Keycloak 6.0.1 "UUID LDAP attribute" property processed correctly only with "ObjectGUID" value.
by Алина Александровна Громова
Hi,
I have User Federation to connect with our Azure AD through LDAP. When I have the default value ‘objectGUID’ for the UUID LDAP attribute property, it is processed correctly and in the LDAP_ID user attribute I can see the correct UUID format.
Though, if the user UUID is provided not in ‘objectGUID’ but in the ‘msDS-AzureADObjectId’ LDAP attribute, it doesn’t work. In this case, when I set the ‘msDS-AzureADObjectId’ value into the UUID LDAP attribute property, I get an incorrect string value in LDAP_ID.
It looks like KC can correctly process UUID only if it comes in ‘objectGUID’ attribute. In other cases, we get an incorrect result.
So, the problem is in org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675, where KC has a hardcoded action for the ‘objectGUID’ value and other fields are processed as a plain string. Also, ‘objectGUID’ always comes from LDAP as a binary field but ‘msDS-AzureADObjectId’ doesn't, and I need to create a user-attribute-ldap-mapper to mark this attribute as binary.
The way I fixed it locally:
* create a user-attribute-ldap-mapper for the ‘msDS-AzureADObjectId’ LDAP attribute and mark this attribute as binary.
* set the UUID LDAP attribute property to ‘msDS-AzureADObjectId’
* fix the condition at org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675 to
    if (this.config.isActiveDirectory() && entryUUID instanceof byte[])
Is it a bug and can we expect a fix in future versions of KC?
-------
Regards
Alina Gromova
5 years, 5 months
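An added example (not Keycloak's code and not from the post above) of the two decoding paths the post contrasts: an AD objectGUID arrives as 16 raw bytes in Microsoft's mixed-endian layout, while a string-valued attribute such as the poster's msDS-AzureADObjectId has to be parsed as text, so a helper that tells the two apart and validates the result avoids storing an unparseable LDAP_ID. The function names and the sample GUID are assumptions made for this example.

```python
import uuid

# Layout of an Active Directory objectGUID as returned over LDAP: 16 raw
# bytes in which the first three UUID fields (time_low, time_mid,
# time_hi_and_version) are little-endian and the remaining bytes are
# big-endian. Python's uuid.UUID(bytes_le=...) applies exactly that order.


def decode_object_guid(raw: bytes) -> str:
    """Turn a binary objectGUID into its canonical lower-case UUID string."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def normalize_ldap_uuid(attr_name: str, value) -> str:
    """Normalise whatever the configured 'UUID LDAP attribute' returned.

    Hypothetical helper: the poster reports that only objectGUID is decoded
    as binary, while other attributes come back as a plain string unless a
    mapper marks them binary. This accepts either shape and rejects garbage
    instead of silently storing it as LDAP_ID.
    """
    if isinstance(value, (bytes, bytearray)):
        value = bytes(value)
        if len(value) == 16:            # binary GUID, as objectGUID is delivered
            return decode_object_guid(value)
        # A string-valued attribute fetched as binary is just its text bytes
        # (a 36- or 32-character UUID string can never be 16 bytes long).
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError(f"{attr_name}: binary value is neither a GUID nor text") from exc
    try:
        return str(uuid.UUID(str(value)))   # validates and canonicalises
    except ValueError as exc:
        raise ValueError(f"{attr_name}: {value!r} is not a valid UUID string") from exc


if __name__ == "__main__":
    # Constructed sample: the same GUID in both on-the-wire shapes.
    guid_text = "12345678-9abc-def0-1234-56789abcdef0"
    guid_raw = bytes.fromhex("78563412bc9af0de123456789abcdef0")
    print("objectGUID (binary) ->", normalize_ldap_uuid("objectGUID", guid_raw))
    print("msDS-AzureADObjectId (string) ->",
          normalize_ldap_uuid("msDS-AzureADObjectId", guid_text.upper()))
    # What the poster saw: the raw GUID bytes mis-stored as text.
    print("raw bytes read as text:", repr(guid_raw.decode("latin-1")))
```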
User Redis as distributed caching store
by Yifei Sun
Hi guys, I am trying to set up Redis as a cache store for Keycloak 6.0.1. It
seems Wildfly doesn't support Redis in its Infinispan subsystem, and a
workaround might be using a custom caching store. Has anyone done that yet?
Any help/information will be greatly appreciated. Thanks!
5 years, 5 months
SQL Server integrated authorization
by Chris Smith
My keycloak instance is planned to use SQL Server for its database.
It will be running on a Windows Server in an Active Directory domain.
I'd like to not embed the user/password in the standalone.xml file.
To enable this, the driver requires a Windows DLL to perform the DB connection authentication.
So, I'm looking for the best way to accomplish this.
I'd rather not add -Djava.library.path=<path to folder> as a parameter when invoking standalone.bat
Is there a way to configure it in the module created for the JDBC driver jar?
5 years, 5 months
Keycloak bc-fips compliant
by Srinivas Nangunoori
Hi Experts,
Is keycloak bc-fips compliant? If yes, which version? Please help/guide us...
Thanks in advance.
-Srini
5 years, 5 months
How to do ?
by Christophe Lehingue
Hello,
When a user registers and declines the "terms &
conditions": I would like to delete his data (when he has clicked the
button labeled "decline").
Do you have any idea how I could do this without modifying JAVA KEYCLOAK?
I was thinking of an SQL trigger, but is there a simpler way to do that?
Regards,
Christophe
======= IN FRENCH ======
Hello,
When a user registers and declines the
"terms & conditions": I would like to delete his data (when he has
clicked the button labeled "decline").
Do you have any idea how I could do this without modifying the
JAVA KEYCLOAK sources?
I had thought of an SQL trigger, but is there a simpler way to
do that?
Best regards,
Christophe
5 years, 5 months
Question regarding Token lifecycle in Keycloak
by Prasad Kris
Greetings,
We are using Keycloak as our OIDC IdP for the internal applications and
also for our kubernetes infrastructure, this setup is working great so far.
We have the Session Idle Timeout set to 7 days currently and the Session
Max Duration is set to 14 days, and it works as expected for most of the
users, but a few users are having issues and have reported that their session
is expiring very fast. When I checked in the admin UI, I saw
multiple active sessions from those user accounts, but they had been
presented with the login screen.
I checked the logs and other configurations but couldn't notice any issues,
so I believe that this has something to do with the user end, as the settings
are working fine for the majority of the user accounts, but I would like to
know the root cause/more details first before coming to a conclusion.
I would appreciate it if someone could guide me to grab more details which
will help to figure out the root cause of this issue.
Cheers
5 years, 5 months
ldap federation working | test connection / authentication buttons failing
by mj
Hi,
Keycloak 6.0.1, LDAP federation is working, users can log on and are
updated automatically and regularly from LDAP:
> 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST
> 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users
In keycloak, the configured ldap uri is ldap://localhost:389, where a
haproxy instance is listening that talks ldaps to our DCs.
The 'problem': in the keycloak GUI, the buttons 'Test authentication'
and 'Test connection' do not work:
"Error! Error when trying to connect to LDAP. See server.log for details."
But nothing is logged in server.log, and haproxy does not even log a
connection attempt at all.
Anyone else seeing this..?
MJ
5 years, 5 months
Keycloak policy enforcer for bearer-only client
by Juan Camilo Vanegas
Hi.
I am developing a Node.js web app that uses Keycloak as its authentication
service. I already have two clients: a public client for the web app
(app-web) and a bearer-only client for the API (app-api). On app-api I use
resources, scopes, policies, and permissions to control access.
To check the permissions, I am using keycloak.enforcer(...) from the
keycloak-connect module (npm keycloak-connect
<https://www.npmjs.com/package/keycloak-connect>). When I try to check a
permission, the server always returns a 403 Access denied response. But if I
change app-api from bearer-only to confidential (keeping the same
keycloak.json configuration file), the client works fine and is capable of
checking permissions.
This problem seems to be because a bearer-only client cannot obtain tokens
from the server (keycloak similar question
<http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authori...>
).
My question is: Is this normal behavior for Keycloak? Why allow the
Authorization tab in bearer-only clients if you cannot use
keycloak.enforcer? Am I missing some configuration?
Thanks for your help.
Stackoverflow question:
https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bea...
5 years, 5 months
How to allow only tokens with a specific claim at identity brokering in KeyCloak?
by Iurii
Hello,
I am using KeyCloak with two external identity providers configured for
identity brokering. There is a requirement to not allow accessing the
application protected with KeyCloak if the token issued by one of the
external identity providers doesn't contain a specific claim.
In other words - if external IdP "A" issues a token without claim "xxx"
equal to "yyy", KeyCloak must not allow logging in.
Is it possible to configure this in KeyCloak, or will I have to modify the
application protected with KeyCloak to check this condition?
Thanks!
5 years, 5 months