August 2019 - keycloak-user - Jboss List Archives

How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'

by Christophe Lehingue

Hello, how to configure a client so that the user can use the user removal API? [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sd... Whenever I try to call this request REST => I get the following error message: "resulted in a 401/403 Unauthorized`" Can you help me ? Thank you

6 years, 4 months

4
4
0 / 0

Keycloak Offline User Sessions and Online User Sessions

by Nagendra Darla

Hello Keycloak experts, We have below challenges in out project where we are building User Access Management using Keycloak. 1. *Offline User Sessions:* When a Offline token is used from two different machines, There is only one Session that will be created and session will have the IP address of the machine from where the User Session is first created. Because of this we cannot suspect any suspicious activity by hackers. Should n't we create different sessions even though same offline token is used from different machines. 2. *Why there is no separate REST end point to get only Online User Sessions: *Below REST end point returns all the User Sessions ie., both Offline and Online User Sessions. GET /{realm}/clients/{id}/user-sessions You help is much appreciated ! Thank you, Nagendra Darla

6 years, 5 months

1
1
0 / 0

resource ids

by Corentin Dupont

Hi guys, I discovered that you can provide your own id when creating resources: curl -X POST " http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{*"_id": "123-456"*, "type": "test", "name":"test", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}' This is very practical for synchronizing the resources with my own database. After some investigation, I found: - the ID should be unique - the name should be unique Is that correct? The resource type is not used in the unicity. In my application database, resources with different types are stored in different collections, so two resources with different types *can* have the same ID. How do you suggest to solve this in Keycloak? Providing a keycloak ID of the form <type>-<ID> for example? e.g. sensor-123 and project-123 would not collide. Cheers

6 years, 5 months

3
10
0 / 0

multiple reset credentials flows

by Arnault BESNARD

Hi, We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario. Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case. What is the best way to solve our issue? Thanks in advance, Arnault

6 years, 6 months

1
2
0 / 0

Keycloak Gatekeeper configuration with SPA

by Yumna Ghazi

Hello everyone, I'm using Keycloak as an identity manager and since it also provides optional authorization, I decided to use it to suit my access control requirements as well. I have multiple microservices that I want to protect using Keycloak Gatekeeper like the configuration below but with separate Gatekeepers per service. --------- ----------- ----------- ------------ | UI | ---> | Proxy | ---> | GateK | ---> | Service | --------- ------------ ----------- ------------ | || | v -----------------------------------> Keycloak Aside from the CORS related issues this creates (KEYCLOAK-9099 <https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important issue that I'm struggling with. My UI already has keycloak js integrated with a public client specifically for itself, which I was using for login initially. Now that I want to use the Gatekeeper proxy, I want my login/token refresh to happen on the UI such that it would automatically generate the requisite cookies for Gatekeeper, because I want to disable redirection on Gatekeeper and send 401 directly in case of expired/bad/no token. a) Is my understanding correct and is this the correct approach? b) If so, how can I login via Keycloak directly or via Gatekeeper and get the required cookies (without some proxy-level hacking)? Right now I'm hovering between a couple of options, from using Kong oidc with some custom authorization to using Gatekeeper. Any help would be much appreciated. Thanks. Yumna

6 years, 7 months

2
1
0 / 0

Evaluation of RPT in admin console does not match Rest request result...

by Axel

Hello. Keycloak 6.0.1 and 7 Can anyone help me with understanding of evaluating RPT? Scenario: 2 Realm Roles - RoleA and RoleB 1 user with both realm roles 2 clients: clientA public (or confidential) with Scope=RoleA clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB When I go to clientB Authorization-Evaluate set Client = clientA set User = user choose Any resource with scope(s) Any scope. and see: { "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7", "exp": 1567062109, "nbf": 0, "iat": 1567061809, "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "ff2e581c-0663-4b8c-9332-629b02c02729", "acr": "1", "realm_access": { "roles": [ "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } here I see that I have only RoleA (that is correct - I'm going through clientA) But when I make requests: curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' -d 'grant_type=password' ' http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token' grab access-token and curl -X POST \ http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \ -H "Authorization: Bearer access-token-from-first-curl" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=clientB" I get different jwt: { "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2", "exp": 1567062641, "nbf": 0, "iat": 1567062341, "iss": "http://localhost:8280/auth/realms/TestRPT", "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e", "acr": "1", "realm_access": { "roles": [ "RoleB", "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } Why "RoleB" is in RPT? Do I understand documentation wrong? Wrong RPT request? Our main target is: when user goes through clientA to clientB, clientB should receive only those roles that the user has in clientA. We have many applications-clients and we want to limit some of them. How can we achieve this? Thanks in advance. Alexey Makarevich.

6 years, 7 months

2
1
0 / 0

Not able to extend User Storage SPI without changing Keycloak configuration files

by David VS

Goal: Setup custom federation which extends ldap provider. Question: What is the proper way to extend the ldap federation while adding one more configuration input? (without changing internal keycloak files) I followed the steps in https://www.keycloak.org/docs/latest/server_development/index.html#_user-... and specify my own provider and providerFactory, In admin console, when trying to create the federation "custom-ldap", most of the input fields do not have a label and some buttons like "Test connection" are missing. The configuration property that I added and customized has label/default value/tooltip. If it is not possible to extend the form, is there an easy way how to inherit the same UI form from the ldap federation page in my extension? (Im new to keycloak, and do not have experience with Freemarker). Thank you so much for your support, David

6 years, 7 months

3
3
0 / 0

Keycloak 7 release

by Stian Thorgersen

https://www.keycloak.org/2019/08/keycloak-700-released.html Note - Keycloak Gatekeeper 7 is not ready yet and will be released next week

6 years, 7 months

2
3
0 / 0

Identity provider mapper - Attribute to role

by Matteo Restelli

Hi all, We're trying to setup an Attribute to role mapper inside our SAML 2.0 identity provider. The problem is that our attribute contains whitespaces. How can we map an attribute with whitespaces to a role? Currently surrounding it with double quotes or single quotes doesn't work. Any thoughts on that? Thank you, Matteo -- Like <https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq>I Connect <https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.

6 years, 7 months

2
4
0 / 0

Unable to get SAML ForceAuthn to work

by Neil Russell

Hey, I'm trying to get ForceAuthn to work with a third party who is using Shibboleth but have been unable to get it to force re-authentication if I have an existing session. I've inspected the SAML request and ForceAuthn is being passed in the request, one issue is that Shibboleth passes ForceAuthn="1" instead of ForceAuthn="true" and the parser doesn't appear to handle that. I made a fix to the StaxParserUtil class to try and get it working but even though I can now see that parser is returning true when the ForceAuthn attribute is read I'm still not getting the expected behaviour and I'm not sure where to look next. Any suggestions would be appreciated, am I looking in completely the wrong place? Thanks, Neil Russell

6 years, 7 months

3
5
0 / 0

SAML Assertion Expiration v4.8.0

by gambol

Hiya Was wondering if anyone else has come across this error before. After upgrading to v4.8.0 users are complaining about intermittent login failures via the federated IDP 09:14:46,188 INFO [org.keycloak.saml.validators.ConditionsValidator] (default task-434) Assertion _cc9a97f8-2a30-49e8-bca5-8eefcd49d592 expired. 09:14:46,188 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-434) Assertion expired. 09:14:46,188 WARN [org.keycloak.events] (default task-434) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xxxx, clientId=null, userId=null, ipAddress=xxxxxxxxx, error=invalid_saml_response The federated IDP is backed by ADFS Googling around the issue seems to suggest a diff on clocks; but the time on all the worker nodes (running in kubernetes) is all fine; and the upstream broker (ADFS) said their time is fine. Anyone seen this before? .. even better, anyone know of a solution? :-) Thanks in advance Rohith

6 years, 7 months

2
1
0 / 0

Theme caching

by Barish Yumerov

Hello, I am running keycloack in a docker container using this iamge: jboss/keycloak I created a few themes, and disabled caching by editing ./standalone/configuration/standalone.xml as <theme> <staticMaxAge>-1</staticMaxAge> <cacheThemes>false</cacheThemes> <cacheTemplates>false</cacheTemplates> ... </theme> alghough this, I can see changes only if I restart the docker container. I even clear all type of caches for the ralm in the admin pannel but still I cannot see any changes :( How I can clear cache without restarting docker container or is there any setting that disables caching in dev mode? Thank you in advance! Best Regards, B Yumerov

6 years, 7 months

3
2
0 / 0

Context based User Roles

by Siddhartha Moitra

Hi, Recently started using Keycloak as our IAM. I have a use case where user-roles can change based on some contextual data. The contextual data can be stored as User Attributes but how do I map the user to the derived role. All the roles exist as Realm roles. Any pointers will be much appreciated. Thanks, Sid

6 years, 7 months

1
0
0 / 0

Keycloak Javascript Adapter - How Tied to Keycloak?

by Ben Ashley

Hi, Bit of a strange question from me. How tied to Keycloak server is the Keycloak Javascript adapter when it comes to enabling OIDC and OAuth2 flows? If we have a client application written using it, would it be possible to replace Keycloak with another compliant identity provider (like AzureAD or Auth0)? Cheers, Ben Ashley

6 years, 7 months

1
0
0 / 0

Using Keycloak Gatekeeper for Auth-Code-Flow over multiple microservices

by Seán Kelleher

Hi Stian, > The alternative is to have a backend for your front-end that deals with > obtaining tokens. The front-end uses a httponly cookie to be authenticated > against the backend, but never has access to the token directly. This has > the limitation that front-end and backend has to be hosted on same domain > and if you need to call external services it needs to be proxies through > the backend. It is harder to do though. Would it make sense to use Gatekeeper for this? The backend could require bearer tokens as usual but Gatekeeper could be in charge of using the authorisation code flow to log the user in and proxying the frontend's requests to the backend, mapping the cookies to the corresponding bearer tokens. It's probably more limiting than your solution for handling external services, but it could be a quick way of setting up this type of token handling? Kind regards, Seán.

6 years, 7 months

1
0
0 / 0

Keycloak admin rest api performance

by Mark de Jong

Hi, Keycloak starts to having high latencies when there are 50–100 concurrent users interacting with the Admin REST API. I tested this by using Gatling and run a specific flow which involves calling the Admin REST API. Keycloak uses a H2 database during the performance test. Keycloak is ran in a docker container within docker for Mac. We are using the following endpoints frequently: POST /users - to create a new user GET /roles - to get realm roles POST /users/{userId}/role-mappings/realm - to assign realm roles to a user I tried increasing memory in the JVM flags, but that didn’t help. It shouldn’t be a problem to have that many users right ? How can I diagnose what’s going on? Is there a metric endpoint (Prometheus available)? Are there any other diagnostics I can run? Greets, Mark

6 years, 7 months

1
0
0 / 0

SLO in Identity Brokering

by Karol Buler

Hi Keycloaks! We have a Keycloak as an Identity Broker (KC) and external OIDC Identity Provider (EIDP), which we integrate with Keycloak. Our Android/iOS application is integrated with the Keycloak, but Authentication is handled by EIDP. There is also another Android/iOS application integrated only with EIDP. SSO is working very well in both ways. SLO in the way KC -> EIDP also is working. The problem is when user is logging out from the application integrated only with EIDP. KC doesn't know anything about this logout and Android/iOS application integrated with KC is still logged in. The question is how we should do that in the proper way? BR, Karol [https://www.adbglobal.com/wp-content/uploads/adb.png] adbglobal.com<https://www.adbglobal.com> This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy<https://www.adbglobal.com/privacy-policy/> and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

6 years, 7 months

1
0
0 / 0

Login and Logout between two application on different subdomains

by Tom Pearson

Hi, We have two applications on different subdomains. One is written with Grails 2 and the other with Laravel. The Grails app is integrated with Keycloak via a modfied Spring Security plugin and the Laravel app with Socialite. Individually both work correctly. However, when a user logs to one, we want them to be automatically logged in the other. Similarly, when the user logs out of one, we want them to be automatically logged out of the other. This is not working. Both applications use the same client and realm. Any help would be appreciated as we have no solution to this apart from maybe using a custom cookie. Regards, Tom Pearson

6 years, 7 months

1
0
0 / 0

Users to group mapping

by Shetty, Shweta

Our login times are not acceptable with keycloak since during the login keycloak is doing the users to the group mapping. Is there any way we can seperate the two concerns of logging in (validating the password vs this group mapping). Is there a way to schedule this users to group mapping in the background after the login is finished ? Any input is appreciated , since we do have large groups which the users belong too and the performance is painfully bad. Shweta

6 years, 7 months

2
1
0 / 0

How to add gidNumber and uidNumber when federated with openLDAP

by Shiva Prasad Thagadur Prakash

Hi Guys, I am trying to find a way to populate the gidNumber and uidNumber when a user is created in LDAP via Keycloak. I don't want to use hardcoded-attribute-mapper as it would put the same value to all the users. Is there is a way to populate these values when a user is created at the Keycloak side? For "posixAccount" in LDAP these are MUST be present attributes and LDAP throws error if these values are not present when a user is created. Eagerly waiting for your reply. Thanks, Shiva

6 years, 7 months

1
0
0 / 0

Re: [keycloak-user] Auth-Code-Flow over multiple microservices

by Hans Zandbelt

on the latter option, see also: https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-p... Hans. On Thu, Aug 29, 2019 at 10:13 PM <keycloak-user-request(a)lists.jboss.org> wrote: > > You need to decide if you want the front-end to hold tokens or not. If > front-end holds tokens you can do Auth code flow securely with pkce and > public clients. That means your front-end should move secure and you should > really only store tokens temporarily in the window state rather than in > html5 storage. This is perfectly acceptable in most cases. > > The alternative is to have a backend for your front-end that deals with > obtaining tokens. The front-end uses a httponly cookie to be authenticated > against the backend, but never has access to the token directly. This has > the limitation that front-end and backend has to be hosted on same domain > and if you need to call external services it needs to be proxies through > the backend. It is harder to do though. > > An hybrid approach like you mention doesn't make any sense to me. > > On Tue, 27 Aug 2019, 11:18 bob sheknowdas, <bob.skd(a)googlemail.com> wrote: > > > Hi, > > > > I have a setup and a usecase that seems to be quite unique (according to > my > > google search effords). > > > > I use a frontend consisting of pure java script (microservice 1). > > Behind that runs a backend created with java spring boot (microservice > 2). > > > > To authenticate users I want to switch from the implict flow to the > > auth-code-flow for additional security. > > However, this additional security can not be achieved using a pure java > > script client... > > > > So I had the following idea: > > Integrating the backend into the auth-code-flow of the frontend. > > I was planing to let the request to the authorization-endpoint be handled > > by the frontend alone, but than proxy the request to the token endpoint > > through the backend (where the client secret is injected). > > > > Does the keycloak spring-boot-adapter provide any useful functionality > for > > this usecase? > > Is this a good idea in general? > > > > I am thankful for any help or comment provided :) > > > > Best > > Bob > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > -- hans.zandbelt(a)zmartzone.eu ZmartZone IAM - www.zmartzone.eu

