May 2019 - keycloak-user - Jboss List Archives

by Corentin Dupont

Hi guys, I noticed that if I request permissions with one client, it is faster than with another one. For instance: TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=cdupont&password=xxx&grant_type=password&*client_id=api-server*&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r` time curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $TOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" *real 0m0,196s* user 0m0,000s sys 0m0,006s TOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=cdupont&password=xxx&grant_type=password&*client_id=dashboard*' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r` time curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $TOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#devices:view&response_mode=permissions" *real 0m2,142s* user 0m0,006s sys 0m0,006s The only difference between the two commands is the client (highlighted in red). With the second client, it takes 2 seconds more consistently. Any idea? I might be a cache problem... Cheers Corentin

7 years

3
6
0 / 0

keycloak+angular+serviceworker

by Ahlers P. (Peter)

Hello, It's my first time here on this mailing list. So please be gentle when I'm break a netiquette. I'm working on a project with Keycloak, keycloak.js, keycloak-angular, Angular and serviceworkers. We have multiple Angular applications with each there own client. All the applications using the same realm. Every application is using the default serviceworker of Angular. We see strange behavior when navigating between applications. 1) Urls which contains a part of the first url and a part of the second url. 2) Navigating between applications and the client-id is from the current application and the redirect-url is from the second application. I know it's a specific setup, but is anyone recognize his behavior? Kind regard, Peter

7 years

1
0
0 / 0

Fine-grained enough for local group admins?

by Per Erik Gransøe

Hi Can I solve the following with KeyCloak, with fine-granted permissions enabled? (also posted here: https://stackoverflow.com/questions/51616770/keycloak-restricting-user-ma...): We have Group X and Group Y. The role 'Group X Admin' can do the following: 1. Can create users without a group. 2. Can assign users without a group to group X. 3. Can edit and manage users in group X. 4. Cannot see/edit/manage users in group Y. Med venlig hilsen / Kind regards [Systematic Logo]<http://www.systematic.com/> Per Erik Gransøe Senior Systems Engineer Søren Frichs Vej 39, 8000 Aarhus C Denmark Mobile: +45 3038 6841 Per.Erik.Gransoe(a)Systematic.com<mailto:Per.Erik.Gransoe@Systematic.com> www.systematic.com<http://www.systematic.com>

7 years

2
1
0 / 0

Does keycloak support multi-hop database schema upgrades

by Shiva Prasad Thagadur Prakash

Hi Guys, Does keycloak/Liquibase support multi-hop schema migration? Thanks & regards, Shiva

7 years

3
6
0 / 0

Re: [keycloak-user] User Export with Storage Providers inefficient

by Mario Imber

Hi, are there any news on this one? Should I rather create a Jira task for this user export issue? Thanks, regards, Mario. Am 27.05.2019 um 10:04 schrieb mario(a)imber.wien: > Hi, > > I was doing some research on an issue we encountered with user export > (at boot-time). The export task was running for hours with ~50.000 > LDAP-backed Users and eventually crashed. It obviously got slower and > slower with each user bulk. > > I observerd that this also happens with local-only users, as soon as an > LDAP provider is configured and enabled. > > SQL log output showed, that for each user-select for a given "page" > (limit and offset), all preceding pages are queried first, which > explains the deterioration over time (quadratic complexity). > > The responsible Code (KC 4.8.3) is UserStorageManager#query(...). If any > enabled storage providers exist, this method queries all pages up the > requested one. > > I then found this explanation of Summer 2016: > http://lists.jboss.org/pipermail/keycloak-dev/2016-June/007448.html > >> Right now I've implemented something that is pretty inefficient to >> keep it backward compatible right now. Basically I iterate all >> providers from the beginning until the page desired is identified and >> filled up. Minimally it is a stop gap until I get everything working. > > ... so it seems to be a concession to backwards compatibility, back when > storage federation got refactored. > > Can you think of workaround to make user export usable for us? > > Do you plan to drop or improve the current pagination behavior at some > point? > > Thanks, > best regards, > Mario. > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

7 years

1
0
0 / 0

LDAP user federation with AD range retrieval

by Sidney Beekhoven

Hello, We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this: Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) … Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s.... When i look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role. For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this. The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so i will create a jira ticket for that. Did anyone else maybe run into this issue, and if so had another solution for it? Kind regards, Sidney Beekhoven

