<html><head></head><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1444693001625_3845">Hi Stian/Marek,</div><div id="yui_3_16_0_1_1444693001625_3847"> Thanks for your attention in the matter.</div><div id="yui_3_16_0_1_1444693001625_4124">Probably you are referring to one other issue in client level, but Mike & I are referring at User level within or across client.</div><div dir="ltr" id="yui_3_16_0_1_1444693001625_4425"><br></div><div id="yui_3_16_0_1_1444693001625_4677" dir="ltr">User John Doe authenticates with his credentials and obtains token pair <b id="yui_3_16_0_1_1444693001625_6041">A1R1</b></div><ol id="yui_3_16_0_1_1444693001625_5395" dir="ltr"><li id="yui_3_16_0_1_1444693001625_5397">After A1 expires, app refreshes the token pair to <b id="yui_3_16_0_1_1444693001625_6048">A2R2 </b>USING R1<br></li><li id="yui_3_16_0_1_1444693001625_5394">After A2 expires, app refreshes the token pair to <b id="yui_3_16_0_1_1444693001625_6585">A3R3 </b><b id="yui_3_16_0_1_1444693001625_5628"><span id="yui_3_16_0_1_1444693001625_5627" style="background-color: rgb(253, 239, 43);">USING <font id="yui_3_16_0_1_1444693001625_6101" color="#cd232c" size="3">R1</font></span></b><font size="3"><b id="yui_3_16_0_1_1444693001625_6109"> </b></font>(ideally it is should use R2 as it is the latest refresh token)<br></li></ol><div id="yui_3_16_0_1_1444693001625_4795" dir="ltr"> <br></div><div id="yui_3_16_0_1_1444693001625_5714" dir="ltr">In order to achieve this functionality, I was wondering why can't we use existing last refresh time from User session rather then checking it in the client session.</div><div id="yui_3_16_0_1_1444693001625_5803" dir="ltr">IMHO, adding one more validation in the ValidateToken method in TokenManager class like this should resolve the problem.<br></div><div id="yui_3_16_0_1_1444693001625_6328" dir="ltr"><br></div><div id="yui_3_16_0_1_1444693001625_6478" dir="ltr"> // after userSession is determined either for offline token or online token...<br></div><div id="yui_3_16_0_1_1444693001625_6378" dir="ltr"> if(oldToken.getIssuedAt() < userSession.getLastSessionRefresh()) {<br class="" id="yui_3_16_0_1_1444693001625_6365"> throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale refresh token - already used");<br class="" id="yui_3_16_0_1_1444693001625_6367"> }<br class="" id="yui_3_16_0_1_1444693001625_6369"><br></div><div id="yui_3_16_0_1_1444693001625_6325" dir="ltr"><br></div><div id="yui_3_16_0_1_1444693001625_6327" dir="ltr">Please let me know if you see any pitfalls other than the backward compatibility for existing keycloak users. I can work with you to merge this change & test it in the master.</div><div id="yui_3_16_0_1_1444693001625_6842" dir="ltr"><br></div><div id="yui_3_16_0_1_1444693001625_6885" dir="ltr">Best</div><div id="yui_3_16_0_1_1444693001625_6887" dir="ltr">Kamal<br></div><div id="yui_3_16_0_1_1444693001625_4258"><br></div><div id="yui_3_16_0_1_1444693001625_3849"><span></span></div><br> <div id="yui_3_16_0_1_1444693001625_3853" style="font-family: times new roman, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1444693001625_3852" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1444693001625_3851" dir="ltr"> <hr id="yui_3_16_0_1_1444693001625_6043" size="1"> <font id="yui_3_16_0_1_1444693001625_4064" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Stian Thorgersen <sthorger@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> Marek Posolda <mposolda@redhat.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "Jagadevan, Kamal" <kamalakannan.jagadevan@hpe.com>; "keycloak-dev@lists.jboss.org" <keycloak-dev@lists.jboss.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, October 7, 2015 8:38 AM<br> <b id="yui_3_16_0_1_1444693001625_5932"><span id="yui_3_16_0_1_1444693001625_5931" style="font-weight: bold;">Subject:</span></b> Re: [keycloak-dev] Same Refresh token can be used multiple times to obtain access token<br> </font> </div> <div id="yui_3_16_0_1_1444693001625_3855" class="y_msg_container"><br><div id="yiv2550815952"><div id="yui_3_16_0_1_1444693001625_3861"><div id="yui_3_16_0_1_1444693001625_4112" dir="ltr">You're right, we'd have to introduce a lastRefresh on ClientSession</div><div class="qtdSeparateBR"><br><br></div><div class="yiv2550815952yqt5444737751" id="yiv2550815952yqt92102"><div id="yui_3_16_0_1_1444693001625_3860" class="yiv2550815952gmail_extra"><br clear="none"><div id="yui_3_16_0_1_1444693001625_3859" class="yiv2550815952gmail_quote">On 7 October 2015 at 14:35, Marek Posolda <span id="yui_3_16_0_1_1444693001625_3858" dir="ltr"><<a id="yui_3_16_0_1_1444693001625_3857" rel="nofollow" shape="rect" ymailto="mailto:mposolda@redhat.com" target="_blank" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>></span> wrote:<br clear="none"><blockquote id="yui_3_16_0_1_1444693001625_3871" class="yiv2550815952gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div id="yui_3_16_0_1_1444693001625_3870"><span class="yiv2550815952">
