April 2019 - keycloak-user - Jboss List Archives

by Arnault BESNARD

Hi, We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario. Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case. What is the best way to solve our issue? Thanks in advance, Arnault

1 year, 1 month

1
2
0 / 0

OIDC protocol extension

by Karipineni, Neelima,M.D.

We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

1 year, 3 months

3
4
0 / 0

Override "native" Keycloak providers

by Jerry Saravia

Hello, Disclaimer: This might be a keycloak dev mailing list question. We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues. Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map. See this link here for 3.4.3 changes: https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j... These are the 4.8 changes https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j... In 4.8, the fully qualified class name (FQCN) is not longer used. Instead it uses the provider id and the spi name. I can no longer use the same PROVIDER_ID as the native providers to ‘override’ them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this: PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); In 3.4.3 because our provider was loaded we were able to inject into code that normally isn’t overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior even the UpdatePassword required action itself rather than making a brand new required action that is a “second rate” because it isn’t native to Keycloak. Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history. J Jerry Saravia Software Engineer T(516) 603-6914 M516-603-6914 virginpulse.com |virginpulse.com/global-challenge 492 Old Connecticut Path, Framingham, MA 01701, USA Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. v2.48

1 year, 4 months

2
1
0 / 0

UserRepresentation enabled Boolean

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

1 year, 6 months

2
3
0 / 0

How do you export a REALM from keycloak when running within a Docker container?

by Melissa Palmer

Hi How do you export a REALM from keycloak when running within a Docker container? *If running Keycloak via docker, eg: using * docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 --name kc jboss/keycloak How can you export a realm that you have added via the UI? Thanks in Advance Melissa

1 year, 6 months

2
5
0 / 0

LDAP user federation with AD range retrieval

by Sidney Beekhoven

Hello, We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this: Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) … Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s.... When i look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role. For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this. The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so i will create a jira ticket for that. Did anyone else maybe run into this issue, and if so had another solution for it? Kind regards, Sidney Beekhoven

1 year, 6 months

2
4
0 / 0

Meraki SP

by Aaron Echols

Hello All, I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that Keycloak be setup for idP initiated SSO, which I've configured. I have everything working great, but I'm running into an issue where Keycloak will not passthrough a SAML attribute using mappers. Per the docs here: https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboa... I need to pass a role attribute through that matches what I've setup as the SAML Administrator Roles in Meraki. I've done that and have a role setup as IT, Management, etc. In Active Directory the 'department' attribute is set to the role that is needed. I've created the federated mapper 'dept' that is mapped to 'department' in AD. Users in Keycloak have that attribute populated successfully with the correct data. In the client for Meraki, I've created a mapper name ' https://dashboard.meraki.com/saml/attributes/role' and set the it as a 'user property' with a property of 'dept' and a general friendly name and then set the 'SAML Attribute Name' to role. Looking at the SAML login, this never is passed through at all. The only way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded Attribute' with a 'Attribute Value' of 'IT' with a mapper name of ' https://dashboard.meraki.com/saml/attributes/role', it will then login successfully to Meraki. There are other groups that will be logging into Meraki, otherwise I'd just leave it hardcoded. I get below in the SAML transaction when hardcoding the attribute: <saml:Attribute FriendlyName="Department" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IT </saml:AttributeValue> I've never had this issue of passing other attributes through before, can anyone let me know if I'm going about this wrong and if so, what am I missing? Thanks :) -- Aaron Echols

1 year, 6 months

1
2
0 / 0

Show Username in Admin Events / Login Events

by Guido Wimmel

Hi, in the Admin Events / Login Events - View in the Administration Console in Keycloak, I can see e.g. if users logged in or were assigned to a role. However, the users are only referenced by their id. I can determine the username by constructing an URL (e.g. .../realms/<MY_REALM>/users/<UserId> ) and navigating to it. Is there an easier way? Best regards, Guido

1 year, 6 months

2
4
0 / 0

Keycloak 6.0.1 released

by Stian Thorgersen

https://www.keycloak.org/2019/04/keycloak-601-released.html

1 year, 6 months

2
3
0 / 0

Password expiry policy not working for federated user

by kapil joshi

Hi All, Password expiry policy not working for federated user. We can see that the password has expired for LDAP user, which was set to 90 days, but user can still login to UI via keycloak authentication. Kindly point us what are we missing. Please note we have enabled the switch to sync password policy with federated user. Thanks & regards Kapil

1 year, 6 months

1
4
0 / 0

2020

2019

2018

2017

2016

2015

2014

keycloak-user April 2019