keycloak api access
by Sankar P
Hi,
I installed a new keycloak setup using Kubernetes Helm charts:
```
helm install codecentric/keycloak
```
Now when I try to login through the web interface, I am able to login to
the keycloak setup using a `keycloak` user and an auto-generated password
(say `TsIeWcqrig2YIs`). However, when I repeat the same authenticate
request using curl, I get an HTTP 400 with the following error message
in the keycloak logs:
The curl command that I use is:
```
curl -X POST -k -v -d "username=keycloak&password=TsIeWcqrig2YIs" \
  https://example.com/auth/realms/master/login-actions/authenticate\?sessio...
```
I have tried logging in without the url parameters too and get the same
error. I got these url params from the web client when it logged in via the
front end. Is there something I am doing wrong?
The reason I want to do the API-based login is that I want to add a user
and set the password for that user after my keycloak pod is installed. I
could not find a reliable way to do this. Any pointers on how to do this?
Thanks.
--
Sankar P
http://psankar.blogspot.com
5 years, 2 months
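Creating a user and setting its password after the pod comes up is an Admin REST API job, not a login-form job. The `login-actions/authenticate` URL used in the post is the browser login form: it expects the `session_code`, `execution` and `client_id` parameters issued with the rendered login page together with the matching `AUTH_SESSION_ID` cookie, which is why a bare POST gets a 400. The script below is an added example (not code from the original post or from Keycloak): it obtains an access token from the master realm's token endpoint with the built-in public `admin-cli` client and then calls the admin API. The `KEYCLOAK_URL`, `KEYCLOAK_ADMIN_PASSWORD` and `NEW_USER_PASSWORD` environment variables, the `/auth` context path and the sample user `alice` are assumptions, not from the post.

```python
"""Create a user and set its password via the Keycloak Admin REST API.

Added example, not code from the original post or from Keycloak.
Assumptions (not from the post): the server is reached via KEYCLOAK_URL with
the /auth context path used in the post, the admin user lives in the master
realm, and the public admin-cli client is used for the password grant."""
import json
import os
import urllib.parse
import urllib.request


def token_request(base_url, realm, username, password):
    """Build the password-grant request for the realm's token endpoint."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    form = {
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }
    return url, urllib.parse.urlencode(form).encode()


def create_user_request(base_url, realm, username, email, enabled=True):
    """Build the POST that creates a user in `realm` through the admin API."""
    url = f"{base_url}/auth/admin/realms/{realm}/users"
    body = {"username": username, "email": email, "enabled": enabled}
    return url, body


def reset_password_request(base_url, realm, user_id, password, temporary=False):
    """Build the PUT that sets a user's password; temporary=True forces the
    user to pick a new password at first login."""
    url = f"{base_url}/auth/admin/realms/{realm}/users/{user_id}/reset-password"
    body = {"type": "password", "value": password, "temporary": temporary}
    return url, body


def user_id_from_location(location):
    """The create-user POST answers 201 with a Location header whose last
    path segment is the new user's id; extract it."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def _call(method, url, token=None, json_body=None, form_body=None):
    """Send one request; returns (status, Location header or None, JSON or None).
    urllib verifies the server certificate by default (the post's curl used -k)."""
    if form_body is not None:
        data, ctype = form_body, "application/x-www-form-urlencoded"
    else:
        data, ctype = json.dumps(json_body).encode(), "application/json"
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", ctype)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        payload = resp.read()
        parsed = json.loads(payload) if payload else None
        return resp.status, resp.headers.get("Location"), parsed


def bootstrap_user(base_url, admin_user, admin_password, realm, username, email, password):
    """Log in as admin, create the user, set a temporary password; returns the new id."""
    url, form = token_request(base_url, "master", admin_user, admin_password)
    _, _, tok = _call("POST", url, form_body=form)
    access = tok["access_token"]
    url, body = create_user_request(base_url, realm, username, email)
    status, location, _ = _call("POST", url, token=access, json_body=body)
    if status != 201 or not location:
        raise RuntimeError(f"user creation failed with HTTP {status}")
    uid = user_id_from_location(location)
    # temporary=True: the bootstrap password is single-use, the user chooses their own
    url, body = reset_password_request(base_url, realm, uid, password, temporary=True)
    _call("PUT", url, token=access, json_body=body)
    return uid


if __name__ == "__main__":
    base = os.environ.get("KEYCLOAK_URL")  # e.g. https://example.com (assumed)
    if base:
        new_id = bootstrap_user(base, "keycloak", os.environ["KEYCLOAK_ADMIN_PASSWORD"],
                                "master", "alice", "alice@example.com",
                                os.environ["NEW_USER_PASSWORD"])
        print("created user", new_id)
```

The access token from `admin-cli` is short-lived, so the script is suited to a one-shot post-install hook; the same three calls can be run in a Kubernetes Job once the pod reports ready.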
Themes don't deploy
by Pavel
Hello
I followed the documentation on how to deploy themes on keycloak.
I used the attached files (mytheme.jar), then copied them into the
deployments directory. The server log shows the following:
```
11:13:11,857 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "mytheme.war" (runtime-name: "mytheme.war")
11:13:12,020 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 71) WFLYUT0021: Registered web context: '/mytheme' for server 'default-server'
11:13:12,091 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "mytheme.war" (runtime-name : "mytheme.war")
```
```
[pavel@pavel-pc deployments]$ ls -tlr
total 20
-rw-r--r-- 1 pavel pavel 8888 ago 24 13:14 README.txt
-rw-r--r-- 1 pavel pavel   11 sep 30 11:13 mytheme.war.deployed
-rw-r--r-- 1 pavel pavel 3315 sep 30 11:13 mytheme.war
```
So everything is supposed to work properly, but when I go to
realm-settings and look for the theme, *nothing is there*.
I'm using Manjaro.
```
[pavel@pavel-pc ~]$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b05)
OpenJDK 64-Bit Server VM (build 25.222-b05, mixed mode)
[pavel@pavel-pc keycloak]$ ls -l
total 230444
drwxr-xr-x 10 pavel pavel 4096 ago 24 13:14 keycloak-7.0.0
```
I use the following command on Linux:
```
jar cf mytheme.jar META-INF/* mytheme/*
```
It produces the *mytheme.jar* file.
*What am I doing wrong?*
Thanks so much
Best Regards
Pavel
5 years, 2 months
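A theme archive that Keycloak can pick up from `standalone/deployments` is a `.jar` carrying a `META-INF/keycloak-themes.json` descriptor that lists each theme and its types, with the resources under `theme/<name>/<type>/` (at minimum a `theme.properties` per type). The post's log shows WildFly registering `mytheme.war` as a web context, which is how it treats any `.war`, so an archive check before copying is worthwhile. The checker below is an added example (not code from the original post or from Keycloak); the in-memory archive it builds is constructed for the check, and only the theme name `mytheme` is taken from the post.

```python
"""Validate a Keycloak theme archive before deploying it.

Added example, not code from the original post or from Keycloak. The sample
archive is constructed in memory; only the theme name comes from the post."""
import io
import json
import zipfile

DESCRIPTOR = "META-INF/keycloak-themes.json"


def build_archive(entries):
    """Construct a zip/jar in memory from a {path: text} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


def build_sample_theme_jar(name="mytheme", types=("login",)):
    """Construct an archive with the layout the Keycloak docs describe."""
    entries = {DESCRIPTOR: json.dumps({"themes": [{"name": name, "types": list(types)}]})}
    for t in types:
        entries[f"theme/{name}/{t}/theme.properties"] = "parent=keycloak\n"
    return build_archive(entries)


def check_theme_archive(filename, data):
    """Return a list of problems; an empty list means the layout matches the docs."""
    problems = []
    if not filename.lower().endswith(".jar"):
        problems.append(f"{filename}: documented packaging is a .jar; WildFly deploys a .war as a web app")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + [f"{filename}: not a zip/jar archive"]
    names = set(zf.namelist())
    if DESCRIPTOR not in names:
        return problems + [f"{filename}: missing {DESCRIPTOR}"]
    try:
        desc = json.loads(zf.read(DESCRIPTOR))
    except ValueError:
        return problems + [f"{filename}: {DESCRIPTOR} is not valid JSON"]
    themes = desc.get("themes") if isinstance(desc, dict) else None
    if not themes:
        return problems + [f"{filename}: descriptor declares no themes"]
    for theme in themes:
        name = theme.get("name")
        if not name:
            problems.append(f"{filename}: theme entry without a name")
            continue
        for t in theme.get("types", []):
            # each declared type needs its own directory with a theme.properties
            path = f"theme/{name}/{t}/theme.properties"
            if path not in names:
                problems.append(f"{filename}: {path} missing for declared type '{t}'")
    return problems


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        with open(arg, "rb") as fh:
            found = check_theme_archive(arg, fh.read())
        print(arg, "OK" if not found else "\n  ".join([""] + found))
```

Run it as `python check_theme.py mytheme.jar` (file name assumed) before copying the archive into `standalone/deployments`; a clean result plus the `.deployed` marker is what you expect before the theme shows up in realm settings.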
Different Authenticator Behavior for Registering via 'protocol/openid-connect' vs '/login-actions'
by Harness, Josh
Hello -
Given a client and an authentication flow override specified for that client, when you register using the following default registration URL, the override seems to be skipped and the login succeeds without using the override:
/auth/realms/{realm}/login-actions/registration?client_id={client}
However, when you register using the following openid-connect URL, the authentication flow override executes successfully:
/auth/realms/{realm}/protocol/openid-connect/registrations?client_id={client}
Is this a bug or is it by design? Out of curiosity, what is the intended difference between the login-actions vs the openid-connect registration URL?
Thanks!
______________________________________
Josh Harness
Principal Software Architect | JTV
9600 Parkside Drive | Knoxville, TN 37922
Email: Josh.Harness(a)jtv.com | https://www.jtv.com/
Knoxville-Bangkok-Jaipur-Mumbai-Hong Kong
5 years, 2 months
Validating User Password Prior to Allowing Account Updates
by Harness, Josh
Hello -
To enforce a higher level of security, we want to require the user to supply their password whenever they update their profile in the account application of keycloak (e.g. email, first name, last name). Ideally, we'd want the password submitted along with the profile changes. If the password validates, then the profile is allowed to be updated (similar to how the update password screen works currently).
How would I accomplish this? The AccountFormService seems to be the class handling this but there appears to be no SPI for extending it. I did find the following JIRA but am unsure if the proposed profile SPI would accomplish what we need:
https://issues.jboss.org/browse/KEYCLOAK-2966
Any tips or pointers would be most appreciated.
Thanks!
______________________________________
Josh Harness
Principal Software Architect | JTV
9600 Parkside Drive | Knoxville, TN 37922
Email: Josh.Harness(a)jtv.com | https://www.jtv.com/
Knoxville-Bangkok-Jaipur-Mumbai-Hong Kong
5 years, 2 months
User Session Reset
by Мартынов Илья
Hello,
I am trying to implement the following scenario with KC. We have two
applications, SP1 and SP2, that use KC. KC has an identity broker pointing to
an external IDP. Desired scenario:
1. The user agent goes to SP1 and is redirected to KC and then to extIDP.
2. The user authenticates in extIDP and is redirected to KC and then to SP1
with some attributes from extIDP.
3. SP1 creates a user entity in SP2 based on attributes from extIDP and
attributes collected by SP1.
4. The user entity in SP2 is synced to the user federation store used by KC.
5. The user should be able to SSO to SP2. The session in SP2 should obtain
the attributes set by SP1.
The problem is that two different user entities (instances of UserModel) are
created in KC at steps #2 and #4. I plan to drop the 1st entity and set up
identity federation with extIDP for the 2nd entity. But we also need to change
the user session in KC; it should contain the 2nd user entity's data.
Otherwise SSO to SP2 won't work.
Surprisingly, I've found a
method org.keycloak.models.UserSessionModel#restartSession that looks like
it does the job. I plan to add a custom Authenticator and call the session
reset from there.
What do you think, will it work?
Thank you
5 years, 2 months
SQL User Storage SPI provider
by Isaac Carroll
Has anyone written a generic User Store SPI provider that accesses an SQL
database such as PostgreSQL? I know it's possible to write my own, but if
one already exists it would be very helpful.
Thank you.
5 years, 2 months
Version
by Corentin Dupont
Hi guys,
just a quick (fun) question: what's happening with Keycloak versions??
They seem to fly these days... Versions 3 and 4 stayed around 1 year each,
but in a couple of months we got versions 5, 6 and 7...
Cheers
5 years, 2 months
Regression in import of Authentication Required Action in version 7.0.0
by Wisniewski Mariusz
It seems that there is a regression in the import of "Required Actions".
I have made the following test:
I import a new realm (json file) with required actions that each have a "priority" value.
The order is respected in version 6.0.1, but it isn't in version 7.0.0.
Can anyone reproduce this problem and confirm there is indeed a regression?
Greetings.
Mariusz Wisniewski
5 years, 2 months
How can I import client with scope?
by Axel
Hello.
I'm searching for a way to import clients. But I need to limit their scope.
Neither partial import nor the CLI knows about scope...
In the admin console this JSON imports only the client, without the scope:
```
{
  "scopeMappings": [
    {
      "client": "testClient",
      "roles": [
        "testRole"
      ]
    }
  ],
  "clients": [
    {
      "clientId": "testClient"
    }
  ]
}
```
In the CLI:
```
kcadm get scopeMappings -r TestRPT
Resource not found
```
I can insert directly into the DB
```
INSERT INTO SCOPE_MAPPING (......
```
but it makes no sense, because KC then needs to be rebooted.
So, is there a way to import a client with scope, or to add roles to the scope
of an existing client on the fly?
And one more big question: why are the comboboxes in the admin console not
resizable? Only 5 visible elements is very little.
Thanks in advance.
Alexey Makarevich.
5 years, 2 months
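Adding realm roles to the scope of an existing client on a running server can be done through the per-client scope-mapping resource of the Admin REST API rather than the realm import or the database table; nothing has to be restarted. The script below is an added example (not code from the original post or from Keycloak). It assumes the caller already holds an admin access token (for instance from the master realm token endpoint with the `admin-cli` client), that the server is reached via `KEYCLOAK_URL` with the `/auth` context path, and that `KEYCLOAK_TOKEN` carries the token; the realm `TestRPT`, client `testClient` and role `testRole` are the ones from the post.

```python
"""Add realm roles to an existing client's scope via the Admin REST API.

Added example, not code from the original post or from Keycloak.
Assumptions (not from the post): an admin access token is already available,
and the server is reached via KEYCLOAK_URL with the /auth context path."""
import json
import os
import urllib.parse
import urllib.request


def find_client_url(base_url, realm, client_id):
    """Admin API query returning the client(s) whose clientId matches."""
    query = urllib.parse.urlencode({"clientId": client_id})
    return f"{base_url}/auth/admin/realms/{realm}/clients?{query}"


def realm_role_url(base_url, realm, role_name):
    """Admin API resource for a realm role looked up by name."""
    return f"{base_url}/auth/admin/realms/{realm}/roles/{urllib.parse.quote(role_name, safe='')}"


def scope_mapping_request(base_url, realm, client_uuid, roles):
    """Build the POST that adds realm roles to a client's scope.
    `roles` are role representations as returned by the roles resource;
    the body only needs id and name."""
    url = f"{base_url}/auth/admin/realms/{realm}/clients/{client_uuid}/scope-mappings/realm"
    body = [{"id": r["id"], "name": r["name"]} for r in roles]
    return url, body


def _request(method, url, token, body=None):
    """Send one bearer-authenticated request; returns (status, JSON or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        payload = resp.read()
        return resp.status, (json.loads(payload) if payload else None)


def add_realm_roles_to_client_scope(base_url, realm, token, client_id, role_names):
    """Resolve the client's internal id and the roles by name, then post the
    scope mapping; returns the HTTP status (Keycloak answers 204 on success)."""
    _, clients = _request("GET", find_client_url(base_url, realm, client_id), token)
    if not clients:
        raise LookupError(f"no client with clientId {client_id!r} in realm {realm!r}")
    client_uuid = clients[0]["id"]
    roles = [_request("GET", realm_role_url(base_url, realm, n), token)[1] for n in role_names]
    url, body = scope_mapping_request(base_url, realm, client_uuid, roles)
    status, _ = _request("POST", url, token, body)
    return status


if __name__ == "__main__":
    base, token = os.environ.get("KEYCLOAK_URL"), os.environ.get("KEYCLOAK_TOKEN")
    if base and token:
        print(add_realm_roles_to_client_scope(base, "TestRPT", token, "testClient", ["testRole"]))
```

The lookup by `clientId` is needed because the scope-mapping path takes the client's internal id, not the `clientId` shown in the console; the same three requests are what `kcadm.sh` performs against these resources.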
Spring boot 2.1.8 and keycloak 7 fails to start (HttpSessionManager.class] conflict)
by nino martinez wael
I've tried to create a JIRA issue, but there are some troubles with my
Red Hat / Keycloak JIRA account. I could not find an existing issue.
Quickstart:
https://github.com/nmwael/blog/tree/master/keycloak_7_spring_boot_2
Failure message, which seems to have been a problem before:
```
  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.1.8.RELEASE)

***************************
APPLICATION FAILED TO START
***************************

Description:

The bean 'httpSessionManager', defined in class path resource
[com/johannesinnerbichler/personapp/SecurityConfig.class], could not be
registered. A bean with that name has already been defined in URL
[jar:file:/C:/Users/m24669/.m2/repository/org/keycloak/keycloak-spring-security-adapter/7.0.0/keycloak-spring-security-adapter-7.0.0.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]
and overriding is disabled.

Action:

Consider renaming one of the beans or enabling overriding by setting
spring.main.allow-bean-definition-overriding=true

Process finished with exit code 1
```
--
Best regards / Med venlig hilsen
Nino Martinez
5 years, 2 months