</span><div id="yui_3_16_0_1_1444693001625_5188">On 07/10/15 14:23, Stian Thorgersen
wrote:<br clear="none">
</div>
<blockquote id="yui_3_16_0_1_1444693001625_4417" type="cite">
<div id="yui_3_16_0_1_1444693001625_4416" dir="ltr">We should make this configurable. For those worried
about security they can enforce new refresh tokens as well as
offline tokens will replace the old tokens. It would be fairly
simply to implement. If enabled we would only allow refresh
token where iat is >= the last session refresh time.</div>
</blockquote>
I was also thinking about this possibility. However if you have 2
clients and you refresh the token for client1, the refresh token of
client2 won't be valid as his "iat" will be older. Also SSO login
currently refreshes lastSessionRefresh on UserSession. However maybe
we can introduce lastSessionRefresh to ClientSession as well?<span class="yiv2550815952HOEnZb"><font color="#888888"><br clear="none">
<br clear="none">
Marek</font></span><div id="yui_3_16_0_1_1444693001625_3869"><div id="yui_3_16_0_1_1444693001625_3868" class="yiv2550815952h5"><br clear="none">
<blockquote id="yui_3_16_0_1_1444693001625_3878" type="cite">
<div id="yui_3_16_0_1_1444693001625_3877" dir="ltr">
<div id="yui_3_16_0_1_1444693001625_3876">I wouldn't make it default behavior for two reasons:
<div><br clear="none">
</div>
<div>* It would break existing clients if they expect to
continue using the old refresh token</div>
<div id="yui_3_16_0_1_1444693001625_4414">* It comes at a performance cost as clients will have to
store the new refresh tokens and offline tokens each time
they refresh the token</div>
<div>* For offline tokens Keycloak would also have to persist
the last refresh time each time the offline token is
refreshed</div>
<div id="yui_3_16_0_1_1444693001625_3875"><br clear="none">
</div>
<div id="yui_3_16_0_1_1444693001625_3975">I think we'd need to make it a realm wide configuration
option.<br clear="none">
<div id="yui_3_16_0_1_1444693001625_3977" class="yiv2550815952gmail_extra"><br clear="none">
<div id="yui_3_16_0_1_1444693001625_3981" class="yiv2550815952gmail_quote">On 7 October 2015 at 14:12, Marek
Posolda <span id="yui_3_16_0_1_1444693001625_3980" dir="ltr"><<a id="yui_3_16_0_1_1444693001625_3979" rel="nofollow" shape="rect" ymailto="mailto:mposolda@redhat.com" target="_blank" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>></span>
wrote:<br clear="none">
<blockquote id="yui_3_16_0_1_1444693001625_3985" class="yiv2550815952gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div id="yui_3_16_0_1_1444693001625_3984">
<div id="yui_3_16_0_1_1444693001625_3983">The points are valid and security can be always
improved, however sometimes improving security
makes things complicated with the not-so-big
advantage... IMO admin should always protect the
machine to make sure that nobody unauthorized has
access to refresh tokens. And for the transport,
HTTPS should be always used. But feel free to
create JIRA and we will see...<br clear="none">
<br clear="none">
When user or client is deleted, all
refresh/offline tokens will defacto become invalid
as well and can't be used anymore. You're right
that offline token is still valid after user
logout. User can revoke it manually in account
management or admin can revoke it in admin
console. However refresh token is invalid after
user logout. All refresh/offline tokens for
particular client can be revoked by admin by set
notBefore policy to now, which can be done in
admin console in "Revocation" tab of particular
client.<span><font color="#888888"><br clear="none">
<br clear="none">
Marek</font></span>
<div id="yui_3_16_0_1_1444693001625_4407">
<div id="yui_3_16_0_1_1444693001625_4406"><br clear="none">
<br clear="none">
On 07/10/15 04:27, Raghuram Prabhala wrote:<br clear="none">
</div>
</div>
</div>
<div id="yui_3_16_0_1_1444693001625_3994">
<div id="yui_3_16_0_1_1444693001625_3993">
<blockquote id="yui_3_16_0_1_1444693001625_3992" type="cite">
<div id="yui_3_16_0_1_1444693001625_3991" style="color:#000;background-color:#fff;font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px;">
<div><span>Very valid points Mike and even I
have similar concerns. But please do
understand that even if the refresh
token is stolen or compromised,it cannot
be used by any client unless both the
client_id and client_secret are also
compromised/stolen. But nevertheless, it
is a good practice to assume the worst
and add in protective measures to
minimize the chances. </span></div>
<div><span><br clear="none">
</span></div>
<div>Marek/Bill/Stian - Even our
organization is very particular that such
potential security issues be addressed.
