September 2019 - keycloak-user - Jboss List Archives

How to configure my client for use ADMIN REST API [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/'

by Christophe Lehingue

Hello, how to configure a client so that the user can use the user removal API? [DELETE]: https://keycloaksrv.fr/auth/admin/realms/myclient/users/fdskgjdkdjkgjf-sd... Whenever I try to call this request REST => I get the following error message: "resulted in a 401/403 Unauthorized`" Can you help me ? Thank you

6 years, 4 months

4
4
0 / 0

Feature Request

by Sushil Singh

Hi, As of now there is support of only http-method-as-scope when policyEnforcer is enabled inorder to get the mapping between application scopes and keycloak defined scopes. But I want to use keycloak not only for rest api's but for other use cases where I can have application specific custom resources (independent of URI requested) and actions(scopes). i want some API to provide support for custom resources as well as scopes ex-: I have a pipeline to run and it can have actions like STOP ,RUN , RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding a functionality where user can use custom scopes would be of great help and extend its usability for non rest api's also. https://issues.jboss.org/browse/KEYCLOAK-11300 Thanks, Sushil Pratap Singh

6 years, 4 months

2
2
0 / 0

Keycloak Offline User Sessions and Online User Sessions

by Nagendra Darla

Hello Keycloak experts, We have below challenges in out project where we are building User Access Management using Keycloak. 1. *Offline User Sessions:* When a Offline token is used from two different machines, There is only one Session that will be created and session will have the IP address of the machine from where the User Session is first created. Because of this we cannot suspect any suspicious activity by hackers. Should n't we create different sessions even though same offline token is used from different machines. 2. *Why there is no separate REST end point to get only Online User Sessions: *Below REST end point returns all the User Sessions ie., both Offline and Online User Sessions. GET /{realm}/clients/{id}/user-sessions You help is much appreciated ! Thank you, Nagendra Darla

6 years, 5 months

1
1
0 / 0

resource ids

by Corentin Dupont

Hi guys, I discovered that you can provide your own id when creating resources: curl -X POST " http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{*"_id": "123-456"*, "type": "test", "name":"test", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}' This is very practical for synchronizing the resources with my own database. After some investigation, I found: - the ID should be unique - the name should be unique Is that correct? The resource type is not used in the unicity. In my application database, resources with different types are stored in different collections, so two resources with different types *can* have the same ID. How do you suggest to solve this in Keycloak? Providing a keycloak ID of the form <type>-<ID> for example? e.g. sensor-123 and project-123 would not collide. Cheers

6 years, 5 months

3
10
0 / 0

Keycloak does not found SPI User Storage provider

by Alfonso Vidal García

Good morning, I have configured a Spring Boot project with connection to Keycloak, and also I want to install a Custom SPI User Provider external to Keycloak. I did all the steps to do the Provider and ProviderFactory, and also the file in META-INF/services, and when I try to deploy on Wildfly to connect with Keycloak, fails, 12:52:26,079 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar" at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)> at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)> at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)> at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)> at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)> at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)> at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)> at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)> at java.base/java.lang.Thread.run(Thread.java:834) Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader] at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)> at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)> at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)> ... 8 more Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)> ... 10 more 12:52:26,081 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 8) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\" Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader] Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}} 12:52:26,082 ERROR [org.jboss.as.server] (management-handler-thread - 8) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\" Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader] Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}} I try to search in all internet about solutions about that, and I am blocked, so If you could tell if anything is missing. Thank you. Alfonso Vidal. P Please consider the environment before printing this e-mail.

6 years, 5 months

2
3
0 / 0

Keycloack Multi -Tenancy question

by Litom Segal

We are considering using Keycloack in a multi-tenant fashion. Each of our customer's account has its own users, and applications installed, and we also provide services API's consumed by various clients. We will have a large number of tenants. I found an open issue from 2017 that mentions that Keycloak may have some scalability issues with a large number of realms. https://issues.jboss.org/browse/KEYCLOAK-4593 And also this thread from 2016, https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html, that states that "Keycloak was not designed to support multi-tenancy directly."..."In that regards we have never tested with high amounts of realms as we expect there to be few realms (up to 10 most likely)." I was wonder if there was any progress on the multi-tenancy use case, and are there any best practices on how to setup Keycloack to support it. On the other hand, is there any other approach to handle our use-case? Thanks, Litom -- Litom Segal Software Engineer T: +972-74-700-4097 <https://www.linkedin.com/company/164748> <https://twitter.com/liveperson> <https://www.facebook.com/liveperson/?ref=bookmarks> Our mission is to make life easier by transforming how people communicate with brands. <https://liveperson.docsend.com/view/drieh2u> -- This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this on behalf of the addressee you must not use, copy, disclose or take action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply email and delete this message. Thank you.

6 years, 5 months

4
6
0 / 0

Account Management Rest API

by Corentin Dupont

Hello, I wanted know the status of the new account Console and API (see message copied bellow)? I have an application developed in ReactJS, which is using Keycloak account pages generated by Keycloak (4.4.0). I would like to add additional elements to the account page, that are not controlled by Keycloak. Notably, I need to access the Redux store and make some HTTP requests to an eternal API. What do you suggest? I was thinking to re-do completely the account pages with React, and retrieve the data from Keycloak using API. However I'm not sure the account management API is ready on Keycloak side. Thanks Corentin Stan Silvert wrote on Mon Apr 15 12:32:07 EDT 2019: Right now this API is in development and subject to change at any time. We are hoping to have it completed in the next few months. Also, we are working on a new Account Console that will use PatternFly 4 and React. It will be easy to extend, so you can add your own pages. It will work better on mobile devices. And of course, you will be able to change it around with different themes and such. So building your own console from this new Account Console might be a better option than building the whole thing from scratch. If you are interested, the code is here along with a readme that tells how to build and run. It's very much a work in progress:https://github.com/keycloak/keycloak/tree/master/themes/src/main... I still need to document how to create extensions, so let me know if you are interested in that. Stan On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote: >* Hi guys, *>* I'd like more information about the AccountRestService class *>* (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... <https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>) *>>* 1. I noticed that there are still a couple of TODO (such as Identity *>* Providers management), is there a roadmap for the development of this *>* missing features? *>* 2. Are these API public or for internal use only? I'd like to use them *>* to implement a custom Account Management page for my application. *>* 3. How stable are they? How likely is it that they will change or *>* disappear in the (near) future? *>>* Thanky you. *>* Best regards *>>* -- *>>* GABRIELE RABBIOSI *>>* BeePMN Software Engineer *>>

6 years, 5 months

3
5
0 / 0

multiple reset credentials flows

by Arnault BESNARD

Hi, We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario. Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case. What is the best way to solve our issue? Thanks in advance, Arnault

6 years, 6 months

1
2
0 / 0

oidc token_type: "bearer" vs "Bearer"

by Christophe de Vienne

Hi everyone, While (unsuccessfully) attempting to connect a oidc service provider, I found out that the token_type set by keycloak is "bearer", while my service provider expects "Bearer". Digging the specifications it seems that "Bearer" is the right token_type (see https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse and https://tools.ietf.org/html/rfc6750#section-6.1.1). Should we consider this a keycloak bug? Would a PR fixing this be accepted? Cheers, Christophe

6 years, 6 months

2
1
0 / 0

Storing and using refresh tokens

by Marius Bozem

Hey everyone, I am working on using refresh tokens to get new access token when the old one expires. For that I would like to know the best practices regarding: - What is a secure and easy way of implementing the use of refresh tokens? In more detail, these are the questions I have: - How and where to store refresh tokens? We plan on storing them in our back end service. A user would then have a session with our service that would be used to get the refresh token for them. - Where and how will the use of the refresh token be triggered? At some point the access token will expire, should the front end then make a request to the back end to get a new token? - In this front end & back end setup how do you deal with the user having multiple tabs of the application open or using multiple browsers? Thanks in advance, Marius

6 years, 6 months

1
0
0 / 0

keycloak theming - Realm name instead of logo in login page

by Wilfried Anuzet

Hello all, I just have a little question about theming keycloak. I copy the default theme folder and modify a bit the css and logo to make a custom login page. After I import the newly created theme I apply it and it works well for the master Realm, but when I apply this theme to another Realm I've the Realm name that appears on the login page instead of my logo. How can I make my logo appears instead of the realm name ? Is it something to configure in keycloak ? or a property to change in the theme.properties ? Bests regards. Wilfried Anuzet

6 years, 6 months

2
1
2 / 0

Keycloak does not found Provider Factory

by Alfonso Vidal García

I have configured a Spring Boot project with connection to Keycloak, and also I want to install a Custom SPI User Provider external to Keycloak. I did all the steps to do the Provider and ProviderFactory, and also the file in META-INF/services, and now Wildfly fails with, 14:20:43,656 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar" at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183) at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737) at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699) at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557) at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:588) at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1211) at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1220) at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1264) at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1299) at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1384) at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60) at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.ProviderManager.load(ProviderManager.java:92) at org.keycloak.keycloak-services@7.0.0//org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:214) at org.keycloak.keycloak-services@7.0.0//org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:115) at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.keycloak-wildfly-server-subsystem@7.0.0//org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:55) at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176) ... 8 more 14:20:43,657 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\" Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found"}} 14:20:43,658 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\" Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found"}} Anyone knows what it is happening? P Please consider the environment before printing this e-mail.

6 years, 6 months

1
0
0 / 0

Token Exchange

by James Mitchell

Where should I look for the code for token exchange? I am getting an invalid token error for one particular identity provider, and wI want to see what sort of logic the code uses to decide whether to validate and swap tokens. I have my code working ok for a standard Google oauth provider, so I have already fixed issues with users not being enabled when I try to exchange tokens, and making sure I have a valid userinfo url. My suspicion is I have an error with the userinfo url - which is not a standard oidc endpoint, but it is returning a 200 OK status when I hit it by hand with the access token. Thanks, James ---- *James Mitchell* Developer e: jamesm(a)suitebox.com w: www.suitebox.com *SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ

6 years, 6 months

1
1
0 / 0

Keycloak 404s and issues after 4.3.0 upgrade/restore

by Nathan McGinnis

Hi, I am running the Keycloak 4.3.0 docker image in standalone mode with a PostgreSQL 10.4 backend. In attempt to migrate this system to one of our Kubernetes clusters, I took a backup of the keycloak database and restored it to the new instance. Starting a newer version of keycloak (I've tried 4.8, 5.x, 6.x all with the same issue) which connects to the newly restored DB runs the liquibase scripts successfully and all appears well in the startup logs. When I navigate to my instance in the browser I can login to the master realm using my existing credentials, however selecting any realm (or any link after that) results in a 404. I see the URL is malformed which is why I get the 404: https://keycloak.example.com/auth/admin/master/console/#/realms//clients Notice the "realms//clients" part. If you correct this URL manually the page spins/loads until Keycloak's transaction reaper kills the request. I have attached the full startup log. Has anyone ran into this before or possibly have any insight/suggestions? Thank you!

6 years, 6 months

1
0
0 / 0

User admin on master not found

by Henning Waack

Hi. Using KC 5.0.0 (migrated from 4.x, long running since then), we suddenly have the problem that we cannot login with the "admin" user to the master realm. Using another master user, when listing all users in the console we do not see the admin user. Searching for the admin user explicitly, the user is listed. Clicking on the user results in a 404. The user is also listed in the database table USER_ENTITY and just looks fine to me. No entry is shown in the server.log (with log level DEBUG). Any ideas? Thanks & greetings Henning -- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> | <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>42697 Solingen <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> |Deutschland <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal Vorstand: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen Schütz Diese E-Mail einschließlich evtl. beigefügter Dateien enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail und evtl. beigefügter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder Öffnen evtl. beigefügter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.

6 years, 6 months

1
0
0 / 0

Support for OpenID Connect Federation 1.0

by Paul Templeman

Hi Just wondering if there are any plans for Keycloak to support OpenID Connect Federation 1.0? See https://openid.net/2019/06/25/openid-connect-federation-progress/ Regards Paul

6 years, 6 months

1
0
0 / 0

Re: [keycloak-user] Sign in with Apple?

by Hans Zandbelt

On Thu, Sep 26, 2019 at 6:01 PM <keycloak-user-request(a)lists.jboss.org> wrote: > it to start the process, goes to Apple's server and authenticates but then > when it redirects back to Keycloak, Apple uses a POST request to send back > the state and code instead of a GET. It looks like the OIDC provider only > supports GET ( > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... > < > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>) > is there any way around this without creating a custom provider? > That looks like a configuration issue then. Sign in with Apple does support the regular response mode using query parameters for the "code" response type. Hans. -- hans.zandbelt(a)zmartzone.eu ZmartZone IAM - www.zmartzone.eu

6 years, 6 months

1
0
0 / 0

HS256 Shared Secret

by Sam Lewis

How do you retrieve and HS256 shared secret?

