expiration for temporary password
by pavel.kokush
Hi,
Is it possible to set an expiration for a temporary password?
Use case:
The user asks for a password reset, and the system calls the
org.keycloak.admin.client.resource.UserResource.resetPassword method with
the temporary=true flag in the model.
The system provides the new temporary password to the user (by email or similar).
When the user tries to change this temporary password, Keycloak's UserResource.
resetPassword should fail if the temporary password has expired (and the user must
then repeat the flow).
Of course, temporary and normal passwords should have different expiration
periods.
Is this possible in Keycloak? If not, any hint on how to do it with a
Keycloak extension (without forking Keycloak)?
Thanks,
Pavel
6 years, 10 months
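Keycloak itself does not attach a lifetime to a temporary password: the temporary flag only adds the UPDATE_PASSWORD required action, so enforcing a deadline at the moment the user changes it would need a custom required action provider (Keycloak's RequiredActionProvider SPI). The added example below (not code from the original post or from Keycloak) shows the part that needs no extension: the calling system records a deadline as a user attribute when it issues the temporary password through the admin REST endpoints PUT /admin/realms/{realm}/users/{id} and PUT /admin/realms/{realm}/users/{id}/reset-password, and refuses to honour the temporary credential once that deadline has passed. The attribute name tmp_pwd_expires_at, the 15-minute lifetime, the realm and user IDs, the injected send transport and the in-memory server stand-in are assumptions of the example.

```python
"""Temporary-password issuance with an expiry the calling system enforces."""
import json
import secrets
import string
import time

EXPIRY_ATTR = "tmp_pwd_expires_at"   # assumed user attribute, epoch seconds as a string
TEMP_PASSWORD_TTL = 15 * 60          # assumed lifetime of a temporary password
ALPHABET = string.ascii_letters + string.digits


def new_temporary_password(length: int = 16) -> str:
    """Temporary password drawn from the CSPRNG, never from a predictable source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_temporary_password(send, base, realm, user_id, now=None):
    """Record the deadline on the user, then set the temporary credential.

    `send(method, url, body)` -> (status, parsed_body_or_None) is the injected
    transport, so the logic runs against a real admin session or a fake one.
    """
    now = time.time() if now is None else now
    expires_at = int(now) + TEMP_PASSWORD_TTL
    user_url = f"{base}/admin/realms/{realm}/users/{user_id}"

    status, user = send("GET", user_url, None)
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    attrs = dict(user.get("attributes") or {})
    attrs[EXPIRY_ATTR] = [str(expires_at)]   # attribute values are lists of strings
    user["attributes"] = attrs
    status, _ = send("PUT", user_url, user)
    if status != 204:
        raise RuntimeError(f"attribute update failed: HTTP {status}")

    password = new_temporary_password()
    credential = {"type": "password", "value": password, "temporary": True}
    status, _ = send("PUT", f"{user_url}/reset-password", credential)
    if status != 204:
        raise RuntimeError(f"reset-password failed: HTTP {status}")
    return password, expires_at


def temporary_password_valid(user, now):
    """True only while the recorded deadline is in the future; no attribute -> False."""
    values = (user.get("attributes") or {}).get(EXPIRY_ATTR) or []
    try:
        return now < int(values[0])
    except (IndexError, ValueError):
        return False


def fake_admin_api():
    """Constructed in-memory stand-in for the two endpoints; not a Keycloak server."""
    store = {"user-1": {"id": "user-1", "username": "pavel", "attributes": {}}}
    calls = []

    def send(method, url, body):
        calls.append(method)
        user_id = url.split("/users/")[1].split("/")[0]
        if user_id not in store:
            return 404, None
        if method == "GET":
            return 200, json.loads(json.dumps(store[user_id]))   # a copy, like a real response
        if method == "PUT" and url.endswith("/reset-password"):
            return 204, None
        if method == "PUT":
            store[user_id] = body
            return 204, None
        return 405, None

    return send, store, calls


if __name__ == "__main__":
    send, store, calls = fake_admin_api()
    pw, deadline = issue_temporary_password(send, "https://kc.example.com/auth", "myrealm", "user-1")
    print(pw, deadline, temporary_password_valid(store["user-1"], time.time()))
```

When the user comes back to complete the flow, the system reads the user representation and calls temporary_password_valid before honouring the temporary credential; if it returns False the system issues a fresh one and the flow starts over. The normal password lifetime is a separate concern, handled by the realm's password policy rather than by this attribute.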
Registration page still shown with existing session
by Rains, Chris
Hi,
If I successfully login and then manually navigate to the registration endpoint (protocol/openid-connect/registrations), the registration form is returned. If I complete the form, I am getting a “different_user_authenticated” error. Is this expected behavior? I would have expected my existing session to be recognized when I first navigated to the registration page, and not even see the registration form.
Thanks!
- Chris Rains
6 years, 10 months
user data insights
by Simon Neaves
Hi,
I have some feature requests around user data insights. As far as I'm
aware, it's not possible to filter the User list in the keycloak admin to
find out, for example,
- Which users have enabled 2FA
- Which users have incomplete actions (e.g. verify email)
- Have disabled accounts
- Have logged in in the last 6 months (e.g. sort by 'last logged in' or
'account created' etc.)
- View/filter a custom attribute
In an ideal world, we'd perhaps generate some reports (e.g. % users with
2FA) as a pie chart, but in the first instance, just some basic
filters/sorts on the user list would be invaluable.
Perhaps this work relates to the work proposed at
https://github.com/stianst/keycloak-community/blob/master/design/observer...
Thanks,
Simon Neaves, Technical Director | Aerian
simon(a)aerian.com | www.aerian.com
6 years, 10 months
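Nothing in the admin console's user list answers these questions, but the admin REST API returns the underlying data: GET /admin/realms/{realm}/users yields enabled, requiredActions, createdTimestamp (epoch milliseconds) and attributes per user, and GET /admin/realms/{realm}/users/{id}/credentials lists the configured credentials, where a type of "otp" means a second factor is set up. The added example below (not from the original post or from Keycloak) computes the requested figures over data in that shape; the sample users and credentials are constructed. Last-login time is not part of the user representation, so the example sorts by account creation instead.

```python
"""Report figures over Keycloak admin REST user data (constructed sample input)."""
DAY_MS = 24 * 3600 * 1000
SIX_MONTHS_MS = 183 * DAY_MS


def has_otp(credentials):
    """Credentials as returned by GET /users/{id}/credentials; type "otp" means 2FA is configured."""
    return any(c.get("type") == "otp" for c in credentials)


def filter_by_attribute(users, key, value):
    """Users whose custom attribute `key` contains `value` (attribute values are lists)."""
    return [u for u in users if value in ((u.get("attributes") or {}).get(key) or [])]


def newest_first(users):
    """Sort by account creation time; createdTimestamp is epoch milliseconds."""
    return sorted(users, key=lambda u: u.get("createdTimestamp", 0), reverse=True)


def user_report(users, credentials_by_user, now_ms):
    """Counts the admin console's user list does not offer."""
    pending = {}
    for u in users:
        for action in u.get("requiredActions") or []:
            pending[action] = pending.get(action, 0) + 1
    total = len(users)
    otp = sum(1 for u in users if has_otp(credentials_by_user.get(u["id"], [])))
    return {
        "total": total,
        "otp_enabled": otp,
        "otp_percent": round(100.0 * otp / total, 1) if total else 0.0,
        "disabled": sum(1 for u in users if not u.get("enabled", True)),
        "pending_required_actions": pending,
        "created_last_6_months": sum(
            1 for u in users if now_ms - u.get("createdTimestamp", 0) <= SIX_MONTHS_MS),
    }


# Constructed sample data in the shape of the admin REST responses.
NOW_MS = 1_560_000_000_000
SAMPLE_USERS = [
    {"id": "a", "username": "alice", "enabled": True, "createdTimestamp": NOW_MS - 1 * DAY_MS,
     "requiredActions": [], "attributes": {"department": ["eng"]}},
    {"id": "b", "username": "bob", "enabled": True, "createdTimestamp": NOW_MS - 400 * DAY_MS,
     "requiredActions": ["VERIFY_EMAIL"], "attributes": {"department": ["sales"]}},
    {"id": "c", "username": "carol", "enabled": False, "createdTimestamp": NOW_MS - 10 * DAY_MS,
     "requiredActions": ["VERIFY_EMAIL", "UPDATE_PASSWORD"], "attributes": {}},
    {"id": "d", "username": "dave", "enabled": True, "createdTimestamp": NOW_MS - 200 * DAY_MS,
     "requiredActions": [], "attributes": {"department": ["sales"]}},
]
SAMPLE_CREDENTIALS = {
    "a": [{"type": "password"}, {"type": "otp"}],
    "b": [{"type": "password"}],
    "c": [{"type": "password"}],
    "d": [{"type": "password"}, {"type": "otp"}],
}

if __name__ == "__main__":
    print(user_report(SAMPLE_USERS, SAMPLE_CREDENTIALS, NOW_MS))
    print([u["username"] for u in filter_by_attribute(SAMPLE_USERS, "department", "sales")])
```

Against a real realm the two lists are fetched with an admin token (the users endpoint is paged with first/max, so loop until it returns fewer than max) and fed to user_report unchanged; the credentials call is one request per user, which is the expensive part on a large realm.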
ADMIN_EVENT_ENTITY Exception
by Henning Waack
Dear all.
We currently see the following exception in our KC 5.0 server log. Any
idea what the root cause could be?
Thanks in advance
Henning
2019-06-13 09:42:08,669 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-676) SQL Error: 1366, SQLState: 22007
2019-06-13 09:42:08,670 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-676) (conn=3571) Incorrect string value: '\xC5\xABras"...' for column `keycloak`.`ADMIN_EVENT_ENTITY`.`REPRESENTATION` at row 1
2019-06-13 09:42:08,671 ERROR [org.hibernate.internal.ExceptionMapperStandardImpl] (default task-676) HHH000346: Error during managed flush [org.hibernate.exception.DataException: could not execute statement]
2019-06-13 09:42:08,671 WARN  [com.arjuna.ats.arjuna] (default task-676) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff91eff4af:-1becb8ba:5d0021fb:346da5, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@360e1f51 >: javax.persistence.PersistenceException: org.hibernate.exception.DataException: could not execute statement
    at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154)
    at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
    at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
    at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460)
    at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:511)
    at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3283)
    at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2479)
    at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:473)
    at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:352)
    at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
    at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
    at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236)
    at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247)
    at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292)
    at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:360)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
    at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1288)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
    at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
    at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77)
    at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
    at org.keycloak.services.resources.admin.UserResource.updateUser(UserResource.java:173)
--
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
www.codecentric.de | blog.codecentric.de
6 years, 10 months
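MySQL error 1366 "Incorrect string value" means the bytes the client sent cannot be represented in the column's character set; here they are 0xC5 0xAB, the UTF-8 encoding of 'ū', written into the REPRESENTATION column of ADMIN_EVENT_ENTITY while an admin user update with that character in its representation was being recorded as an admin event. The added example below (not from the original post or from Keycloak) decodes the escaped bytes from the quoted log line and reports which MySQL column character sets could hold the resulting text; the latin1 check treats latin1 as ISO-8859-1, which is an approximation of MySQL's cp1252-like latin1.

```python
"""Decode the byte escapes in a MySQL/MariaDB "Incorrect string value" error."""
import re

# The line quoted in the post; the trailing "..." is the server's own truncation of the value.
LOG_LINE = ("(conn=3571) Incorrect string value: '\\xC5\\xABras\"...' for column "
            "`keycloak`.`ADMIN_EVENT_ENTITY`.`REPRESENTATION` at row 1")

VALUE_RE = re.compile(
    r"Incorrect string value: '(.*?)' for column `([^`]*)`\.`([^`]*)`\.`([^`]*)`")


def parse_error(log_line):
    """Return (raw_bytes, 'schema.table.column') for a MySQL 1366 error line."""
    m = VALUE_RE.search(log_line)
    if not m:
        raise ValueError("not a MySQL 'Incorrect string value' error")
    escaped, schema, table, column = m.groups()
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped.startswith("\\x", i):           # \xHH -> one raw byte
            out.append(int(escaped[i + 2:i + 4], 16))
            i += 4
        else:                                       # printable ASCII is shown verbatim
            out.append(ord(escaped[i]))
            i += 1
    return bytes(out), f"{schema}.{table}.{column}"


def charsets_that_fit(raw):
    """Which MySQL column character sets can hold these bytes, read as the UTF-8 the client sent."""
    text = raw.decode("utf-8", errors="replace")   # a cut-off multibyte sequence becomes U+FFFD
    cps = [ord(ch) for ch in text]
    return {
        "text": text,
        "latin1": all(cp < 0x100 for cp in cps),            # ISO-8859-1 approximation
        "utf8 (utf8mb3)": all(cp < 0x10000 for cp in cps),  # BMP only, no 4-byte sequences
        "utf8mb4": True,
    }


if __name__ == "__main__":
    raw, column = parse_error(LOG_LINE)
    print(column, raw, charsets_that_fit(raw))
```

For the quoted line the result is 'ū' (U+016B) followed by the truncated rest of the value: it fits utf8 and utf8mb4 but not latin1, which points at the character set of that column (or of the connection) rather than at Keycloak's code. The same parser works for 4-byte characters such as emoji, where utf8 also fails and only utf8mb4 fits.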
Keycloak RestAPI to Assign Multiple Groups
by Hossein Doutaghy
Hi,
We are planning to assign multiple groups to a single user via a REST API
call, but it seems that Keycloak does not currently have an API for assigning
multiple groups to a user.
As per the Keycloak API documentation, it is only possible to assign a single
group to a user in each API call.
Does Keycloak support a one-user-to-multiple-groups API?
Thanks,
Moe Doutaghy
6 years, 10 months
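The admin REST API does expose group membership one group per call: PUT /admin/realms/{realm}/users/{id}/groups/{groupId}. The added example below (not from the original post or from Keycloak) wraps that into a batch: it resolves group paths from GET /admin/realms/{realm}/groups (top-level groups with nested subGroups), issues one PUT per group, and reports assigned, failed and unknown groups instead of stopping at the first error, so a partially applied batch is visible to the caller. The injected send transport, the in-memory server stand-in and its group tree are constructed for the example.

```python
"""Assign several groups to one user through the admin REST API, one membership per call."""


def group_ids_by_path(send, base, realm):
    """Flatten the group tree from GET /admin/realms/{realm}/groups into {path: id}.

    Paths ("/dev/backend") are unique across the realm; names are only unique per level.
    """
    status, groups = send("GET", f"{base}/admin/realms/{realm}/groups", None)
    if status != 200:
        raise RuntimeError(f"listing groups failed: HTTP {status}")
    by_path = {}

    def walk(items):
        for g in items:
            by_path[g["path"]] = g["id"]
            walk(g.get("subGroups") or [])

    walk(groups)
    return by_path


def assign_groups(send, base, realm, user_id, group_paths):
    """PUT /admin/realms/{realm}/users/{id}/groups/{groupId} once per requested group."""
    by_path = group_ids_by_path(send, base, realm)
    result = {"assigned": [], "failed": [], "unknown": []}
    for path in group_paths:
        gid = by_path.get(path)
        if gid is None:
            result["unknown"].append(path)
            continue
        status, _ = send("PUT", f"{base}/admin/realms/{realm}/users/{user_id}/groups/{gid}", None)
        result["assigned" if status == 204 else "failed"].append(path)
    return result


def fake_admin_api():
    """Constructed stand-in for the two endpoints used above; not a Keycloak server."""
    groups = [
        {"id": "g1", "name": "admins", "path": "/admins", "subGroups": []},
        {"id": "g2", "name": "dev", "path": "/dev", "subGroups": [
            {"id": "g3", "name": "backend", "path": "/dev/backend", "subGroups": []}]},
    ]
    memberships = {"user-1": set()}
    puts = []

    def send(method, url, body):
        if method == "GET" and url.endswith("/groups"):
            return 200, groups
        if method == "PUT" and "/groups/" in url:
            user_id, gid = url.split("/users/")[1].split("/groups/")
            puts.append(gid)
            if user_id not in memberships:
                return 404, None
            memberships[user_id].add(gid)   # idempotent, like the real endpoint
            return 204, None
        return 405, None

    return send, memberships, puts


if __name__ == "__main__":
    send, memberships, puts = fake_admin_api()
    print(assign_groups(send, "https://kc.example.com/auth", "myrealm", "user-1",
                        ["/admins", "/dev/backend", "/nope"]))
```

Because the membership PUT is idempotent, re-running the batch after a partial failure is safe; the caller only has to retry the paths listed under "failed" and fix the spelling of those under "unknown".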
keycloak update/create realm with localization
by Dennis Knorr
Hi,
I am trying to create/update a realm with the de (German) localisation. To do so I enable
internationalisation, set defaultLocale to de and set the themes to
keycloak; when clicking through the admin UI this works.
When I try to update an existing realm with the following script, it
does not work, neither with POST nor with PUT. Any idea what I am doing wrong? Any
tips on how to create/update realms properly via the REST API? This is
harder than I expected.
###########################################################
benutzer01@vm:~/keycloakscripts$ cat scripts/update_realm.sh
#!/bin/bash
set -o noclobber
set -o errexit
set -o pipefail
set -o nounset
# Debugging
#set -xv
if [[ $# -lt 2 ]]; then
cat <<EOF
usage:
$0 ENVIRONMENT REALMNAME
EOF
exit 1
fi
# sourcing ENV files
source scripts/_header.sh
REALM=$2
ADMINTOKEN=$(curl -s \
-d "client_id=admin-cli" \
-d "username=${KEYCLOAK_USER}" \
-d "password=${KEYCLOAK_PASSWORD}" \
-d "grant_type=password" \
"https://${APP_URL}/auth/realms/master/protocol/openid-connect/token" |
jq -r .access_token)
echo "admin token successfully acquired"
# PUT updates an existing realm and must address it by name; a POST to
# /auth/admin/realms (without the name) creates a new realm instead.
curl -s \
-X PUT \
-H "Authorization: Bearer ${ADMINTOKEN}" \
-H 'Content-Type: application/json' \
-d "@$REALM/${SCRIPT_PARAMETER}/realm.json" \
"https://${APP_URL}/auth/admin/realms/${REALM}"
echo "realm '$REALM' update"
benutzer01@vm:~/keycloakscripts$ cat myrealm/MYENV/realm.json
{
"realm": "myrealm",
"enabled": true,
"requiredCredentials": [
"password"
],
"accessTokenLifespan": 7200,
"eventsEnabled": true,
"eventsExpiration": 7200,
"internationalizationEnabled": true,
"loginTheme": "keycloak",
"accountTheme": "keycloak",
"adminTheme": "keycloak",
"emailTheme": "keycloak",
"defaultLocale": "de"
}
benutzer01@vm:~/keycloakscripts$ scripts/update_realm.sh MYENV myrealm
# this should change the settings for myrealm.
##########################################
6 years, 10 months
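Against the admin REST API, POST /auth/admin/realms creates a realm from a RealmRepresentation and PUT /auth/admin/realms/{realm} updates the named realm; a GET on the latter returns 404 while the realm does not exist yet. The added example below (not from the original post or from Keycloak) picks the verb from that lookup, then reads the realm back to confirm the localisation keys were actually stored. It adds supportedLocales to the representation from the post, since the admin console fills that in when locales are selected and defaultLocale is chosen from it. The send transport and the in-memory server stand-in are assumptions of the example; with a real server, send would attach the admin token obtained as in the script above.

```python
"""Create or update a realm through the admin REST API, picking the verb by existence."""
import json

# The representation from the post, plus supportedLocales (see lead-in).
REALM_JSON = """{
  "realm": "myrealm",
  "enabled": true,
  "requiredCredentials": ["password"],
  "accessTokenLifespan": 7200,
  "eventsEnabled": true,
  "eventsExpiration": 7200,
  "internationalizationEnabled": true,
  "supportedLocales": ["de", "en"],
  "loginTheme": "keycloak",
  "accountTheme": "keycloak",
  "adminTheme": "keycloak",
  "emailTheme": "keycloak",
  "defaultLocale": "de"
}"""

LOCALE_KEYS = ("internationalizationEnabled", "supportedLocales", "defaultLocale", "loginTheme")


def realm_representation():
    return json.loads(REALM_JSON)


def upsert_realm(send, base, rep):
    """POST {base}/admin/realms creates; PUT {base}/admin/realms/{realm} updates.

    `send(method, url, body)` -> (status, parsed_body_or_None) is the injected transport.
    Returns "create" or "update" so the caller can log what actually happened.
    """
    name = rep["realm"]
    realms = f"{base}/admin/realms"
    status, _ = send("GET", f"{realms}/{name}", None)
    if status == 200:
        verb, status = "update", send("PUT", f"{realms}/{name}", rep)[0]
    elif status == 404:
        verb, status = "create", send("POST", realms, rep)[0]
    else:
        raise RuntimeError(f"realm lookup failed: HTTP {status}")
    if status not in (201, 204):
        raise RuntimeError(f"realm {verb} failed: HTTP {status}")
    return verb


def verify_realm(send, base, name, expected, keys=LOCALE_KEYS):
    """Read the realm back; return {key: (sent, stored)} for keys that did not take effect."""
    status, stored = send("GET", f"{base}/admin/realms/{name}", None)
    if status != 200:
        raise RuntimeError(f"readback failed: HTTP {status}")
    return {k: (expected.get(k), stored.get(k)) for k in keys if stored.get(k) != expected.get(k)}


def fake_admin_api():
    """Constructed in-memory realm store standing in for the Keycloak endpoints."""
    realms, log = {}, []

    def send(method, url, body):
        log.append(method)
        if url.endswith("/admin/realms"):                 # collection: create only
            if method != "POST":
                return 405, None
            if body["realm"] in realms:
                return 409, None
            realms[body["realm"]] = dict(body)
            return 201, None
        name = url.rsplit("/", 1)[1]                       # item: read or update
        if name not in realms:
            return 404, None
        if method == "GET":
            return 200, dict(realms[name])
        if method == "PUT":
            realms[name].update(body)
            return 204, None
        return 405, None

    return send, realms, log


if __name__ == "__main__":
    send, realms, log = fake_admin_api()
    rep = realm_representation()
    print(upsert_realm(send, "https://kc.example.com/auth", rep))
    print(verify_realm(send, "https://kc.example.com/auth", "myrealm", rep))
```

The readback is the part worth keeping in a deployment script: an HTTP 204 on the PUT only says the request was accepted, while an empty dict from verify_realm says the settings you care about are really what the server now holds.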
Performance tuning of Keycloak
by Nick Su
Hi There
I have done some load testing against Keycloak v5.0, since we are trying to use Keycloak as the SSO for our project. However, the performance is far lower than we expected: we run Keycloak on a VM with 12 cores and 24 GB of memory, and the highest rate is only around 70 rps, so I am wondering whether any tuning can help increase the performance.
I tested it with this command:
ab -T 'application/x-www-form-urlencoded' -n 100000 -c 10000 -p post.data http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token
and also tested with locust, using the script below:
from locust import HttpLocust, TaskSet  # locust 0.x API (HttpLocust/TaskSet)
import requests
import json
import time

def get_token(l):
    # Resource Owner Password Credentials grant against the "test" realm:
    # one token request per task, each on a fresh connection.
    l.client.post("http://192.168.135.92:8080/auth/realms/test/protocol/openid-connect/token", {"client_id": "admin-cli", "username": "test", "password": "password", "grant_type": "password"}, headers={"Connection": "close"})

def get_users(l):
    # Admin REST call: fetch a master-realm token with plain requests, then list users.
    # Not in the task set below, so it is not exercised in this run.
    requests.adapters.DEFAULT_RETRIES = 5
    r = requests.post("http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token", data={"client_id": "admin-cli", "username": "admin", "password": "password", "grant_type": "password"}, headers={"Connection": "close"}).text
    h = {"Authorization": "Bearer " + json.loads(r)["access_token"], "Connection": "close"}
    l.client.get("http://192.168.135.92:8080/auth/admin/realms/master/users", headers=h, verify=False)

class UserBehavior(TaskSet):
    tasks = {get_token: 1}  # only the token request is load-tested

class WebsiteUser(HttpLocust):
    task_set = UserBehavior
Thank you
6 years, 10 months
Cross-realm authentication followed by realm-specific authorization in Keycloak
by luis.villaca@petrobras.com.br
Greetings,
I would like to understand the best strategy to implement cross-realm
authentication with realm-specific authorization in Keycloak.
A "brief" context:
My company has maintained, for years, its own corporate authentication +
authorization Service (internal solution), for which every application gets
a distinct SOAP service, based on application-specific credentials.
This service, when provided with user and those app credentials,
authenticates and retrieves a list of user roles (application-specific).
We plan on replacing this service soon, and the first step we thought was
decoupling the applications from it.
The first thing we did was configure a Keycloak instance to allow the use of
OpenID Connect. We created a JKS keystore for our certificate and set the
SSL properties in our standalone.xml.
Then we coded a Keycloak plugin (implementing
org.keycloak.storage.UserStorageProviderFactory, and extending
CredentialInputValidator) that interacts with our corporate service for
authenticating and pulling the roles based on configured values provided by
ProviderConfigurationBuilder.
We deployed this plugin and configured a Keycloak UserFederation.
We then configured two spring-boot apps, in realms A and B, setting their
certificates (PKEntry and Keycloak JKS). Using
spring-security-oauth2-autoconfigure dependency lib features, we configured
all keycloak connectivity settings (access token url, clientid, secret,
etc) for each realm.
At this point it works fine: each app redirects to the configured IDP (on
its specific realm) and is able to authenticate and pull their
client-specific mapped roles, further correlating them to secured resources
in a WebSecurityConfigurerAdapter extension (SpringSecurity).
Now we want SSO. Basically, we would like to have the authenticated user's
identity propagated to other realms (as applications may link to each
other), but pull authorizations according to realm-specific roles (a second
step).
The strategy I thought:
1) Create a single Realm (named GLOBALAUTH for instance) with a configured
user federation that calls our corporate authentication Service to
authenticate users
2) Set realms A and B with GLOBALAUTH broker configured as identity
providers
3) Maintain realms A and B with their specific UserFederation for further
pulling out user roles, calling our corporate application-specific
authorization Service. (need to check
Is there a better strategy to follow to provide cross-realm authentication
with realm-specific authorization?
A side question from step 2 above: I get the following exception, a Bad
Gateway, when we access a secured resource in app B.
Here is what is happening:
0 - Redirection happens (302) to https://b.com/login
1 - Redirection happens (302) to
https://corp.keycloak.com:9443/auth/realms/B/protocol/openid-connect/auth?
2 - Redirection happens (303) to
https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/login?
3 - Redirection happens (303) to
https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/protocol/openid-con...
As we input a valid user /pass
4 - Redirection after POST
https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/login-actions/authe...
5 - Bad Gateway (502) on
https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/endpoint?
Fails with "Unexpected error when authenticating with identity
provider"
Keycloak logs show:
09:49:48,572 ERROR
[org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
task-161)
:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
It seems like a trust issue, any ideas?
Thanks, regards,
Luis
6 years, 10 months
vitess support
by Fox, Kevin M
Has anyone tried Keycloak on top of Vitess? Seems like it might be a good fit for clustering/HA.
Thanks,
Kevin
6 years, 10 months