Feature Request
by Sushil Singh
Hi,
As of now there is support of only http-method-as-scope when policyEnforcer is enabled inorder to get the mapping between application scopes and keycloak defined scopes. But I want to use keycloak not only for rest api's but for other use cases where I can have application specific custom resources (independent of URI requested) and actions(scopes). i want some API to provide support for custom resources as well as scopes
ex-: I have a pipeline to run and it can have actions like STOP ,RUN , RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding a functionality where user can use custom scopes would be of great help and extend its usability for non rest api's also.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
6 years, 8 months
Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have below challenges in out project where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When a Offline token is used from two
different machines, There is only one Session that will be created and
session will have the IP address of the machine from where the User Session
is first created. Because of this we cannot suspect any suspicious activity
by hackers. Should n't we create different sessions even though same
offline token is used from different machines.
2. *Why there is no separate REST end point to get only Online User
Sessions: *Below REST end point returns all the User Sessions ie., both
Offline and Online User Sessions.
GET /{realm}/clients/{id}/user-sessions
You help is much appreciated !
Thank you,
Nagendra Darla
6 years, 8 months
resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "
http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H
"Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d
'{*"_id": "123-456"*, "type": "test", "name":"test",
"scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont",
"ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not used in the unicity.
In my application database, resources with different types are stored in
different collections, so two resources with different types *can* have the
same ID.
How do you suggest to solve this in Keycloak? Providing a keycloak ID of
the form <type>-<ID> for example? e.g. sensor-123 and project-123 would not
collide.
Cheers
6 years, 8 months
Keycloak does not found SPI User Storage provider
by Alfonso Vidal García
Good morning,
I have configured a Spring Boot project with connection to Keycloak, and also I want to install a Custom SPI User Provider external to Keycloak.
I did all the steps to do the Provider and ProviderFactory, and also the file in META-INF/services, and when I try to deploy on Wildfly to connect with Keycloak, fails,
12:52:26,079 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar"
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)>
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)>
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)>
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)>
... 8 more
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)>
... 10 more
12:52:26,081 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 8) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
12:52:26,082 ERROR [org.jboss.as.server] (management-handler-thread - 8) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
I try to search in all internet about solutions about that, and I am blocked, so If you could tell if anything is missing.
Thank you. Alfonso Vidal.
P Please consider the environment before printing this e-mail.
6 years, 9 months
Keycloack Multi -Tenancy question
by Litom Segal
We are considering using Keycloack in a multi-tenant fashion.
Each of our customer's account has its own users, and applications
installed, and we also provide services API's consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wonder if there was any progress on the multi-tenancy use case, and
are there any best practices on how to setup Keycloack to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
--
Litom Segal
Software Engineer
T: +972-74-700-4097
<https://www.linkedin.com/company/164748> <https://twitter.com/liveperson>
<https://www.facebook.com/liveperson/?ref=bookmarks>
Our mission is to make life easier by transforming how people communicate
with brands. <https://liveperson.docsend.com/view/drieh2u>
--
This message may contain confidential and/or privileged information.
If
you are not the addressee or authorized to receive this on behalf of the
addressee you must not use, copy, disclose or take action based on this
message or any information herein.
If you have received this message in
error, please advise the sender immediately by reply email and delete this
message. Thank you.
6 years, 9 months
Account Management Rest API
by Corentin Dupont
Hello,
I wanted know the status of the new account Console and API (see
message copied bellow)?
I have an application developed in ReactJS, which is using Keycloak
account pages generated by Keycloak (4.4.0).
I would like to add additional elements to the account page, that are
not controlled by Keycloak.
Notably, I need to access the Redux store and make some HTTP requests
to an eternal API.
What do you suggest? I was thinking to re-do completely the account
pages with React, and retrieve the data from Keycloak using API.
However I'm not sure the account management API is ready on Keycloak side.
Thanks
Corentin
Stan Silvert wrote on Mon Apr 15 12:32:07 EDT 2019:
Right now this API is in development and subject to change at any time.
We are hoping to have it completed in the next few months.
Also, we are working on a new Account Console that will use PatternFly 4
and React. It will be easy to extend, so you can add your own pages.
It will work better on mobile devices. And of course, you will be able
to change it around with different themes and such.
So building your own console from this new Account Console might be a
better option than building the whole thing from scratch.
If you are interested, the code is here along with a readme that tells
how to build and run. It's very much a work in
progress:https://github.com/keycloak/keycloak/tree/master/themes/src/main...
I still need to document how to create extensions, so let me know if you
are interested in that.