6 years, 6 months

4
5
0 / 0

Authenticator flows alternative processing - Keycloak 4.8.3

by Cliff MAURY

Hello, We have to implement an authenticator flow to handle the following scenarios : - EITHER user fills in the login form, he/she can be log into the app (Username Password Form) - OR users click on a new link 'First connection ?' on the login page, he/she sould be redirected to a flow with 'Choose User' and 'Send Email Validation' (custom authentificator). Here is the configuration of the custom browser flow : - Cookie : ALTERNATIVE - Custom Browser : ALTERNATIVE - Custom Username Password : REQUIRED - First Connection : ALTERNATIVE - Choose User : REQUIRED - Send Validation Email (custom authentificator) : REQUIRED We tried to override UsernamePasswordForm:action() (in a custom new class) in order to do context.attempted() and so ignore this step and go into the First Connection flow (ie display the "Choose User" Form) but it doesn't work at this time. We are lost into DefaultAuthenticationFlow (processFlow(), processAction()...) especially with processResult() (case ATTEMPTED) that throws an AuthenticationFlowException when execution is REQUIRED (line 278 / keycloak 4.8.3.Final) Does someone see what we can do please ? Regards, Cliff MAURY

6 years, 6 months

1
0
0 / 0

User roles are not updated when the user is already created

by Mehdi Bechiri

Hey there, This is related to KEYCLOAK-8690<https://issues.jboss.org/browse/KEYCLOAK-8690>. We are a few having some issues with regards to SSO, notably about the non-update of user roles when something is updated on the IdP side. Basically, when we set SSO up, at first login we go through the first broker login flow, which creates the user in the db and gives this user all the roles he should have depending on the mapping we created, in our case “Claim to role” mappers. In our case, each role in keycloak has a corresponding Azure AD group, where we manage all of our users and where our IAM strategy sits. Our problem begins when we update the groups on AAD. When we remove the user from a particular group, the role in keycloak is removed at the next login. Which is expected. But when we had this user in a new group, we expect the corresponding role to be added at the next login. Which is not the case. For me it is a strange behavior to allow remove but disallow add. Our workaround today – which is not sustainable on the long run – is to delete the user prior updating him in AAD with new group, so that each time he will go through the first broker login flow and gets the right roles. The Jira mentioned above is about that, and you reply that it is not a bug and therefore, it doesn’t need to fixed. Which we disagree on. Or maybe there is something in keycloak configuration that I’ve missed ? Could you expand on the rationale behind the logic ? Regards, Mehdi Bechiri Ops Lead +33.6.15.03.63.73 [Logo] Rue Adrien-Lachenal 20 » 1207 Genève » Switzerland komgo.io<http://www.komgo.io/> » LinkedIn<https://www.linkedin.com/company/komgo/> » Twitter<https://twitter.com/iokomgo>

6 years, 6 months

1
0
0 / 0

OIDC / SAML client access restriction

by Steeve C

Hi, I'm looking for a way to restrict user access to a given OIDC (and / or SAML) client for a given realm. I've tried to configure it using OIDC "Authorization" feature by modifying the "Default policy" JS code to: ``` $evaluation.deny(); ``` But without success, users are still able to connect to the client. I've also tried to create a client role, but even if the user doesn't have this role he can login to the application. Can you confirm me that it is possible to restrict user login access to given user(s) / group(s) at the IdP level (keycloak) without modifying the client (like without checking which role the user have)? If it's possible, then could you explain me which process should I use? (it's not very clear to me at the moment). Thanks, Steeve

6 years, 6 months

2
2
0 / 0

Sign in with Apple?

by Jeffrey Sambells

Is there a way to configure Sign In with Apple using the existing Keycloak tools or does it require a custom identity provider? Thanks, Jeffrey

6 years, 6 months

3
3
0 / 0

Admin console: Custom roles

by Pavel Micka

Hi, We hit the following issue: in our system, we need to have users, who are allowed to manage users, but not to delete them from the system (they may just disable them, so we still have the user object available for other parts of the system). The issue is that Keycloak does not have a role for this particular task - whoever has manage-users, can also perform the delete. Is there any way to extend the default KC behavior and add a role requirement for the given REST endpoint? Our idea was to introduce a role delete-users, that will be required for this operation (either as a replacement for manage users for this endpoint, or as additional pre-requisite). Or is there some other way to achieve this? Thanks, Pavel We also looked at fine-grained permissions, but those do not seem to support this scenario.

6 years, 6 months

1
0
0 / 0

Link directly to the Registration page

by Stuart

Hi all, Is it possible to send users directly to the 'register' page, instead of going via the login page first? I've tried pasting the 'register' link, but I get errors if I've not visited the login page first. (I guess because if the tab_id parameter). Thanks, Stuart.

6 years, 6 months

2
5
0 / 0

register new user; redirect to specific client url

by John Norris

I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results. Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email. This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak. What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user. So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app? I realise that I could set a default role. But I really want a way of telling keycloak to go to a specific URL after a new user registration is completed. Regards,

6 years, 6 months

3
7
0 / 0

get new access and refresh token with java

by Achraf Dely

Hello, I want to get new refresh token and access token when the access token expire with java can you help me please.

6 years, 6 months

1
0
0 / 0

refresh token in keycloak

by John Norris

Hello, I am trying to use a refresh token from keycloak. Little unsure as to what is supposed to happen. Am I supposed to receive another access token after the original expires? Anyway, I can use the original access token via curl and receive data from my application. But when It try to get a new access token using my refresh token, $ curl -v --data "grant_type=refresh_token&client_id=bikes-app&refresh_token=$RTOKEN" https://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-conne... * Trying 127.0.1.1... * TCP_NODELAY set * Connected to mint191 (127.0.1.1) port 8080 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * error:1408F10B:SSL routines:ssl3_get_record:wrong version number * Closing connection 0 curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number $ echo $RTOKEN eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzOWE1MjY3ZC03NDI1LTQwNmUtOTAxYi0wYWI5Mjc2NjJkMzkifQ.eyJqdGkiOiIyNjJlMGViZS1hODIwLTRjZGEtYjAxZC1hMmE2ZGFjNTYwNjYiLCJleHAiOjE1Njk0MDYwMDQsIm5iZiI6MCwiaWF0IjoxNTY5NDA0MjA0LCJpc3MiOiJodHRwOi8vbWludDE5MTo4MDgwL2F1dGgvcmVhbG1zL1NwcmluZ0Jvb3RLZXljbG9hayIsImF1ZCI6Imh0dHA6Ly9taW50MTkxOjgwODAvYXV0aC9yZWFsbXMvU3ByaW5nQm9vdEtleWNsb2FrIiwic3ViIjoiMDQxN2YxNTQtNGQ4MS00Yjg2LTk4MjctZTQxMzg4N2Q3NGNkIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImJpa2VzLWFwcCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjlhZDRmNTUyLTAwMDItNGY5ZS05ZGFlLTE4MmI4MjkxNTBlNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.WoX78QkWZX5AwYBKTy4I8H0ia0O1IR5A8dS93p6bzqg I get the original token with RESULT=`curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=user1&grant_type=password&client_id=bikes-app&password=123456' http://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-connec... and then get the token and refresh token variables. Regards, John

6 years, 6 months

1
0
0 / 0

Single-Realm installation, start page, less deep links?

by Felix Schäfer

Hello, I’m looking for some pointers regarding a few irks we still have with our Keycloak installation. Our Keycloak currently is a frontend for our LDAP and the place our users can change their password, emails, and so on. As this realm, i.e. the realm managing and fronting the LDAP, will ever be the only one, is there a way to change the / (root) link to go to that realm or its login page instead of showing the default start page? Furthermore, the /auth/realms/some-realm part of the URL feels kinda redundant, any way I can just remove it, and be it with a rewriting rule in our reverse proxy? Thanks, Felix

6 years, 6 months

2
3
0 / 0

Re: [keycloak-user] Map group attributes to users

by i need to know how to add new attribute to user with keycloak admin rest api

I want to add custom attribute to user with java admin rest api can you help me please or give me exemple.thanks. Sent from Mail for Windows 10

6 years, 6 months

2
1
0 / 0

web.xml constraints question

by Turner, George

First, I using the adapters in a WildFly server. I am using a web application configuration. All works well, but for a possible "nuisance" I am seeing in the logging, that may just be because I have TRACE logging turned on. My web.xml has two security constraints, but only one has a user role constraint, thus the "unprotected" resources should be entirely ignored by the Keycloak processing: <security-constraint> <web-resource-collection> <web-resource-name>unprotected</web-resource-name> <url-pattern>/shortcut.ico</url-pattern> <url-pattern>/features/*</url-pattern> <url-pattern>/plugins/*</url-pattern> <url-pattern>/registerForClock/*</url-pattern> <url-pattern>/registerForCallbacks/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>protected</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>PremiereClientAccessRole</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> My issue is I simply had too many problems with the websocket paths (register*) and so exclude them until I can get more time to work them. I also have to exclude the features and plugins paths, as those are accessed by a Java Web Start JNLP application, that simply cannot pass any kind of OAuth credentials, I can only make it pass a JSESSIONID query parameter. When that occurs, I get this output: 2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-8) Account was not in session, returning null 2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was no code 2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) redirecting to auth server 2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) callback uri: https://ispace.space.smil:8443/premiereclient/plugins/org.eclipse.equinox... 2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) Sending redirect to login page: https://iskeycloak:8443/auth/realms/ispace/protocol/openid-connect/auth?r... 2019-09-25 05:49:05,657 INFO [io.undertow.request.dump] (default task-8) ----------------------------REQUEST--------------------------- URI=/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar characterEncoding=null contentLength=-1 contentType=[application/x-java-archive] header=Accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 header=Cache-Control=no-cache header=accept-encoding=pack200-gzip,gzip header=UA-Java-Version=1.8.0_221 header=Pragma=no-cache header=User-Agent=JNLP/1.7.0 javaws/11.221.2.11 (<internal>) Java/1.8.0_221 header=If-Modified-Since=Tue, 24 Sep 2019 23:11:52 GMT header=Connection=keep-alive header=content-type=application/x-java-archive header=Host=ispace.space.smil:8443 locale=[] method=HEAD parameter=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX protocol=HTTP/1.1 queryString=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX remoteAddr=tlsdorl9166lg3.us.lmco.com/172.22.1.138:2503 remoteHost=tlsdorl9166lg3.us.lmco.com scheme=https host=ispace.space.smil:8443 serverPort=8443 isSecure=true --------------------------RESPONSE-------------------------- contentLength=0 contentType=null header=Connection=keep-alive header=Content-Length=0 header=Date=Wed, 25 Sep 2019 05:49:05 GMT status=200 It "says", it is sending a redirect, but there is no Location parameters in the RESPONSE, so it just downloads the jar and everything works fine, but it is "disconcerting" that it is "attempting", even though that URL is excluded per the security constraints. In the case of the websocket paths, something similar occurs: 2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-7) Evaluating request for path [https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...] 2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc... 2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate() 2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer 2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try query paramter auth 2019-09-25 05:49:25,700 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try basic auth 2019-09-25 05:49:25,700 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-7) NOT_ATTEMPTED: Treating as bearer only 2019-09-25 05:49:25,702 INFO [io.undertow.request.dump] (default task-7) ----------------------------REQUEST--------------------------- URI=/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773 characterEncoding=null contentLength=-1 contentType=null cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX header=Connection=upgrade header=Sec-WebSocket-Version=13 header=Sec-WebSocket-Key=06K18ImuBoSwY85ku2AtMA== header=Origin=https://ispace.space.smil header=Upgrade=websocket header=Cookie=$Version="1" header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil" header=Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil" header=Host=ispace.space.smil:8443 locale=[] method=GET protocol=HTTP/1.1 queryString= remoteAddr=/172.22.1.138:2525 remoteHost=tlsdorl9166lg3.us.lmco.com scheme=https host=ispace.space.smil:8443 serverPort=8443 isSecure=true --------------------------RESPONSE-------------------------- contentLength=-1 contentType=null cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; domain=null; path=/premiereclient header=Connection=Upgrade header=Set-Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; path=/premiereclient header=Sec-WebSocket-Location=wss://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773 header=Origin=https://ispace.space.smil header=Upgrade=WebSocket header=Sec-WebSocket-Accept=J5354J166p8qV08GoBhXAN6ZRjY= header=Date=Wed, 25 Sep 2019 05:49:25 GMT status=101 You can notice, the status is 101, so the upgrade succeeded, and all works fine, but once again, it is "disconcerting" that the adapters are doing anything at all, in an excluded URL. I get the same logging if I do not exclude the paths, but then I get a 401 and the upgrade fails. Please advise if you can give me something to try. I would like to not have to exclude either of these resources, but unfortunately there is zero ability for me to integrate Web Start in any way that I can find, so I can only hope to fix the websocket resources. Thanks Gene

