June 2019 - keycloak-user - Jboss List Archives

by GESLIN Fabrice

Hi, Is there a way to customize the content of the access token that is delivered to client applications ? This question is an attempt to revive this old thread: https://lists.jboss.org/pipermail/keycloak-user/2016-February/004784.html . The idea is to deliver basic JWT access tokens to public clients. This token can be exchanged later on at the resource server level with a full-fledged JWT. Regards, Fabrice Geslin Groupe La Poste Post-scriptum La Poste Ce message est confidentiel. Sous reserve de tout accord conclu par ecrit entre vous et La Poste, son contenu ne represente en aucun cas un engagement de la part de La Poste. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee prealablement. Si vous n'etes pas destinataire de ce message, merci d'en avertir immediatement l'expediteur.

6 years, 9 months

2
2
0 / 0

Changed email is written to DB without verification, then the account is blocked

by Lukasz Lech

Hello, I have a following scenario. The user has changed email. Because of the typo the new email is invalid. The email was saved to the DB without verification, which makes it impossible to log in using valid email. The new email requires verification, which is impossible, because it is invalid. The user is effectively blocked. I've discovered this misbehavior in 4.8.1 Is my realm configured wrongly, or this is a known misbehavior? Or maybe it was our failure that we have allowed users to change email, which should be immutable by design? Best regards, Lukasz Lech

6 years, 9 months

1
0
0 / 0

setup expiration for temporary password

by pavel.kokush

Hello Is it possible to setup expiration for temporary password ? (different from expiration for normal password) If not possible, then any hint on how to implement it with keycloak extension (without forking keycloak) ? BR, Pavel

6 years, 9 months

1
0
0 / 0

Allow access unauthenticated users

by Ali Ahmadzadeh Asl

Hi I'm using Keycloak 6.0.0 in Spring Boot and my application properties file is like this: keycloak.realm=my-realm keycloak.resource=my-app keycloak.ssl-required=external keycloak.principal-attribute=preferred_username keycloak.auth-server-url=http://localhost:8080/auth keycloak.credentials.secret=f3222288-26c7-4487-83ec-67c111fa3e13 keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied keycloak.securityConstraints Indeed, I want to get security constraints from Keycloak server (by setting config 'on-deny-redirect-to'). In Keycloak admin panel, I have only two permissions for client 'my-app', the default one (which generated automatically by Keycloak) and permission which only allow users having ROLE_REST for accessing /rest/* URL pattern. But there is a problem, after running the project and accessing the main page (/), the browser redirects to '/access-denied'. How can I config Keycloak from admin panel to allow unauthenticated users access main page of server?? I'm waiting for your responses, Thanks

6 years, 9 months

1
0
0 / 0

Configure Keycloak to be able to delegate authentication to other application

by Cécile Radix Saint-Martin

Hi, We wish to use Keycloak as our IDP for our application (frontend + REST micro services). We want to give users the possibility to authenticate using their credentials of another application (login + password). In the same time, our application needs to call this other application APIs and for this, needs the custom token returned by the application during authentication (this application is not OIDC compliant). First I wanted to implement a custom identity provider for Keycloak, as it enables to store token of external IDP. But there is very few documentation about that and only examples I found are for OIDC providers. So finally I decided to implement a custom authenticator (org.keycloak.authentication.Authenticator). I want to be sure that with a custom authenticator, I will be able to : - Store custom tokens of the other application, provide it to a client API and refresh it if expired - Create user in Keycloak if it does not exist (if authentication with the other application succeed) Anyone can confirm ? *Cécile RADIX SAINT-MARTIN* *mailto:cecile.saintmartin@gmail.com <cecile.saintmartin(a)gmail.com>*