Stan
On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
>* Hi guys,
*>* I'd like more information about the AccountRestService class
*>* (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
<https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>)
*>>* 1. I noticed that there are still a couple of TODO (such as Identity
*>* Providers management), is there a roadmap for the development of this
*>* missing features?
*>* 2. Are these API public or for internal use only? I'd like to use them
*>* to implement a custom Account Management page for my application.
*>* 3. How stable are they? How likely is it that they will change or
*>* disappear in the (near) future?
*>>* Thanky you.
*>* Best regards
*>>* --
*>>* GABRIELE RABBIOSI
*>>* BeePMN Software Engineer
*>>
6 years, 9 months
multiple reset credentials flows
by Arnault BESNARD
Hi,
We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case.
What is the best way to solve our issue?
Thanks in advance,
Arnault
6 years, 9 months
Storing and using refresh tokens
by Marius Bozem
Hey everyone,
I am working on using refresh tokens to get new access token when the old
one expires.
For that I would like to know the best practices regarding:
- What is a secure and easy way of implementing the use of refresh tokens?
In more detail, these are the questions I have:
- How and where to store refresh tokens? We plan on storing them in our
back end service. A user would then have a session with our service that
would be used to get the refresh token for them.
- Where and how will the use of the refresh token be triggered? At some
point the access token will expire, should the front end then make a
request to the back end to get a new token?
- In this front end & back end setup how do you deal with the user having
multiple tabs of the application open or using multiple browsers?
Thanks in advance,
Marius
6 years, 9 months
keycloak theming - Realm name instead of logo in login page
by Wilfried Anuzet
Hello all,
I just have a little question about theming keycloak.
I copy the default theme folder and modify a bit the css and logo to make a
custom login page.
After I import the newly created theme I apply it and it works well for the
master Realm, but when I apply this theme to another Realm I've the Realm
name that appears on the login page instead of my logo.
How can I make my logo appears instead of the realm name ?
Is it something to configure in keycloak ? or a property to change in the
theme.properties ?
Bests regards.
Wilfried Anuzet
6 years, 9 months
Keycloak does not found Provider Factory
by Alfonso Vidal García
I have configured a Spring Boot project with connection to Keycloak, and also I want to install a Custom SPI User Provider external to Keycloak.
I did all the steps to do the Provider and ProviderFactory, and also the file in META-INF/services, and now Wildfly fails with,
14:20:43,656 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar"
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found
at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:588)
at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1211)
at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1220)
at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1264)
at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1299)
at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1384)
at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.ProviderManager.load(ProviderManager.java:92)
at org.keycloak.keycloak-services@7.0.0//org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:214)
at org.keycloak.keycloak-services@7.0.0//org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:115)
at org.keycloak.keycloak-services@7.0.0//org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.keycloak-wildfly-server-subsystem@7.0.0//org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:55)
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)
... 8 more
14:20:43,657 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found"}}
14:20:43,658 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: java.util.ServiceConfigurationError: org.keycloak.storage.UserStorageProviderFactory: Provider gcs.fds.focusoc.keycloak.spi.LoginStorageProviderFactory not found"}}
Anyone knows what it is happening?
P Please consider the environment before printing this e-mail.
6 years, 9 months
Token Exchange
by James Mitchell
Where should I look for the code for token exchange?
I am getting an invalid token error for one particular identity provider,
and wI want to see what sort of logic the code uses to decide whether to
validate and swap tokens.
I have my code working ok for a standard Google oauth provider, so I have
already fixed issues with users not being enabled when I try to exchange
tokens, and making sure I have a valid userinfo url.
My suspicion is I have an error with the userinfo url - which is not a
standard oidc endpoint, but it is returning a 200 OK status when I hit it
by hand with the access token.
Thanks,
James
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
6 years, 9 months
Keycloak 404s and issues after 4.3.0 upgrade/restore
by Nathan McGinnis
Hi,
I am running the Keycloak 4.3.0 docker image in standalone mode with
a PostgreSQL 10.4 backend. In attempt to migrate this system to one of our
Kubernetes clusters, I took a backup of the keycloak database and restored
it to the new instance. Starting a newer version of keycloak (I've tried
4.8, 5.x, 6.x all with the same issue) which connects to the newly restored
DB runs the liquibase scripts successfully and all appears well in the
startup logs.
When I navigate to my instance in the browser I can login to the master
realm using my existing credentials, however selecting any realm (or any
link after that) results in a 404. I see the URL is malformed which is why
I get the 404:
https://keycloak.example.com/auth/admin/master/console/#/realms//clients
Notice the "realms//clients" part. If you correct this URL manually the
page spins/loads until Keycloak's transaction reaper kills the request.