6 years, 7 months

1
0
0 / 0

Kerberos token for VDI login

by Halling-Brown, Chris HLTH:EX

Hi, newbie to KC I am afraid. Looking to leverage KC for authentication purposes, logging users from multiple domains into a VDI solution hosted by a target domain. The intention is to have the user authenticate with their local IdP creds to create a true SSO solution that logs them into a VDI in the target domain. The platform we are architecting depends on a secure workspace, preferably delivered by VMware Horizon View VDI's to access an application using AD (full Kerberos integration) to manage RBAC. [cid:image001.png@01D5599A.C65088E0] Has anyone out there achieved something similar or am I smoking the good stuff? Cheers Chris

6 years, 7 months

1
1
0 / 0

Keycloak Issuing the same token with jwt/issuer and jwt/jwksUri

by Jayathirth, Pramod Raghavendra

Hi All, I am trying to run an oauth authentication and authorization server like a keycloak along with the istio to enable some form of credentials management. I saw that many people had run into the same. I am following this, https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1..... I am able to successfully block the user without token. I am able to get the token as well. But the curl with token authorization fails from Istio's side. (curl -H "Authorization: Bearer $token" customer-tutorial.$(minishift ip).nip.io). Also I have been using keycloak from a few weeks. I saw that it gives the same token every time. Is this behavior normal? Are you aware of any such issue that you would have faced? Or Did you suggest any other tutorial/Page that explains this better? I am using 1.2.2 istio and keycloak 6.0.1. Please do let me know on how to proceed. Regards, Pramod Raghavendra Jayathirth

6 years, 7 months

1
0
0 / 0

Custom actions on a password, when an user change passwords?

by Rémy Grünblatt

Hello, I'm searching for a way to execute a custom action when an user defines or changes its password. The goal is to save the password in another format (the ultimate goal is being able to do scram/sha1 on the id of the users), while maintaining the normal operation of keycloak (we don't want to change the way keycloak stores its passwords, we just want a sort of copy). Does it ring a bell for someone in there? Do you know of a way to do that? Thanks, Rémy

6 years, 7 months

1
0
0 / 0

Auth-Code-Flow over multiple microservices

by bob sheknowdas

Hi, I have a setup and a usecase that seems to be quite unique (according to my google search effords). I use a frontend consisting of pure java script (microservice 1). Behind that runs a backend created with java spring boot (microservice 2). To authenticate users I want to switch from the implict flow to the auth-code-flow for additional security. However, this additional security can not be achieved using a pure java script client... So I had the following idea: Integrating the backend into the auth-code-flow of the frontend. I was planing to let the request to the authorization-endpoint be handled by the frontend alone, but than proxy the request to the token endpoint through the backend (where the client secret is injected). Does the keycloak spring-boot-adapter provide any useful functionality for this usecase? Is this a good idea in general? I am thankful for any help or comment provided :) Best Bob

6 years, 7 months

2
1
0 / 0

Keycloak Domain TCP Clustering of Sessions in AWS not auto-failing over to node

by JTK

I have two nodes setup in a cluster using TCP port 7600 and I see them join the cluster in the logs. On Master: [Host Controller] 15:07:18,293 INFO [org.jboss.as.domain.controller] (Host Controller Service Threads - 7) WFLYHC0019: Registered remote slave host "dev-slave1", JBoss Keycloak 6.0.1 (WildFly 8.0.0.Final) On Slave: [Host Controller] 15:03:12,603 INFO [org.jboss.as.host.controller] (Host Controller Service Threads - 3) WFLYHC0148: Connected to master host controller at remote://10.10.10.77:9999 In the WildFly admin panel I see the server group: auth-server-group which is ha and then I see both servers in the group and they are both green. I've set the distributed-cache setup to 2 in domain.xml, so it should be sharing session information: <distributed-cache name="sessions" owners="2"/> <distributed-cache name="authenticationSessions" owners="2"/> <distributed-cache name="offlineSessions" owners="2"/> <distributed-cache name="clientSessions" owners="2"/> <distributed-cache name="offlineClientSessions" owners="2"/> <distributed-cache name="loginFailures" owners="2"/> <distributed-cache name="actionTokens" owners="2"> Here is the logs on the master showing there a new cluster has been received: 2019-08-26 15:03:19,776 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [dev-master|0] (1) [dev-master] 2019-08-26 15:03:19,779 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [dev-master|0] (1) [dev-master] 2019-08-26 15:03:19,780 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [dev-master|0] (1) [dev-master] 2019-08-26 15:03:19,780 INFO [org.infinispan.CLUSTER] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [dev-master|0] (1) [dev-master] 2019-08-26 15:03:19,875 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [dev-master|0] (1) [dev-master] And on the slave: 2019-08-26 15:07:29,567 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [dev-slave1|0] (1) [dev-slave1] 2019-08-26 15:07:29,572 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [dev-slave1|0] (1) [dev-slave1] 2019-08-26 15:07:29,572 INFO [org.infinispan.CLUSTER] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [dev-slave1|0] (1) [dev-slave1] 2019-08-26 15:07:29,574 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [dev-slave1|0] (1) [dev-slave1] 2019-08-26 15:07:29,635 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [dev-slave1|0] (1) [dev-slave1] I believe I read somewhere that I was supposed to see the master and slave together in the logs an not just master or slave. Maybe this is my issue, but I don't know how to resolve it. I can't use multi-cast as it's disabled in AWS and almost all cloud providers. When I launch the master and let it come up, then launch the slave I can see all the traffic for the session on the master. As soon as I stop the master, the slave is looking for the master, but when I click on the website, it just hangs waiting for a connection and then eventually logs me out, and I end up logging back in, and now I'm on the slave node. The shared sessions are not happening. Is there something else I need to do or set? I have this setup in my domain.xml configuration as well: <server-group name="auth-server-group" profile="ha"> <jvm name="default"> <heap size="64m" max-size="512m"/> </jvm> <socket-binding-group ref="ha-sockets"/> <system-properties> <property name="jboss.cluster.tcp.initial_hosts" value="10.10.10.77[7600],10.10.10.27[7600]"/> </system-properties> </server-group> In my host.xml on the slave I have this setup to reach back to the master as the domain controller <domain-controller> <remote protocol="remote" host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/> </domain-controller> Any help would be appreciated

6 years, 7 months

2
6
0 / 0

Is there a LTS version of Keycloak

by Paul Edison

Hi, is there any version as LTS from Keycloak, that is meant to be uses for productive use? Or is there any strategy for long time usage of Keycloak? Kind Regards, Paul

6 years, 7 months

3
2
0 / 0

Log newly synced users form federated LDAP

by Paul Edison

Hi, I’m using a Keycloak with a LDAP federated as user source. The users should be synced manually. What I now would need is to know on a sync what users get newly synced to the Keycloak store and which are simply get updated. Is there a way and get it configured and logged to some logfiles or to the UI? Kind Regards, Paul

6 years, 7 months

3
2
0 / 0

Non-public version of keycloak?

by Paul Luk

In the redhat sso roadmap page, I found the redhat sso 7.3.3 is based on a keycloak of version 4.8.11...And I can't find those versions in keycloak.org and within... Is it means that there are non-public keycloak versions ? I need redhat subscription so as to use those versions? Best regards, Paul

6 years, 7 months

2
1
0 / 0

How to export Keycloak Data with second instance? Or should i use db tools?

by konphite＠mailbox.org

Hello together, iam relative new to keycloak. Iam reading the documentation of keycloak about import/export data. The documentation looks a little bit short to me and, honestly, it confused me why there are only few questions about this in the www. I hope some more experienced user can help me, because i think its a standard problem: I want to backup my keycloak Data. Whats the right way? Backup the data over the standalone.sh, or backup the whole postgredb via db tools? In my feeling, the import/export keycloak function over standalone.sh looks not like a real backup option, more like a "migration-tool" to migrate the data from one database to another. Am i wrong? If i using the standalone.sh, how i can backup my data while my instance is running? I cant stop they keycloak server in production for daily backups. I read in the mailing list, that is possible to run "a second instance" of Jboss on the same server, when i start the standalone.sh with other port binding (i.e : with -Djboss.socket.binding.port-offset=). But iam wondering: How can i stop this instance after the backup is done? Is this really best practice? Iam thanksfull for any help best regards Konphite

6 years, 7 months

2
1
0 / 0

Keycloak - Supported Database Versions - PostgreSQL

by Townsley, Eric L

Hi, What versions of Postgres does Keycloak support? Thanks Eric Please consider the environment before printing this email and any attachments. This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.

6 years, 7 months

2
1
0 / 0

Unable to change login theme to other than base

by Ana maria Jordan

Dear all. We are testing Keycloak as SAML2 gateway to some both external and internal systems we are to integrate with. We downloaded and configured Keycloak server (standalone) version 6.0.1, created a new realm, and for the initial tests add some clients running on Tomcat. We are able to authenticate to those clients via SAML2 protocol, but the problem is that I would like to configure the login page for them to be the one provided by the corresponding realm theme, and get only the base theme’s login page. Did I misunderstand the documentation (3.6 Theme Selector -> “By default the theme configured for the realm is used […]”)? Could any of you figure out what I am doing wrong? Many thanks in advance for the help. Best regards.

6 years, 7 months

1
0
0 / 0

OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined

by Iommi Underwood

Hi, I am currently setting up Cloudflare access with a generic openID provider as an access login method with Keycloak. The configuration is complete from both ends, however when I test from cloudflare, after the authentication is done I see the error "OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined". From a trace that I took on the keycloak server, I see that the server is authenticating the user and responding back, but cloudflare is still displaying this error. Below is the TCP stream between client (cloudflare) and server (keycloak): ******************* START STREAM ******************* GET /auth/realms/[**SUPRESSED**]/protocol/openid-connect/auth?client_id=cloudflare-access&redirect_uri=https%3A%2F%2F[**SUPRESSED**].cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&scope=openid+email+profile HTTP/1.1 Host: keycloak.[**SUPRESSED**].io:8180 Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Sec-Fetch-Site: cross-site Referer: https://dash.cloudflare.com/ Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: AUTH_SESSION_ID=dc1416f0-fc39-457d-80fd-48daa16db16b; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI3ZDI4YWQ0ZS0zN2U1LTRkMWEtOWZkNS0zYzQ1YjQ2MzQzNzAiLCJleHAiOjE1NjY5MzI2NDYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NjQ2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImRjMTQxNmYwLWZjMzktNDU3ZC04MGZkLTQ4ZGFhMTZkYjE2YiIsInN0YXRlX2NoZWNrZXIiOiJTeDJOSEZoc1lSUDk2TFF5S3RiZDNINVc3UzhKSXdqX3BLcE1ZSEFiNWhBIn0.zHM0hLg96gEPGTdaBjX0KSaZ4hGoETTKc-efvfqni90; KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/dc1416f0-fc39-457d-80fd-48daa16db16b; _ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327; __zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604 HTTP/1.1 200 OK Cache-Control: no-store, must-revalidate, max-age=0 Set-Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJjaWQiOiJjbG91ZGZsYXJlLWFjY2VzcyIsInB0eSI6Im9wZW5pZC1jb25uZWN0IiwicnVyaSI6Imh0dHBzOi8veGNhbGliZXIuY2xvdWRmbGFyZWFjY2Vzcy5jb20vY2RuLWNnaS9hY2Nlc3MvY2FsbGJhY2siLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLnhjYWxpYmVyLmlvOjgxODAvYXV0aC9yZWFsbXMvWENhbGliZXIiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsImNvZGVfY2hhbGxlbmdlX21ldGhvZCI6InBsYWluIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly94Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbS9jZG4tY2dpL2FjY2Vzcy9jYWxsYmFjayIsInN0YXRlIjoiYjU5MDQ3ZWIxMDE2YmUwZDU5YjMwNmEyYzM1Yjc0ZDkzMjM4NjQ1NDljN2Q3YWUyYzc4Nzc1ZTg5MGI0YzA0Yy5KVGRDSlRJeWFHOXpkRzVoYldVbE1qSWxNMEVsTWpKNFkyRnNhV0psY2k1amJHOTFaR1pzWVhKbFlXTmpaWE56TG1OdmJTVXlNaVV5UXlVeU1uSmxaR2x5WldOMFZWSk1KVEl5SlROQkpUSXlKVEpHSlRJeUpUSkRKVEl5WVhWa0pUSXlKVE5CSlRJeUpUSXlKVEpESlRJeWFXUndTV1FsTWpJbE0wRWxNakppWkdZM1ptWTVOaTFrTnpnNExUUm1aR1V0WVdFMU55MWhObUZtT1Raa09XTTBabVVsTWpJbE1rTWxNakpwYzBWdWRGTmxkSFZ3SlRJeUpUTkJabUZzYzJVbE1rTWxNakpwYzBsRVVGUmxjM1FsTWpJbE0wRjBjblZsSlRKREpUSXlibTl1WTJVbE1qSWxNMEVsTWpKak5XaFBSVFpGTjNkSU1IbzBXVGRHSlRJeUpUZEUifX0.nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/ Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**] Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**] X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none'; Date: Tue, 27 Aug 2019 09:05:11 GMT Connection: keep-alive X-Robots-Tag: none Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff Content-Type: text/html;charset=utf-8 Content-Length: 3013 Content-Language: en <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">; <html xmlns="http://www.w3.org/1999/xhtml"; class="login-pf"> <head> <meta charset="utf-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta name="robots" content="noindex, nofollow"> <meta name="viewport" content="width=device-width,initial-scale=1"/> <title>Log in to [**SUPRESSED**]</title> <link rel="icon" href="/auth/resources/5.0.0/login/keycloak/img/favicon.ico" /> <link href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly.css" rel="stylesheet" /> <link href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css" rel="stylesheet" /> <link href="/auth/resources/5.0.0/login/keycloak/lib/zocial/zocial.css" rel="stylesheet" /> <link href="/auth/resources/5.0.0/login/keycloak/css/login.css" rel="stylesheet" /> </head> <body class=""> <div class="login-pf-page"> <div id="kc-header" class="login-pf-page-header"> <div id="kc-header-wrapper" class=""><div class="kc-logo-text"><span>[**SUPRESSED**]</span></div></div> </div> <div class="card-pf "> <header class="login-pf-header"> <h1 id="kc-page-title"> Log In </h1> </header> <div id="kc-content"> <div id="kc-content-wrapper"> <div id="kc-form" > <div id="kc-form-wrapper" > <form id="kc-form-login" onsubmit="login.disabled = true; return true;" action="http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/login..."; method="post"> <div class="form-group"> <label for="username" class="control-label">Username or email</label> <input tabindex="1" id="username" class="form-control" name="username" value="" type="text" autofocus autocomplete="off" /> </div> <div class="form-group"> <label for="password" class="control-label">Password</label> <input tabindex="2" id="password" class="form-control" name="password" type="password" autocomplete="off" /> </div> <div class="form-group login-pf-settings"> <div id="kc-form-options"> </div> <div class=""> </div> </div> <div id="kc-form-buttons" class="form-group"> <input tabindex="4" class="btn btn-primary btn-block btn-lg" name="login" id="kc-login" type="submit" value="Log In"/> </div> </form> </div> </div> </div> </div> </div> </div> </body> </html> POST /auth/realms/[**SUPRESSED**]/login-actions/authenticate?session_code=f3NG2Rjv0G4ymg2pQqwGMvrxu_rXJXtmZnDCZgsPkb4&execution=07ebd6fc-53e0-4fae-a6dd-5e32b9cf1b73&client_id=cloudflare-access&tab_id=IAnjjExJu-4 HTTP/1.1 Host: keycloak.[**SUPRESSED**].io:8180 Connection: keep-alive Content-Length: 30 Cache-Control: max-age=0 Origin: http://keycloak.[**SUPRESSED**].io:8180 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Referer: http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/proto... Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJjaWQiOiJjbG91ZGZsYXJlLWFjY2VzcyIsInB0eSI6Im9wZW5pZC1jb25uZWN0IiwicnVyaSI6Imh0dHBzOi8veGNhbGliZXIuY2xvdWRmbGFyZWFjY2Vzcy5jb20vY2RuLWNnaS9hY2Nlc3MvY2FsbGJhY2siLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLnhjYWxpYmVyLmlvOjgxODAvYXV0aC9yZWFsbXMvWENhbGliZXIiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsImNvZGVfY2hhbGxlbmdlX21ldGhvZCI6InBsYWluIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly94Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbS9jZG4tY2dpL2FjY2Vzcy9jYWxsYmFjayIsInN0YXRlIjoiYjU5MDQ3ZWIxMDE2YmUwZDU5YjMwNmEyYzM1Yjc0ZDkzMjM4NjQ1NDljN2Q3YWUyYzc4Nzc1ZTg5MGI0YzA0Yy5KVGRDSlRJeWFHOXpkRzVoYldVbE1qSWxNMEVsTWpKNFkyRnNhV0psY2k1amJHOTFaR1pzWVhKbFlXTmpaWE56TG1OdmJTVXlNaVV5UXlVeU1uSmxaR2x5WldOMFZWSk1KVEl5SlROQkpUSXlKVEpHSlRJeUpUSkRKVEl5WVhWa0pUSXlKVE5CSlRJeUpUSXlKVEpESlRJeWFXUndTV1FsTWpJbE0wRWxNakppWkdZM1ptWTVOaTFrTnpnNExUUm1aR1V0WVdFMU55MWhObUZtT1Raa09XTTBabVVsTWpJbE1rTWxNakpwYzBWdWRGTmxkSFZ3SlRJeUpUTkJabUZzYzJVbE1rTWxNakpwYzBsRVVGUmxjM1FsTWpJbE0wRjBjblZsSlRKREpUSXlibTl1WTJVbE1qSWxNMEVsTWpKak5XaFBSVFpGTjNkSU1IbzBXVGRHSlRJeUpUZEUifX0.nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM; _ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327; __zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604 username=[**SUPRESSED**]&password=[**SUPRESSED**]HTTP/1.1 302 Found Connection: keep-alive Cache-Control: no-store, must-revalidate, max-age=0 Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI5ZDEyY2Y2NS00MzRlLTQ3ZjItODAyYi01MTFiMDFmZjVkMTUiLCJleHAiOjE1NjY5MzI3MTYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NzE2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjNhYWU3ZTEyLTg3NTUtNDEyZi1iNTY1LWE2NWM5Yjc1NmY5YSIsInN0YXRlX2NoZWNrZXIiOiJOQ3M2LVR2T0JPaVg3VWIyUzM3NldvV3piOF91M1pVUXY1ODVOVU5mV2pBIn0.BOFLzvv6qXrMopCHd6uas0g_ywNDHskE3WRvwwS2oWY; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly Set-Cookie: KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/3aae7e12-8755-412f-b565-a65c9b756f9a; Version=1; Expires=Tue, 27-Aug-2019 19:05:16 GMT; Max-Age=36000; Path=/auth/realms/[**SUPRESSED**]/ Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly P3P: CP="This is not a P3P policy!" Location: https://[**SUPRESSED**].cloudflareaccess.com/cdn-cgi/access/callback?state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&session_state=3aae7e12-8755-412f-b565-a65c9b756f9a&code=af698d46-23a0-44e2-9832-71f5434ccf69.3aae7e12-8755-412f-b565-a65c9b756f9a.975d74ab-0c36-465e-bb38-32a0559eca73 Content-Length: 0 Date: Tue, 27 Aug 2019 09:05:16 GMT ******************* END STREAM ******************* Let me know if you have any further queries. Regards, Iommi

