January 2019 - keycloak-user - Jboss List Archives

Suppression of basic challenge on login of Web App?

by Chris Smith

I have a web app secured by KC. It authenticates against out Active Directory and that appears to be working. I'm developing using Tomcat as my web app server. When on a Windows client of a machine that is a member of my Active Directory, and Windows Internet options are set, Both Chrome and Internet Explorer do not put up the Browser challenge or forward to the KC login page. I have a requirement that a browser on a client that is not in my Active Directory log in with the users Active Directory user id and password. After a successful login, everything is great. My issue is that when running from a browser on a client that is not a member of the Active Directory domain, First the browser presents a Basic Challenge. Then regardless of what is entered or if the challenge is dismissed, the browser forwards as expected to the KC login page. How can the Basic Challenge Be suppressed? My web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1"> <display-name>SSO-Example</display-name> <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> <welcome-file>default.html</welcome-file> <welcome-file>default.htm</welcome-file> <welcome-file>default.jsp</welcome-file> </welcome-file-list> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name> MYREALM </realm-name> </login-config> <security-constraint> <web-resource-collection> <web-resource-name>SSO-Example</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role> </web-app> My keycloak.json { "realm": "MYREALM", "auth-server-url": "https://my.keycloak:8443/auth", "ssl-required": "external", "resource": "MYCLIENT", "verify-token-audience": true, "credentials": { "secret": "my secret" }, "disable-trust-manager": true, "allow-any-hostname" : true, "use-resource-role-mappings": true, "confidential-port": 0 }

7 years, 3 months

1
0
0 / 0

Custom Email Attribute

by Kunal Kumar

Hi, There are some users from department in my company that uses the one SAME EMAIL for all its users, eventhough they all have their own user IDs. But Keycloak doesn't allow for different users to have the same email address. Is there any workaround for this? Lets say if I create a custom email attribute that connects to the mail LDAP attribute, how do I make Keycloak to recognise this custom email attribute as THE EMAIL ATTRIBUTE? Regards, Kunal

7 years, 3 months

1
0
0 / 0

Error! Failed to send email

by Kunal Kumar

Hi, I am trying to use the Forgot Password function for my Keycloak authentication. So I have already set On for the Forgot Password in the Login section. And I have tried to set up a the configurations under Realm > Email, where I put Host : smtp.gmail.com Port : 587 But when testing the connection, I keep getting the error *"Error! Failed to send email".* What could be the reason for this? Regards, Kunal

7 years, 3 months

2
1
0 / 0

Cross client authentication

by Tom Barber

Hi folks Trying to solve a question for one of my web developers. We have 2 apps one which authenticates against Keycloak using SAML and then a GUI that uses OIDC. When a user logs into the GUI it then performs a rest call to the SAML based client app. This causes a 401 currently, but as soon as I visit the SAML app and Keycloak logs in then the rest calls work. What aren’t we passing or config am I missing? Thanks Tom -- Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891. All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.

7 years, 3 months

2
3
0 / 0

UMA Share Resource with a User via AuthZ Client

by Christian Sandmeier

Hi All, first of all Thanks for the great work. I have been using Keycloak in a Project for a couple of Months now and really like it. I started to try out the UMA 2.0 Flow because it would be very nice to be able to share a resource with other Users. Given the following 4 Steps, i don't understand why the Permissions are not in the RPT token // Code for Steps 1 and 2 taken from here // https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... // Code for Steps 3 and 4 taken from here // https://www.keycloak.org/docs/latest/authorization_services/index.html#ob... 1) Creating a Resource "Resource A" with Owner "demo" ResourceRepresentation resource = new ResourceRepresentation(); resource.setName("Resource A"); resource.setOwnerManagedAccess(true); resource.setOwner("demo"); resource.addScope("Scope A"); resource = getAuthzClient().protection().resource().create(resource); 2) Creating the User Permission for User "test" UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation(); newPermission.setName("User-Managed Permission"); newPermission.setDescription("User is allowed to access"); newPermission.addScope("Scope A"); newPermission.addUser("test"); ProtectionResource protection = getAuthzClient().protection("demo", "demo"); UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission); 3) get a RPT for the User "test" for all Resources AuthzClient authzClient = AuthzClient.create(); AuthorizationRequest request = new AuthorizationRequest(); AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request); String rpt = response.getToken(); 4) Listing the Permissions TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt); System.out.println("Token status is: " + requestingPartyToken.getActive()); System.out.println("Permissions granted by the server: "); for (Permission granted : requestingPartyToken.getPermissions()) { System.out.println(granted); } The Resource and Permission are saved correctly, i can correctly read them via the AuthZ Client but now i would assume that the Permission is in the RPT of the User "test". Is this Assumption maybe already incorrect and i got a bit lost? Or is there probably a problem in my Code because the Permission should be listed there? Btw. if i skip Step 2) and instead share the the Resource with the User in the "Keycloak -> My Account-> My Resources" Page, it works. But not with the UmaPermissionRepresentation. Thank you in Advance Best regards, Christian Sandmeier

