Dear list,
I need to access static html views of our documentation server after
authenticating users using keycloak.
The html views are available at
http://documentation:8090/view/department1
http://documentation:8090/view/department2
http://documentation:8090/view/department3
...
My idea was to use the keycloak proxy as follows:
keycloak-proxy:8081 for department1
keycloak-proxy:8082 for department2
keycloak-proxy:8083 for department3
...
BUT I would like my users to see only keycloak_proxy:8081 not the
following path, while they get the information of the respective path. Can
I do this with keycloak proxy and which settings would I need?
As a next step I need to add a proxy for Internet users to access the
keycloak-proxy, to hide even the "keycloak-proxy:PORT".
My current proxy_department1.json is this (obviously without any path
mappings):
-begin-----------------------------------------------------------------------
{
  "target-url": "http://documentation:8090",
  "bind-address": "0.0.0.0",
  "http-port": "8081",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "Manuals",
        "auth-server-url": "http://keycloak-proxy:8080/auth",
        "ssl-required": "none",
        "resource": "keycloak-proxy",
        "credentials": {"secret": "1234"},
        "use-resource-role-mappings": false,
        "confidential-port": 0
      },
      "constraints": [
        {
          "pattern": "*",
          "roles-allowed": ["manuals_user"]
        },
        {
          "pattern": "/view/manuals/*",
          "roles-allowed": ["manuals_user"]
        }
      ]
    }
  ]
}
-end-----------------------------------------------------------------------
Thank you & kind regards
Kevin Walsh
IT Software Development | Documentation
Phone: +49 201 8676 932
Fax: +49 201 8676 49932
Mobil: +49 177 6664666
kevin_walsh(a)deichmann.com
From: keycloak-user-request(a)lists.jboss.org
To: keycloak-user(a)lists.jboss.org
Date: 24.01.2018 14:26
Subject: keycloak-user Digest, Vol 49, Issue 49 <Virus checked>
Sent by: keycloak-user-bounces(a)lists.jboss.org
Send keycloak-user mailing list submissions to
keycloak-user(a)lists.jboss.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
keycloak-user-request(a)lists.jboss.org
You can reach the person managing the list at
keycloak-user-owner(a)lists.jboss.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-user digest..."
Today's Topics:
1. Re: Possibility to set new Provider in authentication flow for non-unique usernames (Dominik Guhr)
2. Re: Validate User Credentials Without Creating a Session (Marek Posolda)
3. Re: DB changes not refreshing on cluster nodes. (Marek Posolda)
4. Re: DB changes not refreshing on cluster nodes. (Angel Abella)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Jan 2018 12:52:58 +0100
From: Dominik Guhr <pinguwien(a)gmail.com>
Subject: Re: [keycloak-user] Possibility to set new Provider in
authentication flow for non-unique usernames
To: keycloak-user(a)lists.jboss.org
Message-ID: <43b5c623-a20c-0c17-fab3-bd7d19f126d7(a)gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
p.s. one provider uses Kerberos for Authentication, other does not.
On 24.01.18 at 12:51, Dominik Guhr wrote:
So, further investigation notes:
I think I should call the Provider like it's done here:
https://github.com/keycloak/keycloak/blob/master/examples/providers/user-...
in the create method, which allows me to call the corresponding
isValid(...) method of the required providers and only set the boolean
return value of validatePassword to false if the credentials don't
match in any of the providers.
But to call this for ldap-providers set by admin interface, I need two
things:
a) a ComponentModel.
Concrete Question: Anyone knows how to get the right ComponentModel
instance to use from my AuthenticationFlowContext of
AbstractUsernameFormAuthenticator.java? I've seen that it's possible to
get a List of ComponentModels by calling
context.getRealm().getComponents(), or by getComponent(String s), but I
don't know which String would be the valid parameter or which Model I
should take out of the List.
b) the lookup-path.
Concrete question 2: Anyone knows how to get it from the internally used
Factories or something?
My Providers are 2 ldap directories which I want to iterate over for the
username.
Thanks in advance!
Best regards,
Dominik
On 24.01.18 at 09:27, Dominik Guhr wrote:
> Hi everyone,
>
> I'm implementing an authentication SPI execution on top of the
> "normal" username/password form of kc 3.4.3.Final. ->
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
>
>
> Sadly, usernames are not unique atm, so I need to change the
> execution, so that it doesn't stop with "invalid credentials" for a
> user who was found in one Provider.
>
> Instead of giving the "invalid credentials"-error, I want my execution
> to first check all other providers for the same username, and then
> check the credentials against all matches. And just in case of no
> credentials matching, it should fail, or login a new session for this
> user when one is found in any of my (3) Providers, which are added by
> user federation feature (2 ADs, one by a custom user storage SPI).
>
> So I drilled it down to the method validatePassword(...) in
> AbstractUsernameFormAuthenticator.java ->
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
> line 191, which I want to change accordingly. Sadly, I can't find a
> method to get all Providers of the realm and check accordingly. The
> code I want to change is:
>
> if (password != null && !password.isEmpty() &&
>     context.getSession().userCredentialManager().isValid(context.getRealm(),
>         user, credentials)) {
>     return true;
> } else {...}
>
> instead of just checking isValid() for one provider, which is what
> this does atm, I want to check all Providers. Like this pseudocode:
>
> if (password != null && !password.isEmpty() &&
>     context.getSession().userCredentialManager().isValid(context.getRealm(),
>         user, credentials)) {
>     boolean isValid = false;
>     List<Provider> realmProviders = context.getAllProviders();
>     for (Provider provider : realmProviders) {
>         isValid = provider.isValid(...);
>     }
>     return isValid;
> } else {...}
> Could anyone perhaps give me a hint in how to achieve this? I haven't
> found a method yet to get all Providers and check for isValid in any
> of the given ones.
>
> Best regards,
> Dominik
>
> p.s. I created a stackoverflow question here:
>
> https://stackoverflow.com/questions/48399622/keycloak-check-password-in-m...
> feel free to comment/answer there :)
------------------------------
Message: 2
Date: Wed, 24 Jan 2018 13:59:05 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] Validate User Credentials Without
Creating a Session
To: Scott Finlay <scott.finlay(a)sixt.com>,
"keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Message-ID: <97c207c9-6f96-bd7c-b37f-27449b0b033a(a)redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi Scott,
it's not available OOTB, but you can add your own REST endpoint to
verify username/password. Or alternatively you can just do directGrant
login (OAuth2 Resource Owner Password Credentials Grant) and then logout
session.
Marek
On 23/01/18 09:49, Scott Finlay wrote:
Hi,
We're currently using Keycloak 2.5.5.Final, and in this version it's not
possible to validate a user's credentials (username / password combination)
without actually logging the user in, which results in a session (and our
sessions are long-lived). Is there any new functionality introduced in the
later versions of Keycloak to validate the credentials without actually
logging the user in?
Our use-case is that we have very long-lived tokens, but we want to require
the user to re-enter his/her password in order to perform certain sensitive
tasks such as changing the password or username.
If such functionality is not available, would it be possible to add this?
Regards,
Scott
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
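The second option Marek describes (a direct grant followed by an immediate logout), as an added example that is not part of this thread and not Keycloak's own code. The script posts the OAuth2 Resource Owner Password Credentials grant to the realm's token endpoint; a 200 means the password is correct, and the refresh token from that answer is then posted to the logout endpoint so the re-authentication check leaves no long-lived session behind. Assumed: Keycloak's `/realms/{realm}/protocol/openid-connect/token` and `.../logout` paths under the base URL, a confidential client with "Direct Access Grants" enabled (the realm `Manuals`, client `keycloak-proxy` and secret `1234` are taken from the proxy configuration posted at the top of this mail), and the `FakeKeycloak` stand-in, which is constructed here so the script runs offline.

```python
"""Re-authentication check via the OAuth2 Resource Owner Password Credentials
grant, followed by an immediate logout of the session Keycloak creates.

Added example for this thread, not Keycloak's own code. Assumed: Keycloak's
/realms/{realm}/protocol/openid-connect/{token,logout} paths under the base
URL, and a confidential client (client_id + client_secret) with direct access
grants enabled."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport posts an application/x-www-form-urlencoded body and returns
# (http_status, response_body). It is injected so the check runs offline too.
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(url: str, fields: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP POST using only the standard library."""
    body = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, response.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON error body
        return err.code, err.read().decode()


def token_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def logout_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/logout"


def verify_password(base_url: str, realm: str, client_id: str, client_secret: str,
                    username: str, password: str,
                    transport: Transport = urllib_transport) -> Dict[str, object]:
    """Return {"verified": bool, "logout_status": int | None}.

    verified is True only when the token endpoint answers 200 to a password
    grant. Every other status (401 invalid_grant for a wrong password, 400 for
    a disabled account, ...) is reported uniformly as not verified so the
    caller does not leak why the check failed. On success the refresh token is
    posted to the logout endpoint so no long-lived session is left behind.
    """
    status, body = transport(token_endpoint(base_url, realm), {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })
    if status != 200:
        return {"verified": False, "logout_status": None}
    refresh_token = json.loads(body).get("refresh_token")
    logout_status: Optional[int] = None
    if refresh_token:
        logout_status, _ = transport(logout_endpoint(base_url, realm), {
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": refresh_token,
        })
    return {"verified": True, "logout_status": logout_status}


class FakeKeycloak:
    """Constructed offline stand-in for the two endpoints; records every call."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users  # username -> password (constructed sample data)
        self.calls: List[Tuple[str, Dict[str, str]]] = []

    def __call__(self, url: str, fields: Dict[str, str]) -> Tuple[int, str]:
        self.calls.append((url, fields))
        if url.endswith("/protocol/openid-connect/token"):
            if (fields.get("grant_type") == "password"
                    and self.users.get(fields.get("username", "")) == fields.get("password")):
                return 200, json.dumps({"access_token": "constructed-access-token",
                                        "refresh_token": "constructed-refresh-token"})
            return 401, json.dumps({"error": "invalid_grant",
                                    "error_description": "Invalid user credentials"})
        if url.endswith("/protocol/openid-connect/logout"):
            return 204, ""  # Keycloak answers 204 No Content on a successful logout
        return 404, ""


if __name__ == "__main__":
    # Realm, client id and secret are the values from the proxy config posted above.
    fake = FakeKeycloak({"alice": "correct-horse"})
    print(verify_password("http://keycloak-proxy:8080/auth", "Manuals", "keycloak-proxy",
                          "1234", "alice", "correct-horse", transport=fake))
    print(verify_password("http://keycloak-proxy:8080/auth", "Manuals", "keycloak-proxy",
                          "1234", "alice", "wrong", transport=fake))
```

Against a real server, drop the `transport=` argument so `urllib_transport` is used. Because the password grant does create a session, the logout call is the part that matters for Scott's concern about long-lived sessions; if it fails, treat the check as verified but log the leftover session, and keep this client separate from the ones that issue the application's real tokens.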
------------------------------
Message: 3
Date: Wed, 24 Jan 2018 14:00:56 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster
nodes.
To: Angel Abella <aabella(a)bkool.com>, keycloak-user(a)lists.jboss.org
Message-ID: <f29aac0f-e038-b725-9e81-68bfe0fb3f2d(a)redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
I guess your cluster is not correctly setup, hence the node doesn't
correctly propagate invalidation event to the other nodes and those
nodes still see the stale entries in their cache. See Keycloak
clustering documentation for more details how to setup/troubleshoot it.
Marek
On 23/01/18 13:01, Angel Abella wrote:
Hello list!
We are experiencing some problems with our standalone-ha setup of Keycloak
2.4.0.
Everything works as expected except when a user changes a password or is
added or removed from a group. When this happens the node making the change
is aware of it, but the other one does not until it is restarted.
Any idea of what is going on?
------------------------------
Message: 4
Date: Wed, 24 Jan 2018 14:16:14 +0100
From: Angel Abella <aabella(a)bkool.com>
Subject: Re: [keycloak-user] DB changes not refreshing on cluster
nodes.
To: Marek Posolda <mposolda(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Message-ID:
<CAAGXFYyqzqsR7Hs5+ZdOM2N5-VuPdurMdvsDx58LFrJg5Q8oow(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
I've revised docs but everything seems to be ok.
I am attaching the configuration file just in case someone can see what
I'm
missing.
2018-01-24 14:00 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
I guess your cluster is not correctly setup, hence the node doesn't
correctly propagate invalidation event to the other nodes and those nodes
still see the stale entries in their cache. See Keycloak clustering
documentation for more details how to setup/troubleshoot it.
Marek
On 23/01/18 13:01, Angel Abella wrote:
> Hello list!
>
> We are experiencing some problems with our standalone-ha setup of Keycloak
> 2.4.0.
> Everything works as expected except when a user changes a password or is
> added or removed from a group. When this happens the node making the change
> is aware of it, but the other one does not until it is restarted.
>
> Any idea of what is going on?
--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella(a)bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-ha.xml
Type: text/xml
Size: 30861 bytes
Desc: not available
Url :
http://lists.jboss.org/pipermail/keycloak-user/attachments/20180124/c4443...
------------------------------
End of keycloak-user Digest, Vol 49, Issue 49
*********************************************