keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
by Olivier Rivat
Hi,
I am testing the integration of keycloak to FranceConnect (French IDP
provider).
It is working fine with keycloak 4.81 (I have just tested it today), but
it is failing with keycloak 5.0.
The difference between the two is that keycloak 5.0 internally adds
client_session_state to the idp request.
But FranceConnect idp is not recognizing client_session_state.
What could be done to overcome this issue, as the IDP has not changed?
Is it possible to disable this flag (client_session_state) so it does
not appear in the log of KC 5.0?
Please advise what could be done to have it working again.
Regards,
Olivier Rivat
==============================================================================
Traces are as follows for the two versions:
Keycloak 4.83 trace (OK)
2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 >> "[\r][\n]"
2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 >>
code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
grant_type=authorization_code&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "Server: nginx[\r][\n]"
2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11)
http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
2019-04
Keycloak 5.00 trace (Not working)
6:01:00,889 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 >> "
code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
grant_type=authorization_code&
client_session_state=n%2Fa&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
16:01:00,966 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Server: nginx[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Content-Length: 104[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Connection: keep-alive[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10)
http-outgoing-0 << "{"status":"fail","message":"The following fields are
not supposed to be present : client_session_state"}"
--
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
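As an added illustration (not code from the thread or from Keycloak), the two token-endpoint request bodies from the traces above can be compared mechanically, and the two possible server behaviours towards an unrecognised parameter can be put side by side: the strict rejection seen in the 5.0 trace, and the lenient handling that RFC 6749 section 3.2 requires ("MUST ignore unrecognized request parameters"). The codes, secret and client id are constructed placeholders, not the values from the trace.

```python
from urllib.parse import parse_qs, urlencode

# Constructed bodies modelled on the 4.8 and 5.0 wire traces; all values are placeholders.
KC48_BODY = urlencode({
    "code": "CODE_PLACEHOLDER",
    "grant_type": "authorization_code",
    "client_secret": "SECRET_PLACEHOLDER",
    "redirect_uri": "http://localhost:8080/auth/realms/demo/broker/FranceConnect/endpoint",
    "client_id": "CLIENT_ID_PLACEHOLDER",
})
KC50_BODY = urlencode({
    "code": "CODE_PLACEHOLDER",
    "grant_type": "authorization_code",
    "client_session_state": "n/a",          # the parameter 5.0 started sending
    "client_secret": "SECRET_PLACEHOLDER",
    "redirect_uri": "http://localhost:8080/auth/realms/demo/broker/FranceConnect/endpoint",
    "client_id": "CLIENT_ID_PLACEHOLDER",
})

# Parameters of an authorization_code token request (RFC 6749 section 4.1.3) plus
# client_secret for client_secret_post authentication (RFC 6749 section 2.3.1).
KNOWN_TOKEN_PARAMS = {"grant_type", "code", "redirect_uri", "client_id", "client_secret"}


def parse_body(body):
    """Decode application/x-www-form-urlencoded into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def added_params(old_body, new_body):
    """Parameter names present in new_body but absent from old_body."""
    return sorted(set(parse_body(new_body)) - set(parse_body(old_body)))


def strict_endpoint(body):
    """Behaviour seen in the 5.0 trace: any unrecognised field yields HTTP 400."""
    unknown = sorted(set(parse_body(body)) - KNOWN_TOKEN_PARAMS)
    if unknown:
        return 400, {"status": "fail",
                     "message": "The following fields are not supposed to be present : "
                                + ", ".join(unknown)}
    return 200, {"status": "ok"}


def lenient_endpoint(body):
    """RFC 6749 section 3.2: unrecognised parameters are ignored, not rejected."""
    params = parse_body(body)
    if params.get("grant_type") != "authorization_code" or not params.get("code"):
        return 400, {"error": "invalid_request"}
    return 200, {"status": "ok", "ignored": sorted(set(params) - KNOWN_TOKEN_PARAMS)}
```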
Key Rotation
by Shetty, Shweta
Hi Folks,
As per the security need we need to provide the functionality of rotating keys. The access token is using RS256 as key algorithm, but it looks like Keycloak signs the refresh token with a different algorithm by using HMAC (HS256). We have a use case of offline tokens and would like to get a new offline token when the key rotates. Is it possible to sign the refresh token with the same key as the access token? The problem is we can only revoke the refresh token – there is no way to rotate the refresh token key. Please advise. What do folks usually do?
Shweta
User Export with Storage Providers inefficient
by keycloak-user@imber.wien
Hi,
I was doing some research on an issue we encountered with user export
(at boot-time). The export task was running for hours with ~50.000
LDAP-backed Users and eventually crashed. It obviously got slower and
slower with each user bulk.
I observed that this also happens with local-only users, as soon as an
LDAP provider is configured and enabled.
SQL log output showed that for each user-select for a given "page"
(limit and offset), all preceding pages are queried first, which
explains the deterioration over time (quadratic complexity).
The responsible code (KC 4.8.3) is UserStorageManager#query(...). If any
enabled storage providers exist, this method queries all pages up to the
requested one.
I then found this explanation from Summer 2016:
http://lists.jboss.org/pipermail/keycloak-dev/2016-June/007448.html
> Right now I've implemented something that is pretty inefficient to keep it backward compatible right now. Basically I iterate all providers from the beginning until the page desired is identified and filled up. Minimally it is a stop gap until I get everything working.
... so it seems to be a concession to backwards compatibility, back when
storage federation got refactored.
Can you think of a workaround to make user export usable for us?
Do you plan to drop or improve the current pagination behavior at some
point?
Thanks,
best regards,
Mario.
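A toy model of the paging behaviour described in this message, added here as an illustration and not Keycloak's own code: the stop-gap strategy walks every provider from row 0 until the requested page is filled, so a page-by-page export reads a quadratic number of rows, while an offset-aware strategy that uses each provider's count() to skip whole providers reads each row once. The providers, their sizes and the page size are constructed.

```python
class Provider:
    """Stand-in for one user storage provider (e.g. the local DB or an LDAP provider)."""

    def __init__(self, name, size):
        self.users = [f"{name}-{i}" for i in range(size)]

    def count(self):
        return len(self.users)

    def search(self, first, max_results):
        return self.users[first:first + max_results]


def page_walk_from_start(providers, first, max_results):
    """Stop-gap: read rows 0..first+max_results across providers, then slice.
    Returns (page, rows_fetched_from_storage)."""
    wanted, rows = first + max_results, []
    for p in providers:
        if len(rows) >= wanted:
            break
        rows.extend(p.search(0, wanted - len(rows)))   # always restarts at row 0
    return rows[first:wanted], len(rows)


def page_with_counts(providers, first, max_results):
    """Offset-aware: skip whole providers via count(), then read only this page."""
    rows = []
    for p in providers:
        if len(rows) >= max_results:
            break
        if first >= p.count():      # this provider lies entirely before the page
            first -= p.count()
            continue
        rows.extend(p.search(first, max_results - len(rows)))
        first = 0                   # later providers contribute from their start
    return rows, len(rows)


def export_cost(providers, page_size, strategy):
    """Export all users page by page; return (users_exported, rows_fetched)."""
    total = sum(p.count() for p in providers)
    exported, fetched, first = [], 0, 0
    while first < total:
        page, n = strategy(providers, first, page_size)
        exported.extend(page)
        fetched += n
        first += page_size
    return len(exported), fetched
```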
Custom account provider not working after upgrading to 4.8.3.Final
by abhishek raghav
Hi -
We have implemented a custom account provider which
implements AccountProviderFactory and the implementation class
extends FreeMarkerAccountProvider. It is packaged and deployed as a
provider with a service definition file.
This used to work in keycloak 3.4.3.Final but not after we upgraded to
keycloak 4.8.3.Final.
We also identified that the provider is not even registered/initialized
during boot time of keycloak. Could somebody please tell whether keycloak
has removed support for extending the Account provider SPI, or whether there is any
other way to extend the account provider in keycloak 4.8.3.Final?
Any help is greatly appreciated.
Thanks
-Abhishek
Re: [keycloak-user] User creation
by Vlasta Ramik
On 4/12/19 10:49 AM, Pavel Drankov wrote:
>
> registration should be an atomic
>
> Sure, I agree with you. But, a user is created after the first step by
> default. How can I make the user creation process consisting of two
> steps atomic?
I suppose you've implemented a custom SPI execution [1].
Then in the admin console, in the "Authentication" tab, you should make a copy of
the "Registration" flow. Then you have to add a new execution [Actions -> Add
execution] (your custom execution with SMS validation) to "Copy Of
Registration Registration Form" and then you make the execution "REQUIRED".
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#_provi...
>
> Best wishes,
> Pavel
>
>
> On Fri, 12 Apr 2019 at 09:54, Vlasta Ramik <vramik(a)redhat.com
> <mailto:vramik@redhat.com>> wrote:
>
> Hey Pavel,
>
> inline
>
> On 4/10/19 5:36 PM, Pavel Drankov wrote:
> > Hello,
> >
> > I'm trying to implement a two-step registration process based on
> > Keycloak. On the first step, the user enters the same information as in
> > the default registration form, but with the addition of a telephone
> > number. On the second step, he enters a code received via an SMS message.
> >
> > The problem I faced is that if a user successfully filled in the first
> > step registration form and failed to enter a valid code on the second
> > step, he is not able to use the same email address on the first step
> > (because of the "Email already exists." error). Is there a way to clean
> > up not fully registered users and allow them to re-register if they have
> > not finished all the steps from the registration flow?
>
> It doesn't sound right. I think the registration should be an atomic
> operation, so either both steps are successful and the user is
> registered, or the user is not registered.
>
> To tell more I'd need more information on how you've developed the
> described functionality.
>
> Regards,
>
> V.
>
> >
> > Best wishes,
> > Pavel
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
Re: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
by Hans Zandbelt
France Connect IDP is not ignoring extra parameters in the token request as
the spec dictates; this has also proven to be a problem with other OIDC RPs.
Hans.
On Mon, Apr 15, 2019 at 9:03 AM <keycloak-user-request(a)lists.jboss.org>
wrote:
>
> Hi Cedric,
>
> Please find attached my demo realm JSON file of KC 5.0.
> (client secret is starred).
>
> To add the idp provider, I select add user provider and select "keycloak
> openID provider".
> After this, I do select all the fields manually.
>
>
> Regards,
>
> Olivier Rivat
>
>
>
>
> On 15/04/2019 at 08:18, cedric(a)couralet.eu wrote:
> > On Monday, April 15, 2019 08:11 CEST, Olivier Rivat <orivat(a)janua.fr> wrote:
> >
> >> Hi Cedric,
> >>
> >> I am integrating KC (SP) to FranceConnect (IDP) directly out of the box.
> >> I haven't written any KC code module extension and FranceConnect is
> >> configured as an IDP for KC.
> >>
> > Could you share your Idp configuration (minus the secrets)?
> > Did you choose "keycloak OpenId Connect" or "OpenId Connect v1.0"? How
> > did you test from one version to another (export/import, manual conf,
> > upgrade?)
> >
> > Cédric,
> >
> >
> >> FranceConnect Integration is working fine with KC 4.81, but it is
> >> failing with KC 5.00.
> >> The only diff I noticed is that internally there is this
> >> client_session_state flag added with KC 5.0.
> >> This is what makes the integration fail.
> >>
> >> Regards,
> >>
> >> Olivier Rivat
> >>
> --
>
>
>
> Olivier Rivat
> CTO
> orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>
>
>
>
Re: [keycloak-user] Keycloak Identity Broker to LDAP User Storage?
by A. A.
Actually, I've traced the source of my challenge I believe to this excellent analysis:
https://issues.jboss.org/browse/KEYCLOAK-4433?focusedCommentId=13364626&p...
In my case, I have a few attributes in OpenLDAP that have constraints associated with them (we are using the constraints overlay/extension provided by OpenLDAP). Those constraints prevent the creation of the "default" dummy object. I have confirmed that watching the logs: Keycloak first tries to create a dummy empty object, then moves forward with modifying the returned entry.
Is there a workaround to this? Or a configuration option that instead of create empty then modify, instead simply does create with full attributes?
Re: [keycloak-user] Login with email in keycloak not working for federated user
by Lorenzo Luconi Trombacchi
Hi Kapil,
Sorry, I have no experience with LDAP and LDAP user federation. I developed a keycloak user federation plugin for our internal database and, as I said, e-mail authentication works fine.
Lorenzo
> On 12 Apr 2019, at 03:03, kapil joshi <kapilkumarjoshi001(a)gmail.com> wrote:
>
> Hi Lorenzo,
>
> We are using the JavaScript adapter for the client and the stable helm chart for Keycloak. Somewhere I read we need a mapping of the LDAP mail attribute with username, but I didn't exactly get what it was. Can someone point me to that?
>
> Thanks
> Kapil
>
> On Thu, 11 Apr 2019, 20:10 Lorenzo Luconi Trombacchi, <lorenzo.luconi(a)iit.cnr.it <mailto:lorenzo.luconi@iit.cnr.it>> wrote:
> Just tested with my user federation implementation and it works (4.8.3.Final). I can login to my app using email address.
> You must implement the UserLookupProvider interface and the getUsersByEmail method.
>
> Lorenzo
>
>
> > On 11 Apr 2019, at 15:59, kapil joshi <kapilkumarjoshi001(a)gmail.com <mailto:kapilkumarjoshi001@gmail.com>> wrote:
> >
> > Hi Team,
> >
> > Login with email in Keycloak is not working for a federated user; please note
> > that we have enabled the switch to Login With Email.
> > Can someone point us to what we are missing?
> >
> > Thanks & regards
> > Kapil
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
Users having Roles at Departments
by Alper Kara
What is the right way of having effective areas of roles like:
-Department1
--SubDepartment1
--SubDepartment2
-Department2
--SubDepartment3
--SubDepartment4
user - role@SomeGroupOrDepartment
Joe - manager@SubDepartment1
Kim - manager@Department2
Jim - user@Department2
Joe - user@Department1
Kim - qa@Department1
Kim - user@SubDepartment2
...
In the end we want to say in our applications:
manager of Department 1 --> can write files
all users --> can read files
all managers --> can have reports
any role in Sub Department 1 --> can use CAD
...
etc.
So to speak, is there a good way to have effective roles as triplets instead
of tuples? If my understanding is correct, at the moment we have to create
composite roles with departments. In any living organization there are
multiple roles like employee, manager etc. with different departments doing
different things: the human resources manager can read personal files,
whereas the IT manager can access svn, and all managers can post announcement
emails, while ordinary users can have different access rights depending on
department...
Keycloak Identity Broker to LDAP User Storage?
by A. A.
Hello,
We have successfully configured Keycloak as an identity broker, and used some SAML attribute mappers to pull SAML claims into user attributes within Keycloak, e.g. national-id, birthdate, and so on.
We also have configured an LDAP storage backend under User Federation, along with attribute to LDAP mappers.
Is there a way to configure Keycloak to push a newly verified user's attributes (I mean after email verification) into LDAP automatically? It dawned on me that the user-LDAP mapping is more of a "pull from LDAP into Keycloak" type of mapping and not the other way around. I do know there is a sync option, but I was wondering if the push from SAML to Keycloak to LDAP could be done in "one transaction" on first login?