6 years, 7 months

1
0
0 / 0

Re: [keycloak-user] check-sso not working as expected with iframe

by Michal Hajas

Sorry, I am not sure I fully understand the question, if my answer is not what you expected, please describe your issue properly with some steps to reproduce and describe what behavior you expect or if you think this is a bug, feel free to file an issue in our Jira. If your webpage is configured as check-sso, it means you do not require authentication (the page is visible also for users which are not authenticated). If an authenticated user is logged out in a separate tab he is redirected to keycloak only in case login is required. But since the webpage is configured as check-sso, keycloak knows it doesn't require authentication and hence doesn't redirect the user to a login page. The iframe is used anyway because keycloak adapter is aware of the fact that user is not logged in (he lost the session), however, it just clears the tokens and set the adapter to authenticated = false state (in case of check-sso option). If I understand correctly, you want to reauthenticate user in case he loses his session. You can do that in two ways. Set the onLoad option to loginRequired or use onAuthLogout callback as I suggested in the last response. It could look something like that (I haven't tested it): keycloak.onAuthLogout = function() { keycloak.login(); } On Mon, Aug 26, 2019 at 9:07 PM Mohsin Ilyas <Mohsin_981(a)hotmail.com> wrote: > But don’t you think if the sso session is valid then the user would > continue to use the website so the iframe shouldn’t be connected again if > the connection was broken? As I’ve seen that the check-sso would use iframe > in a hidden request but if it is not working as expected than what is the > use of that. > > > ------------------------------ > *From:* Michal Hajas <mhajas(a)redhat.com> > *Sent:* Monday, August 26, 2019 1:21:09 PM > *To:* keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org> > *Cc:* Mohsin Ilyas <mohsin_981(a)hotmail.com> > *Subject:* Re: [keycloak-user] check-sso not working as expected with > iframe > > Hello Moshin, > > this is actually the way check-sso should work. From docs: > check-sso will only authenticate the client if the user is already > logged-in, if the user is not logged-in the browser will be redirected back > to the application and remain unauthenticated. > > When you logout in the second tab, the tab with check-sso actually detects > you are logged out, however, it does nothing because it is not supposed to. > You can check it by catching onAuthLogout event. See > https://www.keycloak.org/docs/latest/securing_apps/index.html#callback-ev... > . > > Best regards, > Michal > > On Wed, Aug 21, 2019 at 8:34 PM Mohsin Ilyas <mohsin_981(a)hotmail.com> > wrote: > >> Missed the code in original email >> >> >> const keycloak = Keycloak('/keycloak.json'); >> keycloak.init({onLoad: ‘check-sso'}) >> .success(authenticated => { >> if (authenticated) { >> //do something >> } >> }) >> .error(error => { >> console.log(error) >> }); >> >> ________________________________ >> From: Mohsin Ilyas >> Sent: Wednesday, August 21, 2019 11:29 PM >> To: keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org> >> Subject: check-sso not working as expected with iframe >> >> >> Hi, >> >> Below is my simple logic in my application to re-establish connection >> with keycloak when a page is reloaded. However, the iframe doesn’t seem to >> work well with ‘check-sso’. Because, I have opened the application in one >> tab and in other tab I have opened keycloak but when I logout of keycloak >> my application doesn’t get logout, however, if I use ‘login-required’ the >> application logs out simultaneously with keycloak. Can someone take a look, >> or help me with this? (P.s: I have tried to set checkIframLogin: true in >> the init options but it doesn’t work for me) >> >> Thanks. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >

6 years, 7 months

1
0
0 / 0

REST api and the Admin Client Java Wrapper

by Chris Smith

I'm trying to use the REST java api. My maven dependencies <dependencies> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-admin-client</artifactId> <version>7.0.0-SNAPSHOT</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-client</artifactId> <version>3.8.1.Final</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-jackson2-provider</artifactId> <version>3.8.1.Final</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-multipart-provider</artifactId> <version>3.8.1.Final</version> </dependency> </dependencies> I can create a keycloak instance and get a RealmRepresentation. The RealmRepresentation looks like I expect it should, matching what I see in the KC console. When I try to get users or federated users, a null is returned. Here is a code snip Keycloak keycloak = Keycloak.getInstance( serverUrl, realmName, username, password, clientId); RealmResource realmsResource = keycloak.realm("fms-sso"); RealmRepresentation realm = realmsResource.toRepresentation(); List<UserRepresentation> userRepresentations = realm.getFederatedUsers(); userRepresentations.stream().forEach(this::printUser); userRepresentations = realm.getUsers(); userRepresentations.stream().forEach(this::printUser); realm.getFederatedUsers(); and realm.getUsers() both return null, not even an empty list. Is there something required before getting the users from a RealmRepresenetation?

6 years, 7 months

2
2
0 / 0

Incorrect redirect_uri in Authorization Code Flow

by Julián D. Zorzenón

Hi, I'm trying to setup a public client in Keycloak 6.0.1 to make an Authorization Code Flow to work but it fails on the post after the redirect. 1. I've create the following client in the realm "test": client id => keycloak-java-form-example enabled => on client protocol => openid-connect access type => public standard flow enabled => on valid redirect uris => http://localhost:9090/* 2. Manually created a user. 3. Created a simple app. When you go to http://localhost:9090/ it redirects to: https://keycloak.server:8443/auth/realms/test/protocol/openid-connect/aut... 4. I log in in the form and get the response on the endpoint http://localhost:9090/cb with a code (for example: 337f8ec8-dbdd-4965-b538-e5a4fbfff6b4.4cb543a8-1585-4bd0-b174-031288cf3032.cf57276c-98a9-48d3-b460-c678af3f8eb2). 5. I make the following POST request: POST https://keycloak.server:8443/auth/realms/test/protocol/openid-connect/token grant_type=authorization_code client_id=keycloak-java-form-example code=337f8ec8-dbdd-4965-b538-e5a4fbfff6b4.4cb543a8-1585-4bd0-b174-031288cf3032.cf57276c-98a9-48d3-b460-c678af3f8eb2 redirect_uri=http%3A%2F%2Flocalhost%3A9090%2Fcb The response is: 400 {"error":"invalid_grant","error_description":"Incorrect redirect_uri"} I'm not sure what I'm missing. Thanks

6 years, 7 months

2
2
0 / 0

The 'SAML Metadata IDPSSODescriptor' entry does not appear in the format option on the Keycloak SAML Client Installation tab.

by jiojiojijo fjafajfdsojo

Hello, I'm using Keycloak 4.8.3.Final now, and I'm trying to move to the Keycloak 6.0.1. The Keycloak 6.0.1 works fine without any problems, but I have a problem with the SAML client I set up to log in to the AWS web console. The documentation on how to work with Keycloak and AWS tells me to download metadata by selecting the 'SAML Metadata IDPSSODescriptor' item on the Keycloak Installation tab. - https://blog.scandiweb.com/article/sign-in-to-amazon-aws-using-saml-proto... But I couldn't find 'SAML Metadata IDPSSODescriptor' format option in the Keycloak Installation above 4.8.3 version. Only when I installed 4.8.3 I was able to see 'SAML Metadata IDPSSODescriptor' format option. Below is a screenshot showing the 'SAML Metadata IDPSSODescriptor' format option in the Keycloak 4.8.3.Final. This is good without any problem. [image: Screen Shot 2019-08-25 at 11.43.50 PM.png] But please see the screenshot of Keycloak 6.0.1 below. I couldn't find the SAML Metadata IDPSSODescriptor 'format option in that Keycloak 6.0.1. [image: Screen Shot 2019-08-25 at 11.45.58 PM.png] I made both versions of the Keycloak client setup the same but it works like this. I repeated the installation several times and got the same result. How has metadata been changed in the next version of Keycloak 4.8.3.Final? Please let me know if there is anything I can refer to. Thanks.

6 years, 7 months

1
0
0 / 0

Problem: ORA-00001: Unique Constraint Error by Ldap group in group

by Pühringer Stefan

Hallo! We are currently evaluate the keycloak version 6.0.1 , but we ran in an error while sync ldap groups in groups. My teststructure in ldap is: Testgroup (Top Level Group) -> Subgroup (Part of Testgroup) User 1 (Part of Subgroup) At the sync process we get following error: Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: Unique Constraint (KEYCLOAK.SIBLING_NAMES) verletzt at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:494) at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:446) at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:1054) at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:623) at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:252) at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:612) at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:226) at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:59) at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:910) at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1119) at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3780) at oracle.jdbc.driver.T4CPreparedStatement.executeInternal(T4CPreparedStatement.java:1343) at oracle.jdbc.driver.OraclePreparedStatement.executeLargeUpdate(OraclePreparedStatement.java:3865) at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3845) at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(OraclePreparedStatementWrapper.java:1061) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:175) ... 97 more Caused by: Error : 1, Position : 0, Sql = insert into KEYCLOAK_GROUP (NAME, PARENT_GROUP, REALM_ID, ID) values (:1 , :2 , :3 , :4 ), OriginalSql = insert into KEYCLOAK_GROUP (NAME, PARENT_GROUP, REALM_ID, ID) values (?, ?, ?, ?), Error Msg = ORA-00001: Unique Constraint (KEYCLOAK.SIBLING_NAMES) verletzt at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:498) ... 113 more Does someone have the same problem or a solution (i found this related and closed issue: https://issues.jboss.org/browse/KEYCLOAK-5405 )? Thanks! Stefan

6 years, 7 months

1
0
0 / 0

Logout after password change

by Himalaya Gupta

Hi, Can you please let me know if there is a setting to make the user logout of the session post password change, so that the user is forced to re-login using the new password? Thanks Scenario: 1. Login to Keycloak 2. Click on Account info. It redirects to " https://localhost:8080/auth/realms/testrealm/account/password <https://localhost:8100/auth/realms/deepikanew/account/password>" 3. On the password tab, change the password and click save 4. "Your password has been updated" message appears 5. The user is still on the same page We would require a logout to happen post successful password change. -- Best regards, Himalaya Gupta