6 years, 9 months

2
2
0 / 0

KEYCLOAK SAML logout not working as documented

by Manuel Waltschek

Hello KC Community, I am still trying to find out how to properly logout from keycloak using the kc adapter on wildfly10. Documentation says 3.1.8. Logout There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true. This will log you out if you have an SSO session with your browser. As HttpServletRequest.logout() in Undertows implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout returns false in my case it does not much. @Override public void logout() throws ServletException { SecurityContext sc = exchange.getSecurityContext(); sc.logout(); if(servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) { HttpSession session = getSession(false); if(session != null) { session.invalidate(); } } } Im calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the keycloak session and I can still reach protected ressources. There is no backchannel request as I would expect. When I do the following: private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String contextPath = req.getContextPath(); req.logout(); resp.sendRedirect(contextPath + "?GLO=true"); it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse ist posted to myapp/saml again which leads to http Status code 403 forbidden. Please also see: https://issues.jboss.org/browse/KEYCLOAK-2191 and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html Regards, [Logo]to m Manuel Waltschek BSc. +43 660 86655 47<tel:+436608665547> manuel.waltschek(a)prisma-solutions.at<mailto:manuel.waltschek@prisma-solutions.at> https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 Mödling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

6 years, 9 months

2
4
0 / 0

Latest documentation not showing on Google

by Stian Thorgersen

For some reason our latest documentation is not showing on Google. This issue started happening when we changed the toolset for our docs. Does anyone have any clue why this is happening and what we can do to resolve this?

6 years, 9 months

1
0
0 / 0

Keycloak caching issue

by Farzad Panahi

Hi, I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs meaning that I send two queries and the two RPTs returned have different granted permissions in them. So I wend behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning wrong set of permissions in RPT. If I go to the admin console and clear the realm cache, then both nodes would return the same correct permissions right away. This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this. Anyone with similar issue? Any suggestions? Cheers Farzad

6 years, 9 months

2
5
0 / 0

Keycloak Gatekeeper to secure API services via Bearer Token results to 307

by Ed Dave Tan

Hi, I have deployed Keycloak Gatekeeper to Kubernetes using helm chart here: https://hub.kubeapps.com/charts/gabibbo97/keycloak-gatekeeper/1.2.1 The configuration I used is: listen=0.0.0.0:3000 --set discoveryURL=https://domain.com/auth/realms/manager --set upstreamURL=http://up-domain.com:port --set ClientID=manager --set ClientSecret=$secret --set rules={"uri=/*|roles=manager"} --set droolsPolicyEnabled=false My intended use case for Keycloak Gatekeeper is use it to secure API services. 1.) I imagine the flow will be like Angular frontend (using JS Adapter) to login the user. 2.) Angular frontend will receive Bearer Token from authentication. 3.) Angular frontend will send Bearer Token to Keycloak Gatekeeper to access needed resources. So far I tested accessing the resource directly by accessing the 0.0.0.0:3000 via kubectl portfoward. Which worked fine. I was redirected to the login page then redirected to the resource after successful login. However, I tried mimicking my intended workflow via Curl. (Similar to this https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernet... ) 1.) I was able to get the access token and refresh token from using: curl -X POST \ 'https://domain.com/auth/realms/manager/protocol/openid-connect/token' \ -H "Content-Type: application/x-www-form-urlencoded" \ -d 'username=manager1&password=<manager1_passowrd>&grant_type=password&client_id=manager-service&client_secret=<secret>' 2.) I'm getting a HTTP 307: Temporary Redirect. When I try to access the resource using: curl -H 'Authorization: Bearer <access_token>' \ --proxy http://127.0.0.1:3000 http://up-domain.com/api/v1/manager \ -v > --proxy http://127.0.0.1:3000 http://up-domain:port/api/v1/manager \ > -v * Trying 127.0.0.1... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0) > GET http://up-domain:port/api/v1/manager HTTP/1.1 > Host: up-domain:port > User-Agent: curl/7.58.0 > Accept: */* > Proxy-Connection: Keep-Alive > Authorization: Bearer <TOKEN> > < HTTP/1.1 307 Temporary Redirect < Content-Type: text/html; charset=utf-8 < Location: /oauth/authorize?state=8688edc1-f05d-49c5-ae33-f4f10605d8d8 My question: Is my intended work flow viable using Keycloak Gatekeeper? Or Did I do something wrong? PS: My Keycloak version is 5.0 and I change the image being pulled by the helm chart above to 5.0.0 because the 4.8.0.Final cant be found. *Note: droolsPolicyEnabled is set to false since it was causing issue in starting Keycloak.