Can this be taken up? BTW I am not sure if
you have an API/End point to invalidate
tokens for those that are either
compromised or must be invalidated as
either the user or client is no longer
active. If you do not have one then it is
a good idea to make one available.</div>
<div><br clear="none">
</div>
<div>Thanks,</div>
<div>Raghu</div>
<br clear="none">
<div id="yui_3_16_0_1_1444693001625_3990" style="font-family:Courier New, courier, monaco, monospace, sans-serif;font-size:13px;">
<div id="yui_3_16_0_1_1444693001625_3989" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
<div id="yui_3_16_0_1_1444693001625_3988" dir="ltr">
<hr size="1"> <font id="yui_3_16_0_1_1444693001625_3996" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b>
"Kuznetsov, Mike" <a rel="nofollow" shape="rect" ymailto="mailto:mikhail.kuznetsov@hpe.com" target="_blank" href="mailto:mikhail.kuznetsov@hpe.com"></a><a rel="nofollow" shape="rect" ymailto="mailto:mikhail.kuznetsov@hpe.com" target="_blank" href="mailto:mikhail.kuznetsov@hpe.com"><mikhail.kuznetsov@hpe.com></a><br clear="none">
<b><span style="font-weight:bold;">To:</span></b>
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">"keycloak-dev@lists.jboss.org"</a>
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org"><keycloak-dev@lists.jboss.org></a>
<br clear="none">
<b><span style="font-weight:bold;">Cc:</span></b>
"Jagadevan, Kamal" <a rel="nofollow" shape="rect" ymailto="mailto:kamalakannan.jagadevan@hpe.com" target="_blank" href="mailto:kamalakannan.jagadevan@hpe.com"></a><a rel="nofollow" shape="rect" ymailto="mailto:kamalakannan.jagadevan@hpe.com" target="_blank" href="mailto:kamalakannan.jagadevan@hpe.com"><kamalakannan.jagadevan@hpe.com></a>
<br clear="none">
<b><span style="font-weight:bold;">Sent:</span></b>
Tuesday, October 6, 2015 4:34 PM<br clear="none">
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [keycloak-dev] Same Refresh
token can be used multiple times to
obtain access token<br clear="none">
</font> </div>
<div id="yui_3_16_0_1_1444693001625_3999"><br clear="none">
<div id="yui_3_16_0_1_1444693001625_4005">
<div id="yui_3_16_0_1_1444693001625_4004">
<div id="yui_3_16_0_1_1444693001625_4003">
<div><span style="color:windowtext;">Hello,</span></div>
<div><span style="color:windowtext;"> </span></div>
<div id="yui_3_16_0_1_1444693001625_4063"><span id="yui_3_16_0_1_1444693001625_4062" style="color:windowtext;">The
reason I brought this up is
that we are currently
working on migrating out
authentication from a
commercially available
product called Ping to
Keycloak. We noticed that
Ping invalidates the refresh
token after it is used once,
while Keycloak does not.</span></div>
<div><span style="color:windowtext;"> </span></div>
<div id="yui_3_16_0_1_1444693001625_4002"><span id="yui_3_16_0_1_1444693001625_4001" style="color:windowtext;">I
and my colleague, Kamal are
concerned that by not
invalidating the refresh
token after first use, we
may be opening a security
hole. While SSL may protect
the token in transit, we can
see a scenario where the
refresh token would be
compromised or stolen from
the client itself. In this
case, the stolen refresh
token could be used to get