7 years, 3 months

2
2
0 / 0

Common Clients, Client scopes, Roles among multi Realm

by Hari Prasad

Hi All, Please let me know is there any way to share Clients, Client Scopes, Roles among multiple Realm. Because I want use single Clients configurations and Role configurations among multiple Realm. Regards Hari Prasad

7 years, 3 months

1
0
0 / 0

Common Clients, Client scopes, Roles among multi Realm

by Hariprasad N

Hi All, Please let me know is there any way to share Clients, Client Scopes, Roles among multiple Realm. Because I want use single Clients configurations and Role configurations among multiple Realm. -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 3 months

1
0
0 / 0

Dynamically assign roles to user for single session

by Nikola Malenic

I have implemented different authenticators which users can choose when they login. Now, I would like to assign various roles to the user based on authentication method user has chosen. Those roles would be assigned to the user only in current session. Is this possible to achieve? I used a mapper to put user's decision on authentication method in the tokens, but how to map this property (field) to the specific role/roles? Best regards, Nikola

7 years, 3 months

1
0
0 / 0

Disable HTTP2 in Keycloak 4.6 container?

by Gareth Western

It looks like the wildfly server used for the Keycloak 4.6.0.Final image is configured to use HTTP2. Is there an easy way to disable this? I think it might be the cause of some strange behaviour in Chrome, similar to as described here: https://issues.jboss.org/browse/KEYCLOAK-2656. The related 'test http2' issue is pending for the Keycloak 5.x release, so i assume Keycloak 4.x does not officially support HTTP2, is that correct? Kind regards, Gareth

7 years, 3 months

1
1
0 / 0

keycloak-js: token in cookie

by Massimo Redaelli

I read here: http://lists.jboss.org/pipermail/keycloak-user/2014-December/001389.html that (if I understood correctly) at the time the javascript adapter didn't support returning the token in a cookie rather than in the response body. Is that still the case? I'm writing a SPA and I'm faced with the problem of where to store the token. Most tutorials just put it in local storage, or in a variable in memory, but I read around that it's very susceptible to XSS attacks, while using a secure, httponly cookie is much safer. What would you recommend? Thanks M.

7 years, 3 months

1
0
0 / 0

(no subject)

by Fluffy Mark Garces

I would like to have a confirmation and consultant for the usage of keycloak platform, I am new to this field and I havd been assigned to provide an SSO solution for our project, after a bunch of research, I decided to go to this platform hoping to solve the wanted feature: + goal: provide SSO solution to various SPs and/or IDPs (like our app can be plugged in any existing IDP with multiple SP) + our application: "App A" would like to be an SP only… and can be proved to integrate to other IDPs or SPs. + protocol to be used: SAML I just want to know if this can be done with this platform.. any advice or recommendations can be helpful, I would also like if possible to consult to some of you guys privately, I hope. Please help, I am just new to this and need people like you to guide me, Thanks in advance

7 years, 3 months

1
0
0 / 0

Authorization : Scope cannot be added to multiple permission

by Bruce Wings

(The configuration discussed below is done under the Authorization tab) I have created Authorization Scope. When I create 2 scope based permissions : *Perm1 and Perm2 *and add this scope to both, *no error is shown and scope is successfully added.* But when I look at the scopes at my client end, I see that only 1 permission has that scope. (scope gets reflected in whichever permission is added at the end. It gets disappeared from previous permission). Is this the intended behavior? The way I checked the scopes is by intercepting request and obtaining permission list in my Java client. *KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());* *AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();* *List<Permission> permList = (authzContext==null) ? null : authzContext.getPermissions();* *for(Permission perm : permList) {* * Set<String> scopeList = perm.getScopes();* * // other stuff* *}*