6 years, 7 months

2
2
0 / 0

Query on high availability- HA of Keycloak docker

by vijay

Hi All, For development my setup has two keycloak containers on single VM along with postgres sql. I am following the document mentioned https://github.com/jboss-dockerfiles/keycloak/tree/master/server . I am starting the keycloak and keycloak2 docker containers with docker run -p 8080:8080 --name keycloak --link postgres:postgres -e JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -v $HOME/docker/volumes/keycloak:/tmp -d jboss/keycloak docker run -p 8081:8080 --name keycloak2 --link postgres:postgres -e JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -v $HOME/docker/volumes/keycloak2:/tmp -d jboss/keycloak In the server logs of both keycloak containers I see below error logs - 19:02:01,596 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.keycloak-server.war" is using a private module ("org.kie") which may be changed or removed in future versions without notice. 19:02:02,181 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 60) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalStateException: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70) at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.IllegalStateException: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:116) at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:58) at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:67) ... 7 more Caused by: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set at org.jgroups.protocols.JDBC_PING.verifyConfigurationParameters(JDBC_PING.java:421) at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:102) at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:847) at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:837) at org.jgroups.JChannel.<init>(JChannel.java:200) at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:116) at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:96) ... 9 more Any hint will be helpful. Thanks, Vijay

6 years, 7 months

2
1
0 / 0

Getting error while doing HA in docker

by vijay

Hi, I am getting the below error message while setting up two containers in single host. Followed this document to setup - https://www.keycloak.org/2019/04/keycloak-cluster-setup.html 19:37:43,485 ERROR [org.jgroups.protocols.JDBC_PING] (thread-9,ejb,568064445f53) JGRP000138: Error reading JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 47 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:225) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:197) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:124) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:37:43,487 ERROR [org.jgroups.protocols.JDBC_PING] (thread-9,ejb,568064445f53) JGRP000145: Error updating JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 13 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:120) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.jgroups.protocols.JDBC_PING.delete(JDBC_PING.java:339) at org.jgroups.protocols.JDBC_PING.writeToDB(JDBC_PING.java:142) at org.jgroups.protocols.JDBC_PING.write(JDBC_PING.java:125) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:128) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:38:21,918 ERROR [org.jgroups.protocols.JDBC_PING] (thread-10,ejb,568064445f53) JGRP000138: Error reading JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 47 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:225) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:197) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:124) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:38:21,922 ERROR [org.jgroups.protocols.JDBC_PING] (thread-10,ejb,568064445f53) JGRP000145: Error updating JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 13 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:120) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.jgroups.protocols.JDBC_PING.delete(JDBC_PING.java:339) at org.jgroups.protocols.JDBC_PING.writeToDB(JDBC_PING.java:142) at org.jgroups.protocols.JDBC_PING.write(JDBC_PING.java:125) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:128) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386)

6 years, 7 months

2
1
0 / 0

check-sso not working as expected with iframe

by Mohsin Ilyas

Hi, Below is my simple logic in my application to re-establish connection with keycloak when a page is reloaded. However, the iframe doesn’t seem to work well with ‘check-sso’. Because, I have opened the application in one tab and in other tab I have opened keycloak but when I logout of keycloak my application doesn’t get logout, however, if I use ‘login-required’ the application logs out simultaneously with keycloak. Can someone take a look, or help me with this? (P.s: I have tried to set checkIframLogin: true in the init options but it doesn’t work for me) Thanks.

6 years, 7 months

3
2
0 / 0

Hiding the Login elements when we know that the user must Register

by Andrew Braae

Summary ------- We would like to improve the Keycloak experience for our new users by removing all of the the Login elements (Email, Password, Remember me, Forgot password, Login button) on the left hand side of the Keycloak page, when we know that the user does not have an account in Keycloak already. We would also like to pre-populate the Email field on the register page with the user's email. The thing that makes of these appear possible in our scenario is that the user arrives at the Keycloak protected page via an invite link that contains their email address. Are these possible? How can we go about it? More details --------- We'd like to make the Keycloak experience simpler/more obvious for new users. In our scenario: - we know the users email address, e.g. fred(a)gmail.com (it's in our own application database) - we have emailed the user a link to a Keycloak-protected invite page - we allow Google, LinkedIn and email/password signin on the realm Here are the current usability problems that we are seeing when the new users follow their invite link. 1) Keycloak invites the user to enter their email and password to Log in. However since we know their email, we could tell in advance that Login will not work if they are not a Keycloak user already - they will have to register. This is confusing to some subset of them, and they contact us saying e.g. "it looks like I need a password, can you send it to me?". (They don't think to click Register). 2) If they do click Register, then Keycloak allows them to enter any email address. However, only fred(a)gmail.com will do, since that is who the invite is for. Users rightfully feel confused/peeved that they have to type in their email address, when they just clicked through from an email in that same email account. Any assistance gratefully appreciated.

6 years, 7 months

2
1
0 / 0

High Availability, Active Directory LDAPS and Keycloak AD Federation

by Chris Smith

When my LDAPS url = ldaps://ad-dc-01.xxx-apps.com My connection is successful and my bind DN and credential successfully authenticate When my LDAPS url = ldaps://xxx-apps.com My connection is successful but my bind DN and credential do not successfully authenticate. The AD forest has 2 domain controllers, ad-dc-01 and ad-dc-02. What is the proper LDAPS url for high availability AD federation?

6 years, 7 months

1
0
0 / 0

IdentityBroker SAML transient NameID-Format

by keycloak＠phoefer.at

Hi, I'm using Keycloak for IdentityBrokering with an external SAML-Identity-Provider Unfortunately the external SAML Provider only supports transient NameID <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</NameID> ... </Subject When I log-in through the external IDP Kecloak generates a local user and links it with this (temporaty) Broker-ID. If I log-in again later, another different temporary user is generated. Is there a possibility to a) use some SAML-Attributes as brokerID (because they include a "unique" ExternalUser-ID) - so only one keycloak account is created for one external user or b) do not create a internal keycloak user at all Or maybe you have another good idea for handling the issue without ending up with thousands of KC-users ;-) Thanks for help

6 years, 7 months

2
1
0 / 0

Group LDAP Storage Mapper

by Travis De Silva

Hi, Isn't there any way to update the USER_GROUP_MEMBERSHIP table when an LDAP group mapper period sync runs? As per a comment from @Marek Posolda <mposolda(a)redhat.com> in this Jira comment https://issues.jboss.org/browse/KEYCLOAK-4918 and also by going over the code in https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main... line 596, looks like Keycloak will upgrade the LDAP group membership only when the group mapper is created initially when synced. All other subsequent calls are not updating the table. Any idea why this condition is there? Cheers Travis

6 years, 7 months

2
1
0 / 0

Keycloak HTTP 2

by Hammad Haqqani

Hi Folks, Once we enabled http2 on our website it broke our Keycloak authentication. Do we need to upgrade our setup or there any setting we need to enable please let me know. Current version : keycloak-2.5.1.Final Hammad Haqqani Devops Engineer [Xome_Logo_Email]<http://www.xome.com/> This e-mail communication and any attachments may contain confidential, copyrighted, and legally privileged information for use solely by the designated recipients to which this e-mail is addressed. If you are not the intended recipient, you are hereby notified that you have received this communication in error, and that any review, disclosure, dissemination, distribution, or copying of this message or its contents is prohibited and may be subject to governing laws protecting its disclosure. If you have received this communication in error, please notify Xome immediately by e-mail at postmaster(a)xome.com and destroy all copies of this communication and any attachments.

6 years, 7 months

2
3
0 / 0

jboss-cli.sh CLI script setup of subsystem=undertow FAILs at "javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication"?

by PGNet Dev

I'm setting up keycloak (8.0.0/head, atm) for ops behind an ssl terminating proxy. In "standalone.xml" I want to change, <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> to, <server name="default-server"> <http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" /> <https-listener name="https" socket-binding="https" enable-http2="true" security-realm="UndertowRealm" /> I'd like to do this with scripting CLI, eventually for orchestrated deployment. checking mgmt access, open/display of gui /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --gui works fine -- I can read all my controller's data/props/etc. I've created a script/batch input file cat /tmp/https.cli /subsystem=undertow/server=default-server/http-listener=default/:list-clear /subsystem=undertow/server=default-server/https-listener=https/:list-clear /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=socket-binding,value=http):write-attribute(name=enable-http2,value=true):write-attribute(name=proxy-address-forwarding,value=false) /subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=socket-binding,value=https):write-attribute(name=enable-http2,value=true):write-attribute(name=security-realm,value=UndertowRealm) but exec of cli, with that^ input, fails /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --file=/etc/keycloak/https-setup.cli \ Failed to connect to the controller: Unable to authenticate against controller at 10.0.0.1:9990: Authentication failed: all available authentication mechanisms failed: DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication in 'standalone.xml', the auth mech IS defined, ... <sasl> <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" s <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> >> <mechanism mechanism-name="DIGEST-MD5"> <mechanism-realm realm-name="ApplicationRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" se <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> >> <mechanism mechanism-name="DIGEST-MD5"> <mechanism-realm realm-name="ManagementRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> ... WHY is that mech being rejected? Where are the allowed/available auth "mechanism-name" listed/documented? And, ideally, their usage?

6 years, 7 months

1
1
0 / 0

Fwd: how to connect to a mysql database.

by Hugo Cosme (GMAIL)

Hi class, how are you? I have some difficulties getting keycloak to connect to a mysql database, I am not sure which files I must edit in order for the connection to happen. I'm using version 6.0.1, and I'm doing it via Docker ... Has anyone done anything like this? Or do you know which files to edit?

6 years, 7 months

4
3
0 / 0

KeyCloak performance.

by Дима Жданов

Hi. I try to understand Keycloak performance. Where can I find any performance report?

6 years, 7 months

3
2
0 / 0

gatekeeper: cannot download big files

by A. Ilchinger

Hello, in our setup we secure a service via keycloak and access its web frontend through a gatekeeper proxy. Access is done from two locations: 1) Inside the same network. 2) From an offsite location While the first works fine, the latter has problems. Authenticating and the access itself work fine, but retrieving large files from the web application (we encountered this with a 16MB javascript file) fails. The file is downloaded incomplete. We checked the network. Connections speed is fine, there are no other proxies or firewalls in between. So from all our investigation it looks like gatekeeper is the pint of failure (logs look unsuspicious though). Do you have any hints or ideas what else we could try? Are there maybe some config options to try out?

6 years, 7 months

2
1
0 / 0

SPI For CAS Ticket Proxy

by ext.jose.luis.anton＠altia.es

Good morning, I am working with keycloak 5.0.0 and I'd need to make Keycloak act as Proxy ticket service and proxy ticket validation as parto f the implementation of CAS 2.0 Is there any SPI that I can consume or do I need to implement it? Thanks in advance. Best regards

6 years, 7 months

2
1
0 / 0

Using urn:ietf:wg:oauth:2.0:oob

by Frans van Niekerk

I am investigating the possibility to obtain the authorisation code from another channel to hopefully remove the need to have the user log into keycloak from a redirect the client initiated. It does seem like section 2.4.5 Redirect URLs (specifically the use of urn:ietf:wg:oauth:2.0:oob) allows for this. Where in Keycloak can the the authorisation token be obtained in this case? Can it be requested via API from another trusted application? Is it possible for a user to setup consent beforehand, then when the client asks for authorisation it is returned immediately instead of waiting for user interaction?

6 years, 7 months

2
1
0 / 0

Disabling HTTPS Requirement

by Carrington Ellis

Reference: https://issues.jboss.org/browse/KEYCLOAK-9889 The reverse proxy in use has HTTPS enabled, “X-Forward-Proto along” with all it’s variants are set. Additionally I have enabled “PROXY_ADDRESS_FORWARDING” by setting this to true and “KEYCLOAK_ALWAYS_HTTPS” to false, yet attempting to access the Administration Console, I’m met with “We’re sorry: HTTPS required”. Despite having a HTTPS Proxy, the necessary headers set, Address Forwarding enabled, and Always HTTPS disabled, I’m still unable to access my Administration Console. I’ve linked a reference to the bug which is eerie similar to the same thing I’m experiencing currently, except that report was filled back on Version 5.0, and we are currently on 6.0, with 8.0 right on the horizon. Is there something missing here to disable this HTTPS check that appears to not function properly? If reverse proxying IS unsupported (which it shouldn’t be by any means), then this should be explicitly written in the documentation to prevent anyone from further attempting applying TLS in this manner.

6 years, 7 months

2
1
0 / 0

mvn build of keycloak/6.0.1, with tests DISabled -- fails at tests ... missing flag? or bug?