new access tokens without
the owner of the client
machine knowing. </span></div>
<div id="yui_3_16_0_1_1444693001625_4007"><span style="color:windowtext;"> </span></div>
<div><span style="color:windowtext;">However,
if the behavior was changed
so that the refresh token
could only be used once,
then either:</span></div>
<div id="yui_3_16_0_1_1444693001625_4009"><span style="color:windowtext;"><span>1.<span style="font:7.0pt;">
</span></span></span><span id="yui_3_16_0_1_1444693001625_4060" style="color:windowtext;">If
the owner of the client
machine would use the
refresh token first, then
the stolen refresh token
could not be used</span></div>
<div id="yui_3_16_0_1_1444693001625_4012"><span style="color:windowtext;"><span>2.<span style="font:7.0pt;">
</span></span></span><span id="yui_3_16_0_1_1444693001625_4011" style="color:windowtext;">If
the stolen refresh token
would be used first, then
the client machine would not
be able to use it and the
user of that client machine
could be alerted that
something was wrong. This
user could then reset their
password or invalidate all
of their access and refresh
tokens.</span></div>
<div><span style="color:windowtext;"> </span></div>
<div id="yui_3_16_0_1_1444693001625_4025"><span id="yui_3_16_0_1_1444693001625_4030" style="color:windowtext;">Furthermore,
we are concerned about this
same scenario, but with the
offline token. My
understanding is that the
offline token does not
expire and that it can’t be
invalidated by logging out
the user or changing the
user’s password. Have you
thought about this scenario?</span></div>
<div><span style="color:#1f497d;">
</span></div>
<div id="yui_3_16_0_1_1444693001625_4016">Thank You,</div>
<div id="yui_3_16_0_1_1444693001625_4019"><span style="font-size:9.0pt;"><br clear="none">
</span><b><span style="font-size:10.0pt;">Mikhail
Kuznetsov</span></b></div>
<div><span style="font-size:9.0pt;">Software
Engineer</span></div>
<div><span style="font-size:9.0pt;">Hewlett
Packard Enterprise</span></div>
<div><span style="color:#1f497d;">
</span></div>
<div><br clear="none">
<br clear="none">
</div>
<div id="yui_3_16_0_1_1444693001625_4023">
<div id="yui_3_16_0_1_1444693001625_4059">
<div id="yui_3_16_0_1_1444693001625_4058" style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in;">
<div id="yui_3_16_0_1_1444693001625_4057"><b><span style="color:windowtext;">From:</span></b><span style="color:windowtext;"> Marek Posolda [<a rel="nofollow" shape="rect" ymailto="mailto:mposolda@redhat.com" target="_blank" href="mailto:mposolda@redhat.com">mailto:mposolda@redhat.com</a>]
<br clear="none">
<b>Sent:</b> Tuesday,
October 06, 2015 1:16
PM<br clear="none">
<b>To:</b> Raghu
Prabhala<br clear="none">
<b>Cc:</b> Kuznetsov,
Mike; <a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org"></a><a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">
<b>Subject:</b> Re:
[keycloak-dev] Same
Refresh token can be
used multiple times to
obtain access token</span></div>
</div>
</div>
<div> </div>
<div id="yui_3_16_0_1_1444693001625_4022">
<div id="yui_3_16_0_1_1444693001625_4021">Hi Raghu,<br clear="none">
<br clear="none">
>From the specs, it
looks to me that this is
not anything mandatory.
