EventListenerProvider that removes an existing offline session/token
by Michael Hunziker
Hi everyone!
I need some advice in implementing an EventListenerProvider that makes sure
that there is only one offline session/token per user (as soon as the user
logs in on another device the provider should make sure that the other
session/token is deleted).
I would expect that calling
"userSessionProvider.removeOfflineUserSession(realmModel, userSession);"
should be enough in the code below... But it does not delete anything in
"OFFLINE_CLIENT_SESSION" and "OFFLINE_USER_SESSION".
Am I missing something? Is this even doable?
Cheers Michael
import java.util.List;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.slf4j.Logger;          // the posted code uses {} placeholders, i.e. slf4j
import org.slf4j.LoggerFactory;

// Class name and realm name are placeholders; the posted snippet only showed the two methods below.
public class SingleOfflineSessionListener implements EventListenerProvider {
    private static final Logger log = LoggerFactory.getLogger(SingleOfflineSessionListener.class);
    private static final String MY_REALM = "my-realm";   // realm in which the rule is enforced
    private final KeycloakSession session;                // request-scoped session handed in by the factory
    private final RealmProvider realmProvider;

    public SingleOfflineSessionListener(KeycloakSession session) {
        this.session = session;
        this.realmProvider = session.realms();
    }

    @Override
    public void onEvent(Event event) {
        final String realmId = event.getRealmId();
        final String userId = event.getUserId();
        final EventType eventType = event.getType();
        if (isRelevantEvent(realmId, eventType) && userId != null) {
            RealmModel realmModel = realmProvider.getRealm(realmId);
            UserModel userModel = session.users().getUserById(userId, realmModel);
            final UserSessionProvider userSessionProvider = session.sessions();
            // every offline session this user currently holds in the realm
            final List<UserSessionModel> userSessions =
                    userSessionProvider.getOfflineUserSessions(realmModel, userModel);
            // keep the session of the login that fired this event, remove all others
            userSessions.stream()
                    .filter(userSession -> !userSession.getId().equals(event.getSessionId()))
                    .forEach(userSession -> {
                        log.warn("Removing already existing offline user session {}", userSession.getId());
                        userSessionProvider.removeOfflineUserSession(realmModel, userSession);
                    });
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // admin events are not relevant to this rule
    }

    @Override
    public void close() {
    }

    private boolean isRelevantEvent(final String realmId, final EventType eventType) {
        return eventType != null && eventType == EventType.LOGIN
                && realmId != null && realmId.equals(MY_REALM);
    }
}
6 years, 4 months
Mail System Error - Returned Mail
by Mail Delivery Subsystem
6 years, 4 months
Keycloak customised credential model
by Mangna POUTOULI
We desire to create a customised credential SPI for device fingerprinting. We
developed an authenticator SPI but we got an issue about credential size.
By default the standard credential model limits the secret attribute to 4 KB.
Our fingerprint requires around 30 KB. What is the best way to solve this
issue? Based on our research, I think there are 3 different approaches:
1. split the fingerprint in 4K blocks. Simple to develop but it will
increase credential table entries by 8! Also, the 4K default size might
change in a future release.
2. extend userstorage and credentialModel classes. I'm not sure of this
solution as the users are local to Keycloak.
3. extend UsercredentialStore and create a new credential table.
From my perspective, this should be the best solution but not sure it will
be possible. I'll be happy to get community advice. Thanks,
6 years, 4 months
kcadm - LDAP adding a variable as part of script
by Jamie McDowell
Hi,
I am trying to add a variable as part of my kcadm command. As an example, this is for adding the connectionURL from an environment variable. Version is 3.4.3.
My "ldap.env" has all the environment information and this is run first of all as part of my script.

echo "Set the environment..."
. ldap.env

echo "Creating LDAP provider for users..."
/opt/jboss/keycloak/bin/kcadm.sh create components \
--server $KEYCLOAK_SERVER \
--user $KEYCLOAK_USER \
--password $KEYCLOAK_PASSWORD \
-r $NEW_REALM \
-s id=$LDAP_USER_ID \
-s name=ldap-users \
-s providerId=ldap \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s parentId=$REALM_ID \
-s 'config.priority=["0"]' \
-s 'config.fullSyncPeriod=["-1"]' \
-s 'config.changedSyncPeriod=["-1"]' \
-s 'config.cachePolicy=["DEFAULT"]' \
-s 'config.evictionDay=[]' \
-s 'config.evictionHour=[]' \
-s 'config.evictionMinute=[]' \
-s 'config.maxLifespan=[]' \
-s 'config.batchSizeForSync=["1000"]' \
-s 'config.editMode=["WRITABLE"]' \
-s 'config.syncRegistrations=["true"]' \
-s 'config.vendor=["other"]' \
-s 'config.usernameLDAPAttribute=["mail"]' \
-s 'config.rdnLDAPAttribute=["uid"]' \
-s 'config.uuidLDAPAttribute=["entryUUID"]' \
-s 'config.userObjectClasses=["inetOrgPerson, organizationalPerson, top, person"]' \
-s 'config."connectionUrl"=['$LDAPHOST']'

When the script has completed and I log into Keycloak to check the settings, under connectionURL this shows $LDAPHOST when I should be expecting something like ldap://example.com (this is what is set in my ldap.env).
I know when I hard-code the ldaphost this works fine.
I have tried various ways using single quotations, double quotations but just can't seem to get this to populate with the correct output.
Regards,
Jamie
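As an added example, not code from the post above, the script below shows what the shell actually hands to kcadm under three quotings of the connectionUrl setting, and a small helper that builds the -s value so the variable is expanded inside the JSON string quotes. The LDAP URL is a constructed value standing in for the one sourced from ldap.env; the kcadm invocation at the end is guarded by a RUN_KCADM variable so the file runs without a Keycloak server, and the component settings it passes are taken from the script in the post.

```sh
#!/bin/sh
# Added example (not from the original post): how shell quoting decides what
# kcadm receives for a JSON-array-valued -s setting. LDAPHOST is a constructed
# sample value standing in for the one normally sourced from ldap.env.
LDAPHOST='ldap://example.com'

# Form 1, as in the post: 'config.connectionUrl=['$LDAPHOST']'
# The single quotes close before the variable and reopen after it, so the
# variable expands, but the JSON string quotes are lost:
# kcadm sees  config.connectionUrl=[ldap://example.com]
kc_arg_unquoted_value() {
  printf '%s' 'config.connectionUrl=['"$1"']'
}

# Form 2: 'config.connectionUrl=["$LDAPHOST"]'
# Everything sits inside single quotes, so nothing expands and Keycloak stores
# the literal text $LDAPHOST.
kc_arg_literal_dollar() {
  printf '%s' 'config.connectionUrl=["$LDAPHOST"]'
}

# Escape backslashes and double quotes so an arbitrary value is a valid JSON
# string body (a URL rarely needs it, a bind credential might).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Form 3 (working): config.KEY=["VALUE"] with the variable expanded inside a
# double-quoted format string and the JSON quotes kept.
kc_config_arg() {
  printf 'config.%s=["%s"]' "$1" "$(json_escape "$2")"
}

echo "form 1: $(kc_arg_unquoted_value "$LDAPHOST")"
echo "form 2: $(kc_arg_literal_dollar)"
echo "form 3: $(kc_config_arg connectionUrl "$LDAPHOST")"

# The real call, guarded so this file can run without a Keycloak server.
# Path, realm and component variables follow the script in the post.
if [ "${RUN_KCADM:-0}" = 1 ]; then
  /opt/jboss/keycloak/bin/kcadm.sh create components \
    --server "$KEYCLOAK_SERVER" --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD" \
    -r "$NEW_REALM" \
    -s name=ldap-users \
    -s providerId=ldap \
    -s providerType=org.keycloak.storage.UserStorageProvider \
    -s "parentId=$REALM_ID" \
    -s "$(kc_config_arg editMode WRITABLE)" \
    -s "$(kc_config_arg vendor other)" \
    -s "$(kc_config_arg connectionUrl "$LDAPHOST")"
fi
```

Run it as-is to see the three strings; set RUN_KCADM=1 with the environment from ldap.env to perform the create. One caveat for a script like this: --password on the kcadm command line is visible to other users on the host through ps; kcadm.sh config credentials (which prompts for the password when --password is omitted) authenticates once and stores a token for the following calls instead.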
6 years, 4 months
Auth0 Lock alternative
by Robert Smol
Hi,
is there any similar project like Auth0 Lock? Something that would allow me
to embed Keycloak's login page into my classical web app? Currently
whenever I need to log the user in, I forward him to Keycloak, but there are
demands to show the login window directly on our webpage.
Robert
6 years, 4 months
Need info for network security
by Pakira, Ranjan
Hi,
We are planning to set up Keycloak in a new network and the network security team needs some information. Can you please help us with the answers to the following queries?
How is the user data secured at rest and in transit?
Who is in control of Keycloak, and do you have the correct process around access (starters, movers, leavers, etc.)?
Thanks & Regards,
Ranjan Pakira
6 years, 4 months
KEYCLOAK_SESSION cookie not getting set in Keycloak 4.1.0. Was getting set in Keycloak 3.4.3
by Test Oauth
In Keycloak 3.4.3:
First time I run the app, AUTH_SESSION_ID, KEYCLOAK_IDENTITY,
KEYCLOAK_SESSION cookies are set and next time I run the app (before
session idle timeout), I do not have to relogin as session cookie has a
valid session.
In Keycloak 4.1.0:
First time I run the app and login: AUTH_SESSION_ID cookie is set. Next
time I run the app, KC_RESTART cookie gets set and I am presented the login
form again. My assumption is KC_RESTART cookie gets set because there is no
valid KEYCLOAK_SESSION cookie. Am I right?
How can I resolve this issue? I am sure there is some config I have missed.
6 years, 4 months