6 years, 6 months

1
0
0 / 0

Add LDAP as external IdP

by Ajinkya Thakare

Hi all, Is there any way to add LDAP as an external IdP in keycloak? Any tools or libraries that can provide the IdP services over the top of LDAP? Thanks in advance for the help. Regards, Ajinkya Thakare

6 years, 6 months

1
0
0 / 0

Specifying LDAP/AD domain in login/token endpoint

by Ajinkya Thakare

Hi all, I have a multi-tenant SSO use-case where a set of application can be used by multiple organizations with their owns LDAP/AD configurations. I am trying to secure those applications using Keycloak and pretty much successful in doing so by adding individual organization’s LDAP configs in User Federation tab. However, I observed that for authentication from LDAPs, keycloak goes through all the LDAP configs added one by one, either by the order of their addition in Keycloak or by the priorities set in configuration, to check for the user credential until desired username and password matches. This is causing two main issues – 1. If same username is part of two organizations, it causes failure even when correct credentials belonging in a later LDAP are passed to the login/token API. Keycloak finds the same username in the first LDAP and sees the password is different and hence returns failure. 2. Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is down, authentication from all the successive LDAPs will fail. Can we instead have a solution where user can specify his/her organization’s domain along with the username, so that keycloak points directly to that particular LDAP config and not look into other LDAPs. This will solve both of the above problems. For example, we have same username ‘ajinkya.thakare’ in two organization’s domains ‘company1’ and ‘company2’. On the login page, if user can provide ‘ajinkya.thakare@company2’, keycloak should point to the LDAP config for company2 only. Here issue 1 is solved since the credentials for ‘ajinkya.thakare’ in company1’s domain are not checked anytime and hence not causing any failure for correct credentials from company2. Issue 2 is also solved since LDAP server for company 1 may be down sometimes, but we are not concerned with that anymore and hence enabling failover for LDAPs. Please let me know if this can be already achieved by any means. Or if there is any workaround for the same. Regards, Ajinkya Thakare

6 years, 6 months

1
0
0 / 0

add custom attribute with admin rest api

by Achraf Dely

hello, i need to create protocol mapper in order to map custom attribute to a user with keycloak admin rest api (java).can you give me exemple or guide.and think you.

6 years, 6 months

1
0
0 / 0

Execution Flow

by Stuart

Hi All, I'm a little confused with configuring alternative execution flows. I currently have the follow configured. Cookie Username Password Form TOTP Configured? <- Alternative OTP Form <- Optional No, SMS then <- Alternative SMS Auth <- Optional As you can guess, I want SMS auth to trigger if OTP is not configured. At the moment it seem that if OTP isn't configured, the OTP Form is skipped and authentication is successful and SMS is skipped. Is there a way to tell keycloak the if OTP is not configured then the 'TOTP Configured?' execution flow has failed, so the 'No, SMS then' execution flow is actioned? Thanks, Stuart.

6 years, 6 months

1
0
0 / 0

Obtaining JWT of a User

by İlhan Subaşı

As admin of a Keycloak server, can I obtain access-token of a particular user without knowing his password? Unfortunately impersonation doesn't help me because it does not contain neither his id nor his username.

6 years, 6 months

1
0
0 / 0

Unable to set relative redirect URIs

by Guy Marom

Hello, If I understand the docs correctly defining a client like this should work: [image: image.png] For me it doesn't, unless I actually set the Root URL to the domain name. Using Keycloak 4.6.0 Thanks

6 years, 6 months

1
0
0 / 0

Keycloak RBAC for nginx reverse proxy

by Popov, Viktor

Hello! May I ask you to have a look at my keycloak-related question on stackoverflow, please? https://stackoverflow.com/questions/58063550/keycloak-rbac-for-nginx-reve... Thanks for considering my request. Victor, DevOps engineer at [cid:61ACFA88.01D1E263.19330B3F.29CC3840_csseditor]

6 years, 6 months

1
0
0 / 0

Support multiple authentication in a single war

by Kavis Pandey

Hi, We have JSP+Servlet application (running on wildfly-10) that is configured with Keycloak using keycloak-wildfly adapter. We have used multi-tenancy feature of Keycloak and create the Keycloak Deployment object during runtime by implementing KeycloakConfigResolver. That works fine. Now we have a requirement where our application needs to fall-back to FORM based authentication instead of Keycloak based on certain conditions. So basically we need to support multiple authentication mechanisms during runtime (BASIC + KEYCLOAK) Is it possible ? Thanks in advance, Kavis

6 years, 6 months

1
0
0 / 0

Password Policy Question

by Dmitriy

Is there a way to customize password from within a realm? For example, if i have some users that have O365 accounts linked in keycloak with external IDP & have their own password rotation policies. I do not want to prompt such users to change the password. While keycloak manages accounts for those users that do not have O365 account & I would like to enforce policy in those instances. Any ideas would be appreciated. Thank you

6 years, 6 months

1
0
0 / 0

Creating a Keycloak Admin Client without a Password

by Chris Smith

Use case * The realm is federated with Active Directory * An end user creates him or herself using the standard out of the box kc self-service support * The only app they access is an web app for completing their registration. * This web app server (Tomcat) is running as a Active Directory Domain Admin. * This active directory Domain Admin is also a Realm Admin in Keycloak * All the info needed about the end user to complete their registration is available as odic claims and values entered by the user in the web app * The web app uses the Keycloak Admin Client to complete the user setup. * The Keycloak Admin Client is currently instantiated with an embedded the userid and password for the Realm Admin I really do not like having the AD Domain Admin user and password embedded in the web app. The same AD Admin user is configured into the KC AD LDAP/Kerberos federation with a Kerberos keytab file. Can the Keycloak Admin Client be instantiated from the AD Domain Admin running the Web App? Any AD experts have any recommendation about what are the minimum AD admin rights needed for the ad User running the Web App server and AD LDAP/Kerberos federation?

6 years, 6 months

1
0
0 / 0

Share resource with Direct Access Grants Enabled OFF

by Nicola Messina

i've read the documentation, this point in detail https://www.keycloak.org/docs/latest/authorization_services/index.html#ot... If i set Direct Access Grants Enabled to ON, i can get the access token and i can use this token to SHARE the resource, tried this with postman and everything goes well, but if i set the Direct Access Grants Enabled to OFF, i cant get the token to authorize the share request. What i'm missing ? How i can get the token to authorize the share request? What part of documentation i need to check? Thanks in advance, for any help. Nicola

6 years, 6 months

1
0
0 / 0

Updating an email address of an account

by Manuel Baumann

Hi all I am new to this list but have some experience with Keycloak and am looking for a solution of the following problem: Let's assume there is a user account with email and password and he/she also uses that account to login and then access our application. Now we want to allow the user to modify its email address. I saw this use case implemented in other products. There it would send an email to the old address to verify the change (this step is not required in our case) and then send an email to the new email address with a verification link. Only when the link in the second email is clicked, the email is updated. What I managed to do so far is to update a users email, setting it to not verified and triggering the "send-verify-email" action all via admin REST interface. However my approach has the con that the entered email address is updated on the user whether it was verified or not, which makes a user who did not finish the email update (by verifying it) unable to login with the currently active credentials (email, password) anymore since the email was updated. Hopefully there is another way to achieve that and any hints are appreciated. Best regards Manuel

6 years, 6 months

1
0
0 / 0

OpenID Connect Dynamic Client Registration - Grant Types

by Buddhika Karunatilleke

Hi all, I'm using the dynamic client registration endpoint with openid-connect built-in provider. However, when I'm creating a client by selecting only "client-credentials" grant type, Keycloak creates the client with both "authorization-code" and "client-credentials" grant types. *Request: * curl -H"Authorization: Bearer XXX ' https://XXX.com/auth/realms/Test/clients-registrations/openid-connect' -d '{ "clientId": "test-client-1", "grant_types":[*"client_credentials"*] }' -v *Grant types in the response from Keycloak:* "grant_types":[*"authorization_code"*,"client_credentials","refresh_token"] Can someone help me understand as to why Keycloak adds the "authorization-code" grant type in addition to the provided grant type which is "client-credentials"? Thanks and regards, Buddhika.

6 years, 6 months

1
0
0 / 0

Custom GET parameters in the registration page

by İlhan Subaşı

Is it possible to have custom GET parameters in the url of the registration page? I wrote a JavaScript to auto fill a field in the registration page that gets its value from the GET url. My issue is that when I add a custom parameter to the url Keycloak redirects the registration page to the same page without my custom parameter, as a result I cannot autofill the form field from the url.

6 years, 6 months

1
0
0 / 0

Plain-text vault

by Hynek Mlnarik

Recently, vault capability has been introduced recently in Keycloak (master) with an out-of-the-box implementation that is basically providing secrets in the same format as if mounting secrets volume within Kubernetes [1]. Now there have been considerations regarding name and storage layout which I would like to gather feedback on. The questions are the following ones. Both have arguments for the current implementation explained below: 1. Is there any better way of storing the credentials? 2. Is there a better name for the OOTB implementation? Storage layout: The aim: The plain text vault implementation respects realm to prevent leaking a secret used in one vault into another realm. The implementation also accounts for Kubernetes secret keys naming restrictions [1] which are only consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’. Note that forward slash is not among allowed characters. Since the vault adheres to the same format as provided by Kubernetes secrets volume, it also limits the file possible names for easy usage. While kubernetes support exposing the secret keys as files in various subdirectories of the mount directory, the default way of providing secrets is via flat file structure (no subdirectories). To achieve structure where secret would be looked up in a file with a given key within a realm directory (i.e. realm_name/secret_key), every secret would have to be accompanied with "path" specification which is not particularly user friendly. Having kubernetes secrets per realm and mounting them into separate directories could be an option, however that limits the ability to easily add a new realm because the Pod definition would need to change with every new realm to incorporate the new volume, and the whole deployment restarted to reflect the changes. Alternatively, secrets for all realms could be mounted into a single directory and "path" would be defined for every secret as described above - but that is error-prone as well. Thus the implementation where realm name and secret key would be separated by a single underscore, and to prevent ambiguity, every underscore within the either realm name and secret keys would be doubled. In other words, to get secret called "some-secret" or "other_secret" from vault from within realm called "realm-1" or "other_realm", the files would be called "realm-1_some-secret" and "other__realm_other__secret", respectively. This is clearly readable in the former case but may be error-prone in the latter. Name: The SPI name was chosen to be "plaintext" since the secrets are stored openly in the files. Perhaps there is a better name? "kubernetes"? Any other suggestion or +1 or -1 with arguments to the alternatives are welcome. I would love to hear your opinion on the two questions. [Apologies for cross-posting, this can gain valuable feedback from both devs and users though] --Hynek [1] https://kubernetes.io/docs/concepts/configuration/secret/

6 years, 6 months

3
2
0 / 0

Automatic Client registration: Assign roles to service account

by Pavel Micka

Hello, We are currently trying to use client registration policy, so our services can register themselves in Keycloak. The registration itself works perfectly, but we have one (big) issue: we do not know, how to assign roles to the associated service account in the ClientRepresentation (as without roles for the client, the registration is a bit useless for us). Is there any way, how to assign roles (client roles of other services in our case) to service account during automatic registration? Or do we need an admin account to do that. Thanks, Pavel