I have attached the full startup log. Has anyone ran into this before or
possibly have any insight/suggestions?
Thank you!
6 years, 9 months
Authenticator flows alternative processing - Keycloak 4.8.3
by Cliff MAURY
Hello,
We have to implement an authenticator flow to handle the following
scenarios :
- EITHER user fills in the login form, he/she can be log into the app
(Username Password Form)
- OR users click on a new link 'First connection ?' on the login page,
he/she sould be redirected to a flow with 'Choose User' and 'Send Email
Validation' (custom authentificator).
Here is the configuration of the custom browser flow :
- Cookie : ALTERNATIVE
- Custom Browser : ALTERNATIVE
- Custom Username Password : REQUIRED
- First Connection : ALTERNATIVE
- Choose User : REQUIRED
- Send Validation Email (custom authentificator) : REQUIRED
We tried to override UsernamePasswordForm:action() (in a custom new class)
in order to do context.attempted() and so ignore this step and go into the
First Connection flow (ie display the "Choose User" Form) but it doesn't
work at this time.
We are lost into DefaultAuthenticationFlow (processFlow(),
processAction()...) especially with processResult() (case ATTEMPTED) that
throws an AuthenticationFlowException when execution is REQUIRED (line 278
/ keycloak 4.8.3.Final)
Does someone see what we can do please ?
Regards,
Cliff MAURY
6 years, 9 months
User roles are not updated when the user is already created
by Mehdi Bechiri
Hey there,
This is related to KEYCLOAK-8690<https://issues.jboss.org/browse/KEYCLOAK-8690>. We are a few having some issues with regards to SSO, notably about the non-update of user roles when something is updated on the IdP side.
Basically, when we set SSO up, at first login we go through the first broker login flow, which creates the user in the db and gives this user all the roles he should have depending on the mapping we created, in our case “Claim to role” mappers.
In our case, each role in keycloak has a corresponding Azure AD group, where we manage all of our users and where our IAM strategy sits.
Our problem begins when we update the groups on AAD. When we remove the user from a particular group, the role in keycloak is removed at the next login. Which is expected.
But when we had this user in a new group, we expect the corresponding role to be added at the next login. Which is not the case.
For me it is a strange behavior to allow remove but disallow add.
Our workaround today – which is not sustainable on the long run – is to delete the user prior updating him in AAD with new group, so that each time he will go through the first broker login flow and gets the right roles.
The Jira mentioned above is about that, and you reply that it is not a bug and therefore, it doesn’t need to fixed. Which we disagree on.
Or maybe there is something in keycloak configuration that I’ve missed ?
Could you expand on the rationale behind the logic ?
Regards,
Mehdi Bechiri
Ops Lead
+33.6.15.03.63.73
[Logo]
Rue Adrien-Lachenal 20 » 1207 Genève » Switzerland
komgo.io<http://www.komgo.io/> » LinkedIn<https://www.linkedin.com/company/komgo/> » Twitter<https://twitter.com/iokomgo>
6 years, 9 months
OIDC / SAML client access restriction
by Steeve C
Hi,
I'm looking for a way to restrict user access to a given OIDC (and / or
SAML) client for a given realm. I've tried to configure it using OIDC
"Authorization" feature by modifying the "Default policy" JS code to:
```
$evaluation.deny();
```
But without success, users are still able to connect to the client.
I've also tried to create a client role, but even if the user doesn't have
this role he can login to the application.
Can you confirm me that it is possible to restrict user login access to
given user(s) / group(s) at the IdP level (keycloak) without modifying the
client (like without checking which role the user have)?
If it's possible, then could you explain me which process should I use?
(it's not very clear to me at the moment).
Thanks,
Steeve
6 years, 9 months
Sign in with Apple?
by Jeffrey Sambells
Is there a way to configure Sign In with Apple using the existing Keycloak tools or does it require a custom identity provider?
Thanks,
Jeffrey
6 years, 9 months
Admin console: Custom roles
by Pavel Micka
Hi,
We hit the following issue: in our system, we need to have users, who are allowed to manage users, but not to delete them from the system (they may just disable them, so we still have the user object available for other parts of the system).
The issue is that Keycloak does not have a role for this particular task - whoever has manage-users, can also perform the delete. Is there any way to extend the default KC behavior and add a role requirement for the given REST endpoint? Our idea was to introduce a role delete-users, that will be required for this operation (either as a replacement for manage users for this endpoint, or as additional pre-requisite).
