[keycloak-user] Installing keycloak behind IIS to secure a WildFly app

I had success installing keycloak locally and securing a local WildFly application running locally. I log in, WildFly hands me off to keycloak and Keycloak passes me back and the app kicks off. However when I run outside of the local network I can have WildFly pass me to Keycloak but after I provide valid credentials I do not get passed back. I'm running behind IIS and use URL rerouting (https externally to http internally). I've installed SSL for IIS but have not installed keycloak to run using SSL. Is it required that keycloak run under its own SSL configuration (instead of using the SSL I installed for IIS?). If so can I use the same certificate I installed for IIS? And does my WildFly app need to run under its own SSL setup in order for Keycloak to be able to handshake with it? This is new territory for me so I apologize if my questions don't make sense. But if anyone has this scenario I would appreciate knowing which path I should be going down. Thanks. Steve -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of keycloak-user-request(a)lists.jboss.org Sent: Friday, April 7, 2017 6:38 AM To: keycloak-user(a)lists.jboss.org Subject: keycloak-user Digest, Vol 40, Issue 10 Send keycloak-user mailing list submissions to keycloak-user(a)lists.jboss.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.jboss.org/mailman/listinfo/keycloak-user or, via email, send a message with subject or body 'help' to keycloak-user-request(a)lists.jboss.org You can reach the person managing the list at keycloak-user-owner(a)lists.jboss.org When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-user digest..." Today's Topics: 1. How to mock LDAP user login with expired password (Adrian Madaras) 2. 401 for spring security adapter + spring boot + long session (Aritz Maeztu) 3. Using the nodejs-connect adapter without a logout route (Jonathan Little) 4. Creating group mappers for ldap (Sumit Das) 5. Re: [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in (Jacobs, Michael) 6. Parametric Client Configuration (matteo restelli) 7. (no subject) (JiJesH V U) ---------------------------------------------------------------------- Message: 1 Date: Thu, 6 Apr 2017 14:17:51 +0000 (UTC) From: Adrian Madaras <madaras_adrian(a)yahoo.com&gt; Subject: [keycloak-user] How to mock LDAP user login with expired password To: &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Message-ID: <835449372.1172754.1491488271883(a)mail.yahoo.com&gt; Content-Type: text/plain; charset=UTF-8 Hi everyone, I know that showing a message if the user's password is expired is a security breach but I need this for my development purposes. I've manage to implement this in the LDAPStorageProvider.java using Thread.local and then sending the appropriate message to the front end in the AbstractUsernameFormAuthenticator.java class. Everything is fine and dandy but I want to write an integration test to check if everything works as it should. The problem is I don't know how to mock a LDAP user that has an expired password. I've search google but no answer. Can someone help me? Thanks, Adrian ------------------------------ Message: 2 Date: Thu, 6 Apr 2017 18:22:43 +0200 From: Aritz Maeztu <amaeztu(a)tesicnor.com&gt; Subject: [keycloak-user] 401 for spring security adapter + spring boot + long session To: keycloak-user <keycloak-user(a)lists.jboss.org&gt; Message-ID: <91ce51df-90bf-f9f7-e0ce-30e6013baf8b(a)tesicnor.com&gt; Content-Type: text/plain; charset=windows-1252; format=flowed I have an application where I want its users to be able to keep logged in during long time (about one year before the session ends). I'm using Spring Boot + Spring security and the keycloak Spring security adapter (2.5.4 final). The keycloak server is 2.2.1. What I've done: Set up the realm to permit long lived sessions: Session Idle: 365 days Session max: 365 days Offline session idle: 30 days Access token lifespan: 1 Minute Lifespan for implicit flow: 365 days Then, in my application (single server and single keycloak client, confidential access type) I set up this environment variable: server.session-timeout: 525600 Then in my front-end I've got AngularJs integrated, works as a Single page application and performs some routing without refreshing the whole page. My problem: When I leave the application idle (for around 30 minutes), after performing some request to any rest endpoint, I get 401 code. The application works again when I press F5 and refresh the page. The problem is only related when I access the REST endpoints while I don't request the whole page again. Am I missing something? -- Aritz Maeztu Ota?o Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretar?a: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. ------------------------------ Message: 3 Date: Thu, 6 Apr 2017 11:49:34 -0700 From: Jonathan Little <rationull(a)gmail.com&gt; Subject: [keycloak-user] Using the nodejs-connect adapter without a logout route To: keycloak-user(a)lists.jboss.org Message-ID: <CALLLnfX_3w3NLNNxpsvpXmD3fupday9+-KvyOKnroyhewgqsdw(a)mail.gmail.com&gt; Content-Type: text/plain; charset=UTF-8 The nodejs-connect adapter's middleware() function