7 years, 3 months

1
1
0 / 0

entitlement api & Authorization API Endpoint not working (as documented)

by Suresh Mali

Hi I am trying to trying to get available permissions for a user I tried autherization end point as per the document curl -X POST -H "Authorization: Bearer ${AAT}" -d '{ "ticket" : ${PERMISSION_TICKET} }' "http://localhost:8080/auth/realms/moneysmart/authz/user_mgt" I get error HTTP/1.1 404 Not Found where $AAT below is users access token, moneysmart is realm and user_mgt is client_id $PERMISSION ticket obtained from http://localhost:8080/auth/realms/moneysmart/authz/protection/permission Not permission ticket api works, I tried entitilement API curl -X GET \ -H "Authorization: Bearer ${access_token}" \ "http://localhost:8080/auth/realms/moneysmart/authz/entitlement/user_mgt" This also gives error HTTP/1.1 404 Not Found Is there something else missing in setup or something else? -Suresh

7 years, 3 months

1
0
0 / 0

Refreshing ID token and sliding session

by Olga Bon

I am studying Keycloak and related protocols OpenID & OAuth2. Everything is clear except one thing, how to maintain the sliding session for a logged in user. Maybe I misunderstand something. 1. Authorization Flow first of all redirects a user to the keycloak login page, after successful login the user is redirected to the redirect url with the authorization code. 2. Using this authorization code, a server side application connects to the keycloak server and exchanges the code for the Access token (also including client id, secret, etc) and ID token. 3. Access token is used by the server side application itself in order to retrieve details from the keycloak server, like user additional info, public key, etc. So the Access token is used by applications only. 4. The server side applications set a cookie with the received ID token. Now user can access protected resources. All in all we have 1. Access token stored on the server side and used only by applications or services to retrieve additional info from Keycloak. 2. Refresh token stored on the server side and used only by application or services to get new Access token 3. ID token stored in the user's cookies and used to access protected resources of the system. My question is, how can the ID token be refreshed. Consider the following case, a user is logged in and doing some actions in the system, but suddenly toke got expired. How this case should be handled? I have implemented my own flow called the Sliding session, so the token gets refreshed if any request is made, however I don't know how to handle this case with Keycloak. I would be grateful for any help regarding the matter.

7 years, 3 months

1
0
0 / 0

Keycloak with volume Mount

by Lahari Guntha

Hi All, I have launched keycloak as a container in a Virtual Machine. I have created Realms and configured clients to have SSO enabled for them. For some reason I got to restart the Docker in the VM in which I have this keycloak container. When I restarted docker service all the Configuration that was made earlier like the clients that I have configured are lost. Can we make it persistent? Can we have any mount point so that we can save the data onto host and then bring up the container with the mount point? Thanks and Regards, Lahari G =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

7 years, 3 months

2
1
0 / 0

Change target after password change?

by Craig Setera

Our current application uses PWM for password management tasks. We use their activation flow to set a password and also the forgotten password flow to change the password. In each of those cases, it is possible to specify the page to redirect to once the flow has been completed. This is used by us to redirect them back to our application. Is there anything similar for Keycloak? Right now, it seems like all of these flows end up in the account management interface. Thanks, Craig ================================= *Craig Setera* *Chief Technology Officer*

7 years, 3 months

1
0
0 / 0

Authorization of action in application (client of KC)

by Nikola Malenic

I have an use case where I have to authorize an action in my application taken by the user. Here is how it should go: The user is logged in at KC and using my application. Now, my application would need to authorize one user action by sending the user to KC, where he would enter his OTP, and then, my application would get some kind of proof that user authorized the action (I don't know what should that be, yet). Do you have any idea how this could be achieved using KC? I guess action SPI would somehow be used. Thank you in advance, Nikola

7 years, 3 months

2
3
0 / 0

Re: [keycloak-user] SSL connection to Keycloak Server

by Luis Rodríguez Fernández

Hello Kunal, It looks like you have to update the "Valid Redirect URIs" field in your client application, see [1]. Hope it helps, Luis [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_clients El mié., 2 ene. 2019 a las 11:28, Kunal Kumar (<wolfbro92(a)gmail.com>) escribió: > Hi Luis, > > I am trying to configure SSL for Keycloak. I have already followed all the > steps, configurations in standalone.xml, and also creating and authorizing > the necessary certificates as well. But when connecting to my web app, it > has this particular error as in the attached file > > Are you familiar with this error? > > Regards, > Kunal > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

