GROUP-LDAP-MAPPER for Dynamic Groups in LDAP
by Charles Joseph Malata
Hi,
Is the default "GROUP-LDAP-MAPPER" for LDAP able to work with Dynamic
Groups (using the groupOfURLs objectclass)?
I noticed that the behaviour of that mapper seems to expect that the
objectclass used should be groupOfNames.
Appreciate any help.
Cheers,
Charles
5 years, 7 months
Get users api very slow when federation is enabled
by Firoz Ahamed
Hi,
We have a setup where federation is enabled in Keycloak and have some 200 users imported from the federation. The get users REST API call now takes around 30 seconds to return the details of the 200 users!
Without the federation enabled, it only takes a few seconds to get 1000s of users. I believe the slowness is because Keycloak checks with the federation for each user. Is there some way to turn this check off?
Any help would be greatly appreciated.
Thanks in advance,
Firoz
5 years, 7 months
Integrate keycloak and kafka
by jeet parmar
Hello All,
Need some pointers on how I can integrate Keycloak with Kafka so that whenever there are events sent on Kafka
(e.g. CREATE_REALM, DELETE_USER, etc.) for Keycloak, Keycloak should react to them according to the events.
Any pointers would greatly help on this.
Thanks,
Jeet
Glabbr
https://glabbr.me/jeety
5 years, 7 months
keycloak-gatekeeper doing compression offloading without the instruction to do so
by Malte Schmidt
Hello, I recently discovered strange behaviour of an application which
is being protected by gatekeeper when I noticed that the resources from
the application are being transmitted uncompressed.
It looks like the "content-encoding: gzip" header goes missing and the
response to the client/reverse proxy is sent uncompressed after being
passed through gatekeeper.
I tried to search the documentation for gatekeeper and this behaviour,
but failed to find anything of use.
Ideas on how to pass already compressed data through gatekeeper or any
other opinions?
Normal communication from the client over the reverse proxy to the
application server:
Client to reverse proxy
GET /test.js HTTP/1.1
[...]
Accept-Encoding: deflate, gzip
Reverse proxy to application server
GET /test.js HTTP/1.1
[...]
Accept-Encoding: deflate, gzip
Answer from the application server over the reverse proxy to the client
HTTP/1.1 200 OK
[...]
vary: accept-encoding
content-encoding: gzip
keycloak-gatekeeper added to the chain, between the reverse proxy and
the upstream
Gatekeeper to its upstream
GET /test.js HTTP/1.1
[...]
Accept-Encoding: gzip
Upstream to gatekeeper
HTTP/1.1 200 OK
[...]
vary: accept-encoding
content-encoding: gzip
Gatekeeper to client
HTTP/1.1 200 OK
[...]
Vary: accept-encoding
5 years, 7 months
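One mechanism that yields exactly the header pattern captured above (the upstream is asked for a bare "Accept-Encoding: gzip", and the reply comes back with Content-Encoding removed) is Go's net/http Transport, which gatekeeper, a Go program, is built on: when the Transport adds the gzip Accept-Encoding on its own behalf it transparently decompresses the response and deletes the Content-Encoding header, whereas forwarding the client's own Accept-Encoding value leaves the reply untouched. This is an added Go example, not gatekeeper's code; the upstream is a constructed httptest server standing in for the application server.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// gzipUpstream is a constructed stand-in for the application server: like the
// capture above it answers "Content-Encoding: gzip" when gzip is offered, and
// echoes the Accept-Encoding it received in X-Upstream-Saw for inspection.
func gzipUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ae := r.Header.Get("Accept-Encoding")
		w.Header().Set("X-Upstream-Saw", ae)
		if !strings.Contains(ae, "gzip") {
			io.WriteString(w, "console.log('test.js');")
			return
		}
		w.Header().Set("Content-Encoding", "gzip")
		gz := gzip.NewWriter(w)
		io.WriteString(gz, "console.log('test.js');")
		gz.Close()
	}))
}

// fetch issues one GET and returns the Accept-Encoding the upstream saw, the
// Content-Encoding the caller gets back, and whether the body is still gzip
// (magic bytes 1f 8b). With forwardAE == "" the Transport adds
// "Accept-Encoding: gzip" itself and, as net/http documents, transparently
// decompresses the reply and deletes Content-Encoding on the way back.
func fetch(url, forwardAE string) (upstreamSaw, contentEncoding string, bodyIsGzip bool, err error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", "", false, err
	}
	if forwardAE != "" {
		req.Header.Set("Accept-Encoding", forwardAE)
	}
	resp, err := (&http.Client{Transport: &http.Transport{}}).Do(req)
	if err != nil {
		return "", "", false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	bodyIsGzip = len(body) >= 2 && body[0] == 0x1f && body[1] == 0x8b
	return resp.Header.Get("X-Upstream-Saw"), resp.Header.Get("Content-Encoding"), bodyIsGzip, err
}

func main() {
	srv := gzipUpstream()
	defer srv.Close()
	for _, ae := range []string{"", "deflate, gzip"} {
		saw, ce, gz, err := fetch(srv.URL, ae)
		fmt.Printf("forwarded %q: upstream saw %q, got Content-Encoding %q, body gzip=%v err=%v\n", ae, saw, ce, gz, err)
	}
}
```

The first run reproduces the symptom (upstream saw "gzip", Content-Encoding gone, body plain); the second shows that passing the client's header through keeps the compressed reply intact.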
Keycloak Tomcat adapter and Tomcat SSO
by Leonid Rozenblyum
Hello!
I need to integrate 6 webapps which are running on Tomcat SSO with Keycloak
(using the SAML 2.0 protocol, although OpenID Connect is also possible).
Does the Keycloak Tomcat adapter support Tomcat SSO (which is implemented in
the SingleSignOn Valve)?
The idea is that if I log in to WebApp1 in Tomcat via Keycloak and then
try using WebApp2, we shouldn't have to authenticate to Keycloak again and
should instead reuse the Tomcat SSO session.
5 years, 7 months
Proper naming for User Based Access Control
by Stefanidis, Kyriakos
Hello all,
On the topic of Keycloak authorization services: I was wondering if there is a proper, or at least a nicer than mine, naming scheme for the names of the resources, policies and permissions when trying to set up UBAC.
The scenario:
There are N resources of a specific type "box"
Specific users need to have access to specific resource
The management is done centrally by the realm admin
A solution:
Create N resources with the name "box##" and the uri scheme is "/resources/box/##"
Create N (user based) policies with the name "Only users that access box##"
Create N (resource based) permissions with the name "Allow access to box##"
My comments:
The solution seems a bit verbose and bulky and I couldn't find a more structured naming scheme. If I add S scopes to the concept then I have S*N policies and permissions with the scope as part of the policy and permission names.
Are there any more structured ways of setting up UBAC in keycloak that I am missing here? At least, are there any better naming schemes that I could use?
Best regards,
Kyriakos Stefanidis
5 years, 7 months
keycloak 4.8.3 ReadOnlyException on new SAML client with ldap federation
by Iain Steers
Hey folks,
We upgraded to keycloak 4.8.3 fairly recently. We were on version 4.2.1.
All existing SAML and OAuth clients work as expected and there are no
issues signing into them.
However, we just created a new SAML client and don't seem to be able to
successfully complete the auth process, with the vague error message:
"Unexpected error when handling authentication request to identity provider"
Digging into the logs I found a stacktrace[1]. This occurs on login
attempts with this new client.
Our User Federation backend is a read-only ldap. Some searching of the
jboss jira and web didn't find much related to this. Any help would be
appreciated.
This is reproducible for us across two separate instances of keycloak
backed by separate ldap backends.
Thanks,
Iain
[1]
May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-733) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/washington/
May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 WARN [org.keycloak.services] (default task-733) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.ReadOnlyUserModelDelegate.setSingleAttribute(ReadOnlyUserModelDelegate.java:48)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.models.cache.infinispan.UserAdapter.setSingleAttribute(UserAdapter.java:137)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId(SamlProtocol.java:366)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.getNameId(SamlProtocol.java:324)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.protocol.saml.SamlProtocol.authenticated(SamlProtocol.java:380)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:790)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:742)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:876)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1008)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:878)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at sun.reflect.GeneratedMethodAccessor673.invoke(Unknown Source)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at java.lang.reflect.Method.invoke(Method.java:498)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
May 07 20:01:05 keycloak-01 standalone.sh[947]: at java.lang.Thread.run(Thread.java:748)
5 years, 7 months
Service account token mappers?
by Gary Kennedy
I want to use a service account token to call the admin API (for its realm) and have discovered that the token needs the "resource_access" claim (with appropriate "realm-management" roles).
I don't want user tokens generated through the client to have the claim (unless absolutely necessary).
How can I get mappers to only apply to the service account token? Or find the mappers used for the service account tokens?
If I add the client roles mapper to the client I still don't get the "resource_access" claim in the service account token.
(Keycloak 4.8.2)
Cheers,
Gary
5 years, 7 months
Cannot verify ES256 JWT token
by jeet parmar
Hello All,
I was using the RS256 algo till now and had no problems verifying tokens until I upgraded to 6.0.1, as I wanted to use ES256.
After upgrading to 6.0.1 and changing the default token algo to ES256, I am no longer able to validate the token signature.
Steps to reproduce:
Create a realm
Add an ecdsa-generated key provider with P-256
Set the default token algo to ES256
Generate a JWT token using the login procedure
Go to https://jwt.io/
Select the algo as ES256
Paste the token
Paste the public key which you get from the Keys tab for the ECDSA key.
It fails with "invalid signature".
The same workflow above with RS256 works perfectly fine.
Please help on this.
Thanks,
Jeet
Glabbr
https://glabbr.me/jeety
5 years, 7 months
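The "invalid signature" result from the steps above can be reproduced and diagnosed locally: per RFC 7518 section 3.4 an ES256 JWS signature is the raw 64-byte R||S concatenation, whereas a generic ECDSA signer emits an ASN.1 DER sequence, and a JOSE verifier such as jwt.io rejects the DER form even when the key is right. This is an added Go example, not Keycloak's code; the P-256 key and the claims are generated inline as stand-ins for the realm's ECDSA key and a real login token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url throughout

// verifyES256 checks a compact JWS the way jwt.io does: signing input is the
// ASCII "header.payload", digest SHA-256, and the signature must be the raw
// 64-byte R||S concatenation (RFC 7518 section 3.4), never ASN.1 DER.
func verifyES256(token string, pub *ecdsa.PublicKey) (ok bool, sigFormat string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, "", fmt.Errorf("expected header.payload.signature")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return false, "", err
	}
	if len(sig) != 64 { // a ~70-byte value starting with 0x30 is the DER form
		return false, fmt.Sprintf("%d-byte signature, not R||S", len(sig)), nil
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, h[:], r, s), "jws-r||s", nil
}

// signES256 builds a token over constructed claims; der=true reproduces the
// wrong encoding (what a generic ECDSA signer emits) so the failure is visible.
func signES256(priv *ecdsa.PrivateKey, claims string, der bool) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(input))
	if der {
		sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
		return input + "." + b64.EncodeToString(sig), err
	}
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the realm's P-256 key
	for _, der := range []bool{false, true} {
		tok, _ := signES256(priv, `{"sub":"jeet","iss":"keycloak"}`, der)
		ok, format, err := verifyES256(tok, &priv.PublicKey)
		fmt.Printf("der=%v -> verified=%v signature=%s err=%v\n", der, ok, format, err)
	}
}
```

Decoding the third segment of a real token and checking its length (64 bytes, or roughly 70 starting with 0x30) tells you which encoding the issuer produced before suspecting the key.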