Keycloak invalid redirect_uri behind proxy
by Miguel Martinez
Miguel Martinez <martinezmiguel.ar(a)gmail.com>
Hi
I am trying to use Keycloak to secure an application. I added the Keycloak
adapter to the JBoss EAP.
The JBoss EAP is behind an Apache balancer, which is behind another
Apache (that exposes the app to the Internet).
(Apache DMZ)--->(Apache Balancer)--->(JBoss EAP with Keycloak adapter)
I would like to know if it is possible for the Keycloak adapter to build the
redirect_uri from the X-Forwarded-Host header.
Thank you in advance.
Best regards.
JBoss-EAP-6.4
5 years, 7 months
keycloak-gatekeeper + fine-grained authorization
by Tyler Johnson
I'm trying to figure out how to use keycloak-gatekeeper with the
fine-grained authorization option in Keycloak.
I set up the authorization and ran an evaluation within the Keycloak UI
that correctly gave DENY for user 'test', but when I use that same user to
log in through gatekeeper, it says it's permitted and directs me to
upstream.
Is there anything I need to enable on gatekeeper side to have it enforce,
or any pointers here?
Thanks,
Tyler
5 years, 7 months
Adding information from a 3rd party service into JWT token
by Michael Isvy
Hi,
Thanks a lot for the hard work on Keycloak! I've been using it for a few
days and have been quite impressed by the UI, features and level of
documentation.
I have a custom requirement. When users authenticate, in case of successful
authentication, I need to call a 3rd party API, collect additional
information and place it into my JWT token.
I am in the process of doing it by coding my own Mapper (extending
AbstractOIDCProtocolMapper). I was wondering if this is the correct way to
do it or if there is a simpler way to achieve my goal.
Regards,
Michael.
5 years, 7 months
Vanilla not working
by JAKOBI Pascal
Hi there
I am completely new to jboss & keycloak, so...
I installed Keycloak 6.0.1-2 and WildFly 16.0.0-1. Both products run after carefully following the quickstart instructions: I can create users in KC, the vanilla page displays, etc.
However, when I click on the "login" button, the basic auth window pops up and entering the correct information does not unblock this (I am looping).
I ran jboss-cli and I can see Keycloak stuff in my WildFly standalone.xml...
Any idea?
Thank you in advance
P
5 years, 7 months
What Specification says my brokered IdP key is invalid?
by Ryan Slominski
I'm seeing a lot of messages like the following in my log file:
2019-05-22 14:28:56,312 WARN [org.keycloak.storage.jpa.KeyUtils] (default task-xx) The given key is not a valid key per specification, future migration might fail: f:jlab-ldap:ryans
(1) What specification are we talking about? OAuth? What does it say?
(2) I assume the problem is when I created an LDAP user storage provider I created it on the command line with specific ID "jlab-ldap". Why is this bad? Must it be a totally random UUID?
The log messages seem to occur whenever a user links an account from a brokered IdP to their account in the Keycloak realm. (The brokered IdP is also Keycloak.)
5 years, 7 months
Wildfly Client Adapter Session Expiration
by Ryan Slominski
Is there any documentation on how session expiration works with respect to the WildFly client adapter? If the Keycloak idle session timeout expires, it seems to automatically expire a WildFly client session too. In my client application web.xml I have an expiration of 8 hours. However, it appears the 30 minute default Keycloak idle session expiration is overriding this. After 30 minutes of idle time, if I return to my client application I am logged out and the Keycloak log file contains:
WARN [org.keycloak.events] (default task-41) type=REFRESH_TOKEN_ERROR, realmId=xxxx, clientId=xxxxx, userId=null, ipAddress=xxx.xx.xx.xxx, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
I assume I can bump up the Keycloak session idle timeout as a workaround, but this means ALL applications must have a long expiration. I was wondering if, once authenticated to an application on WildFly, that application could control its own JSESSIONID session expiration? The fact that we set session expiration in two places is confusing, as it seems the one in web.xml is not honored.
Ryan
5 years, 7 months
users created through rest api not enabled
by Matthew Broadhead
Using Keycloak 4.5.0 standalone, CentOS 7.
We have been using the REST API to create users by POSTing a
UserRepresentation to /{realm}/users.
It still works fine, but the two properties setEnabled and
setEmailVerified are being ignored:
userRepresentation.setEnabled(true);
userRepresentation.setEmailVerified(true);
Even running a subsequent PUT and setting the values has no effect.
We have not changed our configuration at all for a long time. Perhaps a
system update has caused this?
5 years, 7 months