Is it possible to extend the default max size of user attributes?
by Matthieu Huin
Hello,
I would like to store a user's public SSH keys as a custom attribute in
Keycloak 5.0. Unfortunately it seems that the default max size of
attributes is 255 characters. Is it possible to configure this to an
arbitrarily higher value?
Thanks,
MHU
5 years, 8 months
Issue with logout
by admadm@virgilio.it
Hello,
We installed KC 5.0.0 and started developing against the Java API, and now we've encountered a problem with logout.
When we try to log out a user via Java, authenticating with a valid token (client id + secret), we get an HTTP failure with a 400 response: invalid_client_credentials. We've debugged the code and discovered that the ClientIdAndSecretCredentialsProvider class has a null client secret. How is that possible? How could we fix this?
5 years, 8 months
Keycloak - 2FA Token Reset
by Sandeep Sancheti
Hi,
I'm helping my organisation build a portal framework, and one of the modules is user login, where Keycloak is being used as IDAM. One of the features we have enabled is two-factor authentication, and I have a requirement to allow users to reset their 2FA token, but my understanding from reading a few blogs is that this is only possible via the forgotten password flow. Is my understanding correct, or am I missing something? Could you please advise.
One of the other teams is using WSO2 as API manager, and there is an option where, if a user needs to reset their token, the admin can delete the secret key from the user's profile, which then prompts the user to rescan a new code on the next login attempt. If Keycloak doesn't have such an out-of-the-box feature, can similar steps be done in Keycloak to reset the token?
Regards
Sandeep
5 years, 8 months
Re: [keycloak-user] Help setup SSL certificate on keycloak
by Sylvain Malnuit
Francesco,
If you use the official Keycloak image, they introduced a .cer file conversion mechanism (see previous answer) and
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
and the readme
https://github.com/jboss-dockerfiles/keycloak/tree/master/server (search for TLS).
Otherwise (custom Docker image), you must use the WildFly mechanism and implement the same mechanism to import your certificate.
If Keycloak (WildFly) doesn't detect a JKS, it will generate a JKS with a self-signed certificate (see the warning in the logs). In a Docker environment, you can mount your certificates (secrets) and convert them to JKS (see KEYSTORES_STORAGE in the x509.sh script for an example).
Bye
From: Francesco Longo [mailto:francesco.longo@linksfoundation.com]
Sent: Wednesday 17 April 2019 17:53
To: Sylvain Malnuit <sylvain.malnuit(a)lyra-network.com>
Subject: Re: [keycloak-user] Help setup SSL certificate on keycloak
Hi! Thank you for your answer, but I can't understand. I have a valid certificate (.cer file) and I don't understand how to import it into Keycloak.
The problem is that I use Keycloak in a Docker container in a Portainer configuration. I provide HTTPS with a self-signed certificate by running the Docker container and Keycloak with a mapped port like 8443. Now I cannot understand how to set up this certificate in Keycloak, and the guide/tutorial is not so clear because I don't understand where to put the .cer file and what file to edit...
Do I have to create a keystore from the .cer file?
Could you provide me with a clearer procedure?
Thank you very much!
Francesco Longo
From: Sylvain Malnuit <sylvain.malnuit(a)lyra-network.com>
Sent: Wednesday, April 17, 2019 16:05
To: Francesco Longo; keycloak-user(a)lists.jboss.org
Subject: RE: [keycloak-user] Help setup SSL certificate on keycloak
Hi,
It's an internal mechanism of WildFly (see
http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly).
You create a keystore (JKS) in the expected folder (or override the path with a parameter) and declare the realm in WildFly.
It's not very difficult. Follow the tutorial and it works fine.
Depending on the version of Keycloak (and the associated WildFly version, Elytron or not), the CLI commands can be different.
Good luck
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Francesco Longo
Sent: Wednesday 17 April 2019 15:31
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Help setup SSL certificate on keycloak
Good morning, I'm Francesco Longo and I'm a researcher at Links Foundation.
I'm trying to set up Keycloak as the authentication and authorization service for a European project, and I have some problems setting up an SSL certificate.
I found the way to use HTTPS in Keycloak using Docker (just run the Docker image with the 8443 port mapping and it automatically creates a self-signed certificate), but I'd like to use a valid SSL certificate, because I get the error "self signed certificate" when I make requests to my Keycloak-protected server...
I found your guide where it is explained how to add a certificate, but it is not clear to me where the keystore file needs to be put and which file to edit or modify in order to have HTTPS.
I'll be very grateful if some of you could help me resolve my doubts.
Thank you very much for your availability.
Best regards,
Francesco Longo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years, 8 months
Azure AD - ImmutableID
by Aaron Echols
Hello All,
I've been working on getting SAML2 working with Azure AD Education. I've
gotten it working using the article listed below, with the exception of the
ImmutableID (when you attempt to log in to Azure AD, Keycloak generates a
random GUID for each user who attempts to log in). I can get their
ImmutableID and the users can log in successfully:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-con...
So to set the tone here, I'm federating all my accounts from Server 2016 AD
with 2016 forest level. I'm trying to figure out how to get each
user's ImmutableID by converting the objectGUID to the ImmutableID, and add
the following attribute to every user, populated with the
ImmutableID:
saml.persistent.name.id.for.urn:federation:MicrosoftOnline
Azure AD's ImmutableID is based off of the objectGUID in the on-prem AD and
is not stored in the local AD from what I can tell. I have to use the Get-MsolUser
PowerShell cmdlet to get their ImmutableID.
How do I convert the objectGUID by importing it into Keycloak, then
converting it to the ImmutableID in Keycloak for all users? It sure would
stink adding it by hand to every user...
I'm able to convert the objectGUID locally using something like the following, but
this is useless in Keycloak:
# Look up the user's objectGUID in AD by UPN
$userUPN = "user(a)domain.com"
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
# ImmutableID is the Base64 encoding of the GUID's 16 bytes (.NET byte order)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
Thanks in advance for any assistance :)
--
Aaron Echols
5 years, 8 months
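The same objectGUID-to-ImmutableID conversion as Aaron's PowerShell, rewritten as an added Python example (not code from the post or from Keycloak) so it can be run over a user export or LDAP result rather than one user at a time. It also shows the byte-order detail that matters: .NET's Guid.ToByteArray() stores the first three GUID fields little-endian, so the textual GUID must be encoded with that layout, while the raw 16 bytes an LDAP search returns for objectGUID are already in that order. The sample GUID and the idea of sending the value as a Keycloak user attribute are constructed assumptions.

```python
import base64
import uuid

# Attribute name from the post; Keycloak stores user attribute values as lists.
IMMUTABLE_ID_ATTR = "saml.persistent.name.id.for.urn:federation:MicrosoftOnline"

# Constructed sample: textual GUID and the same GUID as raw LDAP objectGUID bytes.
SAMPLE_GUID = "12345678-1234-5678-9abc-def012345678"
SAMPLE_RAW_OBJECTGUID = bytes.fromhex("78563412341278569abcdef012345678")


def objectguid_to_immutable_id(object_guid) -> str:
    """Return the Azure AD ImmutableID for an AD objectGUID.

    Accepts the textual GUID (as shown by Get-ADUser) or the raw 16 bytes
    returned by LDAP. The textual form is encoded with bytes_le, matching
    Guid.ToByteArray(); the RFC 4122 big-endian bytes (uuid.bytes) would
    produce a value Azure AD will not match.
    """
    if isinstance(object_guid, (bytes, bytearray)):
        raw = bytes(object_guid)
        if len(raw) != 16:
            raise ValueError("objectGUID must be exactly 16 bytes")
    else:
        raw = uuid.UUID(str(object_guid)).bytes_le
    return base64.b64encode(raw).decode("ascii")


def immutable_id_to_objectguid(immutable_id: str) -> str:
    """Inverse mapping, useful to check a value read back with Get-MsolUser."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def keycloak_attributes_for(object_guid) -> dict:
    """Build the 'attributes' fragment of a Keycloak user representation
    carrying the ImmutableID (assumption: pushed via the admin REST API)."""
    return {IMMUTABLE_ID_ATTR: [objectguid_to_immutable_id(object_guid)]}


if __name__ == "__main__":
    print(objectguid_to_immutable_id(SAMPLE_GUID))
    print(keycloak_attributes_for(SAMPLE_RAW_OBJECTGUID))
```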
Configure authorization to only allow subset of user management actions?
by Jared Blashka
I've got a client application that wants to be able to remotely trigger the
password reset flow for some users. I see the execute-actions-email
endpoint on the user resource, but it looks like the only permission check
present is whether that client has full management access for that
user or not. I don't want to allow the possibility of the client managing
other aspects of the user. Is there any way I can restrict this client to
only triggering the update password action, or would I be better off adding my
own RealmResourceProvider for this?
5 years, 8 months
Help setup SSL certificate on keycloak
by Francesco Longo
Good morning, I'm Francesco Longo and I'm a researcher at Links Foundation. I'm trying to set up Keycloak as the authentication and authorization service for a European project, and I have some problems setting up an SSL certificate.
I found the way to use HTTPS in Keycloak using Docker (just run the Docker image with the 8443 port mapping and it automatically creates a self-signed certificate), but I'd like to use a valid SSL certificate, because I get the error "self signed certificate" when I make requests to my Keycloak-protected server...
I found your guide where it is explained how to add a certificate, but it is not clear to me where the keystore file needs to be put and which file to edit or modify in order to have HTTPS.
I'll be very grateful if some of you could help me resolve my doubts.
Thank you very much for your availability.
Best regards,
Francesco Longo
5 years, 8 months
basic questions regarding realm limitations and user provider (sap)
by Hanspeter Zach
We're considering using Keycloak as our IAM and we've now been asked a few
basic questions that someone on the list might be able to answer.
- Are there any limitations (performance?) on the number of realms that can
be created? Does anyone have any experience?
- There is a need to have the same user base (AD) across multiple realms.
Does the user provider have to be entered for each realm, or can this be
done more elegantly with the master realm?
- Are there any empirical values regarding the connection of SAP (EWM) as
Identity Provider or even as User Provider?
Thanks for the information!
5 years, 8 months
keycloak-quickstarts: docker and/or docker-compose?
by Melissa Palmer
Hi
Are there any Docker images and/or docker-compose files for the Keycloak
quickstarts?
i.e. ones that set up the Keycloak server (with an imported realm) and a WildFly server
with the Keycloak client adapter installed in it?
Thanks in Advance
Melissa
5 years, 8 months