7 years, 3 months

1
0
0 / 0

rest api to get resource permission evalauted

by Suresh Mali

I have created resources via api for a users {kc-host}:{kc-port}/auth/realms/{realm}/authz/protection/resource_set/ I have created policy which decides based on the relation between the resource owner and identity user like thisvar identity_user = $evaluation.context.identity.id;var resource_owner = $evaluation.permission.resource.getOwner(); var identity_user_attrs = $evaluation.realm.getUserAttributes(resource_owner) ;var allowed_agents = identity_user_attrs.allowed_agents ;if ( resource_owner == identity_user ){ $evaluation.grant(); }else if (allowed_agents !== null && allowed_agents[0].indexOf(identity_user) > -1 ) { $evaluation.grant();} else { $evaluation.deny();} I am able to evaluate the permission for various users & (agent users) on keycloak admin console in realm->client->autherization->evaluation tab It is evaluating properly How can I get same permission/ deny from a rest api so that I can call from my client on behalf of identity user with identity users access token as autherization (or other method or autherization) either simple permitted/deny or "permissions": [ { "scopes": [ "read" ], "rsid": "e1617f7c-dffe-42c9-b91f-476e8a810c4a", "rsname": "kyc1" } ] kind of output is required I tried {kc-host}:{kc-port}/auth/realms/{realm}//authz/protection/permission I get opaque permission ticket, how can I decode this? thank you Suresh

7 years, 3 months

1
0
0 / 0

[Api][Configuration]Create user from API rest : 401 Unauthorized

by Gwenael Perier

Hi everybody, I tried to create a user from the rest API : I've got my token from my client : curl -X POST " https://mykeycloak.io/auth/realms/myrealkm/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_secret=xxxxxxxxxxxxxx" \ -d 'grant_type=client_credentials' \ -d 'client_id=myclient-openid' and i tried to create an user : curl -X POST 'https://mykeycloak.io/auth/admin/realms/site5.bayardev.com/users' -H 'Authorization: Bearer MYACCESSTOKEN" -H 'Content-Type: application/json' -d '{"username":"cjbarker5","enabled":true,"emailVerified":false,"firstName":"CJ","lastName":"Barker","credentials":{"type":"password","value":"newPas1*","temporary":false}}' -v And i get only : HTTP/1.1 401 Unauthorized I tried to configure my client with roles (manage-users) Full Scope is Allowed. I don't know what to do for add the possibility to my client to add user in keycloak. Thanks for any advice.

7 years, 4 months

1
1
0 / 0

Using Self Signed Certificate for SSL with Keycloak as authenticator

by Kunal Kumar

Hi all, I'd like to know if Keycloak is able to be connected to my test web app, which is currently running on a self signed certificate instead of an officially signed one? Regards, Kunal Kumar

7 years, 4 months

2
1
0 / 0

Common Client among multiple Realm

by Hariprasad N

Hi All, Can I have common client among multiple realms. As per our product requirement we have to maintain multiple Tenants hence multiple Realms, each Realm should have client with id 'enliven-ui' and same client configuration. The problem with this approach is when ever there is change in client config. examples: 1. Root URL is changed, 2. Redirect URL changed, 3. In Authorization I want to add new Resource/Policy/Permission/Scope. Then I have to go admin console, then go to each individual realm and select client 'enliven-ui' do the require changes or using admin REST API do changes in each Realm programatically. Instead of this can I have common client. -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 4 months

1
0
0 / 0

keycloak helm chart SSL configuration

by Leigh Kennedy

Hi, I have been using keycloak for a while via the helm chart. IT has been working find using http. However I am trying to get it to use a certificate. I have struggled to find any clear documentation on how to do this. This is what I have at the moment (you can see commented out a few things I have tried. keycloak: username: test password: xxx service: nodePort: 32666 type: NodePort persistence: deployPostgres: false dbVendor: postgres dbName: keycloak dbHost: qmi-minikube.local.net dbPort: 5432 dbUser: test dbPassword: xxx #extraEnv: | # - name: PROXY_ADDRESS_FORWARDING # value: "true" ingress: enabled: true # annotations: #kubernetes.io/ingress.global-static-ip-name: "keycloak-static-ip" # kubernetes.io/ingress.allow-http: "false" # ingress.kubernetes.io/ssl-redirect: "true" path: /auth hosts: - keycloak.elastic.example tls: - hosts: - keycloak.elastic.example secretName: elastic-example-tls Can anyone see what I am doing wrong here? I know my certificate is ok as I use it in another nginx ingress config (not running while this one is) and It works fine. Thanks. Leigh Kennedy

7 years, 4 months

1
0
0 / 0

No Default theme - Null Pointer Exception

by Cono D'Elia

Hi All: My use case was to automatically direct the user to a custom theme depending on the device they are using e.g: native mobile vs other. The theme selector will make a decision based on User Agent and direct the end-user accordingly. I created a theme selector based on the source code snippets provided from https://www.keycloak.org/docs/latest/server_development/index.html#_provi.... I basically did a copy and paste. I was able to deploy the theme and it appeared in the Provider's tab in the Admin console. I copied the base theme as 'my-theme'. When I restart the Keycloak server it fails to start throwing an NPE indicating that there is No Default theme. I was wondering if I needed any other code or configuration that is not stated in that particular section to get this going? I couldn't find a working sample online, so if I can be directed to one that would be great. Thanks a bunch! Chuck.

