#keycloak


If you ever try to get #Keycloak OAuth2 login working with #Odoo, and wonder why there are dozens of reported issues about "Sign up is not allowed on this database", here is the fix:

Go to /odoo/system-parameters and add a new parameter "auth_oauth.authorization_header" with value "True". It's infuriating I had to come to this conclusion by actively trying to fix the Python code, only to find out it doesn't need fixing but an undocumented config parameter.

Replied to Max Maass

@hacksilon Thanks for your response. Let me give you a bit more context on the issue I'm facing.

I installed OCIS (ownCloud Infinite Scale) and configured it to use Keycloak as the OIDC provider. The web login works perfectly, but I'm having trouble with the mobile apps (iOS and Android). Whenever I try to log in from the mobile apps, Keycloak reports a "client not found" error.

From what I've gathered from various forum posts, it seems that Keycloak is creating a new client each time a login attempt is made from the mobile apps. These dynamically created clients are not configured properly, which is causing the login to fail.

One developer suggested disabling dynamic client registration in Keycloak to prevent this issue. However, I'm not sure how to do this, especially since I'm using Keycloak version 26 and the settings aren't intuitive.

Your understanding that dynamic client registration is disabled by default makes sense, but it seems like something might be triggering it in my setup. Do you have any ideas on how I can ensure dynamic client registration is fully disabled, or any other suggestions to resolve this issue?

Thanks for your help!

Github: github.com/owncloud/client/iss

GitHub: OCHTTPStatusErrorDomain because new generic KeyCloak Client is being created for each login from Desktop/iOS/Android · Issue #11940 · owncloud/client (by walt-jones)

hi #keycloak and/or #docker fans, I'm looking at the getting started instructions here, can anyone help me understand where keycloak would be storing its data if I follow this guide? keycloak.org/getting-started/g

I don't see any bind mounts and I'm sorta worried all my data will go poof when the container is destroyed next reboot

www.keycloak.org: Docker - Keycloak. Keycloak is an open source identity and access management solution

I've recently set up #SSO into my #kubernetes ingress layer using #traefik in my #homelab setup, and I have to say it's going quite well.

I'm using the keycloakopenid middleware and pointing it to my #keycloak instance.

I could then enable the middleware on all of my ingressRoutes, and traefik immediately redirects requests to the login page if a valid bearer token is not present in the request.

I had to carve out some exceptions so the keycloak admin panel is protected but the routes needed to log in are still accessible anonymously.

It works well, without any fuss.

Next up I am hoping to configure the backend apps protected by this for better integration.

For example, #argoCD has SSO capabilities, and I should be able to enable them and not be prompted for a second login after the traefik layer login.

Long shot but, if there's any keycloak expert: sometimes the session for federated users doesn't include email although it's in scope. Any idea where I should look to investigate and ideally fix the problem?
(I can't find anything on GitHub and Google, of course)

I have just published a course titled "Identité et méthodes d'authentification" (Identity and Authentication Methods) under a CC-BY license: broken-by-design.fr/posts/cour

This course is aimed at people at M2 level and at beginner professionals, although more experienced people may find interesting information in it.

It includes an introduction to the different types of identity repositories, before diving into authentication from legal and technical angles. Multi-factor authentication, strong authentication, phishing-resistant authentication, authentication with good privacy guarantees! State-of-the-art authentication! You can learn more about these topics through this course.

And that is only the first part! This month, a second part will be published, on the subject of authorization, with a lab on setting up #Keycloak for federated authentication with OpenID Connect! Stay tuned!

broken-by-design.fr: Identité et méthodes d'authentification | Broken by Design. An M2-level course on identity and authentication methods

My #introduction (since I changed instance):

I am a Norwegian IT-engineer at the University of #Oslo. Originally from #Brazil, I moved to #Norway in 2011.

I work mostly with VMware stuff, but also spend most of my days configuring #linux images for VDIs, #Nextcloud, #Kerberos, #FreeIPA, #keycloak, etc.

I love #running, #sourdough baking and became #vegan in Feb 2022. I have #glaucoma.

I started mastodon.babb.no for friends and colleagues.

Mastodon hosted on babb.no: Babb.no. This Norwegian Mastodon server is an unofficial meeting place for University of Oslo people, and more!