keycloak-openshift:4.4.0.Final Docker image
by Hayden Fuss
Hello,
I noticed the Keycloak 4.4.0.Final Docker image was released a week or two
ago for jboss/keycloak but not for jboss/keycloak-openshift. Was this
intentional? If not, could one please be made?
We've been using the master tag in the meantime, and it seems like
something broke in it today when trying to apply the MariaDB CLI scripts
and on startup due to it always using a period file handler that can't
write to the disk in OpenShift. I've ensured that my standalone-ha.xml file
does not have a handler called "FILE" in it... see the stack trace below. I
can file a JIRA if need be.
Thanks!
Failed to read or configure the org.jboss.logmanager.LogManager
java.lang.IllegalArgumentException: Failed to instantiate class
"org.jboss.logmanager.handlers.PeriodicRotatingFileHandler" for handler
"FILE"
at
org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:117)
at
org.jboss.logmanager.config.LogContextConfigurationImpl.doPrepare(LogContextConfigurationImpl.java:335)
at
org.jboss.logmanager.config.LogContextConfigurationImpl.prepare(LogContextConfigurationImpl.java:288)
at
org.jboss.logmanager.config.LogContextConfigurationImpl.commit(LogContextConfigurationImpl.java:297)
at
org.jboss.logmanager.PropertyConfigurator.configure(PropertyConfigurator.java:546)
at
org.jboss.logmanager.PropertyConfigurator.configure(PropertyConfigurator.java:97)
at org.jboss.logmanager.LogManager.readConfiguration(LogManager.java:170)
at org.jboss.logmanager.LogManager.readConfiguration(LogManager.java:132)
at java.util.logging.LogManager$3.run(LogManager.java:399)
at java.util.logging.LogManager$3.run(LogManager.java:396)
at java.security.AccessController.doPrivileged(Native Method)
at
java.util.logging.LogManager.readPrimordialConfiguration(LogManager.java:396)
at java.util.logging.LogManager.access$800(LogManager.java:145)
at java.util.logging.LogManager$2.run(LogManager.java:345)
at java.security.AccessController.doPrivileged(Native Method)
at
java.util.logging.LogManager.ensureLogManagerInitialized(LogManager.java:338)
at java.util.logging.LogManager.getLogManager(LogManager.java:378)
at org.jboss.modules.Main.main(Main.java:523)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at
org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:115)
... 17 more
Caused by: java.io.FileNotFoundException:
/opt/jboss/keycloak/standalone/log/server.log (Permission denied)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at org.jboss.logmanager.handlers.FileHandler.setFile(FileHandler.java:151)
at
org.jboss.logmanager.handlers.PeriodicRotatingFileHandler.setFile(PeriodicRotatingFileHandler.java:104)
at
org.jboss.logmanager.handlers.FileHandler.setFileName(FileHandler.java:189)
at org.jboss.logmanager.handlers.FileHandler.<init>(FileHandler.java:119)
at
org.jboss.logmanager.handlers.PeriodicRotatingFileHandler.<init>(PeriodicRotatingFileHandler.java:72)
... 22 more
6 years, 3 months
Keycloak > FreeIPA 2FA integration
by Callum Smith
Dear All,
Keycloak and FreeIPA have separate integrations of 2FA, though very different obviously store keys in a different database. I was wondering whether you can configure Keycloak to authenticate against FreeIPA using the recommended SSSD method and also use the OTP/2FA as configured in FreeIPA on the backend?
https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sss...
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk<mailto:callum@well.ox.ac.uk>
6 years, 3 months
Implicit or Auth code flow for Angular/SPA apps
by Eric B
We are deploying a new Angular SPA which leverages Keycloak for its SSO
abilities using OIDC. The app is currently designed using Implicit flow to
retrieve short-lived access tokens via the keycloak JS adapter.