The paragraph is starting
"For example". Feel free
to create JIRA, but I
personally can't promise
anything regarding this...<br clear="none">
<br clear="none">
Marek<br clear="none">
<br clear="none">
<br clear="none">
On 06/10/15 17:37, Raghu
Prabhala wrote:<span style="font-size:12.0pt;"></span></div>
</div>
<blockquote id="yui_3_16_0_1_1444693001625_4035" style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div>Hi Marek - section
10.4 of rfc6749 mentions
that the prior refresh
token should be
invalidated but retained
by the server - to
handle compromise of
refresh tokens as they
are long lived. </div>
</div>
<div id="yui_3_16_0_1_1444693001625_4034">
<div id="yui_3_16_0_1_1444693001625_4033"> </div>
</div>
<div>
<div>Thanks,</div>
</div>
<div id="yui_3_16_0_1_1444693001625_4055">
<div id="yui_3_16_0_1_1444693001625_4054">Raghu<br clear="none">
<br clear="none">
Sent from my iPhone</div>
</div>
<div>
<div style="margin-bottom:12.0pt;"><br clear="none">
On Oct 6, 2015, at 10:53
AM, Marek Posolda <<a rel="nofollow" shape="rect" ymailto="mailto:mposolda@redhat.com" target="_blank" href="mailto:mposolda@redhat.com"></a><a rel="nofollow" shape="rect" ymailto="mailto:mposolda@redhat.com" target="_blank" href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>>
wrote:</div>
</div>
<blockquote id="yui_3_16_0_1_1444693001625_4042" style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div id="yui_3_16_0_1_1444693001625_4041">
<div id="yui_3_16_0_1_1444693001625_4040">
<div id="yui_3_16_0_1_1444693001625_4039">You're right,
same refresh token
can be used more
times. However it is
still better to use
refresh token R2 in
your step 3 instead
of using old refresh
token R1 because R2
has updated
timestamp (each
token is valid just
for 30 minutes or
so, depends on the
configured SSO
session idle
timeout).<br clear="none">
<br clear="none">
Or are you referring
that this is
security issue and
potential
possibility to Man
in the middle? If
you use HTTPS (which
is recommended for
production
environment, and
especially if you
have
unsecured/untrusted
networkl), this
shouldn't be an
issue.<br clear="none">
<br clear="none">
Marek<br clear="none">
<br clear="none">
On 06/10/15 16:34,
Kuznetsov, Mike
wrote:</div>
</div>
<blockquote id="yui_3_16_0_1_1444693001625_4045" style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div id="yui_3_16_0_1_1444693001625_4044">Hello,</div>
<div id="yui_3_16_0_1_1444693001625_4050"> </div>
<div id="yui_3_16_0_1_1444693001625_4052">I noticed that
with Keycloak, it
seems that refresh
tokens are still
valid after they are
used once. This
means that Keycloak
does <b>not</b>
invalidate Refresh
Tokens after they
have been used once.</div>
<div> </div>
<div id="yui_3_16_0_1_1444693001625_4314">I am able to
successfully execute
the following flow:</div>
<div id="yui_3_16_0_1_1444693001625_4308"><span>1.<span style="font:7.0pt;">
</span></span>Obtain
Access Token (A1)
and Refresh Token
(R1)</div>
<div id="yui_3_16_0_1_1444693001625_4310"><span>2.<span style="font:7.0pt;">
</span></span>Use
Refresh Token (R1)
to obtain new Access
Token (A2) and
Refresh Token (R2)</div>
<div id="yui_3_16_0_1_1444693001625_4312"><span>3.<span style="font:7.0pt;">
</span></span>Use
same Refresh Token
(R1) again to obtain
new Access Token
(A3) and Refresh
Token (R3)</div>
<div> </div>
<div> </div>
<div>Can you please
tell me if this is
the intended
functionality?</div>
<div> </div>
<div>Thank You,</div>
<div><span style="font-size:9.0pt;"><br clear="none">
</span><b><span style="font-size:10.0pt;">Mikhail
Kuznetsov</span></b></div>
<div><span style="font-size:9.0pt;">Software
Engineer</span></div>
<div><span style="font-size:9.0pt;">Hewlett
Packard Enterprise</span></div>
<div> </div>
<div><span style="font-size:12.0pt;"><br clear="none">
<br clear="none">
<br clear="none">
</span></div>
<pre>_______________________________________________</pre>
<pre>keycloak-dev mailing list</pre>
<pre><a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></pre>
<pre><a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<div><span style="font-size:12.0pt;">
</span></div>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
<div>
<div><span style="font-size:12.0pt;">_______________________________________________<br clear="none">
keycloak-dev mailing
list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org"></a><a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"></a><a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></span></div>
</div>
</blockquote>
</blockquote>
</div>
<div><span style="font-size:12.0pt;"> </span></div>
</div>
</div>
</div>
<br clear="none">
<div>_______________________________________________<br clear="none">
keycloak-dev mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
<br clear="none">
<fieldset></fieldset>
<br clear="none">
<pre>_______________________________________________
keycloak-dev mailing list
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br clear="none">
</div>
</div>
</div>
<br clear="none">
_______________________________________________<br clear="none">
keycloak-dev mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" target="_blank" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br clear="none">
</blockquote>
</div>
<br clear="none">
</div>
</div>
</div>
</div>
</blockquote>
<br clear="none">
</div></div></div>
</blockquote></div><br clear="none"></div></div></div></div><br><div class="yqt5444737751" id="yqt84888">_______________________________________________<br clear="none">keycloak-dev mailing list<br clear="none"><a shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br clear="none"><a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></div><br><br></div> </div> </div> </div></body></html>