Feature Request
by Sushil Singh
Hi,
As of now there is support only for http-method-as-scope when policyEnforcer is enabled, in order to get the mapping between application scopes and Keycloak-defined scopes. But I want to use Keycloak not only for REST APIs but for other use cases where I can have application-specific custom resources (independent of the URI requested) and actions (scopes). I want some API to provide support for custom resources as well as scopes.
Example: I have a pipeline to run and it can have actions like STOP, RUN, RESTART, and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding functionality where the user can use custom scopes would be of great help and extend its usability for non-REST APIs as well.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
6 years, 7 months
Authorisation and public clients
by Pete Chown
Hello,
I have a public client and I can issue tokens for it. I would like to
be able to use Keycloak for access control as well, so for example I
might give a user the "admin" role and that would cause additional
scopes to be added to their tokens.
Unfortunately it looks as though the authorisation aspect of Keycloak is
only available to confidential clients. First of all, is that correct?
If my understanding is correct, is there some specific security issue
that arises if authorisation is applied to public clients? I can't
think of one, but perhaps I just haven't thought hard enough. :)
Suppose I have a confidential client, but I don't take any steps to keep
the "secret" secure. Is it then equivalent to a public client? In
other words could I work around this issue by making my client nominally
confidential, but not taking steps to conceal the secret? (There are
actually no steps I could take, because my client is just JavaScript
running in a web page.)
Thank you for any help you can give, and many thanks to the developers
for this excellent software.
Pete
6 years, 7 months
Cross-Datacenter Replication Mode Question
by Townsley, Eric L
Hi,
We are looking into implementing cross-datacenter replication. In looking at the docs I see mention of using JBoss Data Grid. Will we need to purchase/license from Red Hat before we can proceed? Is there an alternate option, i.e. a community Data Grid solution?
Thanks
Eric
6 years, 7 months
Refresh token in client_credentials grant type
by Sebastian Rus
Hi,
I have created a client with 'confidential' Access Type for a microservice
which has to connect to other keycloak secured microservice. I enabled
"Service Accounts Enabled" option, which "[...] in terms of OAuth2
specification, enables support of Client Credentials Grant for client".
Everything seemed to be OK, until I saw a huge number of sessions for that
client. It turned out that the token endpoint returns a refresh token.
A request interceptor I use in my microservice application just ignores the
refresh token and uses client credentials to obtain the new one - which
creates a new session every time new access token is issued.
The OAuth2 specification (https://tools.ietf.org/html/rfc6749#section-4.4.2)
says that "A refresh token SHOULD NOT be included" for the client_credentials
grant type. So why is it included? Is the presence of the refresh token
configurable for the 'confidential' Access Type and client_credentials grant?
Best regards,
Sebastian
6 years, 7 months
Max number of Realms supported each keycloak instance/node
by Nagendra Darla
Hello All,
I am wondering if we have any documentation or suggestion on the maximum number of
realms that can be created on a Keycloak instance. If it is based on
hardware configuration, then is there any reference configuration
mentioned anywhere in the Keycloak documentation?
Your help is much appreciated.
Thank You,
Nagendra Darla
6 years, 7 months
SSL connection to MySQL with self signed certificate
by Alexandre Filgueira
Hi
We are trying to test Keycloak connecting to a MySQL database using TLS with self-signed certificates.
The container where this Keycloak is running already has a truststore and a keystore file to be used, but I can’t find documentation on how to proceed.
I saw that you can add the truststore with a block like:
<spi name="truststore">
    <provider name="file" enabled="true">
        <properties>
            <property name="file" value="${env.APP_CONFIG_SSL_DATABASE_DIR}/truststore"/>
            <property name="password" value="${env.APP_STORE_PASS}"/>
            <property name="hostname-verification-policy" value="ANY"/>
            <property name="disabled" value="false"/>
        </properties>
    </provider>
</spi>
But what about the keystore?
In a regular Java application I would need to run my jar file with something like this, for example:
java -Djavax.net.ssl.trustStore=${APP_TRUSTED_SERVERS} -Djavax.net.ssl.trustStorePassword=${APP_STORE_PASS} -Djavax.net.ssl.keyStore=${APP_KEYSTORE_CLIENT} -Djavax.net.ssl.keyStorePassword=${APP_STORE_PASS} -jar target/myjarfile.jar
In my truststore I would need to store the CA certificate from MySQL, and in my keystore the client certificate to connect.
Then in my connection-url block I just define some booleans like useSSL, requireSSL and verifyServerCertificate.
Thanks
6 years, 7 months
Re: [keycloak-user] Mappers with token exchange
by Andrew B Goldberg
I'm trying to set up token-exchange for an external token to internal token, and I ran into the same issue as below (using version 7.0.0) and wondering if this is a known issue, or if it is supposed to be working. If so, any particular setting or policy to look into changing to allow attribute mappers to work?
It may also be the case that my access token doesn’t contain all the claims being mapped, and usually the mappers apply to the id token. But it doesn’t seem like token-exchange supports exchanging an external id token.
For context, my identity provider here is Microsoft azure oidc (not the built-in social one, but a custom one added using all the standard microsoftonline.com OAuth endpoints). And the main claim I’m looking for is “groups” (which does show up when logging into this provider directly).
Thanks!
Andrew
---- older message:
Hello, We're using token exchange to enable logins for social media provider users, using their respective native apps. So the tokens are obtained via official SDKs/apps, then sent to our backend to be exchanged for a keycloak token, which is then used throughout. The problem is, attribute importers don't seem to be running for tokens that are exchanged with this method. We have a mapper to export the user's facebook id ("Social Profile JSON Field Path" set to "id") to a custom user attribute, but it doesn't seem to be working. (except of course when I login "properly" and not use the token exchange process at all) Are there any settings that I'm missing? Recommendations? (Keycloak 5.0. Same with 4.1) Thanks
Kemal
6 years, 7 months
Restrict who can login a client app
by Paul Luk
Hi,
In Keycloak, I have defined an Active Directory for 'user federation'.
I have also defined a client application (OpenID Connect). By default, all
users (in the AD) can log in to the client.
Now I want to restrict it so that only certain users (e.g. by AD group, by AD attribute
value) can log in to the client (I have tried the 'authorization' feature, but
it seems to still allow non-valid users to log in to the client [a JWT token
is issued]).
I searched and found this post:
https://stackoverflow.com/questions/54305880/how-can-i-restrict-client-ac...
which mentions 2 methods:
- by coding a custom AD authenticator
- by 'authorization' (failed for me... the user is still able to log in and a JWT
token is issued)
Can you please share your way to achieve this?
6 years, 7 months
Cross-site DB Replication Question
by Hossein Doutaghy
Hi,
We have 2 geo-redundant sites with Keycloak installed in standalone-ha
mode. Each site has its own Galera cluster and MariaDB replication is
happening between the two sites.
Keycloak uses a few URLs which are specific to a single site, for
example the Base URL which Keycloak redirects the user to once the authentication is
successful. The syntax of the Base URL is:
https://<SITE_VIP>:8443/servicemanager
What we have noticed is that since the entire MariaDB data gets replicated from
Site A to Site B, so does the above Base URL, because of which when we
access the service manager client on site B that is protected by Keycloak
B, it redirects us to the service manager client in Site A after
successful authentication. In other words, in both the service manager
clients in Keycloak server A and B, i.e. 10.88.9.74 and 10.88.9.64, the base
URL is the same, and when we change the base URL on any one of the sites, it
gets replicated to the other one. (This can be seen upon clearing the realm cache.)
How can we prevent this data from being replicated, as it is more site
specific? Is it safe to just exclude the CLIENT table in the database from the
replication by using the MariaDB selective replication technique?
Thanks,
Moe
6 years, 7 months
User registration
by John Norris
Hello,
this is not really a problem but some feedback on the user registration feature in Keycloak.
This should be a really useful feature. It is simple to turn on in the admin console, and suddenly there is a new link on the login page. But I am not sure how useful it is from a practical viewpoint.
The user can register and, from a Keycloak perspective, is then logged in to the application. But because the app will be set up to use roles, the app does not see the user as authenticated and so is prevented from seeing the protected URL. The solution would be to have a default role set up in the client, perhaps with low permissions until further verification takes place.
But there may be other things that need to take place, such as adding the user to the app's database.
So would it be useful, in addition to the user registration yes/no switch, to have a URL that a newly registered user is sent to for other actions to take place?
I know that events should be able to deal with this, but I had real trouble trying to get custom events to work (in fact I never did; Keycloak would crash when changes were made to the standalone.xml file).
So not a complaint, not a bug, just some feedback and very much my opinion based on limited Keycloak experience and knowledge.
6 years, 7 months
Change resource Ids
by Corentin Dupont
Hi guys,
I would like to change the IDs of all my Authorization resources (in order
to match the IDs in my main database).
What is the recommended way?
I could write a script that goes through them all with the REST API, deletes,
re-creates...
Or run some commands directly in the MySQL database? I'm not sure about its
structure, though, and I would be afraid to break something.
Thanks
Corentin
6 years, 7 months
Back channel logout request is not sent when keycloak session is expires
by Nagendra Darla
Hi all,
I am facing a challenge in my keycloak implementation.
I integrated multiple applications running on JBoss with Keycloak. When I kill a Keycloak session from the Keycloak console it sends a back channel logout request to all the connected apps through their admin URLs. But when the Keycloak session expires it does not send a back channel logout request to the applications. Why is there a difference in behavior between these two cases?
I would also like to know if there is any SPI or hook that can be used to send a back channel logout request when a session expires in Keycloak?
6 years, 7 months
Brute Force Detection issue: login failure count not resetting after successful login
by Vishnu Prakash
Hi Keycloak team,
I have enabled Brute Force Detection in Keycloak. But the login failure count is not resetting after successful login. As per the Permanent Lockout Algorithm described in the Keycloak documentation, the failure count should reset on successful login. It is described as follows in the documentation:
1. On successful login
   1. Reset count
2. On failed login
   1. Increment count
   2. If count greater than Max Login Failures
      1. Permanently disable user
   3. Else if time between this failure and the last failure is less than Quick Login Check Milli Seconds
      1. Temporarily disable user for Minimum Quick Login Wait
When a user is disabled they can not login until an administrator enables the user; enabling an account resets count.
Can someone comment on this? Is it a bug or expected behaviour? Any help will be appreciated.
Thanks & Regards,
Vishnu Prakash
6 years, 7 months
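The permanent-lockout algorithm the documentation describes, as a small Python simulation added here (not Keycloak's own code; the policy values and user names are constructed): a successful login resets the counter, spaced failures count toward the permanent lock, and two failures inside the quick-login window trigger the temporary lock.

```python
"""Simulation of the documented Brute Force Detection lockout algorithm.
Added example, not Keycloak's implementation; thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_login_failures: int = 3           # "Max Login Failures"
    quick_login_check_ms: int = 1000      # "Quick Login Check Milli Seconds"
    min_quick_login_wait_ms: int = 60000  # "Minimum Quick Login Wait"


@dataclass
class UserState:
    failure_count: int = 0
    last_failure_ms: Optional[int] = None
    disabled_permanently: bool = False
    disabled_until_ms: Optional[int] = None


class BruteForceDetector:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_disabled(self, user: str, now_ms: int) -> bool:
        s = self._state(user)
        if s.disabled_permanently:
            return True
        return s.disabled_until_ms is not None and now_ms < s.disabled_until_ms

    def attempt(self, user: str, password_ok: bool, now_ms: int) -> str:
        """Process one login attempt; returns one of
        'locked', 'ok', 'failed', 'temp-lock', 'permanent-lock'."""
        s = self._state(user)
        if self.is_disabled(user, now_ms):
            return "locked"          # disabled users cannot log in at all
        if password_ok:
            s.failure_count = 0      # 1. on successful login: reset count
            s.last_failure_ms = None
            return "ok"
        s.failure_count += 1         # 2. on failed login: increment count
        if s.failure_count > self.policy.max_login_failures:
            s.disabled_permanently = True          # 2.2 permanently disable
            result = "permanent-lock"
        elif (s.last_failure_ms is not None
              and now_ms - s.last_failure_ms < self.policy.quick_login_check_ms):
            # 2.3 two failures inside the quick-login window: temporary lock
            s.disabled_until_ms = now_ms + self.policy.min_quick_login_wait_ms
            result = "temp-lock"
        else:
            result = "failed"
        s.last_failure_ms = now_ms
        return result

    def admin_enable(self, user: str) -> None:
        """Administrator re-enables the account; enabling resets the count."""
        s = self._state(user)
        s.disabled_permanently = False
        s.disabled_until_ms = None
        s.failure_count = 0
        s.last_failure_ms = None


if __name__ == "__main__":
    d = BruteForceDetector(LockoutPolicy())
    for ok, t in ((False, 0), (False, 5000), (True, 10000)):
        print(t, d.attempt("alice", ok, t), "count =", d.users["alice"].failure_count)
```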
External User Storage Provider Works Only One Time
by Yasiru Tittagalla
Hi,
I have created a custom SPI to get the users from my existing Oracle
database and then create them in Keycloak's own database, and the
user sync is done via a federation link.
When I'm logging into the system for the first time with an existing user it
works fine and registers the user, but when I change the enabled state or
delete a user from my existing Oracle database, according to the logic I have
written it should be reflected in the Keycloak database, but it doesn't go
through my SPI, simply giving me the following error:
[org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator]
(default task-2) Provider not found or not enabled for realm
migration-provider.
I have implemented the ImportedUserValidations validate method correctly
also.
It would be of great help if you can help me on this matter.
Thank you,
Regards,
Yasiru.
6 years, 7 months
Allocating Role Assignment Responsibilities with OIDC / Keycloak
by Steve Ramage
Hello,
I'm building an application that will use OIDC to authenticate (and potentially make some simple authorization decisions) and I have some questions about the best way to do that. Keycloak is our reference implementation, but we would like to do this in a completely generic way.
The context is that our application has three classes of users, teachers, students and parents for example, and they undergo completely different life cycles and have different responsibilities in our application. In some deployments of our software the teachers may be part of a school district with SSO functionality, and they have a different set of capabilities in our application (and our application knows that they are teachers). We also have students who may be centrally registered, and we may have parents who are publicly registered or signed up manually. We would like Keycloak, or whatever IdP is chosen, to manage all of this complexity for us; essentially we just need to know the class of user. There is zero possible need for users to switch classes, students don't become teachers, etc...
There are two broad ways I can see our application handling this within the context of OIDC.
1) My first thought from going over the OpenID Connect protocol was that we could use scope/claims for this. When we redirect the user to the IdP, we ask for specific additional scopes (i.e., "openid teacher" or "openid student" or "openid parent"). If the user doesn't have these roles in Keycloak, then we don't get the actual claims and we can reject the request. The issue that I have is I can't seem to get this workflow to work with Keycloak, where there is a scope type based on the role, and only users with that role can successfully give us that claim. I can get the claim to appear in the claims returned but not conditionally in this sense. I can also get the information in other claims returned by Keycloak, but this seems Keycloak specific, and it seems like other identity providers would have different structures, and we would have to support different introspection of the various tokens, or make that configurable, which is less than ideal.
2) We could just wire our application up to use three different configurations for IdPs, one for teachers, students and parents. This could be managed in different realms in Keycloak. The drawback of this approach is that in some cases we need to ask the user who they are (teacher / student / parent) before we can authenticate them.
Anyway, I'm not even sure if the above two are the right approach at all, and maybe I'm looking at the problem backwards. In particular, the role and scope/claims are specific to our application; our application really isn't asking for authorization to protected resources that the end users own, we are just piggybacking on it to determine role in a simple RBAC system. Maybe that is simply a mistake, and we should leave the role assignment in the application (although that vastly increases scope, and seems weird since Keycloak has a whole bunch of complex role management functionality that we couldn't leverage or coordinate between services). Alternatively maybe we can impose some constraints on IdPs and say that they have to support, say, a role claim that has one of three possible values in the tokens, either teacher / student / parent. Maybe that is a very reasonable imposition to make on a dedicated Identity Management System.
I'd appreciate any advice anyone had on this problem.
Cheers,
Steve Ramage
6 years, 7 months
@Inject KeycloakPrincipal in EJB container
by Vagelis Savvas
Dear community,
as the subject says, how can the org.keycloak.KeycloakPrincipal be
@Inject-ed in say a @Stateless bean?
I tried injecting a java.security.Principal but I couldn't get a
KeycloakPrincipal out of it.
I also tried creating a CDI @Producer (annotated with @RequestScoped)
producing the KeycloakPrincipal
but that didn't work either because KeycloakPrincipal can't be proxied.
(That's mostly for convenience since @Resource SessionContext ctx and
then ctx.getCallerPrincipal()
answers the KeycloakPrincipal but I wouldn't want to do that explicitly
in every business method)
This is on 17.0.1 Wildfly with the Elytron Keycloak adapter.
Cheers,
Vagelis
6 years, 7 months
Fwd: Fine grain access to User Federation management
by Leonardo Casanova
Hello,
I have been trying to fine grain user federation out of the "manage-realm"
role in order to allow a user to add a user storage (ldap or kerberos),
without giving all the capabilities that manage-realm provides.
My use case is that I would like to have admins, that are capable of
configuring their own user storage, but unable to change how the clients
authorization flows work.
"manage-realm" will give capabilities like renaming the whole realm, which
would also change the authorization endpoints in that realm.
After several attempts at adding a custom resource with the Keycloak
URI that returned the HTTP status 403 Forbidden
(/auth/admin/realms/{realm}/components?type=org.keycloak.storage.UserStorageProvider),
I realized that this might not be an available feature; reading the full
list of permissions in the link below confirmed my doubts.
https://www.keycloak.org/docs/7.0/server_admin/#_fine_grain_permissions
Is what I am trying to accomplish somehow possible already? If not, I
would like to understand why user federation is tied to the "manage-realm"
role. Perhaps my scenario does not make sense in the context of the
Keycloak architecture.
So far the only option I believe I have left is to build a client with a
service account that has the "manage-realm" role; then I can use the
Keycloak REST API to manage the user storages, and create custom permissions
towards my client endpoints to authorize the users. The downside of this
approach is that the events produced will be registered as coming from the
service account in my client instead of the user himself.
Best Regards
Leonardo
6 years, 7 months
Keycloak Gatekeeper: Support Relative/Internal URLs for Airgapped Environments
by Yannis Zarkadas
Hi all,
I am a contributor to the Kubeflow project, which is a machine learning
platform built on top of Kubernetes.
Recently, we (Arrikto) implemented a reference architecture for OIDC
Authentication in Kubeflow.
More details can be found in this article:
https://journal.arrikto.com/kubeflow-authentication-with-istio-dex-5eafdf...
After 3 months of testing this setup with users, we gathered feedback from
users operating in on-prem, airgapped environments, which led to the
following use case:
We want to use an OIDC authenticating proxy for securing an on-prem,
airgapped Kubernetes cluster.
For an OIDC Provider, we use Dex, which lives in the same cluster and
connects with LDAP.
Keycloak Gatekeeper is a great project that has caught our attention and we
would love to use it to cover our use case.
We have the following user requirements:
- Don't make any requests that exit and reenter the cluster. This means
that the OIDC Client should talk to the OIDC Provider using its internal address.
- Work behind any origin URL. This lets users use kubernetes port-forward
to debug issues and work behind a proxy.
To solve these requirements we came up with the following:
- Use the OIDC Provider's internal address for the {discovery, jwks, token,
userinfo}_endpoint. This means the OIDC Client won't make a request to a
public address that would exit and reenter the cluster.
- Use relative URLs for the authorization_endpoint and redirect_uri. We
know that our OIDC Client and OIDC Provider live behind the same origin, so
we can redirect from one to the other using relative URLs.
We haven't found a way to set up Gatekeeper to support this use case.
I would greatly appreciate it if you could help me understand if this is a
valid use case for Gatekeeper to support.
If yes, I'd love to contribute to it and if not, I'd like to understand why.
Thanks in advance,
Yannis Zarkadas
6 years, 7 months
Database connection spurious failure when adding a new client via admin-cli
by Nicolò Di Domenico
Hello everyone,
I’m currently struggling with an issue that appears with no regular pattern whatsoever. I’m deploying Keycloak to a server via Ansible, and later in the playbook I create a new client using its dedicated module. The problem is that the first time everything’s fine, but when I call the playbook again to make some modifications, it sometimes gets stuck when using admin-cli to add the client: if that happens, the server returns with a 500 error and everything stops. By looking at the logs, it looks like that Keycloak for some reason loses connection to the MariaDB server, and it won’t make it again until I restart Keycloak manually, because every subsequent database connection will fail.
I’ll leave down here the link to a gist with the server logs, the standalone.xml configuration file, and MariaDB and its JDBC version.
https://gist.github.com/ndido98/971e19ba2b071f34d37055d973234e7e
Thank you in advance for your help.
Greetings,
Nicolò
6 years, 7 months
Liferay 6.2 with Keycloak
by Yeo Wee Tat (NCS)
Hi all
I have installed the Keycloak 6.0.1 Tomcat 7 adapter in Liferay 6.2 for SSO authentication and authorization.
I have downloaded keycloak.json to our web application's WEB-INF and added the below to the Tomcat context and web XML.
The integration between Liferay and Keycloak SSO has no issue.
However I have a doubt about protected resources in the <security-constraint> tag. Currently I have added /group/*, hence all URL paths under /group require login.
If I would like to add the URL /admin/* to use the Liferay login page instead of the SSO login page, how do I do it? Thanks
---- context.xml
<Context path="/XXXX" crossContext="true" allowLinking="true">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
---- web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Lawnet</web-resource-name>
        <url-pattern>/group/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>XXXXX</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
Best Regards and Thanks
Wee Tat , Yeo (NCS)
Consultant, NCS Pte Ltd
6 years, 7 months
Cannot send verification/update password email behind reverse proxy
by Dave B
Hi all,
I'm really struggling with this one. We can't send verification emails when
the docker image is behind a reverse proxy. I'm using nginx and everything
works apart from the email functionality, none of which works. We can get
tokens, verify tokens etc. But no email functionality works.
The realm functions fine on a local instance and sends emails as expected.
Can't see anything in the logs. This is a killer for us so if anyone has
any ideas please contact asap.
Dave
6 years, 7 months
Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have the below challenges in our project where we are building User Access
Management using Keycloak.
1. Offline User Sessions: When an Offline token is used from two
different machines, there is only one Session that will be created, and the
session will have the IP address of the machine from where the User Session
was first created. Because of this we cannot suspect any suspicious activity
by hackers. Shouldn't we create different sessions even though the same
offline token is used from different machines?
2. Why is there no separate REST end point to get only Online User
Sessions? The below REST end point returns all the User Sessions, i.e., both
Offline and Online User Sessions.
GET /{realm}/clients/{id}/user-sessions
Your help is much appreciated!
Thank you,
Nagendra Darla
6 years, 7 months
Recommended way for a custom login page
by Nils Christian Ehmke
Hi,
We are using Keycloak in a Spring Boot based application with Spring
Security. Now we need to add the realm somehow dynamically to the
request. As there is also the requirement to not use the default
Keycloak login page I decided to add a custom made login page for this.
My thoughts on this:
* I can change the redirect to the login url by setting it at the
KeycloakAuthenticationEntryPoint in the
KeycloakWebSecurityConfigurerAdapter.
* I could assemble the login url (with the realm) manually based on the
user's input.
But now I feel a little bit lost. Even if I perform the POST request to
the Keycloak server, how do I announce this to the Keycloak Adapter and
especially to Spring Security? Would I use the Javascript Adapter
instead? Can I somehow use the existing Java Keycloak Adapter?
Thanks for your help and best regards,
Nils
6 years, 7 months
Re: [keycloak-user] Efficient per client session statistics (solved)
by Christian Becker
When checking the source code, I found that this is already implemented with the "client-session-stats" endpoint. The only downside is that it requires Keycloak v4; older versions only return the sessions, but not offline sessions.
A global endpoint would be even nicer, but this is good enough and better than several hundred calls.
On 23.10.19, 20:19, Christian Becker wrote:
We've recently implemented a monitoring system that's scraping the /session-count and /offline-session-count of each client. However we noticed that this causes huge spikes on the Infinispan nodes (200k sessions and 2M offline sessions); also it's not very efficient and requires several hundred API calls.
Is there any metric system currently available that provides this data?
We're specifically looking for the per-client values as we had several incidents with misconfigured clients that created huge amounts of sessions. And we can never rule out reoccurrence, as long as per-client or per-user session limits are implemented.
6 years, 7 months
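A way to consume the "client-session-stats" endpoint mentioned above for the kind of per-client monitoring the thread describes, as an added Python example (not Keycloak's or the poster's code). It assumes GET /admin/realms/{realm}/client-session-stats returns a JSON array of objects with "id", "clientId", "active" and, on Keycloak 4 and later, "offline", with the counts encoded as strings; the response below is constructed rather than captured from a server.

```python
"""Parse client-session-stats output and flag clients whose session counts
look like a misconfigured client. Added example with a constructed response;
the response shape is an assumption about the admin REST endpoint."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample response; "batch-job" mimics a pre-v4 server that
# reports no "offline" field at all.
SAMPLE_STATS_JSON = json.dumps([
    {"id": "c-1", "clientId": "web-portal", "active": "1200", "offline": "34000"},
    {"id": "c-2", "clientId": "mobile-app", "active": "90", "offline": "210"},
    {"id": "c-3", "clientId": "batch-job", "active": "250000"},
])


def parse_client_session_stats(body: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Map clientId -> {"active": int, "offline": int or None}.
    None marks a server that did not report offline sessions."""
    stats: Dict[str, Dict[str, Optional[int]]] = {}
    for entry in json.loads(body):
        offline_raw = entry.get("offline")
        stats[entry["clientId"]] = {
            "active": int(entry.get("active", "0")),
            "offline": None if offline_raw is None else int(offline_raw),
        }
    return stats


def flag_noisy_clients(stats: Dict[str, Dict[str, Optional[int]]],
                       max_active: int, max_offline: int) -> List[Tuple[str, str]]:
    """Return (clientId, reason) pairs for clients over either threshold,
    sorted by clientId so repeated runs produce a stable, diffable list."""
    findings: List[Tuple[str, str]] = []
    for client_id, counts in sorted(stats.items()):
        if counts["active"] > max_active:
            findings.append((client_id, f"active sessions {counts['active']} > {max_active}"))
        if counts["offline"] is None:
            # Cannot judge offline growth on servers that omit the field.
            findings.append((client_id, "offline session count not reported by server"))
        elif counts["offline"] > max_offline:
            findings.append((client_id, f"offline sessions {counts['offline']} > {max_offline}"))
    return findings


if __name__ == "__main__":
    stats = parse_client_session_stats(SAMPLE_STATS_JSON)
    for client_id, reason in flag_noisy_clients(stats, max_active=100000, max_offline=10000):
        print(f"{client_id}: {reason}")
```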
Admin Console Error Messages Are Not Internationalized
by Hossein Doutaghy
Hi,
I am using Keycloak version 6.0.1. But when I change the language to a
specific language other than English in the admin console, error messages are
still in English and not in the selected language.
Steps to reproduce:
1) Make sure "Internationalization Enabled" is "ON" for the realm
2) Go to respective realm login page, select a different language (other
than English) and login
3) Try to create a scenario where Keycloak throws an error, e.g. create a user
with a username which already exists.
4) Notice the error message is still in English not in the language you
selected at login page.
Please find attachment for error snapshot.
Is this expected behavior or a bug ? Please guide me through this.
Thank you.
6 years, 7 months
Supported MySQL versions (for KeyCloak 4.8.3 and 7.0.1)
by AMIEL Patrice
Hi everybody,
I'm trying to find documentation giving the list of MySQL versions that are supported by KeyCloak 4.8.3 and by the very latest 7.0.1, but I was not able to find it.
Can someone provide a pointer to that?
Thanks a lot!
Best regards
Patrice
6 years, 7 months
SAML implementation of Keycloak Identity Providers
by Thankam Sreedharan Vipin
Dear Keycloak team,
I have a question about the SAML implementation associated with the `Identity Providers` in Keycloak - Is it able to consume a (SAML) metadata file with many IdPs listed in it? Also I assume that it misses support for a discovery service that is necessary to handle multiple IdPs in one place. Can you please comment on the same.
I know I can manually configure single IdP in Keycloak.
Thanks in advance,
Vipin
6 years, 7 months
Keycloak issue - Wrong ECDSA signature R and S encoding
by Ori Doolman
Hi,
There is a Major bug opened since February this year, which prevents us from deploying Keycloak as an IDP, since we are using Java SpringBoot and ECDSA algorithm for signing the tokens:
https://issues.jboss.org/browse/KEYCLOAK-9651
We cannot change the signature algorithm due to other limitations.
Is there any plan to resolve that?
Can you speed it up?
Thank you,
Ori.
6 years, 7 months
unsubscribe
by Sebastian Perkins - Hoist Group - Switzerland
6 years, 7 months
resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
  -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" \
  -d '{"_id": "123-456", "type": "test", "name": "test",
       "scopes": ["sensors:create","sensors:view","sensors:update","sensors:delete"],
       "owner": "cdupont", "ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not part of the uniqueness check.
In my application database, resources with different types are stored in different collections, so two resources with different types *can* have the same ID.
How do you suggest solving this in Keycloak? By providing a Keycloak ID of the form <type>-<ID>, for example? E.g. sensor-123 and project-123 would not collide.
Cheers
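One way to apply the <type>-<ID> scheme from this post when mirroring a local database into the protection API, as an added example that is not code from the thread or from Keycloak: the planner builds the resource_set bodies and refuses a batch that Keycloak would reject, given the finding above that "_id" and "name" must each be unique and "type" is not part of either check. The records, owner and scope values are constructed.

```python
# Added example, not from the thread. Plan resource_set bodies for the
# protection API from local records whose IDs are only unique per type.
from collections import Counter

# Endpoint from the curl call in the post; the realm name is the poster's.
PROTECTION_URL = "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set"


def composite_id(rtype: str, local_id: str) -> str:
    """Keycloak-wide unique id: sensor-123 and project-123 do not collide."""
    return f"{rtype}-{local_id}"


def build_resource_set(record: dict, owner: str, prefix_name: bool = True) -> dict:
    """Build one resource_set body. Because "name" must be unique as well,
    it is namespaced by type too unless prefix_name is False."""
    name = f"{record['type']}/{record['name']}" if prefix_name else record["name"]
    return {
        "_id": composite_id(record["type"], record["id"]),
        "type": record["type"],
        "name": name,
        "scopes": list(record["scopes"]),
        "owner": owner,
        "ownerManagedAccess": True,
    }


def find_collisions(resources: list) -> dict:
    """Return the _id and name values that appear more than once. Keycloak
    would reject the second POST of any such value, whatever its type."""
    ids = Counter(r["_id"] for r in resources)
    names = Counter(r["name"] for r in resources)
    return {
        "_id": sorted(v for v, n in ids.items() if n > 1),
        "name": sorted(v for v, n in names.items() if n > 1),
    }


# Constructed sample: two collections, same local ID and same display name.
SAMPLE_RECORDS = [
    {"type": "sensor", "id": "123", "name": "test",
     "scopes": ["sensors:create", "sensors:view", "sensors:update", "sensors:delete"]},
    {"type": "project", "id": "123", "name": "test",
     "scopes": ["projects:view", "projects:update"]},
]


def plan(records: list, owner: str, prefix_name: bool = True) -> dict:
    """Return the bodies to POST plus the collisions that would block them."""
    bodies = [build_resource_set(r, owner, prefix_name) for r in records]
    return {"bodies": bodies, "collisions": find_collisions(bodies)}
```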
6 years, 7 months
Efficient per client session statistics
by Christian Becker
We've recently implemented a monitoring system that scrapes the /session-count and /offline-session-count of each client. However, we noticed that this causes huge spikes on the Infinispan nodes (200k sessions and 2M offline sessions); it is also not very efficient and requires several hundred API calls.
Is there any metric system currently available that provides this data?
We're specifically looking for the per-client values as we had several incidents with misconfigured clients that created huge amounts of sessions. And we can never rule out reoccurrence, as long as per-client or per-user session limits are implemented.
6 years, 7 months
Potential Vulnerability on Login-action endpoint
by Hossein Doutaghy
Hi,
A web security scanner found that the Keycloak Admin console is using GET with the login-actions endpoint. It points out that several parameters are visible in the URL which can be sensitive, e.g. execution_session_code, client_id.
The scanner recommends not using GET for sensitive parameters, or even better, not accepting GET parameters for the endpoint at all.
Are the parameters for login-actions really sensitive? What is the reason that this endpoint allows both GET and POST form?
Moe Doutaghy
6 years, 7 months
Connecting to the app with the access token returns 401
by Alfonso Vidal García
I am trying to connect to the Keycloak server that I deployed, in order to upload a file with another deployed web app that is connected to it.
export access_token=$(curl -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_secret=fd8187db-f7c3-4f93-a58c-a10e3865dfe5&username=afvg&password=afvg&client_id=login-app&grant_type=password' \
-v --noproxy localhost, http://localhost:8080/auth/realms/FocusocKeycloak/protocol/openid-connect... | jq --raw-output '.access_token')
curl -v -X POST \
--noproxy localhost, http://localhost:38080/api/upload \
-H "Authorization: Bearer "$access_token
In the first part I obtain the access token to use afterwards when accessing the app, but the second curl returns an Error 401:
< HTTP/1.1 401
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Length: 0
< Date: Wed, 23 Oct 2019 12:01:49 GMT
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
Is something missing?
Please consider the environment before printing this e-mail.
6 years, 7 months
Unable to acquire JDBC Connection
by Corentin Dupont
Hi guys,
I get this error:
10:36:26,890 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-5447)
javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
I use Keycloak 4.4.0-Final and MySQL.
I saw this: https://issues.jboss.org/browse/KEYCLOAK-3539
But it seems to be closed already.
My application is very permission-intensive: on each API request (100 per second), I ask Keycloak for a permission. That might be the wrong design; maybe I should cache the permissions locally?
Best,
Corentin
6 years, 7 months
keycloakd-openshift images
by Brigman, Larry
My team was trying to install the jboss/keycloak-openshift image today and we found it not to be available from docker.io.
The docker hub web page for the image is returning 404.
Any details as to why the image is gone?
====================================================
Larry Brigman
Principle Software Engineer
CommScope
1725 NW 167th Place
Beaverton, OR 97006
503.495.9386
Larry.brigman(a)commscope.com
6 years, 7 months
Keycloak SAML 2.0 /sender-vouches
by Janzen Arthur (Centris AG)
Dear Keycloak-Team,
I'd like to know if it's possible to configure SAML 2.0 sender-vouches method attribute - couldn't find any information yet.
Many thanks in advance.
Br.,
Arthur Janzen
Application Developer
Centris AG
Grabackerstrasse 3 | 4502 Solothurn
D 032 625 97 26 | T 032 625 44 44
arhur.janzen(a)centrisag.ch | www.centrisag.ch
6 years, 7 months
Spring Boot with KeyCloak CORS problem on log out
by Pavol Ozvalda
Hello, we use Keycloak 6.x and also 7.x with Java Spring Boot.
When our Angular front end sends a POST request to "/logout" of our Java app (which I think invalidates the session), our app then calls Keycloak, which invalidates the token and redirects the user with a 302 HTTP status to the Keycloak login page. The problem is that there is a CORS preflight call (OPTIONS) which blocks the further (login screen) front-end call, even if I set the Keycloak configuration properly (first "*" to disable it, which does not work, then "+" for the redirected URL, even an enumeration of all host/port combinations of our backend Java app). I cannot get a response from Keycloak that contains CORS headers.
So, once again in one sentence: there are no CORS headers from Keycloak, even though Keycloak is configured properly for this.
In Spring Boot I have:
keycloak.cors=true
keycloak.cors-max-age=1000
keycloak.cors-allowed-methods=POST,PUT,DELETE,GET
keycloak.cors-allowed-headers=ETag,Location
keycloak.cors-exposed-headers=Accept,Content-Type,If-Match,If-None-Match,Origin
Somebody described this problem here, but there is no response:
https://stackoverflow.com/questions/46220566/keycloak-cors-issue-when-bei...
Should I call logout in a different way?
Thanks for the help.
6 years, 7 months
keycloak-gatekeeper https question
by Sankar P
Hi,
I have set up keycloak and keycloak-gatekeeper as two pods in a kubernetes setup. I have set up an nginx controller to front these.
Now, when keycloak-gatekeeper is getting launched, I pass:
helm install gatekeeper --set discovery_url="http://keycloak-svc"
where `keycloak-svc` is the service URL for the keycloak service. However, when a browser request is made, this URL gets sent to the browser, where it cannot be resolved (as it is internal to the kubernetes cluster).
Instead of this URL, if I pass:
helm install gatekeeper --set discovery_url="https://ingress_ip/auth"
which is the keycloak public URL via the ingress, then there is a different issue:
https certificate for `https://ingress_ip` could not be verified.
How do I fix this? Is there any way I can ask kavach-gatekeeper to ignore certificate validation for the keycloak discovery_url?
Thanks.
--
Sankar P
http://psankar.blogspot.com
6 years, 7 months
Poll - should we have both a mailing list and a forum, or only one?
by Stian Thorgersen
We recently introduced a new Discourse forum as a place to ask for help in
the community. We believe a forum is better suited than a mailing list as
it will create a great resource of knowledge, while the mailing list is
very hard to search.
The plan was to continue with keycloak-user(a)lists.jboss.org at least for a
while to then revisit if we should drop a mailing list completely.
However, due to a lot of technical difficulties with
keycloak-user(a)lists.jboss.org (bouncing emails and users being
unsubscribed) we have decided to move away from lists.jboss.org completely.
The question now is: should we only have the Discourse forum, or should we also have a Google Groups mailing list?
The downside of having both is that the community will be fragmented, and there is a good risk that with multiple places to ask questions there are fewer people listening and ready to reply.
So we'd like to ask the community what you think. Please fill in the poll at https://forms.gle/3URYHPU2wYToJcGh8 and let us know your opinion!
6 years, 7 months
JBoss does not redirect to Keycloak login
by Alfonso Vidal García
I am using the Keycloak Quickstart app-authz-springboot to delegate all the authorization to Keycloak server,
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-sp...
If I run mvn spring-boot:run in the project and open localhost:8080, it redirects to the Spring login instead of the Keycloak one. I read in other issues that adding a web.xml to the project solves it, but it returns the following error:
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.2.0.RELEASE:run (default-cli) on project login-focusoc-web: Application finished with exit code: 1 -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.2.0.RELEASE:run (default-cli) on project login-focusoc-web: Application finished with exit code: 1 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:566) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at 
org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) Caused by: org.apache.maven.plugin.MojoExecutionException: Application finished with exit code: 1 at org.springframework.boot.maven.RunMojo.runWithForkedJvm (RunMojo.java:108) at org.springframework.boot.maven.AbstractRunMojo.doRunWithForkedJvm (AbstractRunMojo.java:284) at org.springframework.boot.maven.AbstractRunMojo.run (AbstractRunMojo.java:249) at org.springframework.boot.maven.AbstractRunMojo.execute (AbstractRunMojo.java:205) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke 
(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:566) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
The web.xml I added is,
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <module-name>login-provider-web</module-name>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>FocusocKeycloak</realm-name>
    </login-config>
    <security-role>
        <role-name>ROLE_USER</role-name>
    </security-role>
</web-app>
Can anyone help me?
6 years, 7 months
Import realm issue (KC v7.0.1)
by Ondrej Scerba
Hi,
It seems that realm import in Keycloak 7.0.1 doesn't work properly. I'm importing a realm with a client that has fullScopeAllowed set to true. The realm and client are imported, but the client has fullScopeAllowed set to false.
Ondrej
6 years, 7 months
Missing claims from custom scope
by James Mitchell
I have some custom claims which are added to the access token at login.
This is working fine, verified the token has the claims etc...
Today I have added user impersonation to the client app - it is not using
the direct "naked grant" to request a token on behalf of a user.
I get a valid token back, but it is missing the claims from the custom
client scope.
I have tried with, and without adding a scope to the request, and also
adding the client scope as default for the realm and the client - but the
claims are still not added to the token.
Suggestions?
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
6 years, 7 months
Keycloak Quickstart does not work
by Alfonso Vidal García
Hi everyone!
I just downloaded the quickstart example from git, and I am trying to deploy app-authz-springboot, and it returns:
Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.2.0.RELEASE:run (default-cli) on project app-authz-springboot: Application finished with exit code: 1 -> [Help 1]
Does anyone know what is happening?
6 years, 7 months
Error when testing email connection
by Dave B
Hi,
Fairly new to keycloak, so do help me out with logging etc.
I have logging set to info on a keycloak instance running in the docker file with a postgres database, behind an nginx proxy which terminates my SSL.
When I'm creating my realm, I want to set up an email address from which to send update-password requests etc. However, when I test the connection through the admin console I get a box which says "Error: An unexpected server error has occurred", and nothing is logged.
I need help with this as soon as anyone can, as there have been a number of issues we've had which have caused our keycloak config to go really long.
Dave
6 years, 7 months
Authorization Example Web
by Alfonso Vidal García
Hello!
I am looking for a web project example that applies the Authorization Policies from Keycloak. Does anyone know where I can find one?
Thanks in advance!
6 years, 7 months