volume for hdb content of container?
by Joachim Lindenberg
Hello,
I am experimenting with keycloak using https://hub.docker.com/r/jboss/keycloak and default database, i.e. h2. Is there a means to have h2 persist the database to a file on a docker volume and load at startup instead of starting configuration from scratch? My environment does not need to support lots of users and afai understood the database is primarily for configuration when not replication ldap users. Using any of the other databases looks overkill to me.
Or if that perception is wrong, I am wondering why my configuration was lost after trivial reconfiguration of my docker-compose.yml..
Any suggestion?
Thanks, Joachim
6 years, 6 months
ldaps from keycloak container
by Joachim Lindenberg
Hello,
I am trying to set up keycloak using a container and configure authentication against my ldap (a samba active directory). I configured ldaps://ldap.example.dom:636 in the user interface and test connection succeeds. However authentication of the bind user fails with the following exception:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 88 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 107 more
I was expecting that I have to import a CA and therefore configured environment variable X509_CA_BUNDLE to point to a cert as described in https://hub.docker.com/r/jboss/keycloak/ “Setting up TLS(SSL)”, but the section is not really clear whether it also applies for trust to LDAPs.
Any suggestion?
Thanks, Joachim
6 years, 6 months
Retrieving user permissions with client_id and client_secret alone
by Akhil Lawrence
Hi Folks,
I am trying to write my own policy enforcement point in pythton.
I am able to retrieve permissions of a user if *username* and *password* is
provided.
But is there a way by which I can retrieve the user permissions only using
my *client_id* and *client_secret*
Thanks.
6 years, 6 months
Query on application integration for SAML flow (IDP initiated flow)
by abhijeet chauhan
Hi,
We have integrated our app so that app acts as oauth client to Keycloak and
keycloak is acting as Identity broker for incoming SSO flows (SAML).
APP (oauth client) <- > Keycloak <-> SAML Identity Providers.
Here we generate the SSO url in app so that we select the SAML identity
providers using kc_idp_hint that points the SAML IDP configured in Keycloak
(this is SAML SP SSO flow) and it is working perfectly well.
However I have questions how can I get this SSO integration working for
SAML IDP initiated flow, I tried doing IDP initiated flow with this and I
see Keycloak generating exceptions / errors.
I know oauth / oidc are always initiated at RP (relying party) here APP,
however if Keycloak can create user session and create Identity of user
(for IDP initiated flow) and send browser to a specific url (specified on
IDP through RelayState) than APP can initiate the SSO flow and as user will
have the session on Keycloak, keycloak can redirect user to redirect_uri on
app to have the session . Any thoughts how to get it working. ?.
Thanks,
Vijay
6 years, 6 months
Hide Keycloak codes exchange from the URL
by Corentin Dupont
Hi guys,
is it possible to hide the complex URL Keycloak redirects to when login?
For example Keycloak redirects to:
https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/au...
Which looks complicated (it was criticized by the users).
I use Keycloak-JS wrapper.
I came across the option 'silentCheckSsoRedirectUri':
https://github.com/keycloak/keycloak-documentation/blob/master/securing_a...
But I'm not sure it's working.
Thanks,
Corentin
PS. I copy below a similar message posted on the mailing list for reference.
[keycloak-user] OIDC login URLs, how to hide them from the user?? *Max
Allan* max.allan+keycloak at surevine.com
<keycloak-user%40lists.jboss.org?Subject=Re:%20%5Bkeycloak-user%5D%20OIDC%20login%20URLs%2C%20how%20to%20hide%20them%20from%20the%20user%3F%3F&In-Reply-To=%3CCADNp1BbVc6A-HsiTszRV_TJY%2BQHH4q%2BQyFeSfqhPWc-dVD1jLw%40mail.gmail.com%3E>
*Tue Jan 22 10:36:05 EST 2019*
- Previous message: [keycloak-user] Gatekeeper docker configuration
question
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/017009.html>
- Next message: [keycloak-user] Error controller is not invoked if
authentication failed
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/017011.html>
- *Messages sorted by:* [ date ]
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/date.html#17010>
[
thread ]
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/thread.html#...>
[
subject ]
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/subject.html...>
[
author ]
<https://lists.jboss.org/pipermail/keycloak-user/2019-January/author.html#...>
------------------------------
Hi,
When a user hits a (Keycloak gatekeeper) protected site, they get
redirected to the keycloak server login page, a URL like this :
https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/au...
