Can't add second admin user of realm Keycloak
by Roman Ok
There are realms in Keycloak: master and custom. Both have admin users.
Custom realm admin adds new user new_admin and assigns role admin to him via admin console.
The user can access his account details at auth/realms/custom/account/.
However, the error "Forbidden: You don't have access to the requested resource" pops up when the new_admin user tries to enter the realm administration console at auth/admin/custom/console/.
The same issue happens even when master realm admin adds new admin user to custom realm.
I'm using Keycloak 4.3.0.
Is it a bug, or can't a realm have two admins?
5 years, 2 months
Re: [keycloak-user] [keycloak-dev] Keycloak 7.0.1 Released
by Stian Thorgersen
We only include CVEs and major regressions in micro releases. We simply
don't have the capacity to backport all bug fixes.
The next release will be Keycloak 8.0.0, which should be out in a few weeks.
On Wed, 16 Oct 2019 at 18:27, Jon Koops <jonkoops(a)gmail.com> wrote:
> Hi Stian,
>
> I've been working on getting the update in for Keycloak Angular and I
> noticed that an essential commit with a fix for the TypeScript definitions
> has not been included in the JavaScript Adapter. I am referring
> specifically to the following commit:
> https://github.com/keycloak/keycloak/commit/bc5b4de79e4d30630042216d686a2...
> .
>
> The TypeScript definition as before this commit incorrectly defaults to a
> native PromiseType instead of legacy promises. This results in broken
> builds for any application using TypeScript with what is perfectly
> functioning code.
>
> Regards,
> Jon
>
> On Wed, Oct 16, 2019 at 5:07 PM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> This release contains a number of CVE fixes as well as 3 items worthy of
>> highlighting:
>>
>> * Container image base image has changed due to lack of CVE fixes in
>> previous base image
>> * Fixes keycloak.js issue when used in module environment
>> * Removes support for uploading custom JavaScript providers over REST.
>> Custom JavaScript providers now have to be uploaded to the Keycloak server
>> directly
5 years, 2 months
Keycloak 7.0.1 Released
by Stian Thorgersen
This release contains a number of CVE fixes as well as 3 items worthy of
highlighting:
* Container image base image has changed due to lack of CVE fixes in
previous base image
* Fixes keycloak.js issue when used in module environment
* Removes support for uploading custom JavaScript providers over REST.
Custom JavaScript providers now have to be uploaded to the Keycloak server
directly
5 years, 2 months
Facebook Identity provider causes error: different_user_authenticated
by Mariusz Chruscielewski - INFO
Hi, we have an error on a website that is secured by the Keycloak Tomcat adapter.
Prerequisites:
- 2 facebook accounts, both linked to website
Steps:
- Remove all cookies for website – start as clean new user
- Login to facebook
- Login to website using facebook identity provider
- All works fine
- Logout from facebook (Don't logout from website)
- Close browser tab with website and do not reopen for at least 1 hour
- Wait some time (above 1 hour) so the browser session is gone, and only Keycloak remembers that you were logged in
- go back to website
- you will be redirected to facebook login page
- login with ANOTHER Account
- BANG ! 500 error
- Keycloak logs:
2019-10-16 10:43:12,214 WARN [org.keycloak.events] (default task-1441) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=vi, clientId=vinl, userId=9c865fb5-531a-4bec-9589-254c89234b8f, ipAddress=88.88.888.8, error=different_user_authenticated, identity_provider=facebook, consent=no_consent_required, previous_user=7e516fef-7d06-4f74-8816-b6519eb86b75, identity_provider_identity=tomlxxxxxx(a)xxxxxx.xx, code_id=39284d1d-1ad8-4710-bb8e-520dace03a7e
It looks like Keycloak has a problem because the earlier session was not logged out and the identity provider account changed. Can we do anything about it? We have set “remember me” to true and made a redirect filter, so that if a user has remember me set and should be logged into Keycloak, the website will redirect him to a place where the adapter can perform login. Apparently at that step, Keycloak detects that the FB session has been terminated, so it redirects you to the login screen. I also got information that this might happen for the same FB account, when a user doesn’t use the PC for a few days and then tries to visit our website. Is that anything we can fix in Keycloak configuration?
Kind regards
Mariusz Chruścielewski
5 years, 2 months
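Added example (not part of the original post and not Keycloak code): a small Python parser for event lines in the layout quoted in the post above, which picks out IDENTITY_PROVIDER_LOGIN_ERROR events with error=different_user_authenticated so their frequency and the affected users can be tracked. The sample lines are constructed, and splitting fields on ", " is an assumption based on the single line shown.

```python
import re

# Constructed sample in the layout of the log line quoted in the post;
# all identifiers and addresses below are made up for this example.
SAMPLE_LOG = """\
2019-10-16 10:41:02,101 WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=demo, clientId=web, userId=null, ipAddress=192.0.2.10, error=invalid_user_credentials
2019-10-16 10:43:12,214 WARN [org.keycloak.events] (default task-1441) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=demo, clientId=web, userId=aaaa-1111, ipAddress=192.0.2.20, error=different_user_authenticated, identity_provider=facebook, previous_user=bbbb-2222
2019-10-16 10:50:00,000 INFO [org.jboss.as] (main) unrelated server line
"""

EVENT_LINE = re.compile(
    r"^(?P<time>\S+ \S+)\s+(?P<level>\w+)\s+\[org\.keycloak\.events\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)

def parse_event(line):
    """Return the event's key=value fields as a dict, or None for other lines."""
    m = EVENT_LINE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "level": m.group("level")}
    # Assumption: fields are separated by ", " and values contain no ", ".
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event

def account_switch_events(log_text):
    """Collect IDENTITY_PROVIDER_LOGIN_ERROR / different_user_authenticated events."""
    wanted = ("time", "realmId", "clientId", "identity_provider",
              "userId", "previous_user", "ipAddress")
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (ev and ev.get("type") == "IDENTITY_PROVIDER_LOGIN_ERROR"
                and ev.get("error") == "different_user_authenticated"):
            hits.append({k: ev.get(k) for k in wanted})
    return hits

if __name__ == "__main__":
    for hit in account_switch_events(SAMPLE_LOG):
        print(hit)
```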
Keycloak multi-tenancy implementation idea
by Vinay Matam
Hi,
We are an open-source company with an ERP-based system built with a
microservices approach.
We want to implement SSO and RBAC for our system (for both cloud and on-premise).
both. Earlier we were thinking of running one instance per customer but
that would be an overkill and too difficult to manage.
Second, we decided to create one realm/customer but that hits a ceiling in
adding more realms in one instance.
So, we were trying and came up with an idea of creating one database per
customer and dynamically linking it with the Keycloak instance based on the
subdomain of the authentication URL.
By default, Keycloak uses a datasource to store different data like user
information etc and this is configured in the standalone.xml configuration
file. Our idea is to have a custom datasource configured here instead of
the actual database. This custom datasource can be a microservice or some
application or a custom provider which handles the part of pointing to
different datasources (one per customer) based on a unique parameter. This
way we can achieve a clear separation between multiple customers and
implement multi-tenancy.
Could someone who has worked on something similar before let us know if
this is something possible, and put us in the right direction?
Thank you!
5 years, 2 months
Custom SPI does not appear in list
by Alfonso Vidal García
Hello everyone!
I deployed a Custom SPI Provider into my Keycloak Server, but it does not appear in the list to configure it on the Admin Console. Does anyone know what is happening?
Thanks in advance!
5 years, 2 months
Springboot adapter/Undertow/Tomcat + Authz with request.body claim
by Błażej Adamczyk
Hello everyone,
Has anyone tried to read and push {request.body} as a claim in one of
the following adapters: Springboot/Undertow/Tomcat?
Trying Springboot with different containers I get the same result: the
inputstream/channel is being read at an early stage in the flow and is
not wrapped (buffered), which makes the body inaccessible for further
application logic (parsers etc.).
I've created an issue here:
https://issues.jboss.org/browse/KEYCLOAK-11712
Maybe I'm doing something wrong? Maybe there is some easy way to make
the inputstream buffered in undertow or tomcat?
--
Kind regards,
Blazej
5 years, 2 months
Keycloak Master Password & Query String
by Namık Barış İDİL
Hello All,
Is there any way to have a master password which can enter all users' accounts? Another thing I would like to ask is whether there is any way to have something in a query string on the login page. I mean, I would like to redirect a user from another page to the login page, and I would like to embed some information in the redirect link.
Thanks in advance.
Barış
5 years, 2 months