Or is there some other way to achieve this?
Thanks,
Pavel
We also looked at fine-grained permissions, but those do not seem to support this scenario.
6 years, 9 months
Link directly to the Registration page
by Stuart
Hi all,
Is it possible to send users directly to the 'register' page, instead of
going via the login page first?
I've tried pasting the 'register' link, but I get errors if I've not
visited the login page first. (I guess because if the tab_id parameter).
Thanks,
Stuart.
6 years, 9 months
register new user; redirect to specific client url
by John Norris
I have an app secured by keycloak. Going to a secured page brings up a keycloak login page and the correct user/password gives the expected results.
Within the client, I have switched on user registation. So now the login page shows a register link, which displays another keycloak page allowing the user to register with name, username, email.
This "works" in that the user is added to the keycloak user database. But the application displays the error page because a role is not mapped to that user in keycloak.
What I would like to happen is to be able to add the new user to the apps own user database, associate a role with the user, perhaps do some verification of the user.
So I don't really know what keycloak is sending back to the app except that it eventually leads to /error. Is there a way to tell keycloak after a new registration contact this url where things can happen within the app?
I realise that I could set a default role. But I really want a way of telling keycloak to go to a specific URL after a new user registration is completed.
Regards,
6 years, 9 months
refresh token in keycloak
by John Norris
Hello,
I am trying to use a refresh token from keycloak. Little unsure as to what is supposed to happen. Am I supposed to receive another access token after the original expires?
Anyway, I can use the original access token via curl and receive data from my application. But when It try to get a new access token using my refresh token,
$ curl -v --data "grant_type=refresh_token&client_id=bikes-app&refresh_token=$RTOKEN" https://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-conne...
* Trying 127.0.1.1...
* TCP_NODELAY set
* Connected to mint191 (127.0.1.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
$ echo $RTOKEN
eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzOWE1MjY3ZC03NDI1LTQwNmUtOTAxYi0wYWI5Mjc2NjJkMzkifQ.eyJqdGkiOiIyNjJlMGViZS1hODIwLTRjZGEtYjAxZC1hMmE2ZGFjNTYwNjYiLCJleHAiOjE1Njk0MDYwMDQsIm5iZiI6MCwiaWF0IjoxNTY5NDA0MjA0LCJpc3MiOiJodHRwOi8vbWludDE5MTo4MDgwL2F1dGgvcmVhbG1zL1NwcmluZ0Jvb3RLZXljbG9hayIsImF1ZCI6Imh0dHA6Ly9taW50MTkxOjgwODAvYXV0aC9yZWFsbXMvU3ByaW5nQm9vdEtleWNsb2FrIiwic3ViIjoiMDQxN2YxNTQtNGQ4MS00Yjg2LTk4MjctZTQxMzg4N2Q3NGNkIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImJpa2VzLWFwcCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjlhZDRmNTUyLTAwMDItNGY5ZS05ZGFlLTE4MmI4MjkxNTBlNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.WoX78QkWZX5AwYBKTy4I8H0ia0O1IR5A8dS93p6bzqg
I get the original token with
RESULT=`curl -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=user1&grant_type=password&client_id=bikes-app&password=123456' http://mint191:8080/auth/realms/SpringBootKeycloak/protocol/openid-connec...
and then get the token and refresh token variables.
Regards,
John
6 years, 9 months
Single-Realm installation, start page, less deep links?
by Felix Schäfer
Hello,
I’m looking for some pointers regarding a few irks we still have with our Keycloak installation. Our Keycloak currently is a frontend for our LDAP and the place our users can change their password, emails, and so on.
As this realm, i.e. the realm managing and fronting the LDAP, will ever be the only one, is there a way to change the / (root) link to go to that realm or its login page instead of showing the default start page? Furthermore, the /auth/realms/some-realm part of the URL feels kinda redundant, any way I can just remove it, and be it with a rewriting rule in our reverse proxy?
Thanks,
Felix
6 years, 9 months
Re: [keycloak-user] Map group attributes to users
by i need to know how to add new attribute to user with keycloak admin rest api
I want to add custom attribute to user with java admin rest api can you help me please or give me exemple.thanks.
Sent from Mail for Windows 10
6 years, 9 months
web.xml constraints question
by Turner, George
First, I using the adapters in a WildFly server.
I am using a web application configuration.
All works well, but for a possible "nuisance" I am seeing in the logging, that may just be because I have TRACE logging turned on.