by PGNet Dev

building keycloak release6, git checkout 6.0.1 git log | head commit 217e2ee4721c069bb977e40fd9a03dc08e2d42a9 Author: keycloak-bot <keycloak.bot(a)gmail.com> Date: Wed Apr 24 06:22:09 2019 +0000 Set version to 6.0.1 commit 65326ce16af0901824ebd5635b1f6e9acbea1e66 Author: Hynek Mlnarik <hmlnarik(a)redhat.com> Date: Mon Mar 11 09:48:10 2019 +0100 with java -version openjdk version "1.8.0_222" OpenJDK Runtime Environment (IcedTea 3.13.0) (build 1.8.0_222-b10 suse-lp151.333.1-x86_64) OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode) mvn -version Maven home: /usr/share/java/maven Java version: 1.8.0_222, vendor: IcedTea, runtime: /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "5.2.9-25.g71d4424-default", arch: "amd64", family: "unix" git --version git version 2.23.0 build exec with tests intended to be DISabled, mvn \ --errors \ --activate-profiles distribution \ -Dmaven.test.skip=true \ clean \ install FAILs -- at tests: "Failure to find org.keycloak.testsuite:integration-arquillian-tests-base", in more detail, ... [INFO] Tests .............................................. SUCCESS [ 0.208 s] [INFO] Base TestSuite ..................................... SUCCESS [ 24.875 s] [INFO] Other Tests Modules ................................ SUCCESS [ 0.036 s] [INFO] Adapter Tests ...................................... SUCCESS [ 0.035 s] [INFO] Adapter Tests - JBoss .............................. SUCCESS [ 0.034 s] [INFO] Adapter Tests - Karaf .............................. SUCCESS [ 0.034 s] [INFO] Adapter Tests - WAS ................................ SUCCESS [ 0.034 s] [INFO] Adapter Tests - WLS ................................ SUCCESS [ 0.034 s] [INFO] SSSD tests ......................................... FAILURE [ 0.305 s] [INFO] integration-arquillian-tests-springboot ............ SKIPPED [INFO] Keycloak AS7 / JBoss EAP 6 Adapter Distros ......... SKIPPED [INFO] Distribution Parent ................................ SKIPPED [INFO] Keycloak Distribution Licenses Common .............. SKIPPED [INFO] Keycloak Distribution Maven Plugins Parent ......... SKIPPED [INFO] Keycloak Licenses Processor Maven Plugin ........... SKIPPED [INFO] Keycloak AS7 / JBoss EAP 6 Modules ................. SKIPPED [INFO] Keycloak JBoss EAP 6 Adapter Distro ................ SKIPPED [INFO] Keycloak AS7 Adapter Distro ........................ SKIPPED [INFO] Keycloak OSGI Features ............................. SKIPPED [INFO] Keycloak OSGI JAAS Realm Configuration ............. SKIPPED [INFO] Keycloak Fuse Adapter Distro ....................... SKIPPED [INFO] Keycloak JS Adapter Distribution ................... SKIPPED [INFO] Keycloak OSGI Integration .......................... SKIPPED [INFO] Feature Pack Builds ................................ SKIPPED [INFO] Keycloak Feature Pack: Adapter ..................... SKIPPED [INFO] Adapters Distribution Parent ....................... SKIPPED [INFO] Keycloak Adapter Overlay Distribution .............. SKIPPED [INFO] Keycloak Tomcat 6 Adapter Distro ................... SKIPPED [INFO] Keycloak Tomcat 7 Adapter Distro ................... SKIPPED [INFO] Keycloak Tomcat 8 Adapter Distro ................... SKIPPED [INFO] Keycloak Jetty 9.2.x Adapter Distro ................ SKIPPED [INFO] Keycloak Jetty 9.3.x Adapter Distro ................ SKIPPED [INFO] Keycloak Jetty 9.4.x Adapter Distro ................ SKIPPED [INFO] Keycloak Wildfly 8 Modules ......................... SKIPPED [INFO] Keycloak Wildfly 8 Adapter Distro .................. SKIPPED [INFO] Keycloak Wildfly 8 Adapter ......................... SKIPPED [INFO] Keycloak JS Adapter NPM Distribution ............... SKIPPED [INFO] Keycloak SAML Wildfly Modules ...................... SKIPPED [INFO] Keycloak SAML Wildfly Adapter Distro ............... SKIPPED [INFO] Keycloak Wildfly SAML Adapter ...................... SKIPPED [INFO] Keycloak SAML AS7 / JBoss EAP 6 Adapter Distros .... SKIPPED [INFO] Keycloak SAML AS7 / JBoss EAP 6 Modules ............ SKIPPED [INFO] Keycloak SAML JBoss EAP 6 Adapter Distro ........... SKIPPED [INFO] Keycloak SAML AS7 Adapter Distro ................... SKIPPED [INFO] Keycloak SAML Jetty 9.2.x Adapter Distro ........... SKIPPED [INFO] Keycloak SAML Jetty 9.3.x Adapter Distro ........... SKIPPED [INFO] Keycloak SAML Jetty 9.4.x Adapter Distro ........... SKIPPED [INFO] Keycloak SAML Tomcat 6 Adapter Distro .............. SKIPPED [INFO] Keycloak SAML Tomcat 7 Adapter Distro .............. SKIPPED [INFO] Keycloak SAML Tomcat 8 Adapter Distro .............. SKIPPED [INFO] SAML Adapters Distribution Parent .................. SKIPPED [INFO] Keycloak Feature Pack: Server ...................... SKIPPED [INFO] Keycloak Server Distribution ....................... SKIPPED [INFO] Keycloak Server Overlay Distribution ............... SKIPPED [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 03:19 min [INFO] Finished at: 2019-08-21T14:09:52-07:00 [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal on project integration-arquillian-tests-sssd: Could not resolve dependencies for project org.keycloak.testsuite:integration-arquillian-tests-sssd:jar:6.0.1: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project integration-arquillian-tests-sssd: Could not resolve dependencies for project org.keycloak.testsuite:integration-arquillian-tests-sssd:jar:6.0.1: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies (LifecycleDependencyResolver.java:269) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies (LifecycleDependencyResolver.java:147) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:248) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:202) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) Caused by: org.apache.maven.project.DependencyResolutionException: Could not resolve dependencies for project org.keycloak.testsuite:integration-arquillian-tests-sssd:jar:6.0.1: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve (DefaultProjectDependenciesResolver.java:209) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies (LifecycleDependencyResolver.java:243) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies (LifecycleDependencyResolver.java:147) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:248) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:202) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) Caused by: org.eclipse.aether.resolution.DependencyResolutionException: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies (DefaultRepositorySystem.java:352) at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve (DefaultProjectDependenciesResolver.java:202) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies (LifecycleDependencyResolver.java:243) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies (LifecycleDependencyResolver.java:147) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:248) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:202) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve (DefaultArtifactResolver.java:423) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts (DefaultArtifactResolver.java:225) at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies (DefaultRepositorySystem.java:335) at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve (DefaultProjectDependenciesResolver.java:202) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies (LifecycleDependencyResolver.java:243) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies (LifecycleDependencyResolver.java:147) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:248) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:202) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.newException (DefaultUpdateCheckManager.java:219) at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.checkArtifact (DefaultUpdateCheckManager.java:192) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.gatherDownloads (DefaultArtifactResolver.java:564) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads (DefaultArtifactResolver.java:482) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve (DefaultArtifactResolver.java:400) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts (DefaultArtifactResolver.java:225) at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies (DefaultRepositorySystem.java:335) at org.apache.maven.project.DefaultProjectDependenciesResolver.resolve (DefaultProjectDependenciesResolver.java:202) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.getDependencies (LifecycleDependencyResolver.java:243) at org.apache.maven.lifecycle.internal.LifecycleDependencyResolver.resolveProjectDependencies (LifecycleDependencyResolver.java:147) at org.apache.maven.lifecycle.internal.MojoExecutor.ensureDependenciesAreResolved (MojoExecutor.java:248) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:202) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:498) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347) [ERROR] [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExce... [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvn <goals> -rf :integration-arquillian-tests-sssd At this stage, my goal is just a successful full dist, release build -- without tests. What 'mvn' flags fully DISable _all_ tests -- &/or specifically, the "arquillian" test suite?

6 years, 7 months

2
2
0 / 0

Pure OAuth2.0 provider

by bob sheknowdas

Can keycloak handle a pure OAuth2.0 identity provider? I know that an OIDC-IDP can be used as an external identity provider. But what about providers, that dont support identity tokens but only access tokens? Does anyone have any experience with that? Best regards Bob

6 years, 7 months

2
1
0 / 0

Java Adapter - Claim body removes content

by Felipe Roca

Hi Guys, I was creating a small PEP for a third party service API using the keycloak authorization service. My idea was to check whether an user is allowed to perform certain operation based on some body parameters, but it turns out that the body claim left the body content unsusable for the proxy application. What do you think? Is this a bug or an expected behavior? For a better understanding, here you can find my configuration file and controller class. I am using keycloak-spring-boot-starter and keycloak-authz-client version 6.0.0 maven modules but I tried also with 6.0.1 and same results. keycloak.realm=spring-boot-quickstart keycloak.auth-server-url=http://example.local/keycloak/auth keycloak.ssl-required=external keycloak.resource=app keycloak.bearer-only=true keycloak.credentials.secret=c23a55c0-0c96-4e28-8922-c47f918c2102 keycloak.securityConstraints[0].authRoles[0]=user keycloak.securityConstraints[0].securityCollections[0].name=protected keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/version keycloak.securityConstraints[0].securityCollections[0].patterns[1]=/admin/* keycloak.securityConstraints[0].securityCollections[0].patterns[2]=/v1/* keycloak.securityConstraints[0].securityCollections[0].patterns[3]=/v2/* keycloak.policy-enforcer-config.enforcement-mode=ENFORCING keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.uri]={request.relativePath} keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-service]={request.header['service']} keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-servicepath]={request.header['servicepath']} keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.id]={request.body['/id']} @RestController public class ProxyController { @Value("${proxy.schema}") private Stringschema; @Value("${proxy.host}") private Stringhost; @Value("${proxy.port}") private int port; private RestTemplaterestTemplate; @Autowired public ProxyController() { restTemplate =new RestTemplate(); restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory()); restTemplate.setErrorHandler(new BlankResponseErrorHandler()); } @RequestMapping(value ="/login", produces ="application/json", method =POST) public ResponseEntity<Login> login(@RequestBody Login login) { return ResponseEntity.ok().body(login); } @RequestMapping(value ="/**", produces ="application/json", method = {GET,DELETE,HEAD,OPTIONS}) public ResponseEntity<String> proxyRequestWithoutBody(HttpMethod method, HttpServletRequest request)throws URISyntaxException { return restTemplate.exchange(buildUri(request), method,new HttpEntity<String>(copyHeaders(request)), String.class); } @RequestMapping(value ="/**", produces ="application/json", method = {POST,PUT,PATCH}) public ResponseEntity<String> proxyRequest(@RequestBody String body, HttpMethod method, HttpServletRequest request)throws URISyntaxException { return restTemplate.exchange(buildUri(request), method,new HttpEntity<>(body, copyHeaders(request)), String.class); } private URI buildUri(HttpServletRequest request)throws URISyntaxException { return new URI(schema,null,host,port, request.getRequestURI(), request.getQueryString(),null); } private HttpHeaders copyHeaders(HttpServletRequest request) { HttpHeaders httpHeaders =new HttpHeaders(); for (String headerName : Collections.list(request.getHeaderNames())) { if (!headerName.equals("host")) httpHeaders.add(headerName, request.getHeader(headerName)); } return httpHeaders; } } Thank you in advance, Best regards, Felipe -- Felipe Roca Blaya Software Engineer - HOP Ubiquitous S.L. www.hopu.eu <http://www.hopu.eu> C/Luis Buñuel 6 30562, Ceutí, Murcia. Spain - logo_hop <http://www.hopu.eu/> - face <https://www.facebook.com/hopubiquitous/> Twitter <https://twitter.com/HOPUbiquitous> google <https://plus.google.com/+HOPUbiquitousCeut%C3%AD?hl=es> vimeo <https://vimeo.com/hopu> linkedin <https://www.linkedin.com/company-beta/3810080/>

6 years, 7 months

2
1
0 / 0

UMA and large resource sets

by Asbjørn Dyhrberg Thegler

Hello there, I am implementing a Node.js resource server and I currently struggle with figuring out how to let a user list all their resources from a specifict resource set. For example, a user can GET /activities and get all their own activities, but not other users. I am not certain of how to create a UMA permission ticket for that request, since don't already know the IDs of the users activities. Further, the user could have access to other users activities through resource sharing. This list is potentially very large, (as in thousands of IDs), and I don't imagine putting that large a JWT in a header is a good idea either. What is the recommended way to handle this? I am wondering if I should let the resource server itself query KeyCloak for a list of IDs for all its own activities and activities shared with the user - but I can't seem to figure out what API endpoint that lets me do this in KeyCloak 6.0.1, since the Entitlement API has been deprecated. Thanks for your help, I really enjoy working with KeyCloak so far. :) Regards, Asbjørn

6 years, 7 months

2
2
0 / 0

Is there clear x509 configuration in a domain clustered environment using external DB

by JTK

I've stood up a stand-alone version to use x509 and with the help off this list I was able to get it working, but the configuration documentation is not clear for setting it up in a domain clustered environment. For example ssl-realm is added to standalone.xml to get it to work in conjunction with the https-listener and browser flow, but in the clustered domain setup, you don't configure domain.xml with the additional ssl-realm information. i.e. <security-realm name="ssl-realm"> <server-identities> <ssl> <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/> </ssl> </server-identities> <authentication> <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/> </authentication> & <https-listener name="https" socket-binding="https" security-realm="ssl-realm" enabled-protocols="TLSv1.2" verify-client="REQUESTED" enable-http2="true"/> I did add that information to the host.xml and even the host-master.xml file, but I'm not getting prompted for my cert. This is what I'm running to launch KeyCloak with the debug setup for SSL,handshake /opt/keycloak/bin/domain.sh --host-config=host-master.xml -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=10.10.10.7 -Djboss.bind.address=10.10.10.7 -Djboss.bind.address.private=10.10.10.7 -Djboss.https.port=443 -Djboss.tx.node.id=dev-master -Djboss.node.name=dev-master -Djava.security.egd=file:/dev/./urandom -Djavax.net.debug=ssl,handshake I also have this enabled in domain.xml <logger category="org.keycloak.authentication.authenticators.x509"> <level name="TRACE"/> </logger> <logger category="org.keycloak.services.x509"> <level name="TRACE"/> </logger> Do I need to enable debug for console below in domain.xml to get more detailed info? Right now it's set to INFO <console-handler name="CONSOLE"> <level name="DEBUG"/> I have the Root CA and the intermediate loaded for the x509 cert which I am presenting. I've double checked the Browser Flow, which is setup just like the working standalone. I just want to make sure there isn't something else I'm missing because there seems to be a lack of clarity from the standalone setup vs the domain clustered setup. For now, I'm using just the master node, to ensure I'm not hitting the slave node when testing. Thanks

6 years, 7 months

1
0
0 / 0

Per-client authorization

by Chris Boot

Hi all, I'm trying to restrict which OIDC clients users can login to based on roles or group membership. I can't believe this isn't something built-into Keycloak yet, but it seems that way. I had previously experimented with per-client Authorization settings, applying policies to Resources. I could have sworn this worked at some point, but it doesn't now. AIUI it seems to require the use of the Keycloak Gatekeeper or other Keycloak-specific code, so it's not going to work for most of my applications. As far as I can tell, the only way to make this work is using a custom authentication flow: https://stackoverflow.com/a/54384513/9531301 Is this indeed the only way to make this work? Is there a way of stopping such clients from being shown on the Account Management => Applications screen without globally removing the offline_access role for all users? Thanks, Chris -- Chris Boot bootc(a)boo.tc

6 years, 7 months

1
1
0 / 0

IS there is Keycloak REST API for users

by Shiva Prasad Thagadur Prakash

Hi Guys, Does keycloak have user REST API like it has keycloak admin REST API? If so, is there a documentation for user REST API? For example, can a user himself change or reset his password via REST API instead of doing it through the UI? Eagerly waiting to hear from you. Thanks, Shiva

6 years, 7 months

3
3
0 / 0

IdP Initiated SSO

by Chris Stephens

Hello, Thanks for the great product. We have set up several instances of keycloak as the SP utilizing SP-Initiated SSO to external IdPs. Everything in that process is going smoothly. We have an external IdP that wants us to use IdP-initiated SSO to connect to their IdP. The current client protocol is openid-connect. We are using keycloak 5.0. 1. Is it possible for a keycloak service provider client using the openid-connect protocol to perform IdP-initiated SSO. I believe we have to set the client up using the saml protocol. Is this correct? 1a. If it is not possible, are there any workarounds that I can use? My app is using an openid-connect public client. How can I use IdP-initiated SSO in this scenario 2. We need to provide the IdP the public key used to sign the assertions. Are the keys used to sign the assertions located in the keycloak admin console > realm settings > keys > Providers tab? Thanks, Christopher Stephens Software Engineer | EdLogics chris.stephens(a)edlogics.com

