Multiple reset credentials flows
by Arnault BESNARD
Hi,
We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credentials following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.
What is the best way to solve our issue?
Thanks in advance,
Arnault
4 years, 7 months
Lookup user by federated identity email?
by Jeffrey Sambells
I have a Keycloak instance set up with users who can log in via Google, Twitter, etc. I have another separate service (not Keycloak) that also allows login via Google. I'm trying to associate the users from one service to the other. From this other service I can get the email associated with the Google account. Is it possible to search for the Keycloak user that has the identical email address in their federated Google identity? I don't want to look up using the Keycloak-specific email as it may be different from the email associated with the federated identity.
Ideally I’m looking to do this via the REST api but didn’t see an appropriate endpoint.
Thanks,
Jeffrey
4 years, 7 months
Keycloak quickstart not working
by Alfonso Vidal García
I used this example from Keycloak Quickstarts to do a little test against my Keycloak server and see if it works.
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-sp...
For me it's not working: each time I try to connect to it through the browser it returns an Error 404.
I have this configuration in the application.properties:
server.port = 38080
keycloak.realm=FocusocKeycloak
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=login-provider-web
keycloak.public-client=false
keycloak.credentials.secret=secret
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
# Turn off the logs
logging.level.root=OFF
logging.level.org.springframework.boot=OFF
spring.main.banner-mode=OFF
And in the keycloak.json is this,
{
"realm": "FocusocKeycloak",
"auth-server-url": "http://127.0.0.1:8080/auth",
"ssl-required": "external",
"resource": "login-app",
"verify-token-audience": true,
"credentials": {
"secret": "145ca6f7-19c8-4478-b092-ba685a52d985"
},
"use-resource-role-mappings": true,
"confidential-port": 0
}
Am I wrong with anything? Or am I missing anything? I didn't change any further configuration in the project downloaded from github.
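The post above shows two adapter configuration files for the same application whose values differ (for example the `resource` value and the client secret). The script below is an added example, not code from the post or from the keycloak-quickstarts project: it parses both files, reports every field on which they disagree, and flags placeholder secrets. The sample file contents are copied from the post; the check names, the `PLACEHOLDER_SECRETS` list and the helper functions are this example's own.

```python
"""Cross-check the two Keycloak adapter configs shown in the post.

Added example (not from the post or the keycloak-quickstarts project).
The two sample documents below are copied from the question; everything
else is this example's own construction.
"""
import json

# Copied from the post's application.properties (abridged to the adapter keys)
APP_PROPERTIES = """\
server.port = 38080
keycloak.realm=FocusocKeycloak
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=login-provider-web
keycloak.public-client=false
keycloak.credentials.secret=secret
# Turn off the logs
logging.level.root=OFF
"""

# Copied from the post's keycloak.json
KEYCLOAK_JSON = """\
{
  "realm": "FocusocKeycloak",
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "login-app",
  "credentials": { "secret": "145ca6f7-19c8-4478-b092-ba685a52d985" }
}
"""

# Values that are obviously placeholders rather than a generated client secret
PLACEHOLDER_SECRETS = {"secret", "changeme", "password", ""}

ADAPTER_FIELDS = ("realm", "auth-server-url", "ssl-required", "resource", "secret")


def parse_properties(text):
    """Minimal .properties parser: 'key=value' or 'key = value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def properties_view(props):
    """Project the keycloak.* properties onto the keycloak.json field names."""
    return {
        "realm": props.get("keycloak.realm"),
        "auth-server-url": props.get("keycloak.auth-server-url"),
        "ssl-required": props.get("keycloak.ssl-required"),
        "resource": props.get("keycloak.resource"),
        "secret": props.get("keycloak.credentials.secret"),
    }


def json_view(doc):
    """Pull the same fields out of a parsed keycloak.json document."""
    view = {field: doc.get(field) for field in ADAPTER_FIELDS if field != "secret"}
    view["secret"] = (doc.get("credentials") or {}).get("secret")
    return view


def check_adapter_configs(properties_text, json_text):
    """Return a list of findings; empty when both files agree and look sane."""
    a = properties_view(parse_properties(properties_text))
    b = json_view(json.loads(json_text))
    findings = []
    for field in ADAPTER_FIELDS:
        if a[field] != b[field]:
            # never echo a secret into a report, even a mismatching one
            shown = "<redacted>" if field == "secret" else f"{a[field]!r} vs {b[field]!r}"
            findings.append(f"mismatch:{field}:{shown}")
    for source, view in (("properties", a), ("json", b)):
        if view["secret"] in PLACEHOLDER_SECRETS:
            findings.append(f"placeholder-secret:{source}")
        if view["ssl-required"] == "none":
            findings.append(f"ssl-required-none:{source}")
    return findings


if __name__ == "__main__":
    for finding in check_adapter_configs(APP_PROPERTIES, KEYCLOAK_JSON):
        print(finding)
```

Run on the post's two files, the report lists mismatches for `auth-server-url`, `resource` and the secret, and flags the literal `secret` in application.properties as a placeholder; the realm and `ssl-required` agree and produce no finding.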
4 years, 7 months
New user forum
by Stian Thorgersen
We appreciate that not everyone loves mailing lists, so we decided to start a new forum where you can ask for help.
Check it out at https://keycloak.discourse.group/
A big benefit of the forum compared to the mailing list is that we can hopefully over time build up a great resource of already asked questions.
4 years, 7 months
Docker container, why use a passworded source image?
by Max Allan
Hi,
I'm building my own keycloak container with theme etc. built in (because to run in AWS ECS attaching volumes with the theme is not really possible and I will need some other code mods later).
I notice the source OS has recently changed from a jboss image to RHEL's ubi8-minimal.
Which is fine, except that it pulls the image from a repo that requires authentication, which is a bit annoying.
Not only do you need auth, but your account needs a "subscription".
Anyone got an idea of the rationale behind using "registry.redhat.io/ubi8-minimal" instead of "registry.access.redhat.com/ubi8-minimal", which doesn't need any authentication?
It seems like an extra speed bump in the way for absolutely no reason to me!
4 years, 7 months
Does Keycloak support access control for SAML clients?
by Pavel Zinchenko
I configured a client that uses the SAML protocol. I have a lot of users imported from LDAP.
Now I was faced with the need to control access to the SAML client, but did not find out how to configure it.
Does Keycloak support access control for SAML clients? If it does, could someone help me find the documentation for the settings?
4 years, 7 months
keycloak-quickstart not working
by Alfonso Vidal García
Hello everyone!
I am trying to deploy a keycloak-quickstart, the app-authz-spring-security one, modified with my parameters, but I can't access the app through the browser; it always gives me the 404 NOT FOUND error.
I have the application.properties like this:
server.port = 38080
keycloak.realm=FocusocKeycloak
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.ssl-required=external
keycloak.resource=login-provider-web
keycloak.public-client=false
keycloak.credentials.secret=secret
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].name = protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*
# Turn off the logs
logging.level.root=OFF
logging.level.org.springframework.boot=OFF
spring.main.banner-mode=OFF
And the keycloak.json
{
"realm": "FocusocKeycloak",
"auth-server-url": "http://127.0.0.1:8080/auth",
"ssl-required": "external",
"resource": "login-app",
"verify-token-audience": true,
"credentials": {
"secret": "145ca6f7-19c8-4478-b092-ba685a52d985"
},
"use-resource-role-mappings": true,
"confidential-port": 0
}
It is the only thing that I modified. Any suggestion? Thanks in advance!
4 years, 7 months
Database problems running a clustered multi-site keycloak on MariaDB
by Doswald Alistair
Hello,
We're running into some important errors when running a keycloak on a multi-site cluster with MariaDB as our multi-master database. We have a setup similar to https://www.keycloak.org/docs/latest/server_installation/index.html#cross..., with keycloak 7.0.0 and MariaDB 10.1.37. Each site will write to its own database cluster, and we thought that MariaDB would handle the replication and transactions correctly.
It works well, until we get the following types of errors on the database, and then everything crashes:
2019-10-03 14:09:46 140205469263616 [ERROR] Slave SQL: Could not execute Delete_rows_v1 event on table cloudtrust-int-keycloak.EVENT_ENTITY; Can't find record in 'EVENT_ENTITY', Error_code: 1032; handler error HA_ERR_KEY_NOT_FOUND; the event's master log FIRST, end_log_pos 883, Internal MariaDB error code: 1032
2019-10-03 14:09:46 140205469263616 [Warning] WSREP: RBR event 2 Delete_rows_v1 apply warning: 120, 591931
2019-10-03 14:09:46 140205469263616 [Warning] WSREP: Failed to apply app buffer: seqno: 591931, status: 1
at galera/src/trx_handle.cpp:apply():351
Retrying 4th time
2019-10-03 14:09:46 140205469263616 [ERROR] Slave SQL: Could not execute Delete_rows_v1 event on table cloudtrust-int-keycloak.EVENT_ENTITY; Can't find record in 'EVENT_ENTITY', Error_code: 1032; handler error HA_ERR_KEY_NOT_FOUND; the event's master log FIRST, end_log_pos 883, Internal MariaDB error code: 1032
2019-10-03 14:09:46 140205469263616 [Warning] WSREP: RBR event 2 Delete_rows_v1 apply warning: 120, 591931
2019-10-03 14:09:46 140205469263616 [ERROR] WSREP: Failed to apply trx: source: 4f98589f-e5bd-11e9-9eb9-12b92fd5aeef version: 3 local: 0 state: APPLYING flags: 1 conn_id: 395 trx_id: 991166 seqnos (l: 18625, g: 591931, s: 591930, d: 584704, ts: 31567167461519)
2019-10-03 14:09:46 140205469263616 [ERROR] WSREP: Failed to apply trx 591931 4 times
2019-10-03 14:09:46 140205469263616 [ERROR] WSREP: Node consistency compromized, aborting...
.....................
From our analysis, it seems that a transaction was not able to be replayed, which caused the database to shut down to protect consistency. This seems to happen with race conditions from multiple writes. Looking into it we found in the following document https://galeracluster.com/library/kb/trouble/multi-master-conflicts.html this passage: "When two transactions are conflicting, the later of the two is rolled back by the cluster. The client application registers this rollback as a deadlock error. Ideally, the client application should retry the deadlocked transaction. However, not all client applications have this logic built in."
Does anyone else have a similar setup? If yes, have you encountered this problem? Is there a known resolution?
Best regards,
Alistair Doswald
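The Galera passage quoted in the post above says that a write the cluster rolls back surfaces to the client as a deadlock error and that the client is expected to retry it. The following is an added example of that retry logic; it is not Keycloak's, MariaDB's or Galera's own code. It assumes the conflict is reported as MariaDB error 1213 (ER_LOCK_DEADLOCK), uses a constructed in-memory connection so it runs offline, and the `EVENT_ENTITY` write it performs is a hypothetical stand-in with made-up column values.

```python
"""Retry a transaction that the cluster rolled back as a deadlock.

Added example (not Keycloak, MariaDB or Galera code). Assumptions: the
certification conflict reaches the client as errno 1213, and any other
error is a real failure that must not be retried blindly. The connection
below is a constructed stand-in, not a driver.
"""
import random
import time

ER_LOCK_DEADLOCK = 1213  # "Deadlock found when trying to get lock; try restarting transaction"


class DBError(Exception):
    """Mimics a driver error carrying the server's numeric error code."""

    def __init__(self, errno, msg):
        super().__init__(msg)
        self.errno = errno


class FlakyConnection:
    """Constructed stand-in: the first `conflicts` commits fail the way a
    Galera certification conflict does; later commits succeed."""

    def __init__(self, conflicts):
        self.conflicts = conflicts
        self.commits = 0
        self.rollbacks = 0
        self.rows = {}
        self._pending = None

    def begin(self):
        self._pending = dict(self.rows)

    def execute(self, table, key, value):
        self._pending[(table, key)] = value

    def commit(self):
        if self.conflicts > 0:
            self.conflicts -= 1
            raise DBError(ER_LOCK_DEADLOCK,
                          "Deadlock found when trying to get lock; try restarting transaction")
        self.rows = self._pending
        self.commits += 1

    def rollback(self):
        self.rollbacks += 1
        self._pending = None


def run_with_retry(conn, work, max_attempts=5, base_delay=0.01, sleep=time.sleep):
    """Run work(conn) inside a transaction; retry only on deadlock errors.

    Returns (result, attempts). A non-deadlock error is re-raised at once;
    the final deadlock is re-raised when attempts run out, so a write is
    never dropped silently."""
    for attempt in range(1, max_attempts + 1):
        conn.begin()
        try:
            result = work(conn)
            conn.commit()
            return result, attempt
        except DBError as exc:
            conn.rollback()
            if exc.errno != ER_LOCK_DEADLOCK or attempt == max_attempts:
                raise
            # exponential backoff with jitter so competing writers de-synchronise
            sleep(base_delay * (2 ** (attempt - 1)) * (1 + random.random()))


def record_event(conn):
    """Hypothetical write shaped like an EVENT_ENTITY insert (made-up values)."""
    conn.execute("EVENT_ENTITY", "evt-1", {"type": "LOGIN", "user": "alice"})
    return "evt-1"


if __name__ == "__main__":
    conn = FlakyConnection(conflicts=2)
    print(run_with_retry(conn, record_event))  # ('evt-1', 3)
```

The important design choice is the error-code check: only a deadlock (errno 1213) is retried, and the whole unit of work is re-executed from `begin()` rather than just the failed statement, because the cluster rolled back the entire transaction.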
4 years, 7 months