7 years, 4 months

1
0
0 / 0

Can't request resource permissions by resource name by service account client and not user

by Or Harary

Hey, I'm using version 4.8.1 and i'm trying to check resource permissions on another client with the token endpoint, by the resource name, with a client's access token, and i'm getting "Resource with id [{resourceId}] does not exist". I have a service account client "foobarservice". I want this service account client, to check his permissions on a "foobaresource" resource from another client "otherservice". myrealm -- "foobarservice" Service Account Client -- -- foobar resource (with always grant policy and permission) -- "otherservice" Service Account Client I did "client_credentials" login with the "foobarservice" and got an access_token. With that token, I tried: curl -X POST http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token \ -H "Authorization: Bearer {foobarservice_access_token}" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions" And got 400 bad request with the not found error. When i'm doing the same request with some user's token, it works well. I looked into the code (my knowledge of JAVA is very basic) and it seems to be because of this: https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278... Is this the expected behavior? or a bug? Because when I used version 3.4 it did work Thanks, Or

7 years, 4 months

1
1
0 / 0

getting resource owner and loggedin (identity) user attributes in evaluation context

by Suresh Mali

Each user has one or more resource e.g. 'account' Each user is assigned one or more agents. (agent is different user in the system with role agent) I have added them in user attributes e.g let us say there is user_a who has account resource there are users with agent roles say 'agent_a', 'agent_b', 'agent_c' In user_a is attribute I have added attribute allowed_agents = [ 'agent_a' ,'agent_b'] in agent_a & agent_b have attibutes allowed_users = ['user_a'] Now in policy evaluation I want to ensure when agent_a & agent_b try to access resource owned by user_a they are allowed while agent_c is not allowed how do I access resource owners attributes and or identity ownes attributes I want to write a evaluation like something like this is it possible to get $permission.resource.owner.attributes["allowed_agent"]to return ['agent_a','agent_b']or $identity.attributes['allowed_users'] to return ['user_a'] so that I can evaluate the match something like beowrule "Authorize Resource Owner" dialect "mvel" when $evaluation : Evaluation( $identity: context.identity, $permission: permission, $permission.resource.owner.attribute['allowed_agents'].indexOf($identity.id) ) then $evaluation.grant(); end

7 years, 4 months

2
1
0 / 0

Mapping in additional user roles

by Tom Barber

Hi folks, This may have a simple answer in which case I apologise. I’ve been tasked with fronting some web apps with Keycloak connected via SAML to AD FS as the ID provider. I found this http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html so planned to do similar. The next issue I face is that the AD FS service is hosted by a different entity and we don’t have the ability to change yet we need to map roles in. What extension points are there available to us in Keycloak that allows a user to login but then have us assign roles by looking them up in a *different* AD server and pulling their roles from there? Thanks Tom -- Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891. All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.

7 years, 4 months

1
1
0 / 0

Realm Custom Attributes

by Hariprasad N

Hi All, Can we add realm level custom attributes. -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 4 months

2
2
0 / 0

Conflicting scopes in permissions always gets deny, maybe this should be configurable?

by Or Harary

Hey, Let's say I want to allow creating custom roles with custom permission on scopes (to allow access to multiple resource types and actions). So per role, I wanted to create a matching permission with the allowed scopes (resource-type-foo-create/resource-type-bar-create/etc..) and policies accordingly (role/client/user/group). So if I have: Role A Allowed: foo-create, foo-read, bar-read Role B Allowed: foo-read, bar-read Because they have conflicting scopes, foo-read always gets denied. So as I see, it can't be done this way. Maybe there should be a Decision Strategy to permissions evaluation like in a single permission with policies? Thanks, Or

