Why does Keycloak set the wrong execution (of another required action)? - keycloak

We are now about to move to Keycloak 14 (from 10.0.2),
and I found a strange problem with KC 14.
We have two custom required actions, which have the correct order on the required actions page (in the admin console). I add these actions to a user. After the redirect to the first action, I found that the execution parameter in the URI was set to the wrong value (the value for the other required action). Because of this, the links on the page don't work correctly (I get an error page with the loginTimeout error message).
I found the place in the KC code where the execution parameter is set:
AuthenticationManager
On line 1035 the reqAction variable holds the wrong required action name. I think this value has to be set using the required action priority. Is it a bug? Or am I doing something wrong?
On Keycloak 10.0.2 I didn't see this problem.
Thank you for your help.

This is probably already too late, but I thought it would still be nice for other people in the future to see an answer.
I had the exact same problem and was able to solve it for myself. I don't know whether it will also work for you.
Apparently, there was one part in my own custom code where I added actionB before actionA:
user.addRequiredAction("actionB"); // added first
user.addRequiredAction("actionA"); // added second
But in the ranking (under Authentication > Required Actions in Keycloak) actionA is above actionB and is therefore shown first to the user.
However, it seems the actions are saved in the order given by the code (which makes sense), and the URL the user is redirected to after login does not take the ranking into account, so the URL is:
[website]/auth/realms/bpc/login-actions/required-action?execution=actionB[...]
which of course causes problems with the generated links in the form.
Once I changed the order in the code to reflect the actual ranking, everything worked perfectly.
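Rather than hard-coding the insertion order to mirror the console ranking (and having to revisit the code whenever an administrator changes a priority), a custom provider can read the realm's configured priorities and add the actions in that order. The helper below is an added example, not code from the answer above or from Keycloak itself. It relies on the real Keycloak server SPI types RealmModel, UserModel and RequiredActionProviderModel (getRequiredActionProvidersStream() is the stream-based accessor available since Keycloak 12); the class name RequiredActionOrdering and the aliases "actionA"/"actionB" in the usage comment are assumptions for illustration.

```java
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserModel;

/**
 * Adds required actions to a user in the order of the realm's configured priority
 * (Authentication > Required Actions in the admin console), so the first action stored
 * on the user is also the one the console ranks first. Illustrative helper, not part of Keycloak.
 */
public final class RequiredActionOrdering {

    private RequiredActionOrdering() {}

    /**
     * Returns the aliases in {@code wanted} sorted by realm priority (lowest value first,
     * which is how the console orders them). Only enabled, registered providers are kept;
     * a disabled or unknown alias is reported as an error rather than silently dropped,
     * because the user would otherwise carry an action that can never be completed.
     */
    public static List<String> sortByRealmPriority(RealmModel realm, Set<String> wanted) {
        List<String> ordered = realm.getRequiredActionProvidersStream()
                .filter(RequiredActionProviderModel::isEnabled)
                .filter(p -> wanted.contains(p.getAlias()))
                .sorted(Comparator.comparingInt(RequiredActionProviderModel::getPriority))
                .map(RequiredActionProviderModel::getAlias)
                .collect(Collectors.toList());

        if (ordered.size() != wanted.size()) {
            Set<String> missing = new HashSet<>(wanted);
            ordered.forEach(missing::remove);
            throw new IllegalArgumentException(
                    "Required actions not registered or disabled in realm '"
                            + realm.getName() + "': " + missing);
        }
        return ordered;
    }

    /** Adds the actions so that insertion order matches the console ranking. */
    public static void addInPriorityOrder(RealmModel realm, UserModel user, Set<String> wanted) {
        for (String alias : sortByRealmPriority(realm, wanted)) {
            user.addRequiredAction(alias);
        }
    }
}

// Usage from a custom provider (aliases are placeholders):
//   RequiredActionOrdering.addInPriorityOrder(realm, user, Set.of("actionA", "actionB"));
```

Because the order is derived from the realm at the moment the actions are assigned, moving an action up or down in the admin console after deployment no longer requires a code change; the check for unknown or disabled aliases also surfaces a misconfigured provider at assignment time instead of as a loginTimeout error page for the end user.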

Related

keycloak: Determine which RequiredAction was initially called in info.ftl

I am using custom required actions in Keycloak 16. At the end of the action processing the user sees the content of the info.ftl template. Is it possible to use different info.ftl files depending on which action was performed, or is there a way to find out from within the info.ftl template which action(s) were executed?
I helped myself by adding a cookie in the request and querying this cookie in info.ftl. Not very elegant, but it works for me.

.HttpContext.User is null after successful login from SAML Identity Provider?

I'm trying to retrofit an old WebForms application.
I've got my configuration working so that it prompts for login and successfully redirects back to the application. The folks who manage the IP can see that the response is generated.
However, in the callback to my application the User is null. I'm told that if it's configured correctly it should be populated.
We have a custom IHttpModule, and that is where I can see the call to /Saml2/Acs being hit with the User not populated. I think this may be expected, as the handler for that is supposed to populate the User, I think? However, the following call (to the returnUrl configured in sustainsys.Saml2) still has no User, and I don't see any sort of error or anything.
Does anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web.config.
The comment in the example was:
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule.
However, in my case I had another authentication module involved that needed to go last.

Work Item transition is not returned in VSTS with Rest API

For some reason I can't get the transitions (next available states) for a work item with a REST call.
I tried exactly what is in the documentation:
transitions
Here is my REST call:
BASE_URL/_apis/wit/workitemtransitions?ids=14&api-version=4.1-preview.1
The BASE_URL works with other calls, and the work item with id 14 can be loaded too, so it exists, but I don't get any result back when I try to get the transitions (the usual Page not found is returned).
What is the problem here?
Tested on my side and everything works as expected.
Generally, if the base URL is incorrect you will receive the Page not found message, so please double-check that you have entered the correct base URL (maybe a typo?).
Another possibility is that no transitions are defined for the specific work item type.

Having trouble AFTER form submission with zombie.js

I have the following setup on my site:
You enter credentials on a login page, which takes you to a second page (which normally produces no screen output) that validates the user and redirects them to the appropriate homepage.
My step definitions consist of three steps:
Load up initial login page.
Enter credentials and submit.
Verify (by checking page title) that I made it in the homepage.
My first step passes with flying colors.
My second step claims to pass.
My third step fails.
Upon review, I found that it's because the second step, while it officially didn't fail, didn't do what it was supposed to do. Zombie got stuck on the validation page. At first I thought it was just missing the redirect, but it seems that it doesn't execute ANYTHING on the validation page. I even commented out the entire page and simply put an output of "Hello" at the top of the page. If browser.html() can be believed, it doesn't even see that. I know I make it to the second page because I have
console.log("\n" + browser.location.href);
which shows me the URL of the second page.
I then have
console.log(browser.html());
which is empty.
I even have a:
browser.wait(10000,callback);
beforehand to give it some processing time but to no avail.
Some information that might be relevant:
This is a ColdFusion site. I know zombie handles CF since it loads the login page initially, although there's not much actual CF processing going on there.
There's DB access happening. If zombie is accessing the site like a regular browser, it shouldn't make a difference, but it's there. Although even when I comment everything out it still doesn't work, so I doubt that's actually relevant.
This is my script portion for the login step. Please advise if I'm approaching this the wrong way.
this.When(/^I input my credentials$/, function(callback) {
    browser.fill("login", "myusername").fill("password", "mypassword");
    browser.document.forms[0].submit();
    // Put in here to account for the redirect time it will take to get past the validation page to the actual home page
    browser.wait(10000, callback);
    callback();
});
If you need any other information, please let me know. I would appreciate any help whatsoever in being able to make this work!
I am not sure I fully understand your problem, but it looks like this may be an issue with the way you are handling asynchronous calls. At any rate, you should not need to browser.wait for something like this at all. Try something like the following:
this.When(/^I input my credentials$/, function(callback) {
    browser
        .fill("login", "myusername")
        .fill("password", "mypassword")
        .pressButton("#selectorForYourButton", function (err) {
            // Check for errors or any other behaviour this test is actually about
            callback();
        });
});
First, the pressButton method is preferable because it gets closer to testing actual browser interaction. But more importantly, callback() is only executed after all the events fired off by pressing the button have been resolved.

Custom URL parameters lost after OpenAM login redirection

I'm using OpenAM for authentication on my application. I access my app using a URL such as:
http://my.company.com/appfolder/appservlet?lang=EN&user=test
On first access, the OpenAM agent catches the URL and redirects my browser to the authentication page using this redirection URL:
...openam/UI/Login?goto=http%3A%2F%2Fmy.company.com%3A8080%2Fappfolder
After correct authentication, I'm finally redirected to the following URL:
http://my.company.com/appfolder
This is logical, since this is the URL referenced in the goto param. But it's not the same as the original one: the servlet and custom params (lang and user) are missing.
Any idea how to configure my agent so that it keeps the servlet and params after redirection?
Take a look at this step of the tutorial "Add Authentication to a Website using OpenAM".
In the section "Creating An Access Policy" -> "Wildcard matching" is your answer:
The wildcard * in policy URLs does not match '?'. As such, if you
wish to allow GET parameters to be submitted, then a second policy for
http://webserver.example.com/*?* is required.
Thanks for your answer. As mentioned in my previous comment, adding the new policy does not resolve my issue. Actually, I'm not sure I understand how the policies can solve the issue, since the goto parameter is generated by the J2EE agent, which acts before policies are applied (as far as I know... I may be wrong).
Anyway, I was able to solve my problem by recompiling the J2EE agent: I built a new agent.jar based on v3.0.3 available from ForgeRock. Then I replaced the AmFilterRequestContext.class with a new one, built from the source available here:
http://www.docjar.com/html/api/com/sun/identity/agents/filter/AmFilterRequestContext.java.html
With this new agent, my goto is now correct and the redirection works well (and I don't have to define any policy).
The strange thing is that I don't understand why it works now! I couldn't find any difference between the Java source mentioned above and the decompiled version of the original class! I just added some System.out.println calls to get variable values and function results, and built the jar. After restarting my JBoss, the goto was correct. I'll try to understand why this finally works when I have time.