Is there a Keycloak REST API for users
by Shiva Prasad Thagadur Prakash
Hi Guys,
Does Keycloak have a user REST API like it has the Keycloak admin REST API?
If so, is there documentation for the user REST API? For example, can a
user change or reset his own password via a REST API instead of doing
it through the UI? Eagerly waiting to hear from you.
Thanks,
Shiva
5 years, 4 months
IdP Initiated SSO
by Chris Stephens
Hello,
Thanks for the great product. We have set up several instances of Keycloak as the SP utilizing SP-initiated SSO to external IdPs. Everything in that process is going smoothly. We have an external IdP that wants us to use IdP-initiated SSO to connect to their IdP. The current client protocol is openid-connect. We are using Keycloak 5.0.
1. Is it possible for a Keycloak service provider client using the openid-connect protocol to perform IdP-initiated SSO? I believe we have to set the client up using the saml protocol. Is this correct?
1a. If it is not possible, are there any workarounds that I can use? My app is using an openid-connect public client. How can I use IdP-initiated SSO in this scenario?
2. We need to provide the IdP the public key used to sign the assertions. Are the keys used to sign the assertions located in the Keycloak admin console > realm settings > keys > Providers tab?
Thanks,
Christopher Stephens
Software Engineer | EdLogics
chris.stephens(a)edlogics.com
5 years, 4 months
Keycloak "SSSD" user federation option doesn't show up in the drop-down menu
by Miroslav Beranič
Hi all,
I have the same problem as described in an existing JIRA:
https://issues.jboss.org/browse/KEYCLOAK-8095
I have followed suggested documentation located at:
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
With these differences:
- I do not use Docker; I am using a standalone computer node
- I use DNS, so I did not update the /etc/hosts file
- I run as the root user (I've tried both; with a dedicated user also, same
result)
(in the file /etc/sssd/sssd.conf I have:
[ifp]
allowed_uids = root
)
[root@sso keycloak-8.0.0-SNAPSHOT]# sssctl user-checks admin -s keycloak
user: admin
action: acct
service: keycloak
SSSD nss user lookup result:
- user name: admin
- user id: 804200000
- group id: 804200000
- gecos: Administrator
- home directory: /home/admin
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: admin
- uidNumber: 804200000
- gidNumber: 804200000
- gecos: Administrator
- homeDirectory: /home/admin
- loginShell: /bin/bash
- sn: Administrator
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
Is there any additional validation test I can run to validate the server setup?
Kind Regards,
Miroslav
--
Miroslav Beranič
MIBESIS
miroslav.beranic(a)mibesis.si
https://www.mibesis.si
5 years, 4 months
Help getting External token to Internal Token Exchange right
by Leandro Del Sole
Hello,
I've been struggling to get the
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
working.
First, I tried on version 3.4, the first version to have this feature. In
my company, we're slowly updating our version of Keycloak; it is a bit old.
After some tries, I changed the Keycloak version to 6.0.1 because I think it
will be easier for me to get support from you.
I got the same error in both versions. Below the scenario in 6.0.1 is described:
Well, I want to get an external token, minted by another realm of my own
Keycloak, "connect", and exchange it for an internal token of another realm
of my Keycloak, "emm".
To enable this feature and others for testing, I included in standalone.conf:
JAVA_OPTS="$JAVA_OPTS -Dkeycloak.profile.feature.token_exchange=enabled \
  -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled \
  -Dkeycloak.profile=preview -Dkeycloak.profile.feature.scripts=enabled"
This enabled the Permissions tab as expected. However, after opening it,
when I click on "Permissions Enabled" to change the switch from off to on,
the message "*Error!* An unexpected server error has occurred" pops up.
This happens in both Permissions tabs, in the client edit and the IDP edit.
In the server log:
> 17:07:48,338 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: java.lang.NullPointerException
>     at org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:263)
>     at org.keycloak.services.resources.admin.permissions.MgmtPermissions.findOrCreateResourceServer(MgmtPermissions.java:242)
>     at org.keycloak.services.resources.admin.permissions.ClientPermissions.initialize(ClientPermissions.java:95)
>     at org.keycloak.services.resources.admin.permissions.ClientPermissions.setPermissionsEnabled(ClientPermissions.java:198)
>     at org.keycloak.services.resources.admin.ClientResource.setManagementPermissionsEnabled(ClientResource.java:658)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
....
It continues, but has no other cause or information in the stack.
In version 3.4.2, the stack is:
> 16:43:34,740 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-28) Uncaught server error: java.lang.NullPointerException
>     at org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:262)
...
I tried to run a curl to make the exchange and the error is the same as
above.
Additionally, I tried to make the exchange with a Google IDP as in
https://www.mathieupassenaud.fr/token-exchange-keycloak/, using the Google
OAuth Playground. Same error again.
I hope someone can help me or point me to a resource, like a tutorial that
covers all the steps and works properly.
Best Regards and thank you in advance,
Leandro Del Sole
5 years, 4 months
Keycloak ERROR: Failed to add user 'xxx' to realm 'xxx': user with username exists
by Hossein Doutaghy
Hi,
We are seeing the following errors in the server.log of those Keycloak
servers that use a database that had already been initialized before and
already has all the tables. As far as I know, these errors are expected, as
the realm and user already exist in the database. We do not want to forward
these errors to our logging server, so is there a way to remove/disable
these logs?
06:19:46,301 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 59) SQL Error: 1062, SQLState: 23000
06:19:46,302 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 59) (conn=58) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
06:19:46,353 ERROR [org.keycloak.services] (ServerService Thread Pool -- 59) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
Thanks,
Moe Doutaghy
5 years, 4 months
Keycloak adapter in Wildfly domain mode
by No Reply (Conta de Teste)
Hello,
I am using WildFly 10.1.0.Final as Domain Controller with 2 slaves.
I have found documentation about installing the Keycloak adapter only in
standalone mode.
Does anyone have documentation with steps to install it in domain mode?
When I try to deploy an application, I receive this message:
UT010039: Unknown authentication mechanism KEYCLOAK"},
Thanks for your response.
5 years, 4 months
Alternative authentication systems: SPI, token exchange, or IDP?
by Aaron Harnly
Hi all,
I'd like your thoughts on the best way to integrate, in an adequately
decoupled way, "alternative" login systems with Keycloak.
Background: We are building or have built support for alternative
authentication mechanisms, including the LTI standard for education
technology single-sign-on, QR code-based login for young students,
simple "autologin" buttons for demo accounts, and other alternative
login methods for very young students.
We see three obvious options for implementing these:
1. Authentication SPI (i.e. build a custom authenticator flow and
package it into Keycloak)
2. Token exchange (i.e. the upstream system performs its authentication,
then does token exchange to obtain a token for the target user,
placing it into a Keycloak cookie)
3. IDP, i.e. the upstream system performs its authentication, then acts
as an IDP to Keycloak via SAML or OAuth
Currently we've done pathway #2, which is relatively decoupled,
requiring a single POST from the authenticator to Keycloak. But we
don't love that we have to (as we understand it) place the token into
a Keycloak cookie, which feels like we're diving into Keycloak
internals.
#1 (Authentication SPI) seems reasonable, but couples very tightly to
Keycloak, and requires that it be built in Java, which not all of our
teams prefer, and couples development and deployment with Keycloak.
I'd love to hear about experiences from people who have built
Authentication SPIs, though.
#3, building a wholly separate authenticator which uses SAML or OAuth
to establish Keycloak sessions, is very decoupled, but requires
incorporating OAuth or SAML libraries and keeping them all up to date,
which is sort of why we've invested in Keycloak to begin with :)
Any thoughts?
-Aaron
5 years, 4 months
Access tokens in Queue based systems
by Pavel Micka
Hello everyone,
We are using Keycloak (OIDC) in our system and it has proven to be a great solution for HTTP-based communication. But we have a slight issue with figuring out how to correctly pass the access tokens through queues. The point is that we have a partially streaming system and we want to make sure that if an attacker manages to send messages to Rabbit, the messages will not be authorized by clients. That is the theory.
We can send the access tokens through the queue... but the messages may rot in the queue for quite some time (our SLA is in hours), so that would mean a long validity for the token (and that may cause issues in case the token is somehow leaked).
A better option would be to have a long-validity token but scope it to the content of the message. But you know... streaming application... there can be thousands of messages a second. And that may cause big scalability issues when bombarding Keycloak for each and every message in the system.
Is there some better approach with OIDC? Or should I look at some additional non-KC solution?
Thanks!
Pavel
5 years, 4 months
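As an added example that is not part of Pavel's post or of Keycloak itself: a Go consumer that validates a Keycloak-style RS256 access token locally and then replays the queue timing described above. The key pair, realm URL, client id, token lifespan and timestamps are stand-ins generated or constructed inside the code; a real consumer takes the public key from the realm's JWKS endpoint once and caches it. Pinned algorithm, signature, issuer, audience and expiry are all checked without a round-trip to Keycloak, which is what keeps per-message verification cheap, while the second verification shows the other half of the problem: a token minted with a 5-minute lifespan is rejected once the message has sat in the queue for two hours, so it is the token's lifetime, not Keycloak's throughput, that has to be designed around.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a queue consumer checks.
// Simplification: "aud" is a string here; Keycloak can also emit an array.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// decode tolerates a malformed segment: the truncated bytes come back and are
// rejected by the JSON or signature checks in Verify.
func decode(s string) []byte {
	b, _ := enc.DecodeString(s)
	return b
}

// Mint signs an RS256 JWT shaped like a Keycloak access token. Only the realm
// does this in practice; it is here so the example runs offline.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c) // plain struct, cannot fail
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify is what a consumer runs per message: pinned algorithm, signature,
// issuer, audience and expiry are checked locally against the realm public key
// (fetched once from the realm JWKS endpoint in real use), no call to Keycloak.
func Verify(pub *rsa.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string } // never let the token pick the algorithm
	if json.Unmarshal(decode(parts[0]), &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected or unreadable header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], decode(parts[2])) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(decode(parts[1]), &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != audience {
		return nil, fmt.Errorf("token for issuer %q, audience %q", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Scenario replays the queue problem: the same token passes when the consumer
// reads the message right away and fails after it sat in the queue for hours.
func Scenario() (freshAccepted, staleRejected bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the realm key
	if err != nil {
		return false, false, err
	}
	const issuer = "https://sso.example.com/auth/realms/streaming" // hypothetical realm
	const audience = "queue-consumer"                             // hypothetical client
	enqueued := time.Unix(1700000000, 0)                           // constructed timestamp
	// 5-minute token lifespan assumed; the real value is a realm setting.
	token, err := Mint(key, Claims{Iss: issuer, Aud: audience, Exp: enqueued.Add(5 * time.Minute).Unix()})
	if err != nil {
		return false, false, err
	}
	_, errFresh := Verify(&key.PublicKey, token, issuer, audience, enqueued.Add(10*time.Second))
	_, errStale := Verify(&key.PublicKey, token, issuer, audience, enqueued.Add(2*time.Hour))
	return errFresh == nil, errStale != nil, nil
}

func main() {
	fresh, stale, err := Scenario()
	fmt.Println("fresh message accepted:", fresh, "| 2h-old message rejected:", stale, "| error:", err)
}
```

Run it with `go run`: the fresh message is accepted and the two-hour-old one is rejected as expired. Nothing in Verify needs the network, so the same check scales to thousands of messages a second; what it cannot do is make a short-lived token valid again, which is why the token lifetime versus queue dwell time is the real design decision.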
Permission request with no resources
by Corentin Dupont
Hi all,
I find one little thing strange in the permissions API.
If I request permissions with some resources in my client, it works well:
$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#gateways:view&response_mode=permissions"
The response is:
[{"scopes":["gateways:update","gateways:view","gateways:delete"],"rsid":"gateway-GW1","rsname":"GW1"}]
However, if I request permissions when there are no resources at all in my
client, the response is:
[{"scopes":["gateways:view"]}]
Why not the empty list?
Thanks a lot and good vacations!
Corentin
5 years, 4 months