6 years, 6 months

2
1
0 / 0

Re: [keycloak-user] How to create a Validation Flow to Registration Form using Authentication SPI?

by Celso Agra

Hi Cezary, Unfortunately, I didn't get any progress in this flow. So I decided to create a separated service to store some info about of my users. My webservice receives a request with some data about user, such as name, documents, password, etc... Part of this information is sent to Keycloak, and some of it, is is stored in my app. The registration flows procceds normally (send confirmation e-mail and so on), but registration and updates are made by my app. Kind regards, Celso Agra Em qua, 18 de set de 2019 às 08:22, Cezary Skura <cskura(a)mobiquityinc.com> escreveu: > Good afternoon Sir, > > Did You solve your problem with registration flow (validate the username). > > Kind regards > Cezary Skura > -- --- *Celso Agra*

6 years, 6 months

1
0
0 / 0

support for local user account

by Alex Rozenberg

Hello, Does Keycloak support authentication of local Windows users (not part of LDAP or Active Directory)? Thank you in advance, Alex Rozenberg

6 years, 6 months

1
0
0 / 0

Gatekeeper failing to proxy a redirect link

by Nick Powers

I am using keycloak and gatekeeper to authenticate my web app against Google. Everything seems to work fine, with regular links, but if I redirect the user to a page within my web app gatekeeper exposes the internal URL rather than proxying the data. I'm using the following to redirect the user, via PHP: < ?php header("Location: https://commentcontext.com/protected/dashboard"); ?> But instead of being sent through gatekeeper to that URL it tries to send the user to https://webapp/protected/dashboard which is the internal URL of my webapp and of course webapp doesn't resolve in DNS so it fails. Why is this happening? Is it a known issue? Is there a workaround? Thanks!!! Nick

6 years, 6 months

1
0
0 / 0

app-authz-photoz: error 403

by Alex Rozenberg

Hello, I'm new to Keycloak and trying to follow the example in the keycloak-quickstarts: app-authz-photoz I've got photoz-html5-client and restful-api built using the instruction in the Readme file. After I login using the specified credentials (alice or admin) I get error 403: You can not access or perform the requested operation on this resource Profile page does not display the name and I cannot create albums. Any clues or tips are greatly appreciated. Thank you in advance, Alex Rozenberg Project Engineer, Software [RA_Logo_Left_Bug_4C] arozenb(a)ra.rockwell.com<mailto:arozenb@ra.rockwell.com>

6 years, 6 months

2
2
0 / 0

silentCheckSsoRedirectUri

by Christophe Lehingue

Hello, I use keycloak and it works fine. I have a question about "on login: check-sso (plugin: js)". Is there a way to prevent the page from loading 2 times in a row? I tried with the silentCheckSsoRedirectUri var initOptions = { responseMode: 'query', flow: 'standard', checkLoginIframe: true, onLoad: 'check-sso', silentCheckSsoRedirectUri: 'https: //www.mapage/identityserver-sample-silent.html' }; But it does not seem to work (certainly that I do it wrong). Can you help me ? Regards, Christophe ====== IN FRENCH ============================= BOnjour, J'utilise keycloak et cela fonctionne correctement. J'ai une question concernant "on login: check-sso (pluging : js) ". Y' a t'il une possibilité d'empêcher la page de se charger 2 fois de suite ? J'ai essayé avec le silentCheckSsoRedirectUri var initOptions = { responseMode: 'query', flow: 'standard', checkLoginIframe: true, onLoad: 'check-sso', silentCheckSsoRedirectUri: ' https://www.mapage/identityserver-sample-silent.html' }; Mais ça n'a pas l'air de fonctionner (certainement que je m'y prends mal). Pouvez-vous m'aider ? Cordialement, Christophe

6 years, 6 months

2
8
0 / 0

Resource sharing using Keycloak

by Vishnu Prakash

Hi, I am new to keycloak. I am trying to do resources sharing using Permission Management feature in Protection API. The resource server is accessed from a public client app(keycloak public client). But using the token issued to the client app, I am not able to do resource sharing from my resource server. It is throwing following error. {"error":"invalid_clientId","error_description":"Client application [CALL-CENTER-UI] is not registered as a resource server."} Please find my code below, PermissionTicketRepresentation permissionTicketRepresentation = new PermissionTicketRepresentation(); permissionTicketRepresentation.setRequester( "5cb1f43c-d28c-457f-9491-b358f63a8362"); permissionTicketRepresentation.setRequesterName("vishnu"); permissionTicketRepresentation.setOwner("albin"); permissionTicketRepresentation.setResource( "0fb7bfe1-78de-46eb-9e75-4632a67d1afb"); permissionTicketRepresentation.setResourceName("Pro-02-05091019"); permissionTicketRepresentation.setScope("project:view"); permissionTicketRepresentation.setScopeName("project:view"); permissionTicketRepresentation.setGranted(true); AuthzClient.create().protection(token).permission().create(permissionTicketRepresentation); Is to possible to share resources between users without using “Keycloak account app”. Any help will be appreciated. Thanks & Regards, Vishnu Prakash

6 years, 6 months

1
0
0 / 0

Redirect to URI with fragments after successful login

by Yang Yang

Hello, Could you help to tell how I can be redirected to the original URI directly after successful login with Keycloak? When an application (e.g. https://www.mysite.com/myapplication/) is protected by Keycloak, I can access URI with fragment (e.g. https://www.mysite.com/myapplication/abc#12345/zxcdf) after I have successfully logged in. If I try to access the URI before logged in, I will be redirect to the login page for authentication, as expected, but then, after I submit my credentials successfully, I will be redirected to the URI without fragment (https://www.mysite.com/myapplication/abc). Is it possible for me to be redirected to the original URI with fragment after login? What should I do to get that? Thanks, Yang

6 years, 6 months

1
0
0 / 0

gatekeeper - refresh access token on every access

by Julien Goux

Hello, I'm using gatekeeper behind a nginx server. Gatekeeper's logs are pretty obvious until my first access token expired (5 min lifetime). After this period, it seems that gatekeeper is refreshing the token on every access. Here are the logs for *3 * accesses after the first access token has expired, I have the same log for every further access : 1.5687944022004497e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40312", "email": "julien.goux(a)live.fr"} 1.5687944022271063e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40312", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.772897193} 1.5687944027145464e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40318", "email": " julien.goux(a)live.fr "} 1.5687944027320542e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40318", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.26794899} 1.568794442552826e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40328", "email": " julien.goux(a)live.fr "} 1.568794442570195e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40328", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.429808309} Why does gatekeeper keeps refreshing the access token on every access instead of deliverying a new one for 5 min ? Thanks for your help.

6 years, 6 months

1
1
0 / 0

Keycloak client adapter and OWASP recommendations

by Luca Cherubin

Hello, I was checking the OWASP recommendations on how to store a JWT token in the client <https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet...> and they basically suggest this approach: 1. Store the token using the browser *sessionStorage* container. 2. Add it as a *Bearer* with JavaScript when calling services. 3. Add fingerprint <https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet...> information to the token. For the fingerprint, here is how they suggest to implement that: [The fingerprint is...] - A random string that will be generated during the authentication phase and will be included into the token and also send to the client as an hardened cookie (flags: HttpOnly + Secure <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_Http...> + SameSite <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies> + cookie prefixes <https://googlechrome.github.io/samples/cookie-prefixes/>). - A SHA256 hash of the random string will be stored in the token (instead of the raw value) in order to prevent that any XSS issue allow the attacker to read the random string value and set the expected cookie. I would like to understand if this kind of approach is doable using keycloak and if it would make sense to implement this anyway. For what concern storing the token, would create a single Keycloak instance on the page and share it as a global object a totally bad practice? If it is what approach should I use? Thank Luca

6 years, 6 months

1
0
0 / 0

Keycloak Share a resource with other User

by Nicola

Hi, i'm new to keycloak, i'm watching the *photoz uma example*, in this example a user can *create *a resource and then *share *with other user, i'm interested to this feature. Checking in the JavaDOC i've found that from a PermissionResource i can create a *PermissionTicketRepresentation*, where i can set the resource, the scope, the owner and the requester of the resource, i've tried this, but i get /{"error":"not_authorised","error_description":"permissions for [3707be30-6e85-4d48-92c9-afaf0750eaec] can be only created by the owner"}/ so, how can i do this via code? kind regards -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 6 months

3
4
0 / 0

Support multiple authentication mechanism in a single war

by Kavis Pandey

Hi, We have JSP+Servlet application (running on wildfly-10) that is configured with Keycloak using keycloak-wildfly adapter. We have used multi-tenancy feature of Keycloak and create the Keycloak Deployment object during runtime by implementing KeycloakConfigResolver. That works fine. Now we have a requirement where our application needs to fall-back to FORM based authentication instead of Keycloak based on certain conditions. So basically we need to support multiple authentication mechanisms during runtime (BASIC + KEYCLOAK) Is it possible ? Thanks in advance, Kavis

6 years, 6 months

1
0
0 / 0

Display only external identity providers on login page (no login passwd fields)

by Sylvere RICHARD

Hi, i was trying to configure keycloak so that only the external identity providers are displayed on the login page for a given realm. I do not want to display the login / passwords fields and ideally this authentication mode based on login/password should be deactivated. Is there any way to achieve this? Thanks S.

6 years, 6 months

3
2
0 / 0

Re: [keycloak-user] [EXTERNAL] Specifying LDAP/AD domain in token endpoint

by Ajinkya Thakare

Hi team, Can someone update on this please? Regards, Ajinkya Thakare On 9/10/19, 4:33 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Ajinkya Thakare" <keycloak-user-bounces(a)lists.jboss.org on behalf of Ajinkya.Thakare(a)veritas.com> wrote: Hi team, Is there anyway for the user to specify which LDAP/AD domain to point to while logging in, i.e. while using the token endpoint? The scenario is for a multi-tenant environment, where the same username can be a part of multiple LDAP/AD domains but with different authorization roles setup in each. Here we don’t want our Keycloak instance to sequentially check into every LDAP/AD configuration added, like it does now, but rather check for validating the credentials in only specified domain. Also, if there are different passwords in different domains for same username, the Keycloak instance returns invalid credential error if the user provides the password for a later LDAP/AD config. In this case, an ability to specify the domain will really be helpful. Example: Suppose username ‘athakare’ is a part of two different domains – ‘domain1’ & ‘domain2’, with different passwords, it would be easier if the user can specify something like ‘athakare@domain1’ as his username while logging in. Please let me know if this is already possible in any way using Keycloak. Thanks! Regards, Ajinkya Thakare _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

6 years, 6 months

1
0
0 / 0

multi-valued user attributes: status of the feature?

by Matthieu Huin

Hello, I was looking for a way to display multi-valued user attributes in a custom accounts theme and stumbled upon this old thread: https://lists.jboss.org/pipermail/keycloak-user/2018-January/012801.html Is there any update on this? Has anybody found a workaround for this? I wish I could help or take that task over but my Java is extremely rusty... -- Matthieu Huin Senior Software Developper Red Hat <https://www.redhat.com> <https://red.ht/sig>

6 years, 6 months

1
0
0 / 0

A newly added Hardcoded Role mapper ignores users that have already logged in before

by EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)

Hello, In our project, we use the "Hardcoded role" mapper within a configured Identity Provider (also a Keycloak instance, in our case the same but a different realm) to describe that each user logging in via Keycloak shall be given a certain role. This works perfectly if the mapper is configured before the first login of the user. The configured role is granted to the (cloned) user when he logs in the first time via Keycloak. But when another "Hardcoded role" mapper is added to configure another role, then the user is not given the other role when he logs in. Only new users logging in the first time get both roles assigned. Is this on purpose or a bug? Mit freundlichen Grüßen / Best regards Frank Thiele Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> external.Frank.Thiele(a)bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

6 years, 6 months

1
0
0 / 0

app-authz-photoz: error 403

by Alex Rozenberg

Hello, I'm new to Keycloak and trying to follow the example in the keycloak-quickstarts: app-authz-photoz I've built and deployed photoz-html5-client and restful-api using the instruction in the Readme file. After I login using the specified credentials (alice or admin) I get error 403: You can not access or perform the requested operation on this resource Profile page does not display the name and I cannot create albums. Any clues or tips are greatly appreciated. Thank you in advance, Alex Rozenberg