7 years

2
4
0 / 0

Keycloak IDP and python3-saml interoperation

by adam scislowicz

Summary: I am building a SAML authentication system using Keyloack as the IDP, and the python3-saml module to implement the SP. See configuration outline below. I can successfully initiate via IDP or SP. If SP I will be redirected to the IDP. The IDP will then redirect me to the SP's ACS binding and I observe the following logs from the IDP and SP respectively. The following log from python3-saml sticks out 'http://10.0.0.3:9082/metadata/ is not a valid audience for this Response' IDP LOGS [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the requests header [org.keycloak.services.util.CookieHelper] (default task-3) {1} cookie found in the cookies field [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Found AUTH_SESSION_ID cookie with value 65545797-a5c8-415b-9b79-f0bdcf706743.nac-idp [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-3) getUserSessionWithPredicate(65545797-a5c8-415b-9b79-f0bdcf706743): remote cache not available [org.keycloak.protocol.AuthorizationEndpointBase] (default task-3) Sent request to authz endpoint. We don't have root authentication session with ID '65545797-a5c8-415b-9b79-f0bdcf706743' but we have userSession.Re-created root authentication session with same ID. Client is: nac-lander . New authentication session tab ID: cfS0YI4bjUk [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE ONLY [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) processFlow [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-cookie requirement: ALTERNATIVE [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: auth-cookie [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: auth-cookie [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator SUCCESS: auth-cookie [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: auth-spnego requirement: DISABLED [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) execution is processed [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: identity-provider-redirector requirement: ALTERNATIVE [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: null requirement: ALTERNATIVE [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) Skip alternative execution [org.keycloak.services.managers.AuthenticationSessionManager] (default task-3) Removing authSession '65545797-a5c8-415b-9b79-f0bdcf706743'. Expire restart cookie: true [org.keycloak.events] (default task-3) type=LOGIN, realmId=master, clientId=nac-lander, userId=b615f353-672d-4b83-93ee-4f7ceddf543b, ipAddress=10.255.0.2, auth_method=saml, redirect_uri= http://10.0.0.3:9082/?acs, consent=no_consent_required, code_id=65545797-a5c8-415b-9b79-f0bdcf706743, username=admin [org.keycloak.services.managers.AuthenticationManager] (default task-3) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/, max-age: -1 [org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring remember me cookie [org.keycloak.services.managers.AuthenticationManager] (default task-3) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/ SP LOGS nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | acs nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | http://10.0.0.3:9082/metadata/ is not a valid audience for this Response ... nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | {'https': 'off', 'http_host': ' 10.0.0.3:9082', 'server_port': 9082, 'script_name': '/', 'get_data': MultiDict([('sso', '')]), 'post_data': MultiDict([])} nacdev_nac-lander.1.qb2jndj0smik@ubuntusrv | <onelogin.saml2.auth.OneLogin_Saml2_Auth object at 0x7f2cfa62cda0> CONFIGURATION OUTLINE IDP: Keycloak Client: nac-lander Master SML Processing URL: http://10.0.0.3:9082/ IDP Initiated URL Name: 'nac-lander' : http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander Assertion Consumer Service URL: http://10.0.0.3:9082/?acs SP: python3-saml { "strict": true, "debug": true, "sp": { "entityId": "http://10.0.0.3:9082/metadata/", "assertionConsumerService": { "url": "http://10.0.0.3:9082/?acs", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" }, "singleLogoutService": { "url": "http://10.0.0.3:9082/?sls", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" }, "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "x509cert": "", "privateKey": "" }, "idp": { "entityId": "http://10.0.0.3:8080/auth/realms/master/protocol/saml/", "singleSignOnService": { "url": " http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" }, "singleLogoutService": { "url": " http://10.0.0.3:8080/auth/realms/master/protocol/saml/clients/nac-lander", "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" }, "x509cert": "<onelogin_connector_cert>" }}

7 years

2
1
0 / 0

Spring Boot Adapter and Post Requests

by zitrone＠gmx-topmail.de

Hi, i'm currently developing my first spring boot website with keycloak authentication. Everything works nicely except one problem. I have some <form>s on my site that send post-requests. These work usualy fine but when the accesstoken is expired something strange happens. The request gets redirectet to /sso/login, gets redirected to the keycloak (/auth...), gets redirected back to /sso/loin (so far so good) but then it redirects to GET localhost:8080 (where my app is running, but it uses GET and drops the path) So far i tried to permit access to the sso login entrypoint like sugested here: https://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-... without sucess. I tried to use put request, just to learn that html form does not support anything else than get and post. Now i switched to get for all my forms which works but does not feel right. Any pointers on how to solve this? Regards PS: Currently working on Keycloak 3.4.3 but not in the position to change this any time soon :(

7 years

1
0
0 / 0

Can a confidential Access Type client also accept bearer tokens?

by Ryan Slominski

I'm using the Wildfly client adapter to secure access for a web application and it works fine. However, I was wondering if I could have a script to programmatically post some data to one of the web application's end points via a cron job. The examples I have found of doing this assume you have a dedicated "bearer-only" access type client. Do I have to create a separate client for this or can I re-use the existing web application end point, which has access type Confidential? I'm looking at the example here: http://planet.jboss.org/post/getting_started_with_keycloak_securing_a_res... Thanks, Ryan

7 years

2
2
0 / 0

Custom Theme error message {{notification.header}} {{notification.message}}

by Ondrej Scerba

Hi, I'm trying to implement custom theme for Keycloak and I'm receiving error when accessing admin page "{{notification.header}} {{notification.message}}". Any clue what could be wrong and I how can I fix it? Thanks, Ondrej

7 years

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2019