7 years, 4 months

1
0
0 / 0

Fwd: Multi-tiered Permissions

by Warren, Scott

Hi, I need some input on the best way to solve authorization for a retail chain scenario. Here's the scenario: A retailer has 10,000 stores and 30,000 users While each user has a primary store, they can work in other stores in their region At his/her primary store UserA (clerk) has the following scopes: POS, DailyCloseout For secondary stores, a UserA has only the POS scope While there are many more scopes, and user roles, the problem to solve is this multi-tiered permissions structure. UserA's permissions depend on the store context. I've set up stores as resources (of type "store"), each resource has a storeNbr attribute I've set up scopes of POS, DailyCloseout, SalesReports, etc. I'm struggling with a clean way to tie a user to his/her "storeX" : [ "scopeA", "scopeB", "scopeC"]. I put this structure in as a user attribute, and after mapping it, got it working with a javascript policy but that's a maintenance nightmare at best. I can set up roles with names like <storeNbr>.<scopeA>. It's better than the user attribute route, but still feels like a hack. I'm guessing I could write a Drools policy that could, using the identity from the context, read from a database that contains this structure. BUT this provider is in tech preview / not supported, so I'm not excited about this route. Lastly, I guess I could write a custom policy provider. These last two require me to maintain a separate database (and app to maintain it), so I'm not thrilled with either of them. So, what have I missed? Is there an elegant way to solve this? Thanks for your help! Scott -- Scott G. Warren SUM Global Technology swarren(a)sumglobal.com 678.469.3455

7 years, 4 months

3
10
0 / 0

Run keycloak at root "/" context, not "/auth"

by Artem Grebenkin

Hi folks, is it possible to run keycloak at root "/" context, not "/auth" Kind regards Artem

7 years, 4 months

2
1
0 / 0

Realm.toRepresentation results in com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException

by Frank Franz

Hello, I'm using the java admin client to create a realm and some other setting. In this process I like to update the realm (set authentication bindings for registration flow and credential flow) therefore I from my actual knowledge have to transfer the realm to the realm representation. Doing this calling realm.toRepresentation() results in the following error: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs. ProcessingException: com.fasterxml.jackson.databind.exc. UnrecognizedPropertyException: Unrecognized field " offlineSessionMaxLifespanEnabled" (class org.keycloak.representations.idm. RealmRepresentation), not marked as ignorable (101 known properties: " directGrantFlow", "otpPolicyDigits", "identityProviderMappers", " revokeRefreshToken", "identityProviders", "userFederationMappers", " rememberMe", "duplicateEmailsAllowed", "dockerAuthenticationFlow", " otpSupportedApplications", "adminEventsDetailsEnabled", "registrationFlow", "editUsernameAllowed", "clients", "users", "emailTheme", "realm", " actionTokenGeneratedByAdminLifespan", "authenticatorConfig", "components", "certificate", "updateProfileOnInitialSocialLogin", "otpPolicyType", " accessCodeLifespanUserAction", "protocolMappers", "id", "accountTheme", " maxDeltaTimeSeconds", "enabledEventTypes", "verifyEmail", "applications", " waitIncrementSeconds", "eventsListeners", "eventsExpiration", " defaultDefaultClientScopes", "defaultOptionalClientScopes", "passwordPolicy", "clientTemplates", "registrationAllowed", "userManagedAccessAllowed", " notBefore", "otpPolicyAlgorithm", "actionTokenGeneratedByUserLifespan", " permanentLockout", "socialProviders", "otpPolicyInitialCounter" [truncated]]) Can you pleas give me a hint how to resolve this? Thanks in advance. Andreas

7 years, 4 months

3
3
0 / 0

How to update a 'remember me' session?

by Alex Chatziparaskewas

Hi All, We are using the keycloak javascript adapter. In the same way as the token and refresh token can be updated gracefully in the background using its updateToken method, is there any means by which the same can be done to a 'remember me' session? Thanks & Regards, Alex

7 years, 4 months

2
2
0 / 0

Authorization with javascript adapter

by Hariprasad N

Hi Alex Chatziparaskewas, *i know you are using javascript adapter for authentication(for login), can we use javascript adapter for authorization also like resource protection.* -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 4 months

2
6
0 / 0

Request parameter in idp url

by Pulkit Srivastava

Need your help for some issue. I have configured an IDP in keycloak, i am sending a request parameter in single sign on url field in IDP as: url?ab=cd Issue i am facing is sometimes keycloak appends this parameter to the redirect url but sometimes it does not. Any idea as to why this is happening? Any help would be appreciated. Thanks in advance. Thanks, Pulkit

7 years, 4 months

1
0
0 / 0

kcinit status

by Fox, Kevin M

Not much has happened with kcinit in a long time and it has a few outstanding bugs in the way of working for us. What is the status of the project? Thanks, Kevin

7 years, 4 months

3
6
0 / 0

Get Authorization Permissions with Bearer Token

by Hariprasad N

Hi All, I have a client with authorization enabled. I am able to get Bearer token. My requirement is how can i get all authorization permissions with Java or JS or Angular. Is there any endpoint to get authorization permissions with Bearer token. -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 4 months