My web.xml has two security constraints, but only one has a user role constraint, thus the "unprotected" resources should be entirely ignored by the Keycloak processing:
<security-constraint>
<web-resource-collection>
<web-resource-name>unprotected</web-resource-name>
<url-pattern>/shortcut.ico</url-pattern>
<url-pattern>/features/*</url-pattern>
<url-pattern>/plugins/*</url-pattern>
<url-pattern>/registerForClock/*</url-pattern>
<url-pattern>/registerForCallbacks/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>PremiereClientAccessRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
My issue is I simply had too many problems with the websocket paths (register*) and so exclude them until I can get more time to work them. I also have to exclude the features and plugins paths, as those are accessed by a Java Web Start JNLP application, that simply cannot pass any kind of OAuth credentials, I can only make it pass a JSESSIONID query parameter.
When that occurs, I get this output:
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.elytron.ElytronSessionTokenStore] (default task-8) Account was not in session, returning null
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) there was no code
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) redirecting to auth server
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) callback uri: https://ispace.space.smil:8443/premiereclient/plugins/org.eclipse.equinox...
2019-09-25 05:49:05,656 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-8) Sending redirect to login page: https://iskeycloak:8443/auth/realms/ispace/protocol/openid-connect/auth?r...
2019-09-25 05:49:05,657 INFO [io.undertow.request.dump] (default task-8)
----------------------------REQUEST---------------------------
URI=/premiereclient/plugins/org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar
characterEncoding=null
contentLength=-1
contentType=[application/x-java-archive]
header=Accept=text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
header=Cache-Control=no-cache
header=accept-encoding=pack200-gzip,gzip
header=UA-Java-Version=1.8.0_221
header=Pragma=no-cache
header=User-Agent=JNLP/1.7.0 javaws/11.221.2.11 (<internal>) Java/1.8.0_221
header=If-Modified-Since=Tue, 24 Sep 2019 23:11:52 GMT
header=Connection=keep-alive
header=content-type=application/x-java-archive
header=Host=ispace.space.smil:8443
locale=[]
method=HEAD
parameter=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
protocol=HTTP/1.1
queryString=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
remoteAddr=tlsdorl9166lg3.us.lmco.com/172.22.1.138:2503
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=Content-Length=0
header=Date=Wed, 25 Sep 2019 05:49:05 GMT
status=200
It "says", it is sending a redirect, but there is no Location parameters in the RESPONSE, so it just downloads the jar and everything works fine, but it is "disconcerting" that it is "attempting", even though that URL is excluded per the security constraints.
In the case of the websocket paths, something similar occurs:
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-7) Evaluating request for path [https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...]
2019-09-25 05:49:25,699 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-7) adminRequest https://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc...
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) --> authenticate()
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try bearer
2019-09-25 05:49:25,699 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try query paramter auth
2019-09-25 05:49:25,700 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-7) try basic auth
2019-09-25 05:49:25,700 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-7) NOT_ATTEMPTED: Treating as bearer only
2019-09-25 05:49:25,702 INFO [io.undertow.request.dump] (default task-7)
----------------------------REQUEST---------------------------
URI=/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
characterEncoding=null
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX
header=Connection=upgrade
header=Sec-WebSocket-Version=13
header=Sec-WebSocket-Key=06K18ImuBoSwY85ku2AtMA==
header=Origin=https://ispace.space.smil
header=Upgrade=websocket
header=Cookie=$Version="1"
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db
header=Cookie=JSESSIONID="hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX";$Path="/premiereclient";$Domain=".ispace.space.smil"
header=Host=ispace.space.smil:8443
locale=[]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/172.22.1.138:2525
remoteHost=tlsdorl9166lg3.us.lmco.com
scheme=https
host=ispace.space.smil:8443
serverPort=8443
isSecure=true
--------------------------RESPONSE--------------------------
contentLength=-1
contentType=null
cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; domain=null; path=/premiereclient
header=Connection=Upgrade
header=Set-Cookie=JSESSIONID=hSSQKI3rhbSZpBucCG9pgfSVJ3_boi6QBComJIzX.db; path=/premiereclient
header=Sec-WebSocket-Location=wss://ispace.space.smil:8443/premiereclient/registerForCallbacks/9c84cc61-45df-4c9b-8687-3da7b5d35773
header=Origin=https://ispace.space.smil
header=Upgrade=WebSocket
header=Sec-WebSocket-Accept=J5354J166p8qV08GoBhXAN6ZRjY=
header=Date=Wed, 25 Sep 2019 05:49:25 GMT
status=101
You can notice, the status is 101, so the upgrade succeeded, and all works fine, but once again, it is "disconcerting" that the adapters are doing anything at all, in an excluded URL.
