Microservices Auth with Keycloak
by Chirdeep Tomar
We are implementing a microservices architecture with services written in
Spring/Vert.x and .NET Core.
So essentially these services are resource servers protecting resources, and
according to the documentation resource servers are also clients in Keycloak.
We have a few front-end apps and two mobile apps (Android and iPhone) which
will also be clients in Keycloak.
Questions
1) Should the front-end apps and mobile apps be public clients in Keycloak?
2) If each microservice that is a resource server is a client with
credentials, how does an access token generated for a single client ID work
across multiple microservices?
Not sure how to tie it all together, thanks for your help.
Chirdeep
6 years, 5 months
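Question 2 above is the one a worked example helps with, so here is an added example (not from the original post, and not Keycloak code). The access token is signed by the realm's key, not by any client's credentials, so every resource server that holds the realm public key (from the realm JWKS endpoint) can verify the same token; what scopes it to particular services is the `aud` claim, which Keycloak fills from an Audience protocol mapper on the client or client scope, while `azp` records which client obtained it. The client IDs `web-frontend`, `orders-service`, `inventory-service` and `billing-service`, and the realm URL, are assumed for the illustration; the realm key is generated on the fly to stand in for the real one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token that a resource server checks.
// aud is decoded by hand because a JWT allows it to be either a string or a list.
type Claims struct {
	Iss string   `json:"iss"`
	Azp string   `json:"azp"` // client that obtained the token (the SPA or mobile app)
	Exp int64    `json:"exp"`
	Aud []string `json:"-"`   // resource servers the token is meant for
}

var enc = base64.RawURLEncoding

func dec(s string) []byte { b, _ := enc.DecodeString(s); return b } // nil on bad input; callers fail closed

// MintToken stands in for the realm token endpoint: one RS256 token, requested
// by client azp, addressed to every service listed in aud.
func MintToken(key *rsa.PrivateKey, iss, azp string, aud []string, exp time.Time) (string, error) {
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "azp": azp, "aud": aud, "exp": exp.Unix()})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken is what every resource server does with that same token: check the
// realm signature (no client secret needed), issuer, expiry, and that its own
// client ID appears in aud. A service that is not in aud must reject the token.
func VerifyToken(token string, pub *rsa.PublicKey, iss, self string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" { // never accept alg=none or HS256 here
		return nil, errors.New("unexpected alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(parts[2])); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	var raw struct{ Aud json.RawMessage `json:"aud"` }
	if pb := dec(parts[1]); json.Unmarshal(pb, &c) != nil || json.Unmarshal(pb, &raw) != nil {
		return nil, errors.New("unreadable claims")
	}
	var one string
	if json.Unmarshal(raw.Aud, &one) == nil {
		c.Aud = []string{one}
	} else if json.Unmarshal(raw.Aud, &c.Aud) != nil {
		return nil, errors.New("missing or unreadable aud")
	}
	if c.Iss != iss || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("wrong issuer or expired")
	}
	for _, a := range c.Aud {
		if a == self {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("token not issued for %s (aud=%v)", self, c.Aud)
}

// realmKey stands in for the realm signing key; resource servers would fetch the
// public half from the realm's JWKS endpoint.
var realmKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Demo mints one token for a browser client and presents it to three services.
func Demo() (map[string]bool, error) {
	iss, now := "https://sso.example.com/auth/realms/demo", time.Now() // assumed realm URL
	tok, err := MintToken(realmKey, iss, "web-frontend", []string{"orders-service", "inventory-service"}, now.Add(5*time.Minute))
	if err != nil {
		return nil, err
	}
	verdict := map[string]bool{}
	for _, svc := range []string{"orders-service", "inventory-service", "billing-service"} {
		_, err := VerifyToken(tok, &realmKey.PublicKey, iss, svc, now)
		verdict[svc] = err == nil
	}
	return verdict, nil // orders and inventory accept; billing rejects (not in aud)
}

func main() { fmt.Println(Demo()) }
```

The point of the `billing-service` case is that "valid signature" is not the same as "meant for me": a token stolen from the orders API must not open the billing API, which is exactly what an audience check gives you and a plain signature check does not.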
Keycloak Login Recaptcha
by Ghinea Alexandru George
Hello,
I've been trying to add reCAPTCHA to the Keycloak login page, but it
seems that I can't get it working.
The reCAPTCHA doesn't appear in the Browser flow even though I added the
needed classes (LoginRecaptcha and its Factory).
Can you tell me which methods from RegistrationRecaptcha I need in
order to implement it in the Browser flow, and whether I should simply extend
UsernamePasswordForm and its Factory without implementing any other class?
Thank you!
6 years, 5 months
Implicit flow between two (or more) keycloak instances
by Yann Jouanin
Hello,
I am currently trying to use the implicit flow between two Keycloak instances.
My setup is:
We have one Keycloak used in our cloud and one on the customer's premises, federating the customer's LDAP.
Because there is no network connectivity between the two Keycloak instances, I want to use the implicit flow so that the customer accesses our service in the cloud, gets redirected to our Keycloak instance for login, and then has the option to use their on-premises instance, configured as an OIDC identity provider.
The setup works in a lab with the standard flow, but with the implicit flow I get the error message "Standard flow is disabled for the client".
Is the implicit flow usable in this case?
Best regards,
Yann Jouanin
6 years, 5 months
SAML client brokering to a SAML provider
by Victor Bail
Hi all,
I'm trying to configure a SAML client that authenticates against a Keycloak
provider by going through a Keycloak broker (the Keycloak provider and the Keycloak
broker are on the same server, in different realms).
The client is WildFly 11 using the Keycloak SAML adapter. Broker and provider
are using Keycloak 4.1.0.
I have managed to get an OIDC client connecting through the broker to the SAML
provider, but I'm not able to do it with a SAML client.
In the client, I have this configuration in the wildfly standalone.xml:
<secure-deployment name="TestClientKeyCloakSAML.war">
  <SP entityID="Broker" sslPolicy="EXTERNAL"
      logoutPage="http://localhost:8280/auth/realms/Broker/protocol/saml">
    <Keys>
      <Key signing="true">
        <PrivateKeyPem></PrivateKeyPem>
        <CertificatePem></CertificatePem>
      </Key>
    </Keys>
    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256"
        signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
      <SingleSignOnService signRequest="true"
          validateResponseSignature="true" validateAssertionSignature="false"
          requestBinding="POST"
          bindingUrl="http://localhost:8280/auth/realms/Broker/protocol/saml"/>
      <SingleLogoutService
          validateRequestSignature="true" validateResponseSignature="true"
          signRequest="true" signResponse="true" requestBinding="POST"
          responseBinding="POST"
          postBindingUrl="http://localhost:8280/auth/realms/Broker/protocol/saml"
          redirectBindingUrl="http://localhost:8280/auth/realms/Broker/protocol/saml"/>
    </IDP>
  </SP>
</secure-deployment>
The Identity Provider in the broker realm has this configuration:
-SSO service URL: http://localhost:8180/auth/realms/Athens/protocol/saml
And the SAML client has this configuration:
-Client ID: http://localhost:8280/auth/realms/Broker
-Client Protocol: SAML
-Master SAML processing URL:
http://localhost:8080/TestClientKeyCloakSAML/saml
If we log in from the client, we can go through the broker and log in at the
provider, but the response from the provider arrives at the broker and
returns this error:
10:22:00,529 WARN [org.keycloak.protocol.saml.SamlService] (default
task-20) Unknown saml response.
10:22:00,529 WARN [org.keycloak.protocol.saml.SamlService] (default
task-20) UserSession is not tagged as logging out.
10:22:00,529 WARN [org.keycloak.events] (default task-20)
type=LOGOUT_ERROR, realmId=Broker, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_logout_response
The problem is that the response is arriving at
SAMLService.BindingProtocol.handleSamlResponse, and it seems that that
method only handles logout responses.
What is the configuration needed to authenticate a SAML client through a
broker against a SAML provider?
Thanks!
Victor.
6 years, 5 months
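Added example, not part of the post above and not Keycloak code: a small inspector for the `SAMLResponse` form field that shows where a provider actually addressed its Response. It relies only on Keycloak's URL layout, which the post itself shows: `/auth/realms/{realm}/protocol/saml` is the realm's own SAML endpoint (the realm acting as IdP towards its clients), while a brokered login has to come back to `/auth/realms/{realm}/broker/{alias}/endpoint`. The sample Response is constructed to mirror the thread (issuer Athens, destination the Broker realm's `/protocol/saml`); it is unsigned, so this is a diagnostic, not a validator, and the alias `athens` in the usage note is an assumption.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// samlResponse pulls out the handful of Response attributes that tell you where
// a provider sent its answer. Element names are matched without namespace on
// purpose, so samlp:/saml2p: prefixes both work.
type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	Destination  string   `xml:"Destination,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Issuer       string   `xml:"Issuer"` // direct child only; the Assertion's Issuer is not matched
	Status       struct {
		Code string `xml:"Value,attr"`
	} `xml:"Status>StatusCode"`
	Assertion *struct{} `xml:"Assertion"`
	Encrypted *struct{} `xml:"EncryptedAssertion"`
}

// Verdict is what InspectSAMLResponse reports.
type Verdict struct {
	Issuer, Destination, InResponseTo, Status string
	HasAssertion                              bool
	Endpoint                                  string // "broker", "realm-saml", or "other"
}

// InspectSAMLResponse decodes the SAMLResponse field of a POST binding and
// classifies the Destination by Keycloak's URL layout. A Response that lands on
// /protocol/saml is handled by the realm's IdP-side code, which only expects
// LogoutResponses there; a brokered login must target /broker/{alias}/endpoint.
func InspectSAMLResponse(formValue string) (*Verdict, error) {
	raw, err := base64.StdEncoding.DecodeString(formValue)
	if err != nil {
		return nil, fmt.Errorf("SAMLResponse is not base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("not a samlp:Response: %w", err)
	}
	v := &Verdict{
		Issuer: strings.TrimSpace(r.Issuer), Destination: r.Destination,
		InResponseTo: r.InResponseTo, Status: r.Status.Code,
		HasAssertion: r.Assertion != nil || r.Encrypted != nil,
	}
	switch {
	case strings.Contains(v.Destination, "/broker/") && strings.HasSuffix(v.Destination, "/endpoint"):
		v.Endpoint = "broker"
	case strings.HasSuffix(v.Destination, "/protocol/saml"):
		v.Endpoint = "realm-saml"
	default:
		v.Endpoint = "other"
	}
	return v, nil
}

// EncodeForPost is the inverse: what an IdP puts into the SAMLResponse field.
func EncodeForPost(xmlDoc string) string { return base64.StdEncoding.EncodeToString([]byte(xmlDoc)) }

// SampleResponse is a constructed, unsigned Response shaped like the one in the
// thread: Athens answers, but addresses the Broker realm's own SAML endpoint.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_resp_1" Version="2.0"
    IssueInstant="2018-08-01T10:22:00Z" InResponseTo="ID_authn_req_1"
    Destination="http://localhost:8280/auth/realms/Broker/protocol/saml">
  <saml:Issuer>http://localhost:8180/auth/realms/Athens</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_assert_1" Version="2.0" IssueInstant="2018-08-01T10:22:00Z">
    <saml:Issuer>http://localhost:8180/auth/realms/Athens</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`

func main() {
	v, err := InspectSAMLResponse(EncodeForPost(SampleResponse))
	fmt.Printf("%+v %v\n", v, err)
}
```

Run it against the real `SAMLResponse` value captured from the browser's POST to the broker (base64 as-is, no URL decoding needed for the POST binding). If `Endpoint` comes out as `realm-saml` with `HasAssertion` true, the provider side is answering to the wrong URL for a brokered login, which matches the "Unknown saml response" / `invalid_logout_response` symptom above; the fix lives in the provider realm's client (or the broker's IdP metadata), not in the WildFly adapter.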
keycloak and application configuration | how to resolve this error
by vandana thota
16:36:59,379 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /sample/:
java.lang.NullPointerException
    at java.lang.String.contains(String.java:2133)
    at org.keycloak.adapters.saml.elytron.KeycloakHttpServerAuthenticationMechanism.evaluateRequest(KeycloakHttpServerAuthenticationMechanism.java:82)
    at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
    at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
    at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
    at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
    at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
    at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
6 years, 5 months
AT as Query Param
by Simon Faust
Hi,
I have a REST server secured using bearer-only. Now I'm stuck with the
file download use case (no token in the HTTP header).
According to KEYCLOAK-2650
<https://issues.jboss.org/browse/KEYCLOAK-2650> it's possible to pass the
access token as a query parameter (I guess its name is "access_token",
right?). When testing that, every request I make gets redirected to
/sso/login.
Am I missing some configuration? It seems that the Keycloak adapter does
not try at all to get a token from the query parameter... I'm using
keycloak-spring-security-adapter 3.2.1.
Thanks in advance, Simon
6 years, 5 months
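Added example, not from the post above and not the Keycloak adapter's code: the policy a resource server should apply if it does accept `access_token` in the query string for the file-download case. A token in a URL ends up in access logs, proxy logs, browser history and `Referer` headers, so the example honours the query parameter only for GET requests under an explicit set of download path prefixes, always prefers the `Authorization` header, and marks the response uncacheable. The `verify` callback stands in for the adapter's signature, expiry and audience check and is assumed; the `/files/` prefix is likewise an assumption.

```go
package main

import (
	"net/http"
	"strings"
)

// TokenSource records where a bearer token was found, so a handler can treat
// tokens that travelled in the URL more strictly than header tokens.
type TokenSource int

const (
	NoToken TokenSource = iota
	FromHeader
	FromQuery
)

// ExtractToken looks for a bearer token the way the download use case needs:
// Authorization header first, access_token query parameter as a fallback. The
// fallback is only honoured for GET requests under the given download prefixes,
// because a token in the query string is written to logs and Referer headers
// and must never become the general way of presenting credentials.
func ExtractToken(r *http.Request, downloadPrefixes []string) (string, TokenSource) {
	if h := r.Header.Get("Authorization"); len(h) > 7 && strings.EqualFold(h[:7], "Bearer ") {
		if tok := strings.TrimSpace(h[7:]); tok != "" {
			return tok, FromHeader
		}
	}
	if r.Method != http.MethodGet {
		return "", NoToken
	}
	for _, p := range downloadPrefixes {
		if strings.HasPrefix(r.URL.Path, p) {
			if tok := r.URL.Query().Get("access_token"); tok != "" {
				return tok, FromQuery
			}
		}
	}
	return "", NoToken
}

// RequireToken wraps a handler: no token, or a token that fails verify, gets 401
// with a WWW-Authenticate challenge instead of a redirect to a login page.
// verify stands in for the adapter's signature/expiry/audience check (assumed).
func RequireToken(next http.Handler, downloadPrefixes []string, verify func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, src := ExtractToken(r, downloadPrefixes)
		if src == NoToken || !verify(tok) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if src == FromQuery {
			// the URL carrying the token may be logged or cached: keep it out of
			// shared caches and stop the browser from leaking it in Referer
			w.Header().Set("Cache-Control", "no-store")
			w.Header().Set("Referrer-Policy", "no-referrer")
		}
		next.ServeHTTP(w, r)
	})
}
```

A stronger variant for downloads is to have the API mint a short-lived, single-use download reference in exchange for the header token and put only that reference in the URL, so the long-lived access token never appears in a URL at all.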
Best Practices in Production environment
by Rakesh Alladi
Hi All,
In terms of securing a REST API, can someone please shed some light on what
OIDC/OAuth flow considerations one should take into account that are in line
with best practices for a production environment:
1. How should a REST service be secured and configured in Keycloak? Should
we use Access Type "bearer-only" or "confidential"?
2. How should an internal REST client be configured? Should we use "Offline
Access" or "Client Credentials"?
3. How should an external REST client be configured? Should we use "Client
Credentials"?
Any help on the above is much appreciated.
Thanks
Rakesh
6 years, 5 months
WARN [org.keycloak.events] (default task-49) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Demo-Realm, clientId=null, userId=null, ipAddress=10.4.7.2, error=invalid_code, identity_provider=saml-sample-app
by vandana thota
Hello
Does anyone know how to resolve the error below?
WARN [org.keycloak.events] (default task-49)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Demo-Realm, clientId=null,
userId=null, ipAddress=10.4.7.2, error=invalid_code,
identity_provider=saml-sample-app
Thanks.
6 years, 5 months
Fine grain permission for a realm admin user that can also create client and create a User in his Realm
by Ansari, Hasebullah
Hello all,
I have a use case scenario that involves fine-grained permission settings for the admin of a particular realm, who should be able to create a client and create a user, with restrictions such as: he must not play with the client 'realm-management', and he must not map realm-admin to himself. The problem is that I can restrict the realm admin to managing one client, or restrict him to mapping only certain roles, but then he cannot create a client or create a user himself, because that requires a coarser role like 'manage-users' or 'manage-clients'. And once I give the realm admin these two roles, he can do everything in the realm, and this is the problem.
So in short,
1. I want to have a realm admin that can create users and clients in his dedicated realm.
2. I also want to make sure that he doesn't have access to play around with the realm-management client, and that he cannot map roles such as 'manage-users', 'manage-realm', 'manage', 'manage-clients' to himself or other users.
Cheers,
Hasebullah A Ansari
Syntlogo GmbH
6 years, 5 months