6 years, 6 months

1
0
0 / 0

Encoded URL does not work as redirect_uri

by Edgar Vonk - INFO

Hi, I wondered: was there an update on this issue? I think we run into a similar issue when running the OWASP ZAP tool (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) on our Keycloak-enabled website. ZAP fires the following HTTP GET request on Keycloak: https://our-website.org/auth/realms/our-realm/protocol/openid-connect/aut...<https://our-website.org/auth/realms/our-realm/protocol/openid-connect/aut... &response_type=code&scope=openid&state=fd5a7f52433549218b76af0671956b8b&code_challenge=sSKuLzTeCeLEMXuaKVbp_ReHqYeTiI1LpTdzI6fdY7g&code_challenge_method=S256> Which results in a 500 HTTP response from Keycloak resulting in a medium-level security vulnerability according to ZAP: "Potential Format String Error. The script closed the connection on a /%s” (https://www.owasp.org/index.php/Format_string_attack)' Any suggestions on how to fix or work around this? In the Keycloak logs: 2019-09-16 10:07:20,286 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.IllegalArgumentException: Invalid URL syntax: Malformed escape pair at index 3: ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s at org.keycloak.protocol.oidc.utils.RedirectUtils.normalizeUrl(RedirectUtils.java:185) at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:83) at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:52) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri(AuthorizationEndpoint.java:371) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:120) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108) at sun.reflect.GeneratedMethodAccessor573.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)

6 years, 6 months

1
1
0 / 0

API Gateway association

by Sylvain Malnuit

Hi, I want to associate Keycloak with an open source API Gateway. Have you any feedback? (Easy and level of integration, support of token revocation,...) Thxs, Sylvain

6 years, 6 months

1
0
0 / 0

Fwd: Metadata import error Keycloak V 7.0.0 - the file cannot be imported. Please verify the file

by abhijeet chauhan

Hi, I am trying to import SAML metadata while creating the Identity provider in Keycloak V7.0.0 and getting the error "Error the file cannot be imported. Please verify the file". Its two node standalone cluster deployed on docker . However importing same metadata from url working fine . Also I have local setup of keycloak (standalone) V7.0.0 and I can import the same metadata on that. Attaching the screenshot of error. Thanks, Vj

6 years, 6 months

1
0
0 / 0

keycloak docker image from minikube

by John Norris

Hi, I am trying to run keycloak from within minikube. This is minikube 1.31 running on Windows. Minikube is running a VM via Virtual Box. Here is my yaml file apiVersion: apps/v1 kind: Deployment metadata: name: keycloak labels: app: keycloak spec: replicas: 1 selector: matchLabels: app: keycloak template: metadata: labels: app: keycloak spec: containers: - name: keycloak image: jboss/keycloak env: - name: KEYCLOAK_USER value: "admin" - name: KEYCLOAK_PASSWORD value: "123456" ports: - containerPort: 8080 I have run other images and they work. But keycloak is killing minikube. So ... > kubectl get pods NAME READY STATUS RESTARTS AGE bikes-594d566c6d-65pdp 1/1 Running 0 14m bikes-594d566c6d-klbhw 1/1 Running 0 14m bikes-594d566c6d-qqppz 1/1 Running 0 14m keycloak-66d55fcc58-5ssj9 0/1 ContainerCreating 0 5m50s Several minutes later > kubectl get pods Unable to connect to the server: http2: server sent GOAWAY and closed the connection; LastStreamID=69, ErrCode=NO_ERROR, debug="" > minikube status host: Running kubelet: Running apiserver: Error kubectl: Correctly Configured: pointing to minikube-vm at 192.168.99.101 If I run keubctl logs keycloak-66d55fcc58-5ssj9 then there are no errors though the last entry is [0m [0m17:43:03,402 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 63) Node name: keycloak-66d55fcc58-5ssj9, Site name: null *** JBossAS process (128) received KILL signal *** So I am not sure if the problem is from keycloak or from minikube. can anyone help? Regards, John

6 years, 6 months

2
1
0 / 0

SAML Identity broker audience restriction condition checking

by Georgi Matev

A couple of questions: 1. Is there a way to disable the audience restriction checking in SAML identity brokering? We have a use case where we have a SAML IdP that is able to accept requests from multiple URLs and we are trying to use it to federate access to several SPs backed by different Keycloak instances. Unfortunately the IdP is not able to change the AudienceRestriction attribute dynamically. If there is a way to disable the check in Keycloak that will unblock us. 1. Somewhat related, can a Keycloak SP process an assertion with an audience restriction that has multiple values? The problem at https://access.redhat.com/solutions/4177341 (can’t see the solution) seems to imply that there is an issue. Would test it myself but do not have a convenient way to set this up. Thanks, -Georgi

6 years, 6 months

1
0
0 / 0

Testing realm-mangement fine grain access control

by M Foster

Hello, I am testing Keycloak for deployment and one of the scenarios for adoption is the ability for some users to manage their own group membership. I've read through the Server Admin guide and it says that this functionality only available in a Technical Preview state. I've enabled the tech preview mode and have enabled Permissions for a group and now see the default scope names that appear under Groups > testgroup > Permissions (view, manage, view-membership, view-members, manage-members, manage-membership), which are part of the realm-management Authorization section. This also creates a group resource "group.resource.<goup_UUID>. I've created a User Policy for a single user and then attached that policy to the Keycloak created permission "manage.membership.permission.group.<group_UUID>" as well as the "group.resource.<group_UUID>. I've also assigned this test admin user the query-groups, query-users, and view-users realm-management client role, so in theory if this user logs into the realm admin console, they should see Groups and Users and be able to select a user and join them to the group in the realm on which I enabled permssions and set the policy. This all works, except the last bit: the "join" button is not visible in the group tab of a user that I'd like to add to my test group. Additionally, I can't manage the settings of any of the users. I have all six permissions assigned to that User Policy, but still no go. Any ideas what piece I'm missing? Thanks.

6 years, 6 months

1
1
0 / 0

Metadata import error Keycloak V 7.0.0 - the file cannot be imported. Please verify the file

by vijay

Hi, I am trying to import SAML metadata while creating the Identity provider in Keycloak V7.0.0 and getting the error "Error the file cannot be imported. Please verify the file". Its two node standalone cluster deployed on docker . However importing same metadata from url working fine . Also I have local setup of keycloak (standalone) V7.0.0 and I can import the same metadata on that. Attaching the screenshot of error. Thanks, Vj

6 years, 6 months

1
0
0 / 0

CORS issue - missing "allow origin" headers

by Louis JOHANET

Hi, We are currently facing the following issue : calling a protected client with AJAX fails with the following message : Access to XMLHttpRequest at 'http://localhost:8081/auth/realms/my_realm/protocol/openid-connect/auth?r...' (redirected from 'http://localhost:8080/my_client') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Now this client uses the Java adapter, and does have a proper Web Origin (e.g. http://localhost:8080), which is indeed found in the access token. The keycloak.json also has enable-cors set to true. Indeed Keycloak's response is missing Access-Control-Allow-Origin headers. Adding Web Origins in the client configuration has no effect on the returned headers. I believe we need to add such headers in the Apache configuration, but I am surprised that this case did not come up in the docs since any client without a valid session receiving an AJAX request will cause the problem above, due to the 302 Redirect to Keycloak. Have you ever come across this issue ? Best regards, Louis Johanet

6 years, 6 months

1
0
0 / 0

Remove kcinit and text-based authentication flows

by Stian Thorgersen

kcinit and it's associated text-based authentication flows adds quite a bit of complexity. It was never fully completed and we don't have capacity to complete it. Text-based authentication flows are also not really all that useful. There are other better approaches to authenticate devices without a web browser, and when there is a web browser that should be used rather than cli. I propose we remove both kcinit as well as the text-based authentication flows. We also need to revert KeycloakInstalled to how it was prior to this was added as it is currently fairly broken.

6 years, 6 months

1
0
0 / 0

keycloak.js: updateToken creates invalid url

by Weber, Wolfgang

Hi! Our customer uses our application (running with Keycloak 6.0.1) with multiple tabs open. We recognized that there's a scenario where keycloak.js generates invalid urls in updateToken method where parameter refresh_token is undefined: "postData": { "mimeType": "application/x-www-form-urlencoded", "text": "grant_type=refresh_token&refresh_token=undefined&client_id=r6-ui", .... }) We can reproduce this behaviour on our customers environment with: * enable SSO * with a Kerberos plugin for automatic login * open multiple tabs from within tab 1 * refresh tab 1 or wait for session timeout So it look like, that we can manage it in the multi tab scenario, to call clearToken while a updateToken request is processed. Is there anything we can do to overcome this issue? Kind regards, Wolfgang  { "startedDateTime": "2019-08-27T15:12:12.434Z", "time": 5.363002419471741, "request": { "method": "POST", "url": "http://host/auth/realms/R6/protocol/openid-connect/token", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Origin", "value": "http://host" }, { "name": "Accept-Encoding", "value": "gzip, deflate" }, { "name": "Host", "value": "host" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" }, { "name": "Content-type", "value": "application/x-www-form-urlencoded" }, { "name": "Accept", "value": "*/*" }, { "name": "Referer", "value": "http://host/r6-ui/client/index" }, { "name": "Cookie", "value": "AUTH_SESSION_ID=73fa22f1-b574-4714-abe1-42fce5f900db.dev-06; KEYCLOAK_IDENTITY=..." }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "64" } ], "queryString": [], "cookies": [ { "name": "AUTH_SESSION_ID", "value": "73fa22f1-b574-4714-abe1-42fce5f900db.dev-06", "expires": null, "httpOnly": false, "secure": false }, { "name": "KEYCLOAK_IDENTITY", "value": "....", "expires": null, "httpOnly": false, "secure": false }, { "name": "KEYCLOAK_SESSION", "value": "R6/a5f78b44-bcaa-4b88-bd48-298c57a8f9f2/73fa22f1-b574-4714-abe1-42fce5f900db", "expires": null, "httpOnly": false, "secure": false } ], "headersSize": 1310, "bodySize": 64, "postData": { "mimeType": "application/x-www-form-urlencoded", "text": "grant_type=refresh_token&refresh_token=undefined&client_id=r6-ui", "params": [ { "name": "grant_type", "value": "refresh_token" }, { "name": "refresh_token", "value": "undefined" }, { "name": "client_id", "value": "r6-ui" } ] } }, "response": { "status": 400, "statusText": "Bad Request", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Pragma", "value": "no-cache" }, { "name": "Date", "value": "Tue, 27 Aug 2019 15:10:40 GMT" }, { "name": "Server", "value": "Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Access-Control-Allow-Origin", "value": "http://host" }, { "name": "Access-Control-Expose-Headers", "value": "Access-Control-Allow-Methods" }, { "name": "Cache-Control", "value": "no-store" }, { "name": "Access-Control-Allow-Credentials", "value": "true" }, { "name": "Connection", "value": "close" }, { "name": "Content-Length", "value": "69" } ], "cookies": [], "content": { "size": 69, "mimeType": "application/json", "compression": 0 }, "redirectURL": "", "headersSize": 395, "bodySize": 69, "_transferSize": 464 }, "cache": {}, "timings": { "blocked": 1.3490057005882263, "dns": -1, "ssl": -1, "connect": -1, "send": 0.07300000000000001, "wait": 3.2689990525245665, "receive": 0.6719976663589478, "_blocked_queueing": 1.0850057005882263 }, "serverIPAddress": "10.1.85.183", "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "exec", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812461 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812565 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1794553 } ], "parent": { "description": "postMessage", "callFrames": [ { "functionName": "", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 109, "columnNumber": 25 }, { "functionName": "checkCookie", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 31, "columnNumber": 20 }, { "functionName": "req.onreadystatechange", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 61, "columnNumber": 28 } ], "parent": { "description": "XMLHttpRequest.send", "callFrames": [ { "functionName": "checkState", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 69, "columnNumber": 16 }, { "functionName": "receiveMessage", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 108, "columnNumber": 8 } ], "parent": { "description": "postMessage", "callFrames": [ { "functionName": "checkLoginIframe", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1795110 }, { "functionName": "Keycloak.kc.updateToken", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812527 }, { "functionName": "R6AuthenticationHolderImpl.updateToken", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1061095 }, { "functionName": "R6SessionHandlerImpl.check", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1287472 }, { "functionName": "R6SessionHandlerImpl.updateTimeout", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1287221 }, { "functionName": "R6SessionInterceptor.response", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1286496 }, { "functionName": "response", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1285688 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176239 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176524 }, { "functionName": "$digest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1187078 }, { "functionName": "$apply", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1189842 }, { "functionName": "done", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1143003 }, { "functionName": "completeRequest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1147207 }, { "functionName": "xhr.onload", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1148651 } ], "parent": { "description": "load", "callFrames": [ { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1148435 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1145310 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1145529 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176239 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176524 }, { "functionName": "$digest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1187078 }, { "functionName": "$apply", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1189842 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062210 }, { "functionName": "invoke", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1076174 }, { "functionName": "doBootstrap", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062104 }, { "functionName": "bootstrap", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062580 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 160729 }, { "functionName": "mightThrow", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 223677 }, { "functionName": "process", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224305 } ], "parent": { "description": "setTimeout", "callFrames": [ { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224612 }, { "functionName": "fire", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 221268 }, { "functionName": "add", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 221726 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224812 }, { "functionName": "Deferred", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 225492 }, { "functionName": "then", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224663 }, { "functionName": "jQuery.fn.ready", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 226629 }, { "functionName": "jQuery.fn.init", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 218206 }, { "functionName": "jQuery", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 180073 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 160702 }, { "functionName": "tryCatcher", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 104913 }, { "functionName": "Promise._settlePromiseFromHandler", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 66489 }, { "functionName": "Promise._settlePromise", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 67772 }, { "functionName": "Promise._settlePromise0", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 68812 }, { "functionName": "Promise._settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 70495 }, { "functionName": "Promise._fulfill", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 69308 }, { "functionName": "PromiseArray._resolve", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 75658 }, { "functionName": "PromiseArray._promiseFulfilled", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 76061 }, { "functionName": "Promise._settlePromise", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 67955 }, { "functionName": "Promise._settlePromise0", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 68812 }, { "functionName": "Promise._settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 70495 }, { "functionName": "Async._drainQueue", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 3975 }, { "functionName": "Async._drainQueues", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 4040 }, { "functionName": "Async.drainQueues", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1696 } ], "parent": { "description": "Promise.then", "callFrames": [ { "functionName": "schedule", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 89929 }, { "functionName": "Async._queueTick", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 4229 }, { "functionName": "AsyncSettlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 2010 }, { "functionName": "util.hasDevTools.Async.settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 3577 }, { "functionName": "Promise._fulfill", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 69332 }, { "functionName": "Promise._resolveCallback", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 64681 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 65941 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792677 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1802938 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "authSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1787381 }, { "functionName": "req.onreadystatechange", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1788403 } ], "parent": { "description": "XMLHttpRequest.send", "callFrames": [ { "functionName": "processCallback", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1788608 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806366 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "iframe.onload", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793899 } ], "parent": { "description": "load", "callFrames": [ { "functionName": "setupCheckLoginIframe", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793572 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806323 }, { "functionName": "success", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793103 }, { "functionName": "Keycloak.kc.init", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806139 }, { "functionName": "", "scriptId": "505", "url": "http://host/r6-ui/client/index", "lineNumber": 139, "columnNumber": 17 } ] } } } } } } } } } }, "_priority": "High", "_resourceType": "xhr", "connection": "6236", "pageref": "page_6" }, ________________________________ BearingPoint Technology GmbH Sitz: Premst?tten bei Graz Firmenbuchgericht: Landesgericht f?r ZRS Graz Firmenbuchnummer: FN 44354b The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

