We have installed Argo CD and integrated with keycloak as the OIDC provider following the steps - https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/#integrating-keycloak-and-argocd
When we try to login to the Argo CD UI via keycloak, we see that the session is getting logged out in 5 mins. We did try to increase the Access token Lifespan to 15 mins but this still indeed did not increase the logout timeout of the UI and we observed that the user got logged out of the session within 15 mins. And this logout happens even though the user is doing some activity in the UI.
Any suggestions how we can increase the timeout so that the user doesn't get logged out quite frequently?
Related
I have a webapp that uses Keycloak for user management and auth provider successfully.
The same application requires a CLI tool for some operations (similar to the gcloud CLI + web console).
I've implemented the CLI part using the OIDC Authorization Code Flow that opens the browser for the user to authenticate. It works like a charm.
However, if the user logoff from the browser, Keycloak will invalidate the session and the cli will have to re-authenticate to get a new access_token and refresh_token.
My question here is, how can I force the CLI app login to create a new session separate from the browser session.
Or, if not possible, what's the correct way of achieving this?
Eventually, found out that I just have to add the scope offline_access to the list of scopes I am requesting. Keycloak will then create a new offline session (bad name for the feature, Offline just means that the user doesn't have to be present, but all the refreshes happen the same way)
https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/sessions/offline.adoc
I have configured Keycloak to the SAML/IDP given by "samltest.id" and it works if the user logs into the application. On some user actions I want to enforce the user to enter his credentials again.
In the application I use the login method in the Keycloak JS adapter as follows:
keycloak.login({ prompt: 'login' })
Also I set the "force authentication" flag in the SAML configuration in Keycloak.
So, what is happening is, that after trying the re-login, the user is redirected to the IDP (like expected) but after entering his credentials a WARN message is shown in Keycloak log:
WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
and the user is again redirected to the IDP.
After entering the credentials again, instead of updating the active user session, an additional session is created by Keycloak (so I can see two sessions for the user in the Keycloak admin console). This way, the token (which belongs to the first session) will not be updated, so in the application I can not recognize the success of the re-login of the user.
Currently I use the Keycloak version 7.0.0
This re-login behavior work just fine, if I do it on user authenticated directly by Keycloak .
This behavior I can not just reproduce with "samltest.id" but also with another IDP.
I also thought about, to do a logout instead of re-login, but this will close the user session and if the user decides to cancel his action, he will not be able to go just back to the application without authenticating himself again.
Has someone an idea how to solve this issue? Or if it can be solved at all?
We are using Keycloak 3.4.0 / Keycloak.js in our single page app. Keycloak stores its data within a MariaDB.
When I restart the Keycloak server (NOT MariaDB) and refresh my single page app I am redirected to the login page. I thougt that Keycloak stores all tokens within its database, shouldn't these tokens still be valid after a restart? Or is it expected that all sessions are logged out?
Do I have to use offline tokens to support this scenario?
The offline token is valid even after a user logout or server restart.
https://www.keycloak.org/docs/3.4/server_admin/index.html#_offline-access
This is written by one of the members of the Keycloak development team:
The JPA user session provider was
dropped (performance was horrible so we deemed it unusable). The user
session persister is only used for offline sessions, they survive a server
restart.
So yes, it seems like they removed it because of performance related issues. Here you've got the whole thread.
I downloaded WSO2 IS, took care of all the prerequisites and started it using "wso2server.bat --run" command.
It's running and I am able to configure it in Management Console as Identity Provider (SAML 2.0). I also added my app as Service Provider (SAML 2.0). SSO seems to be working - I navigate to my app, it redirects to WSO2 IS where I log in using default admin/admin. I am then redirected to assertion service in my app when I am authenticating a user. Everything great so far!
The problem is that when I close the browser (using incognito mode) and try to repeat that process and login to WSO2 IS using the same user (admin/admin) I get error message:
"Login failed! Please recheck the username and password and try again."
I also get similar message in console:
[2018-02-08 15:57:39,258] ERROR {org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener} - Trying to login from an inactive account of user: admin
How is that possible? It looks like the second I use given user during SSO process - that account gets deactivated. I can't even login to WSO2 IS Management Console.
I did not change any configuration other than mentioned above.
I would appreciate any help.
I'm trying to connect a Spring App Keycloak, but I get this error:
After I enter to my app, and I was redirected to Keycloak for authentication, I receive an error in my browser:
192.168.1.66 redirected you too many times.
Full url
URL: http://192.168.1.66:9092/keycloak-sp-example/sso/login?state=139%2F1ed115fb-4d4f-468c-9a72-845f9cfa9cdb&code=PVGhg5X28G8fjNt36tMGHTJIP7CQdHOhoK4XhPgUh3E.2d885db5-5c4f-43b1-9095-305494718a97
And, in the console, I got:
ERROR org.keycloak.adapters.OAuthRequestAuthenticator - failed verification of token: Token is not active.
It's a bug? Or is anything that I should configure in the console?
I found the problem, I was testing the product in a virtual machine without the correct time zone configured.
Try to sync the server timing of Keycloak and application server or else increase the access token life span which is not recommended.