However, recently, I've been seeing some emails in the ietf mailing list (
https://www.ietf.org/mail-archive/web/oauth/current/msg16969.html)
indicating that Auth code should be preferred over implicit flow due to
security issues of having access tokens show up in browser history and/or
log files (if any SSL termination/inspection is in place/etc).
I understand the security concerns with having an AT show up anywhere in a
log file. I do not, however, understand how the Auth Code flow can be
considered as more secure, or why it should be preferred over Implicit
flow. Isn't having the Refresh Token in the browser/SPA a higher security
risk than having a short-lived AT in a log file?
What is the preferred mechanism to use today? Is there a recommended
approach?
Thanks,
Eric
6 years, 3 months
Configure spring application with Spring Security Adapter and Multi Tenancy
by Mattia Bello
Hello,
i tried to integrate keycloak Spring Security Adapter and Multi Tenancy but i encountered some problems.
I followed the guide step by step:
1. I installed keycloak on server and runned it in standalone mode on port 8180.
2. I added the dependency in pom file:
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-security-adapter</artifactId>
<version>4.4.0.Final</version>
</dependency>
Because my spring app is a old spring app, i prefer use the xml configure to manage the security.
I created keycloakApplicationContext.xml with the configuration describe in the guide (attached keycloakApplicationContext.xml file).
The guide continue introduce the Multi tenancy:
The Keycloak Spring Security adapter also supports multi tenancy. Instead of injecting AdapterDeploymentContextFactoryBean with the path to keycloak.json you can inject an implementation of the KeycloakConfigResolver interface. More details on how to implement the KeycloakConfigResolver can be found in Multi Tenancy.
3. Then, to implement the Multi tenancy i followed the section:
I created the PathBasedKeycloakConfigResolver java class (attached PathBasedKeycloakConfigResolver.java file) and added rows in web.xml file (attached web.xml file).
In the previous point, the guide describe that:
Instead of injecting AdapterDeploymentContextFactoryBean with the path to keycloak.json you can inject an implementation of the KeycloakConfigResolver interface. More details on how to implement the KeycloakConfigResolver can be found in Multi Tenancy
But in the Multi Tenancy section i didn't found the istructions to do that.
In the web.xml i specify the path to keycloak.json and it is required to create the bean. If i delete it the app when starting will will go to error.
What do i do to use Multi Tenancy?
Thanks to all
Mattia Bello
Developer
[Descrizione: cid:image001.jpg@01CEB308.188717E0]
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it<http://www.horsa.it/>
6 years, 3 months
4.4.0.Final tag on Docker Hub?
by Rob Noble
Hello,
The 4.4.0.Final tag hasn't appeared on https://hub.docker.com/r/jboss/keycloak/tags/ yet? Did something fail, or am I just being too impatient?
Thanks,
Rob.
The contents of this email and any attachment are confidential to the intended recipient(s). If you are not an intended recipient: (i) do not use, disclose, distribute, copy or publish this email or its contents; (ii) please contact the sender immediately; and (iii) delete this email. Our privacy policy is available here: https://origamienergy.com/privacy-policy/. Origami Energy Limited (company number 8619644); Origami Storage Limited (company number 10436515) and OSSPV001 Limited (company number 10933403), each registered in England and each with a registered office at: Ashcombe Court, Woolsack Way, Godalming, GU7 1LQ.
6 years, 3 months
Roles in Keycloak not updated from external identityprovider after first login
by Spur von Haselnüssen
Hello,
I'm using Keycloak 4.4.0.Final in combination with an external
identityprovider to authenticate users.
The eIdP is using the OpenID Connect protocol and has mappers in KC
defined to map from a claim in the ID token received from the eIdPs
token endpoint to roles defined in my Keycloak server.
This works as expected for the first login (when the user was
previously unknown to Keycloak) and the user is assigned all roles it
has with the external identityprovider.
Unfortunately the roles for the user aren't updated when the user logs
in any time after that and the ID token contains extra or less roles.
(Mappers are defined and work on the first login).
The user info endpoint is currently unused and disabled.