I get the same logging if I do not exclude the paths, but then I get a 401 and the upgrade fails.
Please advise if you can give me something to try.
I would like to not have to exclude either of these resources, but unfortunately there is zero ability for me to integrate Web Start in any way that I can find, so I can only hope to fix the websocket resources.
Thanks
Gene
6 years, 9 months
Add LDAP as external IdP
by Ajinkya Thakare
Hi all,
Is there any way to add LDAP as an external IdP in keycloak? Any tools or libraries that can provide the IdP services over the top of LDAP?
Thanks in advance for the help.
Regards,
Ajinkya Thakare
6 years, 9 months
Specifying LDAP/AD domain in login/token endpoint
by Ajinkya Thakare
Hi all,
I have a multi-tenant SSO use-case where a set of application can be used by multiple organizations with their owns LDAP/AD configurations. I am trying to secure those applications using Keycloak and pretty much successful in doing so by adding individual organization’s LDAP configs in User Federation tab.
However, I observed that for authentication from LDAPs, keycloak goes through all the LDAP configs added one by one, either by the order of their addition in Keycloak or by the priorities set in configuration, to check for the user credential until desired username and password matches. This is causing two main issues –
1. If same username is part of two organizations, it causes failure even when correct credentials belonging in a later LDAP are passed to the login/token API. Keycloak finds the same username in the first LDAP and sees the password is different and hence returns failure.
2. Keycloak does not provide failover for LDAPs. Thus, if one of the LDAP servers is down, authentication from all the successive LDAPs will fail.
Can we instead have a solution where user can specify his/her organization’s domain along with the username, so that keycloak points directly to that particular LDAP config and not look into other LDAPs. This will solve both of the above problems.
For example, we have same username ‘ajinkya.thakare’ in two organization’s domains ‘company1’ and ‘company2’. On the login page, if user can provide ‘ajinkya.thakare@company2’, keycloak should point to the LDAP config for company2 only. Here issue 1 is solved since the credentials for ‘ajinkya.thakare’ in company1’s domain are not checked anytime and hence not causing any failure for correct credentials from company2. Issue 2 is also solved since LDAP server for company 1 may be down sometimes, but we are not concerned with that anymore and hence enabling failover for LDAPs.
Please let me know if this can be already achieved by any means. Or if there is any workaround for the same.
Regards,
Ajinkya Thakare
6 years, 9 months
add custom attribute with admin rest api
by Achraf Dely
hello,
i need to create protocol mapper in order to map custom attribute to a user
with keycloak admin rest api (java).can you give me exemple or guide.and
think you.
6 years, 9 months
Execution Flow
by Stuart
Hi All,
I'm a little confused with configuring alternative execution flows.
I currently have the follow configured.
Cookie
Username Password Form
TOTP Configured? <- Alternative
OTP Form <- Optional
No, SMS then <- Alternative
SMS Auth <- Optional
As you can guess, I want SMS auth to trigger if OTP is not configured.
At the moment it seem that if OTP isn't configured, the OTP Form is skipped
and authentication is successful and SMS is skipped. Is there a way to
tell keycloak the if OTP is not configured then the 'TOTP Configured?'
execution flow has failed, so the 'No, SMS then' execution flow is actioned?
Thanks,
Stuart.
6 years, 9 months
Obtaining JWT of a User
by İlhan Subaşı
As admin of a Keycloak server, can I obtain access-token of a particular
user without knowing his password? Unfortunately impersonation doesn't
help me because it does not contain neither his id nor his username.
6 years, 9 months
Unable to set relative redirect URIs
by Guy Marom
Hello,
If I understand the docs correctly defining a client like this should work:
[image: image.png]
For me it doesn't, unless I actually set the Root URL to the domain name.
Using Keycloak 4.6.0
Thanks
6 years, 9 months
Support multiple authentication in a single war
by Kavis Pandey
Hi,
We have JSP+Servlet application (running on wildfly-10) that is
configured with Keycloak using keycloak-wildfly adapter. We have used
multi-tenancy feature of Keycloak and create the Keycloak Deployment
object during runtime by implementing KeycloakConfigResolver. That
works fine.
Now we have a requirement where our application needs to fall-back to
FORM based authentication instead of Keycloak based on certain
conditions. So basically we need to support multiple authentication
mechanisms during runtime (BASIC + KEYCLOAK)
Is it possible ?
