I now using Keycloak 18.0.1.
When the user log in my system by Keycloak, I want to know exactly when the password will be expired.
For your information, I'm using keycloak-angular and keycloak-js
I have searched on https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation but it doesn't have an API that suit my need
Related
I am trying to set up SSO between two Keycloaks. The target Keycloak, where I want to configure the SSO has user federation set up in place and the user management is disabled. I was thinking of configuring IdP brokering between my source Keycloak and the target Keycloak so that I can use the same authentication token.
I have configured login redirection and when I try to login to the target system, I was promptly redirected to the source Keycloak. Unfortunately, upon entering the username and password, I was presented with a dialog box stating that my user already exists and offering me to either Review the profile or Add to existing profile.
Initially, I thought it is because the user modification is disabled by the user federation. I have manually created the same username on the system, which is providing a list of the users but even with this in place, I am still unable to log in and am presented with exactly the same error message.
When an user account is disabled on a connected IdP, how do I ensure the account is blocked as soon as possible on Keycloak? At the moment, the “disabled” user is able to continue using my SPA because Keycloak continues to refresh the access token without speaking to the external IdP.
One of the critical features required by my partners when using SSO is that they have control over their users’ access to my application. At the moment if the user was logged into my SPA, they can continue using it for about 24 hours. I would hope to cut that time down to 5 minutes, the lifetime of the access token.
The external IdP is Google. I have tried using both Keycloak’s builtin Social provider for Google as well as setting up a SAML app in Google and user-defind SAML provider in Keycloak. I’m using Keycloak v9 but can upgrade if necessary.
Is there a recipe to achieve my goal? What options do I need to set in the Keycloak client and SAML provider?
Many thanks!
The approach could be as follows. The resource server will need to do the checking with the IDP, not Keycloak.
Enable the option to Store Tokens and Read Stored Tokens in the IDP settings.
Assign users the broker/read-tokens role.
On the resource server, decide on a frequency to check whether the user has been disabled on the IDP. Be aware of each IDP's token introspection's endpoint. Each time the API is consumed:
First of course verify the access token as usual.
If it's time to verify against the IDP, call the Keycloak API with the access token to retrieve the IDP's access token.
The Keycloak endpoint is: https://{domain}/realms/{realm}/broker/{idpid}/token
Call the IDP's token introspection endpoint to validate the IDP access token.
Act accordingly if the IDP responds that the token is not valid. Respond with 401 and ensure that the Keycloak access token can't be used again. Maybe the end_session_endpoint or revocation_endpoint, not sure.
Token validation endpoints:
Google: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={access_token}
AuthO: https://{tenant}.eu.auth0.com/userinfo
MS Azure: doesn't exist, good luck with that!
I have configured Keycloak to the SAML/IDP given by "samltest.id" and it works if the user logs into the application. On some user actions I want to enforce the user to enter his credentials again.
In the application I use the login method in the Keycloak JS adapter as follows:
keycloak.login({ prompt: 'login' })
Also I set the "force authentication" flag in the SAML configuration in Keycloak.
So, what is happening is, that after trying the re-login, the user is redirected to the IDP (like expected) but after entering his credentials a WARN message is shown in Keycloak log:
WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
and the user is again redirected to the IDP.
After entering the credentials again, instead of updating the active user session, an additional session is created by Keycloak (so I can see two sessions for the user in the Keycloak admin console). This way, the token (which belongs to the first session) will not be updated, so in the application I can not recognize the success of the re-login of the user.
Currently I use the Keycloak version 7.0.0
This re-login behavior work just fine, if I do it on user authenticated directly by Keycloak .
This behavior I can not just reproduce with "samltest.id" but also with another IDP.
I also thought about, to do a logout instead of re-login, but this will close the user session and if the user decides to cancel his action, he will not be able to go just back to the application without authenticating himself again.
Has someone an idea how to solve this issue? Or if it can be solved at all?
We have configured a SAML based ext-idp with keycloak. Now we are trying to onboard users from ext-idm to keycloak. Usecase is, same user is already present in keycloak and same user is trying to login from ext-idm. Now keycloak is showing a consent page for linking the user. Is there a way to bypass this consent and link the ext-idm user to keycloak user?
For all Client Scopes in keycloak we disabled the 'Display On Consent Screen' option.
All clients 'Consent Required' is disabled.
Both changes did not help.
After disabling consent in Client scope we expected ext-idm users auto link with keycloak user. But as of now Keycloak asks for a consent before linking.
Probably you changed a SAML client (SAML SP) settings but you need to change Identity Brokering (SAML IdP) settings. Please read this section:
https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow
I have configured OpenLDAP with my keycloak, so that user management is taken care by LDAP. I have successfully sync the users from LDAP and I can see the user details in my List of users in Keycloak.I am using master realm only.
But when I try to generate token giving admin-cli client it gives this error.
Even the Authorization code flow it doesn't work.Tried to log in via keycloak UI it gives Invalid Credentials.
How can we use LDAP users for authentication in Keycloak ?