SAML Logout Response 403 Forbidden
by Manuel Waltschek
Hello,
I am still trying to log out from my wildfly10 keycloak saml client application.
I already described my issues in https://lists.jboss.org/pipermail/keycloak-user/2019-June/018550.html
Quick summary:
I am trying to logout by calling
    private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The Keycloak SAML adapter interprets "?GLO=true" on the application's
        // context root as a request for a global (single) logout.
        String contextPath = req.getContextPath();
        resp.sendRedirect(contextPath + "?GLO=true");
    }
from a servlet. I am getting a LogoutResponse from my keycloak IdP with the following status code:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
It seems that the client cannot handle this response and therefore redirects to a page with content
<html><head><title>Error</title></head><body>Forbidden</body></html>
with status code 403 Forbidden.
I would appreciate any further help, thank you in advance,
regards
Manuel Waltschek BSc.
manuel.waltschek(a)prisma-solutions.at
PRISMA solutions EDV-Dienstleistungen GmbH
5 years, 5 months
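The correlation checks a SAML service provider applies to a LogoutResponse before it accepts it, written for this page as an added example; this is not the Keycloak SAML adapter's code and it does not reproduce the adapter's logic. A response that says Success can still be rejected if its Issuer is not the IdP the request went to, its Destination is not the SP's own endpoint, or its InResponseTo does not match a LogoutRequest the SP actually issued, so these are the fields worth comparing against the adapter's trace logging. The sample response, its IDs and both URLs are constructed; only the StatusCode is the one quoted in the post. Signature verification is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample LogoutResponse. IDs, Destination and Issuer are made up
# for this example; the StatusCode is the one quoted in the post.
SAMPLE_LOGOUT_RESPONSE = """\
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_resp_001" Version="2.0" IssueInstant="2019-06-05T10:00:00Z"
    Destination="https://app.example.com/myapp/saml"
    InResponseTo="ID_req_001">
  <saml:Issuer>https://auth.example.com/auth/realms/demo</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>
"""


def check_logout_response(xml_text, idp_entity_id, sp_slo_url, outstanding_request_ids):
    """Validate a LogoutResponse body and return (accepted, reason).

    outstanding_request_ids is the set of LogoutRequest IDs this SP has sent
    and not yet seen answered; a matching ID is consumed on success.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        return False, "not a samlp:LogoutResponse"

    # Issuer must be the IdP we sent the LogoutRequest to.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        return False, "unexpected Issuer %r" % issuer

    # Destination is optional, but when present it must be our own SLO endpoint.
    destination = root.get("Destination")
    if destination is not None and destination != sp_slo_url:
        return False, "Destination %r is not this SP" % destination

    # InResponseTo must name a request we issued; replaying it is not allowed.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        return False, "InResponseTo %r does not match an outstanding request" % in_response_to
    outstanding_request_ids.discard(in_response_to)

    # The top-level StatusCode decides the outcome; nested codes only refine a failure.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != STATUS_SUCCESS:
        return False, "StatusCode %r" % value
    return True, "ok"


if __name__ == "__main__":
    pending = {"ID_req_001"}
    print(check_logout_response(SAMPLE_LOGOUT_RESPONSE,
                                "https://auth.example.com/auth/realms/demo",
                                "https://app.example.com/myapp/saml", pending))
```

Run it once with the matching request ID and it accepts; run it a second time with the same response and it is refused because the ID was consumed, which is the replay protection an SP gets from tracking outstanding requests.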
Persistent sessions
by Leonid Rozenblyum
Hello!
I saw these questions in the mailing list 2017 and earlier but would like
to double check.
We'd like to enable the persistent session feature of WildFly in Keycloak (in a
non-HA environment)
by doing this in standalone.xml:
    <persistent-sessions path="sessionsStorage"/>
It looks like the feature is not working correctly with Keycloak: after a
Keycloak reboot the sessions look lost.
Is it a misconfiguration on my side or a feature not supported by
Keycloak at all?
Thanks in advance for explanation
Single Logout in Identity brokering mode
by Leonid Rozenblyum
Hello!
I'm working on Single Logout in Identity broker mode.
App -> Keycloak (OpenID Connect)
Keycloak -> 3rd party (SAML)
The Keycloak documentation states that there are 2 ways to execute logout.
1) HttpServletRequest.logout().
2) redirect the browser to
http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...
If I execute 2) it indeed causes Keycloak to send a SAML Logout request to the
3rd-party IdP.
However if I execute 1) the SAML logout request is not sent, thus the 3rd-party
session is still valid.
(I see that by enabling trace logging in Keycloak and by the fact that the user is
still logged in.)
Is it something by design, a misconfiguration on my side, or a bug?
Allowed SAML audiences?
by Craig Setera
If I have a SAML identity provider set up, what would the allowed audience
values look like by default? Is there any place in the UI where I can see
the allowed audience values?
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
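What an audience check on a SAML assertion actually evaluates, as an added example that is not from the post and not Keycloak's code. When a Keycloak realm is the service provider for a brokered SAML IdP, the value the IdP must put in the Audience element is the realm's SP entity ID, which by default is the realm URL; the one used below (https://auth.example.com/auth/realms/demo), the IdP entity ID, the IDs and the timestamps are all assumed values in a constructed assertion fragment. The function applies SAML core section 2.5.1.4 literally: each AudienceRestriction is an independent condition that is satisfied when the SP is one of its Audiences (OR within a restriction, AND across restrictions), and the NotBefore/NotOnOrAfter window is checked with a small clock-skew allowance.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment containing only the parts the checks look at.
# The IdP and SP entity IDs are assumed values, not taken from the post.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_assert_001" Version="2.0" IssueInstant="2019-06-05T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2019-06-05T10:00:00Z" NotOnOrAfter="2019-06-05T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://auth.example.com/auth/realms/demo</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    raise ValueError("unsupported SAML timestamp: %r" % value)


def audience_restrictions(assertion_xml):
    """One list of Audience values per AudienceRestriction element."""
    root = ET.fromstring(assertion_xml)
    return [
        [a.text.strip() for a in restriction.iterfind("saml:Audience", SAML_NS) if a.text]
        for restriction in root.iterfind("saml:Conditions/saml:AudienceRestriction", SAML_NS)
    ]


def conditions_ok(assertion_xml, sp_entity_id, now, clock_skew=timedelta(seconds=30)):
    """Evaluate the Conditions element for this SP at time `now`; return (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return True, "no Conditions element"

    not_before = conditions.get("NotBefore")
    if not_before and now + clock_skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    # Every AudienceRestriction must list us; inside one restriction any match suffices.
    for audiences in audience_restrictions(assertion_xml):
        if sp_entity_id not in audiences:
            return False, "SP %r not in AudienceRestriction %r" % (sp_entity_id, audiences)
    return True, "ok"


if __name__ == "__main__":
    print(audience_restrictions(SAMPLE_ASSERTION))
    print(conditions_ok(SAMPLE_ASSERTION, "https://auth.example.com/auth/realms/demo",
                        parse_saml_time("2019-06-05T10:02:00Z")))
```

If the IdP has been configured with a different audience (a display name, a hostname without the realm path), the assertion is rejected here exactly as a conforming SP would reject it, so printing audience_restrictions() from a captured assertion is the quickest way to see which value the IdP is actually sending.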
Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
by JTK
I've read through all the documentation I can find online, both the
official documents and everything else I could find, and I believe I have
everything set up, with additional logging turned on, but I'm not getting
any type of prompt for an x509 certificate when logging in.
Here are the excerpts from the standalone.xml file where ssl-realm was
added to the management security-realms and under the undertow subsystem.
<management>
    <security-realms>
        ......
        <security-realm name="ssl-realm">
            <server-identities>
                <ssl>
                    <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
                </ssl>
            </server-identities>
            <authentication>
                <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
            </authentication>
        </security-realm>
        ......
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default1" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="default" socket-binding="https" security-realm="ssl-realm" verify-client="REQUESTED"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log worker="default" directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
I've set up the Authentication Flows for the Browser to have X509/Validate
Username Form above the new Browser flow and it's required.
Everything is set up per the Keycloak documentation, including the binding
settings.
The only thing I'm not sure about is whether the keycloak.jks and truststore.jks
files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything of
any relevance in the logs when trying to authenticate into the Keycloak
realm.
Can anyone assist? We are looking to most likely purchase this as a product
through Red Hat SSO if it works well, to get the support we need, but I've
been hung up on this for a few weeks and I know it shouldn't be this hard.
Thanks,
J
Override "native" Keycloak providers
by Jerry Saravia
Hello,
Disclaimer: This might be a keycloak dev mailing list question.
We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.
See this link here for 3.4.3 changes:
https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j...
These are the 4.8 changes
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j...
In 4.8, the fully qualified class name (FQCN) is no longer used. Instead it uses the provider id and the SPI name. I can no longer use the same PROVIDER_ID as the native providers to 'override' them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3, because our provider was loaded, we were able to inject into code that normally isn't overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior, and even for the UpdatePassword required action itself, rather than making a brand new required action that is "second rate" because it isn't native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.
J
Jerry Saravia
Software Engineer
KEYCLOAK-3205
by Andrew Martel
Hello,
My company is waiting on the functionality to have encrypted client secrets: https://github.com/keycloak/keycloak-community/blob/master/design/secure-....
Would someone be able to provide me with a timeline on when this will be released?
Thanks,
Andrew Martel
Public and Bearer-only role propagation
by Stelios Kyprou
Hello guys,
I am trying to work with the following setup, with the goal of eventually
propagating Keycloak roles from the public client (front-end) to Spring
Security Roles of a bearer-only client (back-end):
Client Name        Client Type   Client Role   Full Scope Allowed
portals-frontend   public        TEST_ROLE     FALSE
portals-backend    bearer-only
VERSIONS:
*Spring Boot:*
org.keycloak:keycloak-spring-boot-2-starter:4.0.0.Final
org.springframework.boot:spring-boot-starter-security:2.1.4.RELEASE
*Angular:*
angular: 7
"keycloak-angular": "6.1.0"
*Keycloak Server:*
4.0.0.Final
My Angular app is using the *portals-frontend* client
My Spring-Boot-2 app is using the *portals-backend* client
When running this setup, the back-end verifies the token, but it does not
map the *portals-frontend* client roles into the spring security
*principal.details.roles*. The only ways I managed to do this are these two:
1. Set *Full Scope allowed* to *true*. (I don't like this since we can't
restrict the roles in each client token.)
2. Use the same KC client in the back-end as the one used in the
front-end app. (This means that new front-end apps that will need different
rights, and therefore a new client, will not be able to use the same back-end
service.)
*QUESTION:*
Is there a 3rd way, where I keep my configuration as is, and manage to map
KC Roles into spring security's *principal.details.roles *list in the
back-end and include the front-end client roles?
Thanks in advance!
P.S:
*Additional context:*
The Spring-Boot-2 configuration is:
keycloak:
  realm: internal-portals
  bearer-only: true
  auth-server-url: <VALID URL>
  ssl-required: external
  resource: portals-backend
  confidential-port: 0
  principal-attribute: preferred_username
  use-resource-role-mappings: true
With the following security config:
@KeycloakConfiguration
class SecurityConfig(private val securityProperties: SecurityProperties) :
    KeycloakWebSecurityConfigurerAdapter() {

    @Bean
    fun keycloakConfigResolver(): KeycloakConfigResolver {
        return KeycloakSpringBootConfigResolver()
    }

    @Autowired
    @Throws(Exception::class)
    fun configureGlobal(auth: AuthenticationManagerBuilder) {
        val keycloakAuthenticationProvider = keycloakAuthenticationProvider()
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper())
        auth.authenticationProvider(keycloakAuthenticationProvider)
    }

    @Bean
    override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy {
        return NullAuthenticatedSessionStrategy()
    }
    ...
}
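Where the roles live inside the token, shown as an added example that is not from the post and not the Keycloak Spring adapter's code. A Keycloak access token carries realm roles under realm_access.roles and client roles under resource_access.<client-id>.roles; with use-resource-role-mappings: true and resource: portals-backend the back-end adapter reads resource_access["portals-backend"].roles, and a token issued to portals-frontend with Full Scope Allowed off only contains a portals-backend entry if portals-backend's client roles are in portals-frontend's scope (the client's Scope tab). The two payloads below are constructed to show both cases; the issuer URL and username are assumed values, and the alg=none token builder exists only so the decoding path has input (a real adapter verifies the RS256 signature against the realm key before reading any claim).

```python
import base64
import json

# Constructed payload of a token issued to portals-frontend when Full Scope
# Allowed is off: the only client roles present are portals-frontend's own.
FRONTEND_TOKEN_PAYLOAD = {
    "iss": "https://auth.example.com/auth/realms/internal-portals",  # assumed
    "azp": "portals-frontend",
    "preferred_username": "alice",  # assumed
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "portals-frontend": {"roles": ["TEST_ROLE"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}

# Same user, same client, but portals-backend's client roles are in scope for
# portals-frontend, so they appear under their own client key.
SCOPED_TOKEN_PAYLOAD = json.loads(json.dumps(FRONTEND_TOKEN_PAYLOAD))
SCOPED_TOKEN_PAYLOAD["resource_access"]["portals-backend"] = {"roles": ["TEST_ROLE"]}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload):
    """alg=none token for this offline demo only; never accept such a token in practice."""
    header = {"alg": "none", "typ": "JWT"}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, payload))
    return ".".join(b64url_encode(p) for p in parts) + "."


def payload_of(jwt):
    """Decode the claims segment; does NOT verify the signature (demo only)."""
    _header, claims, _signature = jwt.split(".")
    return json.loads(b64url_decode(claims))


def roles_for(payload, resource, use_resource_role_mappings):
    """Role selection as the adapter option documents it:
    True  -> resource_access[<resource>].roles   (client roles of this resource)
    False -> realm_access.roles                  (realm roles)
    """
    if use_resource_role_mappings:
        return list(payload.get("resource_access", {}).get(resource, {}).get("roles", []))
    return list(payload.get("realm_access", {}).get("roles", []))


def spring_authorities(roles, prefix="ROLE_"):
    """SimpleAuthorityMapper with its default prefix: TEST_ROLE -> ROLE_TEST_ROLE."""
    return [prefix + r for r in roles]


if __name__ == "__main__":
    token = make_unsigned_jwt(FRONTEND_TOKEN_PAYLOAD)
    claims = payload_of(token)
    # The back-end (resource=portals-backend, use-resource-role-mappings=true) sees nothing:
    print(spring_authorities(roles_for(claims, "portals-backend", True)))
    # Reusing the front-end client in the back-end (the post's option 2) sees TEST_ROLE:
    print(spring_authorities(roles_for(claims, "portals-frontend", True)))
    # A token whose scope includes portals-backend roles also sees TEST_ROLE:
    print(spring_authorities(roles_for(SCOPED_TOKEN_PAYLOAD, "portals-backend", True)))
```

Decoding a real token from the Angular app with payload_of() and looking at its resource_access keys tells you immediately which of the two shapes above the back-end is receiving.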
keycloak 2.5.5-final with bc-fips-1.0.1.jar
by Srinivas Nangunoori
Hi Experts,
We want to integrate bc-fips into our application. We have changed our standalone.xml (WildFly) to use a BCFKS keystore and changed java.security to use
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
and
keystore.type=bcfks
Copied bc-fips-1.0.1.jar to
jre/lib/ext
/modules/system/layers/base/org/bouncycastle/fips
But when I start my application, I see the following error:
Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
    at org.keycloak.common.util.PemUtils.<clinit>(PemUtils.java:41)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:63)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:137)
    at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:135)
    at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:252)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:152)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
Not sure what I am missing. Could anyone help me here?
-Srini
Serving SPA + API with keycloak-gatekeeper
by Rafael Almeida
Hello,
I think I must be missing something. I have a SPA and a backend. Currently,
for simplicity, they are being served together from the same hostname (and
server). I was able to configure keycloak-gatekeeper in front of it and
everything seemed to work well at first. The / (root), which serves my SPA,
redirects the user and, after they login, all endpoints become available.
However, if the user logs out and still has the SPA loaded, the JavaScript
will attempt to make requests to the API, but it will be unauthorized at
this time. The API, however, instead of giving out a helpful 401, will
respond with a 307. Understandable.
I looked into gatekeeper's docs and there is a no-redirects option.
However, it's a global one rather than per endpoint. That means that the
only option to get the behaviour I want is to have two gatekeepers, one for
the API and the other for the SPA, both sharing the same encryption key (so
that they use the same session). They also need to be behind the same load
balancer so they share hostnames. I think that'd work but it seems rather
cumbersome. What am I missing? Am I doing things in a very unusual way? How
else could I set this up?
Thanks,
Rafael