6 years, 6 months

1
0
0 / 0

Re: [keycloak-user] [keycloak-dev] Unable to connect to an external datasource for a protocol mapper

by Thomas Darimont

Hi Thomas, I think a more suitable list for this kind of questions is the keycloak-users Mailinglist. I think in your case you can reduce your example to a single ejb-jar deployment. Furthermore you can refer to a datasource configured in Wildfly via JNDI instead of providing your own datasource via persistence.xml. See: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... The trick to get a custom EntityManager injected into a component is to turn the component into an EJB and access it via JNDI, e.g.: ... @Stateless @Local public class UserRepository { @PersistenceContext(unitName = "UserPU") protected EntityManager entityManager; public Object getData() { // implement your query return entityManager != null ? "data" : null; } } Then you can use JNDI to lookup the bean in your custom ProtocolMapper, e.g.: private UserRepository getUserRepository() { try { String moduleName = new File(getClass().getProtectionDomain().getCodeSource().getLocation().getFile()).getName().replaceAll("\\.jar$", ""); String jndiName = String.format("java:global/%s/%s", moduleName, UserRepository.class.getSimpleName()); return (UserRepository) new InitialContext().lookup(jndiName); } catch (NamingException e) { throw new RuntimeException(e); } } With those changes I could run your example: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... See: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... Cheers, Thomas On Wed, 11 Sep 2019 at 20:47, Thomas <tlann(a)technoeclectic.com> wrote: > I'm a little inexperienced when it comes to Java EE. So let me apoligize > because I'm guessing this will be a small setup mistake. I've setup > databases for applications but I'm having a really tough time with > connecting to for a Keycloak module. The database exists separate from > Keycloak's user db and a LDAP/AD because other services for our application > need to access the claims database through rabbitmq and rest services. > > I'm able to setup a datasource in Wildfly and verify it can connect to the > database. So I know the connection info is good. The module successfully > deploys to Keycloak. When the Protocol Mapper is ran, I only try checking > the nullity of the EntityManager that should be injected as well as one > that gets created from the PU by hand. The injected em is null and the one > created on a spot throws an exception about being unable to find the > persistence.xml file. > > What are some good troubleshooting techniques for developing in Keycloak? > Is it more appropriate to turn up the hibernate logger in Keycloak or > Wildfly? > > Could someone take a look at an exmple give me some advice? > A code example is at https://github.com/tlann/tokenEnhancer.git > > The deployment log and exception are as follows > > Thanks, > Thomas > > 17:06:51,406 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-4) WFLYSRV0027: Starting deployment of > "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name: > "token-enhancer-ear-1.0.0-SNAPSHOT.ear") > 17:06:51,493 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: > "com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar") > 17:06:51,497 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002: > Read persistence.xml for UserPU > 17:06:51,514 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002: > Read persistence.xml for UserPU > 17:06:51,539 WARN [org.jboss.as.dependency.private] (MSC service thread > 1-1) WFLYSRV0018: Deployment > "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear.com > .example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar" > is using a private module ("org.keycloak.keycloak-services") which may be > changed or removed in future versions without notice. > 17:06:51,553 WARN [org.jboss.as.dependency.private] (MSC service thread > 1-4) WFLYSRV0018: Deployment > "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear" is using a private > module ("org.keycloak.keycloak-services") which may be changed or removed > in future versions without notice. > 17:06:51,555 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81) > WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service > > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU' > 17:06:51,555 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 81) HHH000204: Processing PersistenceUnitInfo > [ > name: UserPU > ...] > 17:06:51,575 INFO [org.jboss.weld.deployer] (MSC service thread 1-3) > WFLYWELD0003: Processing weld deployment > token-enhancer-ear-1.0.0-SNAPSHOT.ear > 17:06:51,599 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82) > WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU' > 17:06:51,599 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 82) HHH000204: Processing PersistenceUnitInfo > [ > name: UserPU > ...] > 17:06:51,643 INFO > > [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] > (MSC service thread 1-3) Deploying Keycloak provider: > com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar > 17:06:51,678 WARN [org.keycloak.services] (MSC service thread 1-3) > KC-SERVICES0047: oidc-token-enhancer-mapper > (business.KeycloakTokenEnhancer) is implementing the internal SPI > protocol-mapper. This SPI is internal and may change without notice > 17:06:51,701 INFO [org.jboss.weld.deployer] (MSC service thread 1-3) > WFLYWELD0003: Processing weld deployment > com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar > 17:06:51,779 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81) > WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service > > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU' > 17:06:51,780 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 81) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL95Dialect > 17:06:51,797 INFO > [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] > (ServerService Thread Pool -- 81) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 17:06:51,797 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService > Thread Pool -- 81) HHH000270: Type registration [java.util.UUID] overrides > previous : org.hibernate.type.UUIDBinaryType@3e14892a > 17:06:51,801 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] > (ServerService Thread Pool -- 81) Envers integration enabled? : true > 17:06:51,820 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,820 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,821 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,821 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,854 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82) > WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU' > 17:06:51,855 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 82) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL95Dialect > 17:06:51,868 INFO > [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] > (ServerService Thread Pool -- 82) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 17:06:51,869 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService > Thread Pool -- 82) HHH000270: Type registration [java.util.UUID] overrides > previous : org.hibernate.type.UUIDBinaryType@3e14892a > 17:06:51,873 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] > (ServerService Thread Pool -- 82) Envers integration enabled? : true > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,883 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,982 INFO [io.smallrye.metrics] (MSC service thread 1-1) > MicroProfile: Metrics activated > 17:06:52,273 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) > WFLYSRV0010: Deployed "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name > : "token-enhancer-ear-1.0.0-SNAPSHOT.ear") > 17:07:15,373 INFO [stdout] (default task-16) > ++++++++++++++++++++++++++++++++ > 17:07:15,380 INFO [stdout] (default task-16) entityManager is null > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > (default task-16) Uncaught server error: > javax.persistence.PersistenceException: No Persistence provider for > EntityManager named UserPU > at > > javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:85) > at > > javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:54) > at > > business.KeycloakTokenEnhancer.transformAccessToken(KeycloakTokenEnhancer.java:43) > at > > org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:553) > at > > org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:411) > at > > org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:712) > at > > org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateToken(ClientScopeEvaluateResource.java:206) > at > > org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateExampleAccessToken(ClientScopeEvaluateResource.java:178) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370) > at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440) > at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) > at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) > at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > at > > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) > at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) > at > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at > > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at > > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at > > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) > at > > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) > at > > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) > at java.lang.Thread.run(Thread.java:748) > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

6 years, 6 months

1
0
0 / 0

Re: [keycloak-user] Gatekeeper issue, should I repost or no? I don't want to troll!

by Nick Powers

See reply, my previous response only went to Bruno. On Wed, Sep 11, 2019 at 2:50 PM Nick Powers <sshscp(a)gmail.com> wrote: > Thanks for your response Bruno! I understand that this is a community > mailing list and not a support mailing list. I appreciate the help I do > get from here and understand that everyone is busy. I'm not sure what > steps are involved to file a Jira, or even what a Jira is LOL. > > I guess I'll give it some more time before re-posting. It's not a > straightforward question and I know Gatekeeper users are a subset of > Keycloak users. I really like Keycloak and the benefits it provides and > hope I can continue using it. > > Thanks to all the community members here. You are a great group of people! > > Nick > > On Wed, Sep 11, 2019 at 1:49 PM Bruno Oliveira <bruno(a)abstractj.org> > wrote: > >> Hi Nick, I'm very sorry if my answer didn't help you at all, but your >> issue requires further investigation. Please keep in mind that this is >> a community mailing list, not a support mailing list, we we love to >> help, but at the same time we also have other tasks in our plate. >> >> Whether or not you should repost, troll or anything else. The answer >> is: it's up to you, I don't think anybody will be upset or pissed off. >> That's one of the joys of open source, the freedom. >> >> As soon as I have the time to investigate your issue, I will be more >> than happy to attempt to answer your question, but I don't have an ETA >> for this. >> >> If you would like to, feel free to file a Jira, mark as a bug and we >> can do a proper triage. >> >> On Wed, Sep 11, 2019 at 4:40 PM Nick Powers <sshscp(a)gmail.com> wrote: >> > >> > I posted a message last Saturday entitled "Gatekeeper failing to proxy >> for >> > redirect". I did receive a response the following Monday (Thanks >> Bruno!) >> > asking for some more detail, which I replied to shortly after I received >> > his email but I have not received any replies since then. >> > >> > My question now is should I repost it if I do not receive any more >> > responses? I don't want to troll but there is really not anywhere else >> I >> > can ask about this. If I cannot find an answer here, then I guess I >> won't >> > find an answer and thus will not be able to continue using >> > Keycloak/Gatekeeper. :( >> > >> > Can someone please advise what I should do? I don't want to piss anyone >> > off in this group by reposting. I have been helped in the past with >> this >> > group and I value the members and I know they are under no obligation >> but, >> > I don't know where else I should turn. Are there any other resources >> for >> > Keycloak/gatekeeper questions? If I should repost here, then how often >> do >> > you suggest? I don't want to upset anyone. >> > >> > Thanks >> > >> > Nick >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> -- >> - abstractj >> >