So, a typical new user journey looks like "type in https colon slash *which
slash was it? oh that one* and another slash ww dot website dot com *oops
no, www and dot org dot uk ENTER"
*I don't want to type _that_ in again : Click Bookmark button QUICK*
So they've now bookmarked a login page that includes a state of 7103....
The session they have works and if they don't use their bookmark, it works.
If they come back to it later, and use the bookmark, get asked to login and
then get a "403 authorisation denied" error.
The gatekeeper logs say :
1.5481603986412873e+09 error State parameter mismatch
1.5481603986665585e+09 error unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}
So, how can I make this user journey easier with keycloak?
Ideally I'd like to hide the auth urls completely, their browser doesn't
need to know they're authenticating on different site.
I tried a "sign-in-page" with a frame containing the login page from
keycloak :
<html>
<frameset cols="100%">
<frame src="{{ .redirect }}">
</frameset>
</html>
(and change the security settings for frame-ancestors )
And when you've logged in, you get an empty page with a 403 error.
Gatekeeper says "unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}" again.
Keycloak says :
type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
ipAddress=180.430.597.666, error=invalid_code,
grant_type=authorization_code,
code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
client_auth_method=client-secret
(ip address etc. has been obfuscated)
IF the user is clever, they can then remove
the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
in the browser and the session carries on quite happily.
Is there a setting I'm getting wrong in keycloak somewhere that is breaking
this?
In this first instance, we are returning to an old "state". I can imagine
that not working.
But the second setup, I'm just logging in to keycloak, in a frame, nothing
else has changed from a "working" setup, just the login page is in a frame.
(I also need to figure out how to escape the frame!!)
Thanks,
Max
6 years, 6 months
Authenticate unix users
by Ajinkya Thakare
Hi all,
Is there any way to authenticate local Unix users via Keycloak for a client application? The user can be on the server machine where Keycloak is hosted.
Regards,
Ajinkya Thakare
6 years, 6 months
Callbacks when I rotate my keys or revoke my JWT tokens
by Daniel Souza
Hi,
In my implementation, I am validating the JWT tokens locally, keeping the public keys in a local cache to avoid making multiple calls to the Keycloak server.
I won't know when a key in the server is no longer enabled or valid, therefore I could end up validating an invalid JWT token locally.
I would like to know if Keycloak has a way to configure callbacks when I rotate my keys. Does it have?
Then I can update my keys in the cache…
In the case of JWT token revocation, can tokens be individually revoked in Keycloak? Is this feature available?
Are there callbacks implemented in case I have JWT tokens revoked?
Thank you in advance.
Regards,
Daniel.
6 years, 6 months
Keycloack Multi -Tenancy question
by Litom Segal
We are considering using Keycloack in a multi-tenant fashion.
Each of our customer's account has its own users, and applications
installed, and we also provide services API's consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wonder if there was any progress on the multi-tenancy use case, and
are there any best practices on how to setup Keycloack to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
--
Litom Segal
Software Engineer
T: +972-74-700-4097
<https://www.linkedin.com/company/164748> <https://twitter.com/liveperson>
<https://www.facebook.com/liveperson/?ref=bookmarks>
Our mission is to make life easier by transforming how people communicate
with brands. <https://liveperson.docsend.com/view/drieh2u>
--
This message may contain confidential and/or privileged information.
If
you are not the addressee or authorized to receive this on behalf of the
addressee you must not use, copy, disclose or take action based on this
message or any information herein.
If you have received this message in
error, please advise the sender immediately by reply email and delete this
message. Thank you.
6 years, 6 months
Websockets with Keycloak
by Wolfgang Ederer
Hi,
we are building an app with keycloak.
The backend uses nodeJS the frontend is also written in JavaScript.
Is there a recommended way how to secure a websocket channel with Keycloak?
e.g. Heartbeats vs sending Token with each message?
Thanks!
Best Regards
Wolfgang Ederer
6 years, 6 months