6 years, 7 months

2
1
0 / 0

Keycloak "SSSD" user federation option doesn't shows up on the drop down menu

by Miroslav Beranič

Hi all, I have same problems as described in an existing JIRA: https://issues.jboss.org/browse/KEYCLOAK-8095 I have followed suggested documentation located at: https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd With differences: - I do not use docker - using standalone computer node - I use DNS, so I did not update /etc/hosts file - I run as root user ( I've tried both - with dedicated user also, same result ) ( in file /etc/sssd/sssd.conf I have : [ifp] allowed_uids = root ) [root@sso keycloak-8.0.0-SNAPSHOT]# sssctl user-checks admin -s keycloak user: admin action: acct service: keycloak SSSD nss user lookup result: - user name: admin - user id: 804200000 - group id: 804200000 - gecos: Administrator - home directory: /home/admin - shell: /bin/bash SSSD InfoPipe user lookup result: - name: admin - uidNumber: 804200000 - gidNumber: 804200000 - gecos: Administrator - homeDirectory: /home/admin - loginShell: /bin/bash - sn: Administrator testing pam_acct_mgmt pam_acct_mgmt: Success PAM Environment: - no env - Is there any additional validation test I can run, to validate server setup? Kind Regards, Miroslav -- Miroslav Beranič MIBESIS miroslav.beranic(a)mibesis.si https://www.mibesis.si

6 years, 7 months

1
1
0 / 0

Help getting External token to Internal Token Exchange right

by Leandro Del Sole

Hello, I've been struggling to get the https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to... working. First, I tried on version 3.4, the first version to have this feature. In my company, we're slowly updating our version of Keycloak, it is a bit old. After some tries, I changed Keycloak version to 6.0.1 because I think it will be easier for me get support from you. I got same error in both versions. Below is described the scenario in 6.0.1: Well, I want to get an external token, minted by another realm of my own keycloak "connect", and exchange it to an internal token, of another realm of my keycloak "emm". To enable this feature and others as test, I included in standalone.conf: JAVA_OPTS="$JAVA_OPTS -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile=preview -Dkeycloak.profile.feature.scripts=enabled" This enabled the Permission tab as expected. However, after opening it, when I click in "Permissions Enabled" to change the switch from off to on, the message pops up "*Error!* An unexpected server error has occurred" This happens in both Permissions tab, in client edit and IDP edit. In the server log: > 17:07:48,338 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > (default task-5) Uncaught server error: java.lang.NullPointerException > at > org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:263) > at > org.keycloak.services.resources.admin.permissions.MgmtPermissions.findOrCreateResourceServer(MgmtPermissions.java:242) > at > org.keycloak.services.resources.admin.permissions.ClientPermissions.initialize(ClientPermissions.java:95) > at > org.keycloak.services.resources.admin.permissions.ClientPermissions.setPermissionsEnabled(ClientPermissions.java:198) > at > org.keycloak.services.resources.admin.ClientResource.setManagementPermissionsEnabled(ClientResource.java:658) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) .... it continues, but has no other cause or information on the stack. In version 3.4.2, the stack is: > 16:43:34,740 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > (default task-28) Uncaught server error: java.lang.NullPointerException > at > org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:262) ... I tried to run a curl to make the exchange and the error is the same as above. Additionally, I tried is to make the exchange with a Google IDP as in https://www.mathieupassenaud.fr/token-exchange-keycloak/, using the Google OAuth Playground. Same error again. I hope someone can help me or point a resource, like a tutorial that covers all steps and they work properly. Best Regards and thank you in advance, Leandro Del Sole

6 years, 7 months

1
1
0 / 0

Keycloak ERROR: ailed to add user 'xxx' to realm 'xxx': user with username exists

by Hossein Doutaghy

Hi, We are seeing the following errors in the server.log of those keycloak servers that use a database that had been already initialized before and already has all the tables. As far as I know, these errors are expected as the realm and user already exist in the database. We do not want to forward these errors to our logging server, so is there a way to remove/disable these logs? 06:19:46,301 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 59) SQL Error: 1062, SQLState: 23000 06:19:46,302 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 59) (conn=58) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6' 06:19:46,353 ERROR [org.keycloak.services] (ServerService Thread Pool -- 59) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists Thanks, Moe Doutaghy

6 years, 7 months

1
0
0 / 0

Keycloak adapter in Wildfly domain mode

by No Reply (Conta de Teste)

Hello, I am using wildfly 10.1.0.Final as Domain Controller with 2 slaves. I have found documentation about installing keycloak adapter just in standalone mode. Anyone has documentation with steps to install it at domain mode? When I try to deploy an application, I receive this message: UT010039: Unknown authentication mechanism KEYCLOAK"}, Thanks for your response.

6 years, 7 months

1
0
0 / 0

Alternative authentication systems: SPI, token exchange. or IDP?

by Aaron Harnly

Hi all, I'd like your thoughts on the best way to integrate, in an adequately decoupled way, "alternative" login systems with Keycloak. Background: We are building or have built support for alternative authentication mechanisms, including the LTI standard for education technology single-sign-on, QR code-based login for young students, simple "autologin" buttons for demo accounts, and other alternative login methods for very young students. We see three obvious options for implementing these: 1. Authentication SPI (ie build a custom authenticator flow and package it into Keycloak) 2. Token exchange (ie the upstream system performs its authentication, then does token exchange to obtain a token for the target user, placing it into a Keycloak cookie) 3. IDP, ie the upstream system performs its authentication, then acts as an IDP to Keycloak via SAML or Oauth Currently we've done pathway #2, which is relatively decoupled, requiring a single POST from the authenticator to Keycloak. But we don't love that we have to (as we understand it) place the token into a Keycloak cookie, which feels like we're diving into Keycloak internals. #1 (Authentication SPI) seems reasonable, but couples very tightly to Keycloak, and requires that it be built in Java, which not all of our teams prefer, and couples development and deployment with Keycloak. I'd love to hear about experiences from people who have built Authentication SPIs, though. #3, building a wholly separate authenticator which uses SAML or Oauth to establish Keycloak sessions, is very decoupled, but requires incorporating Oauth or SAML libraries and keeping them all up to date, which is sort of why we've invested in Keycloak to begin with :) Any thoughts? -Aaron

6 years, 7 months

1
0
0 / 0

Access tokens in Queue based systems

by Pavel Micka

Hello everyone, We are using Keycloak (OIDC) in our system and it has proven to be a great solution for http based communication. But we have slight issue with figuring out how to correctly pass the access tokens through queues. The point is that we have a partially a streaming system and we want to make sure that if an attacker manages to send the messages to Rabbit, the messages will not be authorized by clients. That is the theory. We can send the access tokens through the queue... but the messages may rot in the queue for quite some time (our SLA is in hours), so that would mean long validity of the token (and that may cause issues in case the token is somehow leaked). Better option would be to have a long validity token, but scope it to the content of the message. But you know...streaming application... there can be thousands of messages a second. And that may cause big scalability issues when bombarding keycloak for each and every message in the system. Is there some better approach with OIDC? Or should I look on some additional non-KC solution? Thanks! Pavel

6 years, 7 months

2
3
0 / 0

Using nginx as a reverse proxy for Keycloak 6.0.1 on a port other than 443

by Jannis Warnat

Hi all, I cannot get Keycloak 6.0.1 to work behind nginx as a reverse proxy for TLS termination with nginx listening on a port other than 443 (I try to configure it to use 8443). Here is what I did: - Set up nginx and Keycloak 6.0.1 in a user-defined Docker network (using docker-compose, see below for details) with self-signed certificates for localhost. - Environment variable PROXY_ADDRESS_FORWARDING is set to true for the Keycloak container. - Nginx listens for SSL connections on port 8443 and forwards to keycloak:8080 while adding x-forwarded headers. - According to the documentation (https://www.keycloak.org/docs/latest/server_installation/index.html#_sett...), I added the following to standalone-ha.xml: [...] <http-listener name="default" socket-binding="http" *redirect-socket="proxy-https"*proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/> [...] *<socket-binding name="proxy-https" port="8443"/>* [...] Yet when I check URL https://localhost:8443/auth/realms/master/.well-known/openid-configuration the URLs listed assume https standard port instead of 8443 for the listed endpoints, e.g. authorization_endpoint "https://localhost/auth/realms/master/protocol/openid-connect/auth" etc. I would expect authorization_endpoint "https://localhost:8443/auth/realms/master/protocol/openid-connect/auth" I put a minimal example on GitHub, the issue is reproducible like this: git clone https://github.com/janniswarnat/keycloak-minimal-example.git cd keycloak-minimal-example docker-compose up -d curl --insecure https://localhost:8443/auth/realms/master/.well-known/openid-configuration | jq Do I miss anything obvious? Thanks in advance and best regards Jannis -- Jannis Warnat ------------------------------ Research Associate User-Centered Ubiquitous Computing Fraunhofer Institute for Applied Information Technology FIT Schloss Birlinghoven, 53754 Sankt Augustin, GERMANY Phone:(+49) 2241 / 14 3673 Email: jannis.warnat(a)fit.fraunhofer.de ------------------------------ http://www.fit.fraunhofer.de/en http://www.fit.fraunhofer.de/en/fb/ucc/ubiquitous.html ------------------------------

6 years, 7 months

1
0
0 / 0

Permission request with no resources

by Corentin Dupont

Hi all, I find strange a little thing in the permissions API. If I request permissions with some resources in my client, it works well: $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#gateways:view&response_mode=permissions" The response is: [{"scopes":["gateways:update","gateways:view","gateways:delete"],"rsid":"gateway-GW1","rsname":"GW1"}] However, If I request permissions when there is no resources at all in my client: [{"scopes":["gateways:view"]}] Why not the empty list? Thanks a lot and good vacations! Corentin

6 years, 7 months

2
1
0 / 0

Violation in Password Change Form results in System Error using a user defined jpa storage provider

by Andreas Sättler

Hello, we are using a user defined storage provider for our application postgres db defined as ejb similar to https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage.... <https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage...> On the other hand we want to use keycloaks's password update forms including password policy configured in keycloak. The policies are checked in the upgradeCredential method and in case of violation a ModelException is thrown. But unfortunately the exception is caught as javax.ejb.EJBTransactionRolledbackException in org.keycloak.services.resources.account.AccountFormService#processPasswordUpdate: 2019-08-14 17:16:54,973 ERROR [org.keycloak.services] (default task-2) KC-SERVICES0065: Failed to update Password: javax.ejb.EJBTransactionRolledbackException: invalidPasswordMinLengthMessage at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:203) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:364) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438) at org.wildfly.security.elytron-private@1.8.0.Final//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:618) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422) at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53) at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198) at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81) at deployment.keycloak-ofbiz-provider-ear.ear.keycloak-ofbiz-provider.jar//com.zyres.keycloak.storage.OFBizUserStorageProvider$$$view2.updateCredential(Unknown Source) at org.keycloak.keycloak-services@6.0.1//org.keycloak.credential.UserCredentialStoreManager.updateCredential(UserCredentialStoreManager.java:168) at org.keycloak.keycloak-services@6.0.1//org.keycloak.services.resources.account.AccountFormService.processPasswordUpdate(AccountFormService.java:577) ... Caused by: org.keycloak.models.ModelException: invalidPasswordMinLengthMessage at deployment.keycloak-ofbiz-provider-ear.ear.keycloak-ofbiz-provider.jar//com.zyres.keycloak.storage.OFBizUserStorageProvider.updateCredential(OFBizUserStorageProvider.java:256) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ... Therefore the account password change form results in a system error instead of a model validation. Do you have any suggestions how to avoid this or is i a bug ? (we are using keycloak server 6.0.1) Kind regards Andreas

6 years, 7 months

1
0
0 / 0

External users federation

by Doh A. Ouattara

Hello We are dealing with a dozen of external third-party applications developed by different software vendors. We do not have access to their authentication scheme or application servers. Is there a way to use Keycloak so that a user will use only one account/password to authenticate with Keycloak, then Keycloak will make a second authentication on behalf the user to the third-party application using the user credentials (mapped) and redirect the user into the target application? To be short, can keycloak behave like a password manager or password vault for external applications? Is there a way to solve our problem with keycloak? Kind regards --- Doh Ouattara

6 years, 7 months

1
0
0 / 0

Keycloak configuration on AWS for a large scale

by Ferdous Shibly

Hi, I am trying to configure Keycloak 6.0.1 on AWS. I need to configure multi AZ Keycloak cluster for almost seven million active users (growing everyday). Currently I am using standalone HA with PostgreSQL (RDS). When I am trying to import all the users from LDAP, the cluster stopped working. Here are the errors I am getting, 2019-08-08 11:35:21,645 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p11-t1) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredEvents]: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 76 from keycloak1 at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2019-08-08 11:35:32,684 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p11-t1) ISPN000136: Error executing command RemoveCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 81 from keycloak1 at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2019-08-08 11:36:14,107 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p11-t1) ISPN000136: Error executing command RemoveExpiredCommand, writing keys [5d57dd8d-79e0-4ab9-9d8b-60fc570ec8b2]: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 85 from keycloak1 at org.infinispan.remoting.transport.impl.SingleTargetRequest.onTimeout(SingleTargetRequest.java:65) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) 2019-08-08 11:56:34,720 FATAL [org.infinispan.CLUSTER] (transport-thread--p13-t2) [Context=sessions] ISPN000313: Lost data because of abrupt leavers [keycloak1] 2019-08-08 11:56:34,721 INFO [org.infinispan.CLUSTER] (transport-thread--p13-t2) [Context=sessions] ISPN100008: Updating cache members list [keycloak2], topology id 6 2019-08-08 11:56:34,739 FATAL [org.infinispan.CLUSTER] (transport-thread--p13-t2) [Context=clientSessions] ISPN000313: Lost data because of abrupt leavers [keycloak1] 2019-08-08 11:56:34,740 INFO [org.infinispan.CLUSTER] (transport-thread--p13-t2) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak2], topology id 6 2019-08-08 11:56:34,744 WARN [org.infinispan.CLUSTER] (transport-thread--p13-t2) [Context=work] ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [keycloak1], lost members are [keycloak1], stable members are [keycloak2, keycloak2] at java.lang.Thread.run(Thread.java:748) Here is the jgroup configuration <subsystem xmlns="urn:jboss:domain:jgroups:6.0"> <channels default="ee"> <channel name="ee" stack="tcp" cluster="ejb"/> </channels> <stacks> <stack name="tcp"> <transport type="TCP" socket-binding="jgroups-tcp"/> <protocol type="JDBC_PING"/> <jdbc-protocol type="JDBC_PING" data-source="KeycloakDS"> <property name="initialize_sql"> CREATE TABLE IF NOT EXISTS jgroupsping ( own_addr VARCHAR(200) NOT NULL, cluster_name VARCHAR(200) NOT NULL, ping_data BYTEA DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name) ) </property> </jdbc-protocol> <protocol type="MERGE3"/> <protocol type="FD_SOCK"/> <protocol type="FD_ALL"/> <protocol type="VERIFY_SUSPECT"/> <protocol type="pbcast.NAKACK2"/> <protocol type="UNICAST3"/> <protocol type="pbcast.STABLE"/> <protocol type="pbcast.GMS"> <property name="join_timeout"> 60000 </property> <property name="print_local_addr"> true </property> <property name="print_physical_addrs"> true </property> </protocol> <protocol type="MFC"/> <protocol type="FRAG2"/> </stack> </stacks> > </subsystem> Any help would be appreciated. Cheers Ferdous Shibly