6 years, 10 months

1
0
0 / 0

Realm-specific authorization following cross-realm authentication

by luis.villaca＠petrobras.com.br

Greetings, I would like to understand the best strategy to implement a scenario of realm-specific authorization in Keycloak after cross-realm authentication. A "brief" context: My company has its own corporate authentication and authorization services. The first one returns the status based on user credentials (e.g. already logged, invalid credentials, etc). The second one relates a distinct service to each application, and is used for retrieving application-specific roles. So this service, when provided with a username and the app credentials, retrieves a list of user roles. We plan on decoupling the applications from it. So we configured Keycloak instance to allow the usage of OpenIDConnect. For security, we created a JKS keystore for our certificate and set the SSL properties in our standalone.xml. We created our own Keycloak plugin (implementing org.keycloak.storage.UserStorageProviderFactory, and extending UserStorageProvider, UserLookupProvider, and CredentialInputValidator) that currently interacts with our corporate service for authenticating and pulling the roles. This was configured as a UserFederation in realms A and B (for apps A and B), each along with application-specific settings for interacting with our corporate service. We also configured each app (springboot) with its certificate (PrivateKeyEntry) and a a Keycloak JKS Truststore. Using spring-security-oauth2-autoconfigure features (application.yml) we configured keycloak settings. It works fine, since each app redirects to the IDP (configured with its specific realm) and is able to authenticate and pull the client mapped roles, further correlated to our secured resources in our WebSecurityConfigurerAdapter extension (SpringSecurity). Now we have two applications (A and B) performing this strategy and we want SSO. For testing that we picked up the secret from realm A "broker" client, used it to configure an identity provider in realm B (i.e., pointing to realm A urls and this broker client). As we set the redirector in realm B Authentication config, it works as expected. A user tries to access a protected resource in B, is directed to realm A, authenticating there and coming back, bringing only Keycloak default roles to B (uma_authorization, not the "A" roles). So here is the strategy I thought for this scenario: 1) Create an authentication-only Realm with a configured user federation that calls our corporate authentication Service only to authenticate users 2) Set realms A and B with above realm broker configured as their identity providers 3) Assign realm-specific roles in realms A and B. Maybe using their specific UserFederation? Could it be set under Post Login Flow? It should call our corporate application-specific authorization Service and assign those roles to the user (if needed, creating those realm roles). Any thoughts or references/examples on that (specially step 3)? Thanks, regards, Luis "O emitente desta mensagem � respons�vel por seu conte�do e endere�amento. Cabe ao destinat�rio cuidar quanto ao tratamento adequado. Sem a devida autoriza��o, a divulga��o, a reprodu��o, a distribui��o ou qualquer outra a��o em desconformidade com as normas internas do Sistema Petrobras s�o proibidas e pass�veis de san��o disciplinar, c�vel e criminal." "The sender of this message is responsible for its content and addressing. The receiver shall take proper care of it. Without due authorization, the publication, reproduction, distribution or the performance of any other action not conforming to Petrobras System internal policies and procedures is forbidden and liable to disciplinary, civil or criminal sanctions." "El emisor de este mensaje es responsable por su contenido y direccionamiento. Cabe al destinatario darle el tratamiento adecuado. Sin la debida autorizaci�n, su divulgaci�n, reproducci�n, distribuci�n o cualquier otra acci�n no conforme a las normas internas del Sistema Petrobras est�n prohibidas y ser�n pasibles de sanci�n disciplinaria, civil y penal."

6 years, 10 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2019