July 2019 - keycloak-user - Jboss List Archives

by Felipe Roca

Hi, I am trying to set up the example in Server development - 8.3 Authenticator SPI Walk Through, the implementation of an authenticator that requires that a user enter in the answer to a secret question. The documentation assures this code is available in examples/providers/authenticator but it is not in the github repository and I can't find the keycloak-demo-6.0.0.[zip|tar.gz], where I assume this code may be. Could anyone point me to the url to download this version of distribution files? Thank you very much for your time and efforts, Best regards, -- Felipe Roca Blaya Software Engineer - HOP Ubiquitous S.L. www.hopu.eu <http://www.hopu.eu> C/Luis Buñuel 6 30562, Ceutí, Murcia. Spain - logo_hop <http://www.hopu.eu/> - face <https://www.facebook.com/hopubiquitous/> Twitter <https://twitter.com/HOPUbiquitous> google <https://plus.google.com/+HOPUbiquitousCeut%C3%AD?hl=es> vimeo <https://vimeo.com/hopu> linkedin <https://www.linkedin.com/company-beta/3810080/>

5 years, 5 months

3
3
0 / 0

Wrong redirect url from KK

by David Karlsen

I do IDP logon with request to redirect to https://myhost.mydomain/somecontext/#/login but the redirect received is: https://myhost.mydomain/somecontext/?code=somecode&state=somestate#/login notice how the fragment comes at the end, and the parameters in-between. Is this a known issue? I would guess it is quite common for angular-apps to want to be redirected back into a well known route. -- -- David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen

5 years, 5 months

1
1
0 / 0

Is communication between keycloak instances and the distributed infinispan caches secure ?

by Hossein Doutaghy

Hi, Does it use TLS to encrypt data sync between Keycloak instances when the Infinispan caches are synced? Does those caches contain sensitive data? There does not seem to be much documentation that indicates the communication between keycloak and the distributed infinispan caches is secure. Moe Doutaghy

5 years, 5 months

1
0
0 / 0

Setup of role model with two layers in keycloak

by Sven Voigt

Hello there! I'm part of a frontend project and I need some help to bring our authorization model into keycloak. We're building on node.js and the whole project uses stateless micro services - both in our frontend middleware and for the whole backend services we use. The frontend uses the standard JS adapter for session and token management. So far we have identified four roles: travel agent, back office, configurator and data security officer. That's easy so far. My problem is how to model the next authorization layer we need. For example: For the travel agents we want to be able to grant per person whether he can see specific customer data or is able to cancel orders. There are about 6-8 options for the travel agents. Thus, for the back office there shall be options for stock operations or different views on orders and so on. Like the backend we don't persist any data! That's why I have store all the things in keycloak and find a way to easily bring these information back to our middleware. Here's what I tried / thought of so far: * Use groups for the first layer and roles for the second one. --> doesn't work because the groups don't get exposed in the token. * Use realm roles for the upper and attributes for the lower hierarchy. --> attributes are not included in the access token. * Use realm roles for the upper and client roles on the lower hierarchy. --> works, but we have to make sure that roles on the second layer are definitely associated with only one role on the first layer. I don't know how yet. * Use roles for the first layer and resources on the second one. --> That seems to get very close to what we need. But at the moment I can't figure out the correct approach with all these policies and permissions... Thanks for any help and please let me know, if I shall provide some further information. Sven

5 years, 5 months

1
0
0 / 0

Alternative first broker login for linking only

by Rob Resendez

We have a use case that is sort of a hybrid of the typical IDP login (First Broker Login) and "linking only" via the UMA app. That is to say, we'd like the login form to enumerate IDP buttons, but instead of falling into "Create User If Unique" execution, we would need to fall into some flow similar to the "Handle Existing Account" merge/link process. Can anyone advise whether there are existing executions I can compose or ought to consult in some way? Thanks in advance Rob Resendez [cid:CPSINew_8e504092-fab6-4ce3-ab1f-37d711ec8192.PNG]<https://www.cpsi.com/> Electronic Mail Confidentiality Notice: This electronic mail message and all attachments may contain confidential information belonging to the sender or the intended recipient. This information is intended ONLY for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution (electronic or otherwise), forwarding or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please immediately notify the sender by telephone, facsimile, or email to arrange for the return of the electronic mail, attachments, or documents.