6 years, 7 months

1
0
0 / 0

DBusException: "Failed to connect to bus ""Failed to auth""

by Miroslav Beranič

Hi, I am trying to integrate FreeIPA with Keycloak ( same issue with 6.0.0 and 8.0.0-SNAPSHOT, following line numbers are from master/8.0.0-SNAPSHOT ). I have issue with User Federation - SSSD Provider being DISABLED. I run on OpenJDK 8 and Fedora 31. I run WildFly in Standalone mode, with logging set to DEBUG. In log server.log error message is written: "org.freedesktop.dbus.exceptions.DBusException: "Failed to connect to bus ""Failed to auth"". This is from: org/freedesktop/dbus/Transport.java:811 throw new IOException(getString("errorAuth")); and org/freedesktop/dbus/DBusConnection.java:306 throw new DBusException(getString("connectionFailure") + IOe.getMessage()); I guess this error message is not the most correct one ( or meaningful ). Origin of the error is from: org/freedesktop/dbus/Transport.java:488 ==> org.freedesktop.dbus.Transport.SASL#auth, where username "root" is encoded with stupidlyEncode(username); ( as I am on JVM8, com.sun.security.auth.module.UnixSystem is not found ). I get back "COMMAND_REJECTED" and as a result "state = FAILED" ( org/freedesktop/dbus/Transport.java:548 ). I am able to execute dbus commands: [root@sso ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.Ping string:PING Creating home directory for keycloak. method return time=1565779939.956922 sender=:1.259 -> destination=:1.3491 serial=22 reply_serial=2 string "PONG" [root@sso ~]# echo $? 0 [root@sso ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:admin method return time=1565537226.470653 sender=:1.87 -> destination=:1.104 serial=12 reply_serial=2 array [ string "trust admins" string "admins" ] [root@sso ~]# echo $? 0 This terminal commands were pointed out as " self test of well configured system ", but all of this commands work, WildFly/Keycloak on the other hand rejects SSSD discovery. Is it possible I am missing some SELinux setting? Is there a way to test and get to this failure without WildFly -- by using terminal commands, that I could pinpoint what is the problem. I was working after steps presented by "Christian Heimes - Identity management, single sign-on and certificates with FreeIPA" and "scott poore's blog / How to setup Keycloak". What am I missing? Is there some test I can run from Keycloak source, to check beforehand, what is wrong? Thanks a lot. Kind Regards, Miroslav

6 years, 7 months

1
0
0 / 0

Keycloak json logs

by Vucomir Ianculov

Hi, i'm using keyclock server running docker and i want to enable json log format to stdout if i execute following commands when keycloak is started it will work /subsystem=logging/json-formatter=json:add(exception-output-type=formatted, pretty-print=false, meta-data={label=value}) /subsystem=logging/console-handler=CONSOLE:write-attribute(name=named-formatter, value=json) but i want this to be done autmatacly on docker image start, i tryed adding a custom scipt .cli but it dose not work. dose enyone know who can i do this automaticly ? Thanks. Kind Regards, Vucomir Ianculov E-Mail: [ mailto:vukomir@ianculov.ro | vukomir(a)ianculov.ro ] Phone: (+40) 722 - 690 - 514 [ http://ro.linkedin.com/in/vukomir | ] [ http://www.xing.com/profile/Vucomir_Ianculov ]

6 years, 7 months

1
0
0 / 0

Could not modify attribute for DN

by Benjamin Sher

Help! I am using AWS Simple AD. I have my users federated no problem. I can change the password of a user inside the realm no problem. If I impersonate a user or do a password reset and attempt to change the password as the user I receive the "Could not modify attribute for DN [CN=........] Any thoughts?

6 years, 7 months

1
0
0 / 0

Error fromIndex < 0 making no sense

by Sébastien Minne

Hi Guys, I'm getting this wired error message from keycloak. I'm running two keycloak instance on the same host, one is fien and the second one is getting me this : Caused by: java.lang.IndexOutOfBoundsException: fromIndex < 0: -1 Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at java.util.BitSet.nextClearBit(BitSet.java:744) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.getNextUnfinishedSegmentFromIndex(InitializerState.java:102) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.updateLowestUnfinishedSegment(InitializerState.java:98) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.markSegmentFinished(InitializerState.java:94) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoadingImpl(InfinispanCacheInitializer.java:187) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoading(InfinispanCacheInitializer.java:108) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:41) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:317) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:306) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:298) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$500(InfinispanUserSessionProviderFactory.java:68) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.lambda$onEvent$0(InfinispanUserSessionProviderFactory.java:127) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithTimeout(KeycloakModelUtils.java:267) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:121) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:69) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:170) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at java.lang.reflect.Constructor.newInstance(Constructor.java:423) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152) Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] ... 31 more Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] I've already lost a bunch of hours trying things around but can't figure out what's wrong Any piece of advice would be more than welcome Sébastien

6 years, 7 months

1
0
0 / 0

Prevent users from changing email address when email is used as username

by Ales Fuchs

Hello, We are using Keycloak version 4.8.3 and in our setting we have the option "Email as username" switched on and "Edit username" switched off. At the same time we need to let users to log in and change their name in the account console. Once the name and surname is editable, email can be changed too, which changes also the username. The input with email can be hidden, but whoever knows how Keycloak works can simply add this input and update the username. Does anyone have any idea how updating of username can be prevented? Best regards, Ales Fuchs

6 years, 7 months

3
7
0 / 0

Custom password hashing in user federation

by Simon Levermann

Hello, in our custom user database, we have passwords hashed by bcrypt (or argon2). As far as I can see we have 2 ways of verifying these passwords: 1) Create a PasswordHashProvider via SPI, and teach it how to use the hashing algorithms. 2) Include the hashing algorithms as a dependency of our UserProvider, and do it internally via implementing CredentialInputValidator. Which of these options is the recommended way to do this? Cheers, Simon

6 years, 7 months

1
0
0 / 0

Federation of Roles, Groups and Realms

by Simon Levermann

Hello, we have a user database in form of a license server, which we would like to use as a source of data for a Keycloak server. I've been able to find plenty of resources on how to map the *users* into Keycloak via SPI, but I haven't been able to find much on Roles, Groups and Realms. Are any (or all) of the three possible to achieve, or do we have to manage these manually? The problem is that we would like to have some logical separation of users into a realm (or a group) per customer, as well as mapping roles onto licenses for different products. Our current stab at a solution is an external synchronization service which periodically performs updates via the Keycloak Admin API, but if possible, we would like to get rid of this service and perform all the mappings inside Keycloak. Best regards, Simon Levermann

6 years, 7 months

2
3
0 / 0

Keycloak Plugin: How to retrieve list of synced users form Federated LDAP in EventListener

by Paul Edison

Hi, I’m trying to write a plugin for Keycloak that should work (“export”) with the data of users that get created. Currently writing it as a EventListerner Plugin that acts on adminEvents. If a user is created in Keycloak itself in the local store this works fine. With the event I get the "resourcePath=users/0958198e-7a5d-4fb3-9b1b-2481841bff3f" and with that I can access the user: > UserModel user = session.users().getUserById(<ID>, session.getContext().getRealm()); Thats fine – but with federation I got problems. In the event of synchronisation I don’t get this information. I only get the "resourcePath=user-storage/381a8a65-c425-487e-b14a-a1186fda5940/sync" How would I get the users form that info? Is there a way to get form the session the list of synced users form that ID? And in best case a list of new users and only updated users? Kind regards, Paul

6 years, 7 months

1
0
0 / 0

Audience claim in Keycloak access tokens

by Peemöller, Björn

Hi everyone, I have some questions about the audience claim in JWT and how they are handled in Keycloak, maybe someone can help me? During an upgrade of our Keycloak instances from 4.1.0 to 6.0.1, we discovered that the handling of the audience claim changed for at least the following scenario: - A technical (service) user obtains a token for the client clientA using the endpoint /realms/{realm-name}/protocol/openid-connect/token - In the scope mappings of client A, the client roles of client clientB are added Using Keycloak 4.1.0, the returned JWT contains ... "aud": "clientA", "azp": "clientA", ... while using Keycloak 6.0.1, the JWT contains ... "aud": "clientB", "azp": "clientA", ... While I understand that the second variant better allows to securely use the token also for client clientB, the token can no longer be used for the clientA if the client validates the token's audience, although the client was explicitly requested for clientA. The Keycloak documentation [1] says that the client for which the token is issued will not be contained in the audience of the access token but can be added using the hardcoded audience mapper, which indeed leads to the claims ... "aud": [ "clientA", "clientB", ], "azp": "clientA", ... Now my questions: What is the rationale behind this behavioral change from Keycloak 4.1.0 to Keycloak 6.0.1? Why is the client for which the token is issued not included in the access token's audience? I mean, finally, it is the client the token is requested for. Many thanks in advance, Björn [1]: https://www.keycloak.org/docs/latest/server_admin/#_audience Bei Berenberg hat der Schutz Ihrer Daten seit jeher höchste Priorität. Informationen zum Umgang mit personenbezogenen Daten finden Sie hier: https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundenin... Diese Nachricht einschliesslich etwa beigefuegter Anhaenge ist vertraulich und kann dem Bank- und Datengeheimnis unterliegen oder sonst rechtlich geschuetzte Daten und Informationen enthalten. Wenn Sie nicht der richtige Adressat sind oder diese Nachricht irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender über die Antwortfunktion. Anschliessend moechten Sie bitte diese Nachricht einschliesslich etwa beigefuegter Anhaenge unverzueglich vollstaendig loeschen. Das unerlaubte Kopieren oder Speichern dieser Nachricht und/oder der ihr etwa beigefuegten Anhaenge sowie die unbefugte Weitergabe der darin enthaltenen Daten und Informationen sind nicht gestattet. Wir weisen darauf hin, dass rechtsverbindliche Erklaerungen namens unseres Hauses grundsaetzlich der Unterschriften zweier ausreichend bevollmaechtigter Vertreter unseres Hauses beduerfen. Wir verschicken daher keine rechtsverbindlichen Erklaerungen per E-Mail an Dritte. Demgemaess nehmen wir per E-Mail auch keine rechtsverbindlichen Erklaerungen oder Auftraege von Dritten entgegen. Sollten Sie Schwierigkeiten beim Oeffnen dieser E-Mail haben, wenden Sie sich bitte an den Absender oder an info(a)berenberg.de. Unsere Hinweise zum Schutz personenbezogener Daten finden Sie unter https://www.berenberg.de/files/Rechtliche+Hinweise/DSGVO/DSGVO-Kundeninfo....

6 years, 7 months

2
2
0 / 0

difference between openid connect 1.0 and keycloak open id connect identity providers

by Madhu

Whats the benefit and advantage of using keycloak openid connect identity provider over the standard open id connect 1.0 provider, i dont seem much literature around this in the latest keycloak documents? The identity provider page /configurations too looks very same.. When should i use keycloak openid connect and when open id connect? RegardsMadhu

6 years, 7 months

1
0
0 / 0

Redirect secured by Keycloak client side apps to login page after idle timeout. Apps are behind app gateway

by Roman Ok

6 years, 7 months

1
0
0 / 0

extending SAML session with Azure ID via Keycloak

by Nijo Johny

Hi, Our Application setup details --------------------- Keycloak version: 3.3.0 Final Keycloak acts as Broker. Azure AD configured as identity provider over SAML. Problem statement: Not able to renew and extract new SAML assertion from Azure AD. Our app is secured using Keycloak over Open ID Connect with JWT token. We are leveraging Keycloak Identity Brokering to use Customer's Azure AD as the Identity Provider. Once user login, we need invoke customer API by sending SAML assertion issued by Azure AD. We can extract SAML issued by IDP from keycloak via GET /auth/realms/{realm}/broker/{provider_alias}/token HTTP/1.1. Keycloak is always returning same SAML assertion, one issued on login even if expired. Keycloak issues new JWT token to our app via refresh token exchange our side. But we need valid SAML assertion to call customer API. Is there a way to renew session with AD via keycloak? Passive SAML2 Auth request is what I found as a solution for this. Is this supported from Keycloak when it acts as a broker? Any help is appreciated. This e-Mail may contain proprietary and confidential information and is sent for the intended recipient(s) only. If by an addressing or transmission error this mail has been misdirected to you, you are requested to delete this mail immediately. You are also hereby notified that any use, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message, contents or its attachment other than by its intended recipient/s is strictly prohibited. Visit us at https://www.intellectdesign.com

6 years, 7 months

1
0
0 / 0

Regarding finding the source code link for few keycloak dependencies

by Shiva Prasad Thagadur Prakash

Hi Guys, I am unable to find the source code link for few of the keycloak dependencies. For example, PicketLink 2.5.5SP12. Is there a way we could find the source code link to the dependencies of keycloak? Thanks, Shiva

6 years, 7 months

1
0
0 / 0

Implementing Multi-tenancy through Keycloak

by Dhara Basida

Hi Team, We are currently planning to integrate our application with keycloak in order to achieve multi-tenancy. We have hierarchy like : 1) Super Admin : Who have access to eveything and will create tenant. 2) Tenant Admin : This admin can create their Members and one tenant admin cannot see the data of another tenant admin or Tenant. Also he could not able to see any details of Super Admin. 3) Members : Member are specific to Tenant. Member have rights to create their employees and roles which are applicable for their employees. But Member cannot see details of other Members or their Tenant Admin. 4) Employees : Employees are users who can only have view permissions for role applicable to them and manage their profile. He could not able to see any details of Member or Tenant. QUestions : I have created admin and tenant. I have link admin with Super Admin and Tenant Admin with Realm admin. For Member I linked it with Client but somehow I don't find the way to manage it. As I am not able to create Employees from member (Not able to get Add options for users and If I enable manage users or view users role from tenant admin than I can also see data of tenant which is wrong). Kindly provide the way to achieve these hierarchy. Thank you, Dhara Basida --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

6 years, 7 months

2
1
0 / 0

Running keycloak with azure web app for containers

by Neba Medard

Hello i have been trying to run keycloak in azure now with some problems Am running keycloak as a container in azure using web app for containers Am getting the keycloak image from docker hub and when i run the container and serve the page and then try to navigate to the administration console, it shows the page "we are sorry, invalid parameter:redirect_uri" Am not even able to reach the administration console Is there any configuration needed? Just to let you know i am a junior developer and am starting with keycloak Any help will be much appreciated

6 years, 7 months

2
1
0 / 0

Keycloak, Samba, and ldap password modify extended operation (RFC3062)

by Gary Kennedy

Someone has installed the smbk5pwd module into our ldap system used by our Keycloak instance. They wish to share the ldap service with another system that needs the samba password hash attributes. Unfortunately this means I now need keycloak to perform the ldap v3 password modify extended operation. I've hacked this into our current user federation provider (which apparently extends the in-built ldap one), by having the provider implement `CredentialInputUpdater`, and everything is working within the realms of our tests. What I am interested in, is if there is already usable work out there in having Keycloak use the password modify extended operation? and/or how other people have integrated similar requirements (ldap password modify extended operation, or samba/extra password hashes in ldap) - without extending too much of Keycloak (I was sooo close to removing our custom user federation provider) :p Cheers, Gary

