Missing form parameter: grant_type while using the REST API
by Stephan Wehner
Hello,
I'm trying to get an access token from my Keycloak Server. I'm sending a
post request to
http://localhost:12345/auth/realms/testRealm/protocol/openid-connect/toke...
with additional header "Content-type: application/x-www-form-urlencoded;
charset=UTF-8".
The response I get is:
HTTP/1.1 400 Bad Request
Connection: keep-alive
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json
Content-Length: 84
Date: Tue, 28 May 2019 10:14:08 GMT
{"error":"invalid_request","error_description":"Missing form parameter:
grant_type"}
Do you have any idea what the cause of the problem is? Did I miss something
in the configuration? The administration console works well. I'm using Keycloak
6.0.1 as standalone.
I had to change the port because the default port is not free on my host.
Could it be, that I missed something there?
Thank you!
5 years, 7 months
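As an added illustration (not code from the post), a small Python helper that encodes a token request the way Keycloak's `openid-connect/token` endpoint expects it, and checks the form body for the parameters each RFC 6749 grant type requires, so the `Missing form parameter` error quoted above is caught locally before anything is sent; the token URL used in the helper is a placeholder.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlencode

# Parameters each grant type needs besides grant_type (RFC 6749 sections
# 4.1.3, 4.3.2, 4.4.2 and 6). Client credentials may travel in the body or
# in an HTTP Basic header, so they are deliberately not checked here.
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "password": ("username", "password"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def validate_token_form(body):
    """Return None when the urlencoded body is complete, otherwise an error
    dict modelled on the HTTP 400 response quoted in the post."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = form.get("grant_type")
    if not grant:
        return {"error": "invalid_request",
                "error_description": "Missing form parameter: grant_type"}
    if grant not in REQUIRED_BY_GRANT:
        return {"error": "unsupported_grant_type",
                "error_description": "Unsupported grant_type: " + grant}
    for name in REQUIRED_BY_GRANT[grant]:
        if not form.get(name):
            return {"error": "invalid_request",
                    "error_description": "Missing form parameter: " + name}
    return None


def build_token_request(token_url, grant_type, **params):
    """Build (url, headers, body) for the token endpoint; raises instead of
    sending a request the server would reject with 400."""
    body = urlencode({"grant_type": grant_type, **params})
    err = validate_token_form(body)
    if err:
        raise ValueError(err["error_description"])
    headers = {"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    return token_url, headers, body


def post_token_request(token_url, grant_type, **params):
    """Send the request; urllib raises HTTPError on 4xx/5xx, and that error's
    body then carries the JSON error document shown in the post."""
    url, headers, body = build_token_request(token_url, grant_type, **params)
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```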
Is it possible to disable not-before-policy token? Oidc client is crashing because it's there
by Bruno Medeiros
Hi, everyone.
First off, I've been using Keycloak in production for quite a while now, it
is working great, thanks everyone involved!
I'm trying to add a new Oidc client now which is a third-party cloud
service, and they are struggling to handle the CODE_TO_TOKEN Keycloak response.
The error that shows up to the user is:
Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
After a few emails with their support team, they said:
"... The error is related to the “not-before-policy” parameter that is
included in the response which is not part of the OIDC protocol but a
Keycloak specific extension. This parameter gets its value from: Clients ->
{client name} -> Revocation
We set this option to none hoping that it will not be included in the
response, however what I got was [‘not-before-policy’] => 0. So we couldn’t
find a way to remove this parameter from the response. You need to contact
Keycloak and ask them if there is any way to remove this parameter from the
response, since it is not part of the OIDC protocol."
Well, yes, it's a Keycloak-specific extension, but they shouldn't be
crashing because it's there, AFAIK they should be just ignoring this in the
token and proceeding with the login process.
Based on our experience so far, we are going to have a hard time
"convincing" them about that, though, so I was wondering if Keycloak allows
us to disable the not-before-policy to a specific client, or even in the
realm at all?
If not, any pieces of advice on how to support the fact that they should
not be crashing on the client side? I'm afraid I don't know the Oidc/Oauth2
specs broadly enough so far to be sure about that and sustain my opinion.
Cheers,
--
BrunoJCM
5 years, 7 months
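An added example, not code from the post or from the third-party client, showing in Python why a client that derives setter names from response keys fails on `not-before-policy`, next to the tolerant parsing RFC 6749 section 5.1 requires (a client must ignore unrecognized members); the sample response is constructed and its token values are placeholders.

```python
import json

# Members defined for a token response by RFC 6749 section 5.1 and OpenID
# Connect Core section 3.1.3.3; anything else is a server-specific extension.
STANDARD_MEMBERS = {"access_token", "token_type", "expires_in",
                    "refresh_token", "scope", "id_token"}


def setter_name(key):
    """The brittle pattern behind the error in the post: map every response
    key to a setter name. A hyphenated key yields a name that is not a valid
    method identifier, so the client fails instead of ignoring the member."""
    name = "set" + key[:1].upper() + key[1:]
    if not name.isidentifier():
        raise AttributeError("Invalid method Response::" + name + "()")
    return name


def parse_token_response(raw):
    """Tolerant parsing: keep the standard members, report which extras were
    present, and otherwise ignore them as RFC 6749 section 5.1 requires."""
    data = json.loads(raw)
    missing = {"access_token", "token_type"} - set(data)
    if missing:
        raise ValueError("token response lacks " + ", ".join(sorted(missing)))
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError("unsupported token_type " + repr(data["token_type"]))
    known = {k: v for k, v in data.items() if k in STANDARD_MEMBERS}
    extras = sorted(k for k in data if k not in STANDARD_MEMBERS)
    return known, extras


# Constructed sample shaped like a Keycloak code-to-token response; the
# token strings are placeholders, not real JWTs.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.access.placeholder",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJ.refresh.placeholder",
    "token_type": "bearer",
    "id_token": "eyJ.id.placeholder",
    "not-before-policy": 0,
    "session_state": "constructed-session-state",
    "scope": "openid profile",
})
```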
SAML not able to process SP assertion
by Olivier Rivat
Hi,
I am using Keycloak 6.0.1 and trying to connect to an external IDP using
SAML V2.
The setup was working last year with Keycloak 3.4.3.
I am able to authenticate against the IDP, and I can see the SAML packet
returned using the SAML tracer.
I haven't seen any discrepancy.
But on keycloak, I obtain the message
We're sorry,
Login timeout
with the following trace
19:52:23,399 INFO [org.keycloak.saml.validators.ConditionsValidator]
(default task-3) Assertion id18815101930494101523411623 is not addressed
to this SP.
19:52:23,399 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default
task-3) Assertion expired.
19:52:23,400 WARN [org.keycloak.events] (default task-3)
type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=demo, clientId=null,
userId=null, ipAddress=127.0.0.1, error=invalid_saml_response
I've just visited the code of ConditionsValidator.java, where the
warning is issued, but cannot figure out what could be wrong.
Any idea of what could be causing such an issue?
Regards,
Olivier Rivat
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
5 years, 7 months
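Added example (not Keycloak's own ConditionsValidator) that applies, in Python, the checks behind the two messages in the trace above: the NotBefore/NotOnOrAfter window and the AudienceRestriction against the SP's own entity ID, with an optional clock-skew allowance; the assertion fragment, entity IDs and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime, e.g. 2019-05-28T19:52:23Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_conditions(assertion_xml, sp_entity_id, now=None, clock_skew_s=0):
    """Check <saml:Conditions>: time window and audience. `now` may be an
    ISO timestamp string or an aware datetime; defaults to the current time.
    Returns a list of problems; an empty list means the conditions hold."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew_s)
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return ["assertion carries no Conditions element"]
    problems = []
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append("assertion not yet valid (NotBefore in the future)")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter reached)")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    # An AudienceRestriction that does not name us is the "not addressed to
    # this SP" case from the log; an assertion without one is not restricted.
    if audiences and sp_entity_id not in audiences:
        problems.append("assertion is not addressed to this SP; audiences: "
                        + ", ".join(audiences))
    return problems


# Constructed, unsigned assertion fragment for demonstration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="constructed-assertion-1" Version="2.0" IssueInstant="2019-05-28T19:52:20Z">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <saml:Conditions NotBefore="2019-05-28T19:52:15Z" NotOnOrAfter="2019-05-28T19:57:20Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/auth/realms/demo</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Comparing the Audience value in the tracer capture with the entity ID the Keycloak identity provider actually advertises is the quickest way to tell the two log lines apart.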
CSRF token in user management pages
by vasleon
Dear All,
According to the page here
<https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html>
the only part of Keycloak that really falls into CSRF is the user
account management pages. It mentions that in order to protect from
CSRF, keycloak uses a state cookie.
I imagine that the user account management pages are the ones under the
url = http://localhost:8180/auth/realms/demo/account/, is this correct?
If yes, the cookies I can see available on this page are an
AUTH_SESSION_ID cookie and a KC_RESTART cookie. I do not see a "stateChecker"
value.
I can see that these files are related to CSRF checking in the code of the
Keycloak server:
* services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
* adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakCsrfRequestMatcher.java
* services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java
Can someone who has knowledge of this verify that the user account
management pages are the ones at the URL provided above and, if not,
expand on which pages are CSRF protected?
Also please verify that indeed the 3 files above are responsible for
CSRF checking.
Thank you
5 years, 7 months
Securing RESTful API Best Practices
by Farzad Panahi
Hi,
I am very new to Keycloak. I have a RESTful API implemented with json:api
<https://jsonapi.org/> spec which I want to secure using Keycloak.
I just want to ask the Keycloak community for best practices when it comes
to securing RESTful APIs.
My endpoints will be something like:
GET /api/books --> return all books the user has access for
GET /api/books/123 --> return book with id = 123
My challenge now is to figure out how to define resources in Keycloak.
Should I add all my books as resources to Keycloak? And then define the
permission between each user and resource?
What would be the best practice to implement "GET /api/books" to return
only the books the logged in user has access to? Should I query the
Keycloak API to get all the resources the logged in user has access to, in
the backend?
Thanks
Farzad
5 years, 7 months
Logout-User
by Konstantinos Schoinas
Hi all,
I am wondering if there is a way to make the user re-login after a
certain amount of time of inactivity?
I am not referring to the SSO Session Max value, though.
For example, I want to have something like this:
Relogin: 4 hours (relogin because of inactivity)
SSO Session Max: 8 hours (relogin because the session expired)
Thanks in Advance,
Konstantinos
5 years, 7 months
Avoid collisions and links of external accounts
by Asier Aguado Corman
Dear Keycloak users/developers,
We're trying to configure Keycloak to use an LDAP user federation together with identity brokering on social providers (such as GitHub). We want these accounts to be dissociated as different logins, i.e. different usernames or unique IDs without adding them to an existing account. The Keycloak login flow currently allows for duplicate emails, but if a social account logs in with the same username as an internal LDAP account this will result in a username collision. This is not good for our use case, as we don't want to associate these accounts in Keycloak.
In summary,
1) We can't use login with email: we don't want to trust an email from an external provider. We can avoid this by disabling it and allowing duplicate emails. It would be great though to still allow email login for LDAP users.
2) We would need a way to generate usernames from external accounts, something like mapping 'asieraguado' to 'asieraguado@github', so they can be unique. We think that linking accounts will be confusing for our users, and we don't want them to select any username.
Any ideas on how to achieve this configuration?
Best regards,
Asier Aguado
5 years, 7 months
Keycloak Docker Domain Cluster
by Frank Herrmann
Hello,
As part of our upgrade to 6.0.1 we are looking to use the Keycloak docker
images. Our currently installation (3.4.3) uses a domain cluster. While
reviewing the Keycloak docker image, it appears that it only supports
standalone or standalone-ha (for clustering). Am I missing something, or
will I need to customize the Keycloak docker image for domain clustering?
Or was it specifically left out of the official docker image for a good
reason?
Thanks,
-Frank
--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann(a)modmed.com
5 years, 7 months