We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credentials following a specific scenario.
Unfortunately, there is only one reset-credentials flow per realm, so 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.
What is the best way to solve our issue?
Thanks in advance,
We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used.
The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference.
Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step.
My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested.
I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this?
As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now.
Disclaimer: This might be a keycloak dev mailing list question.
We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.
See this link here for 3.4.3 changes:
These are the 4.8 changes
In 4.8, the fully qualified class name (FQCN) is no longer used. Instead it uses the provider id and the SPI name. I can no longer use the same PROVIDER_ID as the native providers to 'override' them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3, because our provider was loaded, we were able to inject into code that normally isn't overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior, and even for the UpdatePassword required action itself, rather than making a brand new required action that is "second rate" because it isn't native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.
We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s....
When I look at the Keycloak source code it looks like Keycloak does not handle/support range retrieval, so an error happens when trying to add a user to that role.
For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this.
The real solution would probably be to add support for range retrieval in the Keycloak LDAP user federation provider, so I will create a JIRA ticket for that.
Did anyone else maybe run into this issue, and if so had another solution for it?
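To make the range-retrieval behaviour described above concrete, here is an added example (not Keycloak code and not the poster's) of how a range-aware LDAP client has to read a large multi-valued attribute from Active Directory. The directory is simulated in-process with a constructed 3200-member group and the default MaxValRange of 1500: the server answers a plain request for `member` with `member;range=0-1499`, the client must then ask for `member;range=1500-*`, and so on until the server marks the final chunk with a `*` upper bound. The naive reader shows what a client that only looks for the plain attribute name sees: an empty membership list, which is the kind of mismatch that makes a subsequent modify of the attribute go wrong.

```python
import re

# Active Directory's default MaxValRange; the simulated server below enforces it (constructed value).
MAX_VAL_RANGE = 1500
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)


def parse_range_option(attr_name):
    """Split 'member;range=0-1499' into ('member', 0, 1499).
    A '*' upper bound is returned as None; a plain name returns (name, None, None)."""
    m = _RANGE_RE.match(attr_name)
    if not m:
        return attr_name, None, None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


def simulated_ad_search(entry, requested_attr, max_val_range=MAX_VAL_RANGE):
    """Constructed stand-in for an AD search that returns one attribute of one entry.
    Small multi-valued attributes come back whole under their plain name; large ones
    come back in chunks of max_val_range under 'attr;range=low-high', and the last
    chunk is labelled 'attr;range=low-*'."""
    base, low, _ = parse_range_option(requested_attr)
    values = entry.get(base, [])
    if low is None:
        if len(values) <= max_val_range:
            return {base: list(values)}
        low = 0
    chunk = values[low:low + max_val_range]
    if low + max_val_range >= len(values):
        return {f"{base};range={low}-*": chunk}
    return {f"{base};range={low}-{low + len(chunk) - 1}": chunk}


def read_all_values(search, entry, attr):
    """Range-aware client: keep requesting 'attr;range=<next>-*' until the server
    answers with a '*' upper bound (or returns the attribute un-ranged)."""
    collected = []
    requested = attr
    while True:
        result = search(entry, requested)
        if not result:
            return collected
        name, values = next(iter(result.items()))
        _, _, high = parse_range_option(name)
        collected.extend(values)
        if high is None:  # plain attribute or the final '*' chunk
            return collected
        requested = f"{attr};range={high + 1}-*"


def read_naively(search, entry, attr):
    """Range-unaware client (the behaviour the thread suspects of the Keycloak LDAP
    provider): it only looks for the plain attribute name, so a large group appears empty."""
    return search(entry, attr).get(attr, [])


# Constructed sample data: one group above MaxValRange, one below.
BIG_GROUP = {"member": [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)]}
SMALL_GROUP = {"member": [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(10)]}

if __name__ == "__main__":
    print(list(simulated_ad_search(BIG_GROUP, "member")))          # ['member;range=0-1499']
    print(len(read_all_values(simulated_ad_search, BIG_GROUP, "member")))  # 3200
    print(len(read_naively(simulated_ad_search, BIG_GROUP, "member")))     # 0
```

Raising MaxValRange on the domain controller, as the workaround above does, only moves the threshold; a client that walks the `range=` continuation handles groups of any size and works against a default-configured AD.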
The link  only shows support on RHEL and Windows environments. Do you mean to say the 2023 date is also valid for OpenJDK running in the Docker-version of Keycloak, regardless of underlying architecture?
> From the support perspective, Red Hat offers extended support till June
> 2023.
> Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess we
> still have plenty of time to do the switch, so I wouldn't rush things too
> BTW, why do you need JDK11, especially in the container?
>  https://access.redhat.com/articles/1299013
>> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>> Sorry, end of january (my fault):
>> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java
>> and OpenJDK will most probably start to diverge, as OpenJDK will not have
>> access to Oracle repos (afaik). So the speed of security fixes will depend
>> on the willingness of the community to fix the upcoming issues.
>> From: Meissa M'baye Sakho <msakho at redhat.com>
>> Sent: Tuesday, October 23, 2018 11:04 AM
>> To: Pavel Micka <Pavel.Micka at zoomint.com>
>> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>> Pavel, where did you get the information that the official Java 8 support
>> will cease at the end of december?
>> On Mon, 22 Oct 2018 at 16:33, Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>> Hello everyone,
>> What is the plan for Java 11 support? The point is that current versions
>> of Docker containers are based on OpenJDK 8, but the official Java 8
>> support will cease at the end of December. Will Keycloak use Java 11 by
>> that time or will it rely on updates provided by the community.
>> This is important to us, as Keycloak is important part of our app security.
>> // I have found this ticket in Jira, but it does not provide too many
>> details: https://issues.jboss.org/browse/KEYCLOAK-7811
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
Using Keycloak, it's possible to declare a client as a service account.
The client secret becomes an API key.
In my case, I'm going to generate 10 clients (10 API keys).
I have tried to use Keycloak-gatekeeper to cover this use case, but GK
supports only one client.
In my case, I understand that I must create 10 instances of GK :(.
Is there a way to associate various clients with one instance of GK
(different paths)?
Thanks for your help.
I try to configure a kc-saml idp broker for an external IdP. The logout request from the external idp to the saml broker unfortunately does not contain NameID and therefore org.keycloak.dom.saml.v2.protocol.LogoutRequestType.getNameID() returns null in org.keycloak.broker.saml.SAMLEndpoint. This leads to a nullpointerexception to be thrown.
There is a requirement for us to support nameid-format:unspecified, since USERID is delivered via a SAML attribute. I configured this in the IdP configuration, but it seems that setting nameid-format to unspecified has no effect (does this also default to persistent?). Am I mixing up these things? Is there a workaround for this issue?
I hope anyone can help me or at least answer me this time. Regards,
Is it possible to get backchannel logout working with a single openid-connect client which is used by multiple webapps?
To get backchannel logout working for a single webapp I had to set the Admin URL to a specific URL of one webapp.
I expected that Keycloak stores from where the session is initiated and knows where the backchannel logout has to be sent to.
I could create for each webapp a specific client and set the Admin URL accordingly, but that is too much configuration work for over 100 webapps.
Do I misunderstand the public Access Type?