"First broker login" is used as the first login flow.
Nothing for post login flow yet (experimented with that but didn't
find anything useful so far, but I guess I need to define something
here, but what exactly?).
How would I go about updating the roles of a user from the claims in
an ID token from an external identityprovider at their second login
like at their first login?
Greetings,
Stephan
6 years, 3 months
how to create a user with restricted manager-user rights/role for a group
by Madhu
Hi,
I need to create a group in master realm, where any user in this group can do manage-users for any other user belong to the group. users in this group will not be able to manage any other user (example the master realm's admin user).
I need this kind of facility to work around the issue of every growing access token mentioned in https://issues.jboss.org/browse/KEYCLOAK-1268
My idea is to have a seperate group in master realm who will have view-users, create-realm and manage-user permissions. (but they should be able to manage other co users in this group alone).Once a new realm is created, the user who created becomes the default admin in the newly provisioned realm, after creating the realm the logged in user will appoint a new user (beloning to the new realm) as the admin and relinquish his own rights to be the admin of the new realm.. (thus, keeping his own auth token size at bay)...
But since the user who created the realm belongs to mater realm and has manage-user access, i would like to ensure that this user does not inadvently/or intentionally mess up the master realm's admin users access.
Can some one guide on how to setup a group which has restricted manage-user access (i.e. perform manage users for group members alone)..
Regards,Madhu
6 years, 3 months
add self signed certificate for external IDP without root acces
by triton oidc
Hi,
It may be a wildfly issue but i'm not sure.
I'm not root on the server (i can't do an update-ca-trust)
i configured an external IDP, when keycloak wants to exchange the code for
the ID token to the external IDP, i get a certificate exception.
I tried adding the certificate in the keystore.
There is no trustore.jks in the standalone.xml, i guess it's using the
system trustore
Should i create an empty trustore.jks and try to put it in the
standalone.xml ?
but i might loose other external IDP with real public certificate.
I'm sure it's very simple, but i can't get it to work.
I'll take any hints
I'll update if i find the solution.
Thanks
Amaury
6 years, 3 months
Not able to retrieve password from using keycloak admin api
by Prince Anand Anandaraj
Hi,
I am pretty new to keycloak and currently working on to secure an
application using keycloak. Currently, I am using keycloak version 3.4.3.
I am trying to retrieve password of a user using the keycloak admin api
in java.
keycloak =
Keycloak.getInstance(keyCloakProperties.getProperty("keycloak.baseURL"),
keyCloakProperties.getProperty("keycloak.loginRealm"),
keyCloakProperties.getProperty("keycloak.loginId"),
keyCloakProperties.getProperty("keycloak.loginPwd"),
keyCloakProperties.getProperty("keycloak.clientId"),
keyCloakProperties.getProperty("keycloak.secretKey"));
realmResource =
keycloak.realm(keyCloakProperties.getProperty("keycloak.userRealm"));
realmResource.users().get(userId).toRepresentation().getCredentials();
The last line of code suppose to return a list with type
<CredentialRepresentation> but I get only null. Am I missing something.
Did anyone else face this issue.. If yes please help!!
Thanks in advance..
Thanks and regards,
Prince Anand
Disclaimer : http://www.objectfrontier.com/maildisclaimer.html
Disclaimer : http://www.objectfrontier.com/maildisclaimer.html
6 years, 3 months
Passwords with umlauts
by zitrone@gmx-topmail.de
Hi,
I have a problem with user passwords which contain umlauts (like Ö Ä Ü,
common ones in germany). They will be stored, but when i try to get a
token, it always fails with "Invalid user credentials".
I read
https://www.keycloak.org/docs/3.4/server_installation/index.html#unicode-...
on how to enable unicode in the DB, but i don't get which columns to
alter. Since the password will be stored hashed and salted, will
altering the DB have any effect at all?
Technical setup:
Keycloak 3.4.3.Final
with an Oracle DB
Regards
zitrone
6 years, 3 months