From john.d.ament at gmail.com Sun Oct 1 09:48:07 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Sun, 01 Oct 2017 13:48:07 +0000
Subject: [keycloak-user] Overriding Cookie Paths

Ping? I've written up some thoughts, and willing to raise a PR against https://issues.jboss.org/browse/KEYCLOAK-5582

John

On Wed, Sep 6, 2017 at 7:24 PM John D. Ament wrote:
> Hi,
>
> I noticed in OAuthRequestAuthenticator that the cookie path being set is to null. From what I can tell, this means in most containers if my first release is to /foo/bar/baz/bar that the path saved to the cookie is "/foo/bar/baz". This is typically not an issue, however I have a legacy app I'm trying to integrate with Keycloak, so the cookie state is very important. By setting the path to a low level when I later access /foo/home.xhtml it causes the cookie to not get populated (which causes a 400 bad request later on).
>
> I'm wondering, does it make sense to add something to KeycloakDeployment that lists the cookie path, defaulting to null if it's not set.
>
> John

From rsoares at redhat.com Sun Oct 1 17:09:51 2017
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Sun, 1 Oct 2017 18:09:51 -0300
Subject: [keycloak-user] Good presentation to understand UMA spec

I've found very good (and funny) presentation slides explaining how the UMA spec works...

https://www.slideshare.net/Identiverse/introducing-uma-20-cis-2017

It's really a good reference if you want to understand how UMA works!

Would be nice to have that presentation referenced on Keycloak's Authorization Services guide pages [1]

[1] http://www.keycloak.org/docs/3.3/authorization_services/topics/overview/terminology.html

-- Rafael T. C.
Soares
Solution Architect
Red Hat Brazil
rsoares at redhat.com
M: +55-71-99616-9145 T: +55-11-3529-6096
Twitter: @redhatnews | LinkedIn: linkedin.com/company/red-hat | Facebook: facebook.com/RedHatInc

From kilaka at gmail.com Mon Oct 2 01:01:47 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 08:01:47 +0300
Subject: [keycloak-user] What should the endpoint be for a Keycloak IDP initiated SSO?

Hi.

I managed to run the saml-broker-authentication example.

SP initiated SSO works OK.

What should the IDP initiated SSO URL be?

* I also posted the question in SO: https://stackoverflow.com/questions/46423301/what-should-the-endpoint-be-for-a-keycloak-idp-initiated-sso

Thanks.

From kilaka at gmail.com Mon Oct 2 01:06:08 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 08:06:08 +0300
Subject: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?

Hi.

In Keycloak's account-linking documentation, there's a code snippet:

    KeycloakSecurityContext session = (KeycloakSecurityContext) httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());

Why would the KeycloakSecurityContext be set in the httpServletRequest? Where should this code run? In what context?

Thanks.

* Also posted the question in SO: https://stackoverflow.com/questions/46409356/how-do-i-get-keycloaksecuritycontext-to-be-set-in-the-httpservletrequest-in-keyc

From kilaka at gmail.com Mon Oct 2 01:08:30 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 08:08:30 +0300
Subject: [keycloak-user] How to connect to Keycloak as SP without defining a client?

Hi.

Running the saml-broker-authentication example, a client was configured on the SP realm (saml-broker-authentication-realm). See screencap below. In the example, the authentication is done using the javascript keycloak library (using openid).
*Is there a way to initiate a login (sso) to an IDP through Keycloak as SP without the need to authenticate the client?*

In pingfederate there is an option to call the SP without authentication. Example: https:///sp/startSSO.ping?PartnerIdpId=&TargetResource=

[image: enter image description here]

* Also posted the question in SO: https://stackoverflow.com/questions/46420512/how-to-connect-to-keycloak-as-sp-without-defining-a-client

Thanks.

From kilaka at gmail.com Mon Oct 2 01:11:31 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 08:11:31 +0300
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

In Keycloak's documentation, it's stated that in order to deploy the provider, I can

    copy your provider jar to the Keycloak deploy/ directory, your provider will automatically be deployed.

I'm indeed searching for a simple copy-paste way to deploy a provider without CLI nor through maven.

The problem is that I can't find any /deploy folder in keycloak's server :(

Below is the result for searching files/folders with the word deploy.

*Any idea how to simply deploy an SPI project into Keycloak?*

Thanks.

* Also posted the question in SO: https://stackoverflow.com/questions/46410244/how-to-deploy-a-keycloaks-spi-project-using-the-keycloak-deployer-deploy

[image: enter image description here]

From kilaka at gmail.com Mon Oct 2 01:21:55 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 08:21:55 +0300
Subject: [keycloak-user] How to bypass Keycloak login form and jump directly to the IDP login?

Hi.

I'm running the saml-broker-authentication example. The first thing that I see in the UI is a user/pass form with an option to use a broker (image below). Is there a way to skip this form and go straight to the IDP?
After clicking on one of the IDPs, I get a URL of the sort: http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication&code=

I tried using the following url (without the code) directly but got an error. (http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication)

*Any idea how to bypass Keycloak auth and directly go to the IDP through the SP (broker)?*

Thanks.

*UPDATE:* My TL found a static solution to put the IDP ID in the browser's authentication flow under the Identity Provider Redirector execution. BUT, we're trying to find a dynamic way to do it. Looked at the kc_idp_hint documentation but couldn't find a way to make the saml-broker-authentication example work with it :(

* Posted the question also on SO: https://stackoverflow.com/questions/46390571/how-to-bypass-keycloak-login-form-and-jump-directly-to-the-idp-login

[image: enter image description here]

From hmlnarik at redhat.com Mon Oct 2 02:31:24 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 2 Oct 2017 08:31:24 +0200
Subject: [keycloak-user] Fwd: What should the endpoint be for a Keycloak IDP initiated SSO?

See http://www.keycloak.org/docs/latest/server_admin/topics/clients/saml/idp-initiated-login.html:

In the Settings tab for your client, you need to specify the IDP Initiated SSO URL Name. This is a simple string with no whitespace in it. After this you can reference your client at the following URL: root/auth/realms/{realm}/protocol/saml/clients/{url-name}

--Hynek

On Mon, Oct 2, 2017 at 7:01 AM, Alik Elzin wrote:
> [...]
--Hynek

From herbert.muehlburger at bearingpoint.com Mon Oct 2 03:12:59 2017
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert)
Date: Mon, 2 Oct 2017 07:12:59 +0000
Subject: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?
Message-ID: <1506928379844.74907@bearingpoint.com>

Hi,

Given that request is an instance of HttpServletRequest you can access the security context like that

    KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) request.getUserPrincipal();

If there is a refresh token and you need access to that:

    RefreshableKeycloakSecurityContext session =
            (RefreshableKeycloakSecurityContext) token.getAccount().getKeycloakSecurityContext();

If there is no refresh token and you only want to access the other token:

    KeycloakSecurityContext context = token.getAccount().getKeycloakSecurityContext();

Here is an example on how to get the access and id token:

    KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) request.getUserPrincipal();
    RefreshableKeycloakSecurityContext session =
            (RefreshableKeycloakSecurityContext) token.getAccount().getKeycloakSecurityContext();

    String accessTokenPretty = JsonSerialization.writeValueAsPrettyString(session.getToken());
    String idTokenPretty = JsonSerialization.writeValueAsPrettyString(session.getIdToken());

In order to also get the refresh token you can try the following:

    RefreshToken refreshToken;
    try {
        // the refresh token is stored as a signed JWS string; parse it to a RefreshToken
        refreshToken = new JWSInput(session.getRefreshToken()).readJsonContent(RefreshToken.class);
    } catch (JWSInputException e) {
        throw new IOException(e);
    }
    String refreshTokenPretty = JsonSerialization.writeValueAsPrettyString(refreshToken);

Hope this helps.
Kind regards,
Herbert

Herbert Mühlburger
Senior System Engineer

T +43 316 8003
F +43 316 8003 1080

BearingPoint Technology GmbH
Seering 6, Block B
8141 Premstätten
Austria

herbert.muehlburger at bearingpoint.com
www.bearingpoint.com

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Alik Elzin
Sent: Monday, 02 October 2017 07:06
To: keycloak-user at lists.jboss.org
Cc: Ben.david at hpe.com
Subject: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?

[...]

________________________________
BearingPoint Technology GmbH
Registered office: Premstätten bei Graz
Commercial register court: Landesgericht für ZRS Graz
Commercial register number: FN 44354b

The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
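To make the context of the documented snippet concrete, here is a worked example, added to this archive and not part of Herbert's reply or of the Keycloak project's own code. It is a servlet that sits behind the Keycloak servlet adapter: the adapter authenticates the request first and then stores the KeycloakSecurityContext as a request attribute keyed by the class name, which is exactly the attribute the account-linking documentation reads. The servlet then builds the client-initiated account-link URL the way that documentation describes (SHA-256 over nonce + session state + client id + provider, base64url encoded). The servlet paths /link and /linked, the realm "demo", the provider alias "github" and the auth server URL are assumptions for the example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Starts a client-initiated account-link flow for the logged-in user.
 *
 * Runs inside a web app protected by the Keycloak servlet adapter (keycloak.json
 * plus a security-constraint on this path in web.xml, not shown). The adapter
 * authenticates the request and stores the security context as a request
 * attribute keyed by the class name; that is the attribute the account-linking
 * documentation reads. Paths, realm, provider alias and server URL are
 * assumptions for this example.
 */
@WebServlet("/link")
public class AccountLinkServlet extends HttpServlet {

    private static final String AUTH_SERVER_ROOT = "http://localhost:8080/auth"; // assumed
    private static final String REALM = "demo";                                  // assumed
    private static final String PROVIDER = "github"; // assumed alias of an IdP configured in the realm

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // The adapter only sets the attribute on requests it has authenticated.
            // Reaching this branch means the path is not behind a security constraint.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "request was not authenticated by the Keycloak adapter");
            return;
        }

        AccessToken token = ctx.getToken();
        String clientId = token.getIssuedFor();         // "azp": the client this token was issued to
        String sessionState = token.getSessionState();  // id of the user's SSO session on the server
        String nonce = UUID.randomUUID().toString();

        // Keycloak recomputes this hash on the link endpoint and rejects a mismatch, so
        // the link request is bound to this session, client and provider and cannot be
        // forged from outside or replayed for a different session.
        String hash = linkHash(nonce, sessionState, clientId, PROVIDER);

        // Landing page after the link completes. Assumed path; it must be one of the
        // client's registered redirect URIs or Keycloak refuses the request.
        StringBuffer url = req.getRequestURL();
        String redirectUri = url.substring(0, url.length() - req.getServletPath().length()) + "/linked";

        String linkUrl = AUTH_SERVER_ROOT + "/realms/" + REALM + "/broker/" + PROVIDER + "/link"
                + "?nonce=" + nonce
                + "&hash=" + hash
                + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8");
        resp.sendRedirect(linkUrl);
    }

    /**
     * hash = base64url(SHA-256(nonce + sessionState + clientId + provider)), no padding,
     * as the account-linking documentation specifies.
     */
    static String linkHash(String nonce, String sessionState, String clientId, String provider) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(
                    (nonce + sessionState + clientId + provider).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Two checks before this works against a real server: per the account-linking documentation the application's client must hold the manage-account or manage-account-links role of the account client, and redirect_uri must be a registered redirect URI of that client. With the Spring Security adapter Herbert uses, the same context object is what token.getAccount().getKeycloakSecurityContext() returns, so the remainder of the code is identical.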
From james.mk.green at gmail.com Mon Oct 2 05:10:44 2017
From: james.mk.green at gmail.com (James Green)
Date: Mon, 2 Oct 2017 10:10:44 +0100
Subject: [keycloak-user] spring-boot-2 - new artifact suggestion

Hi,

We have a problem in that we are trying to integrate future spring-boot-2 projects with Keycloak but there are binary compatibility problems. May I suggest someone adds a new spring-boot-2 adaptor so that compatibility with both can be maintained?

Thanks,

James

From mstrukel at redhat.com Mon Oct 2 05:44:48 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 2 Oct 2017 11:44:48 +0200
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

I think the proper location in this case is actually 'standalone/deployments'.

You'll probably need to add jboss-deployment-structure.xml to your jar to declare dependencies on other modules.

On Mon, Oct 2, 2017 at 7:11 AM, Alik Elzin wrote:
> [...]
From kilaka at gmail.com Mon Oct 2 06:33:36 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 13:33:36 +0300
Subject: [keycloak-user] Fwd: What should the endpoint be for a Keycloak IDP initiated SSO?

Thank you Hynek,
I still don't understand how to build the URL.
Can you give an example of a full filled URL?
Do you have a specific URL for the saml-broker-authentication example?
Thanks.

On Mon, Oct 2, 2017 at 9:31 AM, Hynek Mlnarik wrote:
> [...]
From kilaka at gmail.com Mon Oct 2 06:35:13 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 13:35:13 +0300
Subject: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?
In-Reply-To: <1506928379844.74907@bearingpoint.com>
References: <1506928379844.74907@bearingpoint.com>

I'm missing the whole context here. Where should this code run? In what context?

On Mon, Oct 2, 2017 at 10:12 AM, Muehlburger, Herbert <herbert.muehlburger at bearingpoint.com> wrote:
> [...]

From kilaka at gmail.com Mon Oct 2 06:43:25 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 13:43:25 +0300
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

Dependent on what other modules? How do I know which? Is there a sample provider project with the `jboss-deployment-structure.xml` file?

On Mon, Oct 2, 2017 at 12:44 PM, Marko Strukelj wrote:
> I think the proper location in this case is actually 'standalone/deployments'.
>
> You'll probably need to add jboss-deployment-structure.xml to your jar to declare dependencies on other modules.
>
> On Mon, Oct 2, 2017 at 7:11 AM, Alik Elzin wrote:
>> [...]

From hmlnarik at redhat.com Mon Oct 2 06:54:00 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 2 Oct 2017 12:54:00 +0200
Subject: [keycloak-user] Fwd: What should the endpoint be for a Keycloak IDP initiated SSO?

You cannot use saml-broker-authentication demo application for this purpose since it is an OIDC application, and IDP-initiated SSO is not supported in OIDC. The saml-broker-authentication example shows how to broker a SAML IdP - SAML is used for communication between the brokering IdP and brokered IdP. If you want to use IDP-initiated SSO, you need a SAML client. In that client's configuration, you would get the IDP Initiated SSO URL Name field to fill in.

On Mon, Oct 2, 2017 at 12:33 PM, Alik Elzin wrote:
> Thank you Hynek,
> I still don't understand how to build the URL.
> Can you give an example of a full filled URL?
> Do you have a specific URL for the saml-broker-authentication example?
> Thanks.
>
> On Mon, Oct 2, 2017 at 9:31 AM, Hynek Mlnarik wrote:
>> [...]

--Hynek

From phillip.johnsen at tomra.com Mon Oct 2 07:06:30 2017
From: phillip.johnsen at tomra.com (Phillip Johnsen)
Date: Mon, 2 Oct 2017 11:06:30 +0000
Subject: [keycloak-user] Running a pre-release?

Does anyone have any hints about possibly running a CR version or even directly off the master branch?

The migration docs say the following:

    Migration from a candidate release (CR) to a Final release is not supported. We do however recommend that you test migration for a CR so we can resolve any potential issues before the Final is released.
Which in reality answers my question, but is it really impossible in theory? I'm not too familiar with Keycloak yet, so any hints about possible consequences and / or tricks would be great.

To elaborate more about my actual need; we're developing a product that has a hard requirement on the recently merged Paypal integration: https://github.com/keycloak/keycloak/pull/4449

We have utmost respect for recent changes not being added and stressed into future releases, so we want to double check if there's anything we can do to run Keycloak with those changes even though a final version including Paypal hasn't been published yet.

We do acknowledge we're taking some risk by possibly running a pre-release, though that might be worth it for us, as long as we don't create a massive challenge for ourselves down the road.

Any hints or thoughts would be much appreciated!

Thanks,
Phillip

From herbert.muehlburger at bearingpoint.com Mon Oct 2 07:08:20 2017
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert)
Date: Mon, 2 Oct 2017 11:08:20 +0000
Subject: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?
References: <1506928379844.74907@bearingpoint.com>
Message-ID: <1506942500633.45542@bearingpoint.com>

Hi,
The context is an example implementation of a Spring Boot App Controller method like the following:

    import java.io.IOException;

    import javax.servlet.http.HttpServletRequest;

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
    import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
    import org.keycloak.jose.jws.JWSInput;
    import org.keycloak.jose.jws.JWSInputException;
    import org.keycloak.representations.RefreshToken;
    import org.keycloak.util.JsonSerialization;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.GetMapping;

    @GetMapping("/products")
    public String getProducts(HttpServletRequest request, Model model) throws IOException {
        // With the Keycloak Spring Security adapter the authenticated principal is the
        // KeycloakAuthenticationToken, which carries the security context.
        KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) request.getUserPrincipal();
        RefreshableKeycloakSecurityContext session =
                (RefreshableKeycloakSecurityContext) token.getAccount().getKeycloakSecurityContext();
        KeycloakSecurityContext context = token.getAccount().getKeycloakSecurityContext();

        String accessTokenPretty = JsonSerialization.writeValueAsPrettyString(session.getToken());
        String idTokenPretty = JsonSerialization.writeValueAsPrettyString(session.getIdToken());

        // The refresh token is only exposed by the refreshable context and is a signed
        // JWS string, so it is parsed before being printed.
        RefreshToken refreshToken;
        try {
            refreshToken = new JWSInput(session.getRefreshToken()).readJsonContent(RefreshToken.class);
        } catch (JWSInputException e) {
            throw new IOException(e);
        }
        String refreshTokenPretty = JsonSerialization.writeValueAsPrettyString(refreshToken);

        model.addAttribute("idToken", idTokenPretty);
        model.addAttribute("accessToken", accessTokenPretty);
        model.addAttribute("refreshToken", refreshTokenPretty);
        // productService: the controller's own service bean (not shown)
        model.addAttribute("products", productService.getProducts());
        return "products";
    }

Kind regards,
Herbert

________________________________
From: Alik Elzin
Sent: Monday, 02 October 2017 12:35
To: Muehlburger, Herbert
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How do I get KeycloakSecurityContext to be set in the httpServletRequest in Keycloak's account-linking doc?

I'm missing the whole context here. Where should this code run? In what context?
On Mon, Oct 2, 2017 at 10:12 AM, Muehlburger, Herbert <herbert.muehlburger at bearingpoint.com> wrote:
[...]

From kilaka at gmail.com Mon Oct 2 07:09:07 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 14:09:07 +0300
Subject: [keycloak-user] Fwd: What should the endpoint be for a Keycloak IDP initiated SSO?

Do you know of a Keycloak example that supports idp-initiated sso?

On Mon, Oct 2, 2017 at 1:54 PM, Hynek Mlnarik wrote:
> You cannot use saml-broker-authentication demo application for this purpose since it is an OIDC application, and IDP-initiated SSO is not supported in OIDC. The saml-broker-authentication example shows how to broker a SAML IdP - SAML is used for communication between the brokering IdP and brokered IdP. If you want to use IDP-initiated SSO, you need a SAML client. In that client's configuration, you would get the IDP Initiated SSO URL Name field to fill in.
>
> On Mon, Oct 2, 2017 at 12:33 PM, Alik Elzin wrote:
>> Thank you Hynek,
>> I still don't understand how to build the URL.
>> Can you give an example of a full filled URL?
>> Do you have a specific URL for the saml-broker-authentication example?
>> Thanks.
>>
>> On Mon, Oct 2, 2017 at 9:31 AM, Hynek Mlnarik wrote:
>>> See http://www.keycloak.org/docs/latest/server_admin/topics/clients/saml/idp-initiated-login.html:
>>>
>>> In the Settings tab for your client, you need to specify the IDP Initiated SSO URL Name. This is a simple string with no whitespace in it.
> >> After this you can reference your client at the following URL:
> >> root/auth/realms/{realm}/protocol/saml/clients/{url-name}
> >>
> >> --Hynek
> >>
> >> On Mon, Oct 2, 2017 at 7:01 AM, Alik Elzin wrote:
> >> > Hi.
> >> >
> >> > I managed to run the saml-broker-authentication example.
> >> >
> >> > SP initiated SSO works OK.
> >> >
> >> > What should the IDP initiated SSO URL be?
> >> >
> >> > * I also posted the question in SO:
> >> > https://stackoverflow.com/questions/46423301/what-should-the-endpoint-be-for-a-keycloak-idp-initiated-sso
> >> >
> >> > Thanks.
> >>
> >> --
> >> --Hynek

From hmlnarik at redhat.com Mon Oct 2 07:40:09 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 2 Oct 2017 13:40:09 +0200
Subject: [keycloak-user] Fwd: What should the endpoint be for a Keycloak IDP initiated SSO?

Any SAML application, e.g. https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-profile-saml-jee-jsp.

--Hynek

On Mon, Oct 2, 2017 at 1:09 PM, Alik Elzin wrote:
> Do you know of a Keycloak example that supports idp-initiated sso?

From mstrukel at redhat.com Mon Oct 2 09:53:13 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 2 Oct 2017 15:53:13 +0200
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

It depends on what SPIs you implement. Just open Keycloak project in an IDE, and search for jboss-deployment-structure.xml. You'll find examples under 'examples' directory.

On Mon, Oct 2, 2017 at 12:43 PM, Alik Elzin wrote:
> Dependent on what other modules? How do I know what?
> Is there a sample provider project with the `jboss-deployment-structure.xml` file?
>
> On Mon, Oct 2, 2017 at 12:44 PM, Marko Strukelj wrote:
>> I think the proper location in this case is actually 'standalone/deployments'.
>>
>> You'll probably need to add jboss-deployment-structure.xml to your jar to declare dependencies on other modules.
>>
>> On Mon, Oct 2, 2017 at 7:11 AM, Alik Elzin wrote:
>>> In Keycloak's documentation, it's stated that in order to deploy the provider, I can
>>>
>>> copy your provider jar to the Keycloak deploy/ directory, your provider will automatically be deployed.
>>>
>>> I'm indeed searching for a simple copy-paste way to deploy a provider without CLI nor through maven.
>>>
>>> The problem is that I can't find any /deploy folder in keycloak's server :(
>>>
>>> Below is the result for searching files/folders with the word deploy.
>>>
>>> *Any idea how to simply deploy an SPI project into Keycloak?*
>>>
>>> Thanks.
>>>
>>> * Also posted the question in SO:
>>> https://stackoverflow.com/questions/46410244/how-to-deploy-a-keycloaks-spi-project-using-the-keycloak-deployer-deploy
>>>
>>> [image: enter image description here]

From kilaka at gmail.com Mon Oct 2 11:03:04 2017
From: kilaka at gmail.com (Alik Elzin)
Date: Mon, 2 Oct 2017 18:03:04 +0300
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

No file named `jboss-deployment-structure.xml` in all keycloak quickstarts and examples :(

On Mon, Oct 2, 2017 at 4:53 PM, Marko Strukelj wrote:
> It depends on what SPIs you implement. Just open Keycloak project in an IDE, and search for jboss-deployment-structure.xml. You'll find examples under 'examples' directory.

From mstrukel at redhat.com Mon Oct 2 11:07:04 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 2 Oct 2017 17:07:04 +0200
Subject: [keycloak-user] How to deploy a keycloak's SPI project using the Keycloak Deployer (/deploy)?

https://github.com/keycloak/keycloak/blob/master/examples/multi-tenant/src/main/webapp/WEB-INF/jboss-deployment-structure.xml

On Mon, Oct 2, 2017 at 5:03 PM, Alik Elzin wrote:
> No file named `jboss-deployment-structure.xml` in all keycloak quickstarts and examples :(

From mposolda at redhat.com Tue Oct 3 02:22:25 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 3 Oct 2017 08:22:25 +0200
Subject: [keycloak-user] OTP Policy updates not reflects in Google Authenticator
In-Reply-To: <15ed2d35a59-c0c-c297@webjas-vaa118.srv.aolmail.net>
References: <15ed2d35a59-c0c-c297@webjas-vaa118.srv.aolmail.net>
Message-ID: <9633a5ac-8007-26bd-3698-5e77af786803@redhat.com>

I am not sure if we check the current OTP policy of user and take it into account instead of the default realm OTP policy. For password, we are doing it (password hashing algorithm is saved together with user's password. When realm password hashing policy is changed, then user's password is still verified against the old algorithm during first authentication of that user after the realm policy is changed. And then password is updated in DB with the new algorithm).

Feel free to create JIRA with steps to reproduce. I think we can improve for OTP and ask user to configure new OTP after the change. Not sure if this should be configurable or not, I can see some potential security implications of it.

Marek

On 30/09/17 14:47, forums.akurathi at gmail.com wrote:
> Dear all,
>
> We are running into a weird problem, i.e., updates to OTP policy do not reflect at google authenticator app. We wonder if there are any special instructions needed to get this working.
>
> A sequence of steps:
>
> 1) create realm, create user
> 2) enable OTP
> 3) login with the newly created user
> 4) system asks you to configure OTP
> 5) update OTP policy such as number of digits from 6 to 8
> 6) try login again
> 7) system asks you to enter OTP but authentication fails
>
> We expect the system should route the user to configure OTP page rather than prompting to enter OTP which anyways fails.
>
> Your response is highly appreciated !!!
>
> Thanks in advance
>
> Regards
> Krishna Kumar Akurathi

From teatimej at gmail.com Tue Oct 3 18:43:22 2017
From: teatimej at gmail.com (Michael Mok)
Date: Wed, 4 Oct 2017 06:43:22 +0800
Subject: [keycloak-user] Undeclared namespace prefix "dsig" - still a problem in keycloak 3.3.0 CR2.

Thanks for looking into this again. I have created new issue as suggested.

https://issues.jboss.org/browse/KEYCLOAK-5581

Best Regards
Michael Mok

On 29 September 2017 at 06:12, Michael Mok wrote:
> Hi there
>
> In regards to issue 4818 (https://issues.jboss.org/browse/KEYCLOAK-4818), we are still encountering issue with recognising dsig.
>
> 06:54:51,265 WARN [org.keycloak.saml.common] (default task-110) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
> 09:19:31,939 ERROR [io.undertow.request] (default task-245) UT005023: Exception handling request to /auth/realms/demo/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig"
>  at [row,col {unknown-source}]: [1,914]
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)

From asrafalianwarali.shaikh at gi-de.com Wed Oct 4 01:29:18 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Wed, 4 Oct 2017 05:29:18 +0000
Subject: [keycloak-user] Improvement required in password policy evaluation
In-Reply-To: <84ba1790-5fa1-8c8f-7f6b-f5b82e2d8bd8@merit.unu.edu>
References: <8930fe05c0a94eafbbf8d7b12962a936@gi-de.com>
<84ba1790-5fa1-8c8f-7f6b-f5b82e2d8bd8@merit.unu.edu>
Message-ID: <1e2cd5a36f654a799139db01abab030d@gi-de.com>

Hello,

Thanks for having the same opinion about this. And is there any plan when and how this can be achieved, or is there any way to customize it? If yes, how?

Regards,
Asraf Shaikh

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of mj
Sent: Thursday, September 28, 2017 12:29 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Improvement required in password policy evaluation

Oh YES. We 100% agree with this.

It would even be nicer if all requirements would be displayed by default, each requirement with:
- a red cross if not yet satisfied
- a green checkmark when satisfied

So you would see red crosses turning into green checkmarks, while composing the password, as each requirement is fulfilled.

Since you have to provide the new password twice, you could even have a requirement that 'both passwords have to match', with a red cross, until they match.

MJ

On 09/28/2017 07:29 AM, Shaikh Asrafali Anwarali wrote:
> Hello,
>
> The Keycloak shows PASSWORD construction rule one at a time when it fails to adhere to it.
>
> For example:
>
> Applied password policy are:
>
> 1. specialChars
> 2. upperCase
> 3. passwordHistory
> 4. length
> 5. digits
> 6. notUsername
> 7. lowerCase
>
> If I set my password as "abcd"
> I get error message saying "there has to be special character", then I changed it to abcd@
> After that I get message saying there has to be 1 capital letter ...
> It goes on and on till all the policy is satisfied.
>
> There is a requirement that all failure reasons should be displayed at once or at least show the configured password rules somewhere on this screen.
>
> On page I have all the data available, like in realm.passwordPolicy - have all the configured password policy data.
>
> But not sure how messages can be formulated so that internationalization is also maintained.
>
> Is there any way by which it can be achieved?
>
> Regards,
>
> Asraf Shaikh

From ddevaal at rovecom.nl Wed Oct 4 05:49:49 2017
From: ddevaal at rovecom.nl (Dennis de Vaal | Rovecom)
Date: Wed, 4 Oct 2017 09:49:49 +0000
Subject: [keycloak-user] web-context admin console
Message-ID: <7521286E-58DC-49A8-A1A3-1C86CCB910B9@rovecom.nl>

When I curl -I http://test.domain.com/auth/admin I'm being redirected to http://test.domain.com/admin/master/console/ even though the web-context is set to /auth. Why is this?

% curl -I http://test.domain.com/auth/admin
HTTP/1.1 302 Found
Content-Length: 0
Date: Wed, 04 Oct 2017 09:32:17 GMT
Location: http://test.domain.com/admin/master/console/
Server: WildFly/10
X-Powered-By: Undertow/1
Content-Type: text/plain; charset=utf-8

I want to serve everything under /auth including the admin console. When I go to http://test.domain.com/auth/admin/master/console I'm getting 404s, network errors etc.
(index):12 GET http://test.domain.com/resources/2.5.5.final/admin/keycloak/lib/patternfly/css/patternfly.css net::ERR_ABORTED
(index):13 GET http://test.domain.com/resources/2.5.5.final/admin/keycloak/lib/select2-3.4.1/select2.css net::ERR_ABORTED

This path works though: http://test.domain.com/auth/resources/2.5.5.final/admin/keycloak/lib/select2-3.4.1/select2.css

Keycloak is behind a reverse proxy (traefik). We are using the option PathPrefixStrip, which basically removes /auth from every request. Is there a way to set the correct relative url in keycloak? Proxy forwarding is enabled in standalone.xml.

Regards,

Dennis de Vaal

-----------------------------
Rovecom
Dennis de Vaal | Rovecom
web developer
Elbe 2, 7908 HB Hoogeveen
P.O. Box 2126, 7900 BC Hoogeveen
0528 22 35 35

Continuously innovating to stimulate movement and realize growth. We are Rovecom.

Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste it into your internet browser.
-----------------------------

From psilva at redhat.com Wed Oct 4 08:30:07 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Oct 2017 09:30:07 -0300
Subject: [keycloak-user] Good presentation to understand UMA spec

Yeah, that is a great and funny presentation from UMA guys. Good point about adding some references to our docs.

Regards.
Pedro Igor

On Sun, Oct 1, 2017 at 6:09 PM, Rafael T. C. Soares wrote:
> I've found a very good (and funny) presentation slides explaining how UMA spec works...
>
> https://www.slideshare.net/Identiverse/introducing-uma-20-cis-2017
>
> It's really a good reference if you want to understand how UMA works! Would be nice to have that presentation referenced on Keycloak's Authorization Services guide pages [1]
>
> [1] http://www.keycloak.org/docs/3.3/authorization_services/topics/overview/terminology.html
>
> --
> Rafael T. C. Soares
> Solution Architect
> Red Hat Brazil
> rsoares at redhat.com M: +55-71-99616-9145 T: +55-11-3529-6096
> Twitter: @redhatnews | LinkedIn: linkedin.com/company/red-hat | Facebook: facebook.com/RedHatInc

From anders.kabell.kristensen at systematic.com Wed Oct 4 08:47:52 2017
From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Wed, 4 Oct 2017 05:47:52 -0700 (MST)
Subject: [keycloak-user] Two browser tabs result in two access-/refresh tokens and accidental logout
Message-ID: <1507121272796-0.post@n6.nabble.com>

Hi guys,

We run into an accidental logout when opening our application in a second tab in the browser. It seems that the second tab acquires its own access-/refresh token pair; however, the tabs share the session. Consequently, when the first tab needs to refresh its token, the refresh token is no longer valid, resulting in the first tab initiating a logout - and then the second tab only lives until token expiration, since refresh fails due to the first tab having ended the session.

Looking into the js adapter code we got the impression that the tabs would share tokens through local storage - is this something we need to activate explicitly in the configuration?

We have a setup with an Angular2 app making use of the Keycloak js adapter. We made use of the example provided with the 3.0.0 quickstarts, but modified the parameters for the init function:

Thanks for the great effort put into Keycloak!
Anders

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From schissdraeck at rmm.li Wed Oct 4 09:11:52 2017
From: schissdraeck at rmm.li (Michael Meier)
Date: Wed, 4 Oct 2017 15:11:52 +0200
Subject: [keycloak-user] how to restrict saml authentication by group (or role)
Message-ID: <3b2e5a8d-e9d9-b884-24a4-a745db4d7a8c@rmm.li>

hi all

In my configuration users are members of groups like "nextcloud", "xmpp", "mail", which specifies what services they are allowed to use. That works pretty well when using LDAP, since it seems that all LDAP authentication clients provide a filter string, so I can filter by string. Unfortunately it seems like not all SAML authentication clients (service providers) support filtering by groups.

So I'd like keycloak to restrict which users are allowed to authenticate over which client. I want, for example, that only users which are members of the group nextcloud are able to authenticate over the nextcloud SAML client in keycloak. So keycloak will just negate an authentication request for a user which is not a member of a certain group for certain clients.

But I can't find a way to do that, neither over groups nor roles.

Can somebody point me in the right direction?

thanks a lot
Michael

From celso.agra at gmail.com Wed Oct 4 09:45:42 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 4 Oct 2017 10:45:42 -0300
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username

Hi all,

I'm getting a strange behavior. My LDAP (openldap) is configured as writable in my User Federation. So, I can create a user from my Keycloak, but when I change the username, the user disappears from my user's list. I checked the LDAP and the user is still there, with the 'old' username.

So, is there some way to change the username without it disappearing from the keycloak user's list? This occurs because in my case, the username is the same as the email. So, if the user changes email, I have to change the username also.
I'm using version 3.0.0.Final

Best regards

--
---
*Celso Agra*

From alexander.sahler at brodos.de Wed Oct 4 10:26:07 2017
From: alexander.sahler at brodos.de (alexander.sahler at brodos.de)
Date: Wed, 04 Oct 2017 16:26:07 +0200
Subject: [keycloak-user] PolicyEnforcer always requires all defined scopes as 'required'
References: <59D4EF7F0200005600156E09@GWCL-GWIA-SERVER.brodosmit.de>
Message-ID: <59D4EF7F0200005600156E09@GWCL-GWIA-SERVER.brodosmit.de>

Hi.

I try to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet request (a vaadin UI). Basically it's working.

Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up:

* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes urn:test-project:article:view and urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added "policy-enforcer": {} in keycloak.json)
* Two policies:
  - Admin policy: type role, roles: admin (required)
  - User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui.
  - Article Create Permission: resource: admin-ui, scopes: urn:test-project:article:create, policy: Admin policy, unanimous
  - Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view, policy: User policy, unanimous
* A resource permission granting access to the resource itself using Default Permission (js, grant all)

Admin user is working fine and testing for scope membership using authzClient is working fine as well.

However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes associated with the resource. These are taken from the pathConfig, which always yields both associated scopes.

Of course, user 'test' has only granted permission to scope urn:test-project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected:

{
  "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c",
  "exp": 1507127243,
  "nbf": 0,
  "iat": 1507126943,
  "aud": "test-context",
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "typ": "Bearer",
  "azp": "test-context",
  "auth_time": 0,
  "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8",
  "acr": "1",
  "allowed-origins": [ "http://" ],
  "realm_access": { "roles": [ "uma_authorization", "user" ] },
  "resource_access": {},
  "authorization": {
    "permissions": [
      {
        "scopes": [ "urn:testproject:article:view" ],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  },
  "name": "Test Tester",
  "preferred_username": "test",
  "given_name": "Test",
  "family_name": "Tester",
  "email": "test at bla.de"
}

I'm using keycloak 3.2.1.FINAL on karaf 4.1.2.

Please help!

From jasonspittel at yahoo.com Wed Oct 4 13:45:09 2017
From: jasonspittel at yahoo.com (Jason Spittel)
Date: Wed, 4 Oct 2017 17:45:09 +0000 (UTC)
Subject: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
References: <1717248303.1351458.1507139109449.ref@mail.yahoo.com>
Message-ID: <1717248303.1351458.1507139109449@mail.yahoo.com>

Does Keycloak, in SAML brokering mode, support the following scenario?

1. User logs into SP app 1.
2. User does not close browser but accesses SP app 2 (through Keycloak brokering).
3. Will Keycloak recognize authentication that user has done for step 1?

In this case the IdP Keycloak is brokering to is AzureAD.

Thanks,
Jason

From betalb at gmail.com Wed Oct 4 14:41:05 2017
From: betalb at gmail.com (Виталий Ищенко)
Date: Wed, 04 Oct 2017 18:41:05 +0000
Subject: [keycloak-user] OPENID Java Client

Just found an email in archives that still seems to be outstanding: http://lists.jboss.org/pipermail/keycloak-user/2016-December/008544.html

I was also searching for a clean way to obtain a token using the client credentials grant type and refresh it until it expires. I found a bunch of classes in keycloak doing this stuff (i.e. admin-cli) but haven't found anything in adapters. Were there any updates in this area? I was not able to find the Jira ticket that was referenced in the email.

On Fri, Sep 29, 2017 at 8:39 PM Виталий Ищенко wrote:
> I was looking at keycloak examples for client credentials flow examples, and it looks like everything required is located in adapter-core module, especially AdapterRSATokenVerifier and ServerRequest classes.
>
> But I wonder if it is safe to use this module in terms of API stability and documentation, or I should better stick to some 3rd party OpenID client that will do all the fancy things with token validation, key retrieval, caching etc.
>
> Best Regards,
> Vitalii

From hmlnarik at redhat.com Wed Oct 4 16:27:37 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 4 Oct 2017 22:27:37 +0200
Subject: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
In-Reply-To: <1717248303.1351458.1507139109449@mail.yahoo.com>
References: <1717248303.1351458.1507139109449.ref@mail.yahoo.com> <1717248303.1351458.1507139109449@mail.yahoo.com>

Yes. Keycloak supports this scenario regardless of brokering - this is basic single sign on scenario.

--Hynek

On Wed, Oct 4, 2017 at 7:45 PM, Jason Spittel wrote:
> Does Keycloak, in SAML brokering mode, support the following scenario?
> 1. User logs into SP app 1.
> 2.
Thanks, Jason From betalb at gmail.com Wed Oct 4 14:41:05 2017 From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=) Date: Wed, 04 Oct 2017 18:41:05 +0000 Subject: [keycloak-user] OPENID Java Client In-Reply-To: References: Message-ID: Just found an email in archives that is still seem to be outstanding http://lists.jboss.org/pipermail/keycloak-user/2016-December/008544.html I was also searching for a clean way to obtain token using client credentials grant type and refresh it until it expired, I found bunch of classes in keycloak doing this stuff (i.e admin-cli) but haven't found anything in adapters, were there any updates in this area, I was not able to find Jira ticket that was referenced in email On Fri, Sep 29, 2017 at 8:39 PM ??????? ?????? wrote: > I was looking at keykloak examples for client credentials flow examples, > and it looks like the everything required is located in adapter-core > module, especially AdapterRSATokenVerifier and ServerRequest classes. > > But I wonder if it safe to use this module in terms of API stability and > documentation, or I should better stick to some 3rd party OpenID client, > that will do all the fancy things with token validation, key retrieval, > caching etc. > > Best Regards, > Vitalii > From hmlnarik at redhat.com Wed Oct 4 16:27:37 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 4 Oct 2017 22:27:37 +0200 Subject: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application? In-Reply-To: <1717248303.1351458.1507139109449@mail.yahoo.com> References: <1717248303.1351458.1507139109449.ref@mail.yahoo.com> <1717248303.1351458.1507139109449@mail.yahoo.com> Message-ID: Yes. Keycloak supports this scenario regardless of brokering - this is basic single sign on scenario. --Hynek On Wed, Oct 4, 2017 at 7:45 PM, Jason Spittel wrote: > Does Keycloak, in SAML brokering mode, support the following scenario? > 1. User logs into SP app 1. > 2. 
User does not close browser but accesses SP app 2 (through Keycloak brokering). 3. Will Keycloak recognize authentication that user has done for step 1? > In this case the IdP Keycloak is brokering to is AzureAD. > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From eduard.matuszak at worldline.com Thu Oct 5 02:38:56 2017 From: eduard.matuszak at worldline.com (Matuszak, Eduard) Date: Thu, 5 Oct 2017 06:38:56 +0000 Subject: [keycloak-user] No events for Keycloak session timeouts? Message-ID: <61D077C6283D454FAFD06F6AC4AB74D725E8B6E7@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Hello Is there any chance to get informed about Keycloak-session timeouts? It seems that there is (up to now) no appropriate event-type in org.keycloak.events.EventType for this. Thanks for any help, Eduard Matuszak From alexander.sahler at brodos.de Thu Oct 5 02:47:47 2017 From: alexander.sahler at brodos.de (sahlex) Date: Wed, 4 Oct 2017 23:47:47 -0700 (MST) Subject: [keycloak-user] PolicyEnforcer always requires all defined scopes as 'required' Message-ID: <1507186067984-0.post@n6.nabble.com> Hi. I'm trying to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet request (a vaadin UI). Basically it's working. Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up:
* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes urn:test-project:article:view and urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added "policy-enforcer": {} in keycloak.json)
* Two policies:
  - Admin policy: type role, roles: admin (required)
  - User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui.
  - Article Create Permission: resource: admin-ui, scopes: urn:test-project:article:create, policy: Admin policy, unanimous
  - Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view, policy User policy, unanimous
* A resource permission granting access to the resource itself using Default Permission (js, grant all)
Admin user is working fine and testing for scope membership using authzClient is working fine as well. However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes associated for the resource. These are taken from the pathConfig, which always yields both associated scopes.
Of course, user 'test' has only granted permission to scope urn:test-project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected: { "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c", "exp": 1507127243, "nbf": 0, "iat": 1507126943, "aud": "test-context", "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0", "typ": "Bearer", "azp": "test-context", "auth_time": 0, "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8", "acr": "1", "allowed-origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": {}, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test at bla.de" } I'm using keycloak 3.2.1.FINAL on karaf 4.1.2. Please help! -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From anders.kabell.kristensen at systematic.com Thu Oct 5 03:07:32 2017 From: anders.kabell.kristensen at systematic.com (Anders Kabell Kristensen) Date: Thu, 5 Oct 2017 07:07:32 +0000 Subject: [keycloak-user] Two browser tabs result in two Message-ID: <46d4d91cb11d485ab4eba6192f7cddb8@dc1-exch001.systematicgroup.local> By the way, our parameters to the js init function were lost in the mailing list. 
It should have read: keycloakAuth.init({ onLoad: 'login-required', responseMode: 'fragment', flow: 'standard', checkLoginIframe: false}) Cheers, Anders Date: Wed, 4 Oct 2017 05:47:52 -0700 (MST) From: Anders KK Subject: [keycloak-user] Two browser tabs result in two access-/refresh tokens and accidental logout To: keycloak-user at lists.jboss.org Message-ID: <1507121272796-0.post at n6.nabble.com> Content-Type: text/plain; charset=us-ascii Hi guys, We run into an accidental logout when opening our application in a second tab in the browser. It seems that the second tab acquires its own access-/refresh token pair, however, the tabs share the session. Consequently, when the first tab needs to refresh its token, the refresh token is no longer valid, resulting in the first tab initiating a logout - and then the second tab only lives until token expiration, since refresh fails due to the first tab having ended the session. Looking into the js adapter code we got the impression that the tabs would share tokens through local storage - is this something we need to activate explicitly in the configuration? We have a setup with an Angular2 app making use of the Keycloak js adapter. We made use of the example provided with the 3.0.0 quickstarts, but modified the parameters for the init function: Thanks for the great effort put into Keycloak! Anders From gerhard.jansen at de.rhenus.com Thu Oct 5 03:26:03 2017 From: gerhard.jansen at de.rhenus.com (Jansen, Gerhard) Date: Thu, 5 Oct 2017 07:26:03 +0000 Subject: [keycloak-user] How to use two providers with same username in a realm/client Message-ID: Hello, in our application I use an application-specific user database for authentication and I can also authenticate users with their Active Directory credential (SPNEGO or username/password). Now we want to switch to Keycloak, but we can only use either a custom user-database provider or an Active Directory federation provider in a realm.
SPNEGO works fine, but form-based login doesn't. Only the first federation provider is called. Maybe because login name for both providers is the same, even though neither userbase is imported. How can I authenticate a user with a second federation provider with same login name, after authentication with first provider fails. (Or do I even have to think in a completely different direction ?) Thanks in advance for any suggestions. Best regards, Gerhard Jansen From alexander.sahler at brodos.de Thu Oct 5 05:04:41 2017 From: alexander.sahler at brodos.de (alexander.sahler at brodos.de) Date: Thu, 05 Oct 2017 11:04:41 +0200 Subject: [keycloak-user] Antw: PolicyEnforcer always requires all defined scopes as 'required' In-Reply-To: <1507186067984-0.post@n6.nabble.com> References: <1507186067984-0.post@n6.nabble.com> Message-ID: <59D5F5A90200005600156FB8@GWCL-GWIA-SERVER.brodosmit.de> Hi. Some additional information: in log file (of application) the adapter tells: Authorization FAILED for path [PathConfig{name='Admin UI', type='urn:test-context:resources:default', path='/ui/*', scopes=[urn:testproject:article:view, urn:testproject:article:create], id='a9d034f3-0ea4-4c96-b314-6ce544bf01b8', enforcerMode='ENFORCING'}]. No enough permissions [[Permission {id=a9d034f3-0ea4-4c96-b314-6ce544bf01b8, name=Admin UI, scopes=[urn:testproject:article:view]}]]. 
Up-to-date authorization evaluator gives (changed values in resource_access field) { "jti": "25c7f624-c1ab-4f01-83a0-f946e868c175", "exp": 1507194142, "nbf": 0, "iat": 1507193842, "aud": "test-context", "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0", "typ": "Bearer", "azp": "test-context", "auth_time": 0, "session_state": "4ebc2e9e-9b22-47dd-ad83-46a7fa600264", "acr": "1", "allowed-origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test at bla.de" } Best regards, Alexander >>> Hi. I'm trying to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter to secure a servlet request (a vaadin UI). Basically it's working. Now I want to add some portions of the UI only visible to users granted permission to a certain scope. So I set up: * client (named test-context) is configured for authorization * A resource (admin-ui) with associated scopes urn:test-project:article:view and urn:test-project:article:create. * two realm roles: admin and user * two users (test, admin), one of them (test) having role user, the other (admin) having both admin and user roles * auth settings: policy enforcement mode: enforcing (also added "policy-enforcer": {} in keycloak.json) * Two policies: - Admin policy: type role, roles: admin (required) - User policy: type role, roles: user * Two scope permissions bound to the resource admin-ui.
- Article Create Permission: resource: admin-ui, scopes: urn:test-project:article:create, policy: Admin policy, unanimous - Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view, policy User policy, unanimous * A resource permission granting access to the resource itself using Default Permission (js, grant all) Admin user is working fine and testing for scope membership using authzClient is working fine as well. However, when I try to access the page with user 'test', the user is denied access due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes variable to isAuthorized(...). This variable is ALWAYS filled with all scopes associated for the resource. These are taken from the pathConfig, which always yields both associated scopes. Of course, user 'test' has only granted permission to scope urn:test-project:article:view following the authorization set up, thus failing the grant although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as expected: { "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c", "exp": 1507127243, "nbf": 0, "iat": 1507126943, "aud": "test-context", "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0", "typ": "Bearer", "azp": "test-context", "auth_time": 0, "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8", "acr": "1", "allowed-origins": [ "http://" ], "realm_access": { "roles": [ "uma_authorization", "user" ] }, "resource_access": {}, "authorization": { "permissions": [ { "scopes": [ "urn:testproject:article:view" ], "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8", "resource_set_name": "Admin UI" } ] }, "name": "Test Tester", "preferred_username": "test", "given_name": "Test", "family_name": "Tester", "email": "test at bla.de" } I'm using keycloak 3.2.1.FINAL on karaf 4.1.2. Please help!
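Editor's added configuration example for the PolicyEnforcer thread above (not part of sahlex's messages and not code from the Keycloak project). The adapter's own "Authorization FAILED" line shows where the required scopes come from: the PathConfig for /ui/* was generated from the resource "Admin UI", so it carries every scope the resource has, and the enforcer then demands all of them for every request on that path, which the view-only user 'test' can never satisfy. The usual adapter-side fix is to declare the path explicitly in keycloak.json and bind scopes per HTTP method, so a GET asks only for the view scope and a POST only for the create scope. The realm name, server URL and the ${env.…} secret placeholder are assumptions made for this example; the scope names are copied from the PathConfig in the log, which reports them as urn:testproject:... without the hyphen used in the mail text, and the strings in the config must match the server's names exactly.

```json
{
  "realm": "test-realm",
  "auth-server-url": "https://keycloak.example.com/auth",
  "resource": "test-context",
  "credentials": {
    "secret": "${env.TEST_CONTEXT_SECRET}"
  },
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "Admin UI",
        "path": "/ui/*",
        "methods": [
          {
            "method": "GET",
            "scopes": ["urn:testproject:article:view"]
          },
          {
            "method": "POST",
            "scopes": ["urn:testproject:article:create"]
          }
        ]
      }
    ]
  }
}
```

Two checks before relying on this: first, read getRequiredScopes() and isAuthorized() in AbstractPolicyEnforcer of the adapter version actually deployed, because how path-level scopes are combined with method-level scopes differs between adapter releases; second, repeat the request as user 'test' once with GET and once with POST on /ui/ and compare the scopes printed in the "Authorization FAILED" PathConfig line, which is the set the enforcer really applied. If the explicitly declared path still comes back populated with both scopes, the fallback that works regardless of adapter version is to split view and create into two resources with one scope each and bind each permission to its own resource.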
From stephen at saasindustries.com Thu Oct 5 21:30:27 2017 From: stephen at saasindustries.com (Stephen Henrie) Date: Thu, 5 Oct 2017 18:30:27 -0700 Subject: [keycloak-user] user count Message-ID: Hey all, I have Keycloak 3.2.1.Final configured with a realm that has 13 users in it. When I call the API rest endpoint for GET /admin/realms/{realm}/users, I get 13 user "records" back as expected. However, when I call the API rest endpoint GET /admin/realms/{realm}/users/count for the same realm, I get the number 21 returned. I would have expected this to return the number 13 Has anyone else experienced this? Is there something that I am missing? Thanks Stephen From bruno at abstractj.org Thu Oct 5 22:46:46 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 06 Oct 2017 02:46:46 +0000 Subject: [keycloak-user] user count In-Reply-To: References: Message-ID: I just tried with 3.3.0.CR2, but could not find any issue. Would you mind to give it a try? On Thu, Oct 5, 2017 at 10:32 PM Stephen Henrie wrote: > Hey all, > > I have Keycloak 3.2.1.Final configured with a realm that has 13 users in > it. When I call the API rest endpoint for GET /admin/realms/{realm}/users, > I get 13 user "records" back as expected. However, when I call the API rest > endpoint GET /admin/realms/{realm}/users/count for the same realm, I get > the number 21 returned. > > I would have expected this to return the number 13 Has anyone else > experienced this? Is there something that I am missing?
> > Thanks > Stephen > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stephen at saasindustries.com Fri Oct 6 01:45:29 2017 From: stephen at saasindustries.com (Stephen Henrie) Date: Thu, 5 Oct 2017 22:45:29 -0700 Subject: [keycloak-user] user count In-Reply-To: References: Message-ID: I think I just answered my own question.... It looks like the count api returns the total of the users and the service accounts which exist in the realm. This seems a little weird to me since it is not that easy identifying the difference between the two types of users in the json data. Not sure if it is intended to work this way or not. Regards, Stephen On Thu, Oct 5, 2017 at 7:46 PM, Bruno Oliveira wrote: > I just tried with 3.3.0.CR2, but could not find any issue. Would you mind > to give it a try? > > On Thu, Oct 5, 2017 at 10:32 PM Stephen Henrie > wrote: > >> Hey all, >> >> I have Keycloak 3.2.1.Final configured with a realm that has 13 users in >> it. When I call the API rest endpoint for GET /admin/realms/{realm}/users, >> I get 13 user "records" back as expected. However, when I call the API >> rest >> endpoint GET /admin/realms/{realm}/users/count for the same realm, I get >> the number 21 returned. >> >> I would have expected this to return the number 13 Has anyone else >> experienced this? Is there something that I am missing? >> >> Thanks >> Stephen >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From sthorger at redhat.com Fri Oct 6 03:51:41 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 06 Oct 2017 09:51:41 +0200 Subject: [keycloak-user] user count In-Reply-To: References: Message-ID: <1507276301.3676.13@smtp.gmail.com> I would argue this is a bug. Could you create a JIRA please? 
On Fri, Oct 6, 2017 at 7:45 AM, Stephen Henrie wrote: > I think I just answered my own question.... It looks like the count > api > returns the total of the users and the service accounts which exist > in the > realm. This seems a little weird to me since it is not that easy > identifying the difference between the two types of users in the json > data. > > Not sure if it is intended to work this way or not. > > Regards, > Stephen > > On Thu, Oct 5, 2017 at 7:46 PM, Bruno Oliveira > wrote: > >> I just tried with 3.3.0.CR2, but could not find any issue. Would >> you mind >> to give it a try? >> >> On Thu, Oct 5, 2017 at 10:32 PM Stephen Henrie >> >> wrote: >> >>> Hey all, >>> >>> I have Keycloak 3.2.1.Final configured with a realm that has 13 >>> users in >>> it. When I call the API rest endpoint for GET >>> /admin/realms/{realm}/users, >>> I get 13 user "records" back as expected. However, when I call the >>> API >>> rest >>> endpoint GET /admin/realms/{realm}/users/count for the same realm, >>> I get >>> the number 21 returned. >>> >>> I would have expected this to return the number 13 Has anyone else >>> experienced this? Is there something that I am missing? >>> >>> Thanks >>> Stephen >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mvtongeren at link2control.nl Fri Oct 6 04:26:24 2017 From: mvtongeren at link2control.nl (Marcel van Tongeren) Date: Fri, 6 Oct 2017 08:26:24 +0000 Subject: [keycloak-user] How to silently getting a new access token on Implicit Flow Message-ID: Hi, I am working on an Aurelia SPA with Keycloak as the identity server. Since it is a web client, I'm using the Implicit variant of the OpenId Connect authorization flow. 
Authentication works fine, but I'm having a problem with getting a new access token, without interrupting the workflow of the user. The documentation states that I can't use UpdateToken (because there is no refresh token in Implicit flow) and that I should redirect to the login page instead. Currently, I'm calling keycloak.login({prompt:'none'}) to do the redirect, but the problem is that you will lose all the data that the user entered on the current page, because it has the same effect as a full page refresh. Now, I had the impression that the hidden IFrame was supposed to handle this, but I get the feeling that it is not much help when using the Implicit flow...? There is plenty of documentation about initial authentication, but I couldn't find anything about 'refreshing' the access token when using the Implicit flow. Is there another way to do the redirect, maybe from the IFrame, so it is all handled behind the scenes? Btw, at first the IFrame wasn't created at all, because Aurelia fully replaces its root element, which happens to be the body element by default. After I configured Aurelia's root element to be a child div of the body element, the IFrame seems to be created correctly. Best regards, Marcel From William.Drescher at celum.com Fri Oct 6 05:58:15 2017 From: William.Drescher at celum.com (William Drescher [CELUM]) Date: Fri, 6 Oct 2017 09:58:15 +0000 Subject: [keycloak-user] Keycloak Logout hangs for exactly 5.00 seconds Message-ID: <3b9deb4701414b99b9ec92b0e37c9b04@celum.com> Hi there, We have the problem that when logging out, Keycloak hangs for exactly 5.00 seconds before it allows a redirect to login page. Any ideas as to what could be causing this?
We have a Java application using the Vert.x OAuth2 and use the AccessToken logout which logs out over the REST API, but the same thing happens with the Java Keycloak library (also over REST). Would appreciate any tips for avenues of investigation, William Drescher From jw at blue-yonder.com Fri Oct 6 08:01:15 2017 From: jw at blue-yonder.com (Jonas Weismueller) Date: Fri, 6 Oct 2017 14:01:15 +0200 Subject: [keycloak-user] customizable attribute mapper Message-ID: <968e3829-4a50-d2f9-73a2-c0780db0208a@blue-yonder.com> Hi, we are still evaluating keycloak vs. simplesamlphp. What we find quite convenient using simplesamlphp is this authentication processing attributealter possibility: https://simplesamlphp.org/docs/stable/core:authproc_attributealter Using this, especially with the feature to be able to use regex pattern matching, it is quite easy to combine/construct certain SAML attributes in the way the SP needs it. For example we could add a fixed top level domain to the IDPEmail Attribute, where the SP needs it in the syntax username at domain.tld instead of username as retrieved by our LDAP backend system. One real example from our current simplesamlphp configuration:
30 => array(
    'class' => 'core:AttributeAlter',
    'subject' => 'uid',
    'pattern' => '/([a-z]+)/',
    'replacement' => '\1 at domain.tld',
    'target' => 'IDPEmail',
),
I could not find any similar feature within keycloak, or did I just overlook it? Cheers Jonas From hmlnarik at redhat.com Fri Oct 6 08:22:33 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Fri, 6 Oct 2017 14:22:33 +0200 Subject: [keycloak-user] customizable attribute mapper In-Reply-To: <968e3829-4a50-d2f9-73a2-c0780db0208a@blue-yonder.com> References: <968e3829-4a50-d2f9-73a2-c0780db0208a@blue-yonder.com> Message-ID: It's not there yet. Similar functionality has already been requested in [1]. Could you please comment on your expected use case there and, if interested, vote for it?
Thanks --Hynek [1] https://issues.jboss.org/browse/KEYCLOAK-4781 On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller wrote: > Hi, > > we are still evaluating keycloak vs. simplesamlphp. > > What we find quite convenient using simplesamlphp is this authentication > processing attributealter possibility: > > https://simplesamlphp.org/docs/stable/core:authproc_attributealter > > Using this especially with the feature to be able to use regex pattern > matching it is quite easy to combine/construct certain SAML attributes > in the way the SP needs it. > > For example we could add a fixed top level domain to the IDPEmail > Attribute, where the SP needs it in the syntax username at domain.tld > instead of username as retrieved by our LDAP backend system. > > One real example from our current simplesamlphp configuration: > > 30 => array( > 'class' => 'core:AttributeAlter', > 'subject' => 'uid', > 'pattern' => '/([a-z]+)/', > 'replacement' => '\1 at domain.tld', > 'target' => 'IDPEmail', > ), > > > I could not find any similar feature within keycloak or did I just > overseen it? > > Cheers Jonas > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From jasonspittel at yahoo.com Fri Oct 6 11:38:53 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Fri, 6 Oct 2017 15:38:53 +0000 (UTC) Subject: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application? References: <1400625401.2676107.1507304333726.ref@mail.yahoo.com> Message-ID: <1400625401.2676107.1507304333726@mail.yahoo.com> Even in the case that SP app from step 1 was not through Keycloak? -------------------------------------------- On Wed, 10/4/17, Hynek Mlnarik wrote: Subject: Re: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application? To: "Jason Spittel" Cc: "Keycloak-user" Received: Wednesday, October 4, 2017, 1:27 PM Yes. 
Keycloak supports this scenario regardless of brokering - this is basic single sign on scenario. --Hynek On Wed, Oct 4, 2017 at 7:45 PM, Jason Spittel wrote: > Does Keycloak, in SAML brokering mode, support the following scenario? > 1. User logs into SP app 1. > 2. User does not close browser but accesses SP app 2 (through Keycloak brokering).3. Will Keycloak recognize authentication that user has done for step 1? > In this case the IdP Keycloak is brokering to is AzureAD. > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From inofi at gmx.net Fri Oct 6 12:04:42 2017 From: inofi at gmx.net (Malte Finsterwalder) Date: Fri, 6 Oct 2017 18:04:42 +0200 Subject: [keycloak-user] Parameterizing keycloak.json? Message-ID: <36a1b155-6c53-054d-ccc7-a8de44a96638@gmx.net> Hi there, I set up a web application to use Keycloak. I added a keycloak.json file to configure the keycloak settings. In this file there is the auth-server-url and a path to a truststore. The keycloak.json file is packaged into the war file, of course. But I need to deploy the same war file to different servers, that should talk to different Keycloak-Servers. Is there a way to parameterize information in the keycloak.json file? Or can I configure overrides in a JBoss server? I know that I could configure the keycloak settings completely in the JBoss configuration, but I rather like the idea to have a config per app. Greetings, Malte From inofi at gmx.net Fri Oct 6 12:13:34 2017 From: inofi at gmx.net (Malte Finsterwalder) Date: Fri, 6 Oct 2017 18:13:34 +0200 Subject: [keycloak-user] Parameterizing keycloak.json? 
In-Reply-To: <36a1b155-6c53-054d-ccc7-a8de44a96638@gmx.net> References: <36a1b155-6c53-054d-ccc7-a8de44a96638@gmx.net> Message-ID: <30e8eb01-6d09-2b40-ff10-610abf9f7d82@gmx.net> I'm sorry, I missed it in the Documentation: "You can use ${...} enclosure for system property replacement. For example ${jboss.server.config.dir} would be replaced by /path/to/Keycloak. Replacement of environment variables is also supported via the env prefix, e.g. ${env.MY_ENVIRONMENT_VARIABLE}." RTFM! ;-) On 06.10.2017 18:04, Malte Finsterwalder wrote: > Hi there, > > I set up a web application to use Keycloak. > I added a keycloak.json file to configure the keycloak settings. > In this file there is the auth-server-url and a path to a truststore. > The keycloak.json file is packaged into the war file, of course. > But I need to deploy the same war file to different servers, that should > talk to different Keycloak-Servers. > > Is there a way to parameterize information in the keycloak.json file? Or > can I configure overrides in a JBoss server? > > I know that I could configure the keycloak settings completely in the > JBoss configuration, but I rather like the idea to have a config per app. > > Greetings, > Malte > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stephen at saasindustries.com Fri Oct 6 14:07:17 2017 From: stephen at saasindustries.com (Stephen Henrie) Date: Fri, 6 Oct 2017 11:07:17 -0700 Subject: [keycloak-user] user count In-Reply-To: <1507276301.3676.13@smtp.gmail.com> References: <1507276301.3676.13@smtp.gmail.com> Message-ID: Done https://issues.jboss.org/browse/KEYCLOAK-5660 On Fri, Oct 6, 2017 at 12:51 AM, Stian Thorgersen wrote: > I would argue this is a bug. Could you create a JIRA please? > > On Fri, Oct 6, 2017 at 7:45 AM, Stephen Henrie > wrote: > > I think I just answered my own question....
>> It looks like the count api returns the total of the users and the
>> service accounts which exist in the realm. This seems a little weird to
>> me since it is not that easy identifying the difference between the two
>> types of users in the json data. Not sure if it is intended to work this
>> way or not.
>>
>> Regards,
>> Stephen
>>
>> On Thu, Oct 5, 2017 at 7:46 PM, Bruno Oliveira wrote:
>>> I just tried with 3.3.0.CR2, but could not find any issue. Would you
>>> mind giving it a try?
>>>
>>> On Thu, Oct 5, 2017 at 10:32 PM Stephen Henrie <stephen at saasindustries.com> wrote:
>>>> Hey all,
>>>>
>>>> I have Keycloak 3.2.1.Final configured with a realm that has 13 users
>>>> in it. When I call the API rest endpoint for GET
>>>> /admin/realms/{realm}/users, I get 13 user "records" back as expected.
>>>> However, when I call the API rest endpoint GET
>>>> /admin/realms/{realm}/users/count for the same realm, I get the number
>>>> 21 returned. I would have expected this to return the number 13.
>>>>
>>>> Has anyone else experienced this? Is there something that I am missing?
>>>>
>>>> Thanks
>>>> Stephen

From hmlnarik at redhat.com Fri Oct 6 14:59:08 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 6 Oct 2017 20:59:08 +0200
Subject: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
In-Reply-To: <1400625401.2676107.1507304333726@mail.yahoo.com>
References: <1400625401.2676107.1507304333726.ref@mail.yahoo.com> <1400625401.2676107.1507304333726@mail.yahoo.com>
Message-ID:

If step 1 completely bypasses Keycloak, then the question is not whether
Keycloak maintains the session for different clients but whether ADFS does.
Brokering Keycloak acts just as any other client (a.k.a. relying party in
ADFS) from the perspective of ADFS.

--Hynek

On Fri, Oct 6, 2017 at 5:38 PM, Jason Spittel wrote:
> Even in the case that SP app from step 1 was not through Keycloak?
>
> --------------------------------------------
> On Wed, 10/4/17, Hynek Mlnarik wrote:
>
> Subject: Re: [keycloak-user] Keycloak SAML Brokering, reusing login of another SAML application?
> To: "Jason Spittel"
> Cc: "Keycloak-user"
> Received: Wednesday, October 4, 2017, 1:27 PM
>
>> Yes. Keycloak supports this scenario regardless of brokering - this is a
>> basic single sign-on scenario.
>>
>> --Hynek
>>
>> On Wed, Oct 4, 2017 at 7:45 PM, Jason Spittel wrote:
>>> Does Keycloak, in SAML brokering mode, support the following scenario?
>>>
>>> 1. User logs into SP app 1.
>>> 2. User does not close browser but accesses SP app 2 (through Keycloak brokering).
>>> 3. Will Keycloak recognize authentication that user has done for step 1?
>>>
>>> In this case the IdP Keycloak is brokering to is AzureAD.
>>>
>>> Thanks,
>>>
>>> Jason

From adrianmatei at gmail.com Mon Oct 9 03:55:25 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 9 Oct 2017 09:55:25 +0200
Subject: [keycloak-user] UPDATE_PASSWORD won't go away for AD imported users...
Message-ID:

Hi Guys,

We've imported some Users from AD and they now have UPDATE_PASSWORD action
required, although this was not marked as *default_action*. The thing is
that we cannot click that away as admins - on top of that the
UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...

Any ideas? Would be very much appreciated...
Best regards,
Adrian

From t.ruiten at rdmedia.com Mon Oct 9 06:30:27 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Mon, 9 Oct 2017 12:30:27 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To: <4e622a0f-2fba-0ddd-185f-327cf0d14564@redhat.com>
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com> <4e622a0f-2fba-0ddd-185f-327cf0d14564@redhat.com>
Message-ID:

I finally got around to testing this with TRACE logging and found out that
I was looking in the wrong place: the 'Groups' -> 'User Groups' section of
the dashboard. Only direct members of the group would be shown there.

The groups for the user are showing correctly in the 'Groups' tab of the
particular user in the 'Users' setting in my test realm.

On 29 September 2017 at 16:56, Marek Posolda wrote:
> Maybe if you can enable TRACE logging for the "org.keycloak.storage.ldap"
> it may help. It shows the configuration at startup, but also it shows the
> LDAP queries. Maybe this can show why the roles can't be retrieved.
>
> Marek
>
> On 29/09/17 16:35, Tiemen Ruiten wrote:
>> Marek, thanks for your answer. I had already tried that and it didn't
>> work. I set up an AD federation and a role mapper in a clean testing realm
>> with the same results. If you are interested, I can share the realm
>> configuration with you for reproducing.
>>
>> On 29 September 2017 at 15:06, Marek Posolda wrote:
>>> In configuration of your LDAP Group mapper, you can select "User Roles
>>> Retrieve Strategy" to be "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY".
>>> Then it should be possible to recursively retrieve the memberships, hence
>>> the user will be treated as member of the "access" group too.
>>>
>>> This is specific to Active Directory, but since you're using it, it
>>> should work fine.
>>>
>>> Marek
>>>
>>> On 28/09/17 10:28, Tiemen Ruiten wrote:
>>>> Hm, I wrote this down the wrong way, apologies. What I meant to say was
>>>> that the *access* groups don't have any members, which they should have
>>>> from the user groups. Looks like my issue is
>>>> https://issues.jboss.org/browse/KEYCLOAK-1797. Nested groups are quite
>>>> common in Active Directory, it would be nice if this issue could receive
>>>> some attention.
>>>>
>>>> On 28 September 2017 at 09:41, Marek Posolda wrote:
>>>>> Not expected. It should work and our tests are passing. Looks like some
>>>>> mis-configuration or something. We have an example in keycloak-examples
>>>>> distribution called "ldap". Here you can see an example of how an LDAP
>>>>> role can be configured (no example for group-mapper yet, but it's quite
>>>>> similar to role mapper)
>>>>>
>>>>> Marek
>>>>>
>>>>> On 26/09/17 12:04, Tiemen Ruiten wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm testing with the following setup:
>>>>>>
>>>>>> In our Active Directory, which is federated to Keycloak, we have a
>>>>>> container with 'access' groups (groups that are used to give access to
>>>>>> certain applications, akin to Keycloak roles) and a container for 'user'
>>>>>> groups (e.g. sales, it, marketing etc.). Users are always only direct
>>>>>> members of a user group. The access groups can only have user groups as
>>>>>> members, never users.
>>>>>>
>>>>>> In Keycloak, I have created two LDAP-group-mappers for both containers,
>>>>>> but unfortunately, none of the user groups show any members. Is this
>>>>>> expected?
>>>>>>
>>>>>> Using Keycloak 3.2.1 Final.
-- 
Tiemen Ruiten
Systems Engineer
R&D Media

From mposolda at redhat.com Mon Oct 9 06:52:21 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Oct 2017 12:52:21 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To:
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com> <4e622a0f-2fba-0ddd-185f-327cf0d14564@redhat.com>
Message-ID: <21e79089-9040-10fe-965e-321487938a62@redhat.com>

I see.

Are you ok with this or do you also still need the proper stuff in the
'Groups' -> 'User Groups'? Feel free to create a JIRA if yes and add the
component "User Federation - LDAP" and the steps (the fact that you're
using MSAD with the LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY MSAD
extension). But I can't promise when exactly we do it, if ever...

Marek

On 09/10/17 12:30, Tiemen Ruiten wrote:
> I finally got around to testing this with TRACE logging and found out
> that I was looking in the wrong place: the 'Groups' -> 'User Groups'
> section of the dashboard. Only direct members of the group would be
> shown there.
>
> The groups for the user are showing correctly in the 'Groups' tab of
> the particular user in the 'Users' setting in my test realm.
>
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media

From mposolda at redhat.com Mon Oct 9 07:17:28 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Oct 2017 13:17:28 +0200
Subject: [keycloak-user] Keycloak Logout hangs for exactly 5.00 seconds
In-Reply-To: <3b9deb4701414b99b9ec92b0e37c9b04@celum.com>
References: <3b9deb4701414b99b9ec92b0e37c9b04@celum.com>
Message-ID: <131c3dda-f38f-0dc3-7b3e-f656d505c88c@redhat.com>

Does it also happen if you use a Keycloak-based servlet application with
the Keycloak-based adapter? Maybe some thread dumps might help to see when
exactly it is blocked?

Marek

On 06/10/17 11:58, William Drescher [CELUM] wrote:
> Hi there,
>
> We have the problem that when logging out, Keycloak hangs for exactly
> 5.00 seconds before it allows a redirect to the login page. Any ideas as
> to what could be causing this? We have a Java application using the
> Vert.x OAuth2 and use the AccessToken logout which logs out over the
> RestApi, but the same thing happens with the Java Keycloak library (also
> over rest)
>
> Would appreciate any tips for avenues of investigation,
>
> William Drescher

From mposolda at redhat.com Mon Oct 9 07:27:19 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Oct 2017 13:27:19 +0200
Subject: [keycloak-user] How to silently getting a new access token on Implicit Flow
In-Reply-To:
References:
Message-ID:

Hi,

there is no token refresh with the implicit flow. The proper way is to
always redirect to the Keycloak login screen, which will automatically
authenticate you through SSO and redirect you back.

A few tips:

- There is a callback "onTokenExpired".
See the bottom of the page
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-adapter.html
Maybe this can be used in your app to save the application state and then
redirect to the login screen?

- Maybe another approach is to use IFrames or custom XHR requests as you
pointed out. In Keycloak, we have the possibility to add custom REST
endpoints, so you can possibly add something which will let your app decide
if the userSession is still valid or not and add some info back. Or you can
just invoke the existing TokenIntrospection or UserInfo endpoints maybe?
But that's just a workaround and security is another concern here...

- Do you really need implicit flow? Maybe the standard flow is a better
choice as it allows you to refresh the token in the background
automatically?

Marek

On 06/10/17 10:26, Marcel van Tongeren wrote:
> Hi,
>
> I am working on an Aurelia SPA with Keycloak as the identity server.
> Since it is a web client, I'm using the Implicit variant of the OpenId
> Connect authorization flow.
> Authentication works fine, but I'm having a problem with getting a new
> access token, without interrupting the workflow of the user.
> The documentation states that I can't use UpdateToken (because there is
> no refresh token in Implicit flow) and that I should redirect to the
> login page instead.
>
> Currently, I'm calling keycloak.login({prompt:'none'}) to do the
> redirect, but the problem is that you will lose all the data that the
> user entered on the current page, because it has the same effect as a
> full page refresh.
> Now, I had the impression that the hidden IFrame was supposed to handle
> this, but I get the feeling that it is not much help when using the
> Implicit flow...?
>
> There is plenty of documentation about initial authentication, but I
> couldn't find anything about 'refreshing' the access token when using
> the Implicit flow.
> Is there another way to do the redirect, maybe from the IFrame, so it is
> all handled behind the scenes?
>
> Btw, at first the IFrame wasn't created at all, because Aurelia fully
> replaces its root element, which happens to be the body element by
> default.
> After I configured Aurelia's root element to be a child div of the body
> element, the IFrame seems to be created correctly.
>
> Best regards,
>
> Marcel

From t.ruiten at rdmedia.com Mon Oct 9 07:33:15 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Mon, 9 Oct 2017 13:33:15 +0200
Subject: [keycloak-user] can't resolve groups from multiple group mappers
In-Reply-To: <21e79089-9040-10fe-965e-321487938a62@redhat.com>
References: <43ae1784-d68d-ee05-0a28-434d5992c470@redhat.com> <4e622a0f-2fba-0ddd-185f-327cf0d14564@redhat.com> <21e79089-9040-10fe-965e-321487938a62@redhat.com>
Message-ID:

For me it's fine, I know now :) I guess it just confused me that it didn't
show anything at all in User Groups. Maybe it could show groups as members
as well, instead of only users? I'll create the JIRA.

On 9 October 2017 at 12:52, Marek Posolda wrote:
> I see.
>
> Are you ok with this or do you also still need the proper stuff in the
> 'Groups' -> 'User Groups'? Feel free to create a JIRA if yes and add the
> component "User Federation - LDAP" and the steps (the fact that you're
> using MSAD with the LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY MSAD
> extension). But I can't promise when exactly we do it, if ever...
>
> Marek
>
> On 09/10/17 12:30, Tiemen Ruiten wrote:
>> I finally got around to testing this with TRACE logging and found out
>> that I was looking in the wrong place: the 'Groups' -> 'User Groups'
>> section of the dashboard. Only direct members of the group would be
>> shown there.
>>
>> The groups for the user are showing correctly in the 'Groups' tab of
>> the particular user in the 'Users' setting in my test realm.

-- 
Tiemen Ruiten
Systems Engineer
R&D Media

From t.ruiten at rdmedia.com Mon Oct 9 08:14:50 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Mon, 9 Oct 2017 14:14:50 +0200
Subject: [keycloak-user] simplesamlphp attribute is expected but missing
Message-ID:

Hello,

I'm trying to authenticate Wordpress users with the help of the
wp-saml-auth plugin and the simplesamlphp library. I'm not sure if this is
an issue on the Keycloak side or on the PHP side, hopefully someone can
point me in the right direction.

The redirect from the Wordpress login page to Keycloak is going fine, so I
login on the Keycloak page, but after the redirect back to Wordpress, I'm
getting this error:

"mail" attribute is expected, but missing, in SAML response. Attribute is
used to fetch existing user by "email". Please contact your administrator.
The user has an email address and is coming from an AD federation. There is
a user-attribute-ldap-mapper set up that maps the User Model Attribute
'email' to LDAP attribute 'mail'. I tried setting up a User Property mapper
in the client that maps the property 'email' to SAML Attribute name 'email'
(also tested with 'mail'), but it didn't make a difference in the error
message.

What am I missing? Does the application need to request the SAML-attributes
explicitly? Is there a way to intercept the SAML-response in the browser?

-- 
Tiemen Ruiten
Systems Engineer
R&D Media

From hmlnarik at redhat.com Mon Oct 9 08:43:38 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 9 Oct 2017 14:43:38 +0200
Subject: [keycloak-user] simplesamlphp attribute is expected but missing
In-Reply-To:
References:
Message-ID:

Most likely you need to set up an attribute mapper for the SAML client
(Wordpress) in Keycloak [1]. That mapper would map the (Keycloak's) user
e-mail into a SAML attribute named "mail". If that does not help, check
the contents of the SAML response via SAML Tracer or a similar tool.

--Hynek

[1] http://www.keycloak.org/docs/latest/server_admin/topics/clients/protocol-mappers.html

On Mon, Oct 9, 2017 at 2:14 PM, Tiemen Ruiten wrote:
> Hello,
>
> I'm trying to authenticate Wordpress users with the help of the
> wp-saml-auth plugin and the simplesamlphp library. I'm not sure if this
> is an issue on the Keycloak side or on the PHP side, hopefully someone
> can point me in the right direction.
>
> The redirect from the Wordpress login page to Keycloak is going fine, so
> I login on the Keycloak page, but after the redirect back to Wordpress,
> I'm getting this error:
>
> "mail" attribute is expected, but missing, in SAML response. Attribute
> is used to fetch existing user by "email". Please contact your
> administrator.
>
> The user has an email address and is coming from an AD federation. There
> is a user-attribute-ldap-mapper set up that maps the User Model Attribute
> 'email' to LDAP attribute 'mail'. I tried setting up a User Property
> mapper in the client that maps the property 'email' to SAML Attribute
> name 'email' (also tested with 'mail'), but it didn't make a difference
> in the error message.
>
> What am I missing? Does the application need to request the
> SAML-attributes explicitly? Is there a way to intercept the SAML-response
> in the browser?
>
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media

From inofi at gmx.net Mon Oct 9 09:10:48 2017
From: inofi at gmx.net (Malte Finsterwalder)
Date: Mon, 9 Oct 2017 15:10:48 +0200
Subject: [keycloak-user] GSS-API: Checksum failed
Message-ID: <7c0e30cf-7f13-9694-9345-ae5cb82e017c@gmx.net>

Hi there,

I try to connect my Keycloak Server to an Active Directory Server for SSO
on Windows clients.
I got it to work on one server which is accessible via HTTP.

Now I built up a new server with RedHat SSO and made it accessible via
HTTPS only with an SSL certificate from our own authority.
When I try to connect this server to our Active Directory, I always get a
"Checksum failed" Error Message (see stacktrace below).
Which Checksum is failing? Is this a problem of the keytab file? Of the
SSL communication? ...?

Any ideas what's actually failing and what can cause this?
Greetings,
Malte


java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
    at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
    at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
    17 lines skipped for [javax.servlet, sun., org.jboss, java.lang.reflect.Method]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    7 lines skipped for [sun.]
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
    ... 61 more
Caused by: KrbException: Checksum failed
    7 lines skipped for [sun.]
    ... 70 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    4 lines skipped for [sun.]
    ... 76 more

From mposolda at redhat.com Mon Oct 9 09:21:46 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Oct 2017 15:21:46 +0200
Subject: [keycloak-user] UPDATE_PASSWORD won't go away for AD imported users...
In-Reply-To:
References:
Message-ID: <36279840-a704-424e-e5a4-412770b06f0f@redhat.com>

It's added by the MSAD account controls mapper. The mapper sees the state
in which the MSAD account is (based on the userAccountControls or
pwdLastSet attributes) and once it requires updating the password, it is
required from Keycloak as well.
Hence Keycloak adds the requiredAction UPDATE_PASSWORD to the user. What is the mode of your LDAP (WRITABLE, READ_ONLY or UNSYNCED)? In case that your MSAD is read-only, then removing the requiredAction likely doesn't work as MSAD can't be updated from Keycloak. Does Keycloak displays some error message in the admin console? Is it something in the log when you enable DEBUG logging for class org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper ? You can manually remove the mapper and then requiredAction shouldn't be present. However your users likely won't be able to login to the MSAD in case that their account is not in the proper state, which allows login (Mapper impl is supposed the catch the MSAD error message and handle it and convert to the Keycloak requiredAction). Marek On 09/10/17 09:55, Adrian Matei wrote: > Hi Guys, > > We've imported some Users from AD and they now have UPDATE_PASSWORD action > required, although this was not marked as *default_action*. The thing is > that we cannot click that away as admins - on top of that the > UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table... > > Any ideas? Would be very much appreciated... > > Best regards, > Adrian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Oct 9 09:32:52 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 9 Oct 2017 15:32:52 +0200 Subject: [keycloak-user] GSS-API: Checksum failed In-Reply-To: <7c0e30cf-7f13-9694-9345-ae5cb82e017c@gmx.net> References: <7c0e30cf-7f13-9694-9345-ae5cb82e017c@gmx.net> Message-ID: <946ef835-3dcb-0483-1d0c-a6b91a1949a5@redhat.com> This is some low-level Kerberos error. Typically it may be caused by the incorrect keytab as you pointed. Keytab doesn't use the correct principal. 
Or there are bad encryption type algorithms used in the /etc/krb5.conf file, which are not consistent with the keytab or not consistent with the server and client. Here some tip how can be checked if keytab is correct: https://stackoverflow.com/questions/8509087/checksum-failed-kerberos-spring-active-directory-2008 . Also it may help if you try HTTP on the new server too (just to nail down if it is really caused by the protocol http/https and not by some other misconfigurations). Also it's possible to enable some more logging to see the KErberos communication - see the "Troubleshooting" section of our Kerberos docs. Marek On 09/10/17 15:10, Malte Finsterwalder wrote: > Hi there, > > I try to connect my Keycloak Server to an Active Directory Server for > SSO on Windows clients. > I got it to work on one server which is accessible via HTTP. > > Now I built up a new server with RedHat SSO and made it accessible via > HTTPS only with an SSL certificate from our own authority. > When I try to connect this server to out Active Directory, I always get > a "Checksum failed" Error Message (see stracktrace below). > Which Checksum is failing? Is this a problem of the keytab file? Of the > SSL communication? ...? > > Any ideas what's actually failing and what can cause this? 
>
> Greetings,
> Malte
>
>
> java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
>         at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
>         at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
>         at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
>         at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
>         at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
>         at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
>         at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
>         at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
>         at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
>         17 lines skipped for [javax.servlet, sun., org.jboss, java.lang.reflect.Method]
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         7 lines skipped for [sun.]
>         at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
>         at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
>         at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
>         ... 61 more
> Caused by: KrbException: Checksum failed
>         7 lines skipped for [sun.]
>         ... 70 more
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         4 lines skipped for [sun.]
>         ... 76 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Oct 9 09:37:52 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Oct 2017 15:37:52 +0200
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To: 
References: 
Message-ID: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>

We didn't try to test this use-case though. But it may work as long as things are configured correctly. Maybe I would re-create the LDAP provider with the "Username LDAP attribute" set to "mail", but the "RDN LDAP Attribute" to "uid". Is this the configuration you're using?

If things still don't work, you can possibly create a JIRA. Ideally with the details of the configuration of your LDAP provider, realm (whether 'username as email' is enabled etc) and how LDAP users look like and how you expect them to look like after.

Regards,
Marek

On 04/10/17 15:45, Celso Agra wrote:
> Hi all,
>
> I'm getting a strange behavior.
>
> My LDAP (openldap) is configured as writable in my User Federation. So, I
> can create user from my Keycloak, but when I change the username, the user
> disappears from my user's list.
>
> I checked the LDAP and the user is still there, with the 'old' username. So, is
> there some way to change the username without it disappearing from the keycloak
> user's list?
>
> This occurs because in my case, username is the same as email. So, if the
> user changes email, I have to change the username also.
>
> I'm using version 3.0.0.Final
>
>
> Best regards

From mehdi_cit at hotmail.com Mon Oct 9 09:54:13 2017
From: mehdi_cit at hotmail.com (Mehdi Mehdi)
Date: Mon, 9 Oct 2017 13:54:13 +0000
Subject: [keycloak-user] How to only protect specific paths (SPA)
Message-ID: 

Hello everyone and thank you for sharing keycloak with the community.
I'm trying to use keycloak on my SPA (single page application with javascript in both front & back ends).

I only want to password protect specific paths and not all paths. The problem is that once I do require login

keycloak.init( {onLoad: 'login-required'})...

on some "sensitive path" all the other paths become protected. I suspected that would happen because I did not find a function to suspend "requiring a login".

Indeed, I did test this by going to the keycloak admin page and logged out the user (who was by then on a public/not-protected path). On my SPA the user got kicked out, asking her for a password through keycloak even though she was on a 'public path'.

In short, is there a way to instruct keycloak not to require a login?

BTW, I'm only using keycloak on the front end right now. Need to make it work before also using it on my API (back end).

Thank you in advance for your feedback.

From adrianmatei at gmail.com Mon Oct 9 10:44:00 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 9 Oct 2017 16:44:00 +0200
Subject: [keycloak-user] UPDATE_PASSWORD won't go away for AD imported users...
In-Reply-To: <36279840-a704-424e-e5a4-412770b06f0f@redhat.com>
References: <36279840-a704-424e-e5a4-412770b06f0f@redhat.com>
Message-ID: 

Hi Marek,

Thank you for the extensive answer. Before I imported the users in Keycloak I moved them from a different OU, and half of them got marked with the Update_password flag and deactivated in AD (I am still wondering what caused that...)

Once they've been corrected at the AD level the UPDATE_PASSWORD required action was gone, in accordance with your explanation.

Adrian

On Mon, Oct 9, 2017 at 3:21 PM, Marek Posolda wrote:
> It's added by the MSAD account controls mapper. The mapper sees the state in
> which the MSAD account is (based on userAccountControls or pwdLastSet
> attributes) and once it requires updating the password, it is required from
> the Keycloak as well.
> Hence Keycloak adds the requiredAction
> UPDATE_PASSWORD to the user.
>
> What is the mode of your LDAP (WRITABLE, READ_ONLY or UNSYNCED)? In case
> that your MSAD is read-only, then removing the requiredAction likely
> doesn't work as MSAD can't be updated from Keycloak. Does Keycloak display
> some error message in the admin console? Is there something in the log when
> you enable DEBUG logging for class
> org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper ?
>
> You can manually remove the mapper and then the requiredAction shouldn't be
> present. However your users likely won't be able to login to the MSAD in
> case that their account is not in the proper state which allows login
> (Mapper impl is supposed to catch the MSAD error message and handle it and
> convert it to the Keycloak requiredAction).
>
> Marek
>
>
> On 09/10/17 09:55, Adrian Matei wrote:
>
> Hi Guys,
>
> We've imported some Users from AD and they now have UPDATE_PASSWORD action
> required, although this was not marked as *default_action*. The thing is
> that we cannot click that away as admins - on top of that the
> UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...
>
> Any ideas? Would be very much appreciated...
>
> Best regards,
> Adrian

From celso.agra at gmail.com Mon Oct 9 12:54:34 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 9 Oct 2017 13:54:34 -0300
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>
References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>
Message-ID: 

Thanks for your answer, Marek!

Here are some of my configs. In addition, I put the same values to username and e-mail.
Here is my User Representation:

    UserRepresentation user = new UserRepresentation();
    user.setUsername(email);
    user.setFirstName(firstName);
    user.setLastName(lastName);
    user.setEnabled(true);
    user.setEmail(email);

Best regards,

Celso Agra

2017-10-09 10:37 GMT-03:00 Marek Posolda:
> We didn't try to test this use-case though. But it may work as long as
> things are configured correctly. Maybe I would re-create the LDAP provider
> with the "Username LDAP attribute" set to "mail", but the "RDN LDAP
> Attribute" to "uid". Is this the configuration you're using?
>
> If things still don't work, you can possibly create a JIRA. Ideally with
> the details of the configuration of your LDAP provider, realm (whether
> 'username as email' is enabled etc) and how LDAP users look like and how
> you expect them to look like after.
>
> Regards,
> Marek
>
>
> On 04/10/17 15:45, Celso Agra wrote:
>
> > Hi all,
> >
> > I'm getting a strange behavior.
> >
> > My LDAP (openldap) is configured as writable in my User Federation. So, I
> > can create user from my Keycloak, but when I change the username, the user
> > disappears from my user's list.
> >
> > I checked the LDAP and the user is still there, with the 'old' username. So, is
> > there some way to change the username without it disappearing from the keycloak
> > user's list?
> >
> > This occurs because in my case, username is the same as email. So, if the
> > user changes email, I have to change the username also.
> >
> > I'm using version 3.0.0.Final
> >
> >
> > Best regards
> >
>
>

--
---
Celso Agra

From K.Buler at adbglobal.com Tue Oct 10 05:06:48 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Tue, 10 Oct 2017 11:06:48 +0200
Subject: [keycloak-user] Can't login with certificate
Message-ID: <24d9ce6b-60e6-672e-99d3-e95d8ae5a20f@adbglobal.com>

Hi,

when I try to login with a certificate according to Keycloak's documentation instructions (http://www.keycloak.org/docs/latest/server_admin/topics/authentication/x509.html) I am getting this error:

curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

I also checked the logs in DEBUG level and there is:

11:01:50,494 DEBUG [io.undertow.request.io] (default I/O-4) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
        at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:920)
        at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1015)
        at io.undertow.protocols.ssl.UndertowSslConnection.closeAction(UndertowSslConnection.java:146)
        at org.xnio.Connection.close(Connection.java:132)
        at org.xnio.IoUtils.safeClose(IoUtils.java:134)
        at io.undertow.protocols.ssl.SslConduit$4$1.run(SslConduit.java:984)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
        at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
        at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
        ... 8 more

I don't know what is wrong.
Maybe someone of you had the same problem?

Regards,
Karol

From simonpayne58 at gmail.com Tue Oct 10 05:47:03 2017
From: simonpayne58 at gmail.com (Simon Payne)
Date: Tue, 10 Oct 2017 10:47:03 +0100
Subject: [keycloak-user] health check
Message-ID: 

does keycloak have any endpoints to check for operational health of a running instance?

which endpoint are we using for the purpose of monitoring health from the load balancer?

thanks

Simon.

From K.Buler at adbglobal.com Tue Oct 10 05:50:12 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Tue, 10 Oct 2017 11:50:12 +0200
Subject: [keycloak-user] Resolution for 99% of CORS's problems
In-Reply-To: 
References: <1280275420.9581719.1506365038329@mail.yahoo.com> <35c30a6d-7666-d6d3-40f7-111290159b59@adbglobal.com>
Message-ID: 

You are right Stian, IMO the best solution in Keycloak is '+', which permits the origins of all redirect URIs.

On 26.09.2017 15:17, Stian Thorgersen wrote:
> For the record using '*' as web origin is really rather bad from a
> security perspective and should ONLY be used in development/testing.
>
> On 26 September 2017 at 10:01, Karol Buler wrote:
> > I had exactly the same problem with "Access-Control-Allow-Origin" and my
> > solution resolved this. Which version of KC do you have? I'm using
> > 3.2.1.Final for now and didn't check on other versions.
> >
> > On the other hand what do you type into Web Origins? '*' or
> > 'https://135.112.123.183' ?
> >
> >
> > On 25.09.2017 20:43, shimin q wrote:
> > > Thanks for posting your solution, Karol. I have been having trouble
> > > with Keycloak CORS also.
> > > I followed your suggestion:
> > >
> > > 1 - set client Web Origins
> > > 2 - in Keycloak.json, added "enable-cors": true
> > >
> > > /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> > > {
> > >   "realm": "rtna",
> > >   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> > >   "auth-server-url": "https://135.112.123.194:8666/auth",
> > >   "ssl-required": "external",
> > >   "resource": "main",
> > >   "public-client": true,
> > >   "enable-cors": true
> > > }
> > >
> > > I am still getting error:
> > >
> > > 135.112.123.183/:1 XMLHttpRequest cannot load
> > > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> > > No 'Access-Control-Allow-Origin' header is present on the requested
> > > resource. Origin 'https://135.112.123.183' is therefore not allowed
> > > access.
> > >
> > > I also tried to add request header in
> > > /opt/sso/keycloak/standalone/configuration/standalone.xml, not
> > > working either.
> > >
> > > * If standalone.xml has name="Access-Control-Allow-Origin"
> > >   header-name="Access-Control-Allow-Origin" header-value="*"/>:
> > >
> > > I get the error: (index):82 keycloakinit done......
> > >
> > > (index):1 XMLHttpRequest cannot load
> > > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> > > The value of the 'Access-Control-Allow-Origin' header in the response
> > > must not be the wildcard '*' when the request's credentials mode is
> > > 'include'. Origin 'https://135.112.123.183' is therefore not allowed
> > > access.
> > > The credentials mode of requests initiated by the
> > > XMLHttpRequest is controlled by the withCredentials attribute.
> > >
> > > Is there anything I am missing? Any idea how to make it work would be
> > > appreciated!!
> > >
> > > On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler wrote:
> > > >
> > > > Hi,
> > > >
> > > > after huge amounts of hours of investigations I found the resolution
> > > > for almost all problems with CORS. I decided that maybe I am not alone
> > > > with it, so here you go:
> > > >
> > > > 1. Go to admin console of Keycloak and set 'Web Origins' of your
> > > > client to the address of your application (or just * ).
> > > >
> > > > 2. In your application.properties (keycloak.json) set keycloak.cors =
> > > > true (don't know the name of this property in keycloak.json).
> > > >
> > > > 3. That's it! Only 2 steps resolve almost all my problems with CORS in
> > > > our applications.
> > > >
> > > > Best regards,
> > > > Karol

From bruno at abstractj.org Tue Oct 10 06:24:56 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 10 Oct 2017 10:24:56 +0000
Subject: [keycloak-user] health check
In-Reply-To: 
References: 
Message-ID: 

I don't think we have something like this at the moment.
See: https://issues.jboss.org/browse/KEYCLOAK-1578

On Tue, Oct 10, 2017 at 6:52 AM Simon Payne wrote:
> does keycloak have any endpoints to check for operational health of a running
> instance?
>
> which endpoint are we using for the purpose of monitoring health from the load
> balancer?
>
>
> thanks
>
> Simon.

From mposolda at redhat.com Tue Oct 10 08:08:17 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Oct 2017 14:08:17 +0200
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To: 
References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>
Message-ID: 

Thanks.

I see it probably doesn't work as you have email as username and "uid" is used as both username attribute and RDN attribute. When you're changing the email of a user in Keycloak, it is trying to change "uid" in LDAP, but that's not allowed.

I can imagine that things might work if you configure "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to do some tricks with mappers and maybe implement your own LDAP mapper. If you don't manage to have this working, feel free to create a JIRA.

Marek

On 09/10/17 18:54, Celso Agra wrote:
> Thanks for your answer, Marek!
>
> Here are some of my configs. In addition, I put the same values to
> username and e-mail.
>
> Here is my User Representation:
>
>     UserRepresentation user = new UserRepresentation();
>     user.setUsername(email);
>     user.setFirstName(firstName);
>     user.setLastName(lastName);
>     user.setEnabled(true);
>     user.setEmail(email);
>
>
> Best regards,
>
> Celso Agra
>
>
> 2017-10-09 10:37 GMT-03:00 Marek Posolda:
> > We didn't try to test this use-case though. But it may work as
> > long as things are configured correctly.
> > Maybe I would re-create
> > the LDAP provider with the "Username LDAP attribute" set to
> > "mail", but the "RDN LDAP Attribute" to "uid". Is this the
> > configuration you're using?
> >
> > If things still don't work, you can possibly create a JIRA.
> > Ideally with the details of the configuration of your LDAP
> > provider, realm (whether 'username as email' is enabled etc) and
> > how LDAP users look like and how you expect them to look like after.
> >
> > Regards,
> > Marek
> >
> >
> > On 04/10/17 15:45, Celso Agra wrote:
> >
> > > Hi all,
> > >
> > > I'm getting a strange behavior.
> > >
> > > My LDAP (openldap) is configured as writable in my User
> > > Federation. So, I can create user from my Keycloak, but when I change the
> > > username, the user disappears from my user's list.
> > >
> > > I checked the LDAP and the user is still there, with the 'old'
> > > username. So, is there some way to change the username without it
> > > disappearing from the keycloak user's list?
> > >
> > > This occurs because in my case, username is the same as email.
> > > So, if the user changes email, I have to change the username also.
> > >
> > > I'm using version 3.0.0.Final
> > >
> > >
> > > Best regards
> >
> >
>
>
> --
> ---
> Celso Agra

From mposolda at redhat.com Tue Oct 10 08:13:00 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Oct 2017 14:13:00 +0200
Subject: [keycloak-user] How to only protect specific paths (SPA)
In-Reply-To: 
References: 
Message-ID: 

Can't you "compute" the value of the onLoad attribute based on the current path? Maybe I don't understand your usecase properly, so maybe not the best solution, just guessing...

Marek

On 09/10/17 15:54, Mehdi Mehdi wrote:
> Hello everyone and thank you for sharing keycloak with the community.
>
> I'm trying to use keycloak on my SPA (single page application with javascript in both front & back ends).
>
> I only want to password protect specific paths and not all paths. The problem is that once I do require login
>
> keycloak.init( {onLoad: 'login-required'})...
> on some "sensitive path" all the other paths become protected. I suspected that would happen because I did not find a function to suspend "requiring a login".
>
> Indeed, I did test this by going to the keycloak admin page and logged out the user (who was by then on a public/not-protected path). On my SPA the user got kicked out, asking her for a password through keycloak even though she was on a 'public path'.
>
> In short, is there a way to instruct keycloak not to require a login?
>
> BTW, I'm only using keycloak on the front end right now. Need to make it work before also using it on my API (back end).
>
> Thank you in advance for your feedback.

From lganga14 at gmail.com Tue Oct 10 09:28:41 2017
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Tue, 10 Oct 2017 18:58:41 +0530
Subject: [keycloak-user] Getting error Didn't find publicKey for specified kid
Message-ID: 

Hi,

We have migrated from keycloak 1.9 to 3.2 recently and we have our app deployed in wildfly 10. The keycloak.json file is configured with the bearer only client and we use angular js as front end. We get the below error while trying to call REST apis with the bearer token.
2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-3) Didn't find publicKey for kid: ZYQgZN0Duih0dG81_cNfvZYUDG78bZJ6y3CyVzich88
2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-3) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
        at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
        at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
        at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
        at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
        at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)

Please help in resolving the error.

Regards,
Ganga Lakshmanasamy

From sumitdas66 at gmail.com Tue Oct 10 10:34:33 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Tue, 10 Oct 2017 20:04:33 +0530
Subject: [keycloak-user] Cannot pass idpHint option to Keycloak
Message-ID: 

Hi

I am using an IDP provider for authentication and trying to bypass the standard keycloak login screen (so I need to go immediately to the IDP specific authorization screen). According to this documentation (http://www.keycloak.org/docs/latest/server_admin/topics/identity-broker/suggested.html#_client_suggested_idp), we can simply provide idpHint for this. Though that doesn't work.
Following is the piece of code:

    var keycloakAuth = new Keycloak('keycloak.json');
    keycloakAuth.createLoginUrl({idpHint: 'ad-oidc'});

It failed with:

    Unable to get property 'redirectUri' of undefined or null reference

As far as I understand that's because the adapter is not created yet. So probably we need to pass this option sometime later. But I am not sure where exactly I am supposed to do that.

Your help and earliest response is awaited.

Regards
Sumit Das
Mobile No.- +91-9986872466

From lynne.lawrence at macefusion.com Tue Oct 10 11:35:47 2017
From: lynne.lawrence at macefusion.com (Lynne Lawrence)
Date: Tue, 10 Oct 2017 11:35:47 -0400
Subject: [keycloak-user] Use Keycloak 2.5 Tomcat Adapter with RH-SSO 7.1?
Message-ID: 

I feel sure that this question has already been answered but I have searched and searched and cannot find it, so please forgive me if I am being redundant. I am wondering: can the Keycloak 2.5 Tomcat adapter be used with the RH-SSO 7.1 server?

Thanks,
Lynne Lawrence

--
Lynne Lawrence
MACE | SNC
lynne.lawrence at macefusion.com

From stephen at saasindustries.com Tue Oct 10 12:00:10 2017
From: stephen at saasindustries.com (Stephen Henrie)
Date: Tue, 10 Oct 2017 09:00:10 -0700
Subject: [keycloak-user] health check
In-Reply-To: 
References: 
Message-ID: 

I am using this api endpoint for health check

/auth/realms/chassi/.well-known/openid-configuration

On Tue, Oct 10, 2017 at 3:24 AM, Bruno Oliveira wrote:
> I don't think we have something like this at the moment. See:
> https://issues.jboss.org/browse/KEYCLOAK-1578
>
> On Tue, Oct 10, 2017 at 6:52 AM Simon Payne wrote:
> > does keycloak have any endpoints to check for operational health of a
> > running instance?
> >
> > which endpoint are we using for the purpose of monitoring health from the
> > load balancer?
> >
> >
> > thanks
> >
> > Simon.
From tobias.hinz at gmail.com Tue Oct 10 18:12:01 2017
From: tobias.hinz at gmail.com (Herrmann Hinz)
Date: Wed, 11 Oct 2017 00:12:01 +0200
Subject: [keycloak-user] feature request: ldap protocol as authentication frontend
Message-ID: 

hello all,

afaik at the moment it's not possible to authenticate against a keycloak installation via the ldap/s protocol. is this correct? if so: any plans on integrating it? is there any work done already? would be very helpful to have this integrated into keycloak. would it even complete more.

thanks for your answers in ahead,
tobias

From celso.agra at gmail.com Tue Oct 10 18:14:24 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 10 Oct 2017 19:14:24 -0300
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To: 
References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>
Message-ID: 

I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute" and set some configs on LDAP Mapper, but I got an error:

    Could not create user: org.keycloak.models.ModelException: RDN Attribute [uid] is not filled. Filled attributes: {mail=[], cn=[ ], sn=[ ], createTimestamp=[], modifyTimestamp=[]}

maybe changing the username could be a bad practice. Could be better if I set a special number on username, such as timestamp. This could solve my issue

Thanks Marek

2017-10-10 9:08 GMT-03:00 Marek Posolda:
> Thanks.
>
> I see it probably doesn't work as you have email as username and "uid" is
> used as both username attribute and RDN attribute.
> When you're changing the
> email of a user in Keycloak, it is trying to change "uid" in LDAP, but that's
> not allowed.
>
> I can imagine that things might work if you configure "mail" as "Username
> LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to
> do some tricks with mappers and maybe implement your own LDAP mapper. If
> you don't manage to have this working, feel free to create a JIRA.
>
> Marek
>
>
>
> On 09/10/17 18:54, Celso Agra wrote:
> > Thanks for your answer, Marek!
> >
> > Here are some of my configs. In addition, I put the same values to username
> > and e-mail.
> >
> > Here is my User Representation:
> >
> >     UserRepresentation user = new UserRepresentation();
> >     user.setUsername(email);
> >     user.setFirstName(firstName);
> >     user.setLastName(lastName);
> >     user.setEnabled(true);
> >     user.setEmail(email);
> >
> >
> > Best regards,
> >
> > Celso Agra
> >
> >
> > 2017-10-09 10:37 GMT-03:00 Marek Posolda:
> > > We didn't try to test this use-case though. But it may work as long as
> > > things are configured correctly. Maybe I would re-create the LDAP provider
> > > with the "Username LDAP attribute" set to "mail", but the "RDN LDAP
> > > Attribute" to "uid". Is this the configuration you're using?
> > >
> > > If things still don't work, you can possibly create a JIRA. Ideally with
> > > the details of the configuration of your LDAP provider, realm (whether
> > > 'username as email' is enabled etc) and how LDAP users look like and how
> > > you expect them to look like after.
> > >
> > > Regards,
> > > Marek
> > >
> > >
> > > On 04/10/17 15:45, Celso Agra wrote:
> > >
> > > > Hi all,
> > > >
> > > > I'm getting a strange behavior.
> > > >
> > > > My LDAP (openldap) is configured as writable in my User Federation. So, I
> > > > can create user from my Keycloak, but when I change the username, the
> > > > user disappears from my user's list.
> > > >
> > > > I checked the LDAP and the user is still there, with the 'old' username. So,
> > > > is there some way to change the username without it disappearing from the
> > > > keycloak user's list?
> > > >
> > > > This occurs because in my case, username is the same as email. So, if the
> > > > user changes email, I have to change the username also.
> > > >
> > > > I'm using version 3.0.0.Final
> > > >
> > > >
> > > > Best regards
> > > >
> > >
> > >
> > >
> >
> >
> > --
> > ---
> > Celso Agra
> >
> >
>

--
---
Celso Agra

From mposolda at redhat.com Wed Oct 11 02:34:02 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Oct 2017 08:34:02 +0200
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To: 
References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com>
Message-ID: <9e49ee73-c9c3-7e3e-e51c-278296bd3eb4@redhat.com>

Yes, I was wondering whether you would maybe see some error like this. And +1 to set some other non-changeable attribute as "uid". I am sure that it's doable with a custom LDAP mapper, which will add the value just during the registration time, but not update it later. Maybe the best is to use just the first part of the "initial" email as username. Something like:

- User registers with john123 at email.com
- Mapper will extract just the first part of the email, so "john123", and use it as RDN of LDAP. So the user in LDAP will be saved like "uid=john123,cn=users,dc=example,dc=com"
- When email is changed to "john123-updated at email.cz", the UID will remain unchanged and will still be "uid=john123,cn=users,dc=example,dc=com"

Maybe timestamp is useful as well, not sure.

Marek

On 11.10.2017 at 00:14, Celso Agra wrote:
> I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN
> LDAP Attribute" and set some configs on LDAP Mapper,
> but I got an error:
>
>     Could not create user: org.keycloak.models.ModelException: RDN
>     Attribute [uid] is not filled. Filled attributes: {mail=[], cn=[
>     ], sn=[ ], createTimestamp=[], modifyTimestamp=[]}
>
>
> maybe changing the username could be a bad practice. Could be better if I
> set a special number on username, such as timestamp.
This could solve > my issue > > Thanks Marek > > 2017-10-10 9:08 GMT-03:00 Marek Posolda >: > > Thanks. > > I see it probably doesn't work as you have email as username and > "uid" is used as both username attribute and RDN attribute. When > you're changing email of user in Keycloak, it is trying to change > "uid" in LDAP, but that's not allowed. > > I can imagine that things might work if you configure "mail" as > "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute", but > you probably need to do some tricks with mappers and maybe > implement your own LDAP mapper. If you don't manage to have this > working, feel free to create JIRA. > > Marek > > > > On 09/10/17 18:54, Celso Agra wrote: >> Thanks for your answer, Marek! >> >> Here is some of my configs. In addition, I put the same values to >> username and e-mail. >> >> Here is my User Representation: >> >> UserRepresentation user = new UserRepresentation(); >> user.setUsername(email); >> user.setFirstName(firstName; >> user.setLastName(lastName); >> user.setEnabled(true); >> user.setEmail(email); >> >> >> Best regards, >> >> Celso Agra >> >> >> 2017-10-09 10:37 GMT-03:00 Marek Posolda > >: >> >> We didn't try to test this use-case though. But it may work >> as long as things are configured correctly. Maybe I would >> re-create the LDAP provider with the "Username LDAP >> attribute" be set to "mail", but the "RDN LDAP Attribute" to >> "uid" . Is this the configuration you're using? >> >> If things still doesn't work, you can possibly create JIRA . >> Ideally with the details of the configuration of your LDAP >> provider, realm (whether 'username as email' is enabled etc) >> and how LDAP users looks like and how you expect them to look >> like after. >> >> Regards, >> Marek >> >> >> On 04/10/17 15:45, Celso Agra wrote: >> >> Hi all, >> >> I'm getting a strange behavior. >> >> My LDAP (openldap) is configured as writable in my User >> Federation. 
>> So, I
>> can create user from my Keycloak, but when I change the
>> username, the user
>> disappear from my user's list.
>>
>> I check the LDAP and the user still there, with the 'old'
>> username. So, is
>> there some way to change the username without disappear
>> from the keycloak
>> user's list?
>>
>> This occurs because in my case, username as the same of
>> email. So, If the
>> user changes email, I have to change the username also.
>>
>> I'm using version 3.0.0.Final
>>
>>
>> Best regards
>>
>> --
>> ---
>> *Celso Agra*
>
> --
> ---
> *Celso Agra*

From bruno at abstractj.org Wed Oct 11 08:26:28 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 11 Oct 2017 09:26:28 -0300
Subject: [keycloak-user] 405 on importing a realm
In-Reply-To: References: Message-ID: <20171011122628.GA24376@abstractj.org>

I'm moving this discussion to keycloak-user, the appropriate place to ask these questions. This should work:

#!/bin/bash

REALM="master"

export TKN=$(curl -v -X POST "http://localhost:8080/auth/realms/$REALM/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d 'password=admin' \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token')

curl -v -X POST -H "Content-Type:application/json" -H "Authorization: Bearer $TKN" -d "@/path/of/your/realm/testrealm.json" http://localhost:8080/auth/admin/realms

On 2017-10-11, Kishan Sagathiya wrote:
> Hi,
> I am getting '405 Method Not Allowed' on trying to create a realm using
> keycloak's admin rest api.
>
> Following is the command that I am running
>
> curl -H "Content-Type: application/json" -H "Authorization: bearer
> $ACCESS_TOKEN" -d 'rep=$CONTENT_OF_THE_JSONFILE' -D- -X POST "
> http://mykeycloakurl.com/auth/admin/realms/master"
>
> Is this the right way?
> _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev -- abstractj From mposolda at redhat.com Wed Oct 11 08:41:10 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 11 Oct 2017 14:41:10 +0200 Subject: [keycloak-user] feature request: ldap protocol as authentication frontend In-Reply-To: References: Message-ID: <943189ae-c09e-a816-ebdd-6ee8adb2f77f@redhat.com> We have support for LDAP. It's documented here [1] . Keycloak is able to lookup users from the LDAP and login users with their LDAP username/passwords + bunch of other things (Attribute mappings, role/group mappings, writable or read-only etc). Or did I misunderstood what usecase exactly you mean? [1] http://www.keycloak.org/docs/latest/server_admin/topics/user-federation/ldap.html Marek On 11/10/17 00:12, Herrmann Hinz wrote: > hello all, > > afaik at the moment its not possible to authenticate against an keycloak > installation via ldap/s protocol. is this correct? > > if so: any plans on integrating it? is there any work done already? > > would be very helpful to have this integrated into keycloak. would it even > complete more. > > thanks for your answers in ahead, > > tobias > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Oct 11 08:45:03 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 11 Oct 2017 14:45:03 +0200 Subject: [keycloak-user] Cannot pass idpHint option to Keycloak In-Reply-To: References: Message-ID: <6730d02e-a85a-5562-330a-933ca2b8c6a4@redhat.com> We have the example in the workspace, which is using. It's not part of the official examples distribution and maybe doesn't work, but hopefully might still give you some more hints about how to use and init this stuff. 
Also see the docs for our javascript adapter in the official docs. Example is here: https://github.com/keycloak/keycloak/tree/master/examples/broker/twitter-authentication Marek On 10/10/17 16:34, Sumit Das wrote: > Hi > > ??I am using *IDP provider for authentication and trying to bypass the > standard keycloak login screen *(so I need to go immediately to the IDP > specific authorization screen). According to this documentation ( > http://www.keycloak.org/docs/latest/server_admin/topics/identity-broker/suggested.html#_client_suggested_idp), > *we can simply provide idpHint* for this. Though that doesn't work. > > Following is the piece of code:- > *var keycloakAuth = new Keycloak('keycloak.json');* > *keycloakAuth.createLoginUrl({idpHint: 'ad-oidc'});* > > It failed with:- > *Unable to get property 'redirectUri' of undefined or null reference* > > As far as I understand that's because* adapter is not created yet*. So > probably we need to pass this option sometimes later. But I am not sure > where exactly am I supposed to do that. > > Your help and earliest response is awaited. > > *?Regards?* > > *Sumit Das* > *Mobile No.- +91-9986872466 * > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tobias.hinz at gmail.com Wed Oct 11 08:49:20 2017 From: tobias.hinz at gmail.com (Herrmann Hinz) Date: Wed, 11 Oct 2017 14:49:20 +0200 Subject: [keycloak-user] feature request: ldap protocol as authentication frontend In-Reply-To: <943189ae-c09e-a816-ebdd-6ee8adb2f77f@redhat.com> References: <943189ae-c09e-a816-ebdd-6ee8adb2f77f@redhat.com> Message-ID: hallo marek, im talking about ldap as authentication protocol. atm available auth protocols are SAMl and OpenID (this one is used to authenticate against a docker registry as well afaik). 
my usecase is: - we have an internal ldap/ad server in the company - we want to be independent at a later stage of this - until then we want to setup keycloak as "man in the middle" (ldap proxy so to say) - we would like to enrich the user database on our keycloak with own technical users for ci/cd components like jenkins, nexus, u name it... - we would like to use keycloaks SSO posibilities - now: some cicd backends do not support SAML or OpenID - what if we could talk to keycloak via LDAP authentication protocol instead of using the one company AD (which does not know yet about the technical users) do you get my point? thanks, tobias -------------------------------- Tobias Herrmann Hinz mobil: 01522 1940 885 -------------------------------- On 11 October 2017 at 14:41, Marek Posolda wrote: > We have support for LDAP. It's documented here [1] . Keycloak is able to > lookup users from the LDAP and login users with their LDAP > username/passwords + bunch of other things (Attribute mappings, role/group > mappings, writable or read-only etc). > > Or did I misunderstood what usecase exactly you mean? > > [1] http://www.keycloak.org/docs/latest/server_admin/topics/user > -federation/ldap.html > > Marek > > > On 11/10/17 00:12, Herrmann Hinz wrote: > >> hello all, >> >> afaik at the moment its not possible to authenticate against an keycloak >> installation via ldap/s protocol. is this correct? >> >> if so: any plans on integrating it? is there any work done already? >> >> would be very helpful to have this integrated into keycloak. would it even >> complete more. 
>> >> thanks for your answers in ahead, >> >> tobias >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From mposolda at redhat.com Wed Oct 11 08:50:15 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 11 Oct 2017 14:50:15 +0200 Subject: [keycloak-user] Getting error Didn't find publicKey for specified kid In-Reply-To: References: Message-ID: Don't you have the public key hardcoded in the keycloak.json of your adapter file? Aka property "realm-public-key" ? It's recommended to remove it and adapter is supposed to download the public keys from the Keycloak server once it recognize that publicKey with unknown KID was sent to it. See our examples, for example: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/database-service/src/main/webapp/WEB-INF/keycloak.json Marek On 10/10/17 15:28, Ganga Lakshmanasamy wrote: > Hi, > > We have migrated from keycloak 1.9 to 3.2 recently and we have our app > deployed in wildfly 10. The keycloak.json file is configured with the > bearer only client and we use angular js as front end. We get the below > error while trying to call REST apis with the bearer token. 
> 2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-3) Didn't find publicKey for kid: ZYQgZN0Duih0dG81_cNfvZYUDG78bZJ6y3CyVzich88
> 2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-3) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
>   at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
>   at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>   at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>   at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>   at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>   at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>
> Please help in resolving the error.
>
> Regards,
> Ganga Lakshmanasamy
>
> Virus-free.
> www.avg.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Oct 11 08:59:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Oct 2017 14:59:56 +0200
Subject: [keycloak-user] feature request: ldap protocol as authentication frontend
In-Reply-To: References: <943189ae-c09e-a816-ebdd-6ee8adb2f77f@redhat.com>
Message-ID: <914c3c48-f8a5-b2c3-1b65-e9ac1f3e4ce0@redhat.com>

No, Keycloak itself doesn't talk with the applications through the LDAP protocol. I suggest to take a look at ApacheDS for this. It is written in Java and allows you to plug the "source" of identities like users etc.
Maybe there is a way to connect it somehow to Keycloak DB and take users from there, but it will be lots of coding needed though. We are using ApacheDS in our testsuite, you can take a look for inspiration: https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#ldap-server Marek On 11/10/17 14:49, Herrmann Hinz wrote: > hallo marek, > > im talking about ldap as authentication protocol. > atm available auth protocols are SAMl and OpenID (this one is used to > authenticate against a docker registry as well afaik). > > my usecase is: > > - we have an internal ldap/ad server in the company > - we want to be independent at a later stage of this > - until then we want to setup keycloak as "man in the middle" (ldap > proxy so to say) > - we would like to enrich the user database on our keycloak with own > technical users for ci/cd components like jenkins, nexus, u name it... > - we would like to use keycloaks SSO posibilities > - now: some cicd backends do not support SAML or OpenID - what if we > could talk to keycloak via LDAP authentication protocol instead of > using the one company AD (which does not know yet about the technical > users) > > > do you get my point? > > thanks, > > tobias > > -------------------------------- > Tobias Herrmann Hinz > mobil: 01522 1940 885 > -------------------------------- > > > On 11 October 2017 at 14:41, Marek Posolda > wrote: > > We have support for LDAP. It's documented here [1] . Keycloak is > able to lookup users from the LDAP and login users with their LDAP > username/passwords + bunch of other things (Attribute mappings, > role/group mappings, writable or read-only etc). > > Or did I misunderstood what usecase exactly you mean? > > [1] > http://www.keycloak.org/docs/latest/server_admin/topics/user-federation/ldap.html > > > Marek > > > On 11/10/17 00:12, Herrmann Hinz wrote: > > hello all, > > afaik at the moment its not possible to authenticate against > an keycloak > installation via ldap/s protocol. 
> is this correct?
>
> if so: any plans on integrating it? is there any work done
> already?
>
> would be very helpful to have this integrated into keycloak.
> would it even
> complete more.
>
> thanks for your answers in ahead,
>
> tobias
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Helin.Paulraj.consultant at sothebys.com Wed Oct 11 09:39:26 2017
From: Helin.Paulraj.consultant at sothebys.com (Paulraj, Helin)
Date: Wed, 11 Oct 2017 13:39:26 +0000
Subject: [keycloak-user] Keycloak (opening new tab) issue
Message-ID:

Hi All,

Clicking a link opens a new tab, but redirects the new tab to the homepage instead of displaying the link's content. Also keycloak token verification takes too long on this new tab. Sometimes the keycloak token refresh happens multiple times on the new tab, but never gets successful. I want the link's content to be displayed on the new tab instead of being redirected to the homepage. Has someone faced a similar issue and got it fixed?

Thanks,
Helin

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the postmaster at postmaster at sothebys.com. www.sothebys.com
**********************************************************************

From tobias.hinz at gmail.com Wed Oct 11 14:06:47 2017
From: tobias.hinz at gmail.com (Herrmann Hinz)
Date: Wed, 11 Oct 2017 20:06:47 +0200
Subject: [keycloak-user] feature request: ldap protocol as authentication frontend
In-Reply-To: <914c3c48-f8a5-b2c3-1b65-e9ac1f3e4ce0@redhat.com>
References: <943189ae-c09e-a816-ebdd-6ee8adb2f77f@redhat.com> <914c3c48-f8a5-b2c3-1b65-e9ac1f3e4ce0@redhat.com>
Message-ID:

okay thank you. what a pity.
like i said: feature-request ;D -------------------------------- Tobias Herrmann Hinz mobil: 01522 1940 885 -------------------------------- On 11 October 2017 at 14:59, Marek Posolda wrote: > No, Keycloak itself doesn't talking with the applications through the LDAP > protocol. > > I suggest to take a look at ApacheDS for this. It is written in Java and > allows you to plug the "source" of identities like users etc. Maybe there > is a way to connect it somehow to Keycloak DB and take users from there, > but it will be lots of coding needed though. We are using ApacheDS in our > testsuite, you can take a look for inspiration: > https://github.com/keycloak/keycloak/blob/master/misc/ > Testsuite.md#ldap-server > > Marek > > > > On 11/10/17 14:49, Herrmann Hinz wrote: > > hallo marek, > > im talking about ldap as authentication protocol. > atm available auth protocols are SAMl and OpenID (this one is used to > authenticate against a docker registry as well afaik). > > my usecase is: > > - we have an internal ldap/ad server in the company > - we want to be independent at a later stage of this > - until then we want to setup keycloak as "man in the middle" (ldap proxy > so to say) > - we would like to enrich the user database on our keycloak with own > technical users for ci/cd components like jenkins, nexus, u name it... > - we would like to use keycloaks SSO posibilities > - now: some cicd backends do not support SAML or OpenID - what if we could > talk to keycloak via LDAP authentication protocol instead of using the one > company AD (which does not know yet about the technical users) > > > do you get my point? > > thanks, > > tobias > > -------------------------------- > Tobias Herrmann Hinz > mobil: 01522 1940 885 <01522%201940885> > -------------------------------- > > > On 11 October 2017 at 14:41, Marek Posolda wrote: > >> We have support for LDAP. It's documented here [1] . 
Keycloak is able to >> lookup users from the LDAP and login users with their LDAP >> username/passwords + bunch of other things (Attribute mappings, role/group >> mappings, writable or read-only etc). >> >> Or did I misunderstood what usecase exactly you mean? >> >> [1] http://www.keycloak.org/docs/latest/server_admin/topics/user >> -federation/ldap.html >> >> Marek >> >> >> On 11/10/17 00:12, Herrmann Hinz wrote: >> >>> hello all, >>> >>> afaik at the moment its not possible to authenticate against an keycloak >>> installation via ldap/s protocol. is this correct? >>> >>> if so: any plans on integrating it? is there any work done already? >>> >>> would be very helpful to have this integrated into keycloak. would it >>> even >>> complete more. >>> >>> thanks for your answers in ahead, >>> >>> tobias >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > > From pkboucher801 at gmail.com Wed Oct 11 15:00:57 2017 From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Wed, 11 Oct 2017 15:00:57 -0400 Subject: [keycloak-user] Cannot pass idpHint option to Keycloak In-Reply-To: <6730d02e-a85a-5562-330a-933ca2b8c6a4@redhat.com> References: <6730d02e-a85a-5562-330a-933ca2b8c6a4@redhat.com> Message-ID: <002101d342c3$45d8fa20$d18aee60$@gmail.com> We made it work with some tweaks to keycloak.js (lines 117-122 and 147-148 in the attached). -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda Sent: Wednesday, October 11, 2017 8:45 AM To: Sumit Das ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Cannot pass idpHint option to Keycloak We have the example in the workspace, which is using. 
It's not part of the official examples distribution and maybe doesn't work, but hopefully might still give you some more hints about how to use and init this stuff. Also see the docs for our javascript adapter in the official docs. Example is here: https://github.com/keycloak/keycloak/tree/master/examples/broker/twitter-authentication Marek On 10/10/17 16:34, Sumit Das wrote: > Hi > > ??I am using *IDP provider for authentication and trying to bypass the > standard keycloak login screen *(so I need to go immediately to the IDP > specific authorization screen). According to this documentation ( > http://www.keycloak.org/docs/latest/server_admin/topics/identity-broker/suggested.html#_client_suggested_idp), > *we can simply provide idpHint* for this. Though that doesn't work. > > Following is the piece of code:- > *var keycloakAuth = new Keycloak('keycloak.json');* > *keycloakAuth.createLoginUrl({idpHint: 'ad-oidc'});* > > It failed with:- > *Unable to get property 'redirectUri' of undefined or null reference* > > As far as I understand that's because* adapter is not created yet*. So > probably we need to pass this option sometimes later. But I am not sure > where exactly am I supposed to do that. > > Your help and earliest response is awaited. 
> > *?Regards?* > > *Sumit Das* > *Mobile No.- +91-9986872466 * > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From jayblanc at gmail.com Wed Oct 11 16:28:58 2017 From: jayblanc at gmail.com (=?UTF-8?B?SsOpcsO0bWUgQmxhbmNoYXJk?=) Date: Wed, 11 Oct 2017 20:28:58 +0000 Subject: [keycloak-user] Authentication & Registration from Android application Message-ID: Hi all, In order to include keycloak in a android app, I'd like to know if somebody as a solution for this integration. We needs to handle authentication but also account creation from the android app (or ios). We use Ionic for the app to be available from web browser and native phone app. In the native app, authentication open a browser page from the native app but, as we could imagine, the authentication process is not able to go back to the native app... I know that it is possible to create a dedicated login page inside the app using the Direct Grant Access mechanism but I'd like to know if there is other solution (like an Intent but compatible with keycloak) ? Second and major problem for integration is that we'd like users to be able to start an account creation from the Android app directly. As I understand, only admin API allows to perform user creation so I imagine that I will have to create a dedicated 'proxy' webapp, acting as a keycloak admin and relying android app backend calls for real keycloak account creation... Is anybody have a more confortable solution avoiding developing such 'proxy' ? Thanks a lot for you support, best regards, Jerome. 
From teatimej at gmail.com Wed Oct 11 19:08:34 2017 From: teatimej at gmail.com (Michael Mok) Date: Thu, 12 Oct 2017 07:08:34 +0800 Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-4818) Undeclared namespace prefix "ds" Message-ID: Hi All For those who reported the issue with SAML2 missing dsig name space, I like to confirm that issue KEYCLOAK-4818 is still outstanding. It is still a problem in both 3.3.0 CR1 and 3.3.0 CR2. Best Regards Michael Mok From celso.agra at gmail.com Wed Oct 11 21:01:15 2017 From: celso.agra at gmail.com (Celso Agra) Date: Wed, 11 Oct 2017 22:01:15 -0300 Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username In-Reply-To: <9e49ee73-c9c3-7e3e-e51c-278296bd3eb4@redhat.com> References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com> <9e49ee73-c9c3-7e3e-e51c-278296bd3eb4@redhat.com> Message-ID: There's a different kind of emails on my project, such as John at company01.br, and also another John from another company, such as John at company02.br. So... I solve that, using System.currentTimeMilis(); as username. This could be unique and non-changeable. Thanks again Marek! Best Regards, Celso Agra Em qua, 11 de out de 2017 ?s 03:34, Marek Posolda escreveu: > Yes, I was wondering that maybe you will see some error like this. And +1 > to set some other non-changeable attribute as "uid" . I am sure that it's > doable with custom LDAP mapper, which will add the value just during the > registration time, but not update it later. Maybe the best is to use just > the first part of the "initial" email as username. Something like: > > - User registers with john123 at email.com > - Mapper will extract, just the first part of the email, so "john123" and > use it as RDN of LDAP. 
So user in LDAP will be saved like > "uid=john123,cn=users,dc=example,dc=com" > - When email is changed to "john123-updated at email.cz" > , the UID will remain unchanged and will be > still "uid=john123,cn=users,dc=example,dc=com" > > Maybe timestamp is useful as well, not sure. > > Marek > > Dne 11.10.2017 v 00:14 Celso Agra napsal(a): > > I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP > Attribute" and set some configs on LDAP Mapper. > but I got an error: > > Could not create user: org.keycloak.models.ModelException: RDN Attribute > [uid] is not filled. Filled attributes: {mail=[], cn=[ ], sn=[ ], > createTimestamp=[], modifyTimestamp=[]} > > > maybe, change username could be a bad practice. Could be better if I set a > special number on username, such as timestamp. This could solve my issue > > Thanks Marek > > 2017-10-10 9:08 GMT-03:00 Marek Posolda : > >> Thanks. >> >> I see it probably doesn't work as you have email as username and "uid" is >> used as both username attribute and RDN attribute. When you're changing >> email of user in Keycloak, it is trying to change "uid" in LDAP, but that's >> not allowed. >> >> I can imagine that things might work if you configure "mail" as "Username >> LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to >> do some tricks with mappers and maybe implement your own LDAP mapper. If >> you don't manage to have this working, feel free to create JIRA. >> >> Marek >> >> >> >> On 09/10/17 18:54, Celso Agra wrote: >> >> Thanks for your answer, Marek! >> >> Here is some of my configs. In addition, I put the same values to >> username and e-mail. 
>> >> Here is my User Representation: >> >>> UserRepresentation user = new UserRepresentation(); >>> user.setUsername(email); >>> user.setFirstName(firstName; >>> user.setLastName(lastName); >>> user.setEnabled(true); >>> user.setEmail(email); >> >> >> Best regards, >> >> Celso Agra >> >> >> 2017-10-09 10:37 GMT-03:00 Marek Posolda : >> >>> We didn't try to test this use-case though. But it may work as long as >>> things are configured correctly. Maybe I would re-create the LDAP provider >>> with the "Username LDAP attribute" be set to "mail", but the "RDN LDAP >>> Attribute" to "uid" . Is this the configuration you're using? >>> >>> If things still doesn't work, you can possibly create JIRA . Ideally >>> with the details of the configuration of your LDAP provider, realm (whether >>> 'username as email' is enabled etc) and how LDAP users looks like and how >>> you expect them to look like after. >>> >>> Regards, >>> Marek >>> >>> >>> On 04/10/17 15:45, Celso Agra wrote: >>> >>>> Hi all, >>>> >>>> I'm getting a strange behavior. >>>> >>>> My LDAP (openldap) is configured as writable in my User Federation. So, >>>> I >>>> can create user from my Keycloak, but when I change the username, the >>>> user >>>> disappear from my user's list. >>>> >>>> I check the LDAP and the user still there, with the 'old' username. So, >>>> is >>>> there some way to change the username without disappear from the >>>> keycloak >>>> user's list? >>>> >>>> This occurs because in my case, username as the same of email. So, If >>>> the >>>> user changes email, I have to change the username also. 
>>>> >>>> I'm using version 3.0.0.Final >>>> >>>> >>>> Best regards >>>> >>> >>> >>> >> >> >> -- >> --- >> *Celso Agra* >> >> >> > > > -- > --- > *Celso Agra* > > > From ksagathi at redhat.com Thu Oct 12 00:04:20 2017 From: ksagathi at redhat.com (Kishan Sagathiya) Date: Thu, 12 Oct 2017 09:34:20 +0530 Subject: [keycloak-user] Fwd: 405 on importing a realm In-Reply-To: References: <20171011122628.GA24376@abstractj.org> Message-ID: ---------- Forwarded message ---------- From: Kishan Sagathiya Date: Thu, Oct 12, 2017 at 8:05 AM Subject: Re: 405 on importing a realm To: Bruno Oliveira The second curl results in a 502 bad gateway. Also take a note that I am not running on localhost, but on a remote server without https On Wed, Oct 11, 2017 at 5:56 PM, Bruno Oliveira wrote: > I'm moving this discussion to keycloak-user, the appropriate place to > ask these questions. This should work: > > #!/bin/bash > > REALM="master" > > export TKN=$(curl -v -X POST "http://localhost:8080/auth/re > alms/$REALM/protocol/openid-connect/token" \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d "username=admin" \ > -d 'password=admin' \ > -d 'grant_type=password' \ > -d 'client_id=admin-cli' | jq -r '.access_token') > > curl -v -X POST -H "Content-Type:application/json" -H "Authorization: > Bearer $TKN" -d "@/path/of/your/realm/testrealm.json" > http://localhost:8080/auth/admin/realms > > On 2017-10-11, Kishan Sagathiya wrote: > > Hi, > > I am getting '405 Method Not Allowed' on trying to create a realm using > > keycloak's admin rest api. > > > > Following is the command that I am running > > > > > > curl -H "Content-Type: application/json" -H "Authorization: bearer > > $ACCESS_TOKEN" -d 'rep=$CONTENT_OF_THE_JSONFILE' -D- -X POST " > > http://mykeycloakurl.com/auth/admin/realms/master" > > > > Is this the right way? 
> > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > -- > > abstractj > From mehdi_cit at hotmail.com Thu Oct 12 02:04:42 2017 From: mehdi_cit at hotmail.com (Mehdi Mehdi) Date: Thu, 12 Oct 2017 06:04:42 +0000 Subject: [keycloak-user] How to only protect specific paths (SPA) In-Reply-To: References: , Message-ID: Thanks for your reply Marek, My problem is that after the user is logged in on path /#private and then after a while moves back to a public path /#public (meaning not requiring it to be logged in) . If the user is logged out (from the admin panel or simply due to timeout) that user would be required to go back and log in even though she 's on /#public. Since it's an SPA, Keycloak would always try to make sure the user is logged in and I did not find a way to stop keycloak from requiring that log in if I detect the user does not need login. It seems that once I invoke Keycloak.init().... I can no longer stop keycloak from enforcing the authentication! Thanks again, I hope I can find a solution. Been looking into the keycloak.js code to see if I can stop it but there's no clear way on how to do it. I could go and try to "hijack" 'isTokenExpired function' to make sure it always returns false if the user is on public path but I'm not sure it covers all scenarios since I do not know how keycloak works. The whole point for using Keycloak is not to spend time on this front in the first place .. and poking around with the keycloak.js code would be a hack anyway. Cheers~ ________________________________ De : Marek Posolda Envoy? : mardi 10 octobre 2017 12:13:00 ? : Mehdi Mehdi; keycloak-user at lists.jboss.org Objet : Re: [keycloak-user] How to only protect specific paths (SPA) Can't you "compute" value of the onLoad attribute based on the current path? 
I may not understand your use case properly, so maybe not the best solution, just guessing...

Marek

On 09/10/17 15:54, Mehdi Mehdi wrote:
> Hello everyone and thank you for sharing keycloak with the community.
>
> I'm trying to use keycloak on my SPA (single page application with javascript in both front & back ends).
>
> I only want to password protect specific paths and not all paths. The problem is that once I do require login
>
> keycloak.init( {onLoad: 'login-required'})...
>
> on some "sensitive path" all the other paths become protected. I suspected that would happen because I did not find a function to suspend "requiring a login".
>
> Indeed, I did test this by going to the keycloak admin page and logged out the user (who was by then on a public/not-protected path). On my SPA the user got kicked out, asking her for a password through keycloak even though she was on a 'public path'.
>
> In short, is there a way to instruct keycloak not to require a login?
>
> BTW, I'm only using keycloak on the front end right now.. Need to make it work before also using it on my API (back end).
>
> Thank you in advance for your feedback.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Oct 12 02:54:30 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 12 Oct 2017 08:54:30 +0200
Subject: [keycloak-user] Users (related to LDAP) are gone when I change the username
In-Reply-To:
References: <4fbd0886-a5d1-945c-6a4e-e133d3448ab3@redhat.com> <9e49ee73-c9c3-7e3e-e51c-278296bd3eb4@redhat.com>
Message-ID:

Cool, that works as long as you're creating users just through our admin REST api. It might not work in some other cases (for example if you're doing self-registration of users) without some other tweaks at the authenticators or mappers level.
Anyway, cool that it's sorted for you :)

Marek

On 12/10/17 03:01, Celso Agra wrote:
> There's a different kind of emails on my project, such as John at company01.br, and also another John from another company, such as John at company02.br.
>
> So... I solve that, using System.currentTimeMillis(); as username. This could be unique and non-changeable.
>
> Thanks again Marek!
>
> Best Regards,
>
> Celso Agra
>
> On Wed, 11 Oct 2017 at 03:34, Marek Posolda wrote:
>
> Yes, I was wondering that maybe you will see some error like this. And +1 to set some other non-changeable attribute as "uid". I am sure that it's doable with a custom LDAP mapper, which will add the value just during the registration time, but not update it later. Maybe the best is to use just the first part of the "initial" email as username. Something like:
>
> - User registers with john123 at email.com
> - Mapper will extract just the first part of the email, so "john123", and use it as RDN of LDAP. So user in LDAP will be saved like "uid=john123,cn=users,dc=example,dc=com"
> - When email is changed to "john123-updated at email.cz", the UID will remain unchanged and will be still "uid=john123,cn=users,dc=example,dc=com"
>
> Maybe timestamp is useful as well, not sure.
>
> Marek
>
> On 11 Oct 2017 at 00:14, Celso Agra wrote:
>> I configured "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute" and set some configs on LDAP Mapper, but I got an error:
>>
>> Could not create user: org.keycloak.models.ModelException: RDN Attribute [uid] is not filled. Filled attributes: {mail=[], cn=[ ], sn=[ ], createTimestamp=[], modifyTimestamp=[]}
>>
>> Maybe changing username could be a bad practice. Could be better if I set a special number on username, such as timestamp. This could solve my issue.
>>
>> Thanks Marek
>>
>> 2017-10-10 9:08 GMT-03:00 Marek Posolda:
>>
>> Thanks.
>>
>> I see it probably doesn't work as you have email as username and "uid" is used as both username attribute and RDN attribute. When you're changing the email of a user in Keycloak, it is trying to change "uid" in LDAP, but that's not allowed.
>>
>> I can imagine that things might work if you configure "mail" as "Username LDAP Attribute" and "uid" as "RDN LDAP Attribute", but you probably need to do some tricks with mappers and maybe implement your own LDAP mapper. If you don't manage to have this working, feel free to create a JIRA.
>>
>> Marek
>>
>> On 09/10/17 18:54, Celso Agra wrote:
>>> Thanks for your answer, Marek!
>>>
>>> Here is some of my configs. In addition, I put the same values to username and e-mail.
>>>
>>> Here is my User Representation:
>>>
>>> UserRepresentation user = new UserRepresentation();
>>> user.setUsername(email);
>>> user.setFirstName(firstName);
>>> user.setLastName(lastName);
>>> user.setEnabled(true);
>>> user.setEmail(email);
>>>
>>> Best regards,
>>>
>>> Celso Agra
>>>
>>> 2017-10-09 10:37 GMT-03:00 Marek Posolda:
>>>
>>> We didn't try to test this use-case though. But it may work as long as things are configured correctly. Maybe I would re-create the LDAP provider with the "Username LDAP attribute" set to "mail", but the "RDN LDAP Attribute" to "uid". Is this the configuration you're using?
>>>
>>> If things still don't work, you can possibly create a JIRA. Ideally with the details of the configuration of your LDAP provider, realm (whether 'username as email' is enabled etc) and how LDAP users look like and how you expect them to look like after.
>>>
>>> Regards,
>>> Marek
>>>
>>> On 04/10/17 15:45, Celso Agra wrote:
>>>
>>> Hi all,
>>>
>>> I'm getting a strange behavior.
>>>
>>> My LDAP (openldap) is configured as writable in my User Federation.
>>> So, I can create users from my Keycloak, but when I change the username, the user disappears from my user's list.
>>>
>>> I check the LDAP and the user is still there, with the 'old' username. So, is there some way to change the username without disappearing from the keycloak user's list?
>>>
>>> This occurs because in my case, username is the same as email. So, if the user changes email, I have to change the username also.
>>>
>>> I'm using version 3.0.0.Final
>>>
>>> Best regards
>>>
>>> --
>>> ---
>>> *Celso Agra*
>>
>> --
>> ---
>> *Celso Agra*
>

From mvtongeren at link2control.nl Thu Oct 12 03:59:38 2017
From: mvtongeren at link2control.nl (Marcel van Tongeren)
Date: Thu, 12 Oct 2017 07:59:38 +0000
Subject: [keycloak-user] How to only protect specific paths (SPA)
Message-ID:

Hi Mehdi Mehdi,

If I'm correct, keycloak.init( {onLoad: 'login-required'}) should only be used for sites that are completely behind authentication/authorization. Check out other init options here: http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-adapter.html

To protect only certain paths, you should probably configure the router in your SPA framework by adding some sort of 'authenticate' flag to the private routes. Then you can probably add an extra authentication step to your pipeline that checks that flag and if it is set, it should fire keycloak.login() if the user is not authenticated yet. If it is not set, then the authentication step can skip the login, because it would be a public path.

Good luck!
Marcel

From sblanc at redhat.com Thu Oct 12 04:16:05 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 12 Oct 2017 10:16:05 +0200
Subject: [keycloak-user] How to only protect specific paths (SPA)
In-Reply-To:
References:
Message-ID:

On Thu, Oct 12, 2017 at 9:59 AM, Marcel van Tongeren <mvtongeren at link2control.nl> wrote:
> Hi Mehdi Mehdi,
>
> If I'm correct, keycloak.init( {onLoad: 'login-required'}) should only be used for sites that are completely behind authentication/authorization. Check out other init options here: http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-adapter.html

+1, in your case "check-sso" should do the trick

>
> To protect only certain paths, you should probably configure the router in your SPA framework by adding some sort of 'authenticate' flag to the private routes.
> Then you can probably add an extra authentication step to your pipeline that checks that flag and if it is set, it should fire the keycloak.login() if the user is not authenticated yet.
> If it is not set, then the authentication step can skip the login, because it would be a public path.
>
> Good luck!
> Marcel
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jfherouard.almerys at gmail.com Thu Oct 12 04:40:42 2017
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Thu, 12 Oct 2017 10:40:42 +0200
Subject: [keycloak-user] Authorization with service account
Message-ID:

Hi,

In a client, I have service account and authorization enabled. When the service account fetches all resources, authorizations are applied. I would like a specific user policy rule for this user but "service-account-(client name)" is not suggested nor accepted by the user policy provider.
Is there another way to do that? In js, but what is the uuid of a service user? Is that a functional bug?
Thanks.

From herbert.muehlburger at bearingpoint.com Thu Oct 12 05:36:43 2017
From: herbert.muehlburger at bearingpoint.com (Muehlburger, Herbert)
Date: Thu, 12 Oct 2017 09:36:43 +0000
Subject: [keycloak-user] Token Claim Compression
Message-ID: <1507801003331.25468@bearingpoint.com>

Hi,

does Keycloak compress the token claims before they are Base64 encoded, or do I have to handle compression by myself when I implement a custom claim?

Best,
Herbert

________________________________
BearingPoint Technology GmbH
Registered office: Premstätten bei Graz
Commercial register court: Landesgericht für ZRS Graz
Commercial register number: FN 44354b

The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

From jfherouard.almerys at gmail.com Thu Oct 12 08:32:15 2017
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Thu, 12 Oct 2017 14:32:15 +0200
Subject: [keycloak-user] Authorization with service account
In-Reply-To:
References:
Message-ID:

I answer myself, a js policy script to allow a service account:

var context = $evaluation.getContext();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var username = attributes.getValue('preferred_username').asString(0);
var clientId = attributes.getValue('clientId').asString(0);

if (username === 'service-account-' + clientId) {
    $evaluation.grant();
} else {
    $evaluation.deny();
}

2017-10-12 10:40 GMT+02:00 Jean-François HEROUARD <jfherouard.almerys at gmail.com>:
> Hi,
>
> In a client, I have service account and authorization enabled.
> When the service account fetches all resources, authorizations are applied. I would like a specific user policy rule for this user but "service-account-(client name)" is not suggested nor accepted by the user policy provider.
> Is there another way to do that? In js, but what is the uuid of a service user? Is that a functional bug?
>
> Thanks.
>

From pnalyvayko at agi.com Thu Oct 12 09:05:31 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 12 Oct 2017 13:05:31 +0000
Subject: [keycloak-user] Can't login with certificate
In-Reply-To: <24d9ce6b-60e6-672e-99d3-e95d8ae5a20f@adbglobal.com>
References: <24d9ce6b-60e6-672e-99d3-e95d8ae5a20f@adbglobal.com>
Message-ID:

Hi Karol,

Are you using curl and the direct grant to verify the x509 client cert authentication?
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Karol Buler [K.Buler at adbglobal.com]
Sent: Tuesday, October 10, 2017 5:06 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Can't login with certificate

Hi,

when I try to login with certificate according to Keycloak's documentation instructions (http://www.keycloak.org/docs/latest/server_admin/topics/authentication/x509.html) I am getting this error:

curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

I also checked the logs in DEBUG level and there is:

11:01:50,494 DEBUG [io.undertow.request.io] (default I/O-4) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
    at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:920)
    at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1015)
    at io.undertow.protocols.ssl.UndertowSslConnection.closeAction(UndertowSslConnection.java:146)
    at org.xnio.Connection.close(Connection.java:132)
    at org.xnio.IoUtils.safeClose(IoUtils.java:134)
    at io.undertow.protocols.ssl.SslConduit$4$1.run(SslConduit.java:984)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
    ... 8 more

I don't know what is wrong. Maybe someone of you had the same problem?

Regards,
Karol

adbglobal.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From K.Buler at adbglobal.com Thu Oct 12 09:16:51 2017
From: K.Buler at adbglobal.com (Karol Buler)
Date: Thu, 12 Oct 2017 15:16:51 +0200
Subject: [keycloak-user] Can't login with certificate
In-Reply-To:
References: <24d9ce6b-60e6-672e-99d3-e95d8ae5a20f@adbglobal.com>
Message-ID: <0aef3f86-5e3c-f13f-fd49-e6a1a0b91d26@adbglobal.com>

Peter, thank you so much for the response, but while waiting I resolved the problem.
The problem was with my cert/key pair. They were in PKCS#12 format, but PEM is required. The solution is as follows:

1. Export cert and key from your private key in PEM format.

    openssl pkcs12 -in private_key.p12 -out cert.crt.pem -clcerts -nokeys
    openssl pkcs12 -in private_key.p12 -out pkey.key.pem -nocerts -nodes

2. Call 'curl' from documentation :)

Regards,
Karol

On 12.10.2017 15:05, Nalyvayko, Peter wrote:
> Hi Karol,
>
> Are you using curl and the direct grant to verify the x509 client cert authentication?
> --Peter
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Karol Buler [K.Buler at adbglobal.com]
> Sent: Tuesday, October 10, 2017 5:06 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Can't login with certificate
>
> Hi,
>
> when I try to login with certificate according to Keycloak's documentation instructions (http://www.keycloak.org/docs/latest/server_admin/topics/authentication/x509.html) I am getting this error:
>
> curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
>
> I also checked the logs in DEBUG level and there is:
>
> 11:01:50,494 DEBUG [io.undertow.request.io] (default I/O-4) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
>     at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
>     at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:920)
>     at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1015)
>     at io.undertow.protocols.ssl.UndertowSslConnection.closeAction(UndertowSslConnection.java:146)
>     at org.xnio.Connection.close(Connection.java:132)
>     at org.xnio.IoUtils.safeClose(IoUtils.java:134)
>     at io.undertow.protocols.ssl.SslConduit$4$1.run(SslConduit.java:984)
>     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:580)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:464)
> Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
>     at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
>     at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
>     ... 8 more
>
> I don't know what is wrong. Maybe someone of you had the same problem?
>
> Regards,
> Karol
>
> adbglobal.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thelo.gaultier at gmail.com Thu Oct 12 12:19:17 2017
From: thelo.gaultier at gmail.com (Thelo)
Date: Thu, 12 Oct 2017 09:19:17 -0700 (MST)
Subject: [keycloak-user] Load testing and performance
Message-ID: <1507825157564-0.post@n6.nabble.com>

Hi,

As we are currently load testing Keycloak to see whether it could be a good fit in our system, we are experiencing trouble reaching good performance for the user login. In our current set up we do direct login via password against Keycloak and we get around 30 user logins per second.

Here is our current set up:
- 4 instances of Keycloak (1 CPU / 800MB of memory each, running in Kubernetes)
- 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of memory

As it is hard to believe that one instance can only handle 10 requests per second we were wondering if someone had done similar tests and if you would be willing to share the results / test configuration.

Many thanks,

Thelo

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From jw at blue-yonder.com Fri Oct 13 08:15:24 2017
From: jw at blue-yonder.com (Jonas Weismueller)
Date: Fri, 13 Oct 2017 14:15:24 +0200
Subject: [keycloak-user] customizable attribute mapper
In-Reply-To:
References: <968e3829-4a50-d2f9-73a2-c0780db0208a@blue-yonder.com>
Message-ID:

I looked into the PR and it looks like this PR is primarily for a broker configuration, whereas I need it as a "User Federation => Ldap => LDAP Mappers" mapper.

@Hynek: Will this mapper be easily adaptable to the LDAP mappers as well?
Cheers Jonas

On 10/06/17 14:22, Hynek Mlnarik wrote:
> It's not there yet. Similar functionality has already been requested in [1]. Could you please comment on your expected use case there and if interested, vote for it?
>
> Thanks
>
> --Hynek
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-4781
>
> On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller wrote:
>> Hi,
>>
>> we are still evaluating keycloak vs. simplesamlphp.
>>
>> What we find quite convenient using simplesamlphp is this authentication processing attributealter possibility:
>>
>> https://simplesamlphp.org/docs/stable/core:authproc_attributealter
>>
>> Using this especially with the feature to be able to use regex pattern matching it is quite easy to combine/construct certain SAML attributes in the way the SP needs it.
>>
>> For example we could add a fixed top level domain to the IDPEmail Attribute, where the SP needs it in the syntax username at domain.tld instead of username as retrieved by our LDAP backend system.
>>
>> One real example from our current simplesamlphp configuration:
>>
>> 30 => array(
>>     'class' => 'core:AttributeAlter',
>>     'subject' => 'uid',
>>     'pattern' => '/([a-z]+)/',
>>     'replacement' => '\1 at domain.tld',
>>     'target' => 'IDPEmail',
>> ),
>>
>> I could not find any similar feature within keycloak or did I just overlook it?
>>
>> Cheers Jonas
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From shop24 at wolke7.net Fri Oct 13 09:07:23 2017
From: shop24 at wolke7.net (shop24 at wolke7.net)
Date: Fri, 13 Oct 2017 15:07:23 +0200
Subject: [keycloak-user] sessions are lost after restart - 3.3.0.CR2
Message-ID:

Hi,

as we plan to update to 3.3.0.Final, I already started to play with the current CR2 and check the features we use.

We save our sessions in the file based infinispan cache.
I can see the session.dat file there growing with the amount of sessions, and as long as the server stays alive, the sessions can be counted. But when I restart the server, no sessions are visible on the admin console nor via the REST API.

Those things worked at least until 3.1.0.Final.

Is this a bug or can I configure this somehow differently now? Are you working on it and is it one of the points that are not final?

Regards,
Marie

From hmlnarik at redhat.com Fri Oct 13 14:52:37 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 13 Oct 2017 20:52:37 +0200
Subject: [keycloak-user] customizable attribute mapper
In-Reply-To:
References: <968e3829-4a50-d2f9-73a2-c0780db0208a@blue-yonder.com>
Message-ID:

Might not be easily adaptable but I see the value of such a mapper in both areas (both broker and LDAP), and when being developed, it would be nice to provide the same feature set. Hence feel free to either add a comment to KEYCLOAK-4781 or file a new feature request linked to the same JIRA.

Thanks

--Hynek

On Fri, Oct 13, 2017 at 2:15 PM, Jonas Weismueller wrote:
> I looked into the PR and it looks like this PR is primarily for a broker configuration, whereas I need it as a "User Federation => Ldap => LDAP Mappers" mapper.
>
> @Hynek: Will this mapper be easily adaptable to the LDAP mappers as well?
>
> Cheers Jonas
>
> On 10/06/17 14:22, Hynek Mlnarik wrote:
>
>> It's not there yet. Similar functionality has already been requested in [1]. Could you please comment on your expected use case there and if interested, vote for it?
>>
>> Thanks
>>
>> --Hynek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-4781
>>
>> On Fri, Oct 6, 2017 at 2:01 PM, Jonas Weismueller wrote:
>>
>>> Hi,
>>>
>>> we are still evaluating keycloak vs. simplesamlphp.
>>>
>>> What we find quite convenient using simplesamlphp is this authentication processing attributealter possibility:
>>>
>>> https://simplesamlphp.org/docs/stable/core:authproc_attributealter
>>>
>>> Using this especially with the feature to be able to use regex pattern matching it is quite easy to combine/construct certain SAML attributes in the way the SP needs it.
>>>
>>> For example we could add a fixed top level domain to the IDPEmail Attribute, where the SP needs it in the syntax username at domain.tld instead of username as retrieved by our LDAP backend system.
>>>
>>> One real example from our current simplesamlphp configuration:
>>>
>>> 30 => array(
>>>     'class' => 'core:AttributeAlter',
>>>     'subject' => 'uid',
>>>     'pattern' => '/([a-z]+)/',
>>>     'replacement' => '\1 at domain.tld',
>>>     'target' => 'IDPEmail',
>>> ),
>>>
>>> I could not find any similar feature within keycloak or did I just overlook it?
>>>
>>> Cheers Jonas
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

--
--Hynek

From ylevine20 at gmail.com Sat Oct 14 17:05:26 2017
From: ylevine20 at gmail.com (Y Levine)
Date: Sat, 14 Oct 2017 14:05:26 -0700
Subject: [keycloak-user] Keycloak Production?
Message-ID:

Is Keycloak ready for production use? Or is it still considered by RedHat as in product development?

And if suitable for production --- use with EAP or WildFly?

Thanks.

From sblanc at redhat.com Sun Oct 15 04:05:10 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 15 Oct 2017 10:05:10 +0200
Subject: [keycloak-user] Keycloak Production?
In-Reply-To:
References:
Message-ID:

Hi,

We have a supported product, Red Hat SSO, which is just a productized version of Keycloak: https://access.redhat.com/products/red-hat-single-sign-on

But you can also use Keycloak in production without official support of course, it's up to you.

Seb

On Sat, Oct 14, 2017 at 11:05 PM, Y Levine wrote:
> Is Keycloak ready for production use? Or still considered by RedHat as in product development.
>
> And if suitable for production --- use with EAP or WildFly?
>
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From franzm.de at gmx.de Sun Oct 15 07:42:45 2017
From: franzm.de at gmx.de (Franjo Marjanovic)
Date: Sun, 15 Oct 2017 13:42:45 +0200
Subject: [keycloak-user] (no subject)
Message-ID: <50689b00-bfa5-7fbe-39cf-ee45968451f2@gmx.de>

is ok

From parky128 at googlemail.com Mon Oct 16 05:47:11 2017
From: parky128 at googlemail.com (Rob Parker)
Date: Mon, 16 Oct 2017 10:47:11 +0100
Subject: [keycloak-user] Generated token too large for usage as authorization bearer header value
Message-ID:

I am finding the size of the token returned from keycloak is too large to use as a bearer Authorization header when making subsequent api requests from my application via our nodejs express server. This happens after I add many roles to the user account I am using. When removing enough roles, eventually the size of the header is allowed through.

Is it possible to not include user roles in the token issued to a user when authenticating? I could then retrieve the user's roles after logging in to our application through some other means, e.g. the userinfo endpoint?
Thanks

From degtyarev.sergei at gmail.com Mon Oct 16 07:41:59 2017
From: degtyarev.sergei at gmail.com (Sergei Degtyarev)
Date: Mon, 16 Oct 2017 11:41:59 +0000
Subject: [keycloak-user] Authenticate REST API call with IDP Brokering (one more time)
Message-ID:

Hello

I have a web application (UI and REST services, java/Wildfly). Keycloak is used as Identity Broker with Salesforce (OpenID Connect Brokering) and if I try to access the UI application I can successfully log in via Salesforce.

At the moment I need to make a REST service call from Salesforce Apex code and authenticate the caller by his access_token (provided by Salesforce). Is it possible to make client authentication based on that access_token? (or how can I extend the Keycloak adapter and Server via SPI)?

Yes, I know about Direct Grant and Service Account if I want to call a RestAPI method. But in those cases I need to somehow fill the securityContext with the right roles.

Regards,
Sergei Degtyarev

From psilva at redhat.com Mon Oct 16 12:02:16 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 16 Oct 2017 14:02:16 -0200
Subject: [keycloak-user] Authorization with service account
In-Reply-To:
References:
Message-ID:

Glad it worked. FYI, you don't actually need the *else* clause because the engine will always deny if the policy did not call either grant or deny.
On Thu, Oct 12, 2017 at 9:32 AM, Jean-François HEROUARD <jfherouard.almerys at gmail.com> wrote:
> I answer myself, a js policy script to allow a service account:
>
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var attributes = identity.getAttributes();
> var username = attributes.getValue('preferred_username').asString(0);
> var clientId = attributes.getValue('clientId').asString(0);
>
> if (username === 'service-account-' + clientId) {
>     $evaluation.grant();
> } else {
>     $evaluation.deny();
> }
>
> 2017-10-12 10:40 GMT+02:00 Jean-François HEROUARD <jfherouard.almerys at gmail.com>:
>
> > Hi,
> >
> > In a client, I have service account and authorization enabled. When the service account fetches all resources, authorizations are applied. I would like a specific user policy rule for this user but "service-account-(client name)" is not suggested nor accepted by the user policy provider.
> > Is there another way to do that? In js, but what is the uuid of a service user? Is that a functional bug?
> >
> > Thanks.
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Tue Oct 17 02:04:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 17 Oct 2017 08:04:39 +0200
Subject: [keycloak-user] Keycloak Architecture
In-Reply-To:
References:
Message-ID:

You need to subscribe to the mailing list to send to it

On 16 October 2017 at 19:45, Manikanta Surya Movva (CDS) <surya.movva at cogentdatasolutions.in> wrote:
> Hello Keycloak Team
>
> When I tried to post my question to keycloak-user at lists.jboss.org, I'm getting the following response.
>
> "You are not allowed to post to this mailing list, and your message has been automatically rejected.
> If you think that your messages are being rejected in error, contact the mailing list owner at keycloak-user-owner at lists.jboss.org."
>
> I do have a question regarding the keycloak architecture. I'm trying to integrate keycloak for my application (Job Portal) which is developed using Java with spring and hibernate frameworks.
> My application consists of 4 modules: Job Seeker, Employer, Admin and Sales. All modules are built as the same war file too. If I want to integrate keycloak, do I need to take a single realm with multiple clients or multiple realms with a single client? If I need to go with a single realm, can I distinguish login and registration pages per each and every client? I don't want to show the same view for each and every client and don't want to ask the same attributes in all registration pages. In forgot password functionality if I give a non existing emailId I'm not getting a proper message. Please assist me.
>
> The response I got while I'm sending an email is attached below.
>
> Thanks and Regards
> Surya
>

From garret.ruh at optum.com Tue Oct 17 11:57:55 2017
From: garret.ruh at optum.com (Ruh, Garret)
Date: Tue, 17 Oct 2017 15:57:55 +0000
Subject: [keycloak-user] Mapping provider user ID to user attribute
Message-ID: <01F81909-C21A-4B3C-845C-22CE9BBC4F1A@contoso.com>

Context: Using Keycloak as an OpenID Connect identity broker, and onboarding an IDP.

Is it possible to map a provider user ID (from an OpenID Connect identity provider, so the value in the sub claim) to a user attribute? Have attempted using an "Attribute Importer" mapper w/ claim "sub" to no avail.

End goal is to include that attribute (if it exists) in generated access tokens so that applications can still reference the provider user ID during a transitional period.

Seems like it'd be a pretty common use case, so apologies if this has been asked and answered before. Could be missing the applicable search term(s).
Regards,
Garret Ruh

From graham.oregan at gmail.com Tue Oct 17 15:45:06 2017
From: graham.oregan at gmail.com (Graham O'Regan)
Date: Tue, 17 Oct 2017 20:45:06 +0100
Subject: [keycloak-user] preferred identity mechanism for rest clients
Message-ID: <8A3BD169-E537-445B-AC2E-7A9A4A34FCB2@gmail.com>

Hi,

We are using mod_auth_openidc set up as a keycloak client so we can use openid-connect for browsers and oauth20 for REST clients. We have set up some REST clients as users and use a grant_type=password to get a bearer token but I've also tested using a keycloak client with a service account to achieve a similar effect. There is a benefit to us in using a user account because we have hooked the account creation into our internal authorization mechanism but would it be preferable to use service accounts instead?

Thanks in advance,

G

From madocdoyu at gmail.com Wed Oct 18 08:30:41 2017
From: madocdoyu at gmail.com (Matthias J. Déjà)
Date: Wed, 18 Oct 2017 14:30:41 +0200
Subject: [keycloak-user] Users with no firstName and lastName?
Message-ID:

Hello,

new user here, so please forgive oversights on my part. After reading the documentation and searching the mailing list, I did not find this question answered.

I am creating a user storage SPI implementation that is backed by an external user storage. That external user storage does not have first or last names for users.
The only intrinsic information for a user on the external storage is a unique username and the password. The Keycloak user storage SPI that I am about to implement will make the users available in Keycloak, such that they can be displayed, created and edited via Keycloak. Authentication will also be possible.

Here is the problem: In Keycloak, first name and last name are intrinsic properties of a user. (I am thinking of AbstractUserAdapterFederatedStorage, which I understand would be a good idea to implement.)

This is what I imagine as a realistic solution:
- In Keycloak, first and last name are still, in principle, present. But they are always empty.
- They cannot be changed.

The last point is important, as I do not want data to be split among Keycloak and the external user storage. When a Keycloak user can successfully set the first/last name of a user, this implies that this is a meaningful operation. Therefore, I would like to make those fields empty and non-editable.

What would be the best way to achieve this? Do you see another way that would be better?

My current working hypothesis would be one of those:

A) Override setFirstName and setLastName to throw an exception that the Keycloak UI can deal with. (Which one?)
B) Have the storage return an unsuccessful result when attempting to store a user with non-empty values on any of those fields. (How exactly?)
C) Before storing a user, simply hardcode an assignment to firstName and lastName with either null or the empty string. (That would mean silently ignoring changes to those fields and pretending that storing went okay.)

Thanks for your input.

Matthias Deja.
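As an added illustration of option A (example code written for this archive, not Matthias's nor Keycloak's own), the adapter below reports empty names and rejects any non-empty write with org.keycloak.storage.ReadOnlyException, the exception Keycloak's own read-only user delegates throw; the package name, the class name and the choice to treat setUsername as immutable are assumptions of the example.

```java
package com.example.storage; // assumed package name, not from the thread

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

/**
 * Adapter for an external store that only knows a username and a password.
 * First and last name are always empty and cannot be set, so no profile
 * data is ever split between Keycloak's federated storage and the store.
 */
public class ExternalUserAdapter extends AbstractUserAdapterFederatedStorage {

    private final String username;

    public ExternalUserAdapter(KeycloakSession session, RealmModel realm,
                               ComponentModel storageProviderModel, String username) {
        super(session, realm, storageProviderModel);
        this.username = username;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public void setUsername(String username) {
        // Assumption of this example: the username is the external key and is immutable.
        throw new ReadOnlyException("username is managed by the external user store");
    }

    // Option A: names are always empty and a non-empty write fails loudly.
    @Override
    public String getFirstName() {
        return null;
    }

    @Override
    public String getLastName() {
        return null;
    }

    @Override
    public void setFirstName(String firstName) {
        rejectNameWrite("firstName", firstName);
    }

    @Override
    public void setLastName(String lastName) {
        rejectNameWrite("lastName", lastName);
    }

    private static void rejectNameWrite(String field, String value) {
        // Creating or importing a user sets every field; an empty name must still succeed.
        if (value == null || value.isEmpty()) {
            return;
        }
        throw new ReadOnlyException(field + " is not stored for externally managed users");
    }
}
```

The empty-value short-circuit matters because the create path sets every field: if empty names also threw, no user could be created through Keycloak at all. The admin REST user-update endpoint catches ReadOnlyException and turns it into an error response rather than a server error, which is what makes option A usable from the admin console (verify against the Keycloak version you deploy).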
From mstrukel at redhat.com Wed Oct 18 10:11:10 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 18 Oct 2017 16:11:10 +0200
Subject: [keycloak-user] Load testing and performance
In-Reply-To: <1507825157564-0.post@n6.nabble.com>
References: <1507825157564-0.post@n6.nabble.com>
Message-ID:

The default hashing iterations is fairly high to safeguard for the case of a leaked database.

See: http://www.keycloak.org/docs/latest/server_admin/topics/threat/password-db-compromised.html

If you are comfortable with decreasing the number of iterations that's definitely the first thing to try to increase performance.

On Oct 12, 2017 18:53, "Thelo" wrote:

> Hi,
>
> As we are currently load testing Keycloak to see whether it could be a good fit in our system, we experience trouble to reach good performance for the user login.
>
> In our current set up we do direct login via password against Keycloak and we get around 30 user logins per second.
>
> Here is our current set up:
> - 4 instances of Keycloak (1 CPU / 800MB of memory each, running in Kubernetes)
> - 1 Postgres db in AWS RDS with 20GB of SSD storage, 2 vCPU and 8GB of memory
>
> As it is hard to believe that one instance can only handle 10 requests per second we were wondering if someone had done similar tests and if you would be willing to share the results / test configuration.
>
> Many thanks,
>
> Thelo
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/

From to_sud at yahoo.com Wed Oct 18 10:24:57 2017
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Wed, 18 Oct 2017 10:24:57 -0400
Subject: [keycloak-user] failover scenario
Message-ID:

Hi Keycloak devs/users,

We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR failover topology and are running into a concern with the client secret being different between the clusters.

We have two separate Keycloak clusters with their own databases for our PROD and DR datacenters. As part of initial one-time client setup when we register the client in the PROD cluster we also register the same client in our DR cluster. The configuration for the client is identical between the two clusters except for the client secret which is generated by Keycloak.

When there is a DR event for Keycloak (either failure or scheduled maintenance) we have the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don't change anything else. Unfortunately the PROD clients will not be able to establish SSO with the DR cluster because the client secret is different.

We've considered instead of using the Keycloak APIs to register the client in both clusters (thereby having different client secrets) to register the client in one cluster and use database scripts to push the same configuration to the other cluster database and thereby keep the secrets the same.

I was wondering if others have run into this limitation and how you may have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in the upcoming release of Keycloak with multi-datacenter support. But that is currently not an option for us.

Thanks in advance for your insight.
-sud

From mzmien at onet.pl Wed Oct 18 18:21:14 2017
From: mzmien at onet.pl (mzmien)
Date: Thu, 19 Oct 2017 00:21:14 +0200
Subject: [keycloak-user] Problem with Oracle sql
Message-ID: <160032729-dd26ec2c107454c75a46aae9edd4c352@pmq2v.m5r2.onet>

Hi All!

I'm trying to "generate" a raw sql file for the latest keycloak 3.3.0.CR2, but without connection to the database (Oracle). Is it possible?
Every time I'm trying to start standalone.sh I'm getting an error:

caused by: java.net.ConnectException: Connection refused

My standalone.xml:

jdbc:oracle:thin:@127.0.0.1:1521:ORCLCDB
oracle
username
password
select * from dual

In drivers section:

oracle.jdbc.xa.client.OracleXADataSource

and strategy options:

I'm expecting keycloak-database-update.sql file...

Thanks!

Regards,
Mike

From sthorger at redhat.com Wed Oct 18 23:44:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 19 Oct 2017 05:44:23 +0200
Subject: [keycloak-user] preferred identity mechanism for rest clients
In-Reply-To: <8A3BD169-E537-445B-AC2E-7A9A4A34FCB2@gmail.com>
References: <8A3BD169-E537-445B-AC2E-7A9A4A34FCB2@gmail.com>
Message-ID:

One thing is that the client should authenticate itself as well. If you use a service account you have one set of credentials for the client, but if you use a regular user account you have two. Service accounts also have different authentication mechanisms to users and don't get "interrupted" by required actions.
On 18 Oct 2017 7:36 am, "Graham O'Regan" wrote:

> Hi,
>
> We are using mod_auth_openidc set up as a keycloak client so we can use openid-connect for browsers and oauth20 for REST clients. We have set up some REST clients as users and use a grant_type=password to get a bearer token but I've also tested using a keycloak client with a service account to achieve a similar effect. There is a benefit to us in using a user account because we have hooked the account creation into our internal authorization mechanism but would it be preferable to use service accounts instead?
>
> Thanks in advance,
>
> G

From sthorger at redhat.com Wed Oct 18 23:47:53 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 19 Oct 2017 05:47:53 +0200
Subject: [keycloak-user] failover scenario
In-Reply-To:
References:
Message-ID:

Why not just do DB replication?

On 18 Oct 2017 10:33 pm, "Sud Ramasamy" wrote:

> Hi Keycloak devs/users,
>
> We are trying to wrap our heads around how we might deploy Keycloak in a PROD with DR failover topology and are running into a concern with the client secret being different between the clusters.
>
> We have two separate Keycloak clusters with their own databases for our PROD and DR datacenters. As part of initial one-time client setup when we register the client in the PROD cluster we also register the same client in our DR cluster. The configuration for the client is identical between the two clusters except for the client secret which is generated by Keycloak.
>
> When there is a DR event for Keycloak (either failure or scheduled maintenance) we have the ability to repoint the URL for the PROD Keycloak to the DR Keycloak cluster. We don't change anything else.
> Unfortunately the PROD clients will not be able to establish SSO with the DR cluster because the client secret is different.
>
> We've considered instead of using the Keycloak APIs to register the client in both clusters (thereby having different client secrets) to register the client in one cluster and use database scripts to push the same configuration to the other cluster database and thereby keep the secrets the same.
>
> I was wondering if others have run into this limitation and how you may have solved for it. Also we are on Keycloak 2.5 (for RH-SSO support purposes). This might be addressed in the upcoming release of Keycloak with multi-datacenter support. But that is currently not an option for us.
>
> Thanks in advance for your insight.
> -sud

From msakho at redhat.com Thu Oct 19 03:05:47 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 19 Oct 2017 09:05:47 +0200
Subject: [keycloak-user] Load testing and performance
In-Reply-To:
References: <1507825157564-0.post@n6.nabble.com>
Message-ID:

Is it possible to disable it?

On Wed, Oct 18, 2017 at 4:11 PM, Marko Strukelj wrote:

> The default hashing iterations is fairly high to safeguard for the case of a leaked database.
>
> See:
> http://www.keycloak.org/docs/latest/server_admin/topics/threat/password-db-compromised.html
>
> If you are comfortable with decreasing the number of iterations that's definitely the first thing to try to increase performance.
From thelo.gaultier at gmail.com Thu Oct 19 03:49:19 2017
From: thelo.gaultier at gmail.com (Thelo Gaultier)
Date: Thu, 19 Oct 2017 09:49:19 +0200
Subject: [keycloak-user] Load testing and performance
In-Reply-To:
References: <1507825157564-0.post@n6.nabble.com>
Message-ID:

Hi,

Indeed the performance increased but this is not really recommended (the new NIST guideline recommends at least 10K iterations, but this will only increase over time). Has anyone tried to move the password hashing outside of Keycloak (AWS Lambda for example, or any scalable micro service) to reduce the CPU usage of keycloak and allow it to deal with more requests per second (the latency will be high but this might be ok)?

@Meissa: You can reduce the number of iterations or switch to another hashing algorithm, but once again if your database leaks, your passwords might be more easily crackable.
@Marko: do you know if at some point the interaction between the different nodes of a cluster might become a possible bottleneck in the case of a large cluster?

Many thanks,

Thelo

2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho:

> Is it possible to disable it?
From msakho at redhat.com Thu Oct 19 05:21:02 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 19 Oct 2017 11:21:02 +0200
Subject: [keycloak-user] Load testing and performance
In-Reply-To:
References: <1507825157564-0.post@n6.nabble.com>
Message-ID:

Thelo,

"do you know if at some point the interaction between the different nodes of a cluster might become a possible bottleneck in the case of a large cluster?"

It depends on how your cluster is configured, particularly the server cache configuration. If you replicate everything across your cluster nodes, you may encounter performance issues. You can change the number of nodes that replicate a piece of data by changing the owners attribute in the distributed-cache declaration. Take a look at section 9.2 of the documentation below:
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/server_installation_and_configuration_guide/server_cache_configuration

Meissa

On Thu, Oct 19, 2017 at 9:49 AM, Thelo Gaultier wrote:

> Hi,
>
> Indeed the performance increased but this is not really recommended (the new NIST guideline recommends at least 10K iterations, but this will only increase over time). Has anyone tried to move the password hashing outside of Keycloak (AWS Lambda for example, or any scalable micro service) to reduce the CPU usage of keycloak and allow it to deal with more requests per second (the latency will be high but this might be ok)?
>
> @Meissa: You can reduce the number of iterations or switch to another hashing algorithm, but once again if your database leaks, your passwords might be more easily crackable.
>
> @Marko: do you know if at some point the interaction between the different nodes of a cluster might become a possible bottleneck in the case of a large cluster?
>
> Many thanks,
>
> Thelo
>
> 2017-10-19 9:05 GMT+02:00 Meissa M'baye Sakho:
>
>> Is it possible to disable it?
From msakho at redhat.com Thu Oct 19 07:34:17 2017
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 19 Oct 2017 13:34:17 +0200
Subject: [keycloak-user] Problem with Oracle sql
In-Reply-To: <160032729-dd26ec2c107454c75a46aae9edd4c352@pmq2v.m5r2.onet>
References: <160032729-dd26ec2c107454c75a46aae9edd4c352@pmq2v.m5r2.onet>
Message-ID:

Mike,

Can you validate your datasource connection by running the CLI commands below after starting the CLI:

1) First you start the CLI by running the command below from your /Keycloak_Home/bin

./jboss-cli.sh --connect

2) You run the command below to validate that your datasource configuration is ok. It will request a valid connection to the database

/subsystem=datasources/data-source=KeycloakDS:test-connection-in-pool

Meissa

On Thu, Oct 19, 2017 at 12:21 AM, mzmien wrote:

> Hi All!
>
> I'm trying to "generate" a raw sql file for the latest keycloak 3.3.0.CR2, but without connection to the database (Oracle). Is it possible?
> Every time I'm trying to start standalone.sh I'm getting an error:
>
> caused by: java.net.ConnectException: Connection refused
>
> My standalone.xml
>
> pool-name="KeycloakDS" enabled="true" jta="true" use-java-context="true">
>
> jdbc:oracle:thin:@127.0.0.1:1521:ORCLCDB
>
> oracle
>
> username
> password
>
> select * from dual
>
> In drivers section:
>
> oracle.jdbc.xa.client.OracleXADataSource
>
> and strategy options:
>
> value="java:jboss/datasources/KeycloakDS"/>
>
> value="${jboss.home.dir}/keycloak-database-update.sql"/>
>
> I'm expecting keycloak-database-update.sql file...
>
> Thanks!
>
> Regards,
> Mike

From Gregoire.Jeanmart at ai-london.com Thu Oct 19 08:23:22 2017
From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Thu, 19 Oct 2017 12:23:22 +0000
Subject: [keycloak-user] Username enumeration
Message-ID: <18c68efe64f649b19f4fbbe9da6a84b5@EXCHANGE.airas.lan>

Hello,

One of our customers ran a penetration test on our platform which uses Keycloak as Identity & Access Management system. The penetration result was good except a medium issue that could result in a large discovery of usernames.

Let me explain the steps to reproduce this:

1. Login to the system with valid credentials
2. Copy the execution parameter [%EXECUTION%] from the POST authenticate HTTP request
   https://%KEYCLOAK%/auth/realms/%REALM%/login-actions/authenticate?code=%CODE%&execution=%EXECUTION%&client_id=%CLIENT_ID%
3. Copy the AUTH_SESSION_ID cookie [%AUTH_SESSION_ID%] from the POST authenticate HTTP request
4. Execute the POST authenticate HTTP request again with the execution parameter %EXECUTION% and AUTH_SESSION_ID cookie %AUTH_SESSION_ID%

   POST /auth/realms/%REALM%/login-actions/authenticate?code=%CODE%&execution=%EXECUTION%&client_id=%CLIENT_ID% HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   Cookie: AUTH_SESSION_ID=%AUTH_SESSION_ID%
   Cache-Control: no-cache

   Body:
   username=%USERNAME%&password=123&login=Log+in

5. From the HTML response (Invalid username or password) extract the code %CODE% (because unique) from the form action