resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
  -H "Authorization: Bearer $CLIENTTOKEN" \
  -H "Content-Type: application/json" \
  -d '{"_id": "123-456", "type": "test", "name": "test",
       "scopes": ["sensors:create","sensors:view","sensors:update","sensors:delete"],
       "owner": "cdupont", "ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not used in the uniqueness check.
In my application database, resources with different types are stored in
different collections, so two resources with different types *can* have the
same ID.
How do you suggest solving this in Keycloak? Providing a Keycloak ID of
the form <type>-<ID>, for example? E.g. sensor-123 and project-123 would not
collide.
Cheers
4 years, 11 months
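As an added example (not code from the post above or from the Keycloak project), the following script maps records from typed application collections onto Protection API resource representations using the "<type>-<id>" scheme, and refuses to emit anything if two records would map to the same Keycloak "_id" or "name". The collection names, scopes other than the sensors:* ones, the "displayName" usage and the sample rows are assumptions constructed for the example; the endpoint and the $CLIENTTOKEN bearer are the ones from the post.

```python
"""Build Keycloak resource_set payloads with collision-free composite ids.

Added example; not the original poster's code nor Keycloak's. Assumes each
application record has a per-collection "id" and that Keycloak "_id" and
"name" are both built as "<type>-<id>".
"""
import json
from typing import Dict, Iterable, List, Tuple

# Scopes per application collection (constructed; the post only lists sensors:*).
SCOPES: Dict[str, List[str]] = {
    "sensor": ["sensors:create", "sensors:view", "sensors:update", "sensors:delete"],
    "project": ["projects:create", "projects:view", "projects:update", "projects:delete"],
}

# Constructed sample rows: two collections, same local id "123" in each.
SAMPLE_RECORDS: List[Tuple[str, dict]] = [
    ("sensor", {"id": "123", "name": "Temperature sensor"}),
    ("project", {"id": "123", "name": "Smart farm"}),
]


def keycloak_id(rtype: str, local_id: str) -> str:
    """Composite Keycloak id "<type>-<id>"; the type prefix keeps ids from
    different collections distinct even when the local ids coincide."""
    if not rtype or "-" in rtype or not local_id:
        raise ValueError(f"bad type/id: {rtype!r}/{local_id!r}")
    return f"{rtype}-{local_id}"


def split_keycloak_id(kc_id: str) -> Tuple[str, str]:
    """Inverse of keycloak_id. Split on the first '-' only, because the
    application's own ids (e.g. "123-456") may contain dashes."""
    rtype, local_id = kc_id.split("-", 1)
    return rtype, local_id


def find_collisions(records: Iterable[Tuple[str, dict]]) -> List[str]:
    """Composite ids that would be sent twice. "_id" and "name" are built from
    the same composite, so checking ids covers names as well."""
    seen, dupes = set(), []
    for rtype, rec in records:
        rid = keycloak_id(rtype, str(rec["id"]))
        if rid in seen and rid not in dupes:
            dupes.append(rid)
        seen.add(rid)
    return dupes


def build_resources(records: List[Tuple[str, dict]], owner: str) -> List[dict]:
    """Resource representations for POST .../authz/protection/resource_set.
    Fails before anything is sent if two records share a composite id."""
    dupes = find_collisions(records)
    if dupes:
        raise ValueError(f"duplicate Keycloak resource ids: {dupes}")
    out = []
    for rtype, rec in records:
        rid = keycloak_id(rtype, str(rec["id"]))
        out.append({
            "_id": rid,
            "name": rid,                          # name must be unique too: reuse the composite
            "displayName": rec.get("name", rid),  # human-readable label (assumed field), not part of uniqueness
            "type": rtype,
            "scopes": SCOPES[rtype],
            "owner": owner,
            "ownerManagedAccess": True,
        })
    return out


def as_curl(payload: dict, realm: str = "waziup", base: str = "http://localhost:8080/auth") -> str:
    """Render one payload as the curl call from the post (token from $CLIENTTOKEN)."""
    return (f"curl -X POST '{base}/realms/{realm}/authz/protection/resource_set' "
            f"-H 'Authorization: Bearer $CLIENTTOKEN' -H 'Content-Type: application/json' "
            f"-d '{json.dumps(payload)}'")


if __name__ == "__main__":
    for p in build_resources(SAMPLE_RECORDS, "cdupont"):
        print(as_curl(p))
```

Running it prints one curl command per record, with `sensor-123` and `project-123` as distinct ids; the collision check runs before any request so a sync job never half-completes against Keycloak.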
Efficient per client session statistics
by Christian Becker
We've recently implemented a monitoring system that scrapes the /session-count and /offline-session-count of each client. However, we noticed that this causes huge spikes on the Infinispan nodes (200k sessions and 2M offline sessions); it is also not very efficient and requires several hundred API calls.
Is there any metric system currently available that provides this data?
We're specifically looking for the per-client values, as we had several incidents with misconfigured clients that created huge amounts of sessions. And we can never rule out a recurrence, as long as per-client or per-user session limits are implemented.
4 years, 11 months
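An added example, not code from the post above or from Keycloak: it collects per-client active and offline counts from one admin call per realm instead of two calls per client, flags clients above a threshold, and renders the result as Prometheus text. It assumes the admin endpoint GET /auth/admin/realms/{realm}/client-session-stats and a response of the form [{"id","clientId","active","offline"}] with counts as strings (check this against your Keycloak version); the sample body, realm name and thresholds are constructed. Whether the single call is lighter on Infinispan than the per-client ones is something to measure, not something this script proves.

```python
"""Per-client session counts from the realm-wide client-session-stats call.

Added example; not the poster's monitoring code nor Keycloak's. The endpoint
shape is assumed as described in the lead-in; SAMPLE_STATS is constructed.
"""
import json
import urllib.request
from typing import Dict, List

SAMPLE_STATS = json.dumps([  # constructed response body
    {"id": "1a2b", "clientId": "account", "active": "120", "offline": "3400"},
    {"id": "9f8e", "clientId": "mobile-app", "active": "180000", "offline": "1900000"},
    {"id": "7c6d", "clientId": "reporting", "active": "40", "offline": "0"},
])


def fetch_client_session_stats(base_url: str, realm: str, admin_token: str) -> str:
    """One GET per realm (assumed endpoint). Not called in the offline demo."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/client-session-stats",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def parse_client_session_stats(body: str) -> Dict[str, Dict[str, int]]:
    """clientId -> {"active": n, "offline": n}; counts arrive as strings."""
    rows = json.loads(body)
    return {
        r["clientId"]: {"active": int(r["active"]), "offline": int(r.get("offline", 0))}
        for r in rows
    }


def clients_over_limit(stats: Dict[str, Dict[str, int]],
                       active_limit: int, offline_limit: int) -> List[str]:
    """Clients that exceed either limit, sorted; the alerting hook for
    'one misconfigured client created a flood of sessions'."""
    return sorted(c for c, v in stats.items()
                  if v["active"] > active_limit or v["offline"] > offline_limit)


def prometheus_lines(stats: Dict[str, Dict[str, int]], realm: str) -> str:
    """Text exposition format so a scraper can keep the per-client time series."""
    lines = ["# TYPE keycloak_client_sessions gauge"]
    for client, v in sorted(stats.items()):
        for kind in ("active", "offline"):
            lines.append(
                f'keycloak_client_sessions{{realm="{realm}",client="{client}",kind="{kind}"}} {v[kind]}'
            )
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed body; swap in fetch_client_session_stats(...) for real use.
    stats = parse_client_session_stats(SAMPLE_STATS)
    print(prometheus_lines(stats, "myrealm"))
    print("over limit:", clients_over_limit(stats, 50_000, 500_000))
```

The limits are the operational knob: pick them from the normal per-client baseline so that a client suddenly holding an order of magnitude more sessions than usual pages someone before the cluster does.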
unsubscribe
by Sebastian Perkins - Hoist Group - Switzerland
4 years, 11 months
Potential Vulnerability on Login-action endpoint
by Hossein Doutaghy
Hi,
A web security scanner found that the Keycloak Admin console is using GET with the
login-actions endpoint. It points out that several parameters are visible in the
URL which can be sensitive, e.g. execution_session_code, client_id.
The scanner recommends not using GET for sensitive parameters, or even better
not accepting GET parameters for the endpoint at all.
Are the parameters for login-actions really sensitive? What is the reason
that this endpoint allows both GET and POST forms?
Moe Doutaghy
4 years, 11 months
Connecting to the app with the access token returns 401
by Alfonso Vidal García
I am trying to connect to the Keycloak server that I deployed, in order to upload a file with another web app that is deployed and connected to it.
export access_token=$(curl -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_secret=fd8187db-f7c3-4f93-a58c-a10e3865dfe5&username=afvg&password=afvg&client_id=login-app&grant_type=password' \
  -v --noproxy localhost, http://localhost:8080/auth/realms/FocusocKeycloak/protocol/openid-connect... | jq --raw-output '.access_token')

curl -v -X POST \
  --noproxy localhost, http://localhost:38080/api/upload \
  -H "Authorization: Bearer $access_token"
In the first part I obtain the access token in order to use it afterwards when accessing the app, but the second curl returns a 401 error:
< HTTP/1.1 401
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Length: 0
< Date: Wed, 23 Oct 2019 12:01:49 GMT
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
Is something missing?
4 years, 11 months
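When a resource server answers 401 to a bearer token, the first thing to check is what the token actually says, since the usual causes are an expired token, an issuer the API does not trust, or an audience/azp that does not name the API. The script below is an added example, not the poster's code and not part of Keycloak: it decodes the JWT payload without verifying the signature (diagnostics only, never for authorization) and reports which of those checks fail. The token is constructed inline with a throwaway HS256 key purely so the example runs offline; Keycloak issues RS256 tokens. The claims chosen (iss for the FocusocKeycloak realm, azp "login-app", aud "account") mirror what a password grant to a client typically yields when no audience mapper has been added; the expected audience "upload-api" is an assumed name for the API.

```python
"""Decode and sanity-check an access token's claims before blaming the API.

Added example; not the original poster's code and not Keycloak's. No
signature verification is done here: that is deliberate for a diagnostic
and must never be copied into an authorization path.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, key: bytes = b"demo-only-key") -> str:
    """Constructed HS256 token so the example is self-contained (Keycloak uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Payload only, NO signature check: fine for reading claims, not for trusting them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_issuer: str, expected_audience: str,
             now: Optional[float] = None) -> List[str]:
    """Return human-readable reasons a resource server would reject this token."""
    now = time.time() if now is None else now
    c = decode_claims(token)
    problems = []
    if c.get("iss") != expected_issuer:
        problems.append(f"issuer {c.get('iss')!r} != expected {expected_issuer!r}")
    exp = c.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp})")
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in aud and c.get("azp") != expected_audience:
        problems.append(f"audience {aud} / azp {c.get('azp')!r} does not name {expected_audience!r}")
    return problems


if __name__ == "__main__":
    issuer = "http://localhost:8080/auth/realms/FocusocKeycloak"
    demo = make_demo_token({  # constructed claims
        "iss": issuer, "aud": "account", "azp": "login-app",
        "preferred_username": "afvg", "exp": int(time.time()) + 300,
    })
    print(json.dumps(decode_claims(demo), indent=2))
    for p in diagnose(demo, issuer, "upload-api"):
        print("problem:", p)
```

If the only reported problem is the audience, the fix is on the Keycloak side (an audience mapper or a realm/client configuration that adds the API to `aud`) or in the resource server's expected audience, not in the curl command.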
Unable to acquire JDBC Connection
by Corentin Dupont
Hi guys,
I get this error:
10:36:26,890 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-5447) javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
I use Keycloak 4.4.0-Final and MySQL.
I saw this: https://issues.jboss.org/browse/KEYCLOAK-3539
But it seems to be closed already.
My application is very permission-intensive: on each API request (100 per
second), I request a Keycloak permission. That might be a wrong design; maybe I
should cache the permissions locally?
Best,
Corentin
4 years, 11 months
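The question of caching permission decisions locally deserves a concrete shape, so here is an added example (not the poster's code and not part of Keycloak): a short-TTL cache in front of whatever call the application makes to Keycloak for a decision, keyed by a hash of the bearer token plus resource and scope, with cached grants bounded by the token's own exp and an explicit invalidation hook. The evaluator it wraps is a constructed stand-in for the real round trip (UMA ticket grant or Protection API), and the policy table, token strings and request rates are made up; the point is the reduction in backend calls and the staleness bound, not the decision logic.

```python
"""Short-TTL cache of permission decisions in front of Keycloak.

Added example; not the poster's code nor Keycloak's. `demo_evaluate` stands
in for the real Keycloak call. Design constraints encoded here:
  * keys hold SHA-256(token), not the raw bearer token;
  * a cached grant never outlives the token's exp claim;
  * ttl is the worst-case delay before a revocation or policy change bites,
    so it is seconds, not minutes.
"""
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, str, str]


class PermissionCache:
    def __init__(self, evaluate: Callable[[str, str, str], bool],
                 ttl_seconds: float = 5.0,
                 clock: Callable[[], float] = time.time,
                 max_entries: int = 10_000) -> None:
        self._evaluate = evaluate
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so tests and simulations can fake time
        self._max = max_entries
        self._store: Dict[Key, Tuple[bool, float]] = {}
        self.backend_calls = 0       # how many times Keycloak was actually asked

    @staticmethod
    def _key(access_token: str, resource: str, scope: str) -> Key:
        return (hashlib.sha256(access_token.encode()).hexdigest(), resource, scope)

    def allowed(self, access_token: str, resource: str, scope: str,
                token_exp: Optional[float] = None) -> bool:
        now = self._clock()
        key = self._key(access_token, resource, scope)
        hit = self._store.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.backend_calls += 1
        decision = bool(self._evaluate(access_token, resource, scope))
        expires = now + self._ttl
        if token_exp is not None:
            expires = min(expires, token_exp)   # never trust a grant past the token's life
        if len(self._store) >= self._max:
            self._store.pop(next(iter(self._store)))   # crude FIFO eviction
        self._store[key] = (decision, expires)
        return decision

    def invalidate_token(self, access_token: str) -> int:
        """Drop every entry for one token (logout, back-channel revocation)."""
        h = hashlib.sha256(access_token.encode()).hexdigest()
        doomed = [k for k in self._store if k[0] == h]
        for k in doomed:
            del self._store[k]
        return len(doomed)


# Constructed stand-in for the real Keycloak decision; the real evaluator
# would also reject an expired or revoked token on its own.
_DEMO_POLICY = {("sensor-123", "sensors:view"): True,
                ("sensor-123", "sensors:delete"): False}


def demo_evaluate(access_token: str, resource: str, scope: str) -> bool:
    return _DEMO_POLICY.get((resource, scope), False)


def simulate(requests_per_second: int, seconds: int, ttl: float) -> Tuple[int, int]:
    """Replay identical authorised requests against a fake clock;
    returns (requests served, Keycloak calls made)."""
    t = [0.0]
    cache = PermissionCache(demo_evaluate, ttl_seconds=ttl, clock=lambda: t[0])
    served = 0
    for i in range(requests_per_second * seconds):
        t[0] = i / requests_per_second
        if cache.allowed("eyJ.demo.token", "sensor-123", "sensors:view"):
            served += 1
    return served, cache.backend_calls


if __name__ == "__main__":
    print("served, backend calls:", simulate(100, 10, 5.0))
```

With the post's 100 requests per second and a 5 s TTL, ten seconds of traffic costs two Keycloak calls instead of a thousand, which is the difference between a connection pool that idles and one that times out after 30 s. The caveat is the TTL itself: for the cached window a revoked token or a changed policy still works, so keep it short and pair it with `invalidate_token` on logout. Caching is also not a substitute for sizing the datasource pool to the real concurrency the server sees.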
keycloak-openshift images
by Brigman, Larry
My team was trying to install the jboss/keycloak-openshift image today and we found it not to be available from docker.io.
The docker hub web page for the image is returning 404.
Any details as to why the image is gone?
====================================================
Larry Brigman
Principal Software Engineer
CommScope
1725 NW 167th Place
Beaverton, OR 97006
503.495.9386
Larry.brigman(a)commscope.com
4 years, 11 months
Keycloak SAML 2.0 /sender-vouches
by Janzen Arthur (Centris AG)
Dear Keycloak-Team,
I'd like to know whether it's possible to configure the SAML 2.0 sender-vouches method attribute; I couldn't find any information on it yet.
Many thanks in advance.
Br.,
Arthur Janzen
Application Developer
Centris AG
Grabackerstrasse 3 | 4502 Solothurn
D 032 625 97 26 | T 032 625 44 44
arhur.janzen(a)centrisag.ch | www.centrisag.ch
4 years, 11 months
Spring Boot with KeyCloak CORS problem on log out
by Pavol Ozvalda
Hello, we used Keycloak 6.x and also 7.x with Java Spring Boot.
When our Angular front end sends a POST request to "/logout" of our Java app (which I think invalidates the session), our app then calls Keycloak, which invalidates the token and redirects the user with a 302 HTTP status to the Keycloak login page. The problem is that there is a CORS preflight call (OPTIONS) which blocks the further (login screen) frontend call, even if I set the Keycloak configuration properly (first "*", to disable it, does not work; then "+" for the redirected URL; even an enumeration of all host/port combinations of our backend Java app). I cannot get the response from Keycloak to contain CORS headers.
So, once again in one sentence: there are no CORS headers from Keycloak, even though Keycloak is configured properly for this.
In Spring Boot I have:
keycloak.cors=true
keycloak.cors-max-age=1000
keycloak.cors-allowed-methods=POST,PUT,DELETE,GET
keycloak.cors-allowed-headers=ETag,Location
keycloak.cors-exposed-headers=Accept,Content-Type,If-Match,If-None-Match,Origin
Somebody described this problem here, but there was no response:
https://stackoverflow.com/questions/46220566/keycloak-cors-issue-when-bei...
Should I call logout in a different way?
Thanks for the help.
4 years, 11 months