Keycloak - Supported Database Versions - PostgreSQL
by Townsley, Eric L
Hi,
What versions of Postgres does Keycloak support?
Thanks
Eric
5 years, 4 months
Unable to change login theme to other than base
by Ana maria Jordan
Dear all.
We are testing Keycloak as a SAML2 gateway to some external and internal
systems we are to integrate with. We downloaded and configured Keycloak
server (standalone) version 6.0.1, created a new realm, and for the initial
tests added some clients running on Tomcat.
We are able to authenticate to those clients via the SAML2 protocol, but the
problem is that I would like to configure the login page for them to be the
one provided by the corresponding realm theme, and I get only the base
theme’s login page.
Did I misunderstand the documentation (3.6 Theme Selector -> “By default
the theme configured for the realm is used […]”)? Could any of you figure
out what I am doing wrong?
Many thanks in advance for the help. Best regards.
5 years, 4 months
OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined
by Iommi Underwood
Hi,
I am currently setting up Cloudflare access with a generic openID provider as an access login method with Keycloak.
The configuration is complete from both ends, however when I test from cloudflare, after the authentication is done I see the error "OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined".
From a trace that I took on the keycloak server, I see that the server is authenticating the user and responding back, but cloudflare is still displaying this error.
Below is the TCP stream between client (cloudflare) and server (keycloak):
******************* START STREAM *******************
GET /auth/realms/[**SUPRESSED**]/protocol/openid-connect/auth?client_id=cloudflare-access&redirect_uri=https%3A%2F%2F[**SUPRESSED**].cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&scope=openid+email+profile HTTP/1.1
Host: keycloak.[**SUPRESSED**].io:8180
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Referer: https://dash.cloudflare.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: AUTH_SESSION_ID=dc1416f0-fc39-457d-80fd-48daa16db16b; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI3ZDI4YWQ0ZS0zN2U1LTRkMWEtOWZkNS0zYzQ1YjQ2MzQzNzAiLCJleHAiOjE1NjY5MzI2NDYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NjQ2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImRjMTQxNmYwLWZjMzktNDU3ZC04MGZkLTQ4ZGFhMTZkYjE2YiIsInN0YXRlX2NoZWNrZXIiOiJTeDJOSEZoc1lSUDk2TFF5S3RiZDNINVc3UzhKSXdqX3BLcE1ZSEFiNWhBIn0.zHM0hLg96gEPGTdaBjX0KSaZ4hGoETTKc-efvfqni90; KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/dc1416f0-fc39-457d-80fd-48daa16db16b; _ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327; __zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.[...].nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Date: Tue, 27 Aug 2019 09:05:11 GMT
Connection: keep-alive
X-Robots-Tag: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 3013
Content-Language: en
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width,initial-scale=1"/>
<title>Log in to [**SUPRESSED**]</title>
<link rel="icon" href="/auth/resources/5.0.0/login/keycloak/img/favicon.ico" />
<link href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly.css" rel="stylesheet" />
<link href="/auth/resources/5.0.0/login/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css" rel="stylesheet" />
<link href="/auth/resources/5.0.0/login/keycloak/lib/zocial/zocial.css" rel="stylesheet" />
<link href="/auth/resources/5.0.0/login/keycloak/css/login.css" rel="stylesheet" />
</head>
<body class="">
<div class="login-pf-page">
<div id="kc-header" class="login-pf-page-header">
<div id="kc-header-wrapper" class=""><div class="kc-logo-text"><span>[**SUPRESSED**]</span></div></div>
</div>
<div class="card-pf ">
<header class="login-pf-header">
<h1 id="kc-page-title"> Log In
</h1>
</header>
<div id="kc-content">
<div id="kc-content-wrapper">
<div id="kc-form" >
<div id="kc-form-wrapper" >
<form id="kc-form-login" onsubmit="login.disabled = true; return true;" action="http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/login..." method="post">
<div class="form-group">
<label for="username" class="control-label">Username or email</label>
<input tabindex="1" id="username" class="form-control" name="username" value="" type="text" autofocus autocomplete="off" />
</div>
<div class="form-group">
<label for="password" class="control-label">Password</label>
<input tabindex="2" id="password" class="form-control" name="password" type="password" autocomplete="off" />
</div>
<div class="form-group login-pf-settings">
<div id="kc-form-options">
</div>
<div class="">
</div>
</div>
<div id="kc-form-buttons" class="form-group">
<input tabindex="4" class="btn btn-primary btn-block btn-lg" name="login" id="kc-login" type="submit" value="Log In"/>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
POST /auth/realms/[**SUPRESSED**]/login-actions/authenticate?session_code=f3NG2Rjv0G4ymg2pQqwGMvrxu_rXJXtmZnDCZgsPkb4&execution=07ebd6fc-53e0-4fae-a6dd-5e32b9cf1b73&client_id=cloudflare-access&tab_id=IAnjjExJu-4 HTTP/1.1
Host: keycloak.[**SUPRESSED**].io:8180
Connection: keep-alive
Content-Length: 30
Cache-Control: max-age=0
Origin: http://keycloak.[**SUPRESSED**].io:8180
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://keycloak.[**SUPRESSED**].io:8180/auth/realms/[**SUPRESSED**]/proto...
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: AUTH_SESSION_ID=3aae7e12-8755-412f-b565-a65c9b756f9a; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.[...].nRE_5ul_l3S9FA8-mN23OzZUGGSYN_khFaQ4HSxeuWM; _ga=GA1.2.424301711.1560267296; __cfduid=d23d08383e8ff667abef204b0821031e01562311327; __zlcmid=tPiP7fQJt3UNtf; _gid=GA1.2.1095447441.1566802604
username=[**SUPRESSED**]&password=[**SUPRESSED**]
HTTP/1.1 302 Found
Connection: keep-alive
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3Yzk0NGUzMi0zZTk2LTRmNjctOGJkMC1jZDUwN2QzNTkxZTcifQ.eyJqdGkiOiI5ZDEyY2Y2NS00MzRlLTQ3ZjItODAyYi01MTFiMDFmZjVkMTUiLCJleHAiOjE1NjY5MzI3MTYsIm5iZiI6MCwiaWF0IjoxNTY2ODk2NzE2LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsueGNhbGliZXIuaW86ODE4MC9hdXRoL3JlYWxtcy9YQ2FsaWJlciIsInN1YiI6ImU5NDA3OWJhLTNhNzUtNDc1ZS1hM2MyLWFiZTIyMjY4MWFiYSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjNhYWU3ZTEyLTg3NTUtNDEyZi1iNTY1LWE2NWM5Yjc1NmY5YSIsInN0YXRlX2NoZWNrZXIiOiJOQ3M2LVR2T0JPaVg3VWIyUzM3NldvV3piOF91M1pVUXY1ODVOVU5mV2pBIn0.BOFLzvv6qXrMopCHd6uas0g_ywNDHskE3WRvwwS2oWY; Version=1; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=[**SUPRESSED**]/e94079ba-3a75-475e-a3c2-abe222681aba/3aae7e12-8755-412f-b565-a65c9b756f9a; Version=1; Expires=Tue, 27-Aug-2019 19:05:16 GMT; Max-Age=36000; Path=/auth/realms/[**SUPRESSED**]/
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/[**SUPRESSED**]/; HttpOnly
P3P: CP="This is not a P3P policy!"
Location: https://[**SUPRESSED**].cloudflareaccess.com/cdn-cgi/access/callback?state=b59047eb1016be0d59b306a2c35b74d9323864549c7d7ae2c78775e890b4c04c.JTdCJTIyaG9zdG5hbWUlMjIlM0ElMjJ4Y2FsaWJlci5jbG91ZGZsYXJlYWNjZXNzLmNvbSUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGJTIyJTJDJTIyYXVkJTIyJTNBJTIyJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjJiZGY3ZmY5Ni1kNzg4LTRmZGUtYWE1Ny1hNmFmOTZkOWM0ZmUlMjIlMkMlMjJpc0VudFNldHVwJTIyJTNBZmFsc2UlMkMlMjJpc0lEUFRlc3QlMjIlM0F0cnVlJTJDJTIybm9uY2UlMjIlM0ElMjJjNWhPRTZFN3dIMHo0WTdGJTIyJTdE&session_state=3aae7e12-8755-412f-b565-a65c9b756f9a&code=af698d46-23a0-44e2-9832-71f5434ccf69.3aae7e12-8755-412f-b565-a65c9b756f9a.975d74ab-0c36-465e-bb38-32a0559eca73
Content-Length: 0
Date: Tue, 27 Aug 2019 09:05:16 GMT
******************* END STREAM *******************
Let me know if you have any further queries.
Regards,
Iommi
5 years, 4 months
Re: [keycloak-user] check-sso not working as expected with iframe
by Michal Hajas
Sorry, I am not sure I fully understand the question, if my answer is not
what you expected, please describe your issue properly with some steps to
reproduce and describe what behavior you expect or if you think this is a
bug, feel free to file an issue in our Jira.
If your webpage is configured as check-sso, it means you do not require
authentication (the page is visible also for users which are not
authenticated). If an authenticated user is logged out in a separate tab he
is redirected to keycloak only in case login is required. But since the
webpage is configured as check-sso, keycloak knows it doesn't require
authentication and hence doesn't redirect the user to a login page. The
iframe is used anyway because keycloak adapter is aware of the fact that
user is not logged in (he lost the session), however, it just clears the
tokens and sets the adapter to authenticated = false state (in case of
check-sso option). If I understand correctly, you want to reauthenticate
user in case he loses his session. You can do that in two ways. Set the
onLoad option to loginRequired or use onAuthLogout callback as I suggested
in the last response. It could look something like that (I haven't tested
it):
keycloak.onAuthLogout = function() { keycloak.login(); }
On Mon, Aug 26, 2019 at 9:07 PM Mohsin Ilyas <Mohsin_981(a)hotmail.com> wrote:
> But don’t you think if the sso session is valid then the user would
> continue to use the website so the iframe shouldn’t be connected again if
> the connection was broken? As I’ve seen that the check-sso would use iframe
> in a hidden request but if it is not working as expected then what is the
> use of that.
>
>
> ------------------------------
> *From:* Michal Hajas <mhajas(a)redhat.com>
> *Sent:* Monday, August 26, 2019 1:21:09 PM
> *To:* keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
> *Cc:* Mohsin Ilyas <mohsin_981(a)hotmail.com>
> *Subject:* Re: [keycloak-user] check-sso not working as expected with
> iframe
>
> Hello Mohsin,
>
> this is actually the way check-sso should work. From docs:
> check-sso will only authenticate the client if the user is already
> logged-in, if the user is not logged-in the browser will be redirected back
> to the application and remain unauthenticated.
>
> When you logout in the second tab, the tab with check-sso actually detects
> you are logged out, however, it does nothing because it is not supposed to.
> You can check it by catching onAuthLogout event. See
> https://www.keycloak.org/docs/latest/securing_apps/index.html#callback-ev...
> .
>
> Best regards,
> Michal
>
> On Wed, Aug 21, 2019 at 8:34 PM Mohsin Ilyas <mohsin_981(a)hotmail.com>
> wrote:
>
>> Missed the code in original email
>>
>>
>> const keycloak = Keycloak('/keycloak.json');
>> keycloak.init({onLoad: 'check-sso'})
>>   .success(authenticated => {
>>     if (authenticated) {
>>       //do something
>>     }
>>   })
>>   .error(error => {
>>     console.log(error)
>>   });
>>
>> ________________________________
>> From: Mohsin Ilyas
>> Sent: Wednesday, August 21, 2019 11:29 PM
>> To: keycloak-user(a)lists.jboss.org <keycloak-user(a)lists.jboss.org>
>> Subject: check-sso not working as expected with iframe
>>
>>
>> Hi,
>>
>> Below is my simple logic in my application to re-establish connection
>> with keycloak when a page is reloaded. However, the iframe doesn’t seem to
>> work well with ‘check-sso’. Because, I have opened the application in one
>> tab and in other tab I have opened keycloak but when I logout of keycloak
>> my application doesn’t get logout, however, if I use ‘login-required’ the
>> application logs out simultaneously with keycloak. Can someone take a look,
>> or help me with this? (P.s: I have tried to set checkIframLogin: true in
>> the init options but it doesn’t work for me)
>>
>> Thanks.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
5 years, 4 months
REST api and the Admin Client Java Wrapper
by Chris Smith
I'm trying to use the REST java api.
My maven dependencies
<dependencies>
  <dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-admin-client</artifactId>
    <version>7.0.0-SNAPSHOT</version>
  </dependency>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-client</artifactId>
    <version>3.8.1.Final</version>
  </dependency>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <version>3.8.1.Final</version>
  </dependency>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-multipart-provider</artifactId>
    <version>3.8.1.Final</version>
  </dependency>
</dependencies>
I can create a keycloak instance and get a RealmRepresentation. The RealmRepresentation looks like I expect it should, matching what I see in the KC console.
When I try to get users or federated users, a null is returned.
Here is a code snip
Keycloak keycloak = Keycloak.getInstance(
    serverUrl,
    realmName,
    username,
    password,
    clientId);
RealmResource realmsResource = keycloak.realm("fms-sso");
RealmRepresentation realm = realmsResource.toRepresentation();
List<UserRepresentation> userRepresentations = realm.getFederatedUsers();
userRepresentations.stream().forEach(this::printUser);
userRepresentations = realm.getUsers();
userRepresentations.stream().forEach(this::printUser);
realm.getFederatedUsers();
and
realm.getUsers()
both return null, not even an empty list.
Is there something required before getting the users from a RealmRepresentation?
5 years, 4 months
Incorrect redirect_uri in Authorization Code Flow
by Julián D. Zorzenón
Hi,
I'm trying to set up a public client in Keycloak 6.0.1 to make an
Authorization Code Flow work but it fails on the post after the redirect.
1. I've created the following client in the realm "test":
client id => keycloak-java-form-example
enabled => on
client protocol => openid-connect
access type => public
standard flow enabled => on
valid redirect uris => http://localhost:9090/*
2. Manually created a user.
3. Created a simple app. When you go to http://localhost:9090/ it redirects
to:
https://keycloak.server:8443/auth/realms/test/protocol/openid-connect/aut...
4. I log in in the form and get the response on the endpoint
http://localhost:9090/cb with a code (for example:
337f8ec8-dbdd-4965-b538-e5a4fbfff6b4.4cb543a8-1585-4bd0-b174-031288cf3032.cf57276c-98a9-48d3-b460-c678af3f8eb2).
5. I make the following POST request:
POST
https://keycloak.server:8443/auth/realms/test/protocol/openid-connect/token
grant_type=authorization_code
client_id=keycloak-java-form-example
code=337f8ec8-dbdd-4965-b538-e5a4fbfff6b4.4cb543a8-1585-4bd0-b174-031288cf3032.cf57276c-98a9-48d3-b460-c678af3f8eb2
redirect_uri=http%3A%2F%2Flocalhost%3A9090%2Fcb
The response is:
400
{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}
I'm not sure what I'm missing.
Thanks
5 years, 4 months
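RFC 6749 section 4.1.3 requires the redirect_uri in the token request to be identical to the one sent in the authorization request. As an added example (not part of the original post and not Keycloak code), this Node.js check compares the two requests and names the difference. The post's authorization URL is truncated, so the sample requests are constructed from the post's host, realm and client_id, and all helper names are hypothetical.

```javascript
// Added example, not from the original post. Host, realm and client_id come
// from the post; query strings, state and code are constructed sample data.
const AUTH_ENDPOINT =
  'https://keycloak.server:8443/auth/realms/test/protocol/openid-connect/auth';

// Constructed authorization request URL carrying the given redirect_uri.
function sampleAuthUrl(redirectUri) {
  const query = new URLSearchParams({
    response_type: 'code',
    client_id: 'keycloak-java-form-example',
    redirect_uri: redirectUri,
    state: 'constructed-state',
  });
  return `${AUTH_ENDPOINT}?${query}`;
}

// Constructed token request body. The redirect_uri is passed already encoded
// so that encoding mistakes can be reproduced.
function sampleTokenBody(encodedRedirectUri) {
  return 'grant_type=authorization_code&client_id=keycloak-java-form-example' +
    '&code=constructed-code&redirect_uri=' + encodedRedirectUri;
}

function decodeOnce(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

function parseUrl(value) {
  try { return new URL(value); } catch (e) { return null; }
}

const stripSlash = (s) => s.replace(/\/+$/, '');

// Compare the redirect_uri of both requests by exact string equality after
// one round of form decoding, and name the likely cause of any difference.
// A missing value on either side is reported as a failure (OpenID Connect
// requires redirect_uri in the authentication request).
function checkRedirectUri(authUrl, tokenBody) {
  const sent = new URL(authUrl).searchParams.get('redirect_uri');
  const exchanged = new URLSearchParams(tokenBody).get('redirect_uri');
  const reasons = [];
  if (sent === null) reasons.push('authorization request has no redirect_uri');
  if (exchanged === null) reasons.push('token request has no redirect_uri');
  if (sent === null || exchanged === null || sent === exchanged) {
    return { ok: reasons.length === 0, sent, exchanged, reasons };
  }
  if (decodeOnce(exchanged) === sent) reasons.push('token request value is encoded twice');
  if (decodeOnce(sent) === exchanged) reasons.push('authorization request value is encoded twice');
  if (stripSlash(sent) === stripSlash(exchanged)) reasons.push('trailing slash differs');
  const a = parseUrl(sent);
  const b = parseUrl(exchanged);
  if (a && b && reasons.length === 0) {
    if (a.protocol !== b.protocol) reasons.push('scheme differs');
    if (a.host !== b.host) reasons.push('host or port differs');
    if (a.pathname !== b.pathname) reasons.push('path differs');
    if (a.search !== b.search) reasons.push('query string differs');
  }
  if (reasons.length === 0) reasons.push('values differ');
  return { ok: false, sent, exchanged, reasons };
}

// Demo run over constructed cases: [value in auth request, encoded value in token request].
const demoCases = {
  identical: ['http://localhost:9090/cb', 'http%3A%2F%2Flocalhost%3A9090%2Fcb'],
  doubleEncoded: ['http://localhost:9090/cb', 'http%253A%252F%252Flocalhost%253A9090%252Fcb'],
  differentPath: ['http://localhost:9090/', 'http%3A%2F%2Flocalhost%3A9090%2Fcb'],
  trailingSlash: ['http://localhost:9090/cb/', 'http%3A%2F%2Flocalhost%3A9090%2Fcb'],
};
for (const [name, [authValue, tokenValue]] of Object.entries(demoCases)) {
  const result = checkRedirectUri(sampleAuthUrl(authValue), sampleTokenBody(tokenValue));
  console.log(name, result.ok ? 'match' : result.reasons.join('; '));
}
```

The client's "valid redirect uris" pattern limits which values an authorization request may use; this check is only about the two requests agreeing with each other.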
The 'SAML Metadata IDPSSODescriptor' entry does not appear in the format option on the Keycloak SAML Client Installation tab.
by jiojiojijo fjafajfdsojo
Hello,
I'm using Keycloak 4.8.3.Final now, and I'm trying to move to the Keycloak
6.0.1.
The Keycloak 6.0.1 works fine without any problems, but I have a problem
with the SAML client I set up to log in to the AWS web console.
The documentation on how to work with Keycloak and AWS tells me to download
metadata by selecting the 'SAML Metadata IDPSSODescriptor' item on the
Keycloak Installation tab.
-
https://blog.scandiweb.com/article/sign-in-to-amazon-aws-using-saml-proto...
But I couldn't find 'SAML Metadata IDPSSODescriptor' format option in the
Keycloak Installation above 4.8.3 version. Only when I installed 4.8.3 I
was able to see 'SAML Metadata IDPSSODescriptor' format option.
Below is a screenshot showing the 'SAML Metadata IDPSSODescriptor' format
option in the Keycloak 4.8.3.Final.
This is good without any problem.
[image: Screen Shot 2019-08-25 at 11.43.50 PM.png]
But please see the screenshot of Keycloak 6.0.1 below.
I couldn't find the 'SAML Metadata IDPSSODescriptor' format option in that
Keycloak 6.0.1.
[image: Screen Shot 2019-08-25 at 11.45.58 PM.png]
I made both versions of the Keycloak client setup the same but it works
like this. I repeated the installation several times and got the same
result.
How has metadata been changed in the next version of Keycloak 4.8.3.Final?
Please let me know if there is anything I can refer to.
Thanks.
5 years, 4 months
Problem: ORA-00001: Unique Constraint Error by Ldap group in group
by Pühringer Stefan
Hello!
We are currently evaluating Keycloak version 6.0.1, but we ran into an error while syncing LDAP groups in groups.
My test structure in LDAP is:
Testgroup (Top Level Group)
-> Subgroup (Part of Testgroup)
User 1 (Part of Subgroup)
At the sync process we get following error:
Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: Unique Constraint (KEYCLOAK.SIBLING_NAMES) verletzt
at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:494)
at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:446)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:1054)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:623)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:252)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:612)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:226)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:59)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:910)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1119)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3780)
at oracle.jdbc.driver.T4CPreparedStatement.executeInternal(T4CPreparedStatement.java:1343)
at oracle.jdbc.driver.OraclePreparedStatement.executeLargeUpdate(OraclePreparedStatement.java:3865)
at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3845)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(OraclePreparedStatementWrapper.java:1061)
at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:175)
... 97 more
Caused by: Error : 1, Position : 0, Sql = insert into KEYCLOAK_GROUP (NAME, PARENT_GROUP, REALM_ID, ID) values (:1 , :2 , :3 , :4 ), OriginalSql = insert into KEYCLOAK_GROUP (NAME, PARENT_GROUP, REALM_ID, ID) values (?, ?, ?, ?), Error Msg = ORA-00001: Unique Constraint (KEYCLOAK.SIBLING_NAMES) verletzt
at oracle.jdbc.driver.T4CTTIoer11.processError(T4CTTIoer11.java:498)
... 113 more
Does someone have the same problem or a solution (I found this related and closed issue: https://issues.jboss.org/browse/KEYCLOAK-5405 )?
Thanks!
Stefan
5 years, 4 months
Query on high availability- HA of Keycloak docker
by vijay
Hi All,
For development my setup has two keycloak containers on single VM along
with postgres sql. I am following the document mentioned
https://github.com/jboss-dockerfiles/keycloak/tree/master/server .
I am starting the keycloak and keycloak2 docker containers with
docker run -p 8080:8080 --name keycloak --link postgres:postgres \
  -e JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING -e POSTGRES_DATABASE=keycloak \
  -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password \
  -v $HOME/docker/volumes/keycloak:/tmp -d jboss/keycloak
docker run -p 8081:8080 --name keycloak2 --link postgres:postgres \
  -e JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING -e POSTGRES_DATABASE=keycloak \
  -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password \
  -v $HOME/docker/volumes/keycloak2:/tmp -d jboss/keycloak
In the server logs of both keycloak containers I see below error logs -
19:02:01,596 WARN [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.keycloak-server.war" is using a private module ("org.kie") which may be changed or removed in future versions without notice.
19:02:02,181 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 60) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalStateException: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.IllegalStateException: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:58)
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:67)
... 7 more
Caused by: java.lang.IllegalArgumentException: Either the 4 configuration properties starting with 'connection_' or the datasource_jndi_name must be set
at org.jgroups.protocols.JDBC_PING.verifyConfigurationParameters(JDBC_PING.java:421)
at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:102)
at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:847)
at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:837)
at org.jgroups.JChannel.<init>(JChannel.java:200)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:96)
... 9 more
Any hint will be helpful.
Thanks,
Vijay
5 years, 4 months