1
0
0 / 0

Authorization in Angular

by Hariprasad N

Hi All, I am using keycloak-angular to integrate our Angular App to keycloak. Authentication is working fine but authorization not working with angular. Authorization working fine with spring boot and normal java webapps. Please help to resolve authorization problem with angular. Regards Hari Prasad N -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore – 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m* *www.ramyamlab.com* <http://www.ramyamlab.com/>

7 years, 4 months

1
0
0 / 0

Keycloak Admin Client: Unrecognized field "access_token"

by Nhut Thai Le

Hello, I'm using keycloak admin-client 4.6.0.Final to manage keycloak server. I'm getting this error when trying to remove a session: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: java.io.IOException: java.security.PrivilegedActionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) Here is my code (similar to https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... ) SSLContext ssl = null; File trustore = new File("pathToKS.keystore"); ssl = getSSLContextWithTrustore(trustore, "ksPassword"); System.setProperty("javax.net.ssl.trustStore", trustore.getAbsolutePath()); ResteasyJackson2Provider jacksonProvider = null; jacksonProvider = new ResteasyJackson2Provider() {}; ObjectMapper objectMapper = new ObjectMapper(); jacksonProvider.setMapper(objectMapper); Keycloak connection = Keycloak.getInstance("https://kc.com:8543/auth", "master", "admin", "admin", "admin-cli", null, ssl, jacksonProvider); RealmResource realm = connection.realm(realmName); realm.deleteSession(kcSessionId); I did some search on google and mostly found that the issue is related to resteasy-jackson-provider being used instead of resteasy-jackson2-provider but as you can see from my code, i'm already using resteasy-jackson2-provider so i'm not sure what else could cause this. Here is the full stacktrace: javax.ws.rs.WebApplicationException: Cannot logout user wuth session cede2747-424c-405f-a4a2-c4d804ef5883 at com.castortech.util.keycloak.KeycloakAdminBroker.lambda$129(KeycloakAdminBroker.java:3729) at com.castortech.util.keycloak.KeycloakAdminBroker.ensureCL(KeycloakAdminBroker.java:3136) at com.castortech.util.keycloak.KeycloakAdminBroker.logout(KeycloakAdminBroker.java:3732) at com.castortech.iris.ba.webviewer.richlet.AppRichletHelper.service(AppRichletHelper.java:137) at com.castortech.iris.ba.webviewer.richlet.AppRichlet.service(AppRichlet.java:13) at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage0(UiEngineImpl.java:514) at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage(UiEngineImpl.java:365) at org.zkoss.zk.ui.http.DHtmlLayoutServlet.process(DHtmlLayoutServlet.java:205) at org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:140) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at com.castortech.iris.ba.webviewer.internal.ZkLayoutServlet.lambda$1(ZkLayoutServlet.java:59) at com.castortech.util.threading.ThreadingUtils.runWithContextClassLoader(ThreadingUtils.java:72) at com.castortech.iris.ba.webviewer.internal.ZkLayoutServlet.service(ZkLayoutServlet.java:58) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655) at com.castortech.iris.ba.webviewer.servletfilter.HeadersFilter.doFilter(HeadersFilter.java:67) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) at com.castortech.iris.ba.web.filters.KeycloakSessionFilter.doFilter(KeycloakSessionFilter.java:78) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) at org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:206) at com.castortech.iris.ba.web.filters.AuthenticationFilterForWebViewer.doFilter(AuthenticationFilterForWebViewer.java:61) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340) at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:293) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:503) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305) at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) at java.lang.Thread.run(Unknown Source) Caused by: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: java.io.IOException: java.security.PrivilegedActionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156) at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) at com.sun.proxy.$Proxy46.grantToken(Unknown Source) at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89) at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69) at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64) at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:587) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76) at com.sun.proxy.$Proxy51.deleteSession(Unknown Source) at com.castortech.util.keycloak.KeycloakAdminBroker.lambda$129(KeycloakAdminBroker.java:3724) ... 58 more Caused by: javax.ws.rs.ProcessingException: java.io.IOException: java.security.PrivilegedActionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:368) at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:261) at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:231) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120) ... 74 more Caused by: java.io.IOException: java.security.PrivilegedActionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:145) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56) at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:334) ... 77 more Caused by: java.security.PrivilegedActionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at java.security.AccessController.doPrivileged(Native Method) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:137) ... 80 more Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (10 known properties: "tokenType", "notBeforePolicy", "otherClaims", "token", "sessionState", "refreshExpiresIn", "scope", "expiresIn", "refreshToken", "idToken"]) at [Source: (org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper); line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61) at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:822) at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:1152) at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1582) at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1560) at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:294) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1574) at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:965) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider$1.run(ResteasyJackson2Provider.java:140) ... 82 more Hope to get some hint. Thai Le

