Re: [keycloak-user] Implicit flow between two (or more) keycloak instances
by Yann Jouanin
Hello community,
Does anybody have a clue on this topic?
Best regards,
Yann
>
> I am currently trying to use implicit flow between two keycloak instances.
> My setup is :
> We have one keycloak used in our cloud and one on the customer's premises,
> federating the customer's LDAP.
>
> Because there is no network connectivity between the two keycloak
> instances, I want to use the implicit flow so that the customer accesses our
> service in the cloud, gets redirected to our keycloak instance for login and
> then has the option to use its on-premise instance configured as an OIDC
> identity provider.
> The setup works in a lab with the standard flow, but with the implicit flow I get the
> error message "Standard flow is disabled for the client"
>
> Is implicit flow usable in this case?
>
> Best regards,
> Yann Jouanin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 4 months
Permissions: Slow/complex interactions
by Corentin Dupont
Hi guys,
I am experiencing performance issues on my API server using Keycloak.
After someone issues a GET on my API server, here is what happens:
- API server -> DB server: get requested resources
- API server -> Keycloak: get client token (to get resources)
- API server -> Keycloak: get resources (to complement DB server with
resource owner & visibility)
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
At this point the filtered resources are returned.
But this process is quite slow. I noticed a call to KC can take up to 100ms.
The complete call on the API server can take up to 600ms on my laptop, in a
localhost setting.
The delays become noticeable on my UI...
With a resource SPI strategy (if developed), it should be:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
- Keycloak -> DB server: get resources
There are slightly fewer requests. An additional gain is that resources are not
split between 2 databases.
I wonder if resources could be pushed during the permission request? Like a
"pushed claim".
This would be even more straightforward:
- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission and push resources
Can this work?
6 years, 4 months
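Of the four Keycloak round trips listed above, the client token is the same for every API request and only needs to be fetched again when it is about to expire, so keeping it in memory removes one of the calls without any SPI work. The following is an added example, not code from the post or from Keycloak: a small cache wrapped around the authorization client's obtainAccessToken(). It assumes a keycloak.json on the classpath for AuthzClient.create(); the class name and the 30-second leeway are choices for the example. The same wrapper can hold the per-user RPT for its lifetime, keyed by user, which takes out a second round trip.

```java
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.AccessTokenResponse;

/**
 * Added example (not from the post): keeps a Keycloak-issued token in memory and
 * refreshes it only when it is about to expire, so the "get client token" round
 * trip is paid once per token lifetime instead of once per API request.
 */
public final class CachedToken {
    private final Supplier<AccessTokenResponse> fetcher;
    private final long leewayMillis;
    private String token;
    private long expiresAtMillis;

    /**
     * leewaySeconds: refresh this long before the expiry Keycloak reported, so that
     * clock skew and request latency cannot turn a cached token into an expired one.
     */
    public CachedToken(Supplier<AccessTokenResponse> fetcher, long leewaySeconds) {
        this.fetcher = fetcher;
        this.leewayMillis = TimeUnit.SECONDS.toMillis(leewaySeconds);
    }

    /** Returns a token valid for at least the leeway; one thread refreshes, the others wait for it. */
    public synchronized String get() {
        long now = System.currentTimeMillis();
        if (token == null || now >= expiresAtMillis - leewayMillis) {
            AccessTokenResponse response = fetcher.get();   // the only place that contacts Keycloak
            token = response.getToken();
            expiresAtMillis = now + TimeUnit.SECONDS.toMillis(response.getExpiresIn());
        }
        return token;
    }

    /** Drop the cached token, for example after Keycloak answered 401 to a request that used it. */
    public synchronized void invalidate() {
        token = null;
    }

    public static void main(String[] args) {
        // AuthzClient.create() reads keycloak.json from the classpath (assumed to be present).
        AuthzClient authz = AuthzClient.create();
        CachedToken clientToken = new CachedToken(authz::obtainAccessToken, 30);
        // Every request handler reuses this instance; only the first call, and one call per
        // expiry, goes to Keycloak.
        String bearer = clientToken.get();
        System.out.println("client token obtained, length " + bearer.length());
    }
}
```

The cache holds a bearer token in process memory, so it belongs in the API server only, never in anything shipped to a browser, and invalidate() should be called whenever Keycloak rejects the token so that a revoked token is not retried until its recorded expiry.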
How to login without username and password
by bejond
Hi developers,
I want to use a mobile number and an SMS text code to log in to Keycloak. But Keycloak requires a username and password to log in. I copied the Browser authentication flow, removed "Username Password Form", and added my own "Mobile OTP" SPI. When I open the login page, it shows "Invalid username or password", and the log says
" 21:00:03,638 WARN [org.keycloak.events] (default task-106) type=LOGIN_ERROR, realmId=test1, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8080/auth/admin/master/console/
21:00:45,711 WARN [org.keycloak.services] (default task-107) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: mobile-otp-authenticator"
Is there a way to remove "Username and Password Form" and log in with my own SPI? Or can I override the default "Username and Password Form" with my own logic? By "override" I mean that I write a new SPI without changing the Keycloak source code.
If I can't achieve this, I think I need to use another open source OAuth application, bind it to Keycloak as an Identity Provider, and change the source of that OAuth application to achieve my goal. It would be better if I could achieve my goal without another IdP.
Thanks in advance.
6 years, 4 months
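The logged failure names the authenticator itself. Keycloak's browser flow rejects an authenticator whose requiresUser() returns true when no earlier step has set a user on the context, and once the Username Password Form is removed nothing earlier in the flow does that, so a replacement step has to look the user up and call context.setUser() itself before context.success(). The following is an added example, not the poster's SPI and not Keycloak code: an Authenticator that identifies the user by a "mobile" user attribute, sends a one-time code, and verifies it. The attribute name, the template name mobile-otp.ftl, the auth-note keys, the SmsSender interface and the limits are assumptions; the AuthenticatorFactory that instantiates it and the META-INF/services registration are not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Added example (not from the post): browser-flow step that replaces the Username
 * Password Form. Step 1 takes a mobile number and sends a code; step 2 verifies the
 * code and establishes the user. "mobile", "mobile-otp.ftl", the note keys and
 * SmsSender are assumptions for the example.
 */
public class MobileOtpAuthenticator implements Authenticator {
    private static final String NOTE_USER = "mobile-otp.user";
    private static final String NOTE_CODE = "mobile-otp.code";
    private static final String NOTE_EXPIRES = "mobile-otp.expires";
    private static final String NOTE_ATTEMPTS = "mobile-otp.attempts";
    private static final long TTL_MILLIS = 5 * 60 * 1000L;
    private static final int MAX_ATTEMPTS = 3;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Hypothetical transport; a real implementation talks to an SMS gateway. */
    public interface SmsSender {
        void send(String mobile, String text);
    }

    private final SmsSender sms;

    public MobileOtpAuthenticator(SmsSender sms) {
        this.sms = sms;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit: render the form that asks for the mobile number.
        context.challenge(context.form().createForm("mobile-otp.ftl"));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String code = form.getFirst("code");
        if (code == null || code.isEmpty()) {
            // Step 1: resolve the number to exactly one user and send a fresh code.
            String mobile = form.getFirst("mobile");
            List<UserModel> users = mobile == null ? null
                    : context.getSession().users().searchForUserByUserAttribute("mobile", mobile, context.getRealm());
            if (users != null && users.size() == 1) {
                String otp = String.format("%06d", RANDOM.nextInt(1_000_000));
                // The code lives only in the server-side authentication session, bound to this browser.
                authSession.setAuthNote(NOTE_USER, users.get(0).getId());
                authSession.setAuthNote(NOTE_CODE, otp);
                authSession.setAuthNote(NOTE_EXPIRES, Long.toString(System.currentTimeMillis() + TTL_MILLIS));
                authSession.setAuthNote(NOTE_ATTEMPTS, "0");
                sms.send(mobile, "Your login code is " + otp);
            }
            // Same response whether or not the number is known, so the form cannot enumerate numbers.
            context.challenge(context.form().setAttribute("codeSent", Boolean.TRUE).createForm("mobile-otp.ftl"));
            return;
        }
        // Step 2: verify the submitted code against the one bound to this authentication session.
        String expected = authSession.getAuthNote(NOTE_CODE);
        String userId = authSession.getAuthNote(NOTE_USER);
        String expires = authSession.getAuthNote(NOTE_EXPIRES);
        String attemptsNote = authSession.getAuthNote(NOTE_ATTEMPTS);
        int attempts = attemptsNote == null ? 0 : Integer.parseInt(attemptsNote);
        if (expected == null || userId == null || expires == null
                || System.currentTimeMillis() > Long.parseLong(expires) || attempts >= MAX_ATTEMPTS) {
            clearNotes(authSession);   // force a new code after expiry or too many guesses
            context.failureChallenge(AuthenticationFlowError.EXPIRED_CODE,
                    context.form().setError("Code expired, request a new one").createForm("mobile-otp.ftl"));
            return;
        }
        authSession.setAuthNote(NOTE_ATTEMPTS, Integer.toString(attempts + 1));
        // Constant-time comparison; the code is short, so the attempt limit above does the real work.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), code.getBytes(StandardCharsets.UTF_8))) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("Invalid code").createForm("mobile-otp.ftl"));
            return;
        }
        UserModel user = context.getSession().users().getUserById(userId, context.getRealm());
        clearNotes(authSession);
        if (user == null || !user.isEnabled()) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.setUser(user);   // nothing earlier in the flow set a user; this is what the flow needs
        context.success();
    }

    private static void clearNotes(AuthenticationSessionModel authSession) {
        authSession.removeAuthNote(NOTE_USER);
        authSession.removeAuthNote(NOTE_CODE);
        authSession.removeAuthNote(NOTE_EXPIRES);
        authSession.removeAuthNote(NOTE_ATTEMPTS);
    }

    @Override
    public boolean requiresUser() {
        return false;   // must be false: no user exists yet when this step runs
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

The authenticator is only as strong as the binding between mobile number and account: the attribute has to be unique (hence the users.size() == 1 check) and only administrators may set it, otherwise a user who can edit their own profile can claim someone else's number. The code, expiry and attempt counter are kept in auth notes rather than in the form, so a client cannot replay or edit them.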
Custom Email Validation
by zitrone@gmx-topmail.de
Hi,
is there a way to do a custom email validation before changing/creating
an email via the admin REST API?
I already tried to use an event listener to catch the admin events create
and update on a user type, but I think they are fired after changing the
account data. I also did not find a way to cancel the event from inside
the listener.
Regards
6 years, 4 months
enable/disable permissions via the Java API
by Graser Leon (INST-CSS/BSV-OS)
Hi all,
for a project we are currently trying to automate our Keycloak setup programmatically using the Java API. So far I have figured out most of the requirements except for one feature. How can I enable/disable the permissions of an object such as a group or a role? In the web UI there is a tab called "Permissions" with a boolean switch to enable/disable them, and if I look at the HTTP calls I find a PUT call to my group similar to <url>/auth/admin/realms/<realm-name>/groups/<id>/management/permission with a payload of { enabled: true }. As of now I have extended the org.keycloak.admin.client.resource.GroupResource interface to make it happen using RESTEasy. Is there an existing way in the Java API to accomplish that?
Thanks in advance for any ideas.
Regards,
Leon
6 years, 4 months
Hot deploy in domain mode
by Yegui Cai
Hi.
I know in standalone mode, hot deploy can be done by putting the jar file
under standalone/deployments. How can I do hot deploy in domain mode?
Thanks!
Yegui
6 years, 4 months
Dynamically branded login?
by Craig Setera
We build and host a multitenant application that currently uses
homegrown authentication and authorization (using Picketlink). We are
considering a move to Keycloak. My preference would be to use the login
flows that are built into Keycloak rather than building our own; however,
that depends on whether we can properly brand those login flows on a
per-customer basis in some dynamic way.
In looking at the theme SPI support, it appears to be mostly targeted at
supporting multiple "static" themes. Is it possible to make a theme that
is dynamic based on, for example, a query parameter? Are there any
examples anywhere of how that might be possible? Would Keycloak carry
through query parameters if they were provided when launching the login
flow?
Thanks,
Craig
6 years, 4 months
kcadm - adding a protocol-mapper
by Jamie McDowell
Hi,
I am trying to add a client protocol-mapper; however, when I try to run this I get an HTTP error - 500 Internal Server Error

opt/jboss/keycloak/bin/kcadm.sh create clients/<id>/protocol-mappers/models \
    -r demorealm \
    -s protocol=openid-connect \
    -s protocolMapper=oidc-usermodel-realm-mapper \
    -s consentRequired=false \
    -s config.claim.name=group_membership \
    -s config.jsonType.label=String \
    -s config.id.token.claim=true \
    -s config.access.token.claim=true \
    -s config.userinfo.token.claim=true \
    -s config.multivalued=true \
    -s name=Realm
I can confirm that kcadm works, as I have been able to create groups, LDAP mappers, realms etc...
In the server.log I can see the below error when I run the above

ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co
 at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
 at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
 at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
 at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
 at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60)

I would appreciate it if anyone can advise on this (keycloak version is 3.4.3)
Thanks Jamie
6 years, 4 months
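The trace breaks off inside Jackson's StringDeserializer while it is reading a field of ProtocolMapperRepresentation whose name starts with "co", which is what happens when a value that must be a string arrives as a JSON object. In that representation config is a flat Map<String, String> whose keys themselves contain dots (claim.name, jsonType.label, id.token.claim, ...). kcadm's -s syntax treats an unquoted dot as a path into a nested object, so the dotted config keys have to be quoted, as in -s 'config."claim.name"=group_membership', to arrive as single keys. The following is an added example, not from the post and not Keycloak's own code, that creates the same mapper through the Java admin client, where the flat-map shape is explicit. Server URL, realm, client id, the KC_ADMIN_PASSWORD variable and the class name are assumptions; the mapper type id is the built-in realm-role mapper's id, which differs from the one in the post.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;

/**
 * Added example (not from the post): creates a realm-role claim mapper through the
 * admin client. The point is the shape of config: a flat Map<String, String> whose
 * keys contain dots. Connection details and names are assumptions.
 */
public class CreateRealmRoleMapper {

    /** Builds the mapper representation; every config value is a plain string. */
    public static ProtocolMapperRepresentation realmRoleMapper(String claimName) {
        ProtocolMapperRepresentation rep = new ProtocolMapperRepresentation();
        rep.setName("Realm");
        rep.setProtocol("openid-connect");
        // Built-in "User Realm Role" mapper id; confirm the id for your version against
        // GET /admin/serverinfo (protocolMapperTypes) before relying on it.
        rep.setProtocolMapper("oidc-usermodel-realm-role-mapper");
        Map<String, String> config = new HashMap<>();
        config.put("claim.name", claimName);      // one key containing dots, not a nested object
        config.put("jsonType.label", "String");
        config.put("id.token.claim", "true");
        config.put("access.token.claim", "true");
        config.put("userinfo.token.claim", "true");
        config.put("multivalued", "true");
        rep.setConfig(config);
        return rep;
    }

    public static void main(String[] args) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")          // assumed
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password(System.getenv("KC_ADMIN_PASSWORD"))    // assumed env var; never hard-code it
                .build();
        // Resolve the internal id (the <id> in the kcadm path) from the human-readable clientId.
        List<ClientRepresentation> clients =
                keycloak.realm("demorealm").clients().findByClientId("my-client");   // assumed clientId
        if (clients.size() != 1) {
            throw new IllegalStateException("expected exactly one client, found " + clients.size());
        }
        String clientUuid = clients.get(0).getId();
        Response response = keycloak.realm("demorealm").clients().get(clientUuid)
                .getProtocolMappers().createMapper(realmRoleMapper("group_membership"));
        try {
            // Fail loudly: a mapper that silently did not get created leaves tokens without the claim.
            if (response.getStatus() != 201) {
                throw new IllegalStateException("mapper not created, HTTP " + response.getStatus());
            }
        } finally {
            response.close();
        }
    }
}
```

Whichever route is used, the claim ends up in id, access and userinfo tokens, so the relying parties that read group_membership should treat it as authoritative only after verifying the token signature and issuer as usual.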
EventListenerProvider that removes an existing offline session/token
by Michael Hunziker
Hi everyone!
I need some advice in implementing an EventListenerProvider that makes sure
that there is only one offline session/token per user (as soon as the user
logs in on another device the provider should make sure that the other
session/token is deleted).
I would expect that calling
"userSessionProvider.removeOfflineUserSession(realmModel, userSession);"
should be enough in the code below... But it does not delete anything in
"OFFLINE_CLIENT_SESSION" and "OFFLINE_USER_SESSION".
Am I missing something? Is this even doable?
Cheers Michael
// Added to the posted snippet: imports and the surrounding class, so it compiles as an
// EventListenerProvider. The class name and the MY_REALM value are placeholders.
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;

public class SingleOfflineSessionListener implements EventListenerProvider {
    private static final Logger log = Logger.getLogger(SingleOfflineSessionListener.class);
    private static final String MY_REALM = "my-realm"; // realm the listener is limited to (placeholder)
    private final KeycloakSession session;
    private final RealmProvider realmProvider;

    public SingleOfflineSessionListener(KeycloakSession session) {
        this.session = session;
        this.realmProvider = session.realms();
    }

    @Override
    public void onEvent(Event event) {
        final String realmId = event.getRealmId();
        final String userId = event.getUserId();
        final EventType eventType = event.getType();
        if (isRelevantEvent(realmId, eventType) && userId != null) {
            RealmModel realmModel = realmProvider.getRealm(realmId);
            UserModel userModel = session.users().getUserById(userId, realmModel);
            final UserSessionProvider userSessionProvider = session.sessions();
            final List<UserSessionModel> userSessions =
                    userSessionProvider.getOfflineUserSessions(realmModel, userModel);
            // Remove every offline session except the one tied to the login that fired this event
            userSessions.stream()
                    .filter(userSession -> !userSession.getId().equals(event.getSessionId()))
                    .forEach(userSession -> {
                        log.warnf("Removing already existing offline user session %s", userSession.getId());
                        userSessionProvider.removeOfflineUserSession(realmModel, userSession);
                    });
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) { } // admin events are not relevant here

    @Override
    public void close() { }

    private boolean isRelevantEvent(final String realmId, final EventType eventType) {
        return eventType != null && eventType == EventType.LOGIN
                && realmId != null && realmId.equals(MY_REALM);
    }
}
6 years, 4 months
Auth0 Lock alternative
by Robert Smol
Hi,
is there any project similar to Auth0 Lock? Something that would allow me
to embed Keycloak's login page into my classical web app? Currently,
whenever I need to log in the user, I forward him to Keycloak, but there are
demands to show the login window directly on our webpage.
Robert
6 years, 4 months