Unable to log in (Admin Console) after changing master realm -> client -> security-admin-console -> (turn on) Client Authentication - authentication

The keycloak server was running fine in production mode.
We had a requirement to have a python service, that will upload bunch of users to keycloak for registration.
I passed the master realm's admin credentials in that Python script. As per a tutorial, I provided client_id = 'security-admin-console'. There was no client_secret, so I turned on 'Client Authentication' in master realm -> 'security-admin-console' and got the client_secret.
Now I am unable to log in to the Keycloak admin console and get an "Invalid client or Invalid client credentials" error.
How can I revert my server to its previous working state?
I tried to log in, making sure I was entering the correct admin credentials.

Failure When Trying to Connect AWS Cognito to Auth0

I’m trying to connect a user pool in my AWS Cognito instance to Auth0 following the instructions in the How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool? article.
When I click Debug from the Addon: SAML2 Web App section with the following settings…
Application Callback URL: https://{amazonCognitoDomain}.auth.{awsRegion}.amazoncognito.com/saml2/idpresponse
Settings
{
  "audience": "urn:amazon:cognito:sp:{cognitopoolId}",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
}
… I’m taken to the following URL
https://{subDomain}.auth0.com/login?state={someState}&client={auth0ClientId}&protocol=samlp&response_type=code&redirect_uri=https%3A%2F%2Fmanage.auth0.com%2Ftester%2Fsamlp
Which gives me this:
Opening the console I can see the error reported is…
At least one email, sms or social connection needs to be available.
I’ve also tried saving the settings and continuing on with the instructions in the article but got this same error when testing from Cognito.
I have one database connection enabled (see below) under the application’s Connections tab (which should store the email) and both the social and sms options are disabled.
Any help is very much appreciated!!
You must configure an authentication source (a connection in Auth0).
You're configuring Cognito as a SAML SP and Auth0 as the IdP. Auth0 needs to be configured to authenticate users in some way.
If you are using your own database you need to ensure you are handling authentication through hooks (action scripts).

How can I verify whether a username and password are correct even though multi-factor authentication is enabled in Azure AD?

I am wondering if there is any way to check whether the entered username and password are correct even though multi-factor authentication is enforced in Azure Active Directory.
I have set up an app with application permission (with admin consent) as well as delegated permission and am able to test both approaches using ConfidentialClient and PublicClient with the MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach, which is interactive and displays a popup for the Microsoft login. So the only approach I see here is to use app-only authentication (https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth).
I can use the confidential client (app only), since I have all the required admin consents granted, to get the OAuth token and then impersonate the user to access the EWS Managed API.
But the requirement is that the user should enter their Outlook password in the web form app before their emails are loaded (from the EWS Managed API, which needs the OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference on why I am not able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want Azure AD to check the username and password first and then use the confidential client to call APIs on behalf of the user.
This approach is somewhat hacky, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&client_secret=<confidential client app secret>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong username or password, the response would be:
If the username and password are correct, the response reports the MFA-related info:

How to authenticate a Keycloak instance A user from another Keycloak instance B?

We set up a testing environment for Keycloak. The environment runs on GCP. It has two Keycloak instances:
Instance A acts as a test login keycloak, named test-login-1
Instance B acts as a test external identity provider, named test-login-2
We need to use instance A to connect to instance B,
so that an instance A user is able to log in via instance B.
Is there any way to do this? How can we implement this logic?
You need to configure test-login-2 as an identity provider for test-login-1. You can read about identity brokering here. I will call the realm used by the internal Keycloak (test-login-1) the internal realm, and the realm used by the external Keycloak (test-login-2) the external realm.
For that go to the Admin Console and:
select your Realm from test-login-1, and click on Identity Providers
On the right side of the page select Keycloak OpenID Connect from the Add provider ... dropdown menu. It will popup the Add Identity Provider form, from there set:
the alias
the Authorization URL, Token URL, Logout URL, User Info URL and Issuer to the corresponding endpoints that can be found on the realm of test-login-2 at the .well-known endpoint (i.e., <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration)
For the Client Authentication you can select Client secret send as post
For the Client ID and Client Secret first you need to create a new client in your external realm (of test-login-2) and use its Client ID and Client Secret here.
This client:
can have Access Type Confidential
Standard Flow Enabled : ON
Valid Redirect URIs set it to your Keycloak IP followed by "*", for instance <KEYCLOAK_IP>*
Web Origins : +
Save
Bear in mind that some of those configurations might have to be adapted to your own needs.
Now if everything was set correctly, the internal realm login page of Keycloak (test-login-1) will show a new button that the users stored in the external realm (of test-login-2) can click to authenticate against the external realm.
Now you configure your app to land at the internal realm login page: the users from your internal realm authenticate immediately there, and the users from the external realm click the new button to explicitly authenticate against the external realm.
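The two places where this procedure is easy to get wrong are copying the five URLs out of the discovery document and choosing the Valid Redirect URIs on the external client. The script below is an added example, not the answerer's code or part of Keycloak: it maps a realm's .well-known document onto the identity-provider form fields, refuses endpoints that are not https or that live on a different origin than the issuer, and computes the exact broker redirect URI that test-login-1 will use, which is a narrower value to register than the `<KEYCLOAK_IP>*` wildcard. The hostnames, realm names and the discovery document itself are constructed for the example, and the `/auth/realms/...` path layout is assumed from the answer.

```javascript
// Added example (not from the answer or from Keycloak itself): turn the external
// realm's discovery document into the values for the "Keycloak OpenID Connect"
// identity-provider form, checking each endpoint before it is pasted in.
// The discovery document below is CONSTRUCTED; in practice fetch it from
// <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration.
const externalDiscovery = {
  issuer: "https://test-login-2.example/auth/realms/external",
  authorization_endpoint: "https://test-login-2.example/auth/realms/external/protocol/openid-connect/auth",
  token_endpoint: "https://test-login-2.example/auth/realms/external/protocol/openid-connect/token",
  userinfo_endpoint: "https://test-login-2.example/auth/realms/external/protocol/openid-connect/userinfo",
  end_session_endpoint: "https://test-login-2.example/auth/realms/external/protocol/openid-connect/logout",
};

// Identity-provider form field -> key in the OpenID Connect discovery document.
const FIELD_MAP = {
  "Authorization URL": "authorization_endpoint",
  "Token URL": "token_endpoint",
  "Logout URL": "end_session_endpoint",
  "User Info URL": "userinfo_endpoint",
  "Issuer": "issuer",
};

// Returns { field: url } for the form, or throws if a value is missing, is not
// https, or is served from a different origin than the issuer (a discovery
// document that sends the broker's token exchange elsewhere is a red flag).
function brokerFieldsFromDiscovery(doc) {
  if (typeof doc.issuer !== "string") throw new Error("discovery document lacks issuer");
  const issuer = new URL(doc.issuer);
  if (issuer.protocol !== "https:") throw new Error("issuer must use https");
  const fields = {};
  for (const [field, key] of Object.entries(FIELD_MAP)) {
    const value = doc[key];
    if (typeof value !== "string") throw new Error(`discovery document lacks ${key}`);
    const url = new URL(value);
    if (url.origin !== issuer.origin) {
      throw new Error(`${key} is served from ${url.origin}, not the issuer origin ${issuer.origin}`);
    }
    fields[field] = value;
  }
  return fields;
}

// The broker endpoint that Keycloak (test-login-1) uses as the redirect URI for
// this identity provider. Registering exactly this value on the external client
// is narrower than the "<KEYCLOAK_IP>*" wildcard. Assumes a Keycloak that still
// serves under /auth, as in the answer's URLs.
function brokerRedirectUri(internalBaseUrl, internalRealm, alias) {
  const base = internalBaseUrl.replace(/\/+$/, "");
  return `${base}/auth/realms/${encodeURIComponent(internalRealm)}/broker/${encodeURIComponent(alias)}/endpoint`;
}

// Stand-alone usage: print the values to paste into the form.
console.log(brokerFieldsFromDiscovery(externalDiscovery));
console.log("Valid Redirect URI:", brokerRedirectUri("https://test-login-1.example", "internal", "test-login-2"));
```

The origin check is deliberately strict: all five endpoints of a single Keycloak realm are served from the same host, so any endpoint on another origin means either a typo in the pasted value or a tampered document, and either one is worth stopping on before the broker starts exchanging codes with it.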

Authentication on LDAP Server using React Native and Firebase custom tokens

I'm trying to authenticate my users (from my RN application) through an LDAP server (I've already found one to try authentication with here, and it works!). I can create a custom token using Firebase every time I receive the users' credentials (username and password) and save it in the Firebase Realtime Database.
The main problem is that I do not know how to connect my application with the LDAP server. I investigated and found that I have to install something like OpenLDAP or ldapjs, but I do not understand how the authentication has to work.
My guess is:
User login in my RN application
The RN application sends credentials to Firebase
Firebase creates a custom token (uses the Firebase Functions to generate the custom token)
Firebase returns the custom token to the RN application
The RN application sends the token to the LDAP server (the server has predetermined users and passwords for testing)
The LDAP server validates the token, therefore, authentication
LDAP server returns attributes or "not found" to the RN application
The RN app grants / denies access to the app
Any help or advice will be well received, thanks :)
Sorry for my bad English.
You're almost there, but instead of sending the Firebase custom token to the LDAP server, you authenticate the user with the LDAP server before minting the Firebase token. Both of these must be done in a trusted environment, such as a server you control or Cloud Functions, and you'll typically use a Firebase Admin SDK on that environment.
So:
User login in my RN application.
The RN application sends credentials to trusted environment.
The trusted environment verifies the credentials with the LDAP server.
The trusted environment creates a custom token using the Firebase Admin SDK. If needed, this token can contain custom attributes from the LDAP server, in the form of custom claims.
The trusted environment returns the custom token to the RN application.
The RN app grants / denies access to the app.
For more on this, see the Firebase documentation on custom auth. From there:
To achieve this, you must create a server endpoint that accepts sign-in credentials—such as a username and password—and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web).
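Steps 3 and 4 of the corrected flow are where the security of the whole scheme lives, so here is an added example of that server-side endpoint logic; it is not the answerer's code nor Firebase's or ldapjs's. The LDAP bind and the token minting are passed in as functions, so the handler runs here against constructed fakes; in a real Cloud Function you would pass ldapjs's `client.bind(dn, password, callback)` (wrapped in a promise) and `admin.auth().createCustomToken(uid, claims)` from the Firebase Admin SDK. The base DN `ou=people,dc=example,dc=com`, the `uid` naming attribute, and the directory contents are assumptions for the example. Two defensive details are built in: an empty password is rejected before the bind, because RFC 4513 treats a DN with an empty password as an unauthenticated bind that many servers accept; and the username is escaped per RFC 4514 before it is placed in the bind DN, so a value like `bob,ou=admins` cannot change which entry is bound.

```javascript
// Added example (not from the answer, Firebase or ldapjs): the trusted-environment
// endpoint that verifies credentials against LDAP and then mints a Firebase custom
// token. LDAP and Firebase clients are injected so the handler runs offline here.

// Escape a value for use inside a DN (RFC 4514): special characters, a leading
// '#' or space, a trailing space, and NUL.
function escapeDnValue(value) {
  let out = value.replace(/([\\,+"<>;=])/g, "\\$1").replace(/\u0000/g, "\\00");
  if (out.startsWith("#") || out.startsWith(" ")) out = "\\" + out;
  if (out.endsWith(" ") && !out.endsWith("\\ ")) out = out.slice(0, -1) + "\\ ";
  return out;
}

// ASSUMED directory layout: users live under this base DN, named by uid.
const USER_BASE_DN = "ou=people,dc=example,dc=com";

// Build the bind DN for a username, or return null for unusable input.
function bindDnFor(username) {
  if (typeof username !== "string" || username.length === 0 || username.length > 128) return null;
  return `uid=${escapeDnValue(username)},${USER_BASE_DN}`;
}

// deps.ldapBind(dn, password): resolves on success, rejects on invalid credentials.
// deps.fetchAttributes(dn): resolves to attributes of the bound entry (e.g. groups).
// deps.createCustomToken(uid, claims): resolves to the signed Firebase custom token.
async function loginHandler({ username, password }, deps) {
  const failure = { ok: false, reason: "invalid credentials" }; // same answer for every failure mode
  // RFC 4513 5.1.2: DN + empty password is an unauthenticated bind that may
  // succeed on many servers, so refuse it before it ever reaches LDAP.
  if (typeof password !== "string" || password.length === 0) return failure;
  const dn = bindDnFor(username);
  if (dn === null) return failure;
  try {
    await deps.ldapBind(dn, password);
  } catch (e) {
    return failure;
  }
  const attrs = await deps.fetchAttributes(dn);
  // The LDAP uid becomes the Firebase uid; group membership rides along as custom claims.
  const token = await deps.createCustomToken(username, { groups: attrs.groups || [] });
  return { ok: true, token };
}

// ---- CONSTRUCTED fakes so the example runs without a directory or Firebase ----
const FAKE_DIRECTORY = {
  "uid=alice,ou=people,dc=example,dc=com": { password: "correct horse", groups: ["staff"] },
};
const fakeDeps = {
  ldapBind: async (dn, pw) => {
    const entry = FAKE_DIRECTORY[dn];
    if (!entry || entry.password !== pw) throw new Error("invalidCredentials");
  },
  fetchAttributes: async (dn) => ({ groups: FAKE_DIRECTORY[dn].groups }),
  createCustomToken: async (uid, claims) => `fake-token:${uid}:${claims.groups.join("|")}`,
};

// Stand-alone usage: one good login, one wrong password, one empty password.
Promise.all([
  loginHandler({ username: "alice", password: "correct horse" }, fakeDeps),
  loginHandler({ username: "alice", password: "wrong" }, fakeDeps),
  loginHandler({ username: "alice", password: "" }, fakeDeps),
]).then((results) => console.log(results));
```

Returning the same `invalid credentials` result for an unknown user, a bad password and an empty password keeps the endpoint from acting as a username oracle; the RN app only ever sees a token or a generic failure.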

What do Active Directory LDAP users enter as a username to login to OBIEE analytics?

WebLogic and LDAP are integrated, I can see users and groups in the Console security realm. Setup was minimal - simply added and set specs for an AD provider, nothing else.
However, all username combinations I've tried end up in wrong user/password in the analytics login screen, and "access denied" in the BI cluster log.
So what should be the username syntax that AD accounts are to enter? I am trying to allow any AD account to be able to login at this point.
UPDATED per Chris's request:
WL version 12.2.1
Documentation: very vague help screens from the WL console, missing the part I'm trying to figure out specifically
Error from the managed server log/obis1: BI security access is denied - web service credentials are invalid
The account works, however, in Windows Network, AD Server, and is visible inside WL with its specific AD group.
The correct answer to this: you can use the exact same credentials you would use when logging in to the AD server directly. Getting an "invalid user/password" error can be indicative of a lot of other problems stemming from the LDAP Authenticator configuration.