From bburke at redhat.com Sat Apr 1 09:11:36 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 09:11:36 -0400
Subject: [keycloak-dev] [authz] Roles as first class citizens
Message-ID: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>

I find creating role policies cumbersome. Also, how is the admin supposed to know if a policy with a specific role has already been created or not? Maybe policies can have DENY and PERMIT role lists. When creating permissions you can just pick roles to add/remove to the permission. I think the most used, most common case (90% of the time?) will be assigning role permissions to resources, so we should make it as easy as possible, both within the admin UI and APIs. Thoughts?

Bill

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev


From psilva at redhat.com Sat Apr 1 10:21:36 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 11:21:36 -0300
Subject: [keycloak-dev] [authz] Roles as first class citizens
In-Reply-To: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>
References: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>

I think you are exploring now a new way of seeing things.

Today we have a flexible permissioning model where you define independent policies to build these permissions or even build other policies. Where you may have a library of policies, reuse these policies across different permissions, etc.

What you are proposing, if I understood correctly, and that is what I meant by the "new way of seeing things", is to also allow users to create permissions more easily without necessarily having to create policies. In other words, we would be providing additional permission types (in addition to resource/scope) for some very common use cases like the one you mentioned, where you just need a white/blacklist of roles.

Does it make sense?


From bburke at redhat.com Sat Apr 1 10:31:07 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 10:31:07 -0400
Subject: [keycloak-dev] [authz] Roles as first class citizens
References: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>

Yes, because I think the most common permission will be 100% role based.


From psilva at redhat.com Sat Apr 1 10:40:48 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 11:40:48 -0300
Subject: [keycloak-dev] [authz] Roles as first class citizens
References: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>

What about creating a new permission type called "Roles" or whatever, which provides a single page from where you can select:

* Resource
* Scopes
* Whitelist of Roles
* Blacklist of Roles
* Policies (in case you want to also apply any other policy in addition to both white/blacklist)

?


From bburke at redhat.com Sat Apr 1 11:15:06 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 11:15:06 -0400
Subject: [keycloak-dev] [async] Why is async jaxrs being used?

I don't understand why async-http support for JAXRS is being used for Authz requests. Async HTTP is only useful when you want to limit the amount of long running requests or you have an operation that may block for some time. Do you want to limit the number of authz requests that can happen at one time? Or, do you have an operation that may block? Otherwise I don't see the point of using async HTTP. It complicates the code.

Looking at your ScheduledPermissionEvaluator you aren't even using the Executor that is passed into the constructor, so it's all happening in the same thread anyways.
Bill


From bburke at redhat.com Sat Apr 1 11:27:59 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 11:27:59 -0400
Subject: [keycloak-dev] [authz] Roles as first class citizens
References: <96c472d6-ceec-26d5-1601-0de66277d877@redhat.com>
Message-ID: <43a54579-63e9-74f9-dad9-cfe1f14cb582@redhat.com>

Maybe we don't need a whitelist and blacklist. Just a list. The decision strategy can decide stuff.


From bburke at redhat.com Sat Apr 1 11:33:17 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 11:33:17 -0400
Subject: [keycloak-dev] [async] Why is async jaxrs being used?
Message-ID: <934ee3ce-4780-1ef2-fd60-3392d227cbec@redhat.com>

I say this because I'm trying to run the policy evaluator within the IDE within the arquillian testsuite and it is failing. We have regular non-async servlet filters in Keycloak. Undertow now checks to see if there are any non-async servlet filters and won't allow async http.


From bburke at redhat.com Sat Apr 1 12:20:27 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 12:20:27 -0400
Subject: [keycloak-dev] [authz] All permissions must pass?
Message-ID: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com>

So all permissions must pass when evaluating a resource/scope authorization? Just did some testing in the admin console. I have 2 permissions. I used the policy evaluator for a resource/scope combo. One permission passes, the other fails. Evaluator result is DENY:

Result: DENY
Scopes: No scopes available.
Policies:
# map.role.permission.realm-management.manage-authorization: decision was PERMIT by UNANIMOUS decision.
  * role.policy.realm-managementmanage-users voted to PERMIT.
  * role.policy.realm-managementmanage-authorization voted to PERMIT.
# role-mapper-permission: decision was DENY by UNANIMOUS decision.
  * role-mapper voted to DENY.


From psilva at redhat.com Sat Apr 1 14:16:36 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 15:16:36 -0300
Subject: [keycloak-dev] [async] Why is async jaxrs being used?
In-Reply-To: <934ee3ce-4780-1ef2-fd60-3392d227cbec@redhat.com>
References: <934ee3ce-4780-1ef2-fd60-3392d227cbec@redhat.com>

As you noticed with the ScheduledPermissionEvaluator, policy evaluation is a blocking operation. The idea is to provide in the future ways to configure an executor and allow more authz requests to happen in parallel, with complete control over how it is done.

Right now, yes. We don't have this yet but are just using a single thread.

Some time ago I did some tests using executors but I had no success, mainly because of issues with the JPA EntityManager.

I'm OK to remove async for now but keep an eye on the future for future improvements in this area.

Regards.
Pedro Igor


From psilva at redhat.com Sat Apr 1 14:19:04 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 15:19:04 -0300
Subject: [keycloak-dev] [authz] All permissions must pass?
In-Reply-To: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com>
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com>

The evaluator may give you this output. But what about the permissions you got in the token (that 'Show Authorization Data' link on top of the result page)? If you got PERMIT for a scope you should see it in the token.


From psilva at redhat.com Sat Apr 1 14:22:42 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 15:22:42 -0300
Subject: [keycloak-dev] [async] Why is async jaxrs being used?

Btw, the main design around the AuthZ API was to provide an async and non-blocking API for policy evaluation.


From bburke at redhat.com Sat Apr 1 15:17:39 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 15:17:39 -0400
Subject: [keycloak-dev] [async] Why is async jaxrs being used?
References: <934ee3ce-4780-1ef2-fd60-3392d227cbec@redhat.com>

Can only one authz request be executed concurrently at one time? If so, why? Or is it just implemented so that in the future you can execute multiple requests simultaneously?

This seems like overkill. How complex do you expect these policies to get?


From bburke at redhat.com Sat Apr 1 15:20:33 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 15:20:33 -0400
Subject: [keycloak-dev] [authz] All permissions must pass?
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com>
Message-ID: <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>

The evaluator can't be different than what is returned in the RPT, otherwise, what is the point of the evaluator?


From bburke at redhat.com Sat Apr 1 15:22:41 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 15:22:41 -0400
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE

When running arquillian tests in the IDE, I'm still seeing no log messages from the server. I had to set a breakpoint in JAX-RS code to find out a Javascript parsing error.


From psilva at redhat.com Sat Apr 1 15:22:56 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 16:22:56 -0300
Subject: [keycloak-dev] [authz] All permissions must pass?
In-Reply-To: <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>

Sure, if you are getting different results it is a bug. Will look at that. Will try to simulate and will ask you for more info if needed.


From bburke at redhat.com Sat Apr 1 15:37:15 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 1 Apr 2017 15:37:15 -0400
Subject: [keycloak-dev] [authz] All permissions must pass?
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>

Policy1: has role FOO, Unanimous, POSITIVE
Policy2: has role BAR, Unanimous, POSITIVE

Permission 1: Policy 1, Resource x, Scope y. Unanimous. POSITIVE
Permission 2: Policy 2, Resource x, Scope y. Unanimous. POSITIVE

User role mapping FOO. Evaluate. Failure, user does not have Scope y on Resource x.

If I remove permission 1 and 2, and aggregate Policy 1 and Policy 2 with an Affirmative permission, it does evaluate correctly. I would actually prefer this behavior, but if I depend on that behavior, I don't want it changing on me.

Can you please map out how multiple permissions are supposed to evaluate?


From psilva at redhat.com Sat Apr 1 15:38:20 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 16:38:20 -0300
Subject: [keycloak-dev] [async] Why is async jaxrs being used?
References: <934ee3ce-4780-1ef2-fd60-3392d227cbec@redhat.com>

Yes, a single authz request could be executed concurrently. This is because an authz request may span different permissions. For instance, give me permissions for resource A, B, C, etc. So we could gain some performance by avoiding a serial processing of these permissions. I did some tests a long time ago and the results were really interesting when using policies that can run slow like Drools.

Another scenario is handling multiple requests concurrently.

Like I said, the idea was to make this configurable and let users define what is best for their deployments.

How complex do I expect policies to get? I don't know. But we cannot discard that you can have any policy you want and that may impact performance. Take Drools as an example ... Although they improved performance *a lot* on 6.4, depending on how you define your rules or how many are involved in a single permission evaluation, you may have issues with performance.


From psilva at redhat.com Sat Apr 1 16:00:21 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Sat, 1 Apr 2017 17:00:21 -0300
Subject: [keycloak-dev] [authz] All permissions must pass?
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>

Now I see. You have two permissions for the same resource/scope combo. They are pretty much conflicting with each other, so you will get a DENY.

That is something I was holding for some time, where we could provide a way to configure how permission decisions are made. Like using those decision strategies we have for policies with permissions. But I think we should probably wait for more feedback before doing this. The good thing is that, the way we have things working, it is pretty much easy to provide different configuration options that may change policy evaluation behavior ....

Sorry, but what do you mean by "how multiple permissions are supposed to evaluate"? Is it related to the other thread where we are discussing performance?


From Shankar_Bhaskaran at infosys.com Sun Apr 2 15:20:28 2017
From: Shankar_Bhaskaran at infosys.com (Shankar_Bhaskaran)
Date: Sun, 2 Apr 2017 19:20:28 +0000
Subject: [keycloak-dev] Keycloak on active MQ
References: <1485941179202.13544@infosys.com>

Hi,

I was able to secure activemq behind keycloak using the direct access login module, but I specifically have to pass the username and password while getting a connection from active mq. The SSO aspect of keycloak is not fulfilled since I have to pass username, password from the web application. The activemq and my application share the same security domain also.

    connection = (ActiveMQConnection) connectionFactory.createConnection(username, password);

Is there a way to get authenticated in ActiveMQ in the same user session as the web application that is calling the connection?

Regards,
Shankar

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, February 1, 2017 5:21 PM
To: Shankar_Bhaskaran ; keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-dev] Keycloak on active MQ

I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kinds of services. See docs for details https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/latest/topics/oidc/java/jaas.html .

Marek

On 01/02/17 10:26, Shankar_Bhaskaran wrote:
> Hi ,
>
> We are using keycloak as SSO in our organization.
I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic? > > Regards, > Shankar > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bburke at redhat.com Sun Apr 2 19:10:08 2017 From: bburke at redhat.com (Bill Burke) Date: Sun, 2 Apr 2017 19:10:08 -0400 Subject: [keycloak-dev] [authz] All permissions must pass? In-Reply-To: References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com> Message-ID: I want to understand that if you have multiple scope/resource permissions defined for the same scope/resource, how do they evaluate? It looks like it is if (permission1 && permission2) then PERMIT Need to test this out for type permissions and scope-only permissions too. On 4/1/17 4:00 PM, Pedro Igor Silva wrote: > Now I see. You have two permissions for same resource/scope combo. > They are pretty much conflicting with each other so you will get a DENY. > > That is something I was holding for some time where we could provide a > way to configure how permissions decisions are made. Like using those > decision strategies we have for policies with permissions. But I think > we should probably wait for more feedback before doing this. Good > thing is that the way we have things working it is pretty much easy to > provide different configuration options that may change policy > evaluation behavior .... > > Sorry, but what you mean by "how multiple permissions are supposed to > evaluate" ? Is it related with the other thread where we are > discussing performance ? > > On Sat, Apr 1, 2017 at 4:37 PM, Bill Burke > wrote: > > Policy1: has role FOO, Unanimous, POSITIVE > > Policy2: has role BAR, Unamious, POSITIVE > > > Permission 1: Policy 1 Resource x, Scope y. Unanimous. 
POSITIVE > > Permission 2: Policy 2 Resource x, Scope y. Unamimous. POSITIVE > > > User role mapping FOO. Evaluate. Failure, User does not have > Scope y on Resource x. > > > If I remove permission 1 and 2, and aggregate Policy 1 and Policy > 2 with Affirmative permission, it does evaluate correctly. I > would actually prefer this behavior, but if I depend on that > behavior, I don't want it changing on me. > > Can you please map out how multiple permissions are supposed to > evaluate? > > > On 4/1/17 3:22 PM, Pedro Igor Silva wrote: >> Sure, if you are getting different results it is a bug. Will look >> at that. Will try to simulate and will ask you for more info if >> needed. >> >> On Sat, Apr 1, 2017 at 4:20 PM, Bill Burke > > wrote: >> >> The evaluator can't be different than what is returned in the >> RPT,otherwise, what is the point of the evaluator? >> >> >> On 4/1/17 2:19 PM, Pedro Igor Silva wrote: >>> The evaluator may give you this output. But what about the >>> permissions you got in the token (that 'Show Authorization >>> Data` link on top of the result page) ? If you got PERMIT >>> for a scope you should see it in the token. >>> >>> On Sat, Apr 1, 2017 at 1:20 PM, Bill Burke >>> > wrote: >>> >>> So all permissions must pass when evaluating a >>> resource/scope >>> authorization? Just did some testing in admin console. >>> I have 2 >>> permissions. I used the policy evaluator for a >>> resource/scope combo. >>> One permission passes, the other fails. Evaluator >>> result is DENY: >>> >>> >>> Result >>> *DENY* >>> Scopes >>> No scopes available. >>> Policies >>> # *map.role.permission.realm-management.manage-authorization >>> >> >*decision >>> was*PERMIT*by*UNANIMOUS*decision. >>> >>> * *role.policy.realm-managementmanage-users >>> >>> >> >*voted >>> to*PERMIT*. >>> * *role.policy.realm-managementmanage-authorization >>> >>> >> >*voted >>> to*PERMIT*. >>> >>> # *role-mapper-permission >>> >> >*decision >>> was*DENY*by*UNANIMOUS*decision. 
>>>
>>> * *role-mapper* voted to *DENY*.
>>>

From sthorger at redhat.com Mon Apr 3 02:55:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 3 Apr 2017 08:55:56 +0200
Subject: [keycloak-dev] Keycloak builders
In-Reply-To:
References:
Message-ID:

On 31 March 2017 at 12:33, Bruno Oliveira wrote:

> I realized that while giving it a try, so thinking that we would like to refactor it to the core. Which classes would we like to see there?
>
> * ClientBuilder.java
> * CredentialBuilder.java
> * ExecutionBuilder.java
> * FederatedIdentityBuilder.java
> * FlowBuilder.java
> * GroupBuilder.java
> * IdentityProviderBuilder.java
> * RealmBuilder.java
> * RoleBuilder.java
> * RolesBuilder.java
> * UserBuilder.java
> * UserFederationProviderBuilder.java
>
> For my selfish purposes I just need ClientBuilder, RealmBuilder, RoleBuilder and UserBuilder. But we may want to refactor more.
>
> Could even have a static method on ClientRepresentation#build/create or something so it's easier to find.
>
> That would be really nice.
>
> I believe that RealmBuilder would be the tricky one to refactor, because it depends on EventListenerProviderFactory (https://github.com/abstractj/keycloak/blob/fc9dbcf6cb1daa5e19bb3214012ed44154104cb0/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/events/EventsListenerProviderFactory.java#L29-L29).

Doesn't it just depend on that because of the test-specific things it has in it?
>
> On Fri, Mar 31, 2017 at 4:49 AM Stian Thorgersen wrote:
>
>> An example of things that would need to be refactored:
>> https://github.com/abstractj/keycloak/blob/119435ac76c17d3a66590df0f87365f64e3395cd/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/RealmBuilder.java#L82
>>
>> On 31 March 2017 at 09:48, Stian Thorgersen wrote:
>>
>> Could even have a static method on ClientRepresentation#build/create or something so it's easier to find.
>>
>> On 31 March 2017 at 09:48, Stian Thorgersen wrote:
>>
>> Ideal would probably be keycloak-core, but that would require some refactoring, adding new missing things, and also I'm not sure all builders should be included.
>>
>> On 30 March 2017 at 21:04, Bruno Oliveira wrote:
>>
>> Hi,
>>
>> While writing tests for the quickstarts, we started to create some code which I believe overlaps with the same thing ClientBuilder, RealmBuilder... and others do today[1]. I would like to expose these builders to make people's life easy.
>>
>> There are some options:
>>
>> 1. Move the builders available here[2] to keycloak-core.
>> 2. Move it to keycloak-test-helper
>> 3. Do nothing and duplicate code that matters into keycloak-test-helper
>>
>> I know that doing 1 or 2 is just silly if you think about quickstarts. But at the same time, others can benefit from a more fluent API, to programmatically create users, realms...
>>
>> Thoughts?
>>
>> [1] - https://github.com/keycloak/keycloak/blob/master/misc/keycloak-test-helper/src/main/java/org/keycloak/helper/TestsHelper.java
>> [2] - https://github.com/abstractj/keycloak/tree/119435ac76c17d3a66590df0f87365f64e3395cd/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util
>>

From mposolda at redhat.com Mon Apr 3 03:12:17 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 3 Apr 2017 09:12:17 +0200
Subject: [keycloak-dev] Keycloak on active MQ
In-Reply-To:
References: <1485941179202.13544@infosys.com>
Message-ID: <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com>

Yes, I think that for that case the second login module (BearerTokenLoginModule) is a better choice. Your webapp has the accessToken already, so you just need to send it as the "password" to JAAS. Probably something like this should work:

connectionFactory.createConnection(username, accessTokenString);

Marek

On 02/04/17 21:20, Shankar_Bhaskaran wrote:
> Hi,
>
> I was able to secure activemq behind keycloak using the direct access login module, but I specifically have to pass the username and password while getting a connection from active mq. The SSO aspect of keycloak is not fulfilled since I have to pass username, password from the webapplication. The activemq and my application share the same security domain also.
> connection = (ActiveMQConnection) connectionFactory.createConnection(username, password);
>
> Is there a way to get authenticated in ActiveMQ in the same user session as the web application that is calling the connection?
>
> Regards,
> Shankar
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Wednesday, February 1, 2017 5:21 PM
> To: Shankar_Bhaskaran ; keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-dev] Keycloak on active MQ
>
> I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kinds of services. See docs for details https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/latest/topics/oidc/java/jaas.html .
>
> Marek
>
> On 01/02/17 10:26, Shankar_Bhaskaran wrote:
>> Hi,
>>
>> We are using keycloak as SSO in our organization. I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic?
>>
>> Regards,
>> Shankar

From takashi.norimatsu.ws at hitachi.com Mon Apr 3 03:16:40 2017
From: takashi.norimatsu.ws at hitachi.com (乗松隆志 / NORIMATSU, TAKASHI)
Date: Mon, 3 Apr 2017 07:16:40 +0000
Subject: [keycloak-dev] Proposal of RFC7636 (PKCE) support
In-Reply-To: <831D472326678942A9B4BB933AAA103D25F77C0F@GSjpTK1DCembx01.service.hitachi.net>
References: <831D472326678942A9B4BB933AAA103D25F77C0F@GSjpTK1DCembx01.service.hitachi.net>
Message-ID: <831D472326678942A9B4BB933AAA103D25F91510@GSjpTK1DCembx01.service.hitachi.net>

Hi,

What about the status of the PR?
https://github.com/keycloak/keycloak/pull/3831

There were two PRs about PKCE, but now there is only one PR (above). I found that the 3.x label was removed, and I am afraid that the priority was set low. However, this patch is very important for keycloak to be competitive, and I wish the review would be resumed soon. If there is any issue, please tell me; I am willing to work on it.

The following is background information on why PKCE is necessary:

In the financial API draft of OIDF, http://openid.net/specs/openid-financial-api-part-1.html , it requires RFC7636.

> 5.2.2. Authorization Server
> The Authorization Server
> shall support [RFC7636] with S256 as the code challenge method;

In addition, other competing products support it. E.g.:

* Gluu server supports it: https://www.gluu.org/blog/ja/gluu-server-ce-2-4-3-is-now-available/
  > Support for PKCE to protect authorization code
* WSO2 supports it: https://docs.wso2.com/display/IS520/Mitigating+Authorization+Code+Interception+Attacks#MitigatingAuthorizationCodeInterceptionAttacks-ConfiguringPKCEwithWSO2IdentityServer
  > Configuring PKCE with WSO2 Identity Server
* CA supports it: https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-connect-implementation/open-id-connect-implementation-details
  > Proof Key for Code Exchange (PKCE) is supported for enhanced authorization code security.
Regards,
Takashi Norimatsu

From andipansa at gmail.com Mon Apr 3 03:53:16 2017
From: andipansa at gmail.com (Andrzej Goławski)
Date: Mon, 3 Apr 2017 09:53:16 +0200
Subject: [keycloak-dev] Keycloak on active MQ
In-Reply-To: <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com>
References: <1485941179202.13544@infosys.com> <9eef3811-6322-7ff5-6130-bcf6f2d75521@redhat.com>
Message-ID:

I did it in one project by adding a plugin to the ActiveMQ configuration:

Keycloak module definition:

KeycloakModule {
    org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule required
        keycloak-config-file="classpath:keycloak.json"
        role-principal-class=org.apache.activemq.jaas.GroupPrincipal;
};

best regards
Andi

2017-04-03 9:12 GMT+02:00 Marek Posolda :
> Yes, I think that for that case the second login module (BearerTokenLoginModule) is a better choice. Your webapp has the accessToken already, so you just need to send it as the "password" to JAAS. Probably something like this should work:
>
> connectionFactory.createConnection(username, accessTokenString);
>
>
> Marek
>
> On 02/04/17 21:20, Shankar_Bhaskaran wrote:
> > Hi,
> >
> > I was able to secure activemq behind keycloak using the direct access login module, but I specifically have to pass the username and password while getting a connection from active mq. The SSO aspect of keycloak is not fulfilled since I have to pass username, password from the webapplication. The activemq and my application share the same security domain also.
> > connection = (ActiveMQConnection) connectionFactory.createConnection(username > , password); > > Is there a way to get authenticated in ActiveMQ in the same user session > as the web application that is calling the connection > > > > Regards, > > Shankar > > > > -----Original Message----- > > From: Marek Posolda [mailto:mposolda at redhat.com] > > Sent: Wednesday, February 1, 2017 5:21 PM > > To: Shankar_Bhaskaran ; > keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-dev] Keycloak on active MQ > > > > I didn't try that yet. However I think it should work as ActiveMQ has > some support for JAAS. We have some JAAS login modules, which can be used > to secure those kind of services. See docs for details > https://keycloak.gitbooks.io/securing-client-applications- > guide/content/v/latest/topics/oidc/java/jaas.html > > . > > > > Marek > > > > On 01/02/17 10:26, Shankar_Bhaskaran wrote: > >> Hi , > >> > >> We are using keycloak as SSO in our organization. I would like to know > if securing activemq using keycloak is a valid use case. Does keycloak > allow us to validate jms requests to the queue or topic? > >> > >> Regards, > >> Shankar > >> _______________________________________________ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From pkboucher801 at gmail.com Mon Apr 3 06:24:35 2017 From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Mon, 3 Apr 2017 06:24:35 -0400 Subject: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties? Message-ID: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> Sorry if this came through twice. I think there was an error the first time I sent it. 
Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs).

Can we (and if so, how best would we) use openid scope to

* Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both, of the quantum_singularity and/or borg_cube roles for the duration of a session?

I think I gathered from this thread (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers and/or practical guidance for how best to do these two things.

Thanks!

From psilva at redhat.com Mon Apr 3 07:24:35 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 3 Apr 2017 08:24:35 -0300
Subject: [keycloak-dev] [authz] All permissions must pass?
In-Reply-To:
References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com>
Message-ID:

+1. However, for a scope-based permission we GRANT any scope that got a PERMIT. In your case, this is not true because you got a DENY for the same scope and that removes it from the list of granted scopes.

On Sun, Apr 2, 2017 at 8:10 PM, Bill Burke wrote:

> I want to understand that if you have multiple scope/resource permissions defined for the same scope/resource, how do they evaluate?
It looks like > it is > > if (permission1 && permission2) then PERMIT > > Need to test this out for type permissions and scope-only permissions too. > > On 4/1/17 4:00 PM, Pedro Igor Silva wrote: > > Now I see. You have two permissions for same resource/scope combo. They > are pretty much conflicting with each other so you will get a DENY. > > That is something I was holding for some time where we could provide a way > to configure how permissions decisions are made. Like using those decision > strategies we have for policies with permissions. But I think we should > probably wait for more feedback before doing this. Good thing is that the > way we have things working it is pretty much easy to provide different > configuration options that may change policy evaluation behavior .... > > Sorry, but what you mean by "how multiple permissions are supposed to > evaluate" ? Is it related with the other thread where we are discussing > performance ? > > On Sat, Apr 1, 2017 at 4:37 PM, Bill Burke wrote: > >> Policy1: has role FOO, Unanimous, POSITIVE >> >> Policy2: has role BAR, Unamious, POSITIVE >> >> >> Permission 1: Policy 1 Resource x, Scope y. Unanimous. POSITIVE >> >> Permission 2: Policy 2 Resource x, Scope y. Unamimous. POSITIVE >> >> >> User role mapping FOO. Evaluate. Failure, User does not have Scope y on >> Resource x. >> >> >> If I remove permission 1 and 2, and aggregate Policy 1 and Policy 2 with >> Affirmative permission, it does evaluate correctly. I would actually >> prefer this behavior, but if I depend on that behavior, I don't want it >> changing on me. >> >> Can you please map out how multiple permissions are supposed to evaluate? >> >> On 4/1/17 3:22 PM, Pedro Igor Silva wrote: >> >> Sure, if you are getting different results it is a bug. Will look at >> that. Will try to simulate and will ask you for more info if needed. 
>> >> On Sat, Apr 1, 2017 at 4:20 PM, Bill Burke wrote: >> >>> The evaluator can't be different than what is returned in the >>> RPT,otherwise, what is the point of the evaluator? >>> >>> On 4/1/17 2:19 PM, Pedro Igor Silva wrote: >>> >>> The evaluator may give you this output. But what about the permissions >>> you got in the token (that 'Show Authorization Data` link on top of the >>> result page) ? If you got PERMIT for a scope you should see it in the token. >>> >>> On Sat, Apr 1, 2017 at 1:20 PM, Bill Burke wrote: >>> >>>> So all permissions must pass when evaluating a resource/scope >>>> authorization? Just did some testing in admin console. I have 2 >>>> permissions. I used the policy evaluator for a resource/scope combo. >>>> One permission passes, the other fails. Evaluator result is DENY: >>>> >>>> >>>> Result >>>> *DENY* >>>> Scopes >>>> No scopes available. >>>> Policies >>>> # *map.role.permission.realm-management.manage-authorization >>>> >>> st/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resour >>>> ce-server/permission/scope/776b79cf-57e2-4b55-b9e5-84195c89fd7a >>>> >*decision >>>> was*PERMIT*by*UNANIMOUS*decision. >>>> >>>> * *role.policy.realm-managementmanage-users >>>> >>> st/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resour >>>> ce-server/policy/role/29968cd1-f44e-47db-868d-c7bd61b827dd>*voted >>>> to*PERMIT*. >>>> * *role.policy.realm-managementmanage-authorization >>>> >>> st/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resour >>>> ce-server/policy/role/c4da0818-432a-41d2-94a8-0fc08051a609>*voted >>>> to*PERMIT*. >>>> >>>> # *role-mapper-permission >>>> >>> st/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resour >>>> ce-server/permission/scope/e8acb66c-fe1f-4310-946a-fbb638449e77 >>>> >*decision >>>> was*DENY*by*UNANIMOUS*decision. >>>> >>>> * *role-mapper >>>> >>> st/clients/b13a8867-5d75-4c8b-8927-5e806bd77518/authz/resour >>>> ce-server/policy/role/41b7d1fe-c40f-4437-93d2-aa5768227fd4>*voted >>>> to*DENY*. 
>>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> >>> >> >> > > From bburke at redhat.com Mon Apr 3 09:23:57 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 3 Apr 2017 09:23:57 -0400 Subject: [keycloak-dev] [authz] All permissions must pass? In-Reply-To: References: <452d7c5a-4b58-67db-7d2a-d0a40dd1d529@redhat.com> <483d81ac-753b-0de5-2f3b-3d3a028908bd@redhat.com> Message-ID: <30305665-d036-d405-575b-92f0cfac0c7a@redhat.com> Ok, the behavior is: if (scope-only-permission AND resource-type-permission AND specific-resource-scope-permission) then PERMIT So, if you want different conditions to PERMIT than what is currently constrained by the default scope permission or resource type permission you can't do this. On 4/3/17 7:24 AM, Pedro Igor Silva wrote: > +1. However, if a scope-based permission we GRANT any scope that got a > PERMIT. In your case, this is not true because you got a DENY for the > same scope and that removes it from the list of granted scopes. > > On Sun, Apr 2, 2017 at 8:10 PM, Bill Burke > wrote: > > I want to understand that if you have multiple scope/resource > permissions defined for the same scope/resource, how do they > evaluate? It looks like it is > > if (permission1 && permission2) then PERMIT > > Need to test this out for type permissions and scope-only > permissions too. > > > On 4/1/17 4:00 PM, Pedro Igor Silva wrote: >> Now I see. You have two permissions for same resource/scope >> combo. They are pretty much conflicting with each other so you >> will get a DENY. >> >> That is something I was holding for some time where we could >> provide a way to configure how permissions decisions are made. >> Like using those decision strategies we have for policies with >> permissions. But I think we should probably wait for more >> feedback before doing this. 
Good thing is that the way we have >> things working it is pretty much easy to provide different >> configuration options that may change policy evaluation behavior .... >> >> Sorry, but what you mean by "how multiple permissions are >> supposed to evaluate" ? Is it related with the other thread where >> we are discussing performance ? >> >> On Sat, Apr 1, 2017 at 4:37 PM, Bill Burke > > wrote: >> >> Policy1: has role FOO, Unanimous, POSITIVE >> >> Policy2: has role BAR, Unamious, POSITIVE >> >> >> Permission 1: Policy 1 Resource x, Scope y. Unanimous. POSITIVE >> >> Permission 2: Policy 2 Resource x, Scope y. Unamimous. POSITIVE >> >> >> User role mapping FOO. Evaluate. Failure, User does not have >> Scope y on Resource x. >> >> >> If I remove permission 1 and 2, and aggregate Policy 1 and >> Policy 2 with Affirmative permission, it does evaluate >> correctly. I would actually prefer this behavior, but if I >> depend on that behavior, I don't want it changing on me. >> >> Can you please map out how multiple permissions are supposed >> to evaluate? >> >> >> On 4/1/17 3:22 PM, Pedro Igor Silva wrote: >>> Sure, if you are getting different results it is a bug. Will >>> look at that. Will try to simulate and will ask you for more >>> info if needed. >>> >>> On Sat, Apr 1, 2017 at 4:20 PM, Bill Burke >>> > wrote: >>> >>> The evaluator can't be different than what is returned >>> in the RPT,otherwise, what is the point of the evaluator? >>> >>> >>> On 4/1/17 2:19 PM, Pedro Igor Silva wrote: >>>> The evaluator may give you this output. But what about >>>> the permissions you got in the token (that 'Show >>>> Authorization Data` link on top of the result page) ? >>>> If you got PERMIT for a scope you should see it in the >>>> token. >>>> >>>> On Sat, Apr 1, 2017 at 1:20 PM, Bill Burke >>>> > wrote: >>>> >>>> So all permissions must pass when evaluating a >>>> resource/scope >>>> authorization? Just did some testing in admin >>>> console. I have 2 >>>> permissions. 
I used the policy evaluator for a >>>> resource/scope combo. >>>> One permission passes, the other fails. Evaluator >>>> result is DENY: >>>> >>>> >>>> Result >>>> *DENY* >>>> Scopes >>>> No scopes available. >>>> Policies >>>> # >>>> *map.role.permission.realm-management.manage-authorization >>>> >>> >*decision >>>> was*PERMIT*by*UNANIMOUS*decision. >>>> >>>> * *role.policy.realm-managementmanage-users >>>> >>>> >>> >*voted >>>> to*PERMIT*. >>>> * *role.policy.realm-managementmanage-authorization >>>> >>>> >>> >*voted >>>> to*PERMIT*. >>>> >>>> # *role-mapper-permission >>>> >>> >*decision >>>> was*DENY*by*UNANIMOUS*decision. >>>> >>>> * *role-mapper >>>> >>>> >>> >*voted >>>> to*DENY*. >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>>> >>>> >>> >>> >> >> > > From sthorger at redhat.com Mon Apr 3 09:33:58 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 3 Apr 2017 15:33:58 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: Message-ID: https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging On 1 April 2017 at 21:22, Bill Burke wrote: > When running arquillian tests in the IDE, I'm still seeing no log > messages from the server. I had to set a breakpoint in JAX-RS code to > find out a Javascript parsing error. > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From bburke at redhat.com Mon Apr 3 10:22:47 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 3 Apr 2017 10:22:47 -0400 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: Message-ID: And that helps how? Running in IDE should not suppress any error messages. 
The error message was actually an internal Undertow one complaining that async HTTP was unsupported. I did look in the log4j properties. The default logging level looks like it is INFO. On 4/3/17 9:33 AM, Stian Thorgersen wrote: > https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging > > On 1 April 2017 at 21:22, Bill Burke > wrote: > > When running arquillian tests in the IDE, I'm still seeing no log > messages from the server. I had to set a breakpoint in JAX-RS code to > find out a Javascript parsing error. > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > From bburke at redhat.com Mon Apr 3 10:58:21 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 3 Apr 2017 10:58:21 -0400 Subject: [keycloak-dev] modeling map role fine grain permissions Message-ID: Here's how I am going to model role mapping with fine grain permissions in Authz service. The goal of this is to be able to limit or expand on who can map specific roles. While we want to have a default that any admin that has the "manage-users" role can map a role, we also want to be able to do things like saying that an admin can map a specific role if they belong to a group instead. DEFAULT PERMISSIONS * "permit all" policy. Just grants it. * "Default Role Mapping Policy" Policy. This is an aggregate policy that includes the "permit all" policy. * "map-role" scope * "Roles" resource. Associated scope is "map-role" * "Default Role Mapping Permission" - scope permission that binds "Roles" resource and "map-role" scope. The associated policy will be "Default Role Mapping Policy". * "manage-users" scope * "Users" resource. Associated scope is "manage-users" * "manage-users" policy that checks that "manage-users" role is present * "Default Manage Users Policy". This is an aggregate policy that includes the "manage-users" policy. 
* "Default Manage Users Permission". Scope permission that binds "Users" resource and "manage-users" scope. The associated policy will be "Default Manage Users Policy".

The above defines the default policy for mapping all roles. In the admin console "Roles" section, there will be a "Default Admin Permissions" tab. Here the user will be able to modify the "Default Role Mapping Permission". They will be able to create and add new policies for this permission. They will not be able to create any other permission. In the "Users" section of the admin console, there will be a "Default Admin Permissions" tab. Here the admin will be able to modify the "Default Manage Users Permission".

FINE GRAIN PERMISSION

For more fine grain permissions, there will be a resource created per role on demand. The admin will go to the role's console page and there will be an "Admin Permissions" tab. The admin will say they want to add a fine grain permission for that role and this will trigger these actions:

* A resource will be created specifically for that role with an associated scope of "map-role"

* A scope permission will be created for that role resource and the "map-role" scope. The "Default Role Mapping Policy" will be added automatically to this permission.

There will also be an "Admin Permissions" tab for each Group. The admin will say they want to add a fine grain permission for that group and this will trigger these actions:

* A resource will be created specifically for that group with an associated scope of "manage-users"

* A scope permission will be created for that group resource and the "manage-users" scope. The "Default Manage User Policy" will be added automatically to this permission.

EVALUATION

When evaluating whether or not a role is allowed to be mapped by a particular admin, this will be the algorithm:

1. If there is a resource for that specific role, evaluate that the admin can use the "map-role" scope with that role's resource

2.
If there is not a resource for that specific role, then evaluate that the admin can use the "map-role" scope with the "Roles" resource.

3. Evaluate if the admin can perform the "manage-users" scope on the "Users" resource.

4. If Step #3 fails, then for each group see if the admin has the "manage-users" scope for that group.

DEFAULT PERMISSIONS FOR ADMIN ROLES

By default, each admin role in the system ("manage-users", "manage-realm", etc.) will have a resource and scope permission created for it as articulated above. The scope permission will be UNANIMOUS and will also associate a role policy of that role in addition to the "Default Role Mapping Policy". This additional role policy is basically saying "Admins with 'manage-users' role and the admin must have this role mapping as well". So, somebody with 'manage-users' role can't map 'manage-realm' unless they have that role themselves.

MORE FINE GRAIN PERMISSIONS

We also want to solve the case of allowing an admin to be able to map specific roles for members of a specific group. To do this we'll add another policy type called "Has Permission". Here you'll be able to link a permission to a policy. So, to solve the use case for specific roles for members of a specific group, we can edit the "map-role" permission for a specific role and add a "Has Permission" that links to the permission that the admin has "manage-users" scope for a specific group. Hope I'm making sense on this one.

From mposolda at redhat.com Mon Apr 3 16:06:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 3 Apr 2017 22:06:32 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
In-Reply-To:
References:
Message-ID: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com>

Doesn't work here either. But it worked a month ago or so. Not sure what changed in the meantime... Created https://issues.jboss.org/browse/KEYCLOAK-4705 . Will try to take a look.

Marek

On 03/04/17 16:22, Bill Burke wrote:
> And that helps how?
Running in IDE should not suppress any error > messages. The error message was actually an internal Undertow one > complaining that async HTTP was unsupported. I did look in the log4j > properties. The default logging level looks like it is INFO. > > > On 4/3/17 9:33 AM, Stian Thorgersen wrote: >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging >> >> On 1 April 2017 at 21:22, Bill Burke > > wrote: >> >> When running arquillian tests in the IDE, I'm still seeing no log >> messages from the server. I had to set a breakpoint in JAX-RS code to >> find out a Javascript parsing error. >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From sthorger at redhat.com Tue Apr 4 03:12:27 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 09:12:27 +0200 Subject: [keycloak-dev] Remove providers directory Message-ID: I propose we remove the providers directory. That would leave us with two supported options to deploy providers: * JEE hot-deployment - recommended approach in most cases * Modules - for more static "deployment" of providers and would be required to add custom SPIs From sthorger at redhat.com Tue Apr 4 03:15:48 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 09:15:48 +0200 Subject: [keycloak-dev] modeling map role fine grain permissions In-Reply-To: References: Message-ID: That should have come with a long email warning ;) I'm a bit lost. I read this twice without being able to wrap my head around it. I'll try to read it again later today or tomorrow. 
On 3 April 2017 at 16:58, Bill Burke wrote: > Here's how I am going to model role mapping with fine grain permissions > in Authz service. The goal of this is to be able to limit or expand on > who can map specific roles. While we want to have a default that any > admin that has the "manage-users" role can map a role, we also want to > be able to do things like saying that an admin can map a specific role > if they belong to a group instead. > > DEFAULT PERMISSIONS > > * "permit all" policy. Just grants it. > > * "Default Role Mapping Policy" Policy. This is an aggregate policy > that includes the "permit all" policy. > > * "map-role" scope > > * "Roles" resource. Associated scope is "map-role" > > * "Default Role Mapping Permission" - scope permission that binds > "Roles" resource and "map-role" scope. The associated policy will be > "Default Role Mapping Policy". > > > * "manage-users" scope > > * "Users" resource. Associated scope is "manage-users" > > * "manage-users" policy that checks that "manage-users" role is present > > * "Default Manage Users Policy". This is an aggregate policy that > includes the "manage-users" policy. > > * "Default Manage Users Permission". scope permission that binds > "Users" resource and "manage-users" scope. The associated policy will > be "Default Manage Users Policy". > > > The above defines the default policy for mapping all roles. In the > admin console "Roles" section, there will be a "Default Admin > Permissions" tab. Here the user will be able to modify the "Default > Role Mapping Permission". The will be able to create and add new > policies for this permission. They will not be able to create any other > permission. In the "Users" section of the admin console, there will be > a "Default Admin Permissions" tab. Here the admin will be able to > modify the "Default Manage Users Permission" > > FINE GRAIN PERMISSION > > For more fine grain permissions, there will be a resource created per > role on demand. 
> The admin will go to the role's console page and there
> will be an "Admin Permissions" tab. The admin will say they want to add
> a fine grain permission for that role and this will trigger these actions:
>
> * A resource will be created specifically for that role with an
> associated scope of "map-role"
>
> * A scope permission will be created for that role resource and the
> "map-role" scope. The "Default Role Mapping Policy" will be added
> automatically to this permission.
>
> There will also be an "Admin Permissions" tab for each Group. The admin
> will say they want to add a fine grain permission for that group and
> this will trigger these actions:
>
> * A resource will be created specifically for that group with an
> associated scope of "manage-users"
>
> * A scope permission will be created for that group resource and the
> "manage-users" scope. The "Default Manage User Policy" will be added
> automatically to this permission.
>
> EVALUATION
>
> When evaluating whether or not a role is allowed to be mapped by a
> particular admin, this will be the algorithm:
>
> 1. If there is a resource for that specific role, evaluate that the
> admin can use the "map-role" scope with that role's resource
>
> 2. If there is not a resource for that specific role, then evaluate that
> the admin can use the "map-role" scope with the "Roles" resource.
>
> 3. Evaluate if the admin can perform the "manage-users" scope on the
> "Users" resource.
>
> 4. If Step #3 fails, then for each group see if the admin has the
> "manage-users" scope for that group.
>
> DEFAULT PERMISSIONS FOR ADMIN ROLES
>
> By default, each admin role in the system "manage-users",
> "manage-realm", etc... will have a resource and scope permission created
> for it as articulated above. The scope permission will be UNANIMOUS and
> will also associate a role policy of that role in addition to the
> "Default Role Mapping Policy".
This additional role policy is basically > saying "Admins with 'manage-users' role and the admin must have this > role mapping as well". So, somebody with 'manage-users' role can't map > 'manage-realm' unless they have that role themselves. > > MORE FINE GRAIN PERMISSIONS > > We also want to solve the case of allowing an admin to be able to map > specific roles for members of a specific group. To do this we'll add > another policy type called "Has Permission". Here you'll be able to > link a permission to a policy. So, to solve the use case for specific > roles for members of a specific group, we can edit the "map-role" > permission for a specific role and add a "Has Permission" that links to > the permission that the admin has "manage-users" scope for a specific > group. Hope I'm making sense on this one. > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From sthorger at redhat.com Tue Apr 4 03:24:06 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 09:24:06 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> Message-ID: Pavel - can you comment on this please? If I remember correctly it wasn't working initially, then Marek fixed it, but now it's broken again. On 3 April 2017 at 22:06, Marek Posolda wrote: > Doesn't work here too. But it worked a month ago or so. Not sure what > changed in the meantime... Created https://issues.jboss.org/brows > e/KEYCLOAK-4705 . Will try to take a look. > > Marek > > On 03/04/17 16:22, Bill Burke wrote: > >> And that helps how? Running in IDE should not suppress any error >> messages. The error message was actually an internal Undertow one >> complaining that async HTTP was unsupported. I did look in the log4j >> properties. 
The default logging level looks like it is INFO. >> >> >> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >> >>> https://github.com/keycloak/keycloak/blob/master/testsuite/ >>> integration-arquillian/HOW-TO-RUN.md#testsuite-logging >>> >>> On 1 April 2017 at 21:22, Bill Burke >> > wrote: >>> >>> When running arquillian tests in the IDE, I'm still seeing no log >>> messages from the server. I had to set a breakpoint in JAX-RS code >>> to >>> find out a Javascript parsing error. >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >>> >>> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > > From mposolda at redhat.com Tue Apr 4 04:21:30 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 4 Apr 2017 10:21:30 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> Message-ID: I found some workaround to fix that. PR sent here: https://github.com/keycloak/keycloak/pull/4002 Now the default logging level for "org.keycloak" is INFO when you run from IDE, but disabled when you run with maven-surefire-plugin. In both cases, system property "keycloak.logging.level" can be used to override the default. Marek On 04/04/17 09:24, Stian Thorgersen wrote: > Pavel - can you comment on this please? If I remember correctly it > wasn't working initially, then Marek fixed it, but now it's broken again. > > On 3 April 2017 at 22:06, Marek Posolda > wrote: > > Doesn't work here too. But it worked a month ago or so. Not sure > what changed in the meantime... Created > https://issues.jboss.org/browse/KEYCLOAK-4705 > . Will try to take > a look. > > Marek > > On 03/04/17 16:22, Bill Burke wrote: > > And that helps how? 
> Running in IDE should not suppress any error
> messages. The error message was actually an internal Undertow one
> complaining that async HTTP was unsupported. I did look in the log4j
> properties. The default logging level looks like it is INFO.
>
> On 4/3/17 9:33 AM, Stian Thorgersen wrote:
>
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging
>
> On 1 April 2017 at 21:22, Bill Burke wrote:
>
> When running arquillian tests in the IDE, I'm still seeing no log
> messages from the server. I had to set a breakpoint in JAX-RS code to
> find out a Javascript parsing error.

From sthorger at redhat.com Tue Apr 4 06:24:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Apr 2017 12:24:23 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
In-Reply-To:
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com>
Message-ID:

I think this probably still needs some work. When running from IDE we don't need the TestEventsLogger at all as the IDE (at least IntelliJ) deals with that in a much nicer way.

When running on Travis there's probably still an issue with too much log being generated. I can try this again, but last time I tried with -Pauth-server-wildfly the sysoutput file became too big (4mb+).

On 4 April 2017 at 10:21, Marek Posolda wrote:
> I found some workaround to fix that. PR sent here:
> https://github.com/keycloak/keycloak/pull/4002
>
> Now the default logging level for "org.keycloak" is INFO when you run from
> IDE, but disabled when you run with maven-surefire-plugin.
In both cases, > system property "keycloak.logging.level" can be used to override the > default. > > Marek > > > On 04/04/17 09:24, Stian Thorgersen wrote: > > Pavel - can you comment on this please? If I remember correctly it wasn't > working initially, then Marek fixed it, but now it's broken again. > > On 3 April 2017 at 22:06, Marek Posolda wrote: > >> Doesn't work here too. But it worked a month ago or so. Not sure what >> changed in the meantime... Created https://issues.jboss.org/brows >> e/KEYCLOAK-4705 . Will try to take a look. >> >> Marek >> >> On 03/04/17 16:22, Bill Burke wrote: >> >>> And that helps how? Running in IDE should not suppress any error >>> messages. The error message was actually an internal Undertow one >>> complaining that async HTTP was unsupported. I did look in the log4j >>> properties. The default logging level looks like it is INFO. >>> >>> >>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>> >>>> https://github.com/keycloak/keycloak/blob/master/testsuite/i >>>> ntegration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>> >>>> On 1 April 2017 at 21:22, Bill Burke >>> > wrote: >>>> >>>> When running arquillian tests in the IDE, I'm still seeing no log >>>> messages from the server. I had to set a breakpoint in JAX-RS >>>> code to >>>> find out a Javascript parsing error. 
From sthorger at redhat.com Tue Apr 4 06:26:41 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Apr 2017 12:26:41 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
In-Reply-To:
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com>
Message-ID:

Here's a crazy thought. Could we somehow hide all log output for a test that passes and only show log output for failed tests? Maybe it could be done with a custom log appender that buffers log output, then the unit tests could call clear or dump depending on success/failure.

On 4 April 2017 at 12:24, Stian Thorgersen wrote:
> I think this probably still needs some work. When running from IDE we
> don't need the TestEventsLogger at all as the IDE (at least IntelliJ) deals
> with that in a much nicer way.
>
> When running on Travis there's probably still an issue with too much log
> being generated. I can try this again, but last time I tried with
> -Pauth-server-wildfly the sysoutput file became too big (4mb+).
>
> On 4 April 2017 at 10:21, Marek Posolda wrote:
>
>> I found some workaround to fix that. PR sent here:
>> https://github.com/keycloak/keycloak/pull/4002
>>
>> Now the default logging level for "org.keycloak" is INFO when you run
>> from IDE, but disabled when you run with maven-surefire-plugin. In both
>> cases, system property "keycloak.logging.level" can be used to override the
>> default.
>>
>> Marek
>>
>>
>> On 04/04/17 09:24, Stian Thorgersen wrote:
>>
>> Pavel - can you comment on this please?
If I remember correctly it wasn't >> working initially, then Marek fixed it, but now it's broken again. >> >> On 3 April 2017 at 22:06, Marek Posolda wrote: >> >>> Doesn't work here too. But it worked a month ago or so. Not sure what >>> changed in the meantime... Created https://issues.jboss.org/brows >>> e/KEYCLOAK-4705 . Will try to take a look. >>> >>> Marek >>> >>> On 03/04/17 16:22, Bill Burke wrote: >>> >>>> And that helps how? Running in IDE should not suppress any error >>>> messages. The error message was actually an internal Undertow one >>>> complaining that async HTTP was unsupported. I did look in the log4j >>>> properties. The default logging level looks like it is INFO. >>>> >>>> >>>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>>> >>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/i >>>>> ntegration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>>> >>>>> On 1 April 2017 at 21:22, Bill Burke >>>> > wrote: >>>>> >>>>> When running arquillian tests in the IDE, I'm still seeing no log >>>>> messages from the server. I had to set a breakpoint in JAX-RS >>>>> code to >>>>> find out a Javascript parsing error. >>>>> >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>> > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> >>> >> >> > From mposolda at redhat.com Tue Apr 4 07:37:41 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 4 Apr 2017 13:37:41 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> Message-ID: On 04/04/17 12:24, Stian Thorgersen wrote: > I think this probably still needs some work. 
> When running from IDE we
> don't need the TestEventsLogger at all as the IDE (at least IntelliJ)
> deals with that in a much nicer way.

TestEventsLogger is already not executed when you run from IDE though? At least for me, the junit listeners configured in pom.xml in the maven-surefire-plugin section are not executed when running from IDE. The trick I used in the PR depends on it. I added the listener, which disables the logging for "org.keycloak". The assumption is that this listener is executed just during the maven build, but not when executed from IDE. If that's not the case, it won't work correctly and logging will still always be disabled though...

I have Intellij 14.1.4 and I am running the test by right-clicking the class and then "Run test". Then I see the test run under "Run/Debug configuration" in the "JUnit" bookmark.

Marek

> When running on Travis there's probably still an issue with too much
> log being generated. I can try this again, but last time I tried with
> -Pauth-server-wildfly the sysoutput file became too big (4mb+).
>
> On 4 April 2017 at 10:21, Marek Posolda wrote:
>
> I found some workaround to fix that. PR sent here:
> https://github.com/keycloak/keycloak/pull/4002
>
> Now the default logging level for "org.keycloak" is INFO when you
> run from IDE, but disabled when you run with
> maven-surefire-plugin. In both cases, system property
> "keycloak.logging.level" can be used to override the default.
>
> Marek
>
> On 04/04/17 09:24, Stian Thorgersen wrote:
>> Pavel - can you comment on this please? If I remember correctly
>> it wasn't working initially, then Marek fixed it, but now it's
>> broken again.
>>
>> On 3 April 2017 at 22:06, Marek Posolda wrote:
>>
>> Doesn't work here either. But it worked a month ago or so. Not
>> sure what changed in the meantime... Created
>> https://issues.jboss.org/browse/KEYCLOAK-4705 . Will try to
>> take a look.
>>
>> Marek
>>
>> On 03/04/17 16:22, Bill Burke wrote:
>>
>> And that helps how?
>> Running in IDE should not suppress any error
>> messages. The error message was actually an internal Undertow one
>> complaining that async HTTP was unsupported. I did look in the log4j
>> properties. The default logging level looks like it is INFO.
>>
>> On 4/3/17 9:33 AM, Stian Thorgersen wrote:
>>
>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging
>>
>> On 1 April 2017 at 21:22, Bill Burke wrote:
>>
>> When running arquillian tests in the IDE, I'm still seeing no log
>> messages from the server. I had to set a breakpoint in JAX-RS code to
>> find out a Javascript parsing error.

From mposolda at redhat.com Tue Apr 4 07:44:42 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 4 Apr 2017 13:44:42 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
In-Reply-To:
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com>
Message-ID:

+1

It will be good if it logs the details for the whole class in case some test failed, as there could be dependencies between the order in which test methods were executed etc.

Also we can have an appender which will log everything to a file. So if you still want to see the full log and all the details, you can look in the file.

Marek

On 04/04/17 12:26, Stian Thorgersen wrote:
> Here's a crazy thought. Could we somehow hide all log output for a test
> that passes and only show log output for failed tests?
> Maybe it could
> be done with a custom log appender that buffers log output, then the
> unit tests could call clear or dump depending on success/failure.
>
> On 4 April 2017 at 12:24, Stian Thorgersen wrote:
>
> I think this probably still needs some work. When running from IDE
> we don't need the TestEventsLogger at all as the IDE (at least
> IntelliJ) deals with that in a much nicer way.
>
> When running on Travis there's probably still an issue with too
> much log being generated. I can try this again, but last time I
> tried with -Pauth-server-wildfly the sysoutput file became too big
> (4mb+).
>
> On 4 April 2017 at 10:21, Marek Posolda wrote:
>
> I found some workaround to fix that. PR sent here:
> https://github.com/keycloak/keycloak/pull/4002
>
> Now the default logging level for "org.keycloak" is INFO when
> you run from IDE, but disabled when you run with
> maven-surefire-plugin. In both cases, system property
> "keycloak.logging.level" can be used to override the default.
>
> Marek
>
> On 04/04/17 09:24, Stian Thorgersen wrote:
>> Pavel - can you comment on this please? If I remember
>> correctly it wasn't working initially, then Marek fixed it,
>> but now it's broken again.
>>
>> On 3 April 2017 at 22:06, Marek Posolda wrote:
>>
>> Doesn't work here either. But it worked a month ago or so.
>> Not sure what changed in the meantime... Created
>> https://issues.jboss.org/browse/KEYCLOAK-4705 . Will
>> try to take a look.
>>
>> Marek
>>
>> On 03/04/17 16:22, Bill Burke wrote:
>>
>> And that helps how? Running in IDE should not
>> suppress any error
>> messages. The error message was actually an internal
>> Undertow one
>> complaining that async HTTP was unsupported. I did
>> look in the log4j
>> properties. The default logging level looks like it
>> is INFO.
>> >> >> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >> >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging >> >> >> On 1 April 2017 at 21:22, Bill Burke >> >> > >> wrote: >> >> When running arquillian tests in the IDE, >> I'm still seeing no log >> messages from the server. I had to set a >> breakpoint in JAX-RS code to >> find out a Javascript parsing error. >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >> > > >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >> >> >> > > > From sthorger at redhat.com Tue Apr 4 08:00:11 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 14:00:11 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> Message-ID: This will help with those cases where you currently see a whole bunch of exceptions in the logs where they are actually expected On 4 April 2017 at 13:44, Marek Posolda wrote: > +1 > > It will be good if it logs the details for whole class in case that some > test failed. As there could be dependencies between the order in which test > method was executed etc. > > Also we can have an appender, which will log everything to the file. So if > you still want to see full log and all the details, you can look to the > file. > > Marek > > > > On 04/04/17 12:26, Stian Thorgersen wrote: > > Here's a cray thought. Could we somehow hide all log output for a test > that passes and only show log output for failed tests? Maybe it could be > done with a custom log appender that buffers log output, then the unit > tests could call clear or dump depening on success/failure. 
> > On 4 April 2017 at 12:24, Stian Thorgersen wrote: > >> I think this probably still needs some work. When running from IDE we >> don't need the TestEventsLogger at all as the IDE (at least IntelliJ) deals >> with that in a much nicer way. >> >> When running on Travis there's probably still an issue with to much log >> being generated. I can try this again, but last time I tried with >> -Pauth-server-wildfly the sysoutput file became to big (4mb+). >> >> On 4 April 2017 at 10:21, Marek Posolda wrote: >> >>> I found some workaround to fix that. PR sent here: >>> https://github.com/keycloak/keycloak/pull/4002 >>> >>> Now the default logging level for "org.keycloak" is INFO when you run >>> from IDE, but disabled when you run with maven-surefire-plugin. In both >>> cases, system property "keycloak.logging.level" can be used to override the >>> default. >>> >>> Marek >>> >>> >>> On 04/04/17 09:24, Stian Thorgersen wrote: >>> >>> Pavel - can you comment on this please? If I remember correctly it >>> wasn't working initially, then Marek fixed it, but now it's broken again. >>> >>> On 3 April 2017 at 22:06, Marek Posolda wrote: >>> >>>> Doesn't work here too. But it worked a month ago or so. Not sure what >>>> changed in the meantime... Created https://issues.jboss.org/brows >>>> e/KEYCLOAK-4705 . Will try to take a look. >>>> >>>> Marek >>>> >>>> On 03/04/17 16:22, Bill Burke wrote: >>>> >>>>> And that helps how? Running in IDE should not suppress any error >>>>> messages. The error message was actually an internal Undertow one >>>>> complaining that async HTTP was unsupported. I did look in the log4j >>>>> properties. The default logging level looks like it is INFO. 
>>>>> >>>>> >>>>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>>>> >>>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/i >>>>>> ntegration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>>>> >>>>>> On 1 April 2017 at 21:22, Bill Burke >>>>> > wrote: >>>>>> >>>>>> When running arquillian tests in the IDE, I'm still seeing no log >>>>>> messages from the server. I had to set a breakpoint in JAX-RS >>>>>> code to >>>>>> find out a Javascript parsing error. >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-dev mailing list >>>>>> keycloak-dev at lists.jboss.org >>>>> ss.org> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>> >>>> >>>> >>> >>> >> > > From bburke at redhat.com Tue Apr 4 08:59:16 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 4 Apr 2017 08:59:16 -0400 Subject: [keycloak-dev] modeling map role fine grain permissions In-Reply-To: References: Message-ID: You have to understand the Authz service. Sorry. This email was as much for me as for review. On 4/4/17 3:15 AM, Stian Thorgersen wrote: > That should have come with a long email warning ;) > > I'm a bit lost. I read this twice without being able to wrap my head > around it. I'll try to read it again later today or tomorrow. > > > On 3 April 2017 at 16:58, Bill Burke > wrote: > > Here's how I am going to model role mapping with fine grain > permissions > in Authz service. The goal of this is to be able to limit or > expand on > who can map specific roles. While we want to have a default that any > admin that has the "manage-users" role can map a role, we also want to > be able to do things like saying that an admin can map a specific role > if they belong to a group instead. > > DEFAULT PERMISSIONS > > * "permit all" policy. 
Just grants it. > > * "Default Role Mapping Policy" Policy. This is an aggregate policy > that includes the "permit all" policy. > > * "map-role" scope > > * "Roles" resource. Associated scope is "map-role" > > * "Default Role Mapping Permission" - scope permission that binds > "Roles" resource and "map-role" scope. The associated policy will be > "Default Role Mapping Policy". > > > * "manage-users" scope > > * "Users" resource. Associated scope is "manage-users" > > * "manage-users" policy that checks that "manage-users" role is > present > > * "Default Manage Users Policy". This is an aggregate policy that > includes the "manage-users" policy. > > * "Default Manage Users Permission" - scope permission that binds > "Users" resource and "manage-users" scope. The associated policy will > be "Default Manage Users Policy". > > > The above defines the default policy for mapping all roles. In the > admin console "Roles" section, there will be a "Default Admin > Permissions" tab. Here the user will be able to modify the "Default > Role Mapping Permission". They will be able to create and add new > policies for this permission. They will not be able to create any > other > permission. In the "Users" section of the admin console, there > will be > a "Default Admin Permissions" tab. Here the admin will be able to > modify the "Default Manage Users Permission". > > FINE GRAIN PERMISSION > > For more fine grain permissions, there will be a resource created per > role on demand. The admin will go to the role's console page and > there > will be an "Admin Permissions" tab. The admin will say they want > to add > a fine grain permission for that role and this will trigger these > actions: > > * A resource will be created specifically for that role with an > associated scope of "map-role" > > * A scope permission will be created for that role resource and the > "map-role" scope. The "Default Role Mapping Policy" will be added > automatically to this permission.
> > There will also be an "Admin Permissions" tab for each Group. The > admin > will say they want to add a fine grain permission for that group and > this will trigger these actions: > > * A resource will be created specifically for that group with an > associated scope of "manage-users" > > * A scope permission will be created for that group resource and the > "manage-users" scope. The "Default Manage User Policy" will be added > automatically to this permission. > > EVALUATION > > When evaluating whether or not a role is allowed to be mapped by a > particular admin, this will be the algorithm: > > 1. If there is a resource for that specific role, evaluate that the > admin can use the "map-role" scope with that role's resource > > 2. If there is not a resource for that specific role, then > evaluate that > the admin can use the "map-role" scope with the "Roles" resource. > > 3. Evaluate if the admin can perform the "manage-users" scope on the > "Users" resource. > > 4. If Step #3 fails, then for each group see if the admin has the > "manage-users" scope for that group. > > DEFAULT PERMISSIONS FOR ADMIN ROLES > > By default, each admin role in the system "manage-users", > "manage-realm", etc... will have a resource and scope permission > created > for it as articulated above. The scope permission will be > UNANIMOUS and > will also associate a role policy of that role in addition to the > "Default Role Mapping Policy". This additional role policy is > basically > saying "Admins with 'manage-users' role and the admin must have this > role mapping as well". So, somebody with 'manage-users' role > can't map > 'manage-realm' unless they have that role themselves. > > MORE FINE GRAIN PERMISSIONS > > We also want to solve the case of allowing an admin to be able to map > specific roles for members of a specific group. To do this we'll add > another policy type called "Has Permission". Here you'll be able to > link a permission to a policy.
So, to solve the use case for specific > roles for members of a specific group, we can edit the "map-role" > permission for a specific role and add a "Has Permission" that > links to > the permission that the admin has "manage-users" scope for a specific > group. Hope I'm making sense on this one. > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > From bburke at redhat.com Tue Apr 4 09:00:54 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 4 Apr 2017 09:00:54 -0400 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> Message-ID: <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> The error that was eaten was something thrown from Undertow before it even got to org.keycloak code. On 4/4/17 8:00 AM, Stian Thorgersen wrote: > This will help with those cases where you currently see a whole bunch > of exceptions in the logs where they are actually expected > > On 4 April 2017 at 13:44, Marek Posolda > wrote: > > +1 > > It will be good if it logs the details for whole class in case > that some test failed. As there could be dependencies between the > order in which test method was executed etc. > > Also we can have an appender, which will log everything to the > file. So if you still want to see full log and all the details, > you can look to the file. > > Marek > > > > On 04/04/17 12:26, Stian Thorgersen wrote: >> Here's a cray thought. Could we somehow hide all log output for a >> test that passes and only show log output for failed tests? Maybe >> it could be done with a custom log appender that buffers log >> output, then the unit tests could call clear or dump depening on >> success/failure. >> >> On 4 April 2017 at 12:24, Stian Thorgersen > > wrote: >> >> I think this probably still needs some work. 
When running >> from IDE we don't need the TestEventsLogger at all as the IDE >> (at least IntelliJ) deals with that in a much nicer way. >> >> When running on Travis there's probably still an issue with >> to much log being generated. I can try this again, but last >> time I tried with -Pauth-server-wildfly the sysoutput file >> became to big (4mb+). >> >> On 4 April 2017 at 10:21, Marek Posolda > > wrote: >> >> I found some workaround to fix that. PR sent here: >> https://github.com/keycloak/keycloak/pull/4002 >> >> >> Now the default logging level for "org.keycloak" is INFO >> when you run from IDE, but disabled when you run with >> maven-surefire-plugin. In both cases, system property >> "keycloak.logging.level" can be used to override the default. >> >> Marek >> >> >> On 04/04/17 09:24, Stian Thorgersen wrote: >>> Pavel - can you comment on this please? If I remember >>> correctly it wasn't working initially, then Marek fixed >>> it, but now it's broken again. >>> >>> On 3 April 2017 at 22:06, Marek Posolda >>> > wrote: >>> >>> Doesn't work here too. But it worked a month ago or >>> so. Not sure what changed in the meantime... Created >>> https://issues.jboss.org/browse/KEYCLOAK-4705 >>> . >>> Will try to take a look. >>> >>> Marek >>> >>> On 03/04/17 16:22, Bill Burke wrote: >>> >>> And that helps how? Running in IDE should not >>> suppress any error >>> messages. The error message was actually an >>> internal Undertow one >>> complaining that async HTTP was unsupported. I >>> did look in the log4j >>> properties. The default logging level looks >>> like it is INFO. >>> >>> >>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>> >>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging >>> >>> >>> On 1 April 2017 at 21:22, Bill Burke >>> >>> >> >> wrote: >>> >>> When running arquillian tests in the >>> IDE, I'm still seeing no log >>> messages from the server. 
I had to set >>> a breakpoint in JAX-RS code to >>> find out a Javascript parsing error. >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> >>> >> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >>> >> > >>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >>> >>> >>> >> >> >> > > From mposolda at redhat.com Tue Apr 4 09:11:58 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 4 Apr 2017 15:11:58 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> Message-ID: Hmm... I guess it might be "org.xnio" ? As we have "org.xnio" and "org.hibernate" switched to OFF. Some other categories (resteasy etc) are switched to WARN. Maybe we can have different log4j files used when running from IDE and from maven? As when running from IDE, you are usually debugging/tracing one particular test and you want all the logging enabled in the console for most of the libraries. When with maven it is the opposite and we want to reduce console logging as much as possible. Marek On 04/04/17 15:00, Bill Burke wrote: > > The error that was eaten was something thrown from Undertow before it > even got to org.keycloak code. > > > On 4/4/17 8:00 AM, Stian Thorgersen wrote: >> This will help with those cases where you currently see a whole bunch >> of exceptions in the logs where they are actually expected >> >> On 4 April 2017 at 13:44, Marek Posolda > > wrote: >> >> +1 >> >> It will be good if it logs the details for whole class in case >> that some test failed. As there could be dependencies between the >> order in which test method was executed etc. 
>> >> Also we can have an appender, which will log everything to the >> file. So if you still want to see full log and all the details, >> you can look to the file. >> >> Marek >> >> >> >> On 04/04/17 12:26, Stian Thorgersen wrote: >>> Here's a cray thought. Could we somehow hide all log output for >>> a test that passes and only show log output for failed tests? >>> Maybe it could be done with a custom log appender that buffers >>> log output, then the unit tests could call clear or dump >>> depening on success/failure. >>> >>> On 4 April 2017 at 12:24, Stian Thorgersen >> > wrote: >>> >>> I think this probably still needs some work. When running >>> from IDE we don't need the TestEventsLogger at all as the >>> IDE (at least IntelliJ) deals with that in a much nicer way. >>> >>> When running on Travis there's probably still an issue with >>> to much log being generated. I can try this again, but last >>> time I tried with -Pauth-server-wildfly the sysoutput file >>> became to big (4mb+). >>> >>> On 4 April 2017 at 10:21, Marek Posolda >> > wrote: >>> >>> I found some workaround to fix that. PR sent here: >>> https://github.com/keycloak/keycloak/pull/4002 >>> >>> >>> Now the default logging level for "org.keycloak" is INFO >>> when you run from IDE, but disabled when you run with >>> maven-surefire-plugin. In both cases, system property >>> "keycloak.logging.level" can be used to override the >>> default. >>> >>> Marek >>> >>> >>> On 04/04/17 09:24, Stian Thorgersen wrote: >>>> Pavel - can you comment on this please? If I remember >>>> correctly it wasn't working initially, then Marek fixed >>>> it, but now it's broken again. >>>> >>>> On 3 April 2017 at 22:06, Marek Posolda >>>> > wrote: >>>> >>>> Doesn't work here too. But it worked a month ago or >>>> so. Not sure what changed in the meantime... >>>> Created >>>> https://issues.jboss.org/browse/KEYCLOAK-4705 >>>> . >>>> Will try to take a look. 
>>>> >>>> Marek >>>> >>>> On 03/04/17 16:22, Bill Burke wrote: >>>> >>>> And that helps how? Running in IDE should not >>>> suppress any error >>>> messages. The error message was actually an >>>> internal Undertow one >>>> complaining that async HTTP was unsupported. I >>>> did look in the log4j >>>> properties. The default logging level looks >>>> like it is INFO. >>>> >>>> >>>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>>> >>>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>> >>>> >>>> On 1 April 2017 at 21:22, Bill Burke >>>> >>>> >>> >> wrote: >>>> >>>> When running arquillian tests in the >>>> IDE, I'm still seeing no log >>>> messages from the server. I had to >>>> set a breakpoint in JAX-RS code to >>>> find out a Javascript parsing error. >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> >>>> >>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>>> >>>> >>> > >>>> >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>>> >>>> >>>> >>>> >>> >>> >>> >> >> > From sthorger at redhat.com Tue Apr 4 09:53:14 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 15:53:14 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> Message-ID: Wouldn't simply only showing log output from failed tests solve all issues? In the IDE you get the debug info you need to resolve a failing test. On Travis or Jenkins you get the details you need to look into failed tests without having X megabytes of test output, expected exceptions, etc.. On 4 April 2017 at 15:11, Marek Posolda wrote: > Hmm... 
I guess it might be "org.xnio" ? As we have "org.xnio" and > "org.hibernate" switched to OFF. Some other categories (resteasy etc) are > switched to WARN. > > Maybe we can have different log4j files used when running from IDE and > from maven? As when running from IDE, you are usually debugging/tracing one > particular test and you want all the logging enabled in the console for > most of the libraries. When with maven it is the opposite and we want to > reduce console logging as much as possible. > > Marek > > > On 04/04/17 15:00, Bill Burke wrote: > > The error that was eaten was something thrown from Undertow before it even > got to org.keycloak code. > > On 4/4/17 8:00 AM, Stian Thorgersen wrote: > > This will help with those cases where you currently see a whole bunch of > exceptions in the logs where they are actually expected > > On 4 April 2017 at 13:44, Marek Posolda wrote: > >> +1 >> >> It will be good if it logs the details for whole class in case that some >> test failed. As there could be dependencies between the order in which test >> method was executed etc. >> >> Also we can have an appender, which will log everything to the file. So >> if you still want to see full log and all the details, you can look to the >> file. >> >> Marek >> >> >> >> On 04/04/17 12:26, Stian Thorgersen wrote: >> >> Here's a cray thought. Could we somehow hide all log output for a test >> that passes and only show log output for failed tests? Maybe it could be >> done with a custom log appender that buffers log output, then the unit >> tests could call clear or dump depening on success/failure. >> >> On 4 April 2017 at 12:24, Stian Thorgersen wrote: >> >>> I think this probably still needs some work. When running from IDE we >>> don't need the TestEventsLogger at all as the IDE (at least IntelliJ) deals >>> with that in a much nicer way. >>> >>> When running on Travis there's probably still an issue with to much log >>> being generated. 
I can try this again, but last time I tried with >>> -Pauth-server-wildfly the sysoutput file became to big (4mb+). >>> >>> On 4 April 2017 at 10:21, Marek Posolda wrote: >>> >>>> I found some workaround to fix that. PR sent here: >>>> https://github.com/keycloak/keycloak/pull/4002 >>>> >>>> Now the default logging level for "org.keycloak" is INFO when you run >>>> from IDE, but disabled when you run with maven-surefire-plugin. In both >>>> cases, system property "keycloak.logging.level" can be used to override the >>>> default. >>>> >>>> Marek >>>> >>>> >>>> On 04/04/17 09:24, Stian Thorgersen wrote: >>>> >>>> Pavel - can you comment on this please? If I remember correctly it >>>> wasn't working initially, then Marek fixed it, but now it's broken again. >>>> >>>> On 3 April 2017 at 22:06, Marek Posolda wrote: >>>> >>>>> Doesn't work here too. But it worked a month ago or so. Not sure what >>>>> changed in the meantime... Created https://issues.jboss.org/brows >>>>> e/KEYCLOAK-4705 . Will try to take a look. >>>>> >>>>> Marek >>>>> >>>>> On 03/04/17 16:22, Bill Burke wrote: >>>>> >>>>>> And that helps how? Running in IDE should not suppress any error >>>>>> messages. The error message was actually an internal Undertow one >>>>>> complaining that async HTTP was unsupported. I did look in the log4j >>>>>> properties. The default logging level looks like it is INFO. >>>>>> >>>>>> >>>>>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>>>>> >>>>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/i >>>>>>> ntegration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>>>>> >>>>>>> On 1 April 2017 at 21:22, Bill Burke >>>>>> > wrote: >>>>>>> >>>>>>> When running arquillian tests in the IDE, I'm still seeing no >>>>>>> log >>>>>>> messages from the server. I had to set a breakpoint in JAX-RS >>>>>>> code to >>>>>>> find out a Javascript parsing error. 
>>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-dev mailing list >>>>>>> keycloak-dev at lists.jboss.org >>>>>> ss.org> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>> keycloak-dev mailing list >>>>>> keycloak-dev at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>> >> >> > > > From sthorger at redhat.com Tue Apr 4 09:53:51 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Apr 2017 15:53:51 +0200 Subject: [keycloak-dev] modeling map role fine grain permissions In-Reply-To: References: Message-ID: Can you gives us the high level, non-authz services, specific version? ;) On 4 April 2017 at 14:59, Bill Burke wrote: > You have to understand the Authz service. Sorry. This email was as much > for me as for review. > > On 4/4/17 3:15 AM, Stian Thorgersen wrote: > > That should have come with a long email warning ;) > > I'm a bit lost. I read this twice without being able to wrap my head > around it. I'll try to read it again later today or tomorrow. > > > On 3 April 2017 at 16:58, Bill Burke wrote: > >> Here's how I am going to model role mapping with fine grain permissions >> in Authz service. The goal of this is to be able to limit or expand on >> who can map specific roles. While we want to have a default that any >> admin that has the "manage-users" role can map a role, we also want to >> be able to do things like saying that an admin can map a specific role >> if they belong to a group instead. >> >> DEFAULT PERMISSIONS >> >> * "permit all" policy. Just grants it. >> >> * "Default Role Mapping Policy" Policy. This is an aggregate policy >> that includes the "permit all" policy. >> >> * "map-role" scope >> >> * "Roles" resource. 
Associated scope is "map-role" >> >> * "Default Role Mapping Permission" - scope permission that binds >> "Roles" resource and "map-role" scope. The associated policy will be >> "Default Role Mapping Policy". >> >> >> * "manage-users" scope >> >> * "Users" resource. Associated scope is "manage-users" >> >> * "manage-users" policy that checks that "manage-users" role is present >> >> * "Default Manage Users Policy". This is an aggregate policy that >> includes the "manage-users" policy. >> >> * "Default Manage Users Permission" - scope permission that binds >> "Users" resource and "manage-users" scope. The associated policy will >> be "Default Manage Users Policy". >> >> >> The above defines the default policy for mapping all roles. In the >> admin console "Roles" section, there will be a "Default Admin >> Permissions" tab. Here the user will be able to modify the "Default >> Role Mapping Permission". They will be able to create and add new >> policies for this permission. They will not be able to create any other >> permission. In the "Users" section of the admin console, there will be >> a "Default Admin Permissions" tab. Here the admin will be able to >> modify the "Default Manage Users Permission". >> >> FINE GRAIN PERMISSION >> >> For more fine grain permissions, there will be a resource created per >> role on demand. The admin will go to the role's console page and there >> will be an "Admin Permissions" tab. The admin will say they want to add >> a fine grain permission for that role and this will trigger these actions: >> >> * A resource will be created specifically for that role with an >> associated scope of "map-role" >> >> * A scope permission will be created for that role resource and the >> "map-role" scope. The "Default Role Mapping Policy" will be added >> automatically to this permission. >> >> There will also be an "Admin Permissions" tab for each Group.
The admin >> will say they want to add a fine grain permission for that group and >> this will trigger these actions: >> >> * A resource will be created specifically for that group with an >> associated scope of "manage-users" >> >> * A scope permission will be created for that group resource and the >> "manage-users" scope. The "Default Manage User Policy" will be added >> automatically to this permission. >> >> EVALUATION >> >> When evaluating whether or not a role is allowed to be mapped by a >> particular admin, this will be the algorithm: >> >> 1. If there is a resource for that specific role, evaluate that the >> admin can use the "map-role" scope with that role's resource >> >> 2. If there is not a resource for that specific role, then evaluate that >> the admin can use the "map-role" scope with the "Roles" resource. >> >> 3. Evaluate if the admin can perform the "manage-users" scope on the >> "Users" resource. >> >> 4. If Step #3 fails, then for each group see if the admin has the >> "manage-users" scope for that group. >> >> DEFAULT PERMISSIONS FOR ADMIN ROLES >> >> By default, each admin role in the system "manage-users", >> "manage-realm", etc... will have a resource and scope permission created >> for it as articulated above. The scope permission will be UNANIMOUS and >> will also associate a role policy of that role in addition to the >> "Default Role Mapping Policy". This additional role policy is basically >> saying "Admins with 'manage-users' role and the admin must have this >> role mapping as well". So, somebody with 'manage-users' role can't map >> 'manage-realm' unless they have that role themselves. >> >> MORE FINE GRAIN PERMISSIONS >> >> We also want to solve the case of allowing an admin to be able to map >> specific roles for members of a specific group. To do this we'll add >> another policy type called "Has Permission". Here you'll be able to >> link a permission to a policy.
So, to solve the use case for specific >> roles for members of a specific group, we can edit the "map-role" >> permission for a specific role and add a "Has Permission" that links to >> the permission that the admin has "manage-users" scope for a specific >> group. Hope I'm making sense on this one. >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > > From mposolda at redhat.com Tue Apr 4 10:23:02 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 4 Apr 2017 16:23:02 +0200 Subject: [keycloak-dev] testsuite still eats server-side logs in IDE In-Reply-To: References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> Message-ID: IMO it works for travis/jenkins, but doesn't work for IDE. When debugging in IDE, you usually want to see all the test output even if the test is not failing. You want to see it immediately. And the thread you're debugging is in many cases different than the thread which is expected to output something to the console log (e.g. when debugging the test method, you want to check that after calling the line with "oauthClient.openLoginForm()" the server called the expected HTTP requests and wrote the expected items to the log etc). Also some of us use the pattern like this when developing something:

    @Test
    public void testSleep() throws InterruptedException {
        Thread.sleep(10000000);
    }

in which case you usually just test the Keycloak server/UI directly and the test is here just to prepare the environment, which is done in @Before methods etc. This test method never finishes and hence never fails. But still, you want to see the log/console output immediately when you're testing stuff. Marek On 04/04/17 15:53, Stian Thorgersen wrote: > Wouldn't simply only showing log output from failed tests solve all > issues? In the IDE you get the debug info you need to resolve a > failing test.
On Travis or Jenkins you get the details you need to > look into failed tests without having X megabytes of test output, > expected exceptions, etc.. > > > On 4 April 2017 at 15:11, Marek Posolda > wrote: > > Hmm... I guess it might be "org.xnio" ? As we have "org.xnio" and > "org.hibernate" switched to OFF. Some other categories (resteasy > etc) are switched to WARN. > > Maybe we can have different log4j files used when running from IDE > and from maven? As when running from IDE, you are usually > debugging/tracing one particular test and you want all the logging > enabled in the console for most of the libraries. When with maven > it is the opposite and we want to reduce console logging as much > as possible. > > Marek > > > On 04/04/17 15:00, Bill Burke wrote: >> >> The error that was eaten was something thrown from Undertow >> before it even got to org.keycloak code. >> >> >> On 4/4/17 8:00 AM, Stian Thorgersen wrote: >>> This will help with those cases where you currently see a whole >>> bunch of exceptions in the logs where they are actually expected >>> >>> On 4 April 2017 at 13:44, Marek Posolda >> > wrote: >>> >>> +1 >>> >>> It will be good if it logs the details for whole class in >>> case that some test failed. As there could be dependencies >>> between the order in which test method was executed etc. >>> >>> Also we can have an appender, which will log everything to >>> the file. So if you still want to see full log and all the >>> details, you can look to the file. >>> >>> Marek >>> >>> >>> >>> On 04/04/17 12:26, Stian Thorgersen wrote: >>>> Here's a cray thought. Could we somehow hide all log output >>>> for a test that passes and only show log output for failed >>>> tests? Maybe it could be done with a custom log appender >>>> that buffers log output, then the unit tests could call >>>> clear or dump depening on success/failure. >>>> >>>> On 4 April 2017 at 12:24, Stian Thorgersen >>>> > wrote: >>>> >>>> I think this probably still needs some work. 
When >>>> running from IDE we don't need the TestEventsLogger at >>>> all as the IDE (at least IntelliJ) deals with that in a >>>> much nicer way. >>>> >>>> When running on Travis there's probably still an issue >>>> with to much log being generated. I can try this again, >>>> but last time I tried with -Pauth-server-wildfly the >>>> sysoutput file became to big (4mb+). >>>> >>>> On 4 April 2017 at 10:21, Marek Posolda >>>> > wrote: >>>> >>>> I found some workaround to fix that. PR sent here: >>>> https://github.com/keycloak/keycloak/pull/4002 >>>> >>>> >>>> Now the default logging level for "org.keycloak" is >>>> INFO when you run from IDE, but disabled when you >>>> run with maven-surefire-plugin. In both cases, >>>> system property "keycloak.logging.level" can be >>>> used to override the default. >>>> >>>> Marek >>>> >>>> >>>> On 04/04/17 09:24, Stian Thorgersen wrote: >>>>> Pavel - can you comment on this please? If I >>>>> remember correctly it wasn't working initially, >>>>> then Marek fixed it, but now it's broken again. >>>>> >>>>> On 3 April 2017 at 22:06, Marek Posolda >>>>> > >>>>> wrote: >>>>> >>>>> Doesn't work here too. But it worked a month >>>>> ago or so. Not sure what changed in the >>>>> meantime... Created >>>>> https://issues.jboss.org/browse/KEYCLOAK-4705 >>>>> >>>>> . Will try to take a look. >>>>> >>>>> Marek >>>>> >>>>> On 03/04/17 16:22, Bill Burke wrote: >>>>> >>>>> And that helps how? Running in IDE should >>>>> not suppress any error >>>>> messages. The error message was actually >>>>> an internal Undertow one >>>>> complaining that async HTTP was >>>>> unsupported. I did look in the log4j >>>>> properties. The default logging level >>>>> looks like it is INFO. 
>>>>> >>>>> >>>>> On 4/3/17 9:33 AM, Stian Thorgersen wrote: >>>>> >>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md#testsuite-logging >>>>> >>>>> >>>>> On 1 April 2017 at 21:22, Bill Burke >>>>> >>>> >>>>> >>>> >> wrote: >>>>> >>>>> When running arquillian tests in >>>>> the IDE, I'm still seeing no log >>>>> messages from the server. I had >>>>> to set a breakpoint in JAX-RS code to >>>>> find out a Javascript parsing error. >>>>> >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> >>>>> >>>> > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>>> >>>>> >>>> > >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >> > > From psilva at redhat.com Tue Apr 4 11:41:48 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 4 Apr 2017 12:41:48 -0300 Subject: [keycloak-dev] modeling map role fine grain permissions In-Reply-To: References: Message-ID: Didn't get the part below. Also, I'm curious to check how are you enforcing these permissions. Could you link the branch you have this implemented ? On Mon, Apr 3, 2017 at 11:58 AM, Bill Burke wrote: > > MORE FINE GRAIN PERMISSIONS > > We also want to solve the case of allowing an admin to be able to map > specific roles for members of a specific group. To do this we'll add > another policy type called "Has Permission". Here you'll be able to > link a permission to a policy. So, to solve the use case for specific > roles for members of a specific group, we can edit the "map-role" > permission for a specific role and add a "Has Permission" that links to > the permission that the admin has "manage-users" scope for a specific > group. Hope I'm making sense on this one. 
> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From thomas.darimont at googlemail.com Tue Apr 4 16:45:40 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 4 Apr 2017 22:45:40 +0200 Subject: [keycloak-dev] Extension for Health-Checks in Keycloak Message-ID: Hello group, I wrote a small Keycloak extension [0] that exposes a health endpoint with health-checks as a RealmResource. Health Checks can be contributed with a dedicated SPI. (I took some inspiration from Spring Boot and Wildfly Swarm Health-Checks: [1]) I'm now looking for general feedback and suggestions for additional health checks that could be added (infinispan?) - perhaps this could even be added to Keycloak directly. Some things I noticed: 1) RealmResourceProvider allows exposing custom JAX-RS resources on realm level but there is no equivalent for "global" Resources, e.g. something like KeycloakResourceProvider / PublicResourceProvider is missing. I wanted to add a health-check for the whole Keycloak Server, not just a realm... 2) It seems that many requests lead to a database tx being committed via org.keycloak.services.filters.KeycloakTransactionCommitter, even if there is no write to the database. Is this intended? 3) The keycloak-server BOMs didn't work for me. Even if I declare

    <dependencyManagement>
      <dependencies>
        <dependency>
          <groupId>org.keycloak.bom</groupId>
          <artifactId>keycloak-spi-bom</artifactId>
          <version>${keycloak.version}</version>
          <type>pom</type>
          <scope>import</scope>
        </dependency>
      </dependencies>
    </dependencyManagement>

in my pom.xml I need to provide <version> settings to keycloak dependencies, e.g.

    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-server-spi-private</artifactId>
      <version>${keycloak.version}</version>
    </dependency>

which shouldn't be the case with a correct maven BOM.
I tried this with keycloak version 2.5.5.Final and 3.0.0.Final

Cheers,
Thomas

[0] https://github.com/thomasdarimont/keycloak-health-checks
[1] https://wildfly-swarm.gitbooks.io/wildfly-swarm-users-guide/advanced/monitoring.html

From sthorger at redhat.com Wed Apr 5 02:34:36 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 5 Apr 2017 08:34:36 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com>

Ok, so not for the IDE then. It's not really needed for the IDE anyways as at least IntelliJ is smart enough to group output per test so it's easy to find relevant info.

On 4 April 2017 at 16:23, Marek Posolda wrote:
> IMO it works for travis/jenkins, but doesn't work for IDE.
>
> When debugging in IDE, you usually want to see all the test output even if
> the test is not failing. You want to see it immediately. And the thread you're
> debugging is in many cases different than the thread which is expected to
> output something to the console log (eg. when debugging the test method, you
> want to check that after calling the line with "oauthClient.openLoginForm()"
> the server called the expected HTTP requests and wrote the expected items to
> the log etc).
>
> Also some of us use the pattern like this when developing something:
>
>     @Test
>     public void testSleep() throws Exception {
>         Thread.sleep(10000000);
>     }
>
> in which case you usually just test the Keycloak server/UI directly and the
> test is here just to prepare the environment, which is done in @Before
> methods etc. This test method is never finished and hence never failed. But
> still, you want to see the log/console output immediately when you're
> testing stuff.
>
> Marek
>
> On 04/04/17 15:53, Stian Thorgersen wrote:
>> Wouldn't simply only showing log output from failed tests solve all
>> issues? In the IDE you get the debug info you need to resolve a failing
>> test. On Travis or Jenkins you get the details you need to look into failed
>> tests without having X megabytes of test output, expected exceptions, etc..
>>
>> On 4 April 2017 at 15:11, Marek Posolda wrote:
>>> Hmm... I guess it might be "org.xnio"? As we have "org.xnio" and
>>> "org.hibernate" switched to OFF. Some other categories (resteasy etc) are
>>> switched to WARN.
>>>
>>> Maybe we can have different log4j files used when running from IDE and
>>> from maven? As when running from IDE, you are usually debugging/tracing one
>>> particular test and you want all the logging enabled in the console for
>>> most of the libraries. With maven it is the opposite and we want to
>>> reduce console logging as much as possible.
>>>
>>> Marek
>>>
>>> On 04/04/17 15:00, Bill Burke wrote:
>>>> The error that was eaten was something thrown from Undertow before it
>>>> even got to org.keycloak code.
>>>>
>>>> On 4/4/17 8:00 AM, Stian Thorgersen wrote:
>>>>> This will help with those cases where you currently see a whole bunch of
>>>>> exceptions in the logs where they are actually expected
>>>>>
>>>>> On 4 April 2017 at 13:44, Marek Posolda wrote:
>>>>>> +1
>>>>>>
>>>>>> It will be good if it logs the details for the whole class in case some
>>>>>> test failed, as there could be dependencies between the order in which
>>>>>> test methods were executed etc.
>>>>>>
>>>>>> Also we can have an appender which will log everything to a file. So
>>>>>> if you still want to see the full log and all the details, you can look
>>>>>> at the file.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 04/04/17 12:26, Stian Thorgersen wrote:
>>>>>>> Here's a crazy thought. Could we somehow hide all log output for a test
>>>>>>> that passes and only show log output for failed tests? Maybe it could be
>>>>>>> done with a custom log appender that buffers log output, then the unit
>>>>>>> tests could call clear or dump depending on success/failure.
>>>>>>>
>>>>>>> On 4 April 2017 at 12:24, Stian Thorgersen wrote:
>>>>>>>> I think this probably still needs some work. When running from IDE we
>>>>>>>> don't need the TestEventsLogger at all as the IDE (at least IntelliJ)
>>>>>>>> deals with that in a much nicer way.
>>>>>>>>
>>>>>>>> When running on Travis there's probably still an issue with too much
>>>>>>>> log being generated. I can try this again, but last time I tried with
>>>>>>>> -Pauth-server-wildfly the sysoutput file became too big (4mb+).
>>>>>>>>
>>>>>>>> On 4 April 2017 at 10:21, Marek Posolda wrote:
>>>>>>>>> I found some workaround to fix that. PR sent here:
>>>>>>>>> https://github.com/keycloak/keycloak/pull/4002
>>>>>>>>>
>>>>>>>>> Now the default logging level for "org.keycloak" is INFO when you run
>>>>>>>>> from IDE, but disabled when you run with maven-surefire-plugin. In both
>>>>>>>>> cases, the system property "keycloak.logging.level" can be used to
>>>>>>>>> override the default.
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>> On 04/04/17 09:24, Stian Thorgersen wrote:
>>>>>>>>>> Pavel - can you comment on this please? If I remember correctly it
>>>>>>>>>> wasn't working initially, then Marek fixed it, but now it's broken again.
>>>>>>>>>>
>>>>>>>>>> On 3 April 2017 at 22:06, Marek Posolda wrote:
>>>>>>>>>>> Doesn't work here either. But it worked a month ago or so. Not sure
>>>>>>>>>>> what changed in the meantime... Created
>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-4705 . Will try to take a look.
>>>>>>>>>>>
>>>>>>>>>>> Marek
>>>>>>>>>>>
>>>>>>>>>>> On 03/04/17 16:22, Bill Burke wrote:
>>>>>>>>>>>> And that helps how? Running in IDE should not suppress any error
>>>>>>>>>>>> messages. The error message was actually an internal Undertow one
>>>>>>>>>>>> complaining that async HTTP was unsupported. I did look in the log4j
>>>>>>>>>>>> properties. The default logging level looks like it is INFO.
From mposolda at redhat.com Wed Apr 5 03:25:24 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 5 Apr 2017 09:25:24 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com>
Message-ID: <67e691ad-5341-d6f6-fb84-508df313d06c@redhat.com>

Btw. I've just seen some logs of the wildfly job. And there are some differences between undertow and Wildfly.

With undertow, the maven job has disabled logging for "org.keycloak", so the expected exceptions are not displayed in the log. However with the Wildfly job, they are still displayed. This is likely the reason why the 4MB limit on travis was reached with Wildfly.

I think the reason is that Wildfly logging needs to be configured in standalone/configuration/standalone.xml in the logging subsystem, hence the disabled "org.keycloak" in testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties has no effect.

So it seems that for Wildfly we need to ensure that the logging subsystem in standalone.xml is properly configured and add the appender here as well if we do the appender (which maybe means adding another module or library with the appender etc). And we need to do that in the preparation of all the various wildfly servers (wildfly, adapter, cluster etc).

Marek

On 05/04/17 08:34, Stian Thorgersen wrote:
> Ok, so not for the IDE then. It's not really needed for the IDE
> anyways as at least IntelliJ is smart enough to group output per test
> so it's easy to find relevant info.
From sthorger at redhat.com Wed Apr 5 03:48:21 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 5 Apr 2017 09:48:21 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
In-Reply-To: <67e691ad-5341-d6f6-fb84-508df313d06c@redhat.com>
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> <67e691ad-5341-d6f6-fb84-508df313d06c@redhat.com>

Actually it's probably the combination of WildFly log output and the test log output that generates 4mb+.

Maybe we could write a custom appender that buffers everything between " STARTED" and FAILED/FINISHED. If it's a FINISHED it will just clear the buffer, but if it's a FAILED it will output to std out. We could also add a log output per test class. We could make it an option when running the tests (something like -PshowFailuresOnly). So output on Travis/Jenkins would be something like:

    [UndertowDemoFilterServletAdapterTest] Starting

    [UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() STARTED

    ... Loads of stuff ...

    [UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() FAILED

    [NextTest] Starting

    [NextNextTest] Starting

    Results :

    Tests run: 335, Failures: 1, Errors: 0, Skipped: 12

On 5 April 2017 at 09:25, Marek Posolda wrote:
> Btw. I've just seen some logs of the wildfly job. And there are some
> differences between undertow and Wildfly.
>
> With undertow, the maven job has disabled logging for "org.keycloak", so
> the expected exceptions are not displayed in the log. However with the Wildfly
> job, they are still displayed. This is likely the reason why the 4MB limit
> on travis was reached with Wildfly.
>
> I think the reason is that Wildfly logging needs to be configured in
> standalone/configuration/standalone.xml in the logging subsystem, hence the
> disabled "org.keycloak" in
> testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
> has no effect.
>
> So it seems that for Wildfly we need to ensure that the logging subsystem in
> standalone.xml is properly configured and add the appender here as well if
> we do the appender (which maybe means adding another module or library with
> the appender etc). And we need to do that in the preparation of all the
> various wildfly servers (wildfly, adapter, cluster etc).
>
> Marek
From sthorger at redhat.com Wed Apr 5 03:50:41 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 5 Apr 2017 09:50:41 +0200
Subject: [keycloak-dev] testsuite still eats server-side logs in IDE
References: <83e1ab2f-15ba-03dd-3c99-bd555e662112@redhat.com> <7e6fe6c6-e711-6ef4-9017-b49489f92d85@redhat.com> <67e691ad-5341-d6f6-fb84-508df313d06c@redhat.com>

Never mind, that doesn't work as it's different processes :(

We'd need to write some sort of wrapper for the "mvn job" that could do the job. Something like:

    mvn -Pauth-server-wildfly | filter-log-output

On 5 April 2017 at 09:48, Stian Thorgersen wrote:
> Actually it's probably the combination of WildFly log output and the test
> log output that generates 4mb+.
>
> Maybe we could write a custom appender that buffers everything between
> " STARTED" and FAILED/FINISHED. If it's a FINISHED it will just clear
> the buffer, but if it's a FAILED it will output to std out. We could also
> add a log output per test class. We could make it an option when running
> the tests (something like -PshowFailuresOnly). So output on Travis/Jenkins
> would be something like:
>
>     [UndertowDemoFilterServletAdapterTest] Starting
>
>     [UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() STARTED
>
>     ... Loads of stuff ...
>
>     [UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() FAILED
>
>     [NextTest] Starting
>
>     [NextNextTest] Starting
>
>     Results :
>
>     Tests run: 335, Failures: 1, Errors: 0, Skipped: 12
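The buffering idea from the two messages above (keep everything between a test's STARTED marker and its FAILED/FINISHED marker, drop it on FINISHED, print it on FAILED) written as the `mvn ... | filter-log-output` wrapper, as an added example that is not part of the thread or of the Keycloak test suite. The marker format is assumed from the sample output quoted above, the `--per-class` mode is Marek's whole-class suggestion, and the input lines are constructed.

```python
"""Keep only the log output of failed tests, in the spirit of
``mvn -Pauth-server-wildfly | python filter_log.py``.

Added example, not code from the Keycloak test suite. The marker lines
("[Class] Starting", "[Class] method() STARTED/FINISHED/FAILED") are
assumed to look like the sample output quoted in the thread.
"""
import re
import sys
from typing import Iterable, List

TEST_EVENT = re.compile(
    r"^\[(?P<cls>[^\]]+)\] (?P<test>\S+) (?P<state>STARTED|FINISHED|FAILED)$")
CLASS_START = re.compile(r"^\[(?P<cls>[^\]]+)\] Starting$")

# Constructed sample run, modelled on the output shown in the thread.
SAMPLE_OUTPUT = [
    "[UndertowDemoFilterServletAdapterTest] Starting",
    "[UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() STARTED",
    "server log line: expected exception while testing the failure path",
    "[UndertowDemoFilterServletAdapterTest] historyOfAccessResourceTest() FAILED",
    "[UndertowDemoFilterServletAdapterTest] testLogout() STARTED",
    "server log line: logout processed",
    "[UndertowDemoFilterServletAdapterTest] testLogout() FINISHED",
    "[NextTest] Starting",
    "[NextTest] testLogin() STARTED",
    "server log line: login processed",
    "[NextTest] testLogin() FINISHED",
    "Results :",
    "Tests run: 335, Failures: 1, Errors: 0, Skipped: 12",
]


def filter_log(lines: Iterable[str], per_class: bool = False) -> List[str]:
    """Return the lines worth showing on Travis/Jenkins.

    Lines between a test's STARTED marker and its FINISHED/FAILED marker are
    buffered; the buffer is discarded on FINISHED and emitted on FAILED.
    With per_class=True the buffers of a whole test class are held until the
    next class starts and emitted if any test of that class failed (useful
    when tests in one class depend on execution order). Lines outside any
    test window (class banners, the Surefire summary) pass through unchanged,
    so in per-class mode the details of the last class follow the summary.
    """
    out: List[str] = []
    test_buf: List[str] = []   # lines of the test currently running
    class_buf: List[str] = []  # finished test windows of the current class
    in_test = False
    class_failed = False

    def end_test(failed: bool) -> None:
        nonlocal test_buf, in_test, class_failed
        in_test = False
        if per_class:
            class_buf.extend(test_buf)
            class_failed = class_failed or failed
        elif failed:
            out.extend(test_buf)
        test_buf = []

    def end_class() -> None:
        nonlocal class_buf, class_failed
        if class_failed:
            out.extend(class_buf)
        class_buf, class_failed = [], False

    for raw in lines:
        line = raw.rstrip("\n")
        event = TEST_EVENT.match(line)
        if in_test:
            test_buf.append(line)
            if event and event.group("state") == "FAILED":
                end_test(failed=True)
            elif event and event.group("state") == "FINISHED":
                end_test(failed=False)
            continue
        if event and event.group("state") == "STARTED":
            in_test = True
            test_buf = [line]
            continue
        if CLASS_START.match(line):
            end_class()  # flushes a failed class; no-op otherwise
        out.append(line)  # banner, summary or other non-test output

    # A test that never reached FINISHED/FAILED (JVM crash, timeout, Ctrl-C)
    # is treated as failed: dropping its buffer would hide the cause.
    if in_test:
        end_test(failed=True)
    end_class()
    return out


if __name__ == "__main__":
    # Read a real run from stdin; fall back to the constructed sample on a tty.
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin
    for kept in filter_log(source, per_class="--per-class" in sys.argv[1:]):
        print(kept)
```

On the constructed sample the per-test mode keeps the class banners, the summary and only the failed test's window; `--per-class` additionally keeps the passing `testLogout()` window because it ran in the same class as the failure.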
From bburke at redhat.com Wed Apr 5 17:18:21 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 5 Apr 2017 17:18:21 -0400
Subject: [keycloak-dev] modeling map role fine grain permissions

Yeah, maybe that wouldn't work. How would you say something like:

This admin can manage users that belong to this group and can only assign roles A, B, and C to members in that group.

On 4/4/17 11:41 AM, Pedro Igor Silva wrote:
> Didn't get the part below.
>
> Also, I'm curious to check how you are enforcing these permissions.
> Could you link the branch where you have this implemented?
>
> On Mon, Apr 3, 2017 at 11:58 AM, Bill Burke wrote:
>>
>> MORE FINE GRAIN PERMISSIONS
>>
>> We also want to solve the case of allowing an admin to be able to map
>> specific roles for members of a specific group. To do this we'll add
>> another policy type called "Has Permission". Here you'll be able to
>> link a permission to a policy. So, to solve the use case for specific
>> roles for members of a specific group, we can edit the "map-role"
>> permission for a specific role and add a "Has Permission" that links to
>> the permission that the admin has "manage-users" scope for a specific
>> group. Hope I'm making sense on this one.
From bruno at abstractj.org Wed Apr 5 20:18:57 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 06 Apr 2017 00:18:57 +0000
Subject: [keycloak-dev] Functional tests for Keycloak console

Ahoy, I'm writing some tests for this https://issues.jboss.org/browse/KEYCLOAK-4445 and would like to know if this is the appropriate place for testing E-mail settings.

It looks like the console module is not part of our tests.

Thanks in advance.

From sthorger at redhat.com Thu Apr 6 03:51:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Apr 2017 09:51:46 +0200
Subject: [keycloak-dev] Functional tests for Keycloak console

That would be the correct place yes. Console tests have been too unstable in the past to have them enabled by default. Once they are stable (and quick) enough we can enable by default.

On 6 April 2017 at 02:18, Bruno Oliveira wrote:
> Ahoy, I'm writing some tests for this
> https://issues.jboss.org/browse/KEYCLOAK-4445 and would like to know if
> this is the appropriate place for testing E-mail settings.
>
> It looks like the console module is not part of our tests.
>
> Thanks in advance.

From bruno at abstractj.org Thu Apr 6 07:18:22 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 06 Apr 2017 11:18:22 +0000
Subject: [keycloak-dev] Functional tests for Keycloak console

Thank you!

On Wed, Apr 5, 2017 at 9:18 PM Bruno Oliveira wrote:
> Ahoy, I'm writing some tests for this
> https://issues.jboss.org/browse/KEYCLOAK-4445 and would like to know if
> this is the appropriate place for testing E-mail settings.
>
> It looks like the console module is not part of our tests.
>
> Thanks in advance.

From sthorger at redhat.com Thu Apr 6 09:21:49 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Apr 2017 15:21:49 +0200
Subject: [keycloak-dev] Red Hat Single Sign-On 7.1.GA is available

RH-SSO 7.1.GA is out! This is based on Keycloak 2.5.5.Final. For more details check:
http://middlewareblog.redhat.com/2017/04/05/announcing-red-hat-single-sign-on-7-1-ga-is-available/

From takashi.norimatsu.ws at hitachi.com Thu Apr 6 21:36:01 2017
From: takashi.norimatsu.ws at hitachi.com (乗松 隆志 / NORIMATSU TAKASHI)
Date: Fri, 7 Apr 2017 01:36:01 +0000
Subject: [keycloak-dev] Proposal of RFC7636 (PKCE) support
In-Reply-To: <831D472326678942A9B4BB933AAA103D25F91510@GSjpTK1DCembx01.service.hitachi.net>
References: <831D472326678942A9B4BB933AAA103D25F77C0F@GSjpTK1DCembx01.service.hitachi.net> <831D472326678942A9B4BB933AAA103D25F91510@GSjpTK1DCembx01.service.hitachi.net>
Message-ID: <831D472326678942A9B4BB933AAA103D25F9267C@GSjpTK1DCembx01.service.hitachi.net>

I've found it was merged. Thank you very much!

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of 乗松 隆志 / NORIMATSU TAKASHI
Sent: Monday, April 03, 2017 4:17 PM
To: 'keycloak-dev at lists.jboss.org'
Subject: [!]Re: [keycloak-dev] Proposal of RFC7636 (PKCE) support

Hi,

What about the status of the PR?
https://github.com/keycloak/keycloak/pull/3831

There were two PRs about PKCE, but it is now only one PR (above).

I found that the 3.x label is removed, and I am afraid that priority was set low. However, this patch is very important for keycloak to be competitive. And I wish the review will be resumed soon. If there is any issue, please tell me, I am willing to work.
Following is background information why PKCE is necessary:

In the financial API draft of OIDF,
http://openid.net/specs/openid-financial-api-part-1.html
It requires RFC7636.
> 5.2.2. Authorization Server
> The Authorization Server
> shall support [RFC7636] with S256 as the code challenge method;

In addition, other competing products support it. E.g.:

* Gluu server supports it:
  https://www.gluu.org/blog/ja/gluu-server-ce-2-4-3-is-now-available/
  > Support for PKCE to protect authorization code

* WSO2 supports it:
  https://docs.wso2.com/display/IS520/Mitigating+Authorization+Code+Interception+Attacks#MitigatingAuthorizationCodeInterceptionAttacks-ConfiguringPKCEwithWSO2IdentityServer
  > Configuring PKCE with WSO2 Identity Server

* CA supports it:
  https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-connect-implementation/open-id-connect-implementation-details
  > Proof Key for Code Exchange (PKCE) is supported for enhanced authorization code security.

Regards,
Takashi Norimatsu

From mstrukel at redhat.com Fri Apr 7 03:58:49 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 7 Apr 2017 09:58:49 +0200
Subject: [keycloak-dev] Online Export

I've been working on online Export functionality for Admin Console (RHSSO-402).

Primary use case is to get core realm configuration with identity providers and user storage, but no users, and optionally also excluding clients, roles, and groups.

As opposed to offline export (at startup time), which can serve as a backup to restore the server, the idea of online export is to help gather server configuration for troubleshooting so you can reproduce / diagnose issues.

In terms of implementation the idea was first to just trigger the same logic that creates a single JSON export during offline export, just filter it to have less content, and no secrets.
Then one would ssh to the server to retrieve the file. But, that's a complicated workflow, especially when dealing with a cluster of servers - how to know which server performed the export?

A more usable implementation would be to download the exported JSON through Admin Console. That does return a lot of information through a simple REST request - anybody sees any issues here?

Another thing is to be careful that triggering an export does not slow or block processing of other requests to the server. Current implementation performs single file export within a single UserTransaction. With no users, groups, roles, and clients there should be no issues here. But if exporting many thousands of clients, that might interfere with normal operation of the server.

One idea how to prevent that is to hardcode a fixed limit on instance count for groups, roles, and clients. Export page would display client count next to toggle button for exporting of clients, and analogous for groups, and roles. If count is greater than let's say 10k, the toggle for that inclusion would be disabled. That will require an extra REST endpoint for gathering these counts. To consistently enforce the limits the check would have to be performed inside the Admin REST export call as well.

Such implementation is more complicated but the whole workflow to get to exported JSON is much better.

Any thoughts on such an approach?

From krishna1shiva at gmail.com Fri Apr 7 04:09:16 2017
From: krishna1shiva at gmail.com (Shiva Krishna)
Date: Fri, 7 Apr 2017 13:39:16 +0530
Subject: [keycloak-dev] Retrieve SAMLResponse after login

Hello,

I need to retrieve SAMLResponse as is after login using Keycloak. I am able to retrieve SAMLPrincipal and other variables. But, I am not able to see the parameter "SAMLResponse".

What is the way to get it?
Thanks,
Krishna S

From sthorger at redhat.com Fri Apr 7 04:43:57 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 7 Apr 2017 10:43:57 +0200
Subject: [keycloak-dev] Retrieve SAMLResponse after login

Please use the user mailing list. This mailing list is for discussing Keycloak development. See keycloak.org for more details.

On 7 April 2017 at 10:09, Shiva Krishna wrote:
> Hello,
>
> I need to retrieve SAMLResponse as is after login using Keycloak. I
> am able to retrieve SAMLPrincipal and other variables. But, I am not
> able to see the parameter "SAMLResponse".
>
> What is the way to get it?
>
> Thanks,
> Krishna S

From thomas.darimont at googlemail.com Mon Apr 10 10:04:19 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 10 Apr 2017 16:04:19 +0200
Subject: [keycloak-dev] Support for passing custom attributes from authenticators to login pages

Hello group,

are there any plans to support custom attributes to be passed from authenticators to (login-) forms?

Concrete use-case is that I want to pass information from a custom OTP authenticator down to the login-totp.ftl template.

Would be helpful if it were possible to pass custom attributes to the create*Page(..) methods in org.keycloak.forms.login.LoginFormsProvider.

This would really ease customizations.

Other alternatives to pass data are:
- use some ThreadLocal storage within an Authenticator (set and clear) - but this feels more like a hack
- custom page template and population logic in a custom FreeMarkerLoginFormsProvider (quite involved...)
Cheers,
Thomas

From thomas.darimont at googlemail.com Mon Apr 10 11:35:27 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 10 Apr 2017 17:35:27 +0200
Subject: [keycloak-dev] Support for passing custom attributes from authenticators to login pages

FYI my current solution (ab)uses the attributes of the current HttpServletRequest to pass custom data down to the templates with a (small) adjustment of FreeMarkerLoginFormsProvider as shown below.

This is quite hacky but does its job until I find a better way to do this.

Within my custom Authenticator:

    private static final String MY_CUSTOM_ATTRIBUTE = "my_custom_attribute";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // the servlet request behind the current Keycloak session carries the value
        HttpServletRequest request =
                context.getSession().getContext().getContextObject(HttpServletRequest.class);
        try {
            request.setAttribute(MY_CUSTOM_ATTRIBUTE, "bubu");
            super.authenticate(context);
        } finally {
            // always remove it again so the value does not outlive this authenticator
            request.removeAttribute(MY_CUSTOM_ATTRIBUTE);
        }
    }

Small extension to the FreeMarkerLoginFormsProvider in "private Response createResponse(LoginFormsPages page)":

    ...
    HttpServletRequest currentHttpRequest =
            session.getContext().getContextObject(HttpServletRequest.class);
    if (currentHttpRequest != null) {
        // expose the request attributes to the FreeMarker template under one name
        attributes.put("currentRequestAttributes",
                new HttpServletRequestAttributesBean(currentHttpRequest));
    }
    ...

    import java.util.Collections;
    import java.util.HashMap;
    import java.util.Map;
    import javax.servlet.http.HttpServletRequest;

    public static class HttpServletRequestAttributesBean {

        private final HttpServletRequest request;

        public HttpServletRequestAttributesBean(HttpServletRequest request) {
            this.request = request;
        }

        public Object getAttribute(String name) {
            return this.request.getAttribute(name);
        }

        public Map<String, Object> getAttributes() {
            Map<String, Object> attributes = new HashMap<>();
            for (String name : Collections.list(request.getAttributeNames())) {
                attributes.put(name, request.getAttribute(name));
            }
            return attributes;
        }
    }

In my template login-totp.ftl:

    Custom value: ${currentRequestAttributes.getAttribute('my_custom_attribute')!'default'}

2017-04-10 16:04 GMT+02:00 Thomas Darimont:
> Hello group,
>
> are there any plans to support custom attributes to be passed from
> authenticators to (login-) forms?
>
> Concrete use-case is that I want to pass information
> from a custom OTP authenticator down to the login-totp.ftl template.
>
> Would be helpful if it were possible to pass custom attributes to the
> create*Page(..) methods in org.keycloak.forms.login.LoginFormsProvider.
>
> This would really ease customizations.
>
> Other alternatives to pass data are:
> - use some ThreadLocal storage within an Authenticator (set and clear) -
> but this feels more like a hack
> - custom page template and population logic in a custom
> FreeMarkerLoginFormsProvider (quite involved...)
>
> Cheers,
> Thomas

From mposolda at redhat.com Mon Apr 10 15:32:06 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 10 Apr 2017 21:32:06 +0200
Subject: [keycloak-dev] Support for passing custom attributes from authenticators to login pages

Hi Thomas,

the LoginFormsProvider has method "setAttribute". I think that in the authenticator, you can use something like

    context.form().setAttribute("foo", "bar");

when "context" is the AuthenticationFlowContext passed to the authenticator. Then in the template, the attribute "foo" can be directly referenced. Does it work for you?
Marek On 10/04/17 17:35, Thomas Darimont wrote: > FYI my current solution (ab)uses the attributes of the current > HttpServletRequest to pass custom > data down to the templates with a (small) adjustment of > FreeMarkerLoginFormsProvider as shown below. > > This is quite hacky but does it's job until I find a better way to do this. > > Within my custom Authenticator: > > private static final String MY_CUSTOM_ATTRIBUTE="my_custom_attribute"; > > @Override > public void authenticate(AuthenticationFlowContext context) { > HttpServletRequest request = > context.getSession().getContext().getContextObject(HttpServletRequest.class); > try { > request.setAttribute(MY_CUSTOM_ATTRIBUTE, "bubu"); > super.authenticate(context); > } finally { > request.removeAttribute(MY_CUSTOM_ATTRIBUTE); > } > } > > Small extension to the FreeMarkerLoginFormsProvider in "private Response > createResponse(LoginFormsPages page)": > ... > HttpServletRequest currentHttpRequest = > session.getContext().getContextObject(HttpServletRequest.class); > if (currentHttpRequest != null) { > attributes.put("currentRequestAttributes", new > HttpServletRequestAttributesBean(currentHttpRequest)); > } > ... 
> > public static class HttpServletRequestAttributesBean { > > private final HttpServletRequest request; > > public HttpServletRequestAttributesBean(HttpServletRequest request){ > this.request = request; > } > > public Object getAttribute(String name){ > return this.request.getAttribute(name); > } > > public Map getAttributes(){ > > Map attributes = new HashMap<>(); > for(String name : Collections.list(request.getAttributeNames())){ > attributes.put(name, request.getAttribute(name)); > } > > return attributes; > } > } > > In my template login-totp.ftl: > Custom value: > ${currentRequestAttributes.getAttribute('my_custom_attribute')!'default'} > > 2017-04-10 16:04 GMT+02:00 Thomas Darimont : > >> Hello group, >> >> are there any plans to support custom attributes to be passed from >> authenticators to (login-) forms? >> >> Concrete use-case is that I want to pass information >> from a custom OTP authenticator down to the login-totp.ftl template. >> >> Would be helpful if it were possible to pass custom attributes to the >> create*Page(..) methods in org.keycloak.forms.login.LoginFormsProvider. >> >> This would really ease customizations. >> >> Other alternatives to pass data are: >> - use some ThreadLocal storage within an Authenticator (set and clear) - >> but this feels more like a hack >> - custom page template and population logic in in a custom >> FreeMarkerLoginFormsProvider (quite involved...) 
>> >> Cheers, >> Thomas >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From thomas.darimont at googlemail.com Mon Apr 10 16:16:53 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 10 Apr 2017 22:16:53 +0200 Subject: [keycloak-dev] Support for passing custom attributes from authenticators to login pages In-Reply-To: References: Message-ID: Hi Marek, I totally missed that - thanks a ton :) Cheers, Thomas 2017-04-10 21:32 GMT+02:00 Marek Posolda : > Hi Thomas, > > the LoginFormsProvider has method "setAttribute" . I think that in the > authenticator, you can use something like > > context.form().setAttribute("foo", "bar"); > > when "context" is AuthenticationFlowContext passed to the authenticator. > Then in the template, the attribute "foo" can be directly referenced. Does > it working for you? > > Marek > > > On 10/04/17 17:35, Thomas Darimont wrote: > >> FYI my current solution (ab)uses the attributes of the current >> HttpServletRequest to pass custom >> data down to the templates with a (small) adjustment of >> FreeMarkerLoginFormsProvider as shown below. >> >> This is quite hacky but does it's job until I find a better way to do >> this. >> >> Within my custom Authenticator: >> >> private static final String MY_CUSTOM_ATTRIBUTE="my_custom_attribute"; >> >> @Override >> public void authenticate(AuthenticationFlowContext context) { >> HttpServletRequest request = >> context.getSession().getContext().getContextObject(HttpServl >> etRequest.class); >> try { >> request.setAttribute(MY_CUSTOM_ATTRIBUTE, "bubu"); >> super.authenticate(context); >> } finally { >> request.removeAttribute(MY_CUSTOM_ATTRIBUTE); >> } >> } >> >> Small extension to the FreeMarkerLoginFormsProvider in "private Response >> createResponse(LoginFormsPages page)": >> ... 
>> HttpServletRequest currentHttpRequest = >> session.getContext().getContextObject(HttpServletRequest.class); >> if (currentHttpRequest != null) { >> attributes.put("currentRequestAttributes", new >> HttpServletRequestAttributesBean(currentHttpRequest)); >> } >> ... >> >> public static class HttpServletRequestAttributesBean { >> >> private final HttpServletRequest request; >> >> public HttpServletRequestAttributesBean(HttpServletRequest request){ >> this.request = request; >> } >> >> public Object getAttribute(String name){ >> return this.request.getAttribute(name); >> } >> >> public Map getAttributes(){ >> >> Map attributes = new HashMap<>(); >> for(String name : Collections.list(request.getAttributeNames())){ >> attributes.put(name, request.getAttribute(name)); >> } >> >> return attributes; >> } >> } >> >> In my template login-totp.ftl: >> Custom value: >> ${currentRequestAttributes.getAttribute('my_custom_attribute >> ')!'default'} >> >> 2017-04-10 16:04 GMT+02:00 Thomas Darimont > m>: >> >> Hello group, >>> >>> are there any plans to support custom attributes to be passed from >>> authenticators to (login-) forms? >>> >>> Concrete use-case is that I want to pass information >>> from a custom OTP authenticator down to the login-totp.ftl template. >>> >>> Would be helpful if it were possible to pass custom attributes to the >>> create*Page(..) methods in org.keycloak.forms.login.LoginFormsProvider. >>> >>> This would really ease customizations. >>> >>> Other alternatives to pass data are: >>> - use some ThreadLocal storage within an Authenticator (set and clear) - >>> but this feels more like a hack >>> - custom page template and population logic in in a custom >>> FreeMarkerLoginFormsProvider (quite involved...) 
>>>
>>> Cheers,
>>> Thomas

From Martin.Plank at softec.sk Tue Apr 11 06:03:31 2017
From: Martin.Plank at softec.sk (Plank Martin)
Date: Tue, 11 Apr 2017 10:03:31 +0000
Subject: [keycloak-dev] Running keycloak behind web proxy

Hi all!

We're using Keycloak in a corporate environment where all external requests are blocked and must be sent via web proxy. Therefore the ReCAPTCHA and social identity providers (from version 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy host on Apache HttpClient, e.g. [1].

I would be interested in contributing this. But I'm new to Keycloak development, so I will appreciate any information that could help, specifically:

- What kind of automated tests do you expect to develop?
- Where should the proxy configuration be stored?

I have also submitted a Feature request with more information:
https://issues.jboss.org/browse/KEYCLOAK-4743

Thanks
Martin Plank

[1] https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java

From christian.polzer at kaufland.com Wed Apr 12 10:02:32 2017
From: christian.polzer at kaufland.com (christian.polzer at kaufland.com)
Date: Wed, 12 Apr 2017 16:02:32 +0200
Subject: [keycloak-dev] Keycloak 1.9.1: Theme: pass eventtype to eventlistener?

Hello,

I have implemented a custom EventListenerProvider to use with a custom registration form template ("login/register.ftl"). Now I am having problems distinguishing incoming events from the login.ftl, register.ftl and so on templates. As I understand it, in my EventListenerProvider the entry point is the implemented onEvent(Event event) method.
Unfortunately the events that get passed through from the template to the keycloak backend into my EventListenerProvider seem to be missing event type information:

Incoming Event is:
{
  "clientId": "internet-master-client",
  "details": {
    "auth_method": "openid-connect",
    "auth_type": "code",
    "code_id": "5ba2de19-e7f4-4274-9054-d71343c21c96",
    "email": "test at test.com",
    "redirect_uri": "https://www.test.com/",
    "username": "test at test.com"
  },
  "ipAddress": "...",
  "realmId": "users",
  "time": 1492001884000,
  "type": {"saveByDefault": true}, // type is not set?
  "userId": "b...."
}

This makes it impossible for me to distinguish between EventTypes and send Mail accordingly.

What am I missing (apart from being new to keycloak development)?

Regards,

Christian Polzer

Kind regards
Christian Polzer

Application Development NonSAP
+49 7132 94 920383

Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74172 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Register court: Stuttgart HRA 104163

From adam.williams at compositeapps.net Wed Apr 12 19:23:10 2017
From: adam.williams at compositeapps.net (Adam Williams)
Date: Wed, 12 Apr 2017 16:23:10 -0700
Subject: [keycloak-dev] Arabic Locale

Are there any plans to support the Arabic Locale setting?

Thanks,

Adam

From mposolda at redhat.com Thu Apr 13 04:09:29 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 13 Apr 2017 10:09:29 +0200
Subject: [keycloak-dev] Arabic Locale
Message-ID: <5e27060b-26ef-1ed0-9382-f44550c2b139@redhat.com>

Just if someone from the community contributes it and will be able to maintain it in the future ;)

Marek

On 13/04/17 01:23, Adam Williams wrote:
> Are there any plans to support the Arabic Locale setting?
>
> Thanks,
>
> Adam

From adam.williams at compositeapps.net Thu Apr 13 12:40:21 2017
From: adam.williams at compositeapps.net (Adam Williams)
Date: Thu, 13 Apr 2017 09:40:21 -0700
Subject: [keycloak-dev] Arabic Locale
In-Reply-To: <5e27060b-26ef-1ed0-9382-f44550c2b139@redhat.com>
References: <5e27060b-26ef-1ed0-9382-f44550c2b139@redhat.com>
Message-ID: <73C8FAED-F137-4A5D-9A9A-2ED3FA409D39@compositeapps.net>

What's the best way to accomplish this? Via themes? Does anything need to happen on the JBoss side?

Adam Williams

On Apr 13, 2017, at 1:09 AM, Marek Posolda wrote:

Just if someone from the community contributes it and will be able to maintain it in the future ;)

Marek

> On 13/04/17 01:23, Adam Williams wrote:
> Are there any plans to support the Arabic Locale setting?
>
> Thanks,
>
> Adam

From telekomunikacije at gmail.com Thu Apr 13 17:45:26 2017
From: telekomunikacije at gmail.com (Gorazd)
Date: Thu, 13 Apr 2017 23:45:26 +0200
Subject: [keycloak-dev] Keycloak and FreeIPA through certificates

Hi there,

I am interested: is there any solution planned for this issue:
https://issues.jboss.org/browse/KEYCLOAK-3368

Is it not needed to solve, or does a better option exist for users to authenticate with certificates to Keycloak while having FreeIPA as an IdM/IdP?
Regards,
Gorazd

From mposolda at redhat.com Tue Apr 18 03:09:15 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 18 Apr 2017 09:09:15 +0200
Subject: [keycloak-dev] Arabic Locale
In-Reply-To: <73C8FAED-F137-4A5D-9A9A-2ED3FA409D39@compositeapps.net>
References: <5e27060b-26ef-1ed0-9382-f44550c2b139@redhat.com> <73C8FAED-F137-4A5D-9A9A-2ED3FA409D39@compositeapps.net>
Message-ID: <422a058b-22b3-02a5-2088-485674c987fe@redhat.com>

Yes, via themes and properties files inside the themes. See docs for more details:
https://keycloak.gitbooks.io/documentation/content/server_development/topics/themes.html

Marek

On 13/04/17 18:40, Adam Williams wrote:
> What's the best way to accomplish this? Via themes? Does anything need to happen on the JBoss side?
>
> Adam Williams
>
> On Apr 13, 2017, at 1:09 AM, Marek Posolda wrote:
>
> Just if someone from the community contributes it and will be able to maintain it in the future ;)
>
> Marek
>
>> On 13/04/17 01:23, Adam Williams wrote:
>> Are there any plans to support the Arabic Locale setting?
>>
>> Thanks,
>>
>> Adam

From sthorger at redhat.com Tue Apr 18 09:01:32 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Apr 2017 15:01:32 +0200
Subject: [keycloak-dev] Arabic Locale
In-Reply-To: <422a058b-22b3-02a5-2088-485674c987fe@redhat.com>
References: <5e27060b-26ef-1ed0-9382-f44550c2b139@redhat.com> <73C8FAED-F137-4A5D-9A9A-2ED3FA409D39@compositeapps.net> <422a058b-22b3-02a5-2088-485674c987fe@redhat.com>

Take a look at https://github.com/keycloak/keycloak/pull/3885. That's a PR for Swedish translation.

Arabic would be interesting as we only have left-to-right languages at the moment. For Arabic I'm not sure it would be as simple as adding the message bundles due to it being right-to-left.
As Marek mentioned, we do not do any languages other than English ourselves. Everything else is purely contributed and maintained by the community.

On 18 April 2017 at 09:09, Marek Posolda wrote:
> Yes, via themes and properties files inside the themes. See docs for
> more details:
> https://keycloak.gitbooks.io/documentation/content/server_development/topics/themes.html
>
> Marek
>
> On 13/04/17 18:40, Adam Williams wrote:
> > What's the best way to accomplish this? Via themes? Does anything need
> to happen on the JBoss side?
> >
> > Adam Williams
> >
> > On Apr 13, 2017, at 1:09 AM, Marek Posolda wrote:
> >
> > Just if someone from the community contributes it and will be able to
> maintain it in the future ;)
> >
> > Marek
> >
> >> On 13/04/17 01:23, Adam Williams wrote:
> >> Are there any plans to support the Arabic Locale setting?
> >>
> >> Thanks,
> >>
> >> Adam

From sthorger at redhat.com Tue Apr 18 09:05:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Apr 2017 15:05:56 +0200
Subject: [keycloak-dev] Running keycloak behind web proxy

The configuration should be on the default HttpClient provider [1], configured through standalone.xml. Documentation is [2].

We'd need some way of automating tests for it. Honestly, I don't know what that would look like. Maybe it could be achieved with a dummy proxy that allows checking what requests were made to it.
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/connections/httpclient/DefaultHttpClientFactory.java
[2] https://keycloak.gitbooks.io/documentation/server_installation/topics/network/outgoing.html

On 11 April 2017 at 12:03, Plank Martin wrote:
> Hi all!
>
> We're using Keycloak in a corporate environment where all external
> requests are blocked and must be sent via web proxy.
> Therefore the ReCAPTCHA and social identity providers (from version
> 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy host
> on Apache HttpClient, e.g. [1].
>
> I would be interested in contributing this. But I'm new to Keycloak
> development, so I will appreciate any information that could help,
> specifically:
>
> - What kind of automated tests do you expect to develop?
>
> - Where should the proxy configuration be stored?
>
> I have also submitted a Feature request with more information:
> https://issues.jboss.org/browse/KEYCLOAK-4743
>
> Thanks
> Martin Plank
>
> [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java

From sthorger at redhat.com Tue Apr 18 09:06:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Apr 2017 15:06:39 +0200
Subject: [keycloak-dev] Keycloak 1.9.1: Theme: pass eventtype to eventlistener?

This list is for development of Keycloak itself. Please use the user mailing list for help.

On 12 April 2017 at 16:02, wrote:
>
> Hello,
>
> I have implemented a custom EventListenerProvider to use with a custom
> registration form template ("login/register.ftl").
> Now I am having problems distinguishing incoming events from the login.ftl,
> register.ftl and so on templates.
> As I understand it, in my
> EventListenerProvider the entry point is the implemented onEvent(Event
> event) method.
>
> Unfortunately the events that get passed through from the template to the
> keycloak backend into my EventListenerProvider seem to be missing event
> type information:
> Incoming Event is:
> {
>   "clientId": "internet-master-client",
>   "details": {
>     "auth_method": "openid-connect",
>     "auth_type": "code",
>     "code_id": "5ba2de19-e7f4-4274-9054-d71343c21c96",
>     "email": "test at test.com",
>     "redirect_uri": "https://www.test.com/",
>     "username": "test at test.com"
>   },
>   "ipAddress": "...",
>   "realmId": "users",
>   "time": 1492001884000,
>   "type": {"saveByDefault": true}, // type is not set?
>   "userId": "b...."
> }
>
> This makes it impossible for me to distinguish between EventTypes and send
> Mail accordingly.
>
> What am I missing (apart from being new to keycloak development)?
>
> Regards,
>
> Christian Polzer
>
> Kind regards
> Christian Polzer
>
> Application Development NonSAP
> +49 7132 94 920383
>
> Kaufland Informationssysteme GmbH & Co. KG
> P.O. Box 12 53 - 74172 Neckarsulm
> Limited partnership
> Registered office: Neckarsulm
> Register court: Stuttgart HRA 104163

From bburke at redhat.com Tue Apr 18 10:54:43 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 18 Apr 2017 10:54:43 -0400
Subject: [keycloak-dev] Running keycloak behind web proxy

We gotta figure out if there is anything we can do out of the box to help with this. There's just so many questions on this and we're continually referencing docs to people.

On 4/18/17 9:05 AM, Stian Thorgersen wrote:
> The configuration should be on the default HttpClient provider [1],
> configured through standalone.xml. Documentation is [2].
>
> We'd need some way of automating tests for it.
Honestly, I don't know how > that would look like. Maybe it could be achieved with a dummy proxy that > allows checking what requests was made to it. > > [1] > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/connections/httpclient/DefaultHttpClientFactory.java > [2] > https://keycloak.gitbooks.io/documentation/server_installation/topics/network/outgoing.html > > On 11 April 2017 at 12:03, Plank Martin wrote: > >> Hi all! >> >> We're using Keycloak in a corporate environment where all external >> requests are blocked and must be sent via web proxy. >> Therefore the ReCAPTCHA and social identity providers (from version >> 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy host >> on Apache HttpClient, e.g. [1]. >> >> I would be interested in contributing this. But I'm new to Keycloak >> development, so I will appreciate any information that could help, >> specifically: >> >> - What kind of automated tests do you expect to develop? >> >> - Where shoud be the proxy configuration stored? 
>> >> I have also submitted a Feature request with more information: >> https://issues.jboss.org/browse/KEYCLOAK-4743 >> >> Thanks >> Martin Plank >> >> [1] https://hc.apache.org/httpcomponents-client-ga/ >> httpclient/examples/org/apache/http/examples/client/ >> ClientExecuteProxy.java >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bartosz at redhat.com Tue Apr 18 11:26:20 2017 From: bartosz at redhat.com (Bartosz Majsak) Date: Tue, 18 Apr 2017 17:26:20 +0200 Subject: [keycloak-dev] jgroups / infinispan exception while doing load tests - causing cluster to stop working Message-ID: Hi, we are running series of performance tests for our cluster KeyCloak setup and we have encountered some pretty low level exception with jgroups/infinispan. TL;DR; version - we are performing 450 req/sec over the period of 30 minutes - we doing simple GET calls - getting access token from auth/realms/test/protocol/openid-connect/token - at some point inifinispan / jgroups fails and we have to restart the whole cluster. The exception seems to be very low level [1] For the longer version we have captured our results in the Google doc [2] (access for Red Hat only at the moment) Any ideas / suggestion how to troubleshoot this problem more than welcome :) Cheers, Bartosz. [1] https://gist.github.com/hectorj2f/5cbd98fadeba019dc94af08219183640#file-logs_broken_pod-L220 [2] https://docs.google.com/a/redhat.com/document/d/1gcuQbEL2ZTiVcmy39EFMVV9fZxCaS3Oj6ikKZHk9q18/edit?usp=sharing ? 
From thomas.darimont at googlemail.com Tue Apr 18 11:56:25 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 18 Apr 2017 17:56:25 +0200
Subject: [keycloak-dev] Generated standalone-ha.xml seems to be wrong
Message-ID:

Hello group,

I just built a keycloak distribution from current master (last commit e54c1d7de) and got an error when I tried to run the standalone-ha.xml variant via bin/standalone.sh -c standalone-ha.xml. It seems that the infinispan configuration is not generated correctly - error shown below.

The standalone.xml variant works though.

Cheers,
Thomas

$ bin/standalone.sh -c standalone-ha.xml
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/tom/dev/playground/keycloak/keycloak-3.1.0.CR1-SNAPSHOT

  JAVA: /usr/lib/jvm/java-8-oracle/bin/java

  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

16:50:24,683 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
16:50:24,866 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
16:50:24,928 INFO  [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) starting
16:50:25,473 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[229,17]
Message: WFLYCTL0133: Missing required attribute(s): MODE
    at org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:161) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseReplicatedCache(InfinispanSubsystemXMLReader.java:366)
    at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseContainer(InfinispanSubsystemXMLReader.java:195)
    at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:75)
    at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:53)
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
    ... 3 more
16:50:25,475 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
16:50:25,477 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
16:50:25,492 INFO  [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) stopped in 11ms

From thomas.darimont at googlemail.com Tue Apr 18 12:00:11 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 18 Apr 2017 18:00:11 +0200
Subject: [keycloak-dev] Generated standalone-ha.xml seems to be wrong
In-Reply-To:
References:
Message-ID:

The relevant lines from standalone-ha.xml file:
229:
230:
231:

2017-04-18 17:56 GMT+02:00 Thomas Darimont :

> Hello group,
>
> I just built a keycloak distribution from current master (last commit
> e54c1d7de)
> and got an error when I tried to run the standalone-ha.xml variant via
> bin/standalone.sh -c standalone-ha.xml.
> It seems that the infinispan configuration is not generated correctly -
> error shown below.
>
> The standalone.xml variant works though.
>
> Cheers,
> Thomas
>
> $ bin/standalone.sh -c standalone-ha.xml
> =========================================================================
>
>   JBoss Bootstrap Environment
>
>   JBOSS_HOME: /home/tom/dev/playground/keycloak/keycloak-3.1.0.CR1-SNAPSHOT
>
>   JAVA: /usr/lib/jvm/java-8-oracle/bin/java
>
>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>
> =========================================================================
>
> 16:50:24,683 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> 16:50:24,866 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 16:50:24,928 INFO  [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) starting
> 16:50:25,473 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[229,17]
> Message: WFLYCTL0133: Missing required attribute(s): MODE
>     at org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:161) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseReplicatedCache(InfinispanSubsystemXMLReader.java:366)
>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseContainer(InfinispanSubsystemXMLReader.java:195)
>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:75)
>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:53)
>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>     ... 3 more
>
> 16:50:25,475 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> 16:50:25,477 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> 16:50:25,492 INFO  [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) stopped in 11ms
>

From thomas.darimont at googlemail.com Tue Apr 18 12:09:10 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 18 Apr 2017 18:09:10 +0200
Subject: [keycloak-dev] Generated standalone-ha.xml seems to be wrong
In-Reply-To:
References:
Message-ID:

It seems that the cache configuration elements are missing a mode attribute.

I managed to start Keycloak standalone-ha.xml with the following (dummy) settings.

Cheers,
Thomas

2017-04-18 18:00 GMT+02:00 Thomas Darimont :

> The relevant lines from standalone-ha.xml file:
> 229:
> 230:
> 231:
>
> 2017-04-18 17:56 GMT+02:00 Thomas Darimont :
>
>> Hello group,
>>
>> I just built a keycloak distribution from current master (last commit
>> e54c1d7de)
>> and got an error when I tried to run the standalone-ha.xml variant via
>> bin/standalone.sh -c standalone-ha.xml.
>> It seems that the infinispan configuration is not generated correctly -
>> error shown below.
>>
>> The standalone.xml variant works though.
>>
>> Cheers,
>> Thomas
>>
>> $ bin/standalone.sh -c standalone-ha.xml
>> =========================================================================
>>
>>   JBoss Bootstrap Environment
>>
>>   JBOSS_HOME: /home/tom/dev/playground/keycloak/keycloak-3.1.0.CR1-SNAPSHOT
>>
>>   JAVA: /usr/lib/jvm/java-8-oracle/bin/java
>>
>>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>>
>> =========================================================================
>>
>> 16:50:24,683 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
>> 16:50:24,866 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>> 16:50:24,928 INFO  [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) starting
>> 16:50:25,473 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[229,17]
>> Message: WFLYCTL0133: Missing required attribute(s): MODE
>>     at org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:161) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseReplicatedCache(InfinispanSubsystemXMLReader.java:366)
>>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseContainer(InfinispanSubsystemXMLReader.java:195)
>>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:75)
>>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:53)
>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>>     at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>>     at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
>>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
>>     ... 3 more
>>
>> 16:50:25,475 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>> 16:50:25,477 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
>> 16:50:25,492 INFO  [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) stopped in 11ms
>>
>

From Shankar_Bhaskaran at infosys.com Wed Apr 19 01:30:02 2017
From: Shankar_Bhaskaran at infosys.com (Shankar_Bhaskaran)
Date: Wed, 19 Apr 2017 05:30:02 +0000
Subject: [keycloak-dev] Accessing javascript and css files from an iframe.
Message-ID: <8ece886bf6824158be89b36edb0e8b73@CHNSHLMBX33.ad.infosys.com>

Hi,

We have secured our jbpm application behind keycloak using keycloakloginmodule. We have a requirement where we get a link to an html page as response to a rest call. This link is put inside an iframe to load. Even though the html is rendered we are getting a http 302 response for all the calls to the css and javascript files.

Just to be more clear, we are calling a rest service, getting the response and getting the form url from the response. We are packaging that in an iframe and populating a div in the html page. Now the entire html page is inside another iframe. On loading the page, all the requests to css and js stop with http 302 status.
    if (status == 'SUCCESS') {
        var formURL = xmlDoc.getElementsByTagName("formUrl");
        if (formURL && formURL.length > 0 && formURL[0].childNodes.length > 0) {
            this.formURL = formURL[0].childNodes[0].nodeValue;
            var iFrameFormUrl = this.formURL + "&packageName=" + params[0] + "&taskName=" + params[1] + "&processDefinitionId=" + params[2] + "&processInstanceId=" + params[3] + "&userId=" + params[4];
            var html = "";
            var targetDiv = document.getElementById(this.containerId);
            targetDiv.innerHTML = html;
            if (successCallback) successCallback(responseText);
            return;
        }

Is there any solution for this?

Regards,
Shankar

From sthorger at redhat.com Wed Apr 19 02:36:51 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 19 Apr 2017 08:36:51 +0200
Subject: [keycloak-dev] Generated standalone-ha.xml seems to be wrong
In-Reply-To:
References:
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-4764

It's probably my fault so I'll look into it

On 18 April 2017 at 18:09, Thomas Darimont wrote:

> It seems that the cache configuration elements are missing a mode
> attribute.
>
> I managed to start Keycloak standalone-ha.xml with the following (dummy)
> settings.
>
> mode="SYNC">
> mode="ASYNC">
> mode="ASYNC">
> mode="ASYNC">
> mode="SYNC">
>
> Cheers,
> Thomas
>
> 2017-04-18 18:00 GMT+02:00 Thomas Darimont :
>
> > The relevant lines from standalone-ha.xml file:
> > 229:
> > 230:
> > 231:
> >
> > 2017-04-18 17:56 GMT+02:00 Thomas Darimont :
> >
> >> Hello group,
> >>
> >> I just built a keycloak distribution from current master (last commit
> >> e54c1d7de)
> >> and got an error when I tried to run the standalone-ha.xml variant via
> >> bin/standalone.sh -c standalone-ha.xml.
> >> It seems that the infinispan configuration is not generated correctly -
> >> error shown below.
> >>
> >> The standalone.xml variant works though.
> >>
> >> Cheers,
> >> Thomas
> >>
> >> $ bin/standalone.sh -c standalone-ha.xml
> >> =========================================================================
> >>
> >>   JBoss Bootstrap Environment
> >>
> >>   JBOSS_HOME: /home/tom/dev/playground/keycloak/keycloak-3.1.0.CR1-SNAPSHOT
> >>
> >>   JAVA: /usr/lib/jvm/java-8-oracle/bin/java
> >>
> >>   JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> >>
> >> =========================================================================
> >>
> >> 16:50:24,683 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> >> 16:50:24,866 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> >> 16:50:24,928 INFO  [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) starting
> >> 16:50:25,473 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
> >>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
> >>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
> >> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[229,17]
> >> Message: WFLYCTL0133: Missing required attribute(s): MODE
> >>     at org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:161) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseReplicatedCache(InfinispanSubsystemXMLReader.java:366)
> >>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseContainer(InfinispanSubsystemXMLReader.java:195)
> >>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:75)
> >>     at org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:53)
> >>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
> >>     at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
> >>     at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) [wildfly-server-2.0.10.Final.jar:2.0.10.Final]
> >>     at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
> >>     at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
> >>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
> >>     ... 3 more
> >>
> >> 16:50:25,475 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> >> 16:50:25,477 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> >> 16:50:25,492 INFO  [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) stopped in 11ms
> >>
> >>
> >
>

From sthorger at redhat.com Wed Apr 19 02:45:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 19 Apr 2017 08:45:50 +0200
Subject: [keycloak-dev] jgroups / infinispan exception while doing load tests - causing cluster to stop working
In-Reply-To:
References:
Message-ID:

Did you ask on Infinispan mailing lists? Or #infinispan?

On 18 April 2017 at 17:26, Bartosz Majsak wrote:

> Hi,
>
> we are running a series of performance tests for our cluster KeyCloak setup
> and we have encountered some pretty low level exception with
> jgroups/infinispan.
>
> TL;DR; version
>
> - we are performing 450 req/sec over the period of 30 minutes
> - we are doing simple GET calls - getting access token from
> auth/realms/test/protocol/openid-connect/token
> - at some point infinispan / jgroups fails and we have to restart the
> whole cluster. The exception seems to be very low level [1]
>
> For the longer version we have captured our results in the Google doc [2]
> (access for Red Hat only at the moment)
>
> Any ideas / suggestions how to troubleshoot this problem more than welcome
> :)
>
> Cheers,
> Bartosz.
>
> [1] https://gist.github.com/hectorj2f/5cbd98fadeba019dc94af08219183640#file-logs_broken_pod-L220
> [2] https://docs.google.com/a/redhat.com/document/d/1gcuQbEL2ZTiVcmy39EFMVV9fZxCaS3Oj6ikKZHk9q18/edit?usp=sharing
>

From sthorger at redhat.com Wed Apr 19 02:50:08 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 19 Apr 2017 08:50:08 +0200
Subject: [keycloak-dev] Running keycloak behind web proxy
In-Reply-To:
References:
Message-ID:

This is a different case. This is when Keycloak can't communicate to the outside world unless it talks through a web proxy/firewall.

But, yes it would be nice to make it simpler for those that are using a reverse proxy in front of Keycloak. Not sure we can though. The proxy has to be configured correctly and it's not always trivial. We also have to have the configuration option in Keycloak disabled by default as otherwise it would allow sending fake X-Forwarded-.. headers to fake the remote IP address.

We can certainly improve docs around it though as they are not straightforward and quite hidden.

On 18 April 2017 at 16:54, Bill Burke wrote:

> We gotta figure out if there is anything we can do out of the box to
> help with this. There's just so many questions on this and we're
> continually referencing docs to people.
>
>
> On 4/18/17 9:05 AM, Stian Thorgersen wrote:
> > The configuration should be on the default HttpClient provider [1],
> > configured through standalone.xml. Documentation is [2].
> >
> > We'd need some way of automating tests for it. Honestly, I don't know what
> > that would look like. Maybe it could be achieved with a dummy proxy that
> > allows checking what requests were made to it.
> >
> > [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/connections/httpclient/DefaultHttpClientFactory.java
> > [2] https://keycloak.gitbooks.io/documentation/server_installation/topics/network/outgoing.html
> >
> > On 11 April 2017 at 12:03, Plank Martin wrote:
> >
> >> Hi all!
> >>
> >> We're using Keycloak in a corporate environment where all external
> >> requests are blocked and must be sent via web proxy.
> >> Therefore the ReCAPTCHA and social identity providers (from version
> >> 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy
> host
> >> on Apache HttpClient, e.g. [1].
> >>
> >> I would be interested in contributing this. But I'm new to Keycloak
> >> development, so I will appreciate any information that could help,
> >> specifically:
> >>
> >> - What kind of automated tests do you expect to develop?
> >>
> >> - Where should the proxy configuration be stored?
> >>
> >> I have also submitted a Feature request with more information:
> >> https://issues.jboss.org/browse/KEYCLOAK-4743
> >>
> >> Thanks
> >> Martin Plank
> >>
> >> [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java
> >>
> >>
> >
>

From sthorger at redhat.com Wed Apr 19 08:52:57 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 19 Apr 2017 14:52:57 +0200
Subject: [keycloak-dev] Keycloak 3.1.0.CR1
coming up Message-ID: Keycloak 3.1.0.CR1 is scheduled to be released on Wed next week (26th April). From pkboucher801 at gmail.com Wed Apr 19 14:53:57 2017 From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Wed, 19 Apr 2017 14:53:57 -0400 Subject: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties? In-Reply-To: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> References: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> Message-ID: <000001d2b93e$4cdd05f0$e69711d0$@gmail.com> Is my question interesting to anyone on this list? Any anyone steer me to the right docs? Do we need to write lots of custom code for this sort of thing? From: Peter K. Boucher [mailto:pkboucher801 at gmail.com] Sent: Monday, April 3, 2017 6:25 AM To: keycloak-dev at lists.jboss.org Cc: Jyoti Kumar Singh (US - Bengaluru) Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties? Sorry if this came through twice. I think there was an error the first time I sent it. Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs). Can we (and if so, how best would we) use openid scope to * Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles? * Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both of the quantum_singularity and/or borg_cube roles for the duration of a session? 
I think I gathered from this thread (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers and/or practical guidance for how best to do these two things.

Thanks!

From sthorger at redhat.com Thu Apr 20 02:08:52 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 20 Apr 2017 08:08:52 +0200
Subject: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
In-Reply-To: <000001d2b93e$4cdd05f0$e69711d0$@gmail.com>
References: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> <000001d2b93e$4cdd05f0$e69711d0$@gmail.com>
Message-ID:

This is not the list to use for help. This list is only for discussing development of Keycloak itself. Please use the user mailing list

On 19 April 2017 at 20:53, Peter K. Boucher wrote:

> Is my question interesting to anyone on this list? Can anyone steer me to the right docs? Do we need to write lots of custom code for this sort of thing?
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Monday, April 3, 2017 6:25 AM
> To: keycloak-dev at lists.jboss.org
> Cc: Jyoti Kumar Singh (US - Bengaluru)
> Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
>
> Sorry if this came through twice. I think there was an error the first time I sent it.
>
> Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs).
>
> Can we (and if so, how best would we) use openid scope to
>
> * Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles?
>
> * Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both of the quantum_singularity and/or borg_cube roles for the duration of a session?
>
> I think I gathered from this thread (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers and/or practical guidance for how best to do these two things.
>
> Thanks!

From pkboucher801 at gmail.com Thu Apr 20 07:50:31 2017
From: pkboucher801 at gmail.com (Peter K. Boucher)
Date: Thu, 20 Apr 2017 07:50:31 -0400
Subject: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
In-Reply-To:
References: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> <000001d2b93e$4cdd05f0$e69711d0$@gmail.com>
Message-ID: <000901d2b9cc$5003a9d0$f00afd70$@gmail.com>

You seem to be saying that there would be no development needed of Keycloak itself to make this happen.

That's good news for me.

Thanks!

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, April 20, 2017 2:09 AM
To: Peter K. Boucher
Cc: keycloak-dev ; Jyoti Kumar Singh (US - Bengaluru)
Subject: Re: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

This is not the list to use for help. This list is only for discussing development of Keycloak itself.
Please use the user mailing list

On 19 April 2017 at 20:53, Peter K. Boucher wrote:

Is my question interesting to anyone on this list? Can anyone steer me to the right docs? Do we need to write lots of custom code for this sort of thing?

From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
Sent: Monday, April 3, 2017 6:25 AM
To: keycloak-dev at lists.jboss.org
Cc: Jyoti Kumar Singh (US - Bengaluru)
Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Sorry if this came through twice. I think there was an error the first time I sent it.

Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs).

Can we (and if so, how best would we) use openid scope to

* Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles?

* Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both of the quantum_singularity and/or borg_cube roles for the duration of a session?

I think I gathered from this thread (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers and/or practical guidance for how best to do these two things.

Thanks!
From sthorger at redhat.com Thu Apr 20 09:36:28 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 20 Apr 2017 15:36:28 +0200
Subject: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
In-Reply-To: <000901d2b9cc$5003a9d0$f00afd70$@gmail.com>
References: <004701d2ac64$7ec93bb0$7c5bb310$@gmail.com> <000001d2b93e$4cdd05f0$e69711d0$@gmail.com> <000901d2b9cc$5003a9d0$f00afd70$@gmail.com>
Message-ID:

I didn't say that.. Didn't sound like you were discussing development/contribution of code though.

On 20 April 2017 at 13:50, Peter K. Boucher wrote:

> You seem to be saying that there would be no development needed of Keycloak itself to make this happen.
>
> That's good news for me.
>
> Thanks!
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Thursday, April 20, 2017 2:09 AM
> *To:* Peter K. Boucher
> *Cc:* keycloak-dev ; Jyoti Kumar Singh (US - Bengaluru)
> *Subject:* Re: [keycloak-dev] Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
>
> This is not the list to use for help. This list is only for discussing development of Keycloak itself. Please use the user mailing list
>
> On 19 April 2017 at 20:53, Peter K. Boucher wrote:
>
> Is my question interesting to anyone on this list? Can anyone steer me to the right docs? Do we need to write lots of custom code for this sort of thing?
>
> From: Peter K. Boucher [mailto:pkboucher801 at gmail.com]
> Sent: Monday, April 3, 2017 6:25 AM
> To: keycloak-dev at lists.jboss.org
> Cc: Jyoti Kumar Singh (US - Bengaluru)
> Subject: Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
>
> Sorry if this came through twice.
> I think there was an error the first time I sent it.
>
> Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs).
>
> Can we (and if so, how best would we) use openid scope to
>
> * Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles?
>
> * Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both of the quantum_singularity and/or borg_cube roles for the duration of a session?
>
> I think I gathered from this thread (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers and/or practical guidance for how best to do these two things.
>
> Thanks!

From Chris.Rains at jtv.com Thu Apr 20 10:57:49 2017
From: Chris.Rains at jtv.com (Rains, Chris)
Date: Thu, 20 Apr 2017 14:57:49 +0000
Subject: [keycloak-dev] NullPointerException with empty attribute
Message-ID: <2021E96B-E8C4-4667-9A1D-47D72D4DC539@jtv.com>

Hi,

I'm seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value.
Here's a snippet of the stack trace:

Caused By: java.lang.NullPointerException
    at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
    at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
    at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
    at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
    at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
    at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
    at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
    at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)

Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType. Therefore, I think we would just need to add a null check at the beginning of convertToType:

if (attributeValue == null) return null;

Would this be a reasonable solution?

Thanks!
- Chris Rains

From sthorger at redhat.com Fri Apr 21 03:59:58 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 21 Apr 2017 09:59:58 +0200
Subject: [keycloak-dev] NullPointerException with empty attribute
In-Reply-To: <2021E96B-E8C4-4667-9A1D-47D72D4DC539@jtv.com>
References: <2021E96B-E8C4-4667-9A1D-47D72D4DC539@jtv.com>
Message-ID:

Please use the user mailing list for help or to report issues. This list is only to discuss development of Keycloak.

On 20 April 2017 at 16:57, Rains, Chris wrote:

> Hi,
>
> I'm seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value.
> Here's a snippet of the stack trace:
>
> Caused By: java.lang.NullPointerException
>     at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
>     at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
>     at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
>     at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
>     at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
>     at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
>     at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
>     at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)
>
> Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType. Therefore, I think we would just need to add a null check at the beginning of convertToType:
>
> if (attributeValue == null) return null;
>
> Would this be a reasonable solution?
>
> Thanks!
> - Chris Rains

From sthorger at redhat.com Fri Apr 21 05:09:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 21 Apr 2017 11:09:56 +0200
Subject: [keycloak-dev] Removing providers directory
Message-ID:

I'm planning on removing the providers directory. Any objections?

At the moment we have 3 approaches to deploy custom providers:

* 'deployments' dir
* 'providers' dir
* module

The deployments and providers are similar, but deployments is much nicer and more powerful.
So we should just remove the providers directory. Modules need to stay at least for now as that is the only way to deploy custom SPIs.

From alexander.schwartz at gmx.net Fri Apr 21 10:53:57 2017
From: alexander.schwartz at gmx.net (Alexander Schwartz)
Date: Fri, 21 Apr 2017 16:53:57 +0200
Subject: [keycloak-dev] [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file
In-Reply-To:
References:
Message-ID:

Hi keycloak developers,

I like this idea to be able to disable keycloak with a property. It would be useful in the keycloak-spring projects that I've seen

The convention with other libraries is usually to add a property like

keycloak.enabled=false

to the spring boot configuration file and a

@ConditionalOnProperty(value = "keycloak.enabled", matchIfMissing = true)

to the spring autoconfiguration.

What do you think? If this is OK-ed, I'll open a JIRA and prepare a PR.

Thanks,
Alexander

On 10.03.2017 at 16:49, Pavel Maslov wrote:
> Hi all,
>
> Sometimes (for testing purposes) I need to disable keycloak security
>
> Is it possible to do so via application.properties file? Right now apart from the properties file I also have to comment out these dependencies and rebuild the project:
>
> compile 'org.keycloak:keycloak-spring-boot-adapter:2.5.1.Final'
> compile 'org.keycloak:keycloak-tomcat8-adapter:2.5.1.Final'
>
> Regards,
> Pavel Maslov, MS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

From sblanc at redhat.com Sat Apr 22 03:10:34 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 22 Apr 2017 09:10:34 +0200
Subject: [keycloak-dev] [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file
In-Reply-To:
References:
Message-ID:

Sure ! Go for it !
On Fri, Apr 21, 2017 at 4:53 PM, Alexander Schwartz <alexander.schwartz at gmx.net> wrote:

> Hi keycloak developers,
>
> I like this idea to be able to disable keycloak with a property. It would be useful in the keycloak-spring projects that I've seen
>
> The convention with other libraries is usually to add a property like
>
> keycloak.enabled=false
>
> to the spring boot configuration file and a
>
> @ConditionalOnProperty(value = "keycloak.enabled", matchIfMissing = true)
>
> to the spring autoconfiguration.
>
> What do you think? If this is OK-ed, I'll open a JIRA and prepare a PR.
>
> Thanks,
> Alexander
>
> On 10.03.2017 at 16:49, Pavel Maslov wrote:
> > Hi all,
> >
> > Sometimes (for testing purposes) I need to disable keycloak security
> >
> > Is it possible to do so via application.properties file? Right now apart from the properties file I also have to comment out these dependencies and rebuild the project:
> >
> > compile 'org.keycloak:keycloak-spring-boot-adapter:2.5.1.Final'
> > compile 'org.keycloak:keycloak-tomcat8-adapter:2.5.1.Final'
> >
> > Regards,
> > Pavel Maslov, MS
>
> --
> Alexander Schwartz (alexander.schwartz at gmx.net)
> http://www.ahus1.de

From thomas.darimont at googlemail.com Sat Apr 22 06:34:27 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Sat, 22 Apr 2017 12:34:27 +0200
Subject: [keycloak-dev] Step-up Authentication for Keycloak
Message-ID:

Hello guys,

(longish email)

I have an idea how step up authentication could work with Keycloak that I'd like to share.
Summary:
Clients require certain authentication steps by using scopes linked to authenticators. An authenticator would only be executed if its scope is present. An application can detect the current authentication level by inspecting the OIDC token or SAML assertions and request additional authentication if necessary.

All that with (IMHO) a few little additions to Keycloak.

Idea:
The main idea is to have a new option 'Scope Param Required' for authenticators as there is for Roles. If 'Scope Param Required' is "On" then the authenticator is only executed if the scope parameter in the login URL contains the authenticator provider id, e.g. 'auth-otp-form'.

On the client / adapter side there could be a new configuration property like 'additional-scopes' to specify a required authentication scope. Optionally there could be an additional property 'required-claims: auth-otp-form=true' to indicate that a user can only access the app if the given claim is present.

Authenticators could also by default emit a 'User session note' with the provider id to indicate that they were executed, e.g. "auth-otp-form: true". This could then be mapped via a protocol mapper into an OIDC token / SAML response. (for OIDC one could also configure an ACR level that is provided by an authenticator, but this wouldn't help for SAML)

With this clients could detect the executed authenticators based on the claims in the OIDC token (or ACR value) or SAML assertions and trigger reauthentication if necessary, e.g. by sending a redirect to the '/auth' URL with parameters 'prompt=login' and 'scope=openid+auth-otp-form'.

Example Scenario (OIDC):
In realm 'acme' we have two clients 'A' and 'B'. To access 'A' username/password authentication is enough, but for 'B' one needs to provide an additional factor, e.g. an OTP token or code via SMS.
The auth-otp-form authenticator is configured with 'Scope Param Required=On'
B's adapter config contains 'additional-scopes: auth-otp-form'

First the user accesses 'A' and authenticates with username-password. Then the user tries to access 'B'. 'B' detects that the current OIDC (access/ID) token doesn't contain the required claim 'auth-otp-form'. Thus it sends a redirect as mentioned above, e.g.:

http://localhost:8081/auth/realms/acme/protocol/openid-connect/auth?client_id=B&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Facme%2FB%2Flogin-redirect&state=0%2F1fa9fb6b-8ac9-4f4d-ac98-beb0c3548271&response_type=code&scope=openid+auth-otp-form&prompt=login

Keycloak would now detect that it needs to execute the OTPForm authenticator based on the scope parameter auth-otp-form which will prompt the user for OTP input.

Note that the user still would need to provide his username/password. If one would be able to skip that (since the user is already authenticated via username/password) one could think of an additional parameter like 'auth_mode=step_up' to signal Keycloak that it should only verify credentials that have not yet been checked.

In this case it would skip the username / password authenticator and jump to the OTP form.

What do you think?

Cheers,
Thomas

From bburke at redhat.com Mon Apr 24 09:23:47 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 24 Apr 2017 09:23:47 -0400
Subject: [keycloak-dev] Step-up Authentication for Keycloak
In-Reply-To:
References:
Message-ID: <1769c9d6-2ac4-afd0-af02-2cc4094ce871@redhat.com>

I think in the security community, step-up is done in terms of levels. Level 0, Level 1, Level 2, Level 3, etc. Client would ask for a specific level not a specific authentication type. Our current idea is to add marker in the flow that bumps the successful security level. You'd then have to define different flows on how to go from 0 to 1, 2 to 3, etc.
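As an added illustration (not code from this thread or from Keycloak), the following Python sketch models the adapter-side logic of the proposal above and the level-based variant from the reply: it reads the claims of the current OIDC token, decides whether the required authenticator has run, and builds the prompt=login redirect with the authenticator id added to the scope. The endpoint, client id, redirect URI and the configuration names 'additional-scopes' and 'required-claims' are taken from the scenario; the unsigned demo token and the reading of acr as an integer level are assumptions of this example.

```python
import base64
import json
from urllib.parse import urlencode

# Values from the example scenario; a real adapter reads them from its configuration.
AUTH_ENDPOINT = "http://localhost:8081/auth/realms/acme/protocol/openid-connect/auth"
CLIENT_ID = "B"
REDIRECT_URI = "http://localhost:8081/auth/realms/acme/B/login-redirect"
ADDITIONAL_SCOPES = ("auth-otp-form",)        # proposed 'additional-scopes' property
REQUIRED_CLAIMS = {"auth-otp-form": "true"}   # proposed 'required-claims' property


def decode_payload(token: str) -> dict:
    """Decode the payload of a compact JWT (header.payload.signature).

    This only decodes. The adapter is assumed to have verified the signature
    before the claims reach this point; unverified claims must not drive the
    decision below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_required_claims(claims: dict, required: dict = REQUIRED_CLAIMS) -> list:
    """Required claims that are absent or do not carry the configured value.

    The user session note is the string "true", but a protocol mapper may emit
    a JSON boolean instead, so both spellings are accepted.
    """
    return sorted(name for name, value in required.items()
                  if str(claims.get(name, "")).lower() != value.lower())


def needs_step_up(claims: dict, required: dict = REQUIRED_CLAIMS) -> bool:
    """True when the token shows that a required authenticator did not run."""
    return bool(missing_required_claims(claims, required))


def step_up_redirect(state: str, scopes=ADDITIONAL_SCOPES) -> str:
    """Build the /auth redirect: prompt=login plus the authenticator ids in scope."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "response_type": "code",
        "scope": " ".join(("openid",) + tuple(scopes)),
        "prompt": "login",
    }
    # urlencode turns the space in scope into '+', matching 'openid+auth-otp-form'.
    return AUTH_ENDPOINT + "?" + urlencode(params)


def acr_level(claims: dict) -> int:
    """Level variant from the reply: read 'acr' as a numeric level (0 when absent).

    Treating acr as an integer is an assumption of this example; OIDC defines
    acr as an opaque string, so a deployment must fix its own level encoding.
    """
    try:
        return int(claims.get("acr", 0))
    except (TypeError, ValueError):
        return 0


def needs_level(claims: dict, required_level: int) -> bool:
    """True when the token's level is below what the client asks for."""
    return acr_level(claims) < required_level


def make_unsigned_token(claims: dict) -> str:
    """Constructed demo token: an unsigned JWT used only to feed decode_payload."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    # Token obtained at client A after username/password only (constructed).
    first_factor = decode_payload(make_unsigned_token({"sub": "alice", "azp": "A", "acr": "1"}))
    if needs_step_up(first_factor):
        print("redirect to:", step_up_redirect("0/1fa9fb6b-8ac9-4f4d-ac98-beb0c3548271"))
    # After the OTP form ran, the mapped session note is present (constructed).
    second_factor = decode_payload(make_unsigned_token(
        {"sub": "alice", "azp": "B", "auth-otp-form": "true", "acr": "2"}))
    print("step-up still needed:", needs_step_up(second_factor))
    print("level 2 satisfied:", not needs_level(second_factor, 2))
```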
On 4/22/17 6:34 AM, Thomas Darimont wrote:
> Hello guys,
>
> (longish email)
>
> I have an idea how step up authentication could work with Keycloak that I'd like to share.
>
> Summary:
> Clients require certain authentication steps by using scopes linked to authenticators.
> An authenticator would only be executed if its scope is present.
> An application can detect the current authentication level by inspecting the OIDC token or SAML assertions and request additional authentication if necessary.
>
> All that with (IMHO) a few little additions to Keycloak.
>
> Idea:
> The main idea is to have a new option 'Scope Param Required' for authenticators as there is for Roles. If 'Scope Param Required' is "On" then the authenticator is only executed if the scope parameter in the login URL contains the authenticator provider id, e.g. 'auth-otp-form'.
>
> On the client / adapter side there could be a new configuration property like 'additional-scopes' to specify a required authentication scope.
> Optionally there could be an additional property 'required-claims: auth-otp-form=true' to indicate that a user can only access the app if the given claim is present.
>
> Authenticators could also by default emit a 'User session note' with the provider id to indicate that they were executed, e.g. "auth-otp-form: true".
> This could then be mapped via a protocol mapper into an OIDC token / SAML response.
> (for OIDC one could also configure an ACR level that is provided by an authenticator, but this wouldn't help for SAML)
>
> With this clients could detect the executed authenticators based on the claims in the OIDC token (or ACR value) or SAML assertions and trigger reauthentication if necessary, e.g. by sending a redirect to the '/auth' URL with parameters 'prompt=login' and 'scope=openid+auth-otp-form'.
>
> Example Scenario (OIDC):
> In realm 'acme' we have two clients 'A' and 'B'.
> To access 'A' username/password authentication is enough, but for 'B' one needs to provide an additional factor, e.g. an OTP token or code via SMS.
>
> The auth-otp-form authenticator is configured with 'Scope Param Required=On'
> B's adapter config contains 'additional-scopes: auth-otp-form'
>
> First the user accesses 'A' and authenticates with username-password. Then the user tries to access 'B'. 'B' detects that the current OIDC (access/ID) token doesn't contain the required claim 'auth-otp-form'. Thus it sends a redirect as mentioned above, e.g.:
> http://localhost:8081/auth/realms/acme/protocol/openid-connect/auth?client_id=B&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Facme%2FB%2Flogin-redirect&state=0%2F1fa9fb6b-8ac9-4f4d-ac98-beb0c3548271&response_type=code&scope=openid+auth-otp-form&prompt=login
>
> Keycloak would now detect that it needs to execute the OTPForm authenticator based on the scope parameter auth-otp-form which will prompt the user for OTP input.
>
> Note that the user still would need to provide his username/password. If one would be able to skip that (since the user is already authenticated via username/password) one could think of an additional parameter like 'auth_mode=step_up' to signal Keycloak that it should only verify credentials that have not yet been checked.
>
> In this case it would skip the username / password authenticator and jump to the OTP form.
>
> What do you think?
>
> Cheers,
> Thomas

From sblanc at redhat.com Mon Apr 24 11:09:38 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 24 Apr 2017 17:09:38 +0200
Subject: [keycloak-dev] Make the application context path available on the HttpFacade
Message-ID:

Hi !
While trying to fix https://issues.jboss.org/browse/KEYCLOAK-4342 I realized that I need to have the application context path. The fix is for the CookieTokenStore, it's failing currently when no application context is set (for instance a Spring Boot or WF Swarm app running directly under localhost:8080). (details are in the ticket)

I was hoping to rely on this method getRelativePath(); https://github.com/keycloak/keycloak/blob/master/adapters/spi/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java#L51 but for the Undertow implementation for instance, it returns an empty string.

So, we could add a separate method on the HttpFacade (or the KeycloakDeployment object) that returns the application context path, it's not trivial since it needs to be added to all the adapter implementations.

WDYT ?

Sebi

From mposolda at redhat.com Tue Apr 25 05:47:15 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Apr 2017 11:47:15 +0200
Subject: [keycloak-dev] Make the application context path available on the HttpFacade
In-Reply-To:
References:
Message-ID: <7b3725bf-6b2a-b905-999c-023852f13fc5@redhat.com>

+1 to have the context path available on HttpFacade.

Marek

On 24/04/17 17:09, Sebastien Blanc wrote:
> Hi !
>
> While trying to fix https://issues.jboss.org/browse/KEYCLOAK-4342 I realized that I need to have the application context path.
> The fix is for the CookieTokenStore, it's failing currently when no application context is set (for instance a Spring Boot or WF Swarm app running directly under localhost:8080). (details are in the ticket)
>
> I was hoping to rely on this method getRelativePath();
> https://github.com/keycloak/keycloak/blob/master/adapters/spi/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java#L51
> but for the Undertow implementation for instance, it returns an empty string.
>
> So, we could add a separate method on the HttpFacade (or the KeycloakDeployment object) that returns the application context path, it's not trivial since it needs to be added to all the adapter implementations.
> WDYT ?
>
> Sebi

From alexandre.heroux at infinisolution.ca Wed Apr 26 11:00:37 2017
From: alexandre.heroux at infinisolution.ca (Alexandre Héroux)
Date: Wed, 26 Apr 2017 11:00:37 -0400
Subject: [keycloak-dev] Slow query performance for client with large data volume
Message-ID:

After some benchmark tests, a point comes where the performance of the JPA repository becomes a bottleneck.

At this point, we are doing tests with:

- 21 560 391 COMPOSITE_ROLE rows
- 14 774 947 USER_ROLE_MAPPING rows
- 1 332 324 KEYCLOAK_ROLE rows
- 191 034 CREDENTIAL rows
- 191 034 USER_ENTITY rows
- 145 905 PROTOCOL_MAPPER_CONFIG rows
- 191 033 USER_REQUIRED_ACTION rows
- 30 187 PROTOCOL_MAPPER rows
- 5 031 CLIENT rows
- 10 054 REDIRECT_URIS rows
- 5 026 WEB_ORIGINS rows
- 6 AUTHENTICATOR_CONFIG_ENTRY rows
- 27 COMPONENT_CONFIG rows
- 6 IDENTITY_PROVIDER_CONFIG rows
- 41 AUTHENTICATION_EXECUTION rows
- 16 AUTHENTICATION_FLOW rows
- 4 AUTHENTICATOR_CONFIG rows
- 2 CLIENT_DEFAULT_ROLES rows
- 10 COMPONENT rows
- 39 DATABASECHANGELOG rows
- 1 DATABASECHANGELOGLOCK rows
- 1 DATABASECHANGELOG_EXAMPLE_EN rows
- 2 IDENTITY_PROVIDER rows
- 1 MIGRATION_MODEL rows
- 1 REALM rows
- 13 REALM_ATTRIBUTE rows
- 2 REALM_DEFAULT_ROLES rows
- 1 REALM_EVENTS_LISTENERS rows
- 1 REALM_REQUIRED_CREDENTIAL rows
- 11 REALM_SUPPORTED_LOCALES rows
- 5 REQUIRED_ACTION_PROVIDER rows
- 2 SCOPE_MAPPING rows
- 1 USER_ATTRIBUTE rows

1) When we are trying to load clients for migration/administration purposes, Keycloak loads each client one by one and performs lazy loading.
2) When the administrator deletes a client, listeners are notified and some of them reload all clients from the realm to load resources for each occurrence from resourceServerStore one by one in a foreach loop.

With the current test volume, that takes approximately 1 hour 3 minutes to:

- load realm's clients into memory
- delete 11 clients
- delete 50 Users
- delete 340 user/role associations
- delete 85 roles
- create 11 clients
- create 85 roles
- create 50 users
- create 340 user/role associations

After some tuning we can optimize the query and surrounding services to take only 5 minutes

*Impacted projects*

- keycloak-authz-policy-common
   - org.keycloak.authorization.policy.provider.user.UserPolicyProviderFactory
- keycloak-model-infinispan
   - org.keycloak.models.authorization.infinispan.CachedResourceServerStore
   - org.keycloak.models.cache.infinispan.RealmCacheSession
- keycloak-model-jpa
   - org.keycloak.authorization.jpa.entities.ResourceServerEntity
   - org.keycloak.models.jpa.entities.ClientEntity
   - org.keycloak.models.jpa.entities.ScopeMappingEntity
   - org.keycloak.authorization.jpa.store.JPAResourceServerStore
   - org.keycloak.models.jpa.JpaRealmProvider
- keycloak-server-spi-private
   - org.keycloak.authorization.store.ResourceServerStore
   - org.keycloak.authorization.store.syncronization.RealmSynchronizer
   - org.keycloak.authorization.store.syncronization.UserSynchronizer
   - org.keycloak.migration.migrators.MigrateTo2_1_0
- keycloak-services
   - org.keycloak.authorization.admin.AuthorizationService
   - org.keycloak.services.resources.admin.ClientsResource

From psilva at redhat.com Wed Apr 26 11:46:15 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 26 Apr 2017 12:46:15 -0300
Subject: [keycloak-dev] Slow query performance for client with large data volume
In-Reply-To:
References:
Message-ID:

Are you able to send a PR with your changes so we can discuss them from there ?
On Wed, Apr 26, 2017 at 12:00 PM, Alexandre Héroux <alexandre.heroux at infinisolution.ca> wrote:

> After some benchmark tests, a point comes where the performance of the JPA repository becomes a bottleneck.
>
> At this point, we are doing tests with:
>
> - 21 560 391 COMPOSITE_ROLE rows
> - 14 774 947 USER_ROLE_MAPPING rows
> - 1 332 324 KEYCLOAK_ROLE rows
> - 191 034 CREDENTIAL rows
> - 191 034 USER_ENTITY rows
> - 145 905 PROTOCOL_MAPPER_CONFIG rows
> - 191 033 USER_REQUIRED_ACTION rows
> - 30 187 PROTOCOL_MAPPER rows
> - 5 031 CLIENT rows
> - 10 054 REDIRECT_URIS rows
> - 5 026 WEB_ORIGINS rows
> - 6 AUTHENTICATOR_CONFIG_ENTRY rows
> - 27 COMPONENT_CONFIG rows
> - 6 IDENTITY_PROVIDER_CONFIG rows
> - 41 AUTHENTICATION_EXECUTION rows
> - 16 AUTHENTICATION_FLOW rows
> - 4 AUTHENTICATOR_CONFIG rows
> - 2 CLIENT_DEFAULT_ROLES rows
> - 10 COMPONENT rows
> - 39 DATABASECHANGELOG rows
> - 1 DATABASECHANGELOGLOCK rows
> - 1 DATABASECHANGELOG_EXAMPLE_EN rows
> - 2 IDENTITY_PROVIDER rows
> - 1 MIGRATION_MODEL rows
> - 1 REALM rows
> - 13 REALM_ATTRIBUTE rows
> - 2 REALM_DEFAULT_ROLES rows
> - 1 REALM_EVENTS_LISTENERS rows
> - 1 REALM_REQUIRED_CREDENTIAL rows
> - 11 REALM_SUPPORTED_LOCALES rows
> - 5 REQUIRED_ACTION_PROVIDER rows
> - 2 SCOPE_MAPPING rows
> - 1 USER_ATTRIBUTE rows
>
> 1) When we are trying to load clients for migration/administration purposes, Keycloak loads each client one by one and performs lazy loading.
>
> 2) When the administrator deletes a client, listeners are notified and some of them reload all clients from the realm to load resources for each occurrence from resourceServerStore one by one in a foreach loop.
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

From sthorger at redhat.com Thu Apr 27 09:00:24 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Apr 2017 15:00:24 +0200
Subject: [keycloak-dev] Master bumped to 3.2

3.1.0 release is on its way and master is ready for 3.2 commits.

From jm85martins at gmail.com Thu Apr 27 10:37:07 2017
From: jm85martins at gmail.com (Jorge M.)
Date: Thu, 27 Apr 2017 15:37:07 +0100
Subject: [keycloak-dev] Help with SSO

Hi,

In the past some systems inside my company were using a custom made SSO implementation that had the ability to do silent login among them. One of those systems was completely refactored and is using Keycloak for authentication and authorization. Since then, we lost that silent login feature with the other systems. We assumed that it was ok to lose this feature for a while but now we are trying to implement the silent login again.

So, summing up:

- System "A" is using Keycloak with a realm "RealmA" with multiple clients (modules) with SSO between them.
- Other systems "B", "C" with their custom authentication and authorization.
- We are using a custom federation on Keycloak over the same users database that is shared among all the systems.

What's the best practice to achieve SSO between all the systems? We are thinking about a proxy that detects if the user has a session on some of the other systems and if that is true, we programmatically create a session on Keycloak for a given (Is this possible with the API?).

Thank you,
JM

From sthorger at redhat.com Thu Apr 27 13:11:52 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Apr 2017 19:11:52 +0200
Subject: [keycloak-dev] Help with SSO

This mailing list is to discuss development of Keycloak. For help and advice please use our user mailing list. For more details look at http://keycloak.org/community.html
From sthorger at redhat.com Thu Apr 27 13:47:49 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Apr 2017 19:47:49 +0200
Subject: [keycloak-dev] Keycloak 3.1.0.CR1 Released

Keycloak 3.1.0.CR1 has just been released. To download the release go to the Keycloak homepage.

Highlights

- *X509 Certificate user authentication* - Thanks to Peter Nalyvayko for the contribution
- *Proof Key for Code Exchange by OAuth Public Clients* - Thanks to Takashi Norimatsu for the contribution
- *WildFly Elytron adapters* - Adapters for Elytron, a new security subsystem coming in WildFly 11 and EAP 7.1
- *TypeScript type definitions for keycloak.js* - Simplifies using keycloak.js from TypeScript
- *Identity Provider for Openshift* - Thanks to Bartosz Majsak for the contribution

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the migration guide. Release candidates are not recommended in production and we do not support upgrading from release candidates.
From alexander.schwartz at gmx.net Fri Apr 28 02:53:11 2017
From: alexander.schwartz at gmx.net (Alexander Schwartz)
Date: Fri, 28 Apr 2017 08:53:11 +0200
Subject: [keycloak-dev] [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file

This is now being tracked as KEYCLOAK-4814

On 22.04.2017 at 09:10, Sebastien Blanc wrote:
> Sure! Go for it!
>
> On Fri, Apr 21, 2017 at 4:53 PM, Alexander Schwartz wrote:
>
> Hi keycloak developers,
>
> I like this idea to be able to disable keycloak with a property. It would be useful in the keycloak-spring projects that I've seen.
>
> The convention with other libraries is usually to add a property like
>
>     keycloak.enabled=false
>
> to the spring boot configuration file and a
>
>     @ConditionalOnProperty(value = "keycloak.enabled", matchIfMissing = true)
>
> to the spring autoconfiguration.
>
> What do you think? If this is OK-ed, I'll open a JIRA and prepare a PR.
>
> Thanks,
> Alexander
>
> On 10.03.2017 at 16:49, Pavel Maslov wrote:
> > Hi all,
> >
> > Sometimes (for testing purposes) I need to disable keycloak security.
> >
> > Is it possible to do so via application.properties file?
> > Right now apart from the properties file I also have to comment out these dependencies and rebuild the project:
> >
> >     compile 'org.keycloak:keycloak-spring-boot-adapter:2.5.1.Final'
> >     compile 'org.keycloak:keycloak-tomcat8-adapter:2.5.1.Final'
> >
> > Regards,
> > Pavel Maslov, MS
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

From daviddd.kl at gmail.com Fri Apr 28 04:36:32 2017
From: daviddd.kl at gmail.com (David Klassen)
Date: Fri, 28 Apr 2017 10:36:32 +0200
Subject: [keycloak-dev] [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file

I had the same issue in the past. This was my solution:

*You can disable the keycloak by excluding the autoconfiguration in your application.properties:*

    spring.autoconfigure.exclude=org.keycloak.adapters.springboot.KeycloakSpringBootConfiguration

Full example here: https://github.com/daklassen/budgeteer/blob/master/budgeteer-web-interface/src/main/resources/application.properties

Hope this helps :)
From alexander.schwartz at gmx.net Fri Apr 28 10:18:05 2017
From: alexander.schwartz at gmx.net (Alexander Schwartz)
Date: Fri, 28 Apr 2017 16:18:05 +0200
Subject: [keycloak-dev] [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file
Message-ID: <6be56846-a096-4884-f39f-660cc7e61d44@gmx.net>

Hello David,

nice one! I updated the ticket. The pull request is ready, let's see if it gets in.

Regards,
Alexander

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

From alexander.schwartz at gmx.net Fri Apr 28 10:30:22 2017
From: alexander.schwartz at gmx.net (Alexander Schwartz)
Date: Fri, 28 Apr 2017 16:30:22 +0200
Subject: [keycloak-dev] Support rfc6750 Form-Encoded Body Parameter for access tokens in Keycloak
Message-ID: <07cd8d8f-8128-a091-1cea-3b4c8f7dcae3@gmx.net>

Hi Keycloak Developers,

RFC6750 allows the access token to be submitted as part of a POST request. I found that this is the only good way to do file downloads in a JavaScript frontend.

https://tools.ietf.org/html/rfc6750#section-2.1

Excerpt:

    When sending the access token in the HTTP request entity-body, client adds the access token to the request-body using the "access_token" parameter. [...] Resource servers MAY support this method.

I don't remember a thread on this mailing list.
The only place I could find in the code was the User Endpoint that does this quite manually.

Currently Keycloak only supports the query parameter using QueryParamterTokenRequestAuthenticator. A similar class will be needed to support a Form Parameter. Like the QueryParamterTokenRequestAuthenticator it will be part of the request processing and it will not be configurable.

I'd like to open a JIRA issue for this as part of the Java Keycloak Clients to track the efforts and thoughts.

Comments welcome!

Regards,
Alexander

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de
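The proposal above is to add a form-parameter authenticator next to the existing query-parameter one. As an added example (my own code, not Keycloak's QueryParamterTokenRequestAuthenticator or any other Keycloak code), the following shows how a resource server can accept the token from all three locations RFC 6750 defines while applying the rules that make the form-body method safe: only from a single-part application/x-www-form-urlencoded body, never with GET, and never from more than one location in the same request. A request that carries a token in both the header and the body is rejected rather than silently resolved, so a front-end filter and the backend can never disagree about which token authenticated the call. The query method is the one the RFC says clients SHOULD NOT use, because URLs end up in access logs, proxy logs and Referer headers; the form body avoids that for the file-download case described in the thread. Function and class names (extract_bearer_token, BearerToken, TokenError, is_rejected) are mine, and the request values are constructed.

```python
"""Bearer-token extraction per RFC 6750 for a resource server (added example, not Keycloak code)."""
import re
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import parse_qs

# "b64token" syntax from RFC 6750 section 2.1; the scheme name itself is case-insensitive.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
_FORM_CT = "application/x-www-form-urlencoded"


class TokenError(ValueError):
    """The request does not carry exactly one well-formed bearer token."""


@dataclass(frozen=True)
class BearerToken:
    value: str
    method: str  # "header", "form" or "query": worth logging so odd clients stand out


def _single_param(encoded: str, where: str) -> Optional[str]:
    """Return the access_token parameter from a form/query string if it appears exactly once."""
    values = parse_qs(encoded, keep_blank_values=True).get("access_token")
    if values is None:
        return None
    if len(values) != 1 or not values[0]:
        raise TokenError(f"access_token must appear exactly once in the {where}")
    return values[0]


def _from_header(headers: Mapping[str, str]) -> Optional[str]:
    """Section 2.1: Authorization: Bearer <b64token>. Other schemes are simply not ours."""
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, rest = auth.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    if not _B64TOKEN.fullmatch(rest.strip()):
        raise TokenError("malformed Bearer credentials in Authorization header")
    return rest.strip()


def _from_form(method: str, headers: Mapping[str, str], body: Optional[str]) -> Optional[str]:
    """Section 2.2: only a form-urlencoded body, and only with a method whose body has meaning."""
    if not body:
        return None
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type != _FORM_CT:
        return None  # JSON or multipart bodies are never searched for a token
    token = _single_param(body, "form body")
    if token is not None and method.upper() == "GET":
        raise TokenError("form-encoded access_token is not allowed with GET")
    return token


def extract_bearer_token(method, headers, query_string="", body=None) -> Optional[BearerToken]:
    """Return the single token in the request, None if there is none; raise TokenError otherwise."""
    lowered = {k.lower(): v for k, v in headers.items()}
    candidates = (
        ("header", _from_header(lowered)),
        ("form", _from_form(method, lowered, body)),
        ("query", _single_param(query_string or "", "query string")),
    )
    found = {name: token for name, token in candidates if token is not None}
    if not found:
        return None
    if len(found) > 1:
        # RFC 6750 section 2: a client MUST NOT use more than one method per request.
        raise TokenError("access token sent via more than one method: " + ", ".join(sorted(found)))
    (name, token), = found.items()
    return BearerToken(token, name)


def is_rejected(method, headers, query_string="", body=None) -> bool:
    """True when the request is refused outright; a boolean form of the check for filters."""
    try:
        extract_bearer_token(method, headers, query_string, body)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: the file-download case from the thread, a browser form POST
    # carrying the token in the body instead of in the URL.
    print(extract_bearer_token(
        "POST",
        {"Content-Type": "application/x-www-form-urlencoded"},
        body="access_token=sample.access.token&file=report.pdf",
    ))
```

The `method` field on the returned token is there so the server can log how each client sends its token; a sudden rise in query-string tokens is a sign of clients leaking credentials into URLs and is easy to alert on once it is recorded.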