address-ofKeycloak>
kcEndpoint="http://$KEYCLOAK_HOST:8080"
KEYCLOAK_ADMIN_PASSWORD=<kc_admin_password>
realmName=testrealm
clientName=testclient
kcFileNamePart=${realmName}
outFile=/opt/ccp/auth/keycloak-${kcFileNamePart}-client.jks
# Key and store passwords baked into the downloaded JKS (they show up in `ps` while curl runs)
keyPassword=Pw_Kc_Clnt
storePassword=Pw_Kc_Str
# TEST PARAMETERS END
umask 077   # the admin token and the keystore are written to disk; keep them owner-readable only

echo "Getting an Access Token from Keycloak"
curl -s -D /tmp/http-result \
  -d "username=admin" \
  -d "password=$KEYCLOAK_ADMIN_PASSWORD" \
  -d "grant_type=password" \
  -d "client_id=admin-cli" \
  "$kcEndpoint/auth/realms/master/protocol/openid-connect/token" \
  | sed -n 's .*"access_token":"\([^"]*\)".* \1 p' > /tmp/kc-token
grep HTTP /tmp/http-result
authHeader="Authorization: Bearer $(</tmp/kc-token)"
#-----------------------------------------------
#Get clientId of ${clientName} if still existing
#-----------------------------------------------
echo "Get clientId of ${clientName} if still existing"
curlPath=$kcEndpoint/auth/admin/realms/${realmName}/clients
echo "using path $curlPath"
status=$(curl -s -o /dev/null \
  -H "$authHeader" \
  -H "Content-Type: application/json" \
  -w '%{http_code}' "$curlPath")
if [ "$status" -eq 200 ] ; then
  echo "Try to extract clients from response..."
  # the internal UUID of the client, looked up by its clientId name
  clientId=$(curl -s "$curlPath" \
    -H "$authHeader" \
    -H "Content-Type: application/json" \
    | jq -r --arg c "$clientName" '.[] | select(.clientId == $c) | .id')
  echo "clientId: $clientId"
  if [ -z "$clientId" ] ; then
    echo "Client ${clientName} not found in realm ${realmName}"
    exit 1
  fi
else
  echo "Error (HTTPStatus=$status): It seems that the Keycloak is not reachable via the provided path $curlPath"
  exit 1
fi
# ----------------------------------------------------------
# Keycloak > Try to download keystore file for ${clientName}
# ----------------------------------------------------------
# Both endpoints take the same KeyStoreConfig JSON body; only the last path segment differs.
keystoreConfig='{"keyAlias": "'$clientName'", "realmAlias": "'$realmName'", "realmCertificate": false, "format": "JKS", "keyPassword": "'$keyPassword'", "storePassword": "'$storePassword'"}'
fetch_keystore() {   # $1 = download | generate-and-download
  curl -s -D /tmp/http-result \
    -H "$authHeader" \
    -H "Content-Type: application/json" \
    -d "$keystoreConfig" \
    "$kcEndpoint/auth/admin/realms/${realmName}/clients/$clientId/certificates/jwt.credential/$1" > "$outFile"
  grep HTTP /tmp/http-result
}

echo "Keycloak > Try to get the keystore file for ${clientName}"
fetch_keystore download
if grep HTTP /tmp/http-result | grep -q ' 404 ' ; then
  echo "No certificate created so far -> Keycloak > Generating ${clientName} client certificate and downloading keystore"
  fetch_keystore generate-and-download
elif grep HTTP /tmp/http-result | grep -q ' 200 ' ; then
  echo "Keycloak > Keystore for ${clientName} downloaded to $outFile"
else
  echo "Could not test for certificate existence for client ${clientName}"
  exit 1
fi
6 years, 6 months
How to specify local Gitlab HOST
by So Be
Hi,
I configured Keycloak to work with our GitLab instance, but it is still
redirecting to the global GitLab.
In the Keycloak configuration page I see no entry for the URL of GitLab.
How and where can I set this up?
I suppose through an env variable.
Thank you.
Regards
Sofiane.
6 years, 6 months
Re: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner
by Shaik Salam
Hi,
We have installed Docker on a Linux operating system in a VM and are running the Keycloak server as a container.
Trying to restart the server (ex: ./bin/standalone.sh), but boot fails due to the following port conflicts.
Could you please let us know whether any modifications are needed to the ports or interface IP addresses in the respective files (ex: standalone.xml, host.xml etc.)?
Please provide a suitable solution and say which files need to be modified to rectify the following errors; see the log below for more information.
Thanks in advance.
11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:340)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
failure description: {
"WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"},
"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
"Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"],
"Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}
}
11:10:49,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
"Services that were unable to start:" => [
"jboss.deployment.discovery.\"keycloak-server.war\"",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"com.sun.faces.config.ConfigureListener\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.faces.webapp.FacetTag\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.filters.KeycloakSessionServletFilter\".START",
"jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.listeners.KeycloakSessionDestroyListener\".START",
"jboss.deployment.unit.\"keycloak-server.war\".deploymentCompleteService",
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service",
"jboss.undertow.deployment.default-server.default-host./auth"
],
"Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}}
BR
Salam
6 years, 6 months
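The three bind failures in the trace are WildFly's default http (8080), management (9990) and https (8443) ports, and "Address already in use" means another process already holds them on 127.0.0.1. In a container whose entrypoint already started Keycloak, a second ./bin/standalone.sh collides with the first, so the check to run before touching standalone.xml is ss -ltnp (or netstat -ltnp) inside the container to see who owns the ports. The following added example (not code from the post or from WildFly) pulls the conflicting bindings and failed services out of such a log and, for the case where a second instance really is wanted, computes what WildFly's port-offset switch would move them to; standalone.xml declares its socket-binding-group with port-offset="${jboss.socket.binding.port-offset:0}", which is the property that flag sets. The sample log embeds the three bind-failure lines quoted above.

```python
"""Triage a failed WildFly/Keycloak boot log (added example, not from the post).
SAMPLE_LOG reproduces the three bind-failure lines from the thread."""
import re

BIND_RE = re.compile(r"Address already in use /(?P<host>[^\s:/]+):(?P<port>\d+)")
FAILED_SERVICE_RE = re.compile(r"Failed to start service (?P<svc>[\w.\-]+):")

# Default WildFly socket bindings, to name what each conflicting port is for
DEFAULT_PORTS = {8080: "http", 8443: "https", 9990: "management-http",
                 9993: "management-https", 8009: "ajp"}


def conflicting_binds(log_text: str):
    """Return sorted unique (host, port, binding_name) triples already held by another process."""
    found = {(m["host"], int(m["port"])) for m in BIND_RE.finditer(log_text)}
    return sorted((h, p, DEFAULT_PORTS.get(p, "custom")) for h, p in found)


def failed_services(log_text: str):
    """Service names WildFly reported as failed to start, deduplicated."""
    return sorted({m["svc"] for m in FAILED_SERVICE_RE.finditer(log_text)})


def port_offset_plan(conflicts, offset: int = 100) -> dict:
    """Only for deliberately running a second instance beside a live one:
    -Djboss.socket.binding.port-offset=N shifts every socket binding by N."""
    return {
        "jvm_flag": f"-Djboss.socket.binding.port-offset={offset}",
        "ports": {p: p + offset for _, p, _ in conflicts},
    }


SAMPLE_LOG = """\
11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
"""

if __name__ == "__main__":
    for host, port, name in conflicting_binds(SAMPLE_LOG):
        print(f"{host}:{port} ({name}) already bound")
    print(port_offset_plan(conflicting_binds(SAMPLE_LOG)))
```

When all of a server's well-known ports are taken at once, the owner is almost always the same server already running; the port offset belongs in a startup script only when two instances on one host is the intended design.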
Offline_access token expires or goes stale in random manner
by Soumya Mishra
Hello,
I had set offline access tokens for a lot of users at the same time.
Their Offline Session Idle timeout has been set to a very high number so
that it expires rarely.
But I have noticed lately that some of the tokens are expiring in a random
manner. No clue what the problem is or how I can debug it. Can you throw some
light on what the problems might be?
I have a setup of a 3-node Keycloak cluster, the instances talking to each
other via the multicast protocol.
Regards,
Soumya
6 years, 6 months