Re: [keycloak-user] keycloak does not send backchannel logout requests to Admin URL
by mn@fstrk.io
Oh, so Spring Security adapter is not part of Keycloak, it is just used
to interact with it from the calling application! This I understand.
In this case however, I don't understand why the adapter matters. Isn't
the adapter's job over after the session is authenticated? What is
special about redirecting to /authorize and then POSTing to /token with
Spring Security adapter compared to other languages/frameworks?
On 11.11.19 23:06, Leonid Rozenblyum wrote:
> Well since Spring Security adapter is used inside Java client software
> to secure communication with Keycloak, and you're developing your
> software in Python - it seems to be another problem...
>
> According to the docs:
>
>
> *Admin URL*
> For _Keycloak specific_ client adapters, this is the callback endpoint
> for the client. The Keycloak server will use this URI to make
> callbacks like pushing revocation policies, performing backchannel
> logout, and other administrative operations. For Keycloak servlet
> adapters, this can be the root URL of the servlet application. For
> more information see Securing Applications and Services Guide.
>
> It looks like Python OIDC library is not keycloak-specific, so Admin
> URL is NOT an option to set up backchannel logout.
>
> On Mon, Nov 11, 2019 at 9:41 PM mn@fstrk.io wrote:
>
> I would love to try it, but I am a Python guy and I am not sure
> how to figure out Keycloak internals :) Is there any way you can
> point me to where to look for the instructions on how to do it?
>
>
>
> On 11.11.19 22:27, Leonid Rozenblyum wrote:
>> Ok, I see.
>> But do you use Spring Security adapter in your application?
>> If yes, a workaround for KEYCLOAK-10266
>> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
>> before 8.0.0 release.
>>
>> On Mon, Nov 11, 2019 at 6:48 PM mn@fstrk.io wrote:
>>
>> I am using the Docker version, and 8.0.0 has not been
>> released in Docker yet:
>> https://hub.docker.com/r/jboss/keycloak/tags
>>
>> so I guess the only option for me is wait for the 8.0.0
>> Docker release then.
>>
>>
>> On 11.11.19 17:56, Leonid Rozenblyum wrote:
>>> Hi. What adapter are you using?
>>> Spring Security adapter had a bug which was recently fixed
>>> and the fix should be part of 8.0.0
>>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>>
>>> On Mon, Nov 11, 2019 at 6:14 AM mn@fstrk.io wrote:
>>>
>>> I created a client in Keycloak and set up a test admin URL
>>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>>> (this is a
>>> webhook testing site).
>>>
>>> After that, I performed an OpenID login via this client,
>>> and then sent a
>>> logout request to Keycloak.
>>>
>>>
>>> I did this a couple of times, and tried two ways of
>>> logging a user out:
>>>
>>> - redirecting to
>>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>>
>>> - force logging out of the user via Keycloak admin
>>> interface:
>>> http://prntscr.com/pv1v76
>>>
>>> The user indeed gets logged out. However, in both of
>>> these cases I don't
>>> see any requests coming out from Keycloak. The testing
>>> website shows
>>> zero registered requests.
>>>
>>>
>>> How do I make this work?
>>>
>>>
>>>
>>>
>>> --
>>> Mikhail Novikov
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user@lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> --
>> Mikhail Novikov
>> Lead Developer
>> fstrk.io <http://fstrk.io>
>>
>
> --
> Mikhail Novikov
> Lead Developer
> fstrk.io <http://fstrk.io>
>
--
Mikhail Novikov
Lead Developer
fstrk.io
5 years, 1 month
Re: [keycloak-user] keycloak does not send backchannel logout requests to Admin URL
by mn@fstrk.io
I would love to try it, but I am a Python guy and I am not sure how to
figure out Keycloak internals :) Is there any way you can point me to
where to look for the instructions on how to do it?
On 11.11.19 22:27, Leonid Rozenblyum wrote:
> Ok, I see.
> But do you use Spring Security adapter in your application?
> If yes, a workaround for KEYCLOAK-10266
> <https://issues.jboss.org/browse/KEYCLOAK-10266> is possible even
> before 8.0.0 release.
>
> On Mon, Nov 11, 2019 at 6:48 PM mn@fstrk.io wrote:
>
> I am using the Docker version, and 8.0.0 has not been released in
> Docker yet: https://hub.docker.com/r/jboss/keycloak/tags
>
> so I guess the only option for me is wait for the 8.0.0 Docker
> release then.
>
>
> On 11.11.19 17:56, Leonid Rozenblyum wrote:
>> Hi. What adapter are you using?
>> Spring Security adapter had a bug which was recently fixed and
>> the fix should be part of 8.0.0
>> https://issues.jboss.org/browse/KEYCLOAK-10266
>>
>> On Mon, Nov 11, 2019 at 6:14 AM mn@fstrk.io wrote:
>>
>> I created a client in Keycloak and set up a test admin URL
>> https://webhook.site/12c50381-0814-441a-82bb-1a68c8366a60
>> (this is a
>> webhook testing site).
>>
>> After that, I performed an OpenID login via this client, and
>> then sent a
>> logout request to Keycloak.
>>
>>
>> I did this a couple of times, and tried two ways of logging a
>> user out:
>>
>> - redirecting to
>> http://.../auth/realms/myrealm/protocol/openid-connect/logout
>> <http://127.0.0.1:8080/auth/realms/myrealm/protocol/openid-connect/logout>
>>
>> - force logging out of the user via Keycloak admin interface:
>> http://prntscr.com/pv1v76
>>
>> The user indeed gets logged out. However, in both of these
>> cases I don't
>> see any requests coming out from Keycloak. The testing
>> website shows
>> zero registered requests.
>>
>>
>> How do I make this work?
>>
>>
>>
>>
>> --
>> Mikhail Novikov
>>
>
> --
> Mikhail Novikov
> Lead Developer
> fstrk.io <http://fstrk.io>
>
--
Mikhail Novikov
Lead Developer
fstrk.io
Springboot app polls only 100 records from keycloak
by vinayak kelapkar
Hi Team,
We have integrated a Spring Boot application with Keycloak; however, we are able
to poll only 100 records from Keycloak, and the application does not throw any
exception, but we want all the records to be loaded in the Spring Boot
application. Is there any configuration or sample code to do that?
UsersResource users = keycloak.realm(realm).users();
// Only 100 records get processed, and the application returns 200 OK (success)
log.info("Total user count from keycloak is " + users.count());
Regards,
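The 100-record ceiling described above is the default page size of the admin REST endpoint that the Java admin client wraps: GET /admin/realms/{realm}/users applies max=100 when no max is given, and UsersResource.list(first, max) exposes the same first/max window. The following is an added example, written in Python rather than the thread's Java and not code from the thread or from Keycloak: a pager that walks the first/max window until a short page ends the list, exercised against a constructed in-memory stand-in for the server. The base URL, realm and access token used by the real fetcher are placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

# Keycloak's GET /admin/realms/{realm}/users returns at most `max` users per call
# (100 when the parameter is omitted), starting at offset `first`.
DEFAULT_PAGE_SIZE = 100


def keycloak_page_fetcher(base_url: str, realm: str, access_token: str) -> Callable[[int, int], List[Dict]]:
    """Return a fetch_page(first, max) closure for a real server.
    base_url is the server root such as https://idp.example/auth (placeholder)."""
    def fetch_page(first: int, max_results: int) -> List[Dict]:
        query = urllib.parse.urlencode({"first": first, "max": max_results})
        url = f"{base_url}/admin/realms/{urllib.parse.quote(realm)}/users?{query}"
        request = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.loads(response.read().decode("utf-8"))
    return fetch_page


def iter_all_users(fetch_page: Callable[[int, int], List[Dict]],
                   page_size: int = DEFAULT_PAGE_SIZE) -> Iterator[Dict]:
    """Yield every user: keep advancing `first` by one page until a page comes back
    shorter than `page_size` (including empty), which marks the end of the list."""
    first = 0
    while True:
        page = fetch_page(first, page_size)
        yield from page
        if len(page) < page_size:
            return
        first += page_size


class FakeKeycloakUsers:
    """Constructed stand-in for the server: `total` synthetic users, served with the
    same first/max window semantics as the real endpoint."""

    def __init__(self, total: int):
        self._users = [{"id": f"constructed-{i:04d}", "username": f"user{i}"} for i in range(total)]
        self.calls = 0

    def fetch_page(self, first: int, max_results: int) -> List[Dict]:
        self.calls += 1
        return self._users[first:first + max_results]


def fetch_all_usernames(fake: FakeKeycloakUsers, page_size: int = DEFAULT_PAGE_SIZE) -> List[str]:
    """Collect every username through the pager; used for the checks below."""
    return [user["username"] for user in iter_all_users(fake.fetch_page, page_size)]


if __name__ == "__main__":
    demo = FakeKeycloakUsers(250)
    names = fetch_all_usernames(demo)
    print(f"{len(names)} users in {demo.calls} requests")
```

Offset paging is only stable while the user set does not change under it; for a realm that is being modified concurrently, a user created or deleted between two requests can shift the window and cause a row to be skipped or seen twice, so long exports should be reconciled against a final count.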
Re: [keycloak-user] Spring Boot and Keycloak
by John Norris
Yes, disabling csrf does allow the non GET requests to work.
Thank you so much - at least I now know what I have to look at.
------ Original Message ------
From: "Tony Harris" <Tony.Harris@oneadvanced.com>
To: "John Norris" <johnnorris-10@outlook.com>;
"keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Sent: 11/11/2019 14:08:09
Subject: RE: Re[2]: Spring Boot and Keycloak
>John
>
>You have CSRF turned on in your Spring config so it will expect the correct CSRF code to be returned in all PUT, POST and DELETE requests. Without it Spring, for me anyway, returns 403. It's not Keycloak that is doing that, well not at this stage anyway.
>
>Your original GET request response should include the CSRF token value you need to send back to your Spring app.
>
>Turn off csrf in your below config and test it again, at least with it off temporarily you can test your Keycloak implementation.
>
>Tony
>
>
>
>-----Original Message-----
>From: John Norris [mailto:johnnorris-10@outlook.com]
>Sent: 11 November 2019 14:04
>To: Tony Harris <Tony.Harris@oneadvanced.com>; keycloak-user@lists.jboss.org
>Subject: Re[2]: Spring Boot and Keycloak
>
>Hi Tony,
>thanks for this.
>So the Spring code already contained the CSRF code. Is that not working properly?
>
>------ Original Message ------
>From: "Tony Harris" <Tony.Harris@oneadvanced.com>
>To: "John Norris" <johnnorris-10@outlook.com>; "keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
>Sent: 11/11/2019 12:18:43
>Subject: RE: Spring Boot and Keycloak
>
>>I have seen 403 responses when the CSRF token is not sent with the request.
>>
>>
>>The Spring security code is
>>
>> protected void configure(HttpSecurity http) throws Exception {
>>     super.configure(http);
>>     http
>>         .authorizeRequests()
>>             // Rules are evaluated in order and the first match wins, so the
>>             // permitAll paths must come before the catch-all "/**".
>>             .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
>>                 .permitAll()
>>             .antMatchers("/**").hasRole("user")
>>             .anyRequest().authenticated()
>>         .and()
>>         // Double-submit cookie CSRF: the token is issued in the XSRF-TOKEN cookie
>>         // and must be echoed in the X-XSRF-TOKEN header on POST, PUT and DELETE.
>>         .csrf()
>>             .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
>> }
>>
>
kcadm full stacktrace and logging
by Diana Maria Bratu
Hi,
I am using Keycloak 4.8.3.Final and trying to import a keystore using the
kcadm.sh script.
It is failing with a generic error "500 Internal Server Error" and because
I have no clue about what's wrong, I would like to see the full stacktrace.
However, it seems that it is cut.
Do you know how can I get the full stacktrace?
$ ./kcadm.sh create components -r testrealm -s name=java-keystore -s
providerId=java-keystore -s providerType=org.keycloak.keys.KeyProvider -s
parentId=78db13f6-9dd0-4d5d-95c0-341873969890 -s 'config.priority=["101"]'
-s 'config.enabled=["true"]' -s 'config.active=["true"]' -s
'config.keystore=["/keycloak/keystore.jks"]' -s
'config.keystorePassword=["Passw0rd"]' -s 'config.keyPassword=["Passw0rd"]'
-s 'config.alias=["secure-key"]'
HTTP error - 500 Internal Server Error
org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - 500
Internal Server Error
at
org.keycloak.client.admin.cli.util.HeadersBodyStatus.checkSuccess(HeadersBodyStatus.java:61)
at
org.keycloak.client.admin.cli.util.HttpUtil.checkSuccess(HttpUtil.java:329)
at
org.keycloak.client.admin.cli.commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363)
at
org.keycloak.client.admin.cli.commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126)
at
org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
at
org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
at
org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException:
... 11 more
I've checked the logging config
(/keycloak/bin/jboss-cli-logging.properties) and tried to change values to
DEBUG but not sure how to edit it in order to see the full stacktrace.
Could you please help me?
# Additional logger names to configure (root logger is always configured)
loggers=org,javax,org.jboss.as.cli,org.aesh
logger.org.level=OFF
logger.javax.level=OFF
# assign a lower level to enable CLI logging
logger.org.jboss.as.cli.level=OFF
# assign a lower level to enable aesh logging
logger.org.aesh.level=OFF
# Root logger level
logger.level=${jboss.cli.log.level:INFO}
# Root logger handlers
# uncomment to enable logging to the file
logger.handlers=FILE
# File handler configuration
handler.FILE=org.jboss.logmanager.handlers.FileHandler
handler.FILE.level=DEBUG
handler.FILE.properties=autoFlush,fileName
handler.FILE.autoFlush=true
handler.FILE.fileName=${jboss.cli.log.file:jboss-cli.log}
handler.FILE.formatter=PATTERN
# Formatter pattern configuration
formatter.PATTERN=org.jboss.logmanager.formatters.PatternFormatter
formatter.PATTERN.properties=pattern
formatter.PATTERN.pattern=%d{HH:mm:ss,SSS} %-5p [%c] %s%e%n
Thank you.
Re: [keycloak-user] Spring Boot and Keycloak
by John Norris
Hi Tony,
thanks for this.
So the Spring code already contained the CSRF code. Is that not working
properly?
------ Original Message ------
From: "Tony Harris" <Tony.Harris@oneadvanced.com>
To: "John Norris" <johnnorris-10@outlook.com>;
"keycloak-user@lists.jboss.org" <keycloak-user@lists.jboss.org>
Sent: 11/11/2019 12:18:43
Subject: RE: Spring Boot and Keycloak
>I have seen 403 responses when the CSRF token is not sent with the request.
>
>
>The Spring security code is
>
> protected void configure(HttpSecurity http) throws Exception {
>     super.configure(http);
>     http
>         .authorizeRequests()
>             // Rules are evaluated in order and the first match wins, so the
>             // permitAll paths must come before the catch-all "/**".
>             .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
>                 .permitAll()
>             .antMatchers("/**").hasRole("user")
>             .anyRequest().authenticated()
>         .and()
>         // Double-submit cookie CSRF: the token is issued in the XSRF-TOKEN cookie
>         // and must be echoed in the X-XSRF-TOKEN header on POST, PUT and DELETE.
>         .csrf()
>             .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
> }
>
Spring Boot and Keycloak
by John Norris
Hello,
I have used keycloak to handle authorisation and authentication for a Spring Boot app which uses REST.
I can get a token and use it for successful GET requests but for POST, PUT, DELETE, I get a 403 Forbidden error.
I have set up a single realm role - "user" and associated that role with the users.
The keycloak entries in application properties are
# keycloak
keycloak.auth-server-url=http://mint191:8080/auth
keycloak.realm=SpringBootKeycloak
keycloak.resource=bikes-app
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
The Spring security code is
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .authorizeRequests()
            // Rules are evaluated in order and the first match wins, so the
            // permitAll paths must come before the catch-all "/**".
            .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
                .permitAll()
            .antMatchers("/**").hasRole("user")
            .anyRequest().authenticated()
        .and()
        // Double-submit cookie CSRF: the token is issued in the XSRF-TOKEN cookie
        // and must be echoed in the X-XSRF-TOKEN header on POST, PUT and DELETE.
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
When I use curl and a token for POST
curl -H "Authorization: Bearer $TOKEN" -k -w "\n" -X POST -d '{"fields": "values"}' -H "Content-Type: application/json" https://mint191:8453/api/v1/bicycles
I get a response of
{"timestamp":"2019-11-11T10:39:38.027+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/api/v1/bicycles"}
Is there more configuration that I have to do with keycloak? Have I got the security code wrong in Spring?
Regards,
John
URL to download the public certificate of IdPs
by Rafael Weingärtner
Hello guys,
I was wondering, is there a URL in Keycloak that one can use to download
the public certificate (PEM or some other format) of the IdP? I do know
about the "jwks_uri", but that only gives me the public key. However, I
need a public certificate. I have been through both Keycloak and OpenID
Connect specs, but so far I could not find anything.
Any help here would be greatly appreciated.
--
Rafael Weingärtner
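The JWKS the question above refers to can carry the certificate as well as the bare key: RFC 7517 section 4.7 defines the optional x5c member, a list of base64 DER certificates (leaf first), and an IdP that publishes it gives you the certificate from the same jwks_uri. The following is an added example, not code from the thread or from Keycloak, that pulls x5c out of a JWKS document and re-wraps it as PEM; it assumes the IdP populates x5c (check the realm's certs endpoint output for that member). The JWKS document and the DER bytes are constructed placeholders, and the fetch helper's URL is whatever jwks_uri the realm's discovery document names.

```python
import base64
import json
import urllib.request
from typing import Dict, List

# Constructed placeholder standing in for DER certificate bytes (not a real certificate).
CONSTRUCTED_DER = b"constructed placeholder, not a real DER-encoded X.509 certificate"

# Constructed JWKS shaped like an IdP's certs endpoint output: one signing key that
# publishes x5c and one encryption key that does not.
CONSTRUCTED_JWKS = json.dumps({
    "keys": [
        {"kid": "constructed-kid-1", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder", "e": "AQAB",
         "x5c": [base64.b64encode(CONSTRUCTED_DER).decode("ascii")]},
        {"kid": "constructed-kid-2", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
         "n": "placeholder", "e": "AQAB"},
    ]
})


def fetch_jwks(jwks_uri: str) -> str:
    """Download the JWKS document from the jwks_uri advertised in OIDC discovery."""
    with urllib.request.urlopen(jwks_uri, timeout=30) as response:
        return response.read().decode("utf-8")


def x5c_to_pem(x5c_entry: str) -> str:
    """Re-wrap one x5c element (standard base64 DER, RFC 7517 section 4.7) as PEM."""
    der = base64.b64decode(x5c_entry, validate=True)  # reject anything that is not clean base64
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # PEM uses 64-column lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of x5c_to_pem, used to confirm the round trip is lossless."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def certificates_from_jwks(jwks_json: str, use: str = "sig") -> Dict[str, List[str]]:
    """Map kid -> PEM chain (leaf first) for every key of the requested use that carries x5c."""
    chains: Dict[str, List[str]] = {}
    for key in json.loads(jwks_json).get("keys", []):
        if key.get("use", use) != use or not key.get("x5c"):
            continue
        chains[key["kid"]] = [x5c_to_pem(entry) for entry in key["x5c"]]
    return chains


if __name__ == "__main__":
    for kid, chain in certificates_from_jwks(CONSTRUCTED_JWKS).items():
        print(kid)
        print(chain[0])
```

Before trusting the extracted certificate, confirm that its public key matches the n and e of the same JWK entry: x5c is informational in the JWKS, and a mismatch means the document has been tampered with or mis-assembled. For a Keycloak realm the SAML IdP metadata descriptor is the other place the signing certificate is published.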
Keycloak filters on spring boot 2 adapter
by Andrey Dryahkhlov
Hi all,
We are using Keycloak 7.0.0 as a microservice in the cloud for user logins and
for microservice-to-microservice communication. All our services use
Spring Boot and the Keycloak Spring Boot 2 adapter to validate/parse tokens.
We found that if a token is expired, we see at least 4 error messages
about that in our logs.
This is due to that keycloak adapter provides 4 filters:
- KeycloakAuthenticatedActionsFilter
- KeycloakAuthenticationProcessingFilter
- KeycloakPreAuthActionsFilter
- KeycloakSecurityContextRequestFilter
As I understand it, only the KeycloakAuthenticationProcessingFilter filter is
required to initialize a security context. Can anyone explain the goal of the
other filters? Are they really needed? Or are they used for special cases like
SSO/login/logout and so on...
I could not find any Javadoc or documents on the Keycloak site related to it.
Thanks in advance,
Andrey.