7 years, 4 months

1
0
0 / 0

Incorrect UMA Policy Evaluation

by Lamina, Marco

Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco

7 years, 4 months

3
8
0 / 0

Keycloak with ADFS

by work test

Hi folks, I set up my keycloak instance with ADFS using the article http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html After configuring my confidential client application using oidc protocol, I get to the login page and login using my ADFS credentials, but after login, I get redirected back to the Keycloak login page and not to my application. I don't see any errors even using the Chrome saml tools. What am I missing? My goal is to have several applications using the single signon realm configured with ADFS and have Keycloak be the broker so that the applications only have to deal with Oauth2 + OIDC and not the saml. Thanks for your help. Hskc

7 years, 4 months

1
0
0 / 0

account creation process with email verification : problem or normal behavior ?

by François Gourrier

hello to everyone and very happy new year, I am faced with the following problem: I want to enable email verification when creating an account I ticked the "default action" box for "Verify Email" in "authentication". the observed behavior is as follows: - when a user creates an account via a public form, he receives an email with a link with the following structure: HOST /realms/connect/login-actions/action-token? = XXXXXXclient_id = XXXX XXXX = & tab_id - when he clicks on the link, it is sent back to his account (HOST / realms / connect / account /) and is therefore connected That's not at all the behavior I was expecting Another scenario: - when a user creates an account, he receives an email with a link with the following structure: HOST /realms/connect/login-actions/action-token?Key = XXXXXXclient_id = XXXX XXXX = & tab_id - when he takes this link and the copy in another browser than the one used to create the account, it is sent to a page with the message "Confirm the validity of the email address XXXX" with a button "Click here" - if the user clicks on the button, the account is created and he has to authenticate to connect This second scenario is the one expected. Have I forgotten something in understanding the features? Obviously, a cookie is created and associated with the account during its creation which explains that it is already identified when it is returned to its account Thank you in advance for your lights. I'am using Keyclaok 4.5.0 FGOURRIER

7 years, 4 months

1
0
0 / 0

Keycloak logout API not working properly

by Shubham Akodiya

Hi, I'm using the log out API( https://localhost:8080/auth/realms/my-realm-name/protocol/openid-connect/...) and sending all the required parameters i.r refresh_token, client_id and client_secret. The API working properly but the user can still able to use the access_token to access the APIs. How to revoke that access_token? Thanks, Shubham Akodiya

7 years, 4 months

2
1
0 / 0

Keycloak 4.8.0.Final released

by Stian Thorgersen

To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. For details on what is included in the release check out the Release notes <https://www.keycloak.org/docs/latest/release_notes/index.html> The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Before you upgrade remember to backup your database and check the upgrade guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for anything that may have changed.

7 years, 4 months

2
2
0 / 0

Cross Realm authorization

by david_christian.herrmann＠daimler.com

Hello, we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using: AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session); if (authResult == null) { throw new NotAuthorizedException("Bearer token required"); } And if(!auth.hasClientRole(client,"view-users")){ throw new NotAuthorizedException("Necessary permission not available"); } We now have the problem, that we want to access the endpoint with technical users which are in the master realm to separate them from the real end-users. So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm. Here AuthenticationManager.AuthResult authResult = authManager.authenticateBearerToken(session); if (authResult == null) { throw new NotAuthorizedException("Bearer token required"); } Always results in unauthorized. Looking at the code and testing I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal? Mit freundlichen Grüßen / With kind regards David Herrmann RD/UIA Team Rising Stars [Computergenerierter Alternativtext: RDIU] Daimler AG HPC G464 70546 Stuttgart Mobil: +49 176 309 369 87 What3Words Address: ellbogen.sprüche.anfänge E-Mail: david_christian.herrmann(a)daimler.com<mailto:david_christian.herrmann@daimler.com> Daimler AG Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

7 years, 4 months

2
9
0 / 0

SSL connection to Keycloak Server

by Kunal Kumar

Hi guys, I have 5 web apps that use Keycloak for authentication. But none of them are using SSL yet. How is the practice done? Do i need to set SSL on the Keycloak server for the Keycloak authentication page to have the secured lock symbol? Or is setting SSL to my web apps enough? I am not very clear about Keycloak and its SSL implementation, I hope someone can help explain to me. Regards, Kunal

7 years, 4 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user January 2019