Thanks in advance,
Kavis
6 years, 10 months
Password Policy Question
by Dmitriy
Is there a way to customize password from within a realm?
For example, if i have some users that have O365 accounts linked in
keycloak with external IDP & have their own password rotation policies. I
do not want to prompt such users to change the password. While keycloak
manages accounts for those users that do not have O365 account & I would
like to enforce policy in those instances.
Any ideas would be appreciated.
Thank you
6 years, 10 months
Creating a Keycloak Admin Client without a Password
by Chris Smith
Use case
* The realm is federated with Active Directory
* An end user creates him or herself using the standard out of the box kc self-service support
* The only app they access is an web app for completing their registration.
* This web app server (Tomcat) is running as a Active Directory Domain Admin.
* This active directory Domain Admin is also a Realm Admin in Keycloak
* All the info needed about the end user to complete their registration is available as odic claims and values entered by the user in the web app
* The web app uses the Keycloak Admin Client to complete the user setup.
* The Keycloak Admin Client is currently instantiated with an embedded the userid and password for the Realm Admin
I really do not like having the AD Domain Admin user and password embedded in the web app.
The same AD Admin user is configured into the KC AD LDAP/Kerberos federation with a Kerberos keytab file.
Can the Keycloak Admin Client be instantiated from the AD Domain Admin running the Web App?
Any AD experts have any recommendation about what are the minimum AD admin rights needed for the ad User running the Web App server and AD LDAP/Kerberos federation?
6 years, 10 months
Updating an email address of an account
by Manuel Baumann
Hi all
I am new to this list but have some experience with Keycloak and am
looking for a solution of the following problem:
Let's assume there is a user account with email and password and
he/she also uses that account to login and then access our
application.
Now we want to allow the user to modify its email address.
I saw this use case implemented in other products. There it would send
an email to the old address to verify the change (this step is not
required in our case) and then send an email to the new email address
with a verification link. Only when the link in the second email is
clicked, the email is updated.
What I managed to do so far is to update a users email, setting it to
not verified and triggering the "send-verify-email" action all via
admin REST interface.
However my approach has the con that the entered email address is
updated on the user whether it was verified or not, which makes a user
who did not finish the email update (by verifying it) unable to login
with the currently active credentials (email, password) anymore since
the email was updated.
Hopefully there is another way to achieve that and any hints are appreciated.
Best regards
Manuel
6 years, 10 months
OpenID Connect Dynamic Client Registration - Grant Types
by Buddhika Karunatilleke
Hi all,
I'm using the dynamic client registration endpoint with openid-connect
built-in provider. However, when I'm creating a client by selecting only
"client-credentials" grant type, Keycloak creates the client with both
"authorization-code" and "client-credentials" grant types.
*Request: *
curl -H"Authorization: Bearer XXX '
https://XXX.com/auth/realms/Test/clients-registrations/openid-connect' -d
'{ "clientId": "test-client-1", "grant_types":[*"client_credentials"*] }' -v
*Grant types in the response from Keycloak:*
"grant_types":[*"authorization_code"*,"client_credentials","refresh_token"]
Can someone help me understand as to why Keycloak adds the
"authorization-code" grant type in addition to the provided grant type
which is "client-credentials"?
Thanks and regards,
Buddhika.
6 years, 10 months
Custom GET parameters in the registration page
by İlhan Subaşı
Is it possible to have custom GET parameters in the url of the
registration page? I wrote a JavaScript to auto fill a field in the
registration page that gets its value from the GET url. My issue is that
when I add a custom parameter to the url Keycloak redirects the
registration page to the same page without my custom parameter, as a
result I cannot autofill the form field from the url.
6 years, 10 months
Plain-text vault
by Hynek Mlnarik
Recently, vault capability has been introduced recently in Keycloak
(master) with an out-of-the-box implementation that is basically providing
secrets in the same format as if mounting secrets volume within Kubernetes
[1]. Now there have been considerations regarding name and storage layout
which I would like to gather feedback on.
The questions are the following ones. Both have arguments for the current
implementation explained below:
1. Is there any better way of storing the credentials?
2. Is there a better name for the OOTB implementation?
Storage layout:
The aim: The plain text vault implementation respects realm to prevent
leaking a secret used in one vault into another realm. The implementation
also accounts for Kubernetes secret keys naming restrictions [1] which are
only consisting of alphanumeric characters, ‘-’, ‘_’ or ‘.’. Note that
forward slash is not among allowed characters.
Since the vault adheres to the same format as provided by Kubernetes
secrets volume, it also limits the file possible names for easy usage.