5 years, 5 months

1
0
0 / 0

Is it possible to invalidate token in Spring Security Adapter

by Ondrej Scerba

Hi, Is it possible to invalidate token in "offline validator" in Spring Security Adapater? Thanks, Ondrej

5 years, 5 months

2
3
0 / 0

obtaining RTP by resource name

by Stefanidis, Kyriakos

Hello all, ...more specifically people that use keycloak authorization services. While dealing with RTPs (without permission tickets) for both user and centrally managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why) The story: When a resource is owned by the resource provider (a client), you can get a RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter. Ex. "res1" is owned by "client.id" and given "update" scope permission to user "usr" via policy/permission combo $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res1.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res1.name#scope" //correct RTP with "update" for "res1" When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name] does not exist." Ex. "res2" is owned by "usr" and has an "update" scope $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res2.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res2.name#scope" //"Resource with id [res2.name] does not exist." The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should. Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property Is this supposed to happen? If yes, why? If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource? The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). Not being able to get RTP based on resource name for user owned resources, forces us to use a generic RTP for all resources every time which could become a burden if a user can access a very large number of resources. Best regards, Kyriakos Stefanidis

5 years, 5 months

2
4
0 / 0

Reset credentials link without tab_id parameter

by Craig Setera

We have a need to jump into the reset credentials flow from outside the Keycloak login page. When initiating from the login page, the URL looks like the following: https://keycloak-host/auth/realms/fm/login-actions/reset-credentials?clie... <http://keycloak:8080/auth/realms/fm/login-actions/reset-credentials?clien...> However, when initiating the forgotten password flow, we don't have access to the tab_id, so we have been using: https://keycloak-host/auth/realms/fm/login-actions/reset-credentials?clie... <http://keycloak:8080/auth/realms/fm/login-actions/reset-credentials?clien...> While this works to change the password, it ends up resulting with the account management user interface at the end, and saving from there causes an internal server error. The user-facing results are definitely not ideal. Is there any way to make this work properly if not launching from the login page? I don't see anything in the Javascript adapter documentation relative to reset credentials flow, so I don't know if there is any way to form that URL? Any help appreciated. Craig ================================= *Craig Setera* *Chief Technology Officer*

5 years, 5 months

1
0
0 / 0

[keycloak-users] [jackson-databind] is default typing enabled in keycloak

by Shiva Prasad Thagadur Prakash

Hi guys, I was looking into CVE-2019-12814 and CVE-2019-12086. These are related to default typing in jackson-databind. *Is default typing enabled in keylock?* When I searched in code base I didn't see it enabled but I wanted to be sure and hence mailed you guys! Thanks, Shiva

5 years, 5 months

1
0
0 / 0

Getting this exception Caused by: javax.persistence.EntityExistsException: A different object with the same identifier value was already associated with the session : [org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity#org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity$Key@e3a03493]

by Aditya mamidala

We are trying to authenticate an existing user via Keycloak so implemented a custom SPI and added the custom SPI as User Federation "Getting a different object with the same identifier value was already associated with the session exception" when trying to add a user with role from a custom SPI to Keycloak database Please find the exception message *Caused by: javax.persistence.EntityExistsException: A different object with the same identifier value was already associated with the session : [org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity#org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity$Key@e3a03493]* We are trying to use Keycloak *6.0.1* for authentication and using the custom provider to authenticate the users the user details are are in custom provider using Storage provider SPI @Override public UserModel getUserByUsername(String username, RealmModel realm) { UserModel userModel = new UserAdapter(session, realm, model, repository.findUserByUsernameOrEmail(username)); RoleModel roleModel = realm.getRole("user"); * // Adding the 'user' RoleModel to the UserModel object* userModel.grantRole(roleModel); return userModel; } The exception is happening when adding the "user" role and the realm this user is trying to add has role 'user' when i don't add the user role web application is redirected to keycloak web page for adding the user .... Realm containing the user role also there are no existing users fin the realm [image: Screen Shot 2019-07-01 at 4.46.39 PM.png] Newbie to Keycloak. Appreciate the community guidance in resolving the issue please. Thanks, Aditya

5 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user July 2019