6 years, 6 months

1
0
0 / 0

User cannot assign client Role to user with just

by robrecht anrijs

Hi keycloak users, We recently upgraded from keycloak 3.4.3 to 6.0.1, and noticed that a user with the roles 'manage-users' and 'view-users' on the client 'realm-management' cannot see the list of client roles any more. Because of that, the user cannot assing a specific client role to a group or a user. Screenshot: I[image: image.png] Is this a bug? Or is expected behaviour? As a workaround I added the role 'view-clients' to that user, but now the users sees to much. I only want to configure that user, so he can manage the roles for users & groups. Do I need to enahble the fine-grained permissions for that ( https://www.keycloak.org/docs/6.0/server_admin/#_fine_grain_permissions) Thx for the answers, Kind regards, Robrecht

6 years, 6 months

3
3
0 / 0

Can we suppress email verification for a single login?

by Andrew Braae

We are inviting people to our system via email. When someone follows one of our invite links, we assume their email address is valid. So when they arrive at Keycloak, we don't want these people to be asked to do email verification. For them (only), we want Keycloak to behave as if "Verify email" was turned off for the realm. Is there some way to achieve this? Cheers, Andrew

6 years, 6 months

1
0
0 / 0

Gatekeeper issue, should I repost or no? I don't want to troll!

by Nick Powers

I posted a message last Saturday entitled "Gatekeeper failing to proxy for redirect". I did receive a response the following Monday (Thanks Bruno!) asking for some more detail, which I replied to shortly after I received his email but I have not received any replies since then. My question now is should I repost it if I do not receive any more responses? I don't want to troll but there is really not anywhere else I can ask about this. If I cannot find an answer here, then I guess I won't find an answer and thus will not be able to continue using Keycloak/Gatekeeper. :( Can someone please advise what I should do? I don't want to piss anyone off in this group by reposting. I have been helped in the past with this group and I value the members and I know they are under no obligation but, I don't know where else I should turn. Are there any other resources for Keycloak/gatekeeper questions? If I should repost here, then how often do you suggest? I don't want to upset anyone. Thanks Nick

6 years, 6 months

2
1
0 / 0

random issue with Keycloak 7 clustered and restarting keycloak

by Andrew Schmidt

We've recently setup Keycloak 7 in a clustered environment using multicast. (standalone-ha) Everything works great most of the time. But randomly, upon restarting Keycloak on one server, keycloak will not be able to find the other instance. We've called the servers keycloak01 and keycloak02. When the problem occurs, the flow goes something like this: Keycloak01 running Keycloak02 running Restart keycloak02 Keycloak2 reports: no members discovered after 3003 ms: creating cluster as first member Nothing in keycloak01 logs suggests it knows about keycloak02 anymore At this point keycloak02 can never talk to keycloak01 until keycloak01 is restarted. After restarting keycloak01, everything is fine again. Here are the keycloak01 logs when keycloak02 is restarting <keycloak02 stopping> 2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t12) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,056 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster <keycloak02 starting> 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster On a problematic restart keycloak01 logs are as follows: <keycloak02 stopping> 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:10:03,902 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:10:03,912 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,914 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster <keycloak02 starting> ... no more logs will show up and keycloak02 reports no members Notice the time between [Context=clientSessions] and [Context=client-mappings] is 20 seconds on this problematic restart vs the successful one. Anyone have any ideas?

6 years, 6 months

1
0
0 / 0

Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

by Or Harary

Hey, When I'm logged in as a user (grant_type=password), and I'm trying to request a permission ticket for a resource by its name, and I'm using the token endpoint and grant type "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well. But if I'm using a resource server token (from a login using client_credentials), and i'm trying to request permissions for a resource in another resource server, by the resource name, it results with the following error: { error: 'invalid_resource', error_description: 'Resource with id [my-resource-name] does not exist.' } When I'm requesting the resource with its ID, everything works as expected. In version 3.4 it worked well. I now checked it in version 6.0.1 and version 7.0.0 and it doesn't work and it seems to be because of this line: https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a409... Is this the expected behaviour or a bug? Thanks in advance, Or

6 years, 6 months

2
7
0 / 0

Re: [keycloak-user] Offline tokens - how to revoke a single token?

by Rivat Olivier

Best practise is to have offline token per user per app. In the realm setting, you can limit the number of refresh/offline tokens (by default one, when the this flag is activated) It is also up to the user to manage/store the current token in user for a specific app. Like this, you only have an handful of refresh/offline tokens to deal with (also one per device). Regards, Olivier Le 11/09/2019 à 11:18, Przemek Bielicki a écrit : > That would make sense for me if we could only have one offline token > per user per client. > If Keycloak allows to have multiple, why can't we revoke one by one? I > assume it's just a missing feature. > > Przemek > > On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat(a)janua.fr > <mailto:orivat@janua.fr>> wrote: > > Well, OfflineTokens are jwt tokens. So they always exist in the > context of a user and application. > Hence a token is always tied to this tuple (user/client) context. > > Revoking single token implies to delete on a per user basis. > > Regards, > > Olivier > > > Le 11/09/2019 à 11:00, Przemek Bielicki a écrit : >> Hi, >> >> afaik it's only possible to revoke all for given user / client: >> DELETE >> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consen... >> <http://localhost:5081/keycloak/admin/realms/%7Brealm%7D/users/%7BuserId%7...> >> >> I could not find REST API do revoke single tokens. Does it exist? >> >> Cheers, >> Przemek >> >> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat(a)janua.fr >> <mailto:orivat@janua.fr>> wrote: >> >> Hi, >> >> Have a look at following blog. With the admin UI or Self >> self-service >> you easily revoke offLine Sessions. >> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/ >> >> You should also be able to do it with REST API, but I haven't >> had time >> to describe it. >> >> Regards, >> Olivier Rivat >> >> >> Le 11/09/2019 à 10:19, Przemek Bielicki a écrit : >> > Hi, >> > >> > is it possible to revoke single offline token? How? >> > If not, do you consider adding such feature? >> > If not, why? Is there any specific reason why it's not >> possible to revoke >> > offline tokens one by one? >> > >> > Thanks, >> > Przemek Bielicki >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> <mailto:keycloak-user@lists.jboss.org> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>

6 years, 6 months

2
2
0 / 0

Empty username allowed in review profile config

by Kaspar Papli

Hey, I discovered that an empty username is allowed in the Update Account Information page which appears in the first broker login flow. I assume this is a bug? Steps to reproduce: 1. Setup Google as an identity provider. 2. Set Authentication Flows -> First Broker Login -> review profile config -> Actions -> Config -> Update Profile on First Login -> "on" 3. Attempt login with Google (with a Google account that is not yet connected to any Keycloak account). 4. After authentication with Google, in the Update Account Information page, delete the username i.e. set it to an empty string and submit. Expected result: An error is shown about the username being required. Actual result: Registration succeeds and an account is created with an empty username. Workaround: Create an account with an empty username like this. In that case, the next attempt at repeating this fails with "User with username already exists". Realm login settings in my configuration that might be relevant: - User registration: on - Email as username: off - Edit username: off - Forgot password: on - Remember me: on - Verify email: on - Login with email: on Keycloak version: 7.0.0 All the best, Kaspar

6 years, 6 months

1
0
0 / 0

Offline tokens - how to revoke a single token?

by Przemek Bielicki

Hi, is it possible to revoke single offline token? How? If not, do you consider adding such feature? If not, why? Is there any specific reason why it's not possible to revoke offline tokens one by one? Thanks, Przemek Bielicki

6 years, 6 months

2
2
0 / 0

Account registration with proprietary Masterdata

by Ratna Kamireddy

Hi, I want to know the best practise to follow in Keycloak or any OAuth server to sync keycloak users with the proprietary system. We are having a proprietary system (called MDM) that handle all the user / person / organisation / employer / employee information in microservice environment. We moved to keycloak for authentication & authorization across all microservices. And all the endpoints are secured by keycloak. And we never bothered about user registration. Now we have enabled user registration on keycloak.And now figuring out what is the best way to sync keycloak users after registration with the existing MDM. All our microservices can understand the users in MDM and not the users in keycloak as if they need more info about user it can interact with MDM. My first thought would be sending REST request to MDM from keycloak with the newly registered user information. Please share your experience if you guys already done it in your system. Regards Ratna

6 years, 6 months

3
2
0 / 0

update user attributes on every social login

by kkzxak47

Hi, Sorry I fail to provide enough info in the previous question, so here is the detail. Say I have implemented a new social login privider: public class WechatWorkIdentityProvider extends AbstractOAuth2IdentityProvider<WechatWorkProviderConfig> implements SocialIdentityProvider<WechatWorkProviderConfig> There are several attributes from this IdP need to be added to keycloak. So I added them in `BrokeredIdentityContext`, details: ``` @Override protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) { BrokeredIdentityContext identity = new BrokeredIdentityContext( (getJsonProperty(profile, "userid"))); identity.setUsername(getJsonProperty(profile, "userid").toLowerCase()); identity.setBrokerUserId(getJsonProperty(profile, "userid").toLowerCase()); identity.setModelUsername(getJsonProperty(profile, "userid").toLowerCase()); identity.setFirstName(getJsonProperty(profile, "email").split("@")[0].toLowerCase()); identity.setLastName(getJsonProperty(profile, "name")); identity.setEmail(getJsonProperty(profile, "email").toLowerCase()); identity.setUserAttribute(PROFILE_MOBILE, getJsonProperty(profile, "mobile")); identity.setUserAttribute(PROFILE_GENDER, getJsonProperty(profile, "gender")); identity.setUserAttribute(PROFILE_STATUS, getJsonProperty(profile, "status")); identity.setUserAttribute(PROFILE_ENABLE, getJsonProperty(profile, "enable")); identity.setIdpConfig(getConfig()); identity.setIdp(this); AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, profile, getConfig().getAlias()); return identity; } ``` New users will set and map mobile/gender... correctly, but old users already logged in with IdP will not receive custom attributes. My question is how can I make user attributes update everytime user login with the social IdP not matter it's old or new user? Is there another method that I need to override, or another API to call, or I have to modify keycloak source code? Thanks! Victor Z.

6 years, 6 months

1
0
0 / 0

Specifying LDAP/AD domain in token endpoint

by Ajinkya Thakare

Hi team, Is there anyway for the user to specify which LDAP/AD domain to point to while logging in, i.e. while using the token endpoint? The scenario is for a multi-tenant environment, where the same username can be a part of multiple LDAP/AD domains but with different authorization roles setup in each. Here we don’t want our Keycloak instance to sequentially check into every LDAP/AD configuration added, like it does now, but rather check for validating the credentials in only specified domain. Also, if there are different passwords in different domains for same username, the Keycloak instance returns invalid credential error if the user provides the password for a later LDAP/AD config. In this case, an ability to specify the domain will really be helpful. Example: Suppose username ‘athakare’ is a part of two different domains – ‘domain1’ & ‘domain2’, with different passwords, it would be easier if the user can specify something like ‘athakare@domain1’ as his username while logging in. Please let me know if this is already possible in any way using Keycloak. Thanks! Regards, Ajinkya Thakare

6 years, 6 months

1
0
0 / 0

Map arbitrary LDAP value to an Attribute

by Christophe de Vienne

Hi everyone, I need to copy a property of a parent organizational unit to a user attribute. >From what I understand, no existing ldap mapper is able to do that, which means I need to code my own ldap mapper (that would inherit AbstractLDAPStorageMapper). Is this the best way to achive this goal? Thanks in advance, Christophe

6 years, 6 months

1
1
0 / 0

How to update user attributes with each login, not just the first one?

by kkzxak47

Hi fellow keycloak users, It's been several months since I adopted keyclak as the SSO tool for my company, everything went smoothly with one little glitch. Currently we use a social login IdP as our main login method, we trust it unconditionally. But I find that custom user attributes from that IdP will not update in keycloak after the first login. And old users will not have these attributes at all. So I was wondering what can I do to make keycloak update user attributes on each and every login with the social IdP? Victor Z.