includes automatic setup of a logout route which redirects to the keycloak server to logout the authenticated user. The relative path to the logout route is customizable via the options object, but there is no specified way to opt out of the logout route. Looking at logout.js in the source I can see that passing something which will never resolve as equal to request.url would result in the logout route always being skipped, which is workable but is a hack. I'm looking at using this for a backend service which will not do user login/logout management at all but will only be doing checks for authorization details. I don't see a need for logout functionality on such a service. I can see three possibilities: 1) I'm looking at this the wrong way, and I actually do want logout functionality for some reason. 2) I'm looking at it the right way, and the aforementioned hack is the "normal" way to do it, but undocumented. 3) There's a feature request hiding here for a config option on middleware() to opt out of the logout middleware. (3) seems most plausible to me at this point but I don't want to jump into feature request mode with an incomplete understanding of the situation. Any opinions? ------------------------------ Message: 4 Date: Fri, 7 Apr 2017 00:38:12 +0530 From: Sumit Das <sumitdas66(a)gmail.com&gt; Subject: [keycloak-user] Creating group mappers for ldap To: keycloak-user(a)lists.jboss.org Message-ID: <CAOYE8NEM5NdMMpFRSyjGRUpDy5Pm+4wSSX7DkrnnLpFfFfeqDw(a)mail.gmail.com&gt; Content-Type: text/plain; charset=UTF-8 Hi We are using Keycloak 2.5.4. We are trying to create custom group mappers for ldap by creating a Myfactory.class which extends AbstractLdapStorageMapperFactory and tge implementation of the mapper as MyMapperLdapProvider which extends AbstractLdapStorageMapper. We have followed the documentation provided on the Keycloak for deployment of jar and implementation of the mapper. Once done in providers or deploy folder we do not see our custom mapper in the drop down of the mapper section of user federation provider. We are not sure whether we are following the right approach or right design to create the mapper. Please help us to indentify where we are doing wrong. Any suggestions or direction is highly appreciated. Regards Sumit ------------------------------ Message: 5 Date: Fri, 7 Apr 2017 00:34:05 +0000 From: "Jacobs, Michael" <Michael.Jacobs(a)nuance.com&gt; Subject: Re: [keycloak-user] [EXTERNAL] Re: Overriding AssertionConsumerServiceURL in To: &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Message-ID: <BN6PR05MB2964114EDDF4239B0C29A99BF80C0(a)BN6PR05MB2964.namprd05.prod.outlook.com&gt; Content-Type: text/plain; charset="utf-8" I solved this by making my own identity provider SPI that extends from SAMLIdentityProvider, but adds this feature, taking the override from the standalone.xml I will try to do something similar with the Email Template SPI. From: Jacobs, Michael [mailto:michael_jacobs@nuance.com] Sent: Wednesday, April 05, 2017 8:32 AM To: Bill Burke <bburke(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [EXTERNAL] Re: [keycloak-user] Overriding AssertionConsumerServiceURL in So what you are saying is that Keycloak, acting as an SP, will send this URL to the IDp, but the IDp can choose not to use it, and just send responses to our F5? Also, re: the second part of my question, can anything be done about the password reset URL, to have those target our F5? Thanks for you help with this, MJ On Apr 5, 2017 8:01 AM, Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>> wrote: The SP can send ACS URL, this URL will only be used if it is validated against the Redirect URI patterns that are registered in the configuration of the client. Does that answer your question? On 4/4/17 6:07 PM, Jacobs, Michael wrote: _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail... ------------------------------ Message: 6 Date: Fri, 7 Apr 2017 12:24:01 +0200 From: matteo restelli <teoreste(a)gmail.com&gt; Subject: [keycloak-user] Parametric Client Configuration To: &quot;keycloak-user(a)lists.jboss.org&quot; <keycloak-user(a)lists.jboss.org&gt; Message-ID: <CABZhS3y4y55-fKbLktUBZUgKmOQ2=K6WdwzESgoBL_z9VQOg3g(a)mail.gmail.com&gt; Content-Type: text/plain; charset=UTF-8 Hi all, is it possible to make client urls parametric? I mean, is it possible to set environmental variables and reference them inside the client configuration panel? Thank you in advance, Matteo ------------------------------ Message: 7 Date: Fri, 7 Apr 2017 16:08:11 +0530 From: JiJesH V U <jijeshvu07(a)gmail.com&gt; Subject: [keycloak-user] (no subject) To: keycloak-user(a)lists.jboss.org Message-ID: <CAAbhGsASrH=xa5dUWh4X8XEC_5+ampbN-+nL=9iN-q0ECAmH6g(a)mail.gmail.com&gt; Content-Type: text/plain; charset=UTF-8 I have these 2 keycloak configurations for per app role mapping.I have configured the role per app and assigned to the user. When I remove a particular role from app1 it can login. This does not happen.What I'm doing wrong here. regards, jijesh v u mob: +91 9037329817 ------------------------------ _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user End of keycloak-user Digest, Vol 40, Issue 10 *********************************************