We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credentials following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.
What is the best way to solve our issue?
Thanks in advance,
We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used.
The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference.
Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step.
My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested.
I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this?
As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now.
Disclaimer: This might be a Keycloak dev mailing list question.
We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.
See this link here for 3.4.3 changes:
These are the 4.8 changes
In 4.8, the fully qualified class name (FQCN) is no longer used. Instead it uses the provider id and the SPI name. I can no longer use the same PROVIDER_ID as the native providers to 'override' them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3, because our provider was loaded, we were able to inject into code that normally isn't overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior, and even for the UpdatePassword required action itself, rather than making a brand new required action that is "second rate" because it isn't native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.
How do you export a realm from Keycloak when running within Docker?
If running Keycloak via Docker, e.g. using:
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 --name kc jboss/keycloak
How can you export a realm that you have added via the UI?
Thanks in Advance
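One way to do this, as an added example that is not part of the thread or of Keycloak's own tooling: start a second, export-mode Keycloak instance inside the running container with the `keycloak.migration.*` system properties, copy the file out with `docker cp`, and then redact the secrets the export carries (client secrets, SMTP/IdP passwords, credential hashes) before the file goes anywhere near version control. The container name `kc` and realm name `myrealm` are taken from the question; the install path `/opt/jboss/keycloak`, the port offset, the temporary file path and the redaction key list are assumptions, and the example assumes the legacy WildFly-based jboss/keycloak image whose embedded H2 database tolerates a second local connection.

```python
"""Export a realm from a running jboss/keycloak container and redact secrets.

Added example, not from the thread and not Keycloak project code. Assumes the
legacy (WildFly-based) jboss/keycloak image, where Keycloak is installed under
/opt/jboss/keycloak and the embedded H2 database accepts a second local
connection from the export-mode instance (assumption).
"""
import json
from typing import Any, Dict, List

KC_HOME = "/opt/jboss/keycloak"  # install path inside the jboss/keycloak image (assumption)

# Keys whose string values must never leave the box in clear text (assumed list).
SECRET_KEYS = {"secret", "clientSecret", "password", "privateKey",
               "secretData", "hashedSaltedValue", "salt"}
MASK = "**********"


def export_command(container: str, realm: str, remote_file: str,
                   port_offset: int = 100) -> List[str]:
    """Build the docker exec command that starts an export-mode Keycloak
    instance inside the container.

    The socket binding port offset keeps the second instance from colliding
    with the one already listening on 8080; REALM_FILE puts the users into
    the same JSON file as the realm. '-it' is needed so Ctrl-C reaches the
    exported process: the export-mode instance keeps running after it logs
    that the export finished.
    """
    return [
        "docker", "exec", "-it", container, f"{KC_HOME}/bin/standalone.sh",
        f"-Djboss.socket.binding.port-offset={port_offset}",
        "-Dkeycloak.migration.action=export",
        "-Dkeycloak.migration.provider=singleFile",
        f"-Dkeycloak.migration.realmName={realm}",
        "-Dkeycloak.migration.usersExportStrategy=REALM_FILE",
        f"-Dkeycloak.migration.file={remote_file}",
    ]


def copy_command(container: str, remote_file: str, local_file: str) -> List[str]:
    """Build the docker cp command that copies the finished export out."""
    return ["docker", "cp", f"{container}:{remote_file}", local_file]


def redact(node: Any) -> Any:
    """Return a deep copy of the export with secret-bearing string values masked.

    Client secrets, SMTP/IdP passwords, realm private keys and stored
    credential hashes are replaced; structure and non-secret values
    (clientId, roles, mappers) are kept so the file can be diffed and committed.
    The input is not modified.
    """
    if isinstance(node, dict):
        return {k: (MASK if k in SECRET_KEYS and isinstance(v, str) else redact(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


def redact_export_file(local_file: str) -> Dict[str, Any]:
    """Read an export copied out of the container and write a redacted twin."""
    with open(local_file) as fh:
        realm_json = json.load(fh)
    redacted = redact(realm_json)
    with open(local_file.replace(".json", ".redacted.json"), "w") as fh:
        json.dump(redacted, fh, indent=2)
    return redacted


if __name__ == "__main__":
    # Print the two commands to run by hand; then call redact_export_file() on the result.
    print(" ".join(export_command("kc", "myrealm", "/tmp/myrealm-export.json")))
    print(" ".join(copy_command("kc", "/tmp/myrealm-export.json", "myrealm-export.json")))
```

Keep the unredacted file out of any repository: with `usersExportStrategy=REALM_FILE` it contains the users' credential hashes alongside every client secret of the realm, so treat it like a database dump, not like configuration.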
We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this:
Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com]
Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s....
When I look at the Keycloak source code it looks like Keycloak does not handle/support range retrieval, so an error happens when trying to add a user to that role.
For now we work around the issue by setting MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this.
The real solution would probably be to add support for range retrieval in the Keycloak LDAP user federation provider, so I will create a JIRA ticket for that.
Did anyone else maybe run into this issue, and if so had another solution for it?
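The post attributes the failure to Keycloak not following Active Directory range retrieval. As an added example (Python, not Keycloak's Java code and not from the thread), here is how a client follows AD's range markers: a large multi-valued attribute comes back renamed to `member;range=0-1499`, the client asks again for `member;range=1500-*`, and stops when the upper bound of the returned name is `*`. The attribute-name format follows Microsoft's range retrieval documentation linked above; the `fetch` callback, the fake directory and its 3200-member group are constructed for illustration and stand in for a real LDAP search.

```python
"""Follow Active Directory range retrieval for a multi-valued attribute.

Added example, not Keycloak code. Active Directory caps the number of values
returned for one attribute at MaxValRange (default 1500). Beyond that it
answers with the attribute renamed to e.g. 'member;range=0-1499', and the
client must ask again for 'member;range=1500-*' until the reply's upper bound
is '*'. A client that only looks for 'member' sees no values at all on such a
group, and a REPLACE that writes back a truncated list drops members.
"""
import re
from typing import Callable, Dict, List

# 'member;range=0-1499' -> attr='member', lo='0', hi='1499'; final slice has hi='*'.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)

# Search callback (hypothetical): fetch(dn, requested_attribute) -> {returned_name: [values]}
Fetch = Callable[[str, str], Dict[str, List[str]]]


def read_all_values(fetch: Fetch, dn: str, attr: str, max_rounds: int = 1000) -> List[str]:
    """Return every value of `attr` on `dn`, following range markers.

    Works for small and large groups alike: small groups come back under the
    plain attribute name, large ones as successive ';range=lo-hi' slices.
    """
    values: List[str] = []
    lo = 0
    for _ in range(max_rounds):
        reply = fetch(dn, f"{attr};range={lo}-*")
        ranged = None
        for name, vals in reply.items():
            m = RANGE_RE.match(name)
            if m and m.group("attr").lower() == attr.lower():
                ranged = (m, vals)
                break
        if ranged is None:
            # No range marker: the server returned everything in one reply.
            values.extend(reply.get(attr, []))
            return values
        m, vals = ranged
        values.extend(vals)
        if m.group("hi") == "*":
            return values  # '*' as upper bound marks the final slice
        lo = int(m.group("hi")) + 1  # next slice starts right after this one
    raise RuntimeError(f"range retrieval for {attr} on {dn} did not terminate")


def make_fake_ad(members: List[str], max_val_range: int = 1500) -> Fetch:
    """Constructed stand-in for an AD server holding one group with `members`.

    Mimics AD: a plain 'member' request on a small group returns 'member';
    anything else is sliced into at most MaxValRange values per reply, with
    the returned attribute name carrying the range actually delivered.
    """
    def fetch(dn: str, requested: str) -> Dict[str, List[str]]:
        fetch.calls.append(requested)  # record the round trips for inspection
        m = RANGE_RE.match(requested)
        if m is None:
            if len(members) <= max_val_range:
                return {requested: list(members)}
            attr, lo, hi = requested, 0, None
        else:
            attr, lo = m.group("attr"), int(m.group("lo"))
            hi = None if m.group("hi") == "*" else int(m.group("hi"))
        upper = lo + max_val_range - 1 if hi is None else min(hi, lo + max_val_range - 1)
        chunk = members[lo:upper + 1]
        if lo + len(chunk) >= len(members):
            return {f"{attr};range={lo}-*": chunk}
        return {f"{attr};range={lo}-{lo + len(chunk) - 1}": chunk}

    fetch.calls = []
    return fetch


if __name__ == "__main__":
    group = [f"CN=user{i:04d},OU=People,DC=example,DC=com" for i in range(3200)]
    ad = make_fake_ad(group)
    got = read_all_values(ad, "CN=Big,OU=Roles,OU=Customers,DC=example,DC=com", "member")
    print(len(got), "members in", len(ad.calls), "round trips:", ad.calls)
```

Raising MaxValRange, as the post does, is a domain-wide server policy change that affects every LDAP client and every large attribute; following the range markers on the client side is the fix that survives the next group that outgrows the new limit.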
I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
Keycloak be set up for IdP-initiated SSO, which I've configured. I have
everything working great, but I'm running into an issue where Keycloak will
not pass through a SAML attribute using mappers.
Per the docs here:
I need to pass a role attribute through that matches what I've setup as the
SAML Administrator Roles in Meraki. I've done that and have a role setup as
IT, Management, etc.
In Active Directory the 'department' attribute is set to the role that is
needed. I've created the federated mapper 'dept' that is mapped to
'department' in AD. Users in Keycloak have that attribute populated
successfully with the correct data.
In the client for Meraki, I've created a mapper named
'https://dashboard.meraki.com/saml/attributes/role' and set it as a
'user property' with a property of 'dept' and a general friendly name, and
then set the 'SAML Attribute Name' to role.
Looking at the SAML login, this is never passed through at all. The only
way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded
Attribute' with an 'Attribute Value' of 'IT' and a mapper name of
'https://dashboard.meraki.com/saml/attributes/role'; it will then log in
successfully to Meraki. There are other groups that will be logging into
Meraki, otherwise I'd just leave it hardcoded. I get the below in the SAML
transaction when hardcoding the attribute:
I've never had this issue of passing other attributes through before, can
anyone let me know if I'm going about this wrong and if so, what am I
missing? Thanks :)
In the Admin Events / Login Events view in the Administration Console
in Keycloak, I can see e.g. whether users logged in or were assigned to a role.
However, the users are only referenced by their id.
I can determine the username by constructing a URL (e.g.
.../realms/<MY_REALM>/users/<UserId> ) and navigating to it.
Is there an easier way?
The password expiry policy is not working for a federated user. We can see that the
password has expired for the LDAP user, which was set to 90 days, but the user can
still log in to the UI via Keycloak authentication.
Kindly point us to what we are missing.
Please note we have enabled the switch to sync password policy with
Thanks & regards