6 years, 7 months

1
0
0 / 0

Alternative to Kerberos & Custom Use Case

by Aditya Bhole

Hi, Are there any other mechanisms in Keycloak apart from Kerberos which can establish something similar to a cross realm trust? Also, consider this use case: We have App A and App B. App A and App B may have different Keycloak instances or maybe in different realms of the same Keycloak instance. User logs into App A. He clicks on a button in App A which is supposed to take him to App B. The user now has a JWT when he logged into App A. Now App B knows that all the redirects are going to be from App A. So can App B verify the token through App A? Regards, Aditya

6 years, 7 months

2
3
0 / 0

Admin User Impersonation Restriction

by Prado, Renann

Hello. I'm currently doing a research to see if keycloak fits our use cases and the impersonation feature is important for the case when we want to do support and see what the users sees for some reason. Of course Impersonation is nice, yet it can be very risky if impersonation permission is given to wrong people. I was doing some tests (locally) and I found out that by having only the client roles of view view-users and impersonation, I was able to impersonate the admin user. I'm using docker to runs my tests, so basically I was able to impersonate the user that is created via the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables. My question is: is it possible to restrict impersonation to certain users based on attributes, roles, or something else? Or is the impersonation always possible to be done on all the users within the realm as long as the user has permission to do impersonation? As I understand the master realm shouldn't be used for anything other than administration, correct? Then what would be the best way to "slice" your realms, per product (e.g. web app)? We also want to use keycloak to provide SSO for us, which I suppose only works in the realm level. So if we create one realm per application, then we cannot really do SSO. Thanks -- Best regards, *Renann Prado*

6 years, 7 months

1
0
0 / 0

Docker X509 Apache Cert Lookup Client Certificate Passthrough

by Johnson, Freddie [USA]

Team -- I'm currently having issues getting Keycloak to read the client certificate forwarded from proxy in HTTP header from Apache using Apache SPI Cert lookup. Instead, it reads the wildcard of the cert provided below in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile. However, if i use that common name of the wildcard and assign it to any user, Keycloak will log that user in even though that is not the user originally making the initial request to the proxy. In short, how do I force Keycloak running in a container to use the apache spi to retrieve cert credentials in header? I tried developer documentation by adding spi per https://www.keycloak.org/docs/latest/server_admin/index.html#client-certi... to both standalone.xml and deployment folder but it's as if Keycloak is not recognizing the configuration change in container after build. If I remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the proxy saying "downstream server expected client cert but none configured" so that option didn't work either. Details below: My apache reverse proxy is: <VirtualHost *:443> SSLEngine on SSLProxyEngine on SSLVerifyClient optional SSLVerifyDepth 4 SSLOptions +ExportCertData SSLProxyCheckPeerName off ProxyPreserveHost On SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt" SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem" SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem" RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT_CHAIN_4 "" ServerName sso.xxx.ninja ProxyPass / https://keycloak:8443/ ProxyPassReverse / https://keycloak:8443/ ProxyRequests Off RequestHeader set X-Forwarded-Port "443" RequestHeader set X-Forwarded-Proto "https" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i" RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i" </VirtualHost> My Keycloak Dockerfile (abbreviated - sanitized): ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem" USER root RUN mkdir -p /etc/x509/https RUN mkdir -p /opt/xxx COPY "./certs/tls.crt" "/etc/x509/https" COPY "./certs/tls.key" "/etc/x509/https" COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <---- originally edited this file to hold apache spi COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved apache spi for x509 here per online instructions COPY "./certs/ca-xxx-ninja.crt" "/opt" COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/" RUN keytool -noprompt -import -trustcacerts -alias root -file /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit RUN keytool -noprompt -import -trustcacerts -alias xxx -file /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit USER 1000 EXPOSE 8080 8443 Any guidance/ideas you can provide would much appreciated as I've been working it for a few days now and can't seem to get over this last hurdle. Respectfully, Freddie Lee Johnson, Jr.

6 years, 8 months

2
3
0 / 0

Docker X509 Apache Cert Lookup Client Certificate Passthrough

by Johnson, Freddie [USA]

Sebastian – Thanks for the awesome feedback. I’ll implement your suggestion. How would you recommend I activate the Apache SPI in the docker image? Should I add it to the standalone.xml and comment out the default provider or add it to the deployment URL as annotated in docker documentation: “To add a custom provider extend the Keycloak image and add the provider to the /opt/jboss/keycloak/standalone/deployments/ directory.” Does that count as a custom provider? Freddie From: Sebastian Laskawiec <slaskawi(a)redhat.com> Date: Thursday, August 8, 2019 at 12:18 AM To: "Johnson, Freddie [USA]" <Johnson_Freddie(a)bah.com> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> Subject: [External] Re: [keycloak-user] Docker X509 Apache Cert Lookup Client Certificate Passthrough The only thing I found a bit weird is that you create `/etc/x509/https` directory. Keycloak image has a small script that tries to grab a key and a certificate in that directory and import them [1]. But I see you're already doing that in `RUN keytool ...` commands. Perhaps you should either put tls.crt and tls.key there and rely on our script or do everything by yourself (but in that case, please remember about modifying configuration similarly to [2]). The last advice I can give to you is to append `-Djavax.net.debug=all` argument to ./standalone.sh. This way you can see, what certificates are being picked up and if the TLS handshake looks correct (although, the debugging is really time-consuming). [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jboss-2Dd...> [2] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5...<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_jboss-2Dd...> On Thu, Aug 8, 2019 at 1:05 AM Johnson, Freddie [USA] <Johnson_Freddie(a)bah.com<mailto:Johnson_Freddie@bah.com>> wrote: Team -- I'm currently having issues getting Keycloak to read the client certificate forwarded from proxy in HTTP header from Apache using Apache SPI Cert lookup. Instead, it reads the wildcard of the cert provided below in the virtual host of *.xxx.ninja from SSLProxyMachineCertificateFile. However, if i use that common name of the wildcard and assign it to any user, Keycloak will log that user in even though that is not the user originally making the initial request to the proxy. In short, how do I force Keycloak running in a container to use the apache spi to retrieve cert credentials in header? I tried developer documentation by adding spi per https://www.keycloak.org/docs/latest/server_admin/index.html#client-certi...<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_doc...> to both standalone.xml and deployment folder but it's as if Keycloak is not recognizing the configuration change in container after build. If I remove SSLProxyMachineCertificateFile from Apache, Keycloak sends a message to the proxy saying "downstream ser! ver expected client cert but none configured" so that option didn't work either. Details below: My apache reverse proxy is: <VirtualHost *:443> SSLEngine on SSLProxyEngine on SSLVerifyClient optional SSLVerifyDepth 4 SSLOptions +ExportCertData SSLProxyCheckPeerName off ProxyPreserveHost On SSLProxyCACertificateFile "/usr/local/apache2/conf/ca-xxx-ninja.crt" SSLCACertificateFile "/usr/local/apache2/conf/xxx_authorities.pem" SSLProxyMachineCertificateFile "/usr/local/apache2/conf/proxy-wildcard-xxx-ninja.pem" RequestHeader set SSL_CLIENT_CERT "" RequestHeader set SSL_CLIENT_CERT_CHAIN_4 "" ServerName sso.xxx.ninja ProxyPass / https://keycloak:8443/<https://urldefense.proofpoint.com/v2/url?u=https-3A__keycloak-3A8443_&d=D...> ProxyPassReverse / https://keycloak:8443/<https://urldefense.proofpoint.com/v2/url?u=https-3A__keycloak-3A8443_&d=D...> ProxyRequests Off RequestHeader set X-Forwarded-Port "443" RequestHeader set X-Forwarded-Proto "https" RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}i" RequestHeader set CERT_CHAIN "%{SSL_CLIENT_CERT_CHAIN_4}i" </VirtualHost> My Keycloak Dockerfile (abbreviated - sanitized): ENV "X509_CA_BUNDLE"="/opt/xxx/xxx_authorities.pem" USER root RUN mkdir -p /etc/x509/https RUN mkdir -p /opt/xxx COPY "./certs/tls.crt" "/etc/x509/https" COPY "./certs/tls.key" "/etc/x509/https" COPY "./standalone.xml" "/opt/jboss/keycloak/standalone/configuration/standalone.xml" <---- originally edited this file to hold apache spi COPY "./apache.xml" "/opt/jboss/keycloak/standalone/deployments/apache.xml" < ------- moved apache spi for x509 here per online instructions COPY "./certs/ca-xxx-ninja.crt" "/opt" COPY "./certs/xxx/xxx_authorities.pem" "/opt/xxx/" RUN keytool -noprompt -import -trustcacerts -alias root -file /opt/ca-xxx-ninja.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit RUN keytool -noprompt -import -trustcacerts -alias xxx -file /opt/xxx/xxx_authorities.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit USER 1000 EXPOSE 8080 8443 Any guidance/ideas you can provide would much appreciated as I've been working it for a few days now and can't seem to get over this last hurdle. Respectfully, Freddie Lee Johnson, Jr. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...>

6 years, 8 months

1
0
0 / 0

Disable sending the email about invalid login

by Katarzyna Sycz

Hello, I would like to ask if there is a possibility to disable sending the specific email via Keycloak. In this case, I would like to prevent sending the email informing about the invalid login (when users use the incorrect username or password). I didn't find any setting for that in the console and I didn't find the info about it in the docs. I would appreciate any help. Kind regards, Katarzyna Sycz

6 years, 8 months

1
0
0 / 0

Is quorum needed in Keycloak Standalone Clustered Configuration?

by Roman Ok

Sorry, i'm sending this again as my last post was posted without text for some unknown reason: Should an Keycloak deployments configured in Standalone Clustered Configuration have odd number of nodes to ensure quorum? It's stated that Keycloak is built on top of the WildFly application server and its sub-projects like Infinispan (for caching) and Hibernate (for persistence). Keycloak recommends to look in WildFly Documentation and High Availability Guide. If understood correctly Standalone Clustered Configuration allows session replication or transmission of SSO contexts around the cluster. I don't understand though if odd number of Keycloak nodes is required so that there will be quorum. Singleton subsystem states 10.1.3. Quorum Network partitions are particularly problematic for singleton services, since they can trigger multiple singleton providers for the same service to run at the same time. To defend against this scenario, a singleton policy may define a quorum that requires a minimum number of nodes to be present before a singleton provider election can take place. A typical deployment scenario uses a quorum of N/2 + 1, where N is the anticipated cluster size. This value can be updated at runtime, and will immediately affect any active singleton services. e.g. Is it somehow related to Keycloak and its Standalone Clustered Configuration?

6 years, 8 months

2
1
0 / 0

Latest version download link?

by Uumas

Is there a direct link to downlaod the latest version of keycloak? I'm trying to write a script for updating.

6 years, 8 months

1
0
0 / 0

UserStorageProvider.updateCredential to receive current password

by Steve Thomas

Hi there, I have a custom UserStorageProvider with updateCredential method being implemented. Everything works fine but for security reason, I need the current password to be passed to that method as well. What is the suggested way if I want to change the behavior of the processPasswordUpdate method of the AccountFormService? Or is there a SPI I can use? Is there an example somewhere online? Thank you in advance [http://images.logibec.com/Logibec121x57.png] Steve Thomas Analyste-programmeur Infrastructure de d?veloppement Programmer Analyst T +1-800-361-9659 | T +1 800 361-9659 Steve.Thomas(a)logibec.com www.logibec.com AVIS DE CONFIDENTIALIT? Le pr?sent courriel et les informations qu'il contient sont confidentiels et demeurent la propri?t? exclusive de Logibec. Ils ne peuvent ?tre diffus?s ? quiconque hormis les membres du personnel devant en prendre connaissance, et ce, sous condition de leur avoir inform? qu'ils sont la propri?t? de Logibec, sont confidentiels et ne peuvent ?tre partag?s ? un tiers sans une autorisation pr?alable ?crite de Logibec. Si vous n'?tes pas le destinataire vis?, veuillez en aviser imm?diatement l'?metteur et d?truire le contenu du courriel sans le communiquer ou le reproduire. CONFIDENTIALITY NOTICE This email and the information it contains contained herein are confidential and remain the exclusive property of Logibec. They may not be disseminated to anyone except the staff members who must be aware of it, provided that they have been informed that the documents are the property of Logibec, are confidential and can not be shared with a third party without the prior written authorization of Logibec. If you are not the intended recipient, please indicate it immediately and destroy the contents of the email without disclosing or reproducing it.

6 years, 8 months

2
1
0 / 0

Logout from identity provider is not propagated to Keycload clients

by SauliK

Hi, I have set up Keycloak with a SAML2 Identity Provider and I have a client application configured to authenticate against Keycloak using SAML2. If I logout from the application, the logout happens correctly using browser redirects and the user is logged out from the application, from Keycloak, and from the identity provider. But if I logout from the Identity provider, the provider sends a logout request to Keycloak but Keycloak does not send the logouts to the clients. I have checked the source code regarding this and in the second scenario Keycloak uses only the backchannel logout and does not even attempt to do the browser / frontchannel logout. In my case backchannel logout is not supported. In the source code I can see that in SamlService class (which is being invoked when I do the logout from the application) it uses either browser logout or backchannel logout https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4... But in the SamlEndpoint class (which is used when the identity provider sends the logout request to Keycloak) it only attempts the backchannel logout: https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e2... Is this the way it's supposed to work or is Keycloak just missing this feature? Br, Sauli -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 8 months

1
0
0 / 0

Logout from identity provider is not propagated to Keycload clients

by SauliK

Hi, I have set up Keycloak with a SAML2 Identity Provider and I have a client application configured to authenticate against Keycloak using SAML2. If I logout from the application, the logout happens correctly using browser redirects and the user is logged out from the application, from Keycloak, and from the identity provider. But if I logout from the Identity provider, the provider sends a logout request to Keycloak but Keycloak does not send the logouts to the clients. I have checked the source code regarding this and in the second scenario Keycloak uses only the backchannel logout and does not even attempt to do the browser / frontchannel logout. In my case backchannel logout is not supported. In the source code I can see that in SamlService class (which is being invoked when I do the logout from the application) it uses either browser logout or backchannel logout https://github.com/keycloak/keycloak/blob/1ac51611d3c1dd7c9b6537430587fa4... But in the SamlEndpoint class (which is used when the identity provider sends the logout request to Keycloak) it only attempts the backchannel logout: https://github.com/keycloak/keycloak/blob/ca4e14fbfa76e5c909503bde9b0f4e2... Is this the way it's supposed to work or is Keycloak just missing this feature? Br, Sauli -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 8 months

1
0
0 / 0

Is quorum needed in Keycloak Standalone Clustered Configuration?

by Roman Ok

6 years, 8 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user August 2019