6 years, 6 months

1
0
0 / 0

Long user upload procedure

by Игорь Хесин

Asking for your help. We start docker image stand-alone Keycloack in openshift. We add new users using REST. But everything works very slowly. For 240000 users the uploads takes 24 hours. 1. Has anyone come across this? 2. How do you add and update users? Our server: CPU 4 4 GB. Our version of keyclock 7.3.1.GA. Thank you Igor

6 years, 6 months

2
1
0 / 0

Keycloak single logout is not working

by Hashem Ramadan

Hey, I am using keycloak as IdP server for the saml SSO, I am using spring boot application beside two more software docebo and channeltivity, The single sign-on is working, but while I am press sign out from docebo its not logging out, and in the same channeltivity it's not working. any leads to solve this? --

6 years, 6 months

1
0
0 / 0

Admin CLI - how to a a builtin protocol Mapper to a Client

by Bruce Smith

Hi I am trying to add the built-in protocol mapper "realm roles" to a client using the Admin CLI. I must have tried 500 syntactic combinations for the "--set" parameter; they all result in either no error (but no mapper added to the client), or a Java exception (com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token). Does anyone have an example that can be shared of successfully using the Admin CLI for this operation, please? Keycloak version is 6.0.1 Regards Bruce

6 years, 6 months

2
2
0 / 0

KeyCloak Client Credentials pass http header values

by Rohit Chowdhary

I want to connect two applications ClientApp, ResourceApp securely on behalf of a user via KeyCloak as the authorization server. User does a login into ClientApp and then ClientApp calls REST APIs on Resource App in the background. I have setup KeyCloak adjacent to ResourceApp and configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken and then calls APIs on the ResourceApp. In this Auth process, I want to communicate some information from ClientApp to ResourceApp via HTTP Headers, so that KeyCloak can add them into the JWT Access Token. (The reason I am trying this approach is that I will not need any user maintenance within the KeyCloak and ResourceApp). Questions: Am I trying to do something that is not possible or allowed in such security setup? Is there a better way to achieve without having to maintain Users and Roles in the KeyCloak server? I want KeyCloak to be just a mechanism to offload token generation and as a security mediator. Or Can I pass the header data from Auth request into the JWT token? I looked into the Client Mappers of KeyCloak, but since there is a redirect or forward within KeyCloak from Auth request to Get Token, the header values are getting lost.

6 years, 6 months

2
4
0 / 0

Assign Roles to an LDAP user in Read only mode

by Harish Tammireddygari

Hi, I am aware that if "Import users" is enabled, the users will be automatically imported from LDAP into Keycloak and I can go to a user's settings, and add roles to that user as needed. But in my case, I don't want the users to be imported automatically and get access to the application. I would like to restrict the access to a few LDAP users by manually adding/importing LDAP users and assign roles to them. I managed to create my own Rest endpoint to import the selected LDAP user into Keycloak DB as a local user by adding the Federation link and required LDAP attributes to the user. It is working fine. But the problem comes when I assign a client level role to this imported user. It throws "Read-only Mode" exception because "Import Users" is set to OFF in LDAP configuration. I tried the below code to grant the roles to the user which works only after the service. Is there a better way to assign the roles to an LDAP user? UserModel user = keycloakSession.userLocalStorage().getUserById(userId, realm); RoleModel roleModel = client.getRole(role.getName()); user.grantRole(roleModel); Thanks.

6 years, 6 months

1
0
0 / 0

best way to save Keystore and Truststore passwords in standalone.xml?

by Chris Smith

How can the Keystore and Truststore passwords be reasonably saved? Just having them in plaintext in standalone.xml seems like kind of a "bad thing". Keycloak is running as a specific Active directory user, so set standalone as only accessible to that user and Domain Admins?

6 years, 6 months

2
2
0 / 0

Can decrypt identified HS256 refresh token with RS256 public key with client credentials grant

by Eric Brown

Hello, At first I struggled to understand why pyJWT was raising an error when decoding a refresh token issued from keycloak using the client credentials grant. The specified error was : "The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret. " I now understand the issue: The refresh token identifies itself as being HS256 encrypted in header so pyjwt raise an error when I try to decrypt it with keycloak public key. The problem is that I am able to decrypt it with the public key when bypassing verification with verify=False to pyjwt.decode. The access token received are identified as RS256 and are fine. Pyjwt behavior with enabled verify is thuscorrect when preventing decode of HS256 tokens with public keys. The problem now seems to be this: Shouldn't it be impossible to decrypt the HS256 refresh token with the public key at all? So it might seem that the refresh tokens are incorrectly labelled as HS256 in header but at truly RS256. Thanks, Eric

6 years, 6 months

2
1
0 / 0

Gatekeeper failing to proxy for redirect or mobile! :(

by Nick Powers

I have Keycloak and Gatekeeper configured to use Google as an identity provider to front end my PHP application and most of the time it works great but sometimes it exposes my internal host (which Gatekeeper should be proxying for). If I login from my desktop(chrome) it works fine unless instead of clicking on a link my app tries to use a redirect header. i.e. my PHP example: header("Location: /protected/dashboard"); When that happens instead of redirecting to https://commentcontext.com/protected/dashboard, like it should, I see https://webapp/protected/dashboard in the URL field. This fails because there is no DNS for webapp. webapp is the name I use internally and it should never be exposed externally. Also, if I try to connect using my phone or tablet (both android) I get through the Google authentication fine but then it tries to send me to https://webapp/protected/dashboard, which again is a FAIL :( Why is Gatekeeper failing to proxy sessions when initiated via a redirect or when they come from mobile browser? Has anyone seen this behavior before? Any help anyone could provide on this issue would be greatly appreciated. Thanks, Nick

6 years, 6 months

2
2
0 / 0

Keycloak Gatekeeper configuration with SPA

by Yumna Ghazi

Hello everyone, I'm using Keycloak as an identity manager and since it also provides optional authorization, I decided to use it to suit my access control requirements as well. I have multiple microservices that I want to protect using Keycloak Gatekeeper like the configuration below but with separate Gatekeepers per service. --------- ----------- ----------- ------------ | UI | ---> | Proxy | ---> | GateK | ---> | Service | --------- ------------ ----------- ------------ | || | v -----------------------------------> Keycloak Aside from the CORS related issues this creates (KEYCLOAK-9099 <https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important issue that I'm struggling with. My UI already has keycloak js integrated with a public client specifically for itself, which I was using for login initially. Now that I want to use the Gatekeeper proxy, I want my login/token refresh to happen on the UI such that it would automatically generate the requisite cookies for Gatekeeper, because I want to disable redirection on Gatekeeper and send 401 directly in case of expired/bad/no token. a) Is my understanding correct and is this the correct approach? b) If so, how can I login via Keycloak directly or via Gatekeeper and get the required cookies (without some proxy-level hacking)? Right now I'm hovering between a couple of options, from using Kong oidc with some custom authorization to using Gatekeeper. Any help would be much appreciated. Thanks. Yumna

6 years, 6 months

2
1
0 / 0

Hello mailinglist

by Xander

Hello everybody, I just subscribed to this list and as a test, I wanted to give a friendly hello to everyone. Best regards, Xander -- The Idiot Company Met vriendelijke groet, With kind regards, Xander Smalbil THE IDIOT COMPANY Staalsteden 4-3A 7547 TA Enschede The Netherlands +31 (0)53 20 30 275 info(a)theidiotcompany.eu WWW.THEIDIOTCOMPANY.EU

6 years, 7 months

1
0
0 / 0

jboss-cli SSL access to keycloak Management interface usage, in Elytron 2-way SSL config, failing: "problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big" ?

by PGNet Dev

I'm setting up a new install of keycloak 7.0.0 for 2-way TLS Starting with a working http controller /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+http://10.0.0.1:9990 \ version JBoss Admin Command-line Interface JBOSS_HOME: /opt/keycloak Release: 9.0.2.Final Product: Keycloak 7.0.0 JAVA_HOME: /usr/lib64/jvm/java-11-openjdk java.version: 11.0.4 java.vm.vendor: Oracle Corporation java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664 os.name: Linux os.version: 5.2.11-26.gd6e8aab-default I configure JCEKS key-stores, and enable https for admin user access, /subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks) /subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs, alias=ks-pass}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS) /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true) batch /subsystem=undertow/server=default-server/http-listener=default:remove() /subsystem=undertow/server=default-server/https-listener=https:remove() /subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true) run-batch At this point, egrep "http-listener|https-listener" /usr/local/etc/keycloak/*/*/standalone.xml <https-listener name="default" socket-binding="https" ssl-context="twoWaySSC" enable-http2="true"/> and I can verify admin UI via http in browser has been disabled, http://10.0.0.1:8080/auth/admin "Unable to connect" and https is enabled, https://10.0.0.1:8443/auth/admin LOGIN is OK I still have http:// mgmt controller access at cmd-line /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+http://10.0.0.1:9990 \ version JBoss Admin Command-line Interface JBOSS_HOME: /opt/keycloak Release: 9.0.2.Final Product: Keycloak 7.0.0 JAVA_HOME: /usr/lib64/jvm/java-11-openjdk java.version: 11.0.4 java.vm.vendor: Oracle Corporation java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664 os.name: Linux os.version: 5.2.11-26.gd6e8aab-default Setup 2way SSL for the Management interface, batch /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm) /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC) /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https) /subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM) run-batch and verify *managment* UI https in browser, http://10.0.0.1:9990 REDIRECTS TO https://10.0.0.1:9993 and https://10.0.0.1:9993 LOGIN is OK works as expected. But, checking cmd-line https access, /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+https://10.0.0.1:9993 \ -Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \ -Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \ -Djavax.net.ssl.trustStorePassword=keypass \ -Djavax.net.ssl.keyStorePassword=keypass \ version where, keytool -list -storetype jceks -storepass keypass -keystore ./keystore.client.jceks Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 1 entry client-keystore, Sep 6, 2019, PrivateKeyEntry, Certificate fingerprint (SHA-256): 1F:...:6F keytool -list -storetype jceks -storepass keypass -keystore ./truststore.client.jceks Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 1 entry client-keystore, Sep 6, 2019, trustedCertEntry, Certificate fingerprint (SHA-256): 1F:...:6F fails with Failed to connect to the controller: Failed to resolve host '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big. What's in my config, or missing from it, that's causing this error?

6 years, 7 months

2
2
0 / 0

Two clients to share tokens

by Yang Yang

Hello, Is it possible for two clients of the same realm share tokens? I am aware that when a user gets the token for a client, she will be redirected to get a new token when accessing another client. This is reasonable and necessary to stop attacks like CSRF, but if both of the two clients are trusted and registered on the same realm, we may be able to simplify the process. If possible, could you help to tell how to do it? Thanks, Yang

6 years, 7 months

2
1
0 / 0

Evaluation of RPT in admin console does not match Rest request result...

by Axel

Hello. Keycloak 6.0.1 and 7 Can anyone help me with understanding of evaluating RPT? Scenario: 2 Realm Roles - RoleA and RoleB 1 user with both realm roles 2 clients: clientA public (or confidential) with Scope=RoleA clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB When I go to clientB Authorization-Evaluate set Client = clientA set User = user choose Any resource with scope(s) Any scope. and see: { "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7", "exp": 1567062109, "nbf": 0, "iat": 1567061809, "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "ff2e581c-0663-4b8c-9332-629b02c02729", "acr": "1", "realm_access": { "roles": [ "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } here I see that I have only RoleA (that is correct - I'm going through clientA) But when I make requests: curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' -d 'grant_type=password' ' http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token' grab access-token and curl -X POST \ http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \ -H "Authorization: Bearer access-token-from-first-curl" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=clientB" I get different jwt: { "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2", "exp": 1567062641, "nbf": 0, "iat": 1567062341, "iss": "http://localhost:8280/auth/realms/TestRPT", "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e", "acr": "1", "realm_access": { "roles": [ "RoleB", "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } Why "RoleB" is in RPT? Do I understand documentation wrong? Wrong RPT request? Our main target is: when user goes through clientA to clientB, clientB should receive only those roles that the user has in clientA. We have many applications-clients and we want to limit some of them. How can we achieve this? Thanks in advance. Alexey Makarevich.

6 years, 7 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user September 2019