[keycloak-user] keycloak-user Digest, Vol 61, Issue 39

Hans Zandbelt hans.zandbelt at zmartzone.eu
Mon Jan 28 15:27:50 EST 2019


Hey Ed,

Ouch, bad NetIQ :-( apparently it considers the signature on the request as
something unexpected, which it really shouldn't...
However, you should be able to configure the signing certificate of
Keycloak on the NetIQ side (which you needed to do anyway for the
validation of the Logout requests) and make it "require" or "expect" signed
authentication requests from the Keycloak SP.

Hans.

On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request at lists.jboss.org>
wrote:

>
> ------------------------------
>
> Message: 3
> Date: Mon, 28 Jan 2019 16:16:20 +0000
> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
>         LogoutRequest not working with NetIQ Access Manager because it is
>         not signed?
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4 at info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Hans! :-)
>
> Unfortunately with "Want AuthnRequests Signed?" enabled we can no longer
> log in to the external IdP. I will check with the NetIQ provider people to
> check.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 28 Jan 2019 14:51:26 -0200
> From: Wagner <wagnerspi at gmail.com>
> Subject: [keycloak-user]  Keycloak integration with django
> To: keycloak-user at lists.jboss.org
> Message-ID: <CAO0ino=wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi there,
>
> I've been looking for ways to integrate keycloak with django, and have
> found the django-keycloak project, but the docs are kind of limited.
>
> Can anyone point me in the direction of integrating it with an existing
> django project? I don't want to use the django admin web interface to
> configure it, but haven't found any other way to do so.
>
> Thanks,
> Wagner
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 28 Jan 2019 13:04:58 -0500
> From: Nhut Thai Le <ntle at castortech.com>
> Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver
>         class on every request
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=iE6nGV0JQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> We are using OsgiJaxrsBearerTokenFilterImpl of Keycloak 4.6 in our OSGi env
> to filter requests to our REST service as follows:
>
> import javax.annotation.Priority;
> import javax.ws.rs.Priorities;
> import javax.ws.rs.container.ContainerRequestFilter;
> import javax.ws.rs.container.ContainerResponseFilter;
> import javax.ws.rs.container.PreMatching;
> import org.osgi.framework.BundleContext;
> import org.osgi.service.component.annotations.Activate;
> import org.osgi.service.component.annotations.Component;
> import org.osgi.service.component.annotations.Reference;
> import org.osgi.service.component.annotations.ServiceScope;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import static org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants.JAX_RS_NAME;
> // plus the Keycloak adapter's OsgiJaxrsBearerTokenFilterImpl and our own
> // SessionService / DiagramConstants (imports not shown here)
>
> @Component(
>     service = {
>         ContainerRequestFilter.class,
>         ContainerResponseFilter.class
>     },
>     scope = ServiceScope.PROTOTYPE, // one filter instance per request, as the JAX-RS whiteboard spec recommends
>     property = {
>         "osgi.jaxrs.extension=true",
>         JAX_RS_NAME + "=DiagramRestFilter",
>         DiagramConstants.REST_APP_SELECT
>     }
> )
> @PreMatching
> @Priority(Priorities.AUTHENTICATION)
> public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
>         implements ContainerResponseFilter {
>     private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
>     private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
>     private final Logger log = LoggerFactory.getLogger(getClass());
>
>     @Reference
>     private SessionService sessionService;
>
>     @Activate
>     public void activate(BundleContext bundleContext) {
>         log.trace("Activating {}", getClass()); //$NON-NLS-1$
>
>         // hand the Keycloak filter the config resolver by class name
>         setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$
>         setBundleContext(bundleContext);
>     }
>
>     // ... the filter(...) methods of the class are not part of this message
> }
>
> As you can see, we set the filter scope to Prototype as recommended by the OSGi
> compendium (
> https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685
> ),
> but we see the following line printed many times when the server starts:
>
> INFO: Using
> com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver at 738e48f7
> to resolve Keycloak configuration on a per-request basis.
>
> Does that mean the config resolver is being instantiated for each request?
> Since the configuration never changes, would it make sense to
> instantiate this config resolver only once?
>
> Thai Le
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 28 Jan 2019 21:00:02 +0100
> From: Marek Posolda <mposolda at redhat.com>
> Subject: Re: [keycloak-user] User sessions in DB
> To: Lukasz Lech <l.lech at ringler.ch>,    "keycloak-user at lists.jboss.org"
>         <keycloak-user at lists.jboss.org>
> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01 at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
> > Hello,
> >
> > I'm using Keycloak docker image for 4.8.1
> >
> > I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a
> tombstone of some previous implementation. User sessions are not saved
> in the DB.
> >
> > Additionally, after some time server run, I've got NPE in
> RealmAdminResource.getClientSessionStats:614 when trying to navigate to
> Sessions position in Menu in Admin Console.
>
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
> exact steps to reproduce).
>
> Thanks,
> Marek
>
> >
> > Are there any issues with JPA cache?
> >
> > Best regards,
> > Lukasz Lech
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 28 Jan 2019 21:07:05 +0100
> From: Marek Posolda <mposolda at redhat.com>
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>         not in Active Directory domain
> To: Dmitry Telegin <dt at acutus.pro>, Chris Smith
>         <chris.smith at cmfirstgroup.com>, "keycloak-user at lists.jboss.org"
>         <keycloak-user at lists.jboss.org>
> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67 at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> +1
>
> GSSCredential is used just during SPNEGO authentication. You may
> possibly change the built-in authentication flows or userStorage
> provider, so that after verification with username/password, the
> GSSCredential will be somehow obtained from the JAAS Subject used for
> the authentication (See class KerberosUsernamePasswordAuthenticator for
> the details).
>
> However I am not sure if this is really possible and it will require
> some more deep-dive into the Keycloak codebase and Kerberos
> implementation in JDK... Just a hint...
>
> Marek
>
> On 28/01/2019 07:21, Dmitry Telegin wrote:
> > Hello Chris,
> >
> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
> sure it's possible at all to obtain it outside of Kerberos context, like
> e.g. via pure LDAP authentication.
> >
> > Cheers,
> > Dmitry
> >
> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> >> Does anyone have feedback about getting a delegated GSSCredential?
> >>
> >> -----Original Message-----
> >> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> >> Sent: Wednesday, January 23, 2019 10:12 PM
> >> To: keycloak-user at lists.jboss.org
> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> >>
> >> Here is a Diagram of what I'm trying to do
> >>
> >> From: Chris Smith
> >> Sent: Wednesday, January 23, 2019 8:08 AM
> >> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> >> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
> >>
> >> I have setup my servlet to authenticate a user my web app using
> Keycloak Active Directory ldap user federation
> >>
> >> I can get a Delegated GSSCredential when the SPNEGO enabled
> browser runs on a workstation in the AD domain.
> >> When the browser workstation is not a member of the AD Domain, Keycloak
> will authenticate the user id and password entered on the keycloak login
> page, but there will not be a Delegated GSSCredential in the Access Token
> in my servlet.
> >>
> >> I have a requirement to use the GSSCredential to call programs on an
> IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a
> Kerberos Ticket from Active Directory as an authenticated credential (aka
> EIM, Enterprise Identity Mapping).
> >>
> >> Less than 1% of the users will be using browsers on workstations in the
> Active Directory domain.
> >>
> >> Can Keycloak put a GSSCredential for the logged in user in the Access
> Token when SPNEGO is not available from the browser?
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 61, Issue 39
> *********************************************
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
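The check Hans describes above (the IdP, NetIQ in this thread, holds Keycloak's signing certificate and is set to require signed AuthnRequests) is illustrated by the following added example. It is not code from this thread, from Keycloak or from NetIQ: a freshly generated RSA key stands in for the Keycloak SP's signing key, the AuthnRequest XML and its issuer URL are constructed placeholders, and the function names are my own. The block builds a SAML 2.0 HTTP-Redirect binding request on the SP side (DEFLATE, base64, URL-encode, detached RSA-SHA256 signature over the SAMLRequest, RelayState and SigAlg parameters) and then verifies it the way an IdP does, over the parameters exactly as they appear on the wire; with signing required, an unsigned request is rejected, and a request whose RelayState was altered after signing fails verification.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlg identifier for RSA-SHA256 in the SAML 2.0 HTTP-Redirect binding.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// Constructed minimal AuthnRequest; the issuer URL is a placeholder, not a real realm.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-1" Version="2.0" IssueInstant="2019-01-28T20:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://keycloak.example/auth/realms/demo</saml:Issuer></samlp:AuthnRequest>`

// signedString is exactly what the signature covers: the still URL-encoded SAMLRequest, RelayState (if present) and SigAlg, in that order.
func signedString(rawReq, rawRelay, rawAlg string) string {
	s := "SAMLRequest=" + rawReq
	if rawRelay != "" {
		s += "&RelayState=" + rawRelay
	}
	return s + "&SigAlg=" + rawAlg
}

// BuildSignedRedirectQuery is the SP side: DEFLATE+base64 the XML, sign the query with the SP key, append Signature.
func BuildSignedRedirectQuery(spKey *rsa.PrivateKey, xml, relayState string) (string, error) {
	var buf bytes.Buffer // raw DEFLATE into memory cannot fail, so its errors are not checked
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xml))
	w.Close()
	enc := base64.StdEncoding.EncodeToString(buf.Bytes())
	base := signedString(url.QueryEscape(enc), url.QueryEscape(relayState), url.QueryEscape(rsaSHA256))
	digest := sha256.Sum256([]byte(base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, spKey, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return base + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParam returns a parameter as it appears on the wire (still encoded): re-encoding a decoded value may not reproduce the bytes the SP signed.
func rawParam(rawQuery, name string) string {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, name+"=") {
			return strings.TrimPrefix(kv, name+"=")
		}
	}
	return ""
}

// VerifyRedirectQuery is the IdP side, holding the public key of the SP's signing certificate:
// reject unsigned requests when required, verify the signature over the wire-format parameters, then inflate the XML.
func VerifyRedirectQuery(rawQuery string, spPub *rsa.PublicKey, requireSigned bool) (string, error) {
	rawReq, rawSig, rawAlg := rawParam(rawQuery, "SAMLRequest"), rawParam(rawQuery, "Signature"), rawParam(rawQuery, "SigAlg")
	reqB64, err := url.QueryUnescape(rawReq)
	raw, decErr := base64.StdEncoding.DecodeString(reqB64)
	if rawReq == "" || err != nil || decErr != nil {
		return "", errors.New("missing or malformed SAMLRequest")
	}
	if rawSig == "" && requireSigned {
		return "", errors.New("unsigned AuthnRequest rejected: signature required")
	}
	if rawSig != "" { // skipped only when this IdP is configured not to require signing
		if alg, _ := url.QueryUnescape(rawAlg); alg != rsaSHA256 {
			return "", fmt.Errorf("unsupported SigAlg %q", alg)
		}
		sigB64, _ := url.QueryUnescape(rawSig) // a malformed value decodes to an empty, hence invalid, signature
		sig, _ := base64.StdEncoding.DecodeString(sigB64)
		digest := sha256.Sum256([]byte(signedString(rawReq, rawParam(rawQuery, "RelayState"), rawAlg)))
		if rsa.VerifyPKCS1v15(spPub, crypto.SHA256, digest[:], sig) != nil {
			return "", errors.New("AuthnRequest signature invalid")
		}
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(xml), err
}

// Demo: a fresh key stands in for the SP's signing key; it returns the XML recovered from the valid request and whether the unsigned and the tampered variants were rejected.
func Demo() (xml string, unsignedRejected, tamperedRejected bool, err error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	query, err := BuildSignedRedirectQuery(spKey, sampleAuthnRequest, "constructed-relay")
	if err != nil { return }
	xml, err = VerifyRedirectQuery(query, &spKey.PublicKey, true)
	_, e1 := VerifyRedirectQuery(strings.SplitN(query, "&Signature=", 2)[0], &spKey.PublicKey, true)
	_, e2 := VerifyRedirectQuery(strings.Replace(query, "RelayState=constructed-relay", "RelayState=tampered-relay", 1), &spKey.PublicKey, true)
	return xml, e1 != nil, e2 != nil, err
}

func main() {
	xml, unsignedRejected, tamperedRejected, err := Demo()
	fmt.Println(xml == sampleAuthnRequest, unsignedRejected, tamperedRejected, err)
}
```

The verifier deliberately reads the parameters back from the raw query string rather than re-encoding decoded values: the SP signed the URL-encoded bytes it put on the wire, and a re-encoding that differs by even one escape would make a genuine signature fail. The `requireSigned` flag is the counterpart of the "require/expect signed requests" setting on the IdP side; with it off, an unsigned request is inflated and accepted, which is exactly the gap the setting closes.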