X.509 Client certificate thumbprint authentication
by Amol Bagul
Hi,
I have millions of devices connected to keycloak server to acquire access
token.
I don't have all devices added as user in Keycloak.
Can I have X.509 client certificate authentication based on the client cert
thumbprint?
How can I support this?
-Amol
5 years, 2 months
SameSite and Secure
by Matthew Broadhead
keycloak-7.0.0
Sorry if this has been asked before; I did search around.
Just yesterday I started getting this message in the JavaScript console:
```
A cookie associated with a cross-site resource at
https://secure.domain.tld/ was set without the `SameSite` attribute. A
future release of Chrome will only deliver cookies with cross-site
requests if they are set with `SameSite=None` and `Secure`. You can
review cookies in developer tools under Application>Storage>Cookies and
see more details at
https://www.chromestatus.com/feature/5088147346030592 and
https://www.chromestatus.com/feature/5633521622188032.
```
Is this because I am not passing certain headers through the httpd proxy, or
is this something that needs implementing in Keycloak?
5 years, 2 months
Why is session authentication strategy bean needed?
by Leonid Rozenblyum
Hello.
Documentation for Keycloak Spring Security adapter (
https://www.keycloak.org/docs/6.0/securing_apps/index.html#_spring_securi...
) has a paragraph:
"You must provide a session authentication strategy bean which should be of
type RegisterSessionAuthenticationStrategy for public or confidential
applications and NullAuthenticatedSessionStrategy for bearer-only
applications."
I wonder why it is a requirement for public applications?
It looks like KeycloakAuthenticationProcessingFilter is not using the
session registry itself (it just sets up sessionAuthenticationStrategy in
HttpSecurity and KeycloakAuthenticationProcessingFilter), but my question
is: why is it a 'must have' for public/confidential applications?
(this feature may be useful when concurrent sessions filter is enabled but
what if it's not in use?)
Thanks for clarifying!
5 years, 2 months
Change 403 Message
by Florian Fußeder
Hello,
Is there a way to change the message displayed in the 403 JSON response?
If I try to access a resource that I don't have the permissions for, I
get the following JSON response:
```json
{
  "timestamp": "2019-10-07T13:31:47.274+0000",
  "status": 403,
  "error": "Forbidden",
  "message": "Access to the requested resource has been denied",
  "path": "/api/"
}
```
But what I want is:
```json
{
  "timestamp": "2019-10-07T13:31:47.274+0000",
  "status": 403,
  "error": "Forbidden",
  "message": "To access these resources mail to ....",
  "path": "/v1/"
}
```
I know I could do a redirect via the policy-enforcer, but I have to avoid a
redirect.
Greetings,
Florian
5 years, 2 months
Keycloak null pointer exception on launch with a custom postgres setup
by Sankar P
Hi
I am getting the following NullPointerException when Keycloak is being
launched.
A few points about the setup. I have installed Keycloak, say k1, on one
machine with Postgres, say pg1, as the config store. Then I created a custom
realm, some users and a client scope in that setup. Then I took a dump of the
Postgres setup via:
```
kubectl exec nordic-mole-postgresql-0 -- bash -c "PGPASSWORD=pguser pg_dump -U pguser -d pgdb " > db.sql
```
Now I used the Postgres dump thus obtained to build another Postgres Docker
image, say `pg2`:
```
FROM library/postgres:11.3
ENV POSTGRES_USER pguser
ENV POSTGRES_PASSWORD pguser
ENV POSTGRES_DB pgdb
COPY db.sql /docker-entrypoint-initdb.d/
```
Now I brought up a fresh Keycloak, say k2, which talks to this
new pg2 Postgres instance via the following command.
```
helm install codecentric/keycloak -f values.yaml
```
The values.yaml contains connection details for the 2nd database:
```yaml
keycloak:
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: pgdb
    dbHost: postgres # Resolved through k8s service
    dbPort: 5432
    dbUser: pguser
    dbPassword: "pguser"
```
Now I have two questions:
1) Should I report the following crash in a bug tracker of some kind?
2) Is there a simpler, cleaner way of creating a new realm and new user via
the `values.yaml` instead of taking a dump of Postgres? Are there any good
tutorials, GitHub projects etc. that explain this?
Thanks.
The stack trace of the actual crash is below:
```
13:34:03,343 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("subsystem" => "microprofile-metrics-smallrye")]): java.lang.NullPointerException
	at org.wildfly.extension.microprofile.metrics.MicroProfileMetricsSubsystemAdd$2.execute(MicroProfileMetricsSubsystemAdd.java:86)
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
	at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1412)
	at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
	at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:472)
	at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:434)
	at org.jboss.as.server.ServerService.boot(ServerService.java:435)
	at org.jboss.as.server.ServerService.boot(ServerService.java:394)
	at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:374)
	at java.lang.Thread.run(Thread.java:748)
```
--
Sankar P
http://psankar.blogspot.com
5 years, 2 months
Web project
by Alfonso Vidal García
Hi everyone!
I am trying to build a web app and have the login go through Keycloak. At this point I have a server with Keycloak, and now I want to deploy a web app to test the login service. I am trying to make the login work, but it always returns error 404.
Does anyone have an example to test it?
Thanks in advance!
5 years, 2 months
Export the access token using mod_auth_openidc
by Nicolas Lagiewski
Hello,
The problem is as follows. I have a web application running on an Apache
server that makes a curl call to a REST service. In order to secure my
service, I need to specify the access token in the headers of my curl call,
but I don't understand how to export session information using
mod_auth_openidc. Can you help me, or explain whether it's possible to do this
operation using this module?
Thanks.
5 years, 2 months
Admin login with a company's email, authenticated by Google
by Piotr Jander
Hi all,
My team would like to disable the password-based admin account for the
admin realm, and instead grant administrative rights to anybody who logs in
with our company's email domain (@luna-lang.org). (We are a small company,
so we believe it's okay at this stage.)
Our email is hosted at Google, so we'd like to delegate login to
Google/Gmail (when logging in to the admin console with an @luna-lang.org
email).
Is this possible and does it sound like a good practice?
Thanks,
Piotr Jander
5 years, 2 months