Keycloak Registration Flow: do not expose "Email already exists."
by Borislav Sirakov
Hi,
My purpose is to entirely remove the "Email already exists." validation
from the registration flow. That way I want to prevent exposing any
information (to other users) about who is registered and who is not.
So, when the user tries to register with an existing email I want to
redirect him to the email validation template immediately; that way I
want to make him think that he is registered. Meanwhile Keycloak must
not create a new user or update the user profile at all; it has to skip
these steps.
I have tried the FormActionFactory and FormAction interfaces, but just
changing the validate and success methods doesn't seem enough. Any
suggestions on how to override the last step, which actually stores the user
and sends a verification email, and instead just redirect the user to the
verify email page? Is it possible?
Other suggestions or solutions for achieving the described effect (or another
way to prevent exposing that info) are welcome. Thank you!
Regards,
Borislav
5 years, 5 months
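The registration behaviour Borislav is after is the standard anti-enumeration pattern: the response to the browser is identical whether or not the address is already registered, the existing account is never created anew or modified, and the only party that learns anything is the owner of the mailbox. The following is an added, framework-neutral Python illustration of that pattern (it is not Keycloak's FormAction API and not code from the thread); the Registrar, User and Mail classes and the in-memory store and outbox are constructed stand-ins for a real user store and mailer. In Keycloak this logic would sit in the custom FormAction the poster describes, in place of the user-creation step.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:                      # constructed stand-in for a stored account
    email: str
    password_hash: bytes
    salt: bytes
    verified: bool = False
    verify_token: Optional[str] = None


@dataclass
class Mail:                      # constructed stand-in for an outgoing e-mail
    to: str
    kind: str                    # "verify" or "already_registered"
    token: Optional[str] = None


@dataclass
class RegistrationResult:
    # The only thing the browser ever sees; it is identical on every path.
    next_page: str = "verify-email"
    message: str = "Check your inbox for a verification email."


class Registrar:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.outbox: List[Mail] = []

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email: str, password: str) -> RegistrationResult:
        key = email.strip().lower()
        # Hash on every path, so response time does not reveal which branch ran.
        salt = os.urandom(16)
        digest = self.hash_password(password, salt)
        existing = self.users.get(key)
        if existing is None:
            token = secrets.token_urlsafe(32)
            self.users[key] = User(key, digest, salt, verify_token=token)
            self.outbox.append(Mail(key, "verify", token))
        elif not existing.verified:
            # Unverified account: re-send its own token; stored credentials are untouched.
            self.outbox.append(Mail(key, "verify", existing.verify_token))
        else:
            # Verified account: nothing is created or updated. The mailbox owner is told
            # that someone tried to register; the requester gets the same page as a new user.
            self.outbox.append(Mail(key, "already_registered"))
        return RegistrationResult()


if __name__ == "__main__":
    r = Registrar()
    print(r.register("alice@example.com", "first-try"))
    print(r.register("alice@example.com", "second-try"))   # same result object
    for m in r.outbox:
        print(m)
```

The second call returns exactly the same RegistrationResult as the first and leaves the stored hash unchanged, which is the property the poster wants: an attacker probing the registration form sees one page for every address.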
Support for MongoDB
by Federico Punzo
Hi,
I'm evaluating using MongoDB as the persistence database for a big Keycloak deployment.
However, it appears that currently MongoDB is not supported.
Would you please confirm?
Thanks!
Federico Punzo | Tech Director - BigData Studio
5 years, 5 months
On the gateway, the Keycloak adapter (KeycloakWebSecurityConfigurerAdapter) skips the token after the user logs off
by Al
On the gateway, the Keycloak adapter (KeycloakWebSecurityConfigurerAdapter) skips the token after the user logs off:
1. The user entered the application. The session is active. Remember the token (Authorization: bearer).
2. The user exits the application (keycloak.logout()). There is no session in Keycloak.
3. Make a request to auth/realms/realm/account with the saved token. No access. Good.
4. Make a request to the resource through the gateway (KeycloakWebSecurityConfigurerAdapter) with the saved token: there is access. Bug!?
Shouldn't KeycloakWebSecurityConfigurerAdapter check this by default?
How do I make the gateway not pass the token after keycloak.logout()?
5 years, 5 months
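What Al observes is the normal behaviour of a bearer token that is validated statelessly: the gateway checks signature and expiry, and nothing in that check can see that the Keycloak session behind the token has been logged out. The account endpoint in step 3 refuses because it consults the session on the server. The added example below (mine, not the adapter's code) reproduces both outcomes with a toy identity provider: verify_offline is the stateless check, IdentityProvider.introspect stands in for the server-side session check, and gateway_allows shows the difference. The HS256 key, session ids and clock values are constructed; a real realm signs with RS256 and the gateway would verify against the realm public key.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional, Set

# Constructed demo key; a real Keycloak realm signs tokens with RS256.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_offline(token: str, now: int) -> Optional[dict]:
    """Signature and expiry only: what a stateless adapter checks. Logout is invisible here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:            # bad base64 or bad JSON
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class IdentityProvider:
    """Stand-in for the Keycloak server: tracks live SSO sessions and answers introspection."""

    def __init__(self) -> None:
        self.active_sessions: Set[str] = set()

    def login(self, sub: str, session_id: str, now: int, ttl: int = 300) -> str:
        self.active_sessions.add(session_id)
        # Keycloak tokens carry the SSO session id in the session_state claim.
        return issue_token({"sub": sub, "session_state": session_id, "exp": now + ttl})

    def logout(self, session_id: str) -> None:
        self.active_sessions.discard(session_id)

    def introspect(self, token: str, now: int) -> dict:
        claims = verify_offline(token, now)
        if claims is None or claims.get("session_state") not in self.active_sessions:
            return {"active": False}
        return {"active": True, **claims}


def gateway_allows(token: str, now: int,
                   introspect: Optional[Callable[[str, int], dict]] = None) -> bool:
    """Stateless check, optionally followed by an online session check."""
    if verify_offline(token, now) is None:
        return False
    if introspect is None:
        return True               # stateless: accepted until exp, even after logout
    return bool(introspect(token, now).get("active", False))


if __name__ == "__main__":
    idp = IdentityProvider()
    tok = idp.login("alice", "sess-1", now=1000)
    idp.logout("sess-1")
    print("stateless gateway after logout:", gateway_allows(tok, 1002))
    print("gateway with introspection:   ", gateway_allows(tok, 1002, idp.introspect))
```

The practical mitigations follow from the model: keep the access-token lifetime short so a logged-out token dies quickly, and where a stale token must be rejected immediately, have the gateway consult the server (token introspection) rather than trusting the signature alone.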
Fwd: Keycloak 4.4.0 - WFLYSRV0056: Server boot has failed in an unrecoverable manner
by Gerard Habchi
Hey All,
I'm running into a strange issue trying to run Keycloak version 4.4.0 in
Docker.
Please see the errors below.
I'm not really sure why this is occurring ¯\_(ツ)_/¯
2019-07-24 05:59:44,892 DEBUG [org.jboss.as.config] (MSC service thread 1-1) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/opt/jboss/keycloak/standalone/log/server.log -Dlogging.configuration=file:/opt/jboss/keycloak/standalone/configuration/logging.properties
2019-07-24 05:59:45,105 INFO [org.jboss.vfs] (MSC service thread 1-3) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
2019-07-24 05:59:46,976 INFO [org.jboss.as.controller] (Controller Boot Thread) OPVDX002: Failed to pretty print validation error: null
2019-07-24 05:59:46,978 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
    at org.jboss.as.server.ServerService.boot(ServerService.java:377)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.jboss.as.clustering.infinispan
    at org.jboss.as.controller.parsing.DeferredExtensionContext.load(DeferredExtensionContext.java:100)
    at org.jboss.as.server.parsing.StandaloneXml_5.readServerElement(StandaloneXml_5.java:203)
    at org.jboss.as.server.parsing.StandaloneXml_5.readElement(StandaloneXml_5.java:124)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:111)
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:52)
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:76)
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:126)
    ... 3 more
Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.jboss.as.controller.parsing.DeferredExtensionContext.load(DeferredExtensionContext.java:92)
    ... 10 more
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
    at org.jboss.as.controller.parsing.DeferredExtensionContext.loadModule(DeferredExtensionContext.java:129)
    at org.jboss.as.controller.parsing.DeferredExtensionContext.access$000(DeferredExtensionContext.java:44)
    at org.jboss.as.controller.parsing.DeferredExtensionContext$1.call(DeferredExtensionContext.java:74)
    at org.jboss.as.controller.parsing.DeferredExtensionContext$1.call(DeferredExtensionContext.java:71)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1349)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: org.jboss.modules.ModuleLoadException: Error loading module from /opt/jboss/keycloak/modules/system/layers/base/org/jgroups/main/module.xml
    at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:314)
    at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:270)
    at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:231)
    at org.jboss.modules.LocalModuleFinder.parseModuleXmlFile(LocalModuleFinder.java:250)
    at org.jboss.modules.LocalModuleFinder.lambda$findModule$1(LocalModuleFinder.java:195)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.modules.LocalModuleFinder.findModule(LocalModuleFinder.java:195)
    at org.jboss.modules.ModuleLoader.findModule0(ModuleLoader.java:693)
    at org.jboss.modules.ModuleLoader.findModule(ModuleLoader.java:686)
    at org.jboss.modules.ModuleLoader.loadModuleLocal(ModuleLoader.java:496)
    at org.jboss.modules.DelegatingModuleLoader.preloadModule(DelegatingModuleLoader.java:57)
    at org.jboss.modules.Module.addPaths(Module.java:1252)
    at org.jboss.modules.Module.link(Module.java:1622)
    at org.jboss.modules.Module.relinkIfNecessary(Module.java:1650)
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:296)
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:280)
    at org.jboss.as.controller.parsing.DeferredExtensionContext.loadModule(DeferredExtensionContext.java:111)
    ... 10 more
Caused by: org.jboss.modules.xml.XmlPullParserException: Failed to add resource root 'jgroups-3.6.13.Final.jar' at path 'jgroups-3.6.13.Final.jar' (position: END_TAG seen ...esources>\n <resource-root path="jgroups-3.6.13.Final.jar"/>... @32:57) caused by: java.io.FileNotFoundException: /opt/jboss/keycloak/modules/system/layers/base/org/jgroups/main/jgroups-3.6.13.Final.jar (No such file or directory)
    at org.jboss.modules.xml.ModuleXmlParser.parseResourceRoot(ModuleXmlParser.java:1091)
    at org.jboss.modules.xml.ModuleXmlParser.parseResources(ModuleXmlParser.java:906)
    at org.jboss.modules.xml.ModuleXmlParser.parseModuleContents(ModuleXmlParser.java:680)
    at org.jboss.modules.xml.ModuleXmlParser.parseDocument(ModuleXmlParser.java:441)
    at org.jboss.modules.xml.ModuleXmlParser.parseModuleXml(ModuleXmlParser.java:312)
    ... 26 more
Caused by: java.io.FileNotFoundException: /opt/jboss/keycloak/modules/system/layers/base/org/jgroups/main/jgroups-3.6.13.Final.jar (No such file or directory)
    at java.util.zip.ZipFile.open(Native Method)
    at java.util.zip.ZipFile.<init>(ZipFile.java:225)
    at java.util.zip.ZipFile.<init>(ZipFile.java:155)
    at java.util.jar.JarFile.<init>(JarFile.java:166)
    at java.util.jar.JarFile.<init>(JarFile.java:145)
    at org.jboss.modules.xml.JDKSpecific.getJarFile(JDKSpecific.java:33)
    at org.jboss.modules.xml.ModuleXmlParser$DefaultResourceRootFactory.createResourceLoader(ModuleXmlParser.java:1591)
    at org.jboss.modules.LocalModuleFinder.lambda$new$0(LocalModuleFinder.java:103)
    at org.jboss.modules.xml.ModuleXmlParser.parseResourceRoot(ModuleXmlParser.java:1089)
    ... 30 more
2019-07-24 05:59:46,982 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
2019-07-24 05:59:47,028 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 4.4.0.Final (WildFly Core 5.0.0.Final) stopped in 15ms
Gerard Habchi
*DevOps Engineer*
5 years, 5 months
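The innermost cause in Gerard's trace is a module descriptor whose declared jar is not on disk: modules/system/layers/base/org/jgroups/main/module.xml names jgroups-3.6.13.Final.jar and the file is missing, which is usually the sign of a damaged image layer or a volume mounted over part of the modules tree. The added script below (mine, not part of the thread or of Keycloak) walks a JBoss modules tree and lists every module.xml whose resource-root entries point at files that do not exist, so the check can run before the container is started. The demo() function builds a constructed tree with one healthy module and one reproducing the jgroups case; the module names and jar names in it are made up apart from the jgroups jar taken from the log.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List


def missing_resource_roots(module_xml: str) -> List[str]:
    """Return the resource-root paths declared in module_xml that do not exist on disk."""
    base = os.path.dirname(os.path.abspath(module_xml))
    missing = []
    for element in ET.parse(module_xml).iter():
        # module.xml is namespaced (urn:jboss:module:1.x), so compare the local name only.
        if isinstance(element.tag, str) and element.tag.rsplit("}", 1)[-1] == "resource-root":
            path = element.get("path")
            if path and not os.path.exists(os.path.join(base, path)):
                missing.append(path)
    return missing


def scan_modules(modules_root: str) -> Dict[str, List[str]]:
    """Walk a modules tree and report every module.xml with absent resource roots."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(modules_root):
        if "module.xml" not in files:
            continue
        path = os.path.join(dirpath, "module.xml")
        try:
            missing = missing_resource_roots(path)
        except ET.ParseError as exc:
            missing = [f"<unparseable module.xml: {exc}>"]
        if missing:
            report[os.path.relpath(path, modules_root)] = missing
    return report


MODULE_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.3" name="{name}">
    <resources>
        <resource-root path="{jar}"/>
    </resources>
</module>
"""


def demo() -> Dict[str, List[str]]:
    """Constructed modules tree: one healthy module, one whose jar is absent (as in the log)."""
    root = tempfile.mkdtemp(prefix="modules-demo-")
    ok = os.path.join(root, "system", "layers", "base", "org", "example", "ok", "main")
    broken = os.path.join(root, "system", "layers", "base", "org", "jgroups", "main")
    for d in (ok, broken):
        os.makedirs(d)
    with open(os.path.join(ok, "module.xml"), "w") as fh:
        fh.write(MODULE_XML_TEMPLATE.format(name="org.example.ok", jar="ok-1.0.jar"))
    open(os.path.join(ok, "ok-1.0.jar"), "wb").close()          # jar present
    with open(os.path.join(broken, "module.xml"), "w") as fh:
        fh.write(MODULE_XML_TEMPLATE.format(name="org.jgroups", jar="jgroups-3.6.13.Final.jar"))
    # The jgroups jar is deliberately not written, mirroring the FileNotFoundException.
    return scan_modules(root)


if __name__ == "__main__":
    # Usage: python check_modules.py /opt/jboss/keycloak/modules   (no argument runs the demo)
    result = scan_modules(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for module, jars in sorted(result.items()):
        print(f"{module}: missing {', '.join(jars)}")
    sys.exit(1 if result else 0)
```

Run against the real image (docker run --rm --entrypoint python3 ... with the modules directory as the argument, or after copying the tree out with docker cp) the script exits non-zero and names the broken module, which is the same information the 130-line trace took a while to reveal.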
CORS Headers not present on OPTIONS request
by David Leonard
Hello everyone,
We're running a Keycloak 6.0.1 cluster in Kubernetes, and we're
running into issues with CORS requests made by Kibana as part of
refreshing the access token. Here is the situation:
1. The user logs into the SP and is able to authenticate successfully.
2. The user's token expires in the background.
3. The SP notices the expired token and attempts to refresh it, starting
by issuing an auth request to Keycloak. It issues an 'OPTIONS'
request to determine what it can perform, and this request is missing
headers. Here is the full sample output from curl:
[jboss@keycloak-dev-0 ~]$ curl '
http://127.0.0.1:8080/auth/realms/globalauth/protocol/openid-connect/auth...'
-X OPTIONS -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0' -H 'Accept: */*' -H 'Accept-Language: en-
US,en;q=0.5' --compressed -H 'Access-Control-Request-Method: GET' -H
'Access-Control-Request-Headers: content-type,kbn-version' -H 'Referer:
https://kibana.[[SPURL]]/app/kibana' -H 'Origin: https://[[SPURL]]' -H
'Connection: keep-alive' -H 'Host: [[IDPURL]]' -v
* About to connect() to 127.0.0.1 port 8080 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> OPTIONS /auth/realms/globalauth/protocol/openid-
connect/auth?client_id=fps-
demo&response_type=code&redirect_uri=https%3A%2F%2F[[SPURL]]%2Fauth%2Fo
penid%2Flogin&state=hP95iVphOxSnWk0tkjE2rg&scope=openid%20profile%20ema
il%20address%20phone HTTP/1.1
> Accept-Encoding: deflate, gzip
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: content-type,kbn-version
> Referer: https://[[SPURL]]/app/kibana
> Origin: https://[[SPURL]]
> Connection: keep-alive
> Host: [[IDPURL]]
>
< HTTP/1.1 204 No Content
< Date: Tue, 23 Jul 2019 20:38:39 GMT
<
* Connection #0 to host 127.0.0.1 left intact
[jboss@keycloak-dev-0 ~]$
Here is the configuration of the client, the "Web Origins" item has
been set to the specific origin, +, and *. The result is the same
across all.
{
  "clientId": "fps-demo",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://kibana.[[SPURL]]"
  ],
  "webOrigins": [
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.multivalued.roles": "false",
    "saml.force.post.binding": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "client roles",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usermodel-client-role-mapper",
      "consentRequired": false,
      "config": {
        "multivalued": "true",
        "userinfo.token.claim": "false",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "roles",
        "jsonType.label": "String",
        "usermodel.clientRoleMapping.clientId": "fps-demo"
      }
    },
    {
      "name": "allowed web origins",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-allowed-origins-mapper",
      "consentRequired": false,
      "config": {}
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "role_list",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
Help is appreciated. We've tried multiple different combinations of
configs with no success.
Thanks! David
5 years, 5 months
Questions about scope-permissions and resource types
by Álvaro Gómez
Hi,
We are using UMA and scope-permissions to manage fine-grained access to resources. We've noticed that we can specify a set of involved resources when defining scope-permissions (the UI only supports specifying a single resource, but the API allows defining a set of resources).
Referencing the involved resources in a scope-permission using a fixed list could be problematic if the size of that list is big enough. We think it would be useful to group all the resources using a resource-type and specify that resource-type in the scope-permission, as one can do in a resource-permission. Is there any reason why this is not supported in a scope-permission?
Having a resource type reference available in scope-permissions would be useful in solving the following scenario:
* Given a large number of bank accounts, each one represented by a resource (associated with some scopes like read, update or delete) in the Resource Server and owned by a specific user.
* Users can manage their own accounts following the UMA rules (sharing specific scopes of their accounts with other users).
* Some user with an Administrator role should be able to read ALL accounts without having them shared with him and without needing to update any permission when a new bank account is created.
We would like to "group" all accounts using a resource-type and define a single permission "can-read-bank-account" which grants access to the scope read of all bank accounts to the owner (via JS policy) and to any administrator user (using a role policy). If we protect the following endpoint:
GET /accounts/3273af-544b3940-211da3
using the resource "bank-account-3273af-544b3940-211da3" and the scope "read", both the resource owner and the Administrator user must be granted when evaluating the permission "can-read-bank-account".
5 years, 5 months
Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/services/validation/Validation
by Bo.Y@dell.com
Hi Experts,
I followed https://www.keycloak.org/docs/latest/server_development/index.html#packag... step by step to customize the validation in Keycloak. After I drop my jar into standalone/deployment, it creates a deployed file and the log shows the jar is deployed. I can find my execution in the Keycloak admin console, as shown in the screenshot below. But when it comes to the register page, after I click the register button with my filled-in content I get an exception in the Keycloak log file. I also checked `standalone.xml` and `jboss-deployment-structure.xml`, which seem fine too, meaning it includes "keycloak-services-4.7.0.Final.jar". I don't find any useful information in searches. So could anyone help to have a look, please?
Keycloak version:
compile group: 'org.keycloak', name: 'keycloak-core', version: '4.7.0.Final'
compile group: 'org.keycloak', name: 'keycloak-server-spi', version: '4.7.0.Final'
compile group: 'org.keycloak', name: 'keycloak-server-spi-private', version: '4.7.0.Final'
compile group: 'org.keycloak', name: 'keycloak-services', version: '4.7.0.Final'
[Screen Shot]
[Exception]
09:04:01,128 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-35) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/services/validation/Validation
at com.xxxxxx.registerformcustom.validate(registerformcustom.java:51)
at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:214)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:627)
at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:681)
at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:661)
at sun.reflect.GeneratedMethodAccessor1030.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Delegati
5 years, 5 months
Forbidden 403
by Nicola Messina
Hi,
I'm trying to recreate the photoz-uma-example, so on Keycloak I created two clients, resources and assigned permissions, created a JAX-RS server and created an HTML5 & plain JavaScript client (not AngularJS, I don't know Angular). If I use the policy based on user role, everything goes well: I can create resources, view resources and view shared resources, but when I use the "Owner only policy" in JavaScript, I always get the 403 Forbidden.
What am I doing wrong?
I think I'm wrong in the client, but I don't understand what I have to send to the Keycloak server.
I'm doing this; should it be enough?
authorizationRequest.ticket = ticket;
// send the authorization request, if successful retry the request
identity.authorization.authorize(authorizationRequest).then(function (rpt)
I probably have some stupid things wrong.
Thanks in advance.
5 years, 5 months
Define custom roles for different companies
by jim lim
Hi,
I'm currently evaluating whether or not Keycloak's authorization service is
a good option for us. My question is regarding RBAC. I want to allow users
to be able to define custom roles. There are two models - companies and
users. Each company has their own set of users. Is there a way to separate
the roles by company? I want to display a list of roles defined by a
company so that when an admin needs to assign a role to a user, they won't
be assigning roles defined by another company. For example, if role1 were
defined by company1 and role2 were defined by company2, I can only assign
role1 to users from company1 and role2 to users from company2.
5 years, 5 months
Trust between two standalone Keycloak Instances
by Aditya Bhole
Hello,
I'm new to Keycloak and building a prototype SSO framework for my company. The use case is that my company has 3 clients: A, B and C. Each client is going to have its own Keycloak instance: KA, KB and KC. What I want is that when I log in through client A, I should be logged into clients B and C as well, and the same goes for all the clients. So for this to happen, is there a way of establishing trust between these three Keycloak instances KA, KB and KC?
I've successfully established SSO by using KA as a broker and KB as an IdP. But this is only a master/slave kind of architecture. When I log in to A, I'm automatically logged into B. But if I log into B, I won't be automatically logged into A. Is it possible for KA to be a broker for KB and KB to be a broker for KA at the same time?
TL;DR :
Is there a way where Keycloak only acts as a broker and trust is established between multiple such Keycloak instances?
I hope my question makes sense. Please point me in the right direction if I’m looking at this in the wrong way.
Thanks,
Aditya
5 years, 5 months