While kubernetes support exposing the secret keys as files in various
subdirectories of the mount directory, the default way of providing secrets
is via flat file structure (no subdirectories). To achieve structure where
secret would be looked up in a file with a given key within a realm
directory (i.e. realm_name/secret_key), every secret would have to be
accompanied with "path" specification which is not particularly user
friendly.
Having kubernetes secrets per realm and mounting them into separate
directories could be an option, however that limits the ability to easily
add a new realm because the Pod definition would need to change with every
new realm to incorporate the new volume, and the whole deployment restarted
to reflect the changes. Alternatively, secrets for all realms could be
mounted into a single directory and "path" would be defined for every
secret as described above - but that is error-prone as well.
Thus the implementation where realm name and secret key would be separated
by a single underscore, and to prevent ambiguity, every underscore within
the either realm name and secret keys would be doubled. In other words, to
get secret called "some-secret" or "other_secret" from vault from within
realm called "realm-1" or "other_realm", the files would be called
"realm-1_some-secret" and "other__realm_other__secret", respectively. This
is clearly readable in the former case but may be error-prone in the latter.
Name:
The SPI name was chosen to be "plaintext" since the secrets are stored
openly in the files. Perhaps there is a better name? "kubernetes"? Any
other suggestion or +1 or -1 with arguments to the alternatives are welcome.
I would love to hear your opinion on the two questions.
[Apologies for cross-posting, this can gain valuable feedback from both
devs and users though]
--Hynek
[1] https://kubernetes.io/docs/concepts/configuration/secret/
6 years, 10 months
Automatic Client registration: Assign roles to service account
by Pavel Micka
Hello,
We are currently trying to use client registration policy, so our services can register themselves in Keycloak. The registration itself works perfectly, but we have one (big) issue: we do not know, how to assign roles to the associated service account in the ClientRepresentation (as without roles for the client, the registration is a bit useless for us).
Is there any way, how to assign roles (client roles of other services in our case) to service account during automatic registration? Or do we need an admin account to do that.
Thanks,
Pavel
6 years, 10 months
Re: [keycloak-user] How to create a Validation Flow to Registration Form using Authentication SPI?
by Celso Agra
Hi Cezary,
Unfortunately, I didn't get any progress in this flow.
So I decided to create a separated service to store some info about of my
users.
My webservice receives a request with some data about user, such as name,
documents, password, etc... Part of this information is sent to Keycloak,
and some of it, is is stored in my app. The registration flows procceds
normally (send confirmation e-mail and so on), but registration and updates
are made by my app.
Kind regards,
Celso Agra
Em qua, 18 de set de 2019 às 08:22, Cezary Skura <cskura(a)mobiquityinc.com>
escreveu:
> Good afternoon Sir,
>
> Did You solve your problem with registration flow (validate the username).
>
> Kind regards
> Cezary Skura
>
--
---
*Celso Agra*
6 years, 10 months
support for local user account
by Alex Rozenberg
Hello,
Does Keycloak support authentication of local Windows users (not part of LDAP or Active Directory)?
Thank you in advance,
Alex Rozenberg
6 years, 10 months
Gatekeeper failing to proxy a redirect link
by Nick Powers
I am using keycloak and gatekeeper to authenticate my web app against
Google. Everything seems to work fine, with regular links, but if I
redirect the user to a page within my web app gatekeeper exposes the
internal URL rather than proxying the data.
I'm using the following to redirect the user, via PHP:
< ?php header("Location: https://commentcontext.com/protected/dashboard"); ?>
But instead of being sent through gatekeeper to that URL it tries to send
the user to https://webapp/protected/dashboard which is the internal URL of
my webapp and of course webapp doesn't resolve in DNS so it fails.
Why is this happening? Is it a known issue? Is there a workaround?
Thanks!!!
Nick
6 years, 10 months
app-authz-photoz: error 403
by Alex Rozenberg
Hello,
I'm new to Keycloak and trying to follow the example in the keycloak-quickstarts: app-authz-photoz
I've got photoz-html5-client and restful-api built using the instruction in the Readme file.
After I login using the specified credentials (alice or admin) I get error 403:
You can not access or perform the requested operation on this resource
Profile page does not display the name and I cannot create albums.
Any clues or tips are greatly appreciated.
Thank you in advance,
Alex Rozenberg
Project Engineer, Software
[RA_Logo_Left_Bug_4C]
arozenb(a)ra.rockwell.com<mailto:arozenb@ra.rockwell.com>
6 years, 10 months