How to change host in Keycloak update password email - kubernetes

We use the Keycloak REST API to send the update-password email to users. In my setup, Keycloak and the application making REST calls to Keycloak (using the Keycloak admin client library) are deployed inside a Kubernetes cluster. From my application I am using the Kubernetes service name to talk to Keycloak,
e.g. http://keycloak-http:8100/auth
With this setup, the update-password link in the email looks like this:
http://keycloak-http:8100/auth/realms/test/login-actions/action-token?key=somekey
So I need to change only the host in this URL.
I looked at the executeActions.ftl file in the Keycloak theme and it doesn't have any specific parameter for just the host which I can customize.
Any ideas how I can achieve this?
Thanks in advance.

In my case, Keycloak 9+, I used the "Frontend URL" in the Realm Settings to specify the hostname.

I had a similar issue, and it turns out that by default the host name is filled with the request hostname (using Keycloak 6.0.1).
All I had to do was trigger the email generation with the hostname I wanted in the email.
--> Trigger the update action from the URL you need (and that is accessible):
http://externalurl.keycloak.com/auth/...
You can also change the hostname provider to use a FixedHostnameProvider, or a custom one (it is RequestHostnameProvider by default):
https://www.keycloak.org/docs/latest/server_installation/#_hostname
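For reference, the standalone.xml settings behind both answers, as an added example rather than configuration taken from either answer. On Keycloak 4 to 8 (the FixedHostnameProvider the second answer mentions) the `fixed` provider pins the host that goes into every generated URL, including the action-token link in the e-mail; on Keycloak 9+ (the Frontend URL the first answer mentions) the `default` provider reads `frontendUrl`, and the Frontend URL field in Realm Settings overrides it for a single realm. The hostname `externalurl.keycloak.com` and the port choices are assumptions; the two fragments are alternatives for the `<spi name="hostname">` element in the `keycloak-server` subsystem, not both at once.

```xml
<!-- Keycloak 4 - 8 (WildFly standalone.xml, keycloak-server subsystem).
     Without this, RequestHostnameProvider copies the Host header of whatever
     request triggered the e-mail, i.e. keycloak-http:8100 when the admin client
     calls Keycloak through the in-cluster service name. -->
<spi name="hostname">
    <default-provider>fixed</default-provider>
    <provider name="fixed" enabled="true">
        <properties>
            <!-- assumed public name; -1 leaves the port out of generated URLs -->
            <property name="hostname" value="externalurl.keycloak.com"/>
            <property name="httpPort" value="-1"/>
            <property name="httpsPort" value="-1"/>
            <!-- The action-token "key" in the mail authorizes the password
                 reset by itself, so force https:// in the emitted links.
                 Leave this false only if the public endpoint has no TLS. -->
            <property name="alwaysHttps" value="true"/>
        </properties>
    </provider>
</spi>

<!-- Keycloak 9+: the "default" provider reads frontendUrl instead.
     forceBackendUrlToFrontendUrl=false is what the asker wants: the admin
     client keeps using http://keycloak-http:8100/auth inside the cluster while
     user-facing links (e-mail, redirects, OIDC discovery "issuer") use the
     frontend URL. A Frontend URL set in Realm Settings overrides this value
     for that realm only. -->
<spi name="hostname">
    <default-provider>default</default-provider>
    <provider name="default" enabled="true">
        <properties>
            <property name="frontendUrl" value="https://externalurl.keycloak.com/auth"/>
            <property name="forceBackendUrlToFrontendUrl" value="false"/>
        </properties>
    </provider>
</spi>
```

After changing the provider, request a fresh update-password e-mail and check that the link host, and the `issuer` in `/auth/realms/test/.well-known/openid-configuration`, both show the external name; if the issuer changes, existing clients that validate it against the old in-cluster name will start rejecting tokens.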

Related

Keycloak, changing domain

I now have two domains pointing to the same server where Keycloak is running.
Currently Keycloak is set to the domain testa.com. What I would like to do is change the domain to domain b, testb.com.
We added a new domain. Which steps do I need to perform? I will change the URLs under the clients, but still, Keycloak will always use the admin console URL of the old domain.
Thank you

How to create authentication with Kubernetes when service is already existing?

I'm reading through https://kubernetes.io/docs/reference/access-authn-authz/authentication/, but it is not giving any concrete commands and it is mostly focused on the case where we want to create everything from scratch. It's also explaining auth for engineers using Kubernetes.
I have an existing deployment and service (with an exposed external IP) and would like to create the simplest possible authentication (preferably token based) for an external user accessing the exposed IP. I can't add authentication to the services since I don't have access to their code. If somebody could help me with some commands I would be grateful.
The documentation you referred to is for authentication with k8s (for API access). This is not for application-layer authentication.
However, I can suggest one way to implement application-layer authentication without changing the service at all. You can redirect the traffic to nginx (or any other reverse proxy), which can perform the authentication and redirect the authenticated user to the service directly. It can also perform some kind of authorization too.
There are various resources available which can help you choose among the authentication mechanisms available in nginx, such as a password-file-based mechanism (link) or JWT-based authentication (link).
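A concrete nginx.conf for the reverse-proxy approach the answer describes, as an added example (not from the answer or the linked resources): nginx terminates TLS, enforces HTTP basic authentication from a password file, and proxies authenticated requests to the existing service, which is never modified. The upstream name `backend.default.svc.cluster.local:8080`, the host `api.example.com`, the certificate paths and the cluster DNS address `10.96.0.10` are assumptions to adjust for your cluster.

```nginx
# Added example. nginx in front of an existing Kubernetes service, adding
# authentication the service itself knows nothing about.

events {}

http {
    # Resolve the service name through cluster DNS at request time, so a
    # recreated service does not leave a stale IP cached in nginx.
    # 10.96.0.10 is an assumed CoreDNS/kube-dns ClusterIP; check with
    #   kubectl -n kube-system get svc
    resolver 10.96.0.10 valid=30s;

    server {
        listen 443 ssl;
        server_name api.example.com;            # assumed public name

        ssl_certificate     /etc/nginx/tls/tls.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/tls.key;

        location / {
            # Basic auth sends the password base64-encoded, not encrypted,
            # so it is only enabled on this TLS listener.
            auth_basic           "Restricted";
            # Create the file with: htpasswd -c /etc/nginx/htpasswd alice
            # (nginx accepts apr1, crypt(), {SHA} and {SSHA} entries).
            auth_basic_user_file /etc/nginx/htpasswd;

            set $upstream http://backend.default.svc.cluster.local:8080;
            proxy_pass $upstream;

            # Strip the client's credentials before proxying: the backend
            # has no use for them and should not see every user's password.
            proxy_set_header Authorization "";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Plain HTTP only redirects, so credentials are never accepted in clear.
    server {
        listen 80;
        server_name api.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Once nginx is in place, the service's own external IP must be removed (change the Service to ClusterIP) so that the only route to it from outside goes through the proxy; otherwise the authentication is bypassable. For the token-based variant the asker prefers, the same layout works with nginx's `auth_request` directive pointing at a small service that validates the bearer token, instead of `auth_basic`.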

Keycloak Admin Console requires HTTPS when connected remotely (Should I disable SSL)

I am connecting to Keycloak remotely, and when I try to open the Admin Console, I get an error saying HTTPS required.
On one of the websites, it says that I should do this: "update REALM set ssl_required='NONE' where id = 'master';"
But I do not know the consequences of doing this. Will this make it insecure? Or can I reverse this?
Thank you
(And if I ran Keycloak within a Docker image, would this problem be solved?)
The admin console uses the OpenID Connect protocol, which needs HTTPS to be secure. So it isn't a good idea to disable SSL in the prod environment.
Keycloak in a container doesn't solve your problem. But it provides a user-friendly approach to generate a self-signed cert - Keycloak Docker HTTPS required
The secure option is to generate a valid TLS certificate and use it in your Keycloak instance, so you have a valid, secure TLS/HTTPS connection.
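The settings that implement the answer's secure option on the WildFly-based Keycloak distribution (standalone.xml), added here as an example rather than taken from the answer. The keystore file name, password and alias are assumptions; the certificate in the keystore must be issued for the hostname typed into the browser, or the console will still fail, now with a certificate warning instead of "HTTPS required".

```xml
<!-- Added example. Terminate TLS in Keycloak itself instead of setting
     ssl_required to NONE. The keystore can be created with keytool or by
     importing a CA-issued certificate and key. -->
<management>
    <security-realms>
        <security-realm name="ApplicationRealm">
            <server-identities>
                <ssl>
                    <!-- WildFly also accepts an expression such as
                         keystore-password="${env.KC_KEYSTORE_PASSWORD}"
                         to keep the secret out of the file. -->
                    <keystore path="keycloak.jks"
                              relative-to="jboss.server.config.dir"
                              keystore-password="changeit"
                              alias="keycloak"/>
                </ssl>
            </server-identities>
        </security-realm>
    </security-realms>
</management>

<!-- This listener is already present in the undertow subsystem of a stock
     standalone.xml and binds the realm above to port 8443 (the https
     socket-binding); it only needs the keystore to exist. -->
<https-listener name="https" socket-binding="https"
                security-realm="ApplicationRealm" enable-http2="true"/>
```

With TLS working, leave the realm's SSL Required setting at its default, EXTERNAL, which is what the SQL statement in the question would have changed: EXTERNAL demands HTTPS from every client that is not on a private address range, NONE turns the check off entirely, and ALL demands it even from localhost. If the UPDATE was already run, the same statement with `ssl_required='EXTERNAL'` restores the default.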

OAuth access_denied on login from all providers after server IP change

We recently changed the IP address on a server hosting one of our services based on .NET Web API 2.
The service is using OAuth2, providing external logins via Facebook/Google.
We're still using the same server and the same host name for our services; only the IP address has changed. Now I'm getting back my login URL with "&error=access_denied" whenever I try to log in using Facebook/Google.
I have checked every setting in both Facebook's and Google's developer consoles, but nothing seems to apply. If I remove the OAuth redirect URI, I get an error that the URL is blocked, so the settings seem to take effect.
What have I missed?
Funny how asking a question makes you think even more outside of the box. The culprit was that the wrong DNS server was set on the web host.
I'll see myself out...

WSO2 Identity Server Initial Setup for Cloud Host

After a fresh install, I'm able to log in to the https://host:9443/carbon URL, but not able to register a local user through the dashboard due to an immediate redirect to the URL https://localhost:9443/samlsso.
Which files need to be configured to reflect the valid hostname? Are there any digital certificates required to secure SSL for that host, and where is the place to store them?
Thanks in advance for hints on how to set up the WSO2 Identity environment.
Regards,
Claude
You can change the hostname value for the key IdentityProviderSSOServiceURL in the repository/conf/security/authenticators.xml file.
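The relevant part of that file with the change applied, added as an example rather than taken from the answer. Only the IdentityProviderSSOServiceURL parameter comes from the answer; the surrounding element and the other parameter names are as they appear in a stock WSO2 Identity Server 5.x install, abbreviated, and should be checked against your own file. The hostname `idp.example.com` is an assumption.

```xml
<!-- repository/conf/security/authenticators.xml (added example, abbreviated) -->
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonServer</Parameter>
        <!-- Was https://localhost:9443/samlsso. The browser is redirected
             here, so it must be a name the browser can resolve, and the
             server's TLS certificate must be issued for that same name. -->
        <Parameter name="IdentityProviderSSOServiceURL">https://idp.example.com:9443/samlsso</Parameter>
        <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
        <!-- Alias of the IdP signing certificate in the trust store; the
             stock self-signed "wso2carbon" key is for evaluation only. -->
        <Parameter name="IdPCertAlias">wso2carbon</Parameter>
        <!-- remaining stock parameters unchanged -->
    </Config>
</Authenticator>
```

The redirect goes to whatever this parameter says, so the same "localhost" mistake shows up as a connection to the admin's own machine rather than the server; after editing, restart the server and confirm the redirect target in the browser's address bar before re-testing user registration.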