From n.preusker at gmail.com Tue Apr 1 05:00:50 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Tue, 1 Apr 2014 11:00:50 +0200
Subject: [keycloak-user] @RolesAllowed leads to HTTP 500 when user doesn't have the required role
Message-ID:

Hi,

I'm currently testing the @SecurityDomain("keycloak") and @RolesAllowed annotations on my JAX-RS services and was surprised to see that I get an HTTP 500 (internal server error) when a requesting user doesn't have the role that is required by @RolesAllowed. Is this intentional or a known issue, or am I doing something wrong in the config?

I'm using Wildfly 8.0.0.Final with the default RestEasy module. Would upgrading RestEasy do the trick?

Cheers,
Nils

From ungarida at gmail.com Tue Apr 1 07:15:23 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 1 Apr 2014 13:15:23 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
Message-ID:

Hi everybody,

I'm trying to use keycloak with mongo.

I followed the documentation:
http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167

But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:

13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}

Suggestions?
Thanks

--
Davide

From bburke at redhat.com Tue Apr 1 08:57:52 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 01 Apr 2014 08:57:52 -0400
Subject: [keycloak-user] @RolesAllowed leads to HTTP 500 when user doesn't have the required role
In-Reply-To:
References:
Message-ID: <533AB7D0.3060907@redhat.com>

Just a regular JAX-RS class? Not an EJB?

On 4/1/2014 5:00 AM, Nils Preusker wrote:
> Hi,
>
> I'm currently testing the @SecurityDomain("keycloak") and @RolesAllowed annotations on my JAX-RS services and was surprised to see that I get an HTTP 500 (internal server error) when a requesting user doesn't have the role that is required by @RolesAllowed. Is this intentional or a known issue, or am I doing something wrong in the config?
>
> I'm using Wildfly 8.0.0.Final with the default RestEasy module. Would upgrading RestEasy do the trick?
>
> Cheers,
> Nils
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Tue Apr 1 09:09:21 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Tue, 1 Apr 2014 15:09:21 +0200
Subject: [keycloak-user] @RolesAllowed leads to HTTP 500 when user doesn't have the required role
In-Reply-To: <533AB7D0.3060907@redhat.com>
References: <533AB7D0.3060907@redhat.com>
Message-ID:

Hey Bill,

it is actually an EJB (@Stateless @Path(...)).

Another question about this: You mention in the user guide that you are planning to improve the integration and get rid of the @SecurityDomain annotation. Are you currently working on this, or can you give me some estimate on which release this is planned for?
Cheers,
Nils

On Tue, Apr 1, 2014 at 2:57 PM, Bill Burke wrote:
> Just a regular JAX-RS class? Not an EJB?
>
> On 4/1/2014 5:00 AM, Nils Preusker wrote:
>> Hi,
>>
>> I'm currently testing the @SecurityDomain("keycloak") and @RolesAllowed annotations on my JAX-RS services and was surprised to see that I get an HTTP 500 (internal server error) when a requesting user doesn't have the role that is required by @RolesAllowed. Is this intentional or a known issue, or am I doing something wrong in the config?
>>
>> I'm using Wildfly 8.0.0.Final with the default RestEasy module. Would upgrading RestEasy do the trick?
>>
>> Cheers,
>> Nils
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Tue Apr 1 09:11:49 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 01 Apr 2014 09:11:49 -0400
Subject: [keycloak-user] @RolesAllowed leads to HTTP 500 when user doesn't have the required role
In-Reply-To:
References: <533AB7D0.3060907@redhat.com>
Message-ID: <533ABB15.9090609@redhat.com>

I don't have a solution to getting rid of @SecurityDomain yet. What should happen is that the EJB should inherit the security domain of the WAR, but it doesn't. I opened a Wildfly bug and hopefully it will be fixed.

As for this particular bug, it may just be that you have to write an ExceptionMapper and unwrap EJBException.

Can you show the stack trace in the log?
On 4/1/2014 9:09 AM, Nils Preusker wrote:
> Hey Bill,
>
> it is actually an EJB (@Stateless @Path(...)).
>
> Another question about this: You mention in the user guide that you are planning to improve the integration and get rid of the @SecurityDomain annotation. Are you currently working on this, or can you give me some estimate on which release this is planned for?
>
> Cheers,
> Nils
>
> On Tue, Apr 1, 2014 at 2:57 PM, Bill Burke wrote:
>> Just a regular JAX-RS class? Not an EJB?
>>
>> On 4/1/2014 5:00 AM, Nils Preusker wrote:
>>> Hi,
>>>
>>> I'm currently testing the @SecurityDomain("keycloak") and @RolesAllowed annotations on my JAX-RS services and was surprised to see that I get an HTTP 500 (internal server error) when a requesting user doesn't have the role that is required by @RolesAllowed. Is this intentional or a known issue, or am I doing something wrong in the config?
>>>
>>> I'm using Wildfly 8.0.0.Final with the default RestEasy module. Would upgrading RestEasy do the trick?
>>>
>>> Cheers,
>>> Nils
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Tue Apr 1 10:06:47 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 01 Apr 2014 16:06:47 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
In-Reply-To:
References:
Message-ID: <533AC7F7.7040401@redhat.com>

Hi,

It's ok to remove the KeycloakDS datasource from standalone.xml if you switch to the mongo model, but note that in this case you should also remove the file standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml.

If you remove just the datasource but keep persistence.xml, then the application server will automatically try to initialize JPA from the persistence.xml file, but in this case it won't work, as persistence.xml contains a reference to the KeycloakDS datasource, which is not available.

You need to either:
- Remove both KeycloakDS and the persistence.xml file (that's recommended, to have a bit faster startup time)
- Keep both the datasource and persistence.xml

Hope it helps,
Marek

On 1.4.2014 13:15, Davide Ungari wrote:
> Hi everybody,
> I'm trying to use keycloak with mongo.
>
> I followed the documentation:
> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167
>
> But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:
>
> 13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
> 13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}
>
> Suggestions?
>
> Thanks
>
> --
> Davide

From ungarida at gmail.com Tue Apr 1 11:14:29 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 1 Apr 2014 17:14:29 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
In-Reply-To: <533AC7F7.7040401@redhat.com>
References: <533AC7F7.7040401@redhat.com>
Message-ID:

Yes it helps! Now it works; maybe this information should be added to the documentation.

Thanks

--
Davide

On Tue, Apr 1, 2014 at 4:06 PM, Marek Posolda wrote:
> Hi,
>
> It's ok to remove the KeycloakDS datasource from standalone.xml if you switch to the mongo model, but note that in this case you should also remove the file standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml.
>
> If you remove just the datasource but keep persistence.xml, then the application server will automatically try to initialize JPA from the persistence.xml file, but in this case it won't work, as persistence.xml contains a reference to the KeycloakDS datasource, which is not available.
>
> You need to either:
> - Remove both KeycloakDS and the persistence.xml file (that's recommended, to have a bit faster startup time)
> - Keep both the datasource and persistence.xml
>
> Hope it helps,
> Marek
>
> On 1.4.2014 13:15, Davide Ungari wrote:
>> Hi everybody,
>> I'm trying to use keycloak with mongo.
>>
>> I followed the documentation:
>> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167
>>
>> But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:
>>
>> 13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>> 13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}
>>
>> Suggestions?
>>
>> Thanks
>>
>> --
>> Davide
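Marek's answer above leaves exactly two consistent states: keep both the KeycloakDS datasource and persistence.xml (JPA model), or remove both (mongo model). Either half-way state produces the JBAS014771 failure Davide pasted. The class below is an added example, not code from the thread or from Keycloak, that checks which of the four states an installation is in before WildFly is started. It assumes the WildFly layout and the two paths quoted in the thread, an exploded auth-server.war (as the persistence.xml path in the thread implies), and detects the datasource by searching standalone.xml for the KeycloakDS JNDI name that appears in the error message; the class, enum and method names are my own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not from the thread or from Keycloak): reports whether a
 * Keycloak-on-WildFly install is in one of the two consistent states Marek
 * describes, or in a half-way state that produces the JBAS014771 error.
 */
public class KeycloakPersistenceCheck {

    /** JNDI name taken from the "is missing [...]" part of the error in the thread. */
    static final String KEYCLOAK_DS_JNDI = "java:jboss/datasources/KeycloakDS";

    // Paths relative to WILDFLY_HOME, as quoted in the thread (assumes an exploded war).
    static final String STANDALONE_XML = "standalone/configuration/standalone.xml";
    static final String PERSISTENCE_XML =
            "standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml";

    enum State {
        JPA("datasource and persistence.xml both present: JPA model, consistent"),
        MONGO("datasource and persistence.xml both absent: mongo model, consistent"),
        MISSING_DATASOURCE("persistence.xml still present but KeycloakDS removed: "
                + "deployment will fail with JBAS014771; remove persistence.xml or restore the datasource"),
        MISSING_PERSISTENCE_XML("KeycloakDS still defined but persistence.xml removed: "
                + "the datasource is unused; remove it or restore persistence.xml");

        final String explanation;

        State(String explanation) {
            this.explanation = explanation;
        }
    }

    /** Classifies the installation rooted at wildflyHome. */
    static State check(Path wildflyHome) throws IOException {
        Path standaloneXml = wildflyHome.resolve(STANDALONE_XML);
        Path persistenceXml = wildflyHome.resolve(PERSISTENCE_XML);

        // A plain substring search is enough here: the JNDI name only occurs in
        // the <datasource jndi-name="..."> element that defines KeycloakDS.
        boolean hasDatasource = Files.isRegularFile(standaloneXml)
                && new String(Files.readAllBytes(standaloneXml), StandardCharsets.UTF_8)
                        .contains(KEYCLOAK_DS_JNDI);
        boolean hasPersistenceXml = Files.isRegularFile(persistenceXml);

        if (hasDatasource && hasPersistenceXml) {
            return State.JPA;
        }
        if (!hasDatasource && !hasPersistenceXml) {
            return State.MONGO;
        }
        return hasDatasource ? State.MISSING_PERSISTENCE_XML : State.MISSING_DATASOURCE;
    }

    public static void main(String[] args) throws IOException {
        Path home = Paths.get(args.length > 0 ? args[0] : ".");
        State state = check(home);
        System.out.println(state + ": " + state.explanation);
        // Non-zero exit lets a start script refuse to launch a half-configured server.
        System.exit(state == State.JPA || state == State.MONGO ? 0 : 1);
    }
}
```

Run it as `java KeycloakPersistenceCheck /path/to/wildfly` from a start script; only the two consistent states exit 0. If auth-server.war is deployed as an archive rather than exploded, the persistence.xml path will not exist on disk and the check would need to look inside the archive instead.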
From mposolda at redhat.com Tue Apr 1 11:53:14 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 01 Apr 2014 17:53:14 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
In-Reply-To:
References: <533AC7F7.7040401@redhat.com>
Message-ID: <533AE0EA.3080904@redhat.com>

It's already there if you look at http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167 (very last line).

Did you just overlook it, or is it not understandable that both actions are needed? I wonder if I should somehow rewrite this paragraph to emphasize that both things (removing the datasource and persistence.xml) are required? wdyt?

Marek

On 1.4.2014 17:14, Davide Ungari wrote:
> Yes it helps! Now it works; maybe this information should be added to the documentation.
>
> Thanks
>
> --
> Davide
>
> On Tue, Apr 1, 2014 at 4:06 PM, Marek Posolda wrote:
>> Hi,
>>
>> It's ok to remove the KeycloakDS datasource from standalone.xml if you switch to the mongo model, but note that in this case you should also remove the file standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml.
>>
>> If you remove just the datasource but keep persistence.xml, then the application server will automatically try to initialize JPA from the persistence.xml file, but in this case it won't work, as persistence.xml contains a reference to the KeycloakDS datasource, which is not available.
>>
>> You need to either:
>> - Remove both KeycloakDS and the persistence.xml file (that's recommended, to have a bit faster startup time)
>> - Keep both the datasource and persistence.xml
>>
>> Hope it helps,
>> Marek
>>
>> On 1.4.2014 13:15, Davide Ungari wrote:
>>> Hi everybody,
>>> I'm trying to use keycloak with mongo.
>>>
>>> I followed the documentation:
>>> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167
>>>
>>> But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:
>>>
>>> 13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>>> 13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}
>>>
>>> Suggestions?
>>>
>>> Thanks
>>>
>>> --
>>> Davide

From ungarida at gmail.com Tue Apr 1 12:06:04 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 1 Apr 2014 18:06:04 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
In-Reply-To: <533AE0EA.3080904@redhat.com>
References: <533AC7F7.7040401@redhat.com> <533AE0EA.3080904@redhat.com>
Message-ID:

It's my fault, I always read the documentation too fast.

I can suggest using an ordered list; maybe it could help to emphasize that there are 2 steps.

I'm sorry for the waste of time; again, it's my fault.
--
Davide

On Tue, Apr 1, 2014 at 5:53 PM, Marek Posolda wrote:
> It's already there if you look at http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167 (very last line).
>
> Did you just overlook it, or is it not understandable that both actions are needed? I wonder if I should somehow rewrite this paragraph to emphasize that both things (removing the datasource and persistence.xml) are required? wdyt?
>
> Marek
>
> On 1.4.2014 17:14, Davide Ungari wrote:
>> Yes it helps! Now it works; maybe this information should be added to the documentation.
>>
>> Thanks
>>
>> --
>> Davide
>>
>> On Tue, Apr 1, 2014 at 4:06 PM, Marek Posolda wrote:
>>> Hi,
>>>
>>> It's ok to remove the KeycloakDS datasource from standalone.xml if you switch to the mongo model, but note that in this case you should also remove the file standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml.
>>>
>>> If you remove just the datasource but keep persistence.xml, then the application server will automatically try to initialize JPA from the persistence.xml file, but in this case it won't work, as persistence.xml contains a reference to the KeycloakDS datasource, which is not available.
>>>
>>> You need to either:
>>> - Remove both KeycloakDS and the persistence.xml file (that's recommended, to have a bit faster startup time)
>>> - Keep both the datasource and persistence.xml
>>>
>>> Hope it helps,
>>> Marek
>>>
>>> On 1.4.2014 13:15, Davide Ungari wrote:
>>>> Hi everybody,
>>>> I'm trying to use keycloak with mongo.
>>>>
>>>> I followed the documentation:
>>>> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167
>>>>
>>>> But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:
>>>>
>>>> 13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>>>> 13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}
>>>>
>>>> Suggestions?
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> Davide

From mposolda at redhat.com Tue Apr 1 12:19:26 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 01 Apr 2014 18:19:26 +0200
Subject: [keycloak-user] MongoDB and removing datasource KeycloakDS
In-Reply-To:
References: <533AC7F7.7040401@redhat.com> <533AE0EA.3080904@redhat.com>
Message-ID: <533AE70E.70601@redhat.com>

No problem, everyone makes mistakes, and for me it's good to know that someone is using the mongo model :-)

Thanks for the suggestion, will try to improve the docs a bit to ensure that no one will make a similar mistake in the future.

Thanks,
Marek

On 1.4.2014 18:06, Davide Ungari wrote:
> It's my fault, I always read the documentation too fast.
>
> I can suggest using an ordered list; maybe it could help to emphasize that there are 2 steps.
>
> I'm sorry for the waste of time; again, it's my fault.
>
> --
> Davide
>
> On Tue, Apr 1, 2014 at 5:53 PM, Marek Posolda wrote:
>> It's already there if you look at http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167 (very last line).
>>
>> Did you just overlook it, or is it not understandable that both actions are needed? I wonder if I should somehow rewrite this paragraph to emphasize that both things (removing the datasource and persistence.xml) are required? wdyt?
>>
>> Marek
>>
>> On 1.4.2014 17:14, Davide Ungari wrote:
>>> Yes it helps! Now it works; maybe this information should be added to the documentation.
>>>
>>> Thanks
>>>
>>> --
>>> Davide
>>>
>>> On Tue, Apr 1, 2014 at 4:06 PM, Marek Posolda wrote:
>>>> Hi,
>>>>
>>>> It's ok to remove the KeycloakDS datasource from standalone.xml if you switch to the mongo model, but note that in this case you should also remove the file standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml.
>>>>
>>>> If you remove just the datasource but keep persistence.xml, then the application server will automatically try to initialize JPA from the persistence.xml file, but in this case it won't work, as persistence.xml contains a reference to the KeycloakDS datasource, which is not available.
>>>>
>>>> You need to either:
>>>> - Remove both KeycloakDS and the persistence.xml file (that's recommended, to have a bit faster startup time)
>>>> - Keep both the datasource and persistence.xml
>>>>
>>>> Hope it helps,
>>>> Marek
>>>>
>>>> On 1.4.2014 13:15, Davide Ungari wrote:
>>>>> Hi everybody,
>>>>> I'm trying to use keycloak with mongo.
>>>>>
>>>>> I followed the documentation:
>>>>> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html/server-installation.html#d4e167
>>>>>
>>>>> But removing datasource KeycloakDS from standalone/configuration/standalone.xml causes an error message:
>>>>>
>>>>> 13:10:56,838 INFO  [org.jboss.as.jpa] (MSC service thread 1-1) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>>>>> 13:10:57,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.persistenceunit.\"auth-server.war#jpa-keycloak-identity-store\".__FIRST_PHASE__ is missing [jboss.naming.context.java.jboss.datasources.KeycloakDS]"]}
>>>>>
>>>>> Suggestions?
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Davide

From n.preusker at gmail.com Tue Apr 1 15:16:04 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Tue, 1 Apr 2014 21:16:04 +0200
Subject: [keycloak-user] @RolesAllowed leads to HTTP 500 when user doesn't have the required role
In-Reply-To: <533ABB15.9090609@redhat.com>
References: <533AB7D0.3060907@redhat.com> <533ABB15.9090609@redhat.com>
Message-ID:

Hi Bill,

that did the trick, I just added an exception mapper. Thanks!

About the wildfly issue, can you share a link to it so I can track it? I'm quite eager to get this to work, since we want to deploy our war modules without security for test cases (in combination with arquillian).
So we just discard the web.xml in the test deployments and the roles allowed annotations are being ignored. But with the security domain annotation that would be a bit more tricky.

Cheers,
Nils

--
Blog: www.nilspreusker.de

> On Apr 1, 2014, at 15:11, Bill Burke wrote:
>
> I don't have a solution to getting rid of @SecurityDomain yet. What should happen is that the EJB should inherit the security domain of the WAR, but it doesn't. I opened a Wildfly bug and hopefully it will be fixed.
>
> As for this particular bug, it may just be that you have to write an ExceptionMapper and unwrap EJBException.
>
> Can you show the stack trace in the log?
>
>> On 4/1/2014 9:09 AM, Nils Preusker wrote:
>> Hey Bill,
>>
>> it is actually an EJB (@Stateless @Path(...)).
>>
>> Another question about this: You mention in the user guide that you are planning to improve the integration and get rid of the @SecurityDomain annotation. Are you currently working on this, or can you give me some estimate on which release this is planned for?
>>
>> Cheers,
>> Nils
>>
>> On Tue, Apr 1, 2014 at 2:57 PM, Bill Burke wrote:
>>
>> Just a regular JAX-RS class? Not an EJB?
>>
>>> On 4/1/2014 5:00 AM, Nils Preusker wrote:
>>> Hi,
>>>
>>> I'm currently testing the @SecurityDomain("keycloak") and @RolesAllowed annotations on my JAX-RS services and was surprised to see that I get an HTTP 500 (internal server error) when a requesting user doesn't have the role that is required by @RolesAllowed. Is this intentional or a known issue, or am I doing something wrong in the config?
>>>
>>> I'm using Wildfly 8.0.0.Final with the default RestEasy module. Would upgrading RestEasy do the trick?
>>>
>>> Cheers,
>>> Nils
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From juraci at kroehling.de Wed Apr 2 14:39:15 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 02 Apr 2014 20:39:15 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
Message-ID: <533C5953.4010505@kroehling.de>

Hello,

I've noticed that KC sets the CORS headers only during the pre-flight request, not on the regular requests. While this is in accordance with the documentation, I'm wondering if there's a reason for not sending the CORS headers for non-OPTIONS headers as well. As it currently is, I'd have to implement the CORS response filter in my application anyway, so I'm wondering in which scenarios I'd delegate this to KC.

By the way, it seems that setting "enable-cors" to false has no effect, as the headers are still being added by KC.

Juca.
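To close out the @RolesAllowed thread above: Nils's last message says that adding an exception mapper fixed the HTTP 500, following Bill's suggestion to write an ExceptionMapper and unwrap EJBException. The class below is an added example of such a mapper; it is not code from the thread, from Keycloak or from WildFly. It assumes the setup Nils describes (a JAX-RS resource that is a @Stateless EJB on WildFly 8, where a @RolesAllowed rejection surfaces as an EJBAccessException, possibly wrapped in an EJBException); the class and method names are my own.

```java
import javax.ejb.EJBAccessException;
import javax.ejb.EJBException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Added example (not from the thread, Keycloak or WildFly). With no mapper
 * registered, RESTEasy reports the unhandled EJB exception as a 500. This
 * mapper turns a @RolesAllowed rejection into 403 and keeps every other EJB
 * failure a 500, but one without a body, so no internals reach the client.
 */
@Provider
public class EjbExceptionMapper implements ExceptionMapper<EJBException> {

    @Override
    public Response toResponse(EJBException exception) {
        Throwable root = unwrap(exception);
        if (root instanceof EJBAccessException) {
            // Authenticated caller without a required role: forbidden, not a server error.
            // The Keycloak adapter has already answered unauthenticated callers with 401
            // before the EJB was ever invoked.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // Any other container failure: still a 500, without the exception message
        // or stack trace. Log the original exception server-side instead.
        return Response.serverError().build();
    }

    /**
     * Follows the cause chain through EJBException wrappers. EJBAccessException
     * is itself a subclass of EJBException, so the walk stops as soon as one is
     * reached rather than unwrapping past it.
     */
    static Throwable unwrap(EJBException exception) {
        Throwable current = exception;
        while (current instanceof EJBException
                && !(current instanceof EJBAccessException)
                && current.getCause() != null) {
            current = current.getCause();
        }
        return current;
    }
}
```

With an `Application` subclass that does not override `getClasses()`, the `@Provider` annotation is enough for RESTEasy to pick the mapper up from the deployment. Because `EJBAccessException` extends `EJBException`, this single mapper also catches the unwrapped case in which the container throws the access exception directly.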
From bburke at redhat.com Wed Apr 2 15:30:03 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 02 Apr 2014 15:30:03 -0400
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533C5953.4010505@kroehling.de>
References: <533C5953.4010505@kroehling.de>
Message-ID: <533C653B.7080908@redhat.com>

Which headers are we not sending back?

The way it works is that for non-authenticated requests we do handle pre-flight requests, but not regular requests. If the request is authenticated then we validate the origin vs. the allowed origins in the token.

On 4/2/2014 2:39 PM, Juraci Paixão Kröhling wrote:
> Hello,
>
> I've noticed that KC sets the CORS headers only during the pre-flight request, not on the regular requests. While this is in accordance with the documentation, I'm wondering if there's a reason for not sending the CORS headers for non-OPTIONS headers as well. As it currently is, I'd have to implement the CORS response filter in my application anyway, so I'm wondering in which scenarios I'd delegate this to KC.
>
> By the way, it seems that setting "enable-cors" to false has no effect, as the headers are still being added by KC.
>
> Juca.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraci at kroehling.de Thu Apr 3 02:37:28 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 03 Apr 2014 08:37:28 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533C653B.7080908@redhat.com>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com>
Message-ID: <533D01A8.9030900@kroehling.de>

On 04/02/2014 09:30 PM, Bill Burke wrote:
> Which headers are we not sending back?

The Access-Control-* headers for non-preflight requests (i.e. a POST). Without an additional filter at the application side that adds CORS headers to the non-OPTIONS requests, the browsers would prevent the webapp from reading the response.

I guess the question then is: why are the authenticated, non-preflight requests not handled? I might be wrong, but I think that KC already has all the information it needs to handle such requests, no?

Juca.
From bburke at redhat.com Thu Apr 3 09:25:35 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 03 Apr 2014 09:25:35 -0400
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533D01A8.9030900@kroehling.de>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de>
Message-ID: <533D614F.70301@redhat.com>

On 4/3/2014 2:37 AM, Juraci Paixão Kröhling wrote:
> On 04/02/2014 09:30 PM, Bill Burke wrote:
>> Which headers are we not sending back?
>
> The Access-Control-* headers for non-preflight requests (i.e. a POST). Without an additional filter at the application side that adds CORS headers to the non-OPTIONS requests, the browsers would prevent the webapp from reading the response.
>
> I guess the question then is: why are the authenticated, non-preflight requests not handled? I might be wrong, but I think that KC already has all the information it needs to handle such requests, no?

Authenticated, non-preflight requests are handled. Non-authenticated requests are not handled.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraci at kroehling.de Thu Apr 3 10:14:50 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 03 Apr 2014 16:14:50 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533D614F.70301@redhat.com>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com>
Message-ID: <533D6CDA.2030006@kroehling.de>

On 04/03/2014 03:25 PM, Bill Burke wrote:
> Authenticated, non-preflight requests are handled.
> Non-authenticated requests are not handled.

Ok, I'm not sure if you mean that the second part is for "non-preflight" as well. In any case, the authorization header is not sent on the preflight (understandably), so, I guess you meant "non-authenticated" on the first part.

A couple of requests/responses from my application, to illustrate what is currently happening:

Pre-flight (OPTIONS) request, without authentication (CORS sent)
- http://pastebin.com/45raBqy0

Non-preflight (POST), authenticated (no CORS sent):
http://pastebin.com/E9B6iaAE

Because of the second request, Chrome (and possibly other browsers) will not deliver the response to the web application, even though it executed the request (as it was allowed by the CORS from the first request).

Is this how it should be, or is there a bug somewhere?

- Juca.

From stian at redhat.com Thu Apr 3 10:20:08 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 3 Apr 2014 10:20:08 -0400 (EDT)
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533D6CDA.2030006@kroehling.de>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de>
Message-ID: <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com>

Have you specified any web origins for your application?

----- Original Message -----
> From: "Juraci Paixão Kröhling"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 3 April, 2014 3:14:50 PM
> Subject: Re: [keycloak-user] CORS only for OPTIONS?
>
> On 04/03/2014 03:25 PM, Bill Burke wrote:
> > Authenticated, non-preflight requests are handled.
> > Non-authenticated requests are not handled.
>
> Ok, I'm not sure if you mean that the second part is for
> "non-preflight" as well. In any case, the authorization header is not
> sent on the preflight (understandably), so, I guess you meant
> "non-authenticated" on the first part.
>
> A couple of requests/responses from my application, to illustrate what
> is currently happening:
>
> Pre-flight (OPTIONS) request, without authentication (CORS sent)
> - http://pastebin.com/45raBqy0
>
> Non-preflight (POST), authenticated (no CORS sent):
> http://pastebin.com/E9B6iaAE
>
> Because of the second request, Chrome (and possibly other browsers)
> will not deliver the response to the web application, even though it
> executed the request (as it was allowed by the CORS from the first
> request).
>
> Is this how it should be, or is there a bug somewhere?
>
> - Juca.
From juraci at kroehling.de Thu Apr 3 10:23:18 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 03 Apr 2014 16:23:18 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de> <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com>
Message-ID: <533D6ED6.2020909@kroehling.de>

Yes, there are two apps in the game:

- frontend, with http://127.0.0.1:9000 as an allowed origin
- backend, bearer-only, without origins defined

Frontend is an HTML-only application, while backend is a REST-only API.

- Juca.

On 04/03/2014 04:20 PM, Stian Thorgersen wrote:
> Have you specified any web origins for your application?
>
> ----- Original Message -----
>> From: "Juraci Paixão Kröhling"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 3 April, 2014 3:14:50 PM
>> Subject: Re: [keycloak-user] CORS only for OPTIONS?
>>
> On 04/03/2014 03:25 PM, Bill Burke wrote:
>>>> Authenticated, non-preflight requests are handled.
>>>> Non-authenticated requests are not handled.
>
> Ok, I'm not sure if you mean that the second part is for
> "non-preflight" as well. In any case, the authorization header is
> not sent on the preflight (understandably), so, I guess you meant
> "non-authenticated" on the first part.
>
> A couple of requests/responses from my application, to illustrate
> what is currently happening:
>
> Pre-flight (OPTIONS) request, without authentication (CORS sent)
> - http://pastebin.com/45raBqy0
>
> Non-preflight (POST), authenticated (no CORS sent):
> http://pastebin.com/E9B6iaAE
>
> Because of the second request, Chrome (and possibly other
> browsers) will not deliver the response to the web application,
> even though it executed the request (as it was allowed by the CORS
> from the first request).
>
> Is this how it should be, or is there a bug somewhere?
>
> - Juca.

From bburke at redhat.com Thu Apr 3 18:07:25 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 03 Apr 2014 18:07:25 -0400
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533D6ED6.2020909@kroehling.de>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de> <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com> <533D6ED6.2020909@kroehling.de>
Message-ID: <533DDB9D.9010203@redhat.com>

What he means is, did you register your web origins in the admin console for the realm's registered application?

On 4/3/2014 10:23 AM, Juraci Paixão Kröhling wrote:
> Yes, there are two apps in the game:
>
> - frontend, with http://127.0.0.1:9000 as an allowed origin
> - backend, bearer-only, without origins defined
>
> Frontend is an HTML-only application, while backend is a REST-only API.
>
> - Juca.
>
> On 04/03/2014 04:20 PM, Stian Thorgersen wrote:
>> Have you specified any web origins for your application?
>>
>> ----- Original Message -----
>>> From: "Juraci Paixão Kröhling"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Thursday, 3 April, 2014 3:14:50 PM
>>> Subject: Re: [keycloak-user] CORS only for OPTIONS?
>>>
>> On 04/03/2014 03:25 PM, Bill Burke wrote:
>>>>> Authenticated, non-preflight requests are handled.
>>>>> Non-authenticated requests are not handled.
>>
>> Ok, I'm not sure if you mean that the second part is for
>> "non-preflight" as well. In any case, the authorization header is
>> not sent on the preflight (understandably), so, I guess you meant
>> "non-authenticated" on the first part.
>>
>> A couple of requests/responses from my application, to illustrate
>> what is currently happening:
>>
>> Pre-flight (OPTIONS) request, without authentication (CORS sent)
>> - http://pastebin.com/45raBqy0
>>
>> Non-preflight (POST), authenticated (no CORS sent):
>> http://pastebin.com/E9B6iaAE
>>
>> Because of the second request, Chrome (and possibly other
>> browsers) will not deliver the response to the web application,
>> even though it executed the request (as it was allowed by the CORS
>> from the first request).
>>
>> Is this how it should be, or is there a bug somewhere?
>>
>> - Juca.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Fri Apr 4 03:55:28 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Fri, 4 Apr 2014 09:55:28 +0200
Subject: [keycloak-user] Tomcat / Jetty adapter

Hi everybody,
I developed a draft adapter for tomcat https://github.com/ungarida/keycloak/ . It is a copy of as7-eap and has a lot of dependencies from jboss, but it's working.
Does someone want to review it? Suggestions?

--
Davide

On Tue, Mar 18, 2014 at 10:48 PM, Davide Ungari wrote:
> I will take a look at the as7-eap adapter this weekend.
>
> As I will start development I will inform you on the developers list.
>
> --
> Davide

From juraci at kroehling.de Fri Apr 4 04:05:33 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 04 Apr 2014 10:05:33 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533DDB9D.9010203@redhat.com>
References: <533C5953.4010505@kroehling.de> <533C653B.7080908@redhat.com> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de> <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com> <533D6ED6.2020909@kroehling.de> <533DDB9D.9010203@redhat.com>
Message-ID: <533E67CD.5040507@kroehling.de>

Yes. In the admin console for my realm, I have two applications, as described before :-)

> - frontend, with http://127.0.0.1:9000 as an allowed origin
> - backend, bearer-only, without origins defined

Besides those two, there's a third application on the realm, which comes by default when creating the realm: "account".

- Juca.

On 04/04/2014 12:07 AM, Bill Burke wrote:
> What he means is, did you register your web origins in the admin
> console for the realm's registered application?
>
> On 4/3/2014 10:23 AM, Juraci Paixão Kröhling wrote:
> Yes, there are two apps in the game:
>
> - frontend, with http://127.0.0.1:9000 as an allowed origin
> - backend, bearer-only, without origins defined
>
> Frontend is an HTML-only application, while backend is a REST-only
> API.
From stian at redhat.com Mon Apr 7 08:41:22 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 7 Apr 2014 08:41:22 -0400 (EDT)
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <533E67CD.5040507@kroehling.de>
References: <533C5953.4010505@kroehling.de> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de> <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com> <533D6ED6.2020909@kroehling.de> <533DDB9D.9010203@redhat.com> <533E67CD.5040507@kroehling.de>
Message-ID: <1615628260.685891.1396874482654.JavaMail.zimbra@redhat.com>

The adapter doesn't load the CORS properties from the config. Updated with:
https://github.com/keycloak/keycloak/commit/2916cce6fb8c7a8b7797c255ec8209484c6f17dc

----- Original Message -----
> From: "Juraci Paixão Kröhling"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 4 April, 2014 9:05:33 AM
> Subject: Re: [keycloak-user] CORS only for OPTIONS?
>
> Yes. In the admin console for my realm, I have two applications, as
> described before :-)
>
> > - frontend, with http://127.0.0.1:9000 as an allowed origin
> > - backend, bearer-only, without origins defined
>
> Besides those two, there's a third application on the realm, which
> comes by default when creating the realm: "account".
>
> - Juca.
>
> On 04/04/2014 12:07 AM, Bill Burke wrote:
> > What he means is, did you register your web origins in the admin
> > console for the realm's registered application?
> >
> > On 4/3/2014 10:23 AM, Juraci Paixão Kröhling wrote:
> > Yes, there are two apps in the game:
> >
> > - frontend, with http://127.0.0.1:9000 as an allowed origin
> > - backend, bearer-only, without origins defined
> >
> > Frontend is an HTML-only application, while backend is a REST-only
> > API.

From juraci at kroehling.de Mon Apr 7 09:30:38 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 07 Apr 2014 15:30:38 +0200
Subject: [keycloak-user] CORS only for OPTIONS?
In-Reply-To: <1615628260.685891.1396874482654.JavaMail.zimbra@redhat.com>
References: <533C5953.4010505@kroehling.de> <533D01A8.9030900@kroehling.de> <533D614F.70301@redhat.com> <533D6CDA.2030006@kroehling.de> <670974874.6865477.1396534808793.JavaMail.zimbra@redhat.com> <533D6ED6.2020909@kroehling.de> <533DDB9D.9010203@redhat.com> <533E67CD.5040507@kroehling.de> <1615628260.685891.1396874482654.JavaMail.zimbra@redhat.com>
Message-ID: <5342A87E.4070202@kroehling.de>

Thanks Stian!
With the commit right after this one (aec8feab4) it works fine!

Juca.

On 04/07/2014 02:41 PM, Stian Thorgersen wrote:
> The adapter doesn't load the CORS properties from the config.
> Updated with:
>
> https://github.com/keycloak/keycloak/commit/2916cce6fb8c7a8b7797c255ec8209484c6f17dc

From kenny.goodridge at gmail.com Fri Apr 11 22:52:46 2014
From: kenny.goodridge at gmail.com (Ken Goodridge)
Date: Fri, 11 Apr 2014 22:52:46 -0400
Subject: [keycloak-user] Any plans to allow customization of EmailSender?

EmailSender hard-codes the messages in both sendEmailVerification and sendPasswordReset.

Am I right that there is no easy way to customize these?

If not, are there any future plans to allow it? Could it be rolled into the admin or the themes?

Other than that, I have been able to accomplish an amazing amount with just the 3rd alpha release. Keep up the good work.

Thanks,
Ken

From ungarida at gmail.com Sat Apr 12 04:58:39 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Sat, 12 Apr 2014 10:58:39 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on resteasy running on undertow

Hi everybody,
I configured keycloak with mongodb, then I secured frontend on Tomcat making an adapter.
I need to secure backend, it is a JAX-RS service based on resteasy and running on undertow.

I do not use EJB so I need some help to figure out the best way to implement security with keycloak in my scenario.

Suggestions?

--
Davide

From n.preusker at gmail.com Sat Apr 12 13:09:27 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Sat, 12 Apr 2014 19:09:27 +0200
Subject: [keycloak-user] REST API security

Hi all,

I'm trying to figure out how I could use keycloak to secure a REST API that is used by a pure backend REST client. Do you have any recommendations for that (i.e. API keys)?

Cheers,
Nils

From n.preusker at gmail.com Sun Apr 13 04:30:28 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Sun, 13 Apr 2014 10:30:28 +0200
Subject: [keycloak-user] REST API security

To clarify, I've been looking at the various clients in the examples and know that I can simply add an authorization header with a bearer token to the REST requests. However, as far as I understand the examples and the code, all the login flows are based on login forms and redirects. While this is convenient for web applications, I'm missing a simple way for a "headless" client to obtain a token in return for application credentials or an API key. Are you planning to support this kind of use case?

Cheers,
Nils

On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker wrote:
> Hi all,
>
> I'm trying to figure out how I could use keycloak to secure a REST API
> that is used by a pure backend REST client. Do you have any recommendations
> for that (i.e. API keys)?
>
> Cheers,
> Nils

From mposolda at redhat.com Mon Apr 14 02:44:22 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Apr 2014 08:44:22 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on resteasy running on undertow
Message-ID: <534B83C6.90702@redhat.com>

Hi Davide,

I think that exactly this is already addressed by our examples. You can take a look especially at this example https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service which is a JAX-RS service based on resteasy, which requires Bearer token authentication, so all requests sent to it from "frontend" applications like "customer-portal" or "product-portal" need to contain a header like: Authorization: Bearer .

You can try the existing set of examples to see how it all works together. See instructions in the README files under https://github.com/keycloak/keycloak/tree/master/examples/demo-template

Marek

On 12.4.2014 10:58, Davide Ungari wrote:
> Hi everybody,
> I configured keycloak with mongodb,
> then I secured frontend on Tomcat making an adapter.
>
> I need to secure backend, it is an JAX-RS service based on resteasy
> and running on undertow.
>
> I do not use EJB so I need some help to figure out the best way to
> implement security with keycloak in my scenario.
>
> Suggestions?
>
> --
> Davide
From mposolda at redhat.com Mon Apr 14 02:49:33 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Apr 2014 08:49:33 +0200
Subject: [keycloak-user] Any plans to allow customization of EmailSender?
Message-ID: <534B84FD.8000907@redhat.com>

On 12.4.2014 04:52, Ken Goodridge wrote:
>
> EmailSender hard-codes the messages in both sendEmailVerification
> and sendPasswordReset.
>
> Am I right that there is no easy way to customize these?
>
> If not, are there any future plans to allow it? Could it be rolled
> into the admin or the themes?

I think that there is a plan to "externalize" these messages, possibly to freemarker templates or a properties file, so that it will be easy to customize them. Just not sure when this is planned. Feel free to create a JIRA if there is not already an existing JIRA for this.

Thanks,
Marek

>
> Other than that, I have been able to accomplish an amazing amount
> with just the 3rd alpha release. Keep up the good work.
>
> Thanks,
> Ken

From ungarida at gmail.com Mon Apr 14 03:18:59 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Mon, 14 Apr 2014 09:18:59 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on resteasy running on undertow
In-Reply-To: <534B83C6.90702@redhat.com>
References: <534B83C6.90702@redhat.com>

Hi Marek,
I worked on it during the weekend.

Now my problem is the header like: Authorization: Bearer .

I'm running the frontend on Tomcat, I made an adapter for it https://github.com/ungarida/keycloak/, I adapted AS7.
Now I can not figure out how to retrieve the access token to include it in the JS that calls the JAX-RS service.

--
Davide

On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda wrote:
> Hi Davide,
>
> I think that this exactly is already addressed by our examples. You can
> take a look especially at this example
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service
> which is JAX-RS service based on resteasy, which requires Bearer
> token authentication, so all requests sent to it from "frontend"
> applications like "customer-portal" or "product-portal" need to contain
> header like: Authorization: Bearer .
>
> You can try existing set of examples to see how it all works together. See
> instructions in README files under
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template
>
> Marek
>
>
> On 12.4.2014 10:58, Davide Ungari wrote:
>
> Hi everybody,
> I configured keycloak with mongodb,
> then I secured frontend on Tomcat making an adapter.
>
> I need to secure backend, it is an JAX-RS service based on resteasy and
> running on undertow.
>
> I do not use EJB so I need some help to figure out the best way to
> implement security with keycloak in my scenario.
>
> Suggestions?
>
> --
> Davide
From mposolda at redhat.com Mon Apr 14 03:26:25 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Apr 2014 09:26:25 +0200
Subject: [keycloak-user] REST API security
Message-ID: <534B8DA1.70903@redhat.com>

Hi,

I would suggest looking at this endpoint https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L155 . I wonder whether this is something you are looking for, as it allows retrieving a token for some user in exchange for application and user credentials. It's de facto something described in the OAuth2 specs as the Resource Owner flow http://tools.ietf.org/html/rfc6749#page-37 .

So what I've just tried is this curl request:

curl --request POST http://localhost:8081/auth/rest/realms/myRealm/tokens/grants/access --data "client_id=myApp&client_secret=c52dc243-8004-4843-b03b-bc139fd3a6fc&username=john&password=password" --header "Accept: application/json" --header "Content-type: application/x-www-form-urlencoded"

where client_id and client_secret are the credentials of my application and username/password are the credentials of the user, and "myRealm" is the name of my realm where user "john" and application "myApp" are registered. Note that instead of client_id and client_secret you can also use the Authorization header (see the code for more details).

Marek

On 13.4.2014 10:30, Nils Preusker wrote:
> To clarify, I've been looking at the various clients in the examples
> and know that I can simply add an authorization header with a bearer
> token to the REST requests. However, as far as I understand the
> examples and the code, all the login flows are based on login forms
> and redirects. While this is convenient for web applications, I'm
> missing a simple way for a "headless" client to obtain a token in
> return for application credentials or an API key.
> Are you planning to
> support this kind of use case?
>
> Cheers,
> Nils
>
>
> On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker wrote:
>
> Hi all,
>
> I'm trying to figure out how I could use keycloak to secure a REST
> API that is used by a pure backend REST client. Do you have any
> recommendations for that (i.e. API keys)?
>
> Cheers,
> Nils

From mposolda at redhat.com Mon Apr 14 03:56:49 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Apr 2014 09:56:49 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on resteasy running on undertow
References: <534B83C6.90702@redhat.com>
Message-ID: <534B94C1.4080701@redhat.com>

On 14.4.2014 09:18, Davide Ungari wrote:
> Hi Marek,
> I worked on it during the weekend.
>
> Now my problem is the header like: Authorization: Bearer
> .
>
> I'm running the frontend on Tomcat, I made an adapter for it
> https://github.com/ungarida/keycloak/, I adapted AS7.
>
> Now I can not figure out how to retrieve the access token to include
> it in the JS that call the JAX-RS service.

If your frontend is a JEE application, then you can use something like this example is doing https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46 . Note that KeycloakSecurityContext is added automatically to the request by the adapter of your frontend application (in this case the customer-portal application, which is just a simple servlet JEE application). So you need to make sure that your Tomcat adapter is adding it as well.
You can take a deeper look at the existing examples and try them on AS7 for inspiration. I think that your Tomcat adapter should be quite similar to the already existing AS7 adapter, as AS7 is using jboss-web, which is de facto Tomcat stuff :-)

Marek

>
> --
> Davide
>
> On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda wrote:
>
> Hi Davide,
>
> I think that this exactly is already addressed by our examples.
> You can take a look especially at this example
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service
> which is JAX-RS service based on resteasy, which requires
> Bearer token authentication, so all requests sent to it from
> "frontend" applications like "customer-portal" or "product-portal"
> need to contain header like: Authorization: Bearer
> .
>
> You can try existing set of examples to see how it all works
> together. See instructions in README files under
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template
>
> Marek
>
>
> On 12.4.2014 10:58, Davide Ungari wrote:
>> Hi everybody,
>> I configured keycloak with mongodb,
>> then I secured frontend on Tomcat making an adapter.
>>
>> I need to secure backend, it is an JAX-RS service based on
>> resteasy and running on undertow.
>>
>> I do not use EJB so I need some help to figure out the best way
>> to implement security with keycloak in my scenario.
>>
>> Suggestions?
>>
>> --
>> Davide
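A headless client for the direct-grant request Marek gave a few messages up (the curl call to /auth/rest/realms/myRealm/tokens/grants/access), as an added example rather than code from the thread or the Keycloak project: it posts the same form, supports the Authorization-header alternative for the application credentials that Marek mentions, and is exercised offline against a constructed fake of the endpoint. The JSON field names (access_token, token_type) are the standard OAuth2 ones and are an assumption about this alpha's response; the secret and token values are placeholders.

```python
import base64
import json
from typing import Callable, Dict, Tuple
from urllib import request
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode

# A transport takes (url, form_body, headers) and returns (http_status, response_body).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


class TokenError(Exception):
    """Raised when the token endpoint does not hand out a usable bearer token."""


def build_grant_request(base_url, realm, client_id, client_secret, username, password,
                        client_auth_in_header=False):
    """(url, body, headers) for the Resource Owner Password Credentials grant.

    client_auth_in_header=True sends the application credentials as HTTP Basic
    instead of form fields (the alternative Marek mentions); the user credentials
    are always form fields."""
    # Same path as the curl request in the thread (Keycloak 1.0 alpha layout).
    url = f"{base_url.rstrip('/')}/auth/rest/realms/{realm}/tokens/grants/access"
    form = {"username": username, "password": password}
    headers = {"Accept": "application/json",
               "Content-type": "application/x-www-form-urlencoded"}
    if client_auth_in_header:
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return url, urlencode(form).encode(), headers


def parse_grant_response(status: int, body: bytes) -> str:
    """Extract access_token; anything but a 200 carrying a bearer token is an error."""
    if status != 200:
        raise TokenError(f"token endpoint returned HTTP {status}: {body[:200]!r}")
    data = json.loads(body)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "bearer")).lower() != "bearer":
        raise TokenError("response carries no bearer access_token")
    return token


def obtain_access_token(base_url, realm, client_id, client_secret, username, password,
                        transport: Transport, client_auth_in_header=False) -> str:
    """One round trip to the direct-grant endpoint over the given transport."""
    url, body, headers = build_grant_request(base_url, realm, client_id, client_secret,
                                             username, password, client_auth_in_header)
    status, resp = transport(url, body, headers)
    return parse_grant_response(status, resp)


def bearer_headers(token: str) -> Dict[str, str]:
    # What a bearer-only backend such as database-service expects on every call.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport for a live server; credentials in the body mean https only."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:  # non-2xx responses still carry a JSON error body
        return err.code, err.read()


# Constructed stand-in for the thread's realm "myRealm", app "myApp" and user "john".
FAKE_CLIENT_SECRET = "placeholder-client-secret"
FAKE_TOKEN = "constructed.access.token"


def fake_keycloak_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Emulates the endpoint: checks the realm path, then client, then user credentials."""
    if not url.endswith("/auth/rest/realms/myRealm/tokens/grants/access"):
        return 404, b'{"error":"realm_not_found"}'
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    client_id, client_secret = form.get("client_id"), form.get("client_secret")
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):  # client authenticated via header instead of form
        client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    if (client_id, client_secret) != ("myApp", FAKE_CLIENT_SECRET):
        return 400, b'{"error":"invalid_client"}'
    if (form.get("username"), form.get("password")) != ("john", "password"):
        return 400, b'{"error":"invalid_grant"}'
    return 200, json.dumps({"access_token": FAKE_TOKEN, "token_type": "bearer",
                            "expires_in": 300}).encode()


if __name__ == "__main__":
    token = obtain_access_token("http://localhost:8081", "myRealm", "myApp",
                                FAKE_CLIENT_SECRET, "john", "password",
                                transport=fake_keycloak_transport)
    print(bearer_headers(token))
```

Swap fake_keycloak_transport for urllib_transport to run the same exchange against a real server; a 400 from the endpoint surfaces as TokenError rather than being mistaken for a token.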
From n.preusker at gmail.com Mon Apr 14 05:36:50 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Mon, 14 Apr 2014 11:36:50 +0200
Subject: [keycloak-user] REST API security
In-Reply-To: <534B8DA1.70903@redhat.com>
References: <534B8DA1.70903@redhat.com>

Thanks Marek, I'll look into that!

Nils

On Mon, Apr 14, 2014 at 9:26 AM, Marek Posolda wrote:
> Hi,
>
> I would suggest to look at this endpoint
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L155 .
> I wonder that this is something you are looking for as it allows to
> retrieve token for some user in exchange to application and user
> credentials. It's defacto something described in OAuth2 specs in Resource
> Owner flow http://tools.ietf.org/html/rfc6749#page-37 .
>
> So what I've just tried is this curl request:
> curl --request POST
> http://localhost:8081/auth/rest/realms/myRealm/tokens/grants/access --data
> "client_id=myApp&client_secret=c52dc243-8004-4843-b03b-bc139fd3a6fc&username=john&password=password"
> --header "Accept: application/json" --header "Content-type:
> application/x-www-form-urlencoded"
>
> where client_id and client_secret are credentials of my application and
> username/password are credentials of user and "myRealm" is name of my realm
> where user "john" and application "myApp" are registered. Note that instead
> of client_id and client_secret you can also use Authorization header (see
> the code for more details)
>
> Marek
>
>
>
> On 13.4.2014 10:30, Nils Preusker wrote:
>
> To clarify, I've been looking at the various clients in the examples and
> know that I can simply add an authorization header with a bearer token to
> the REST requests. However, as far as I understand the examples and the
> code, all the login flows are based on login forms and redirects.
While > this is convenient for web applications, I'm missing a simple way for a > "headless" client to obtain a token in return for application credentials > or an API key. Are you planning to support this kind of use case? > > Cheers, > Nils > > > On Sat, Apr 12, 2014 at 7:09 PM, Nils Preusker wrote: > >> Hi all, >> >> I'm trying to figure out how I could use keycloak to secure a REST API >> that is used bu a pure backend REST client. Do you have any recommendations >> for that (i.e. API keys)? >> >> Cheers, >> Nils >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140414/2f160cb0/attachment.html From bburke at redhat.com Mon Apr 14 09:32:12 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 14 Apr 2014 09:32:12 -0400 Subject: [keycloak-user] REST API security In-Reply-To: References: Message-ID: <534BE35C.1060407@redhat.com> Bearer token security. Take a look at the examples, specifically the database-service. This is a pure REST service secured by keyloak. At the moment, we only have support for JBoss/Wildfly, but it wouldn't take much to write an adapter for another java environment. On 4/12/2014 1:09 PM, Nils Preusker wrote: > Hi all, > > I'm trying to figure out how I could use keycloak to secure a REST API > that is used bu a pure backend REST client. Do you have any > recommendations for that (i.e. API keys)? 
>
> Cheers,
> Nils

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Apr 14 09:34:03 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 14 Apr 2014 09:34:03 -0400
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
In-Reply-To:
References:
Message-ID: <534BE3CB.1000608@redhat.com>

On 4/12/2014 4:58 AM, Davide Ungari wrote:
> Hi everybody,
> I configured keycloak with mongodb,
> then I secured frontend on Tomcat making an adapter.

You made a Tomcat adapter? Want to share?

> I need to secure backend, it is a JAX-RS service based on resteasy and running on undertow.
>
> I do not use EJB so I need some help to figure out the best way to implement security with keycloak in my scenario.

Running on Undertow alone or Undertow within Wildfly?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Mon Apr 14 10:34:49 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Mon, 14 Apr 2014 16:34:49 +0200
Subject: [keycloak-user] REST API security
In-Reply-To: <534BE35C.1060407@redhat.com>
References: <534BE35C.1060407@redhat.com>
Message-ID:

Hi Bill,

I'm familiar with the examples, however I'm looking for a way to grant third-party clients access to my API. Since they could be written in a variety of languages, I'd like them to be able to obtain a token in a defined way without being dependent on Keycloak.

I suppose the approach Marek mentioned (OAuth spec section 4.3) should do the trick though (as long as you are planning to continue supporting it).

Cheers,
Nils

On Mon, Apr 14, 2014 at 3:32 PM, Bill Burke wrote:
> Bearer token security. Take a look at the examples, specifically the database-service. This is a pure REST service secured by keycloak.
> > At the moment, we only have support for JBoss/Wildfly, but it wouldn't > take much to write an adapter for another java environment. > > On 4/12/2014 1:09 PM, Nils Preusker wrote: > > Hi all, > > > > I'm trying to figure out how I could use keycloak to secure a REST API > > that is used bu a pure backend REST client. Do you have any > > recommendations for that (i.e. API keys)? > > > > Cheers, > > Nils > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140414/92f7dd60/attachment.html From bburke at redhat.com Mon Apr 14 10:39:14 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 14 Apr 2014 10:39:14 -0400 Subject: [keycloak-user] REST API security In-Reply-To: References: <534BE35C.1060407@redhat.com> Message-ID: <534BF312.1040809@redhat.com> You could use section 4.1 (Auth code grant) or 4.3 (Resource Owner Password Credentials Grant) with any OAuth library. 4.1 will require a browser. 4.3 doesn't. We will always support OAuth 2.0 through OpenID Connect. On 4/14/2014 10:34 AM, Nils Preusker wrote: > Hi Bill, > > I'm familiar with the examples, however I'm looking for a way to grant > third-party clients access to my API. Since they could be written in a > variety of languages, I'd like them to be able to obtain a token in a > defined way without being dependent on Keycloak. > > I suppose the approach Marek mentioned (OAuth spec section 4.3) should > do the trick though (as long as you are planning to continue supporting it). 
> > Cheers, > Nils > > > On Mon, Apr 14, 2014 at 3:32 PM, Bill Burke > wrote: > > Bearer token security. Take a look at the examples, specifically the > database-service. This is a pure REST service secured by keyloak. > > At the moment, we only have support for JBoss/Wildfly, but it wouldn't > take much to write an adapter for another java environment. > > On 4/12/2014 1:09 PM, Nils Preusker wrote: > > Hi all, > > > > I'm trying to figure out how I could use keycloak to secure a > REST API > > that is used bu a pure backend REST client. Do you have any > > recommendations for that (i.e. API keys)? > > > > Cheers, > > Nils > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From n.preusker at gmail.com Mon Apr 14 12:14:33 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Mon, 14 Apr 2014 18:14:33 +0200 Subject: [keycloak-user] REST API security In-Reply-To: <534BF312.1040809@redhat.com> References: <534BE35C.1060407@redhat.com> <534BF312.1040809@redhat.com> Message-ID: Hi Bill, ok, so 4.3 seems to be the way to go for us. Did I understand you correctly that keycloak will continue to support this? Cheers, Nils On Mon, Apr 14, 2014 at 4:39 PM, Bill Burke wrote: > You could use section 4.1 (Auth code grant) or 4.3 (Resource Owner > Password Credentials Grant) with any OAuth library. 4.1 will require a > browser. 4.3 doesn't. 
> > We will always support OAuth 2.0 through OpenID Connect. > > On 4/14/2014 10:34 AM, Nils Preusker wrote: > > Hi Bill, > > > > I'm familiar with the examples, however I'm looking for a way to grant > > third-party clients access to my API. Since they could be written in a > > variety of languages, I'd like them to be able to obtain a token in a > > defined way without being dependent on Keycloak. > > > > I suppose the approach Marek mentioned (OAuth spec section 4.3) should > > do the trick though (as long as you are planning to continue supporting > it). > > > > Cheers, > > Nils > > > > > > On Mon, Apr 14, 2014 at 3:32 PM, Bill Burke > > wrote: > > > > Bearer token security. Take a look at the examples, specifically the > > database-service. This is a pure REST service secured by keyloak. > > > > At the moment, we only have support for JBoss/Wildfly, but it > wouldn't > > take much to write an adapter for another java environment. > > > > On 4/12/2014 1:09 PM, Nils Preusker wrote: > > > Hi all, > > > > > > I'm trying to figure out how I could use keycloak to secure a > > REST API > > > that is used bu a pure backend REST client. Do you have any > > > recommendations for that (i.e. API keys)? 
> > > > > > Cheers, > > > Nils > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140414/a75ff201/attachment.html From bburke at redhat.com Mon Apr 14 16:09:11 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 14 Apr 2014 16:09:11 -0400 Subject: [keycloak-user] REST API security In-Reply-To: References: <534BE35C.1060407@redhat.com> <534BF312.1040809@redhat.com> Message-ID: <534C4067.1080502@redhat.com> Yes. On 4/14/2014 12:14 PM, Nils Preusker wrote: > Hi Bill, > > ok, so 4.3 seems to be the way to go for us. Did I understand you > correctly that keycloak will continue to support this? > > Cheers, > Nils > > > On Mon, Apr 14, 2014 at 4:39 PM, Bill Burke > wrote: > > You could use section 4.1 (Auth code grant) or 4.3 (Resource Owner > Password Credentials Grant) with any OAuth library. 4.1 will require a > browser. 4.3 doesn't. > > We will always support OAuth 2.0 through OpenID Connect. 
> > On 4/14/2014 10:34 AM, Nils Preusker wrote: > > Hi Bill, > > > > I'm familiar with the examples, however I'm looking for a way to > grant > > third-party clients access to my API. Since they could be written > in a > > variety of languages, I'd like them to be able to obtain a token in a > > defined way without being dependent on Keycloak. > > > > I suppose the approach Marek mentioned (OAuth spec section 4.3) > should > > do the trick though (as long as you are planning to continue > supporting it). > > > > Cheers, > > Nils > > > > > > On Mon, Apr 14, 2014 at 3:32 PM, Bill Burke > > >> wrote: > > > > Bearer token security. Take a look at the examples, > specifically the > > database-service. This is a pure REST service secured by > keyloak. > > > > At the moment, we only have support for JBoss/Wildfly, but it > wouldn't > > take much to write an adapter for another java environment. > > > > On 4/12/2014 1:09 PM, Nils Preusker wrote: > > > Hi all, > > > > > > I'm trying to figure out how I could use keycloak to secure a > > REST API > > > that is used bu a pure backend REST client. Do you have any > > > recommendations for that (i.e. API keys)? 
>>> Cheers,
>>> Nils
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Mon Apr 14 19:01:50 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 15 Apr 2014 01:01:50 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
In-Reply-To: <534B94C1.4080701@redhat.com>
References: <534B83C6.90702@redhat.com> <534B94C1.4080701@redhat.com>
Message-ID:

Thanks Marek,
the information I needed was in these lines:

KeycloakSecurityContext session = (KeycloakSecurityContext) getServletRequest().getAttribute(KeycloakSecurityContext.class.getName());
String token = session.getIdTokenString();

I use this token to add a header to every call:

$httpProvider.defaults.headers.common.Authorization = 'Bearer ' + keycloak.token;

I see my backend is authenticating the call, in fact:
2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer AUTHENTICATED

Now I have a different issue, that I hope you can help me to figure out.

On the browser I see two calls:
1- one I don't expect, it is an OPTIONS call
2- one I expected, it fails, it is a GET call

I try to do the second call directly with cURL:
curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://localhost:8080/dashboard/' -H 'Origin: http://localhost:8080' -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed

And the response is:
ErrorForbidden

If I try:
curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, text/plain, */*'

The response is:
ErrorUnauthorized%

What am I doing wrong?

I tried to play with the annotation @RolesAllowed("user") on the JAX-RS but it does not make a difference.

--
Davide

On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda wrote:
> On 14.4.2014 09:18, Davide Ungari wrote:
> Hi Marek,
> I worked on it during the weekend.
>
> Now my problem is the header like: Authorization: Bearer .
>
> I'm running the frontend on Tomcat, I made an adapter for it https://github.com/ungarida/keycloak/, I adapted AS7.
> > Now I can not figure out how to retrieve the access token to include it > in the JS that call the JAX-RS service. > > If your frontend is JEE application, then you can use something like this > example is doing > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46. Note that KeycloakSecurityContext > is added automatically to request by the adapter of your frontend > application (In this case customer-portal application, which is just simple > servlet JEE application). So you need to make sure that your Tomcat adapter > is adding it as well. > > You can take a deeper look at existing examples and try them on AS7 for > inspiration. I think that your Tomcat adapter should be quite similar to > the already existing AS7 adapter as AS7 is using jboss-web, which is > defacto Tomcat stuff :-) > > Marek > > > > > -- > Davide > > > On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda wrote: > >> Hi Davide, >> >> I think that this exactly is already addressed by our examples. You can >> take a look especially at this example >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-servicewhich is JAX-RS service service based on resteasy, which requires Bearer >> token authentication, so all requests sent to it from "frontend" >> applications like "customer-portal" or "product-portal" need to contain >> header like: Authorization: Bearer . >> >> You can try existing set of examples to see how it all works together. >> See instructions in README files under >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template >> >> Marek >> >> >> On 12.4.2014 10:58, Davide Ungari wrote: >> >> Hi everybody, >> I configured keycloak with mongodb, >> then I secured frontend on Tomcat making an adapter. >> >> I need to secure backend, it is an JAX-RS service based on resteasy and >> running on undertow. 
>> >> I do not use EJB so I need some help to figure out the best way to >> implement security with keycloak in my scenario. >> >> Suggestions? >> >> -- >> Davide >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/7b54070c/attachment-0001.html From bburke at redhat.com Mon Apr 14 19:05:14 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 14 Apr 2014 19:05:14 -0400 Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow In-Reply-To: References: <534B83C6.90702@redhat.com> <534B94C1.4080701@redhat.com> Message-ID: <534C69AA.3000407@redhat.com> On 4/14/2014 7:01 PM, Davide Ungari wrote: > Thanks Marek, > the information I need were these lines : > > KeycloakSecurityContext session = (KeycloakSecurityContext) > getServletRequest().getAttribute(KeycloakSecurityContext.class.getName()); > String token = session.getIdTokenString(); > > I use this token to add an header to every call: > > $httpProvider.defaults.headers.common.Authorization = 'Bearer > '+keycloak.token; > > > I see my backend is authenticating the call infact: > 2014-04-15 00:00:52,868|INFO |adapters.RequestAuthenticator|Bearer > AUTHENTICATED > > > Now I have a different issue, that I hope you can help to figure out. > I don't understand what the flow is below. In your flow above you said your server is making a call to the backend service with the token and is authenticated correctly, right? What I don't understand is what you are doing below. Are you saying you have a Browser client (Javascript) making a call to your backend? 
> On the browser I see two calls: > 1- I dont expect, it is an OPTIONS call > > 2- I expected, it fails is a GET call > > I try to do the second call directly with cURL: > curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, > text/plain, */*' -H 'Referer: http://localhost:8080/dashboard/' -H > 'Origin: http://localhost:8080' -H 'Authorization: Bearer > eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI2ZWIwYzc1Mi1kZTc2LTQ1ZjQtYTAxNi1mMTQ1OTZmMTc1OTUiLCJleHAiOjEzOTc1MTYyMTgsIm5iZiI6MCwiaWF0IjoxMzk3NTE1OTE4LCJpc3MiOiJiaWxsZHJhd2VyIiwiYXVkIjoiYmlsbGRyYXdlciIsInN1YiI6IjQyNGZlZDlkLTk3MDQtNDUwNS04NTcwLWQ4N2I5MWVjNDM1NCIsImF6cCI6IndlYnNpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZGUifQ.epRcVbsN_wS44uOMOCyCQ6qkj8JAFn875-N_QYIakom4SPFYBWjU9jS9eBdXsvltwlT-NjlmCOlzbjGT32ZN0bj-_oQ449G9pN35tzzIN0_HXM14cIGdyOchluu4DQz3W6ZKF5m1jm6aFmwPD39ld_Zn7yGoBPPh_3qaYNFy-wl8YJBCCb34BvSRLZhtGdcVLYT4EJW8Y3R_YSnybrPqKr8eJOriLWOl-VOAJrtxT-MAvTDo0rXSubvpZF1CwQKuXHC9AkJ-NM582puVUZkZXt0AgBGJOjxlV7zJr4hLPYaXUG9JX2KMQUMvkhpXuug_tmu1ZR43UnxwLzoJey9C2Q' > -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36' --compressed > And the response is: > ErrorForbidden > > If I try: > curl 'http://localhost:8000/1/documents/' -H 'Accept: application/json, > text/plain, */*' The response is: > ErrorUnauthorized% > > > > What am I doing wrong? > > I tried to put play with annotation @RolesAllowed("user") on the JAX-RS > but it does not the difference. > > > > -- > Davide > > > On Mon, Apr 14, 2014 at 9:56 AM, Marek Posolda > wrote: > > On 14.4.2014 09:18, Davide Ungari wrote: >> Hi Marek, >> I worked on it during the weekend. >> >> Now my problem is the header like: Authorization: Bearer >> . >> >> I'm running the frontend on Tomcat, I made an adapter for it >> https://github.com/ungarida/keycloak/, I adapted AS7. >> >> Now I can not figure out how to retrieve the access token to >> include it in the JS that call the JAX-RS service. 
> If your frontend is JEE application, then you can use something like > this example is doing > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L46 > . Note that KeycloakSecurityContext is added automatically to > request by the adapter of your frontend application (In this case > customer-portal application, which is just simple servlet JEE > application). So you need to make sure that your Tomcat adapter is > adding it as well. > > You can take a deeper look at existing examples and try them on AS7 > for inspiration. I think that your Tomcat adapter should be quite > similar to the already existing AS7 adapter as AS7 is using > jboss-web, which is defacto Tomcat stuff:-) > > Marek >> >> >> >> -- >> Davide >> >> >> On Mon, Apr 14, 2014 at 8:44 AM, Marek Posolda >> > wrote: >> >> Hi Davide, >> >> I think that this exactly is already addressed by our >> examples. You can take a look especially at this example >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/database-service >> which is JAX-RS service service based on resteasy, which >> requires Bearer token authentication, so all requests sent to >> it from "frontend" applications like "customer-portal" or >> "product-portal" need to contain header like: Authorization: >> Bearer . >> >> You can try existing set of examples to see how it all works >> together. See instructions in README files under >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template >> >> Marek >> >> >> On 12.4.2014 10:58, Davide Ungari wrote: >>> Hi everybody, >>> I configured keycloak with mongodb, >>> then I secured frontend on Tomcat making an adapter. >>> >>> I need to secure backend, it is an JAX-RS service based on >>> resteasy and running on undertow. >>> >>> I do not use EJB so I need some help to figure out the best >>> way to implement security with keycloak in my scenario. 
>>> Suggestions?
>>>
>>> --
>>> Davide

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Mon Apr 14 19:09:55 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 15 Apr 2014 01:09:55 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
Message-ID:

Hi Bill!

> You made a Tomcat adapter? Want to share?

You can find it here: https://github.com/ungarida/keycloak/
It's a copy and paste from AS7 and it has a lot of dependencies on JBOSS stuff, but if you give me some suggestions I can work on it.

> Running on Undertow alone or Undertow within Wildfly?

The backend is running on an embedded Undertow. I like it when the backend is so lightweight, I feel like it is more scalable and sustainable.

--
Davide

From ungarida at gmail.com Mon Apr 14 19:43:22 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 15 Apr 2014 01:43:22 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
Message-ID:

Hi Bill,
it's a mixed approach, maybe this is confusing you.

> I don't understand what the flow is below. In your flow above you said your server is making a call to the backend service with the token and is authenticated correctly, right?

My frontend is a WAR running on Tomcat and it is secured by keycloak.

> What I don't understand is what you are doing below. Are you saying you have a Browser client (Javascript) making a call to your backend?

The WAR also serves an AngularJS dashboard; in this dashboard I "inject" the token from the server but then I make client side calls.

The flow is:
1- The user calls http://.../dashboard
2- The frontend server redirects to the keycloak login
3- Keycloak authenticates the user and redirects to the frontend server
4- The frontend server serves the AngularJS dashboard injecting the token
5- The client side dashboard makes ajax calls to the backend to load data

At point 5 I see my backend is logging that the call is AUTHENTICATED but on the client side I see the response is failing.

--
Davide

From ungarida at gmail.com Tue Apr 15 02:16:40 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 15 Apr 2014 08:16:40 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
Message-ID:

I think my problem is the same as the thread with subject "CORS only for OPTIONS?"

I tried to pull the last updates from https://github.com/keycloak/keycloak but there is something not working. Which is the last working commit on the master?

--
Davide

From n.preusker at gmail.com Tue Apr 15 04:22:44 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Tue, 15 Apr 2014 10:22:44 +0200
Subject: [keycloak-user] Sharing users
Message-ID:

Hi, I have a question regarding user management and sharing access to the keycloak database between applications.

While the keycloak admin console can be used to manage users, other applications may also need to access the user database. Is there a recommended way of accomplishing this?
I've been experimenting with adding keycloak-model-jpa to my .war as a dependency and looking at the bootstrapping in org.keycloak.services.resources.KeycloakApplication. However, I wasn't able to get it to work yet and have the feeling that I might be going the wrong way here.

Any hints?

Cheers,
Nils

From stian at redhat.com Tue Apr 15 04:30:57 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 15 Apr 2014 04:30:57 -0400 (EDT)
Subject: [keycloak-user] Sharing users
In-Reply-To:
References:
Message-ID: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com>

At some point we'll add Java and REST APIs for user management. This will also include being able to register listeners for user events (for example user created, user deleted, etc).

In the meantime I don't see any issues with using keycloak-model-jpa directly, especially not for read only. This API will quite likely change between versions, and we won't support any backwards compatibility. The "official" user management API once it's ready will be more stable, but I'm not sure when we'll have time to implement that.

----- Original Message -----
> From: "Nils Preusker"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 15 April, 2014 9:22:44 AM
> Subject: [keycloak-user] Sharing users
>
> Hi, I have a question regarding user management and sharing access to the keycloak database between applications.
>
> While the keycloak admin console can be used to manage users, other applications may also need to access the user database. Is there a recommended way of accomplishing this?
>
> I've been experimenting with adding keycloak-model-jpa to my .war as a dependency and looking at the bootstrapping in org.keycloak.services.resources.KeycloakApplication.
However, I wasn't able > to get it to work yet and have the feeling that I might be going the wrong > way here. > > Any hints? > > Cheers, > Nils > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From n.preusker at gmail.com Tue Apr 15 04:47:49 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 15 Apr 2014 10:47:49 +0200 Subject: [keycloak-user] Sharing users In-Reply-To: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, thanks for the quick reply! That sounds good, lack of backwards compatibility goes without saying :) So is the bootstrapping done in org.keycloak.services.resources.KeycloakApplication the right place to look at? Cheers, Nils On Tue, Apr 15, 2014 at 10:30 AM, Stian Thorgersen wrote: > At some point we'll add a Java and REST api's for user management. This > will also include being able to register listeners for user events (for > example user created, user deleted, etc). > > In the mean time I don't see any issues with using keycloak-model-jpa > directly, especially not for read only. This API will quite likely change > between versions, and we won't support any backwards compatibility. The > "official" user management API once it's ready will be more stable, but I'm > not sure when we'll have time to implement that. > > ----- Original Message ----- > > From: "Nils Preusker" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 15 April, 2014 9:22:44 AM > > Subject: [keycloak-user] Sharing users > > > > Hi, I have a question regarding user management and sharing access to the > > keycloak database between applications. > > > > While the keycloak admin console can be used to manage users, other > > applications may also need to access the user database. Is there a > > recommended way of accomplishing this? 
> > > > I've been experimenting with adding keycloak-model-jpa to my .war as a > > dependency and looking at the bootstrapping in > > org.keycloak.services.resources.KeycloakApplication. However, I wasn't > able > > to get it to work yet and have the feeling that I might be going the > wrong > > way here. > > > > Any hints? > > > > Cheers, > > Nils > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/107438ec/attachment-0001.html From stian at redhat.com Tue Apr 15 04:55:15 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 15 Apr 2014 04:55:15 -0400 (EDT) Subject: [keycloak-user] Sharing users In-Reply-To: References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> Message-ID: <156676420.5696448.1397552115809.JavaMail.zimbra@redhat.com> Yep, https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/KeycloakApplication.java#L108 ----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 15 April, 2014 9:47:49 AM > Subject: Re: [keycloak-user] Sharing users > > Hi Stian, thanks for the quick reply! That sounds good, lack of backwards > compatibility goes without saying :) So is the bootstrapping done in > org.keycloak.services.resources.KeycloakApplication the right place to look > at? > > Cheers, > Nils > > > On Tue, Apr 15, 2014 at 10:30 AM, Stian Thorgersen < stian at redhat.com > > wrote: > > > At some point we'll add a Java and REST api's for user management. This will > also include being able to register listeners for user events (for example > user created, user deleted, etc). 
> > In the mean time I don't see any issues with using keycloak-model-jpa > directly, especially not for read only. This API will quite likely change > between versions, and we won't support any backwards compatibility. The > "official" user management API once it's ready will be more stable, but I'm > not sure when we'll have time to implement that. > > ----- Original Message ----- > > From: "Nils Preusker" < n.preusker at gmail.com > > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 15 April, 2014 9:22:44 AM > > Subject: [keycloak-user] Sharing users > > > > Hi, I have a question regarding user management and sharing access to the > > keycloak database between applications. > > > > While the keycloak admin console can be used to manage users, other > > applications may also need to access the user database. Is there a > > recommended way of accomplishing this? > > > > I've been experimenting with adding keycloak-model-jpa to my .war as a > > dependency and looking at the bootstrapping in > > org.keycloak.services.resources.KeycloakApplication. However, I wasn't able > > to get it to work yet and have the feeling that I might be going the wrong > > way here. > > > > Any hints? > > > > Cheers, > > Nils > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Apr 15 05:28:43 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 15 Apr 2014 11:28:43 +0200 Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow In-Reply-To: References: Message-ID: <534CFBCB.3030808@redhat.com> Hi Davide, I would suggest to change your flow a bit. 
You have frontend JEE servlet application, which is authenticated with Keycloak. So I think that you don't need any Keycloak accessTokens to be shared with your AngularJS dashboard at all. I would suggest that your AngularJS dashboard won't communicate directly with your JAX-RS backend application, but instead it will communicate just with your servlet JEE application, which will then re-send request to JAX-RS application with the usage of KeycloakSecurityContext as shown in the customer-portal example. So assuming that your frontend application is on "http://localhost:8080/frontend" and your JAX-RS is at "http://localhost:8080/backend" you can do:

1- The user call http://.../frontend
2- The frontend server redirects to the keycloak login
3- Keycloak authenticates the user and redirects to frontend server
4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.

So your frontend app will be de facto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion.

Marek

On 15.4.2014 01:43, Davide Ungari wrote:
> Hi Bill,
> it's a mixed approach, maybe this is confusing you.
> > I don't understand what the flow is below.
> > In your flow above you said
> > your server is making a call to the backend service with the token and
> > is authenticated correctly, right?
> My frontend is a WAR running on Tomcat and it is secured by keycloak.
> > What I don't understand is what you are doing below. Are you saying you
> > have a Browser client (Javascript) making a call to your backend?
> The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
> The flow is:
> 1- The user call http://.../dashboard
> 2- The frontend server redirects to the keycloak login
> 3- Keycloak authenticates the user and redirects to frontend server
> 4- The frontend server serves the AngularJS dashboard injecting the token
> 5- The client side dashboard makes ajax calls to the backend to load data
> At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
> --
> Davide
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/dc0e791f/attachment.html

From ungarida at gmail.com Tue Apr 15 05:51:03 2014 From: ungarida at gmail.com (Davide Ungari) Date: Tue, 15 Apr 2014 11:51:03 +0200 Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow In-Reply-To: <534CFBCB.3030808@redhat.com> References: <534CFBCB.3030808@redhat.com> Message-ID:

Hi Marek, I started thinking to a public REST API because I want to offer this service also to third parties, but I see your point. I must organize in a different way the authentication of my frontend and then the authentication of third parties. Thanks for your suggestions, they are very welcome.
--
Davide

On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda wrote:
> Hi Davide,
>
> I would suggest to change your flow a bit. You have frontend JEE servlet
> application, which is authenticated with Keycloak. So I think that you
> don't need any Keycloak accessTokens to be shared with your AngularJS
> dashboard at all. I would suggest that your AngularJS dashboard won't
> communicate directly with your JAX-RS backend application, but instead it
> will communicate just with your servlet JEE application, which will then
> re-send request to JAX-RS application with the usage of
> KeycloakSecurityContext as shown in the customer-portal example. So
> assuming that your frontend application is on
> "http://localhost:8080/frontend" and
> your JAX-RS is at "http://localhost:8080/backend" you can do:
>
> 1- The user call http://.../frontend
>
> 2- The frontend server redirects to the keycloak login
>
> 3- Keycloak authenticates the user and redirects to frontend server
>
> 4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
>
> 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
>
> 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
>
> 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>
> So your frontend app will be de facto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like
> refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion.
>
> Marek
>
>
> On 15.4.2014 01:43, Davide Ungari wrote:
> > Hi Bill, it's a mixed approach, maybe this is confusing you.
> > > I don't understand what the flow is below. In your flow above you said
> > > your server is making a call to the backend service with the token and
> > > is authenticated correctly, right?
> > My frontend is a WAR running on Tomcat and it is secured by keycloak.
> > > What I don't understand is what you are doing below. Are you saying you
> > > have a Browser client (Javascript) making a call to your backend?
> > The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
> > The flow is:
> > 1- The user call http://.../dashboard
> > 2- The frontend server redirects to the keycloak login
> > 3- Keycloak authenticates the user and redirects to frontend server
> > 4- The frontend server serves the AngularJS dashboard injecting the token
> > 5- The client side dashboard makes ajax calls to the backend to load data
> > At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
> > --
> > Davide
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/0c0d6c3e/attachment.html

From stian at redhat.com Tue Apr 15 07:28:35 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 15 Apr 2014 07:28:35 -0400 (EDT) Subject: [keycloak-user] Any plans to allow customization of EmailSender? In-Reply-To: <534B84FD.8000907@redhat.com> References: <534B84FD.8000907@redhat.com> Message-ID: <317757664.5749169.1397561315178.JavaMail.zimbra@redhat.com>

I can confirm that the plan is to add customization of emails using FreeMarker templates.
Not sure when we'll get around to adding it though. ----- Original Message ----- > From: "Marek Posolda" > To: "Ken Goodridge" , keycloak-user at lists.jboss.org > Sent: Monday, 14 April, 2014 7:49:33 AM > Subject: Re: [keycloak-user] Any plans to allow customization of EmailSender? > > On 12.4.2014 04:52, Ken Goodridge wrote: > > > > > EmailSender hard-codes the messages in both sendEmailVerification and > sendPasswordReset. > > Am I right that there is no easy way to customize these? > > If not, are there any future plans to allow it? Could it be rolled into the > admin or the themes? > I think that there is plan to "externalize" these messages possibly to > freemarker templates or properties file, so that it will be easy to > customize them. Just not sure when this is planned. Feel free to create JIRA > if there is not already existing JIRA for this. > > Thanks, > Marek > > > > > Other than that, I have been able to accomplish an amazing amount with just > the 3rd alpha release. Keep up the good work. > > Thanks, > Ken > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Tue Apr 15 09:10:45 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 15 Apr 2014 09:10:45 -0400 Subject: [keycloak-user] Sharing users In-Reply-To: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> Message-ID: <534D2FD5.4090902@redhat.com> IMO, you should not use the model directly in your applications. The management REST API gives you full access to security metadata. Use that. 
Plus, in the very near future (after beta-1 release) we'll be implementing a cache and if you are modifying data directly, there will be possibilities of this cache using stale data. On 4/15/2014 4:30 AM, Stian Thorgersen wrote: > At some point we'll add a Java and REST api's for user management. This will also include being able to register listeners for user events (for example user created, user deleted, etc). > > In the mean time I don't see any issues with using keycloak-model-jpa directly, especially not for read only. This API will quite likely change between versions, and we won't support any backwards compatibility. The "official" user management API once it's ready will be more stable, but I'm not sure when we'll have time to implement that. > > ----- Original Message ----- >> From: "Nils Preusker" >> To: keycloak-user at lists.jboss.org >> Sent: Tuesday, 15 April, 2014 9:22:44 AM >> Subject: [keycloak-user] Sharing users >> >> Hi, I have a question regarding user management and sharing access to the >> keycloak database between applications. >> >> While the keycloak admin console can be used to manage users, other >> applications may also need to access the user database. Is there a >> recommended way of accomplishing this? >> >> I've been experimenting with adding keycloak-model-jpa to my .war as a >> dependency and looking at the bootstrapping in >> org.keycloak.services.resources.KeycloakApplication. However, I wasn't able >> to get it to work yet and have the feeling that I might be going the wrong >> way here. >> >> Any hints? 
>> >> Cheers, >> Nils >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Tue Apr 15 10:08:55 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 15 Apr 2014 10:08:55 -0400 Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow In-Reply-To: References: <534CFBCB.3030808@redhat.com> Message-ID: <534D3D77.8080906@redhat.com> We do support CORS, you just have to enable it at the adapter level and set up the allowed origins for each application in the management console. On 4/15/2014 5:51 AM, Davide Ungari wrote: > Hi Marek, > I started thinking to a public REST API because I want to offer this > service also to third parties, but I see your point. > I must organize in a different way the authentication of my frontend and > then the authentication of third parties. > > Thank for your suggestions are very welcome. > > > -- > Davide > > > On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda > wrote: > > Hi Davide, > > I would suggest to change your flow a bit. You have frontend JEE > servlet application, which is authenticated with Keycloak. So I > think that you don't need any Keycloak accessTokens to be shared > with your AngularJS dashboard at all. I would suggest that your > AngularJS dashboard won't communicate directly with your JAX-RS > backend application, but instead it will communicate just with your > servlet JEE application, which will then re-send request to JAX-RS > application with the usage of KeycloakSecurityContext as shown in > the customer-portal example. 
> So assuming that your frontend
> application is on
> "http://localhost:8080/frontend"
> and your JAX-RS is at "http://localhost:8080/backend"
> you can do:
>
> 1- The user call http://.../frontend
>
> 2- The frontend server redirects to the keycloak login
>
> 3- Keycloak authenticates the user and redirects to frontend server
>
> 4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
>
> 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
>
> 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
>
> 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>
> So your frontend app will be de facto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like
> refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion.
>
> Marek
>
>
> On 15.4.2014 01:43, Davide Ungari wrote:
>> Hi Bill,
>> it's a mixed approach, maybe this is confusing you.
>> > I don't understand what the flow is below. In your flow above you said
>> > your server is making a call to the backend service with the token and
>> > is authenticated correctly, right?
>> My frontend is a WAR running on Tomcat and it is secured by keycloak.
>> > What I don't understand is what you are doing below. Are you saying you
>> > have a Browser client (Javascript) making a call to your backend?
>> The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
>> The flow is:
>> 1- The user call http://.../dashboard
>> 2- The frontend server redirects to the keycloak login
>> 3- Keycloak authenticates the user and redirects to frontend server
>> 4- The frontend server serves the AngularJS dashboard injecting the token
>> 5- The client side dashboard makes ajax calls to the backend to load data
>> At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
>> --
>> Davide
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Tue Apr 15 10:41:02 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 15 Apr 2014 16:41:02 +0200 Subject: [keycloak-user] Sharing users In-Reply-To: <534D2FD5.4090902@redhat.com> References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> <534D2FD5.4090902@redhat.com> Message-ID:

By management REST API you mean the API the admin console uses?

Just to make sure I understand your suggestion correctly:

* I would use the management REST API (same API the admin console uses) from my backend application
* my backend application would need a user ("application user") within the keycloak-admin realm
* when accessing the management REST API, I would add an "Authorization: Bearer ..." header with the token I can obtain from .../auth/rest/realms/MY-REALM/tokens/grants/access

Cheers,
Nils

On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke wrote:
> IMO, you should not use the model directly in your applications. The
> management REST API gives you full access to security metadata. Use
> that.
Plus, in the very near future (after beta-1 release) we'll be > implementing a cache and if you are modifying data directly, there will > be possibilities of this cache using stale data. > > On 4/15/2014 4:30 AM, Stian Thorgersen wrote: > > At some point we'll add a Java and REST api's for user management. This > will also include being able to register listeners for user events (for > example user created, user deleted, etc). > > > > In the mean time I don't see any issues with using keycloak-model-jpa > directly, especially not for read only. This API will quite likely change > between versions, and we won't support any backwards compatibility. The > "official" user management API once it's ready will be more stable, but I'm > not sure when we'll have time to implement that. > > > > ----- Original Message ----- > >> From: "Nils Preusker" > >> To: keycloak-user at lists.jboss.org > >> Sent: Tuesday, 15 April, 2014 9:22:44 AM > >> Subject: [keycloak-user] Sharing users > >> > >> Hi, I have a question regarding user management and sharing access to > the > >> keycloak database between applications. > >> > >> While the keycloak admin console can be used to manage users, other > >> applications may also need to access the user database. Is there a > >> recommended way of accomplishing this? > >> > >> I've been experimenting with adding keycloak-model-jpa to my .war as a > >> dependency and looking at the bootstrapping in > >> org.keycloak.services.resources.KeycloakApplication. However, I wasn't > able > >> to get it to work yet and have the feeling that I might be going the > wrong > >> way here. > >> > >> Any hints? 
> >> > >> Cheers, > >> Nils > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/9fdd9b49/attachment.html From bburke at redhat.com Tue Apr 15 10:45:26 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 15 Apr 2014 10:45:26 -0400 Subject: [keycloak-user] Sharing users In-Reply-To: References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> <534D2FD5.4090902@redhat.com> Message-ID: <534D4606.3010909@redhat.com> User information can be obtained from the IDToken within KeycloakSecurityContext. You can setup what information is in the IDToken via the claims page in each application/oauth client. For other user requests (like changing passwords), use the Account Service. Every authenticated user has permission to access this REST API by default. On 4/15/2014 10:41 AM, Nils Preusker wrote: > By management REST API you mean the API the admin console uses? > > Just to make sure I understand your suggestion correctly: > > * I would use the management REST API (same API the admin console uses) > from my backend application > * my backend application would need a user ("application user") within > the keycloak-admin realm > * when accessing the management REST API, I would add an "Authorization: > Bearer ..." 
header with the token I can obtain from > .../auth/rest/realms/MY-REALM/tokens/grants/access > > Cheers, > Nils > > > > On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke > wrote: > > IMO, you should not use the model directly in your applications. The > management REST API gives you full access to security metadata. Use > that. Plus, in the very near future (after beta-1 release) we'll be > implementing a cache and if you are modifying data directly, there will > be possibilities of this cache using stale data. > > On 4/15/2014 4:30 AM, Stian Thorgersen wrote: > > At some point we'll add a Java and REST api's for user > management. This will also include being able to register listeners > for user events (for example user created, user deleted, etc). > > > > In the mean time I don't see any issues with using > keycloak-model-jpa directly, especially not for read only. This API > will quite likely change between versions, and we won't support any > backwards compatibility. The "official" user management API once > it's ready will be more stable, but I'm not sure when we'll have > time to implement that. > > > > ----- Original Message ----- > >> From: "Nils Preusker" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Tuesday, 15 April, 2014 9:22:44 AM > >> Subject: [keycloak-user] Sharing users > >> > >> Hi, I have a question regarding user management and sharing > access to the > >> keycloak database between applications. > >> > >> While the keycloak admin console can be used to manage users, other > >> applications may also need to access the user database. Is there a > >> recommended way of accomplishing this? > >> > >> I've been experimenting with adding keycloak-model-jpa to my > .war as a > >> dependency and looking at the bootstrapping in > >> org.keycloak.services.resources.KeycloakApplication. However, I > wasn't able > >> to get it to work yet and have the feeling that I might be going > the wrong > >> way here. > >> > >> Any hints? 
> >> > >> Cheers, > >> Nils > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From n.preusker at gmail.com Tue Apr 15 11:04:48 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 15 Apr 2014 17:04:48 +0200 Subject: [keycloak-user] Sharing users In-Reply-To: <534D4606.3010909@redhat.com> References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> <534D2FD5.4090902@redhat.com> <534D4606.3010909@redhat.com> Message-ID: Hi Bill, thanks, I wasn't fully aware of the AccountService. However, we'll need to implement a user management page within our application that gives access to all users and role mappings within the realm. So I suppose I would either have to access the admin console back-end via REST with a keycloak-admin-realm user or use the JPA entities from keycloak-model-jpa directly. I would assume that this is a pretty standard use case though. After all, the only alternative would be exposing the admin console to end users. Or am I missing something? Cheers, Nils On Tue, Apr 15, 2014 at 4:45 PM, Bill Burke wrote: > User information can be obtained from the IDToken within > KeycloakSecurityContext. 
You can setup what information is in the > IDToken via the claims page in each application/oauth client. > > For other user requests (like changing passwords), use the Account > Service. Every authenticated user has permission to access this REST > API by default. > > On 4/15/2014 10:41 AM, Nils Preusker wrote: > > By management REST API you mean the API the admin console uses? > > > > Just to make sure I understand your suggestion correctly: > > > > * I would use the management REST API (same API the admin console uses) > > from my backend application > > * my backend application would need a user ("application user") within > > the keycloak-admin realm > > * when accessing the management REST API, I would add an "Authorization: > > Bearer ..." header with the token I can obtain from > > .../auth/rest/realms/MY-REALM/tokens/grants/access > > > > Cheers, > > Nils > > > > > > > > On Tue, Apr 15, 2014 at 3:10 PM, Bill Burke > > wrote: > > > > IMO, you should not use the model directly in your applications. The > > management REST API gives you full access to security metadata. Use > > that. Plus, in the very near future (after beta-1 release) we'll be > > implementing a cache and if you are modifying data directly, there > will > > be possibilities of this cache using stale data. > > > > On 4/15/2014 4:30 AM, Stian Thorgersen wrote: > > > At some point we'll add a Java and REST api's for user > > management. This will also include being able to register listeners > > for user events (for example user created, user deleted, etc). > > > > > > In the mean time I don't see any issues with using > > keycloak-model-jpa directly, especially not for read only. This API > > will quite likely change between versions, and we won't support any > > backwards compatibility. The "official" user management API once > > it's ready will be more stable, but I'm not sure when we'll have > > time to implement that. 
> > > > > > ----- Original Message ----- > > >> From: "Nils Preusker" > > > > >> To: keycloak-user at lists.jboss.org > > > > >> Sent: Tuesday, 15 April, 2014 9:22:44 AM > > >> Subject: [keycloak-user] Sharing users > > >> > > >> Hi, I have a question regarding user management and sharing > > access to the > > >> keycloak database between applications. > > >> > > >> While the keycloak admin console can be used to manage users, > other > > >> applications may also need to access the user database. Is there > a > > >> recommended way of accomplishing this? > > >> > > >> I've been experimenting with adding keycloak-model-jpa to my > > .war as a > > >> dependency and looking at the bootstrapping in > > >> org.keycloak.services.resources.KeycloakApplication. However, I > > wasn't able > > >> to get it to work yet and have the feeling that I might be going > > the wrong > > >> way here. > > >> > > >> Any hints? > > >> > > >> Cheers, > > >> Nils > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/388f09d7/attachment-0001.html

From bburke at redhat.com Tue Apr 15 11:43:35 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 15 Apr 2014 11:43:35 -0400 Subject: [keycloak-user] Sharing users In-Reply-To: References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> <534D2FD5.4090902@redhat.com> <534D4606.3010909@redhat.com> Message-ID: <534D53A7.2090601@redhat.com>

On 4/15/2014 11:04 AM, Nils Preusker wrote:
> Hi Bill,
>
> thanks, I wasn't fully aware of the AccountService. However, we'll need
> to implement a user management page within our application that gives
> access to all users and role mappings within the realm. So I suppose I
> would either have to access the admin console back-end via REST with a
> keycloak-admin-realm user or use the JPA entities from
> keycloak-model-jpa directly.
>
> I would assume that this is a pretty standard use case though. After
> all, the only alternative would be exposing the admin console to end
> users. Or am I missing something?
>

The Aerogear UPS project is bundling Keycloak with it. They are rebranding the admin console and allowing Aerogear admins to access the admin console. It's up to you, but why recreate what we already have in Keycloak?
Bill

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Tue Apr 15 12:34:49 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 15 Apr 2014 18:34:49 +0200 Subject: [keycloak-user] Sharing users In-Reply-To: <534D53A7.2090601@redhat.com> References: <693872090.5685635.1397550657581.JavaMail.zimbra@redhat.com> <534D2FD5.4090902@redhat.com> <534D4606.3010909@redhat.com> <534D53A7.2090601@redhat.com> Message-ID:

Interesting, thanks for the info!

On Tue, Apr 15, 2014 at 5:43 PM, Bill Burke wrote:
>
>
> On 4/15/2014 11:04 AM, Nils Preusker wrote:
> > Hi Bill,
> >
> > thanks, I wasn't fully aware of the AccountService. However, we'll need
> > to implement a user management page within our application that gives
> > access to all users and role mappings within the realm. So I suppose I
> > would either have to access the admin console back-end via REST with a
> > keycloak-admin-realm user or use the JPA entities from
> > keycloak-model-jpa directly.
> >
> > I would assume that this is a pretty standard use case though. After
> > all, the only alternative would be exposing the admin console to end
> > users. Or am I missing something?
> >
>
> The Aerogear UPS project is bundling Keycloak with it. They are
> rebranding the admin console and allowing Aerogear admins to access the
> admin console. It's up to you, but why recreate what we already have in
> Keycloak?
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
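Marek's proxy flow and Bill's pointer to the IDToken inside KeycloakSecurityContext both come down to the same servlet-side code in the Keycloak-secured JEE frontend, so here is one added example that serves both threads above. It is not code from Keycloak, from the customer-portal example, or from any poster on the list; it assumes the Keycloak servlet adapter of that era exposes org.keycloak.KeycloakSecurityContext as a request attribute (with getTokenString(), getToken() and getIdToken()), that IDToken offers getPreferredUsername(), and the /api/* mapping and backend URL are made up.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.IDToken;

/**
 * Frontend-side proxy for the flow Marek describes (added example, not Keycloak code).
 * The adapter has already logged the browser session in, so the AngularJS dashboard
 * only ever calls /api/... on the frontend and never sees a token. Each call is
 * forwarded to the JAX-RS backend with the session's access token as a Bearer header,
 * and the backend's status code is relayed unchanged, so a 401/403 from the backend
 * surfaces as such in the browser instead of turning into a 500.
 */
@WebServlet("/api/*")
public class BackendProxyServlet extends HttpServlet {

    // Assumed backend location; Marek's example uses http://localhost:8080/backend.
    static final String BACKEND_BASE = "http://localhost:8080/backend";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The Keycloak servlet adapter stores the security context as a request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // Not authenticated by the adapter: refuse rather than forward anonymously.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String method = req.getMethod();
        if (!"GET".equals(method) && !"POST".equals(method)) {
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // Only the path below /api is forwarded, and only onto BACKEND_BASE, so this
        // servlet cannot be turned into an open proxy; ".." is rejected as a precaution.
        String path = req.getPathInfo() == null ? "/" : req.getPathInfo();
        if (path.contains("..")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String query = req.getQueryString();
        URL target = new URL(BACKEND_BASE + path + (query == null ? "" : "?" + query));

        // Who is calling, read from the IDToken claims (configured per application on
        // the claims page); handy for the frontend's own audit log.
        IDToken idToken = ctx.getIdToken();
        String user = idToken != null ? idToken.getPreferredUsername() : ctx.getToken().getSubject();
        log("forwarding " + method + " " + target + " for user " + user);

        // Note: the browser's Cookie/Authorization headers are deliberately NOT copied;
        // the backend only ever sees the Bearer token the adapter manages (and refreshes).
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
        String accept = req.getHeader("Accept");
        conn.setRequestProperty("Accept", accept == null ? "*/*" : accept);

        if ("POST".equals(method)) {
            conn.setDoOutput(true);
            if (req.getContentType() != null) {
                conn.setRequestProperty("Content-Type", req.getContentType());
            }
            try (InputStream in = req.getInputStream(); OutputStream out = conn.getOutputStream()) {
                copy(in, out);
            }
        }

        // Relay status and body; getErrorStream() carries the body of 4xx/5xx responses.
        int status = conn.getResponseCode();
        resp.setStatus(status);
        if (conn.getContentType() != null) {
            resp.setContentType(conn.getContentType());
        }
        InputStream body = status >= 400 ? conn.getErrorStream() : conn.getInputStream();
        if (body != null) {
            try (InputStream in = body; OutputStream out = resp.getOutputStream()) {
                copy(in, out);
            }
        }
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
    }
}
```

Because the token never reaches the browser, the CORS and token-refresh concerns from the thread disappear, and a backend that rejects the token answers the dashboard with the real 401/403.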
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140415/93288511/attachment.html From n.preusker at gmail.com Tue Apr 22 06:55:33 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 22 Apr 2014 12:55:33 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing Message-ID: Hi guys, I'm just setting up an integration test project for our application and I'm wondering what's the best way to bootstrap keycloak within it. I'm using arquillian for testing and I'm using the maven-dependency-plugin and maven-resources-plugin to put together a wildfly instance with the keycloak-wildfly-adapter. So far, that approach works nicely. However, I'm not quite sure yet how to go about * importing a realm and * creating a bearer/ access token to use in the test cases One approach would be to deploy the auth-server.war (is there a mvn repository to pull it from?), POST the realm to the respective URL of the admin console and do the authentication the same way (POST http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). Alternatively, I suppose I could deploy a small helper war or jar that accesses the core services of keycloak to import the realm and create test access tokens (some convenience method like "createLogin()" in a test utility that is deployed with shrink wrap maybe). Which option do you recommend or is there a third one that I'm missing? Cheers, Nils -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140422/e702ec13/attachment.html From mposolda at redhat.com Wed Apr 23 03:25:48 2014 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 23 Apr 2014 09:25:48 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: Message-ID: <53576AFC.7000400@redhat.com> Hi Nils, On 22.4.2014 12:55, Nils Preusker wrote: > Hi guys, > > I'm just setting up an integration test project for our application > and I'm wondering what's the best way to bootstrap keycloak within it. > > I'm using arquillian for testing and I'm using the > maven-dependency-plugin and maven-resources-plugin to put together a > wildfly instance with the keycloak-wildfly-adapter. > > So far, that approach works nicely. However, I'm not quite sure yet > how to go about > > * importing a realm and > * creating a bearer/ access token to use in the test cases > > One approach would be to deploy the auth-server.war (is there a mvn > repository to pull it from?), POST the realm to the respective URL of > the admin console and do the authentication the same way (POST > http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). Looks like it's not. The WAR is here just for Alpha1 https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ but not for later releases, which looks like a bug IMO. Can you create JIRA for it? I think it won't be bad if release will include all the artifacts including docs and distribution stuff (like WAR and full Wildfly appliance) > > Alternatively, I suppose I could deploy a small helper war or jar that > accesses the core services of keycloak to import the realm and create > test access tokens (some convenience method like "createLogin()" in a > test utility that is deployed with shrink wrap maybe). > > Which option do you recommend or is there a third one that I'm missing? 
Maybe it will be interesting for you that we have integration testsuite https://github.com/keycloak/keycloak/tree/master/testsuite/integration . This testsuite is using embedded Undertow server and it programmatically deploys Keycloak server on it. You can take a look at KeycloakServer class and also at individual tests to see how it works. The point is that it's embedded, so test classes have access to KeycloakSessionFactory inside KeycloakSetup actions and so they can directly use the model API to setup needed things. For example in LoginTest, you can see that there is some setup action, which creates new user with usage of Keycloak model API: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 and then there is selenium test, which verifies that this user is able to login: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 Maybe you can reuse some parts of our testsuite and programmaticaly deploy Keycloak server in similar way like it's done here (not sure if it's possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). If you still don't have access to Keycloak model API, you can maybe write some selenium utils, which will do needed setup in KC admin console UI... Another alternative might be that you will use 2 servers in your testsuite. Your wildfly server with adapter installed will be on localhost:8080 (you have it already running) and KC server will be on localhost:8081 (You can directly reuse our testsuite for setup this). Good luck and let me know if still having issues. Btw. we don't have any integration tests for admin console and real AS7 and Wildfly adapters AFAIK. 
So it would be nice if you can share your work once you have your testsuite up and running:-) Marek > > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140423/01e342e7/attachment.html From n.preusker at gmail.com Wed Apr 23 05:25:06 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Wed, 23 Apr 2014 11:25:06 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: <53576AFC.7000400@redhat.com> References: <53576AFC.7000400@redhat.com> Message-ID: Thanks Marek, I've created a JIRA issue about the missing war in the maven repo: https://issues.jboss.org/browse/KEYCLOAK-424 I'll have a look at the integration test suite and let you know what I came up with. Cheers, Nils On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda wrote: > Hi Nils, > > > On 22.4.2014 12:55, Nils Preusker wrote: > > Hi guys, > > I'm just setting up an integration test project for our application and > I'm wondering what's the best way to bootstrap keycloak within it. > > I'm using arquillian for testing and I'm using the > maven-dependency-plugin and maven-resources-plugin to put together a > wildfly instance with the keycloak-wildfly-adapter. > > So far, that approach works nicely. However, I'm not quite sure yet how > to go about > > * importing a realm and > * creating a bearer/ access token to use in the test cases > > One approach would be to deploy the auth-server.war (is there a mvn > repository to pull it from?), POST the realm to the respective URL of the > admin console and do the authentication the same way (POST > http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). > > Looks like it's not. 
The WAR is here just for Alpha1 > https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/but not for later releases, which looks like a bug IMO. Can you create JIRA > for it? I think it won't be bad if release will include all the artifacts > including docs and distribution stuff (like WAR and full Wildfly appliance) > > > Alternatively, I suppose I could deploy a small helper war or jar that > accesses the core services of keycloak to import the realm and create test > access tokens (some convenience method like "createLogin()" in a test > utility that is deployed with shrink wrap maybe). > > Which option do you recommend or is there a third one that I'm missing? > > Maybe it will be interesting for you that we have integration testsuite > https://github.com/keycloak/keycloak/tree/master/testsuite/integration . > This testsuite is using embedded Undertow server and it programmatically > deploys Keycloak server on it. You can take a look at KeycloakServer class > and also at individual tests to see how it works. The point is that it's > embedded, so test classes have access to KeycloakSessionFactory inside > KeycloakSetup actions and so they can directly use the model API to setup > needed things. > > For example in LoginTest, you can see that there is some setup action, > which creates new user with usage of Keycloak model API: > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54and then there is selenium test, which verifies that this user is able to > login: > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 > > Maybe you can reuse some parts of our testsuite and programmaticaly deploy > Keycloak server in similar way like it's done here (not sure if it's > possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). 
If you > still don't have access to Keycloak model API, you can maybe write some > selenium utils, which will do needed setup in KC admin console UI... > > Another alternative might be that you will use 2 servers in your > testsuite. Your wildfly server with adapter installed will be on > localhost:8080 (you have it already running) and KC server will be on > localhost:8081 (You can directly reuse our testsuite for setup this). > > Good luck and let me know if still having issues. Btw. we don't have any > integration tests for admin console and real AS7 and Wildfly adapters > AFAIK. So it would be nice if you can share your work once you have your > testsuite up and running :-) > > Marek > > > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140423/f0454222/attachment-0001.html From n.preusker at gmail.com Wed Apr 23 06:43:56 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Wed, 23 Apr 2014 12:43:56 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: <53576AFC.7000400@redhat.com> Message-ID: Another question regarding keycloak artifacts in maven, shouldn't "keycloak-wildfly-adapter-dist" also be available? At least this would make it much easier to create a maven configuration that bootstraps a Wildfly instance with the keycloak adapter. I've looked at the integration test suite and find the approach quite nice. However, in order to re-use it I would currently have to duplicate most of the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in the test directory of the keycloak-testsuite-integration module. 
So I thought I'd do the following: * create an integration-test module * bootstrap Wildfly with the wildfly adapter installed with the maven-dependency-plugin and maven-resources-plugin (currently struggling with the missing artifacts in the repo here so I installed it locally for now...) * deploy the auth-server.war/ keycloak-server.war and the archives I want to test in an arquillian test case (@Deploy...) That's where I'm at right now. I guess the next step would be to get the KeycloakSessionFactory in order to add a test realm programmatically. However, I just realized that it might be better (and easier) to just bootstrap an embedded Keycloak instance (no server, just the core services) and use it to create a test realm and create tokens that can be used in the test cases. After all, I just need a way to generate bearer tokens to make HTTP requests to the wars I would like to test. Any thoughts on how I could best accomplish that? Cheers, Nils On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker wrote: > Thanks Marek, I've created a JIRA issue about the missing war in the maven > repo: https://issues.jboss.org/browse/KEYCLOAK-424 > > I'll have a look at the integration test suite and let you know what I > came up with. > > Cheers, > Nils > > > On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda wrote: > >> Hi Nils, >> >> >> On 22.4.2014 12:55, Nils Preusker wrote: >> >> Hi guys, >> >> I'm just setting up an integration test project for our application and >> I'm wondering what's the best way to bootstrap keycloak within it. >> >> I'm using arquillian for testing and I'm using the >> maven-dependency-plugin and maven-resources-plugin to put together a >> wildfly instance with the keycloak-wildfly-adapter. >> >> So far, that approach works nicely. 
However, I'm not quite sure yet how >> to go about >> >> * importing a realm and >> * creating a bearer/ access token to use in the test cases >> >> One approach would be to deploy the auth-server.war (is there a mvn >> repository to pull it from?), POST the realm to the respective URL of the >> admin console and do the authentication the same way (POST >> http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). >> >> Looks like it's not. The WAR is here just for Alpha1 >> https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/but not for later releases, which looks like a bug IMO. Can you create JIRA >> for it? I think it won't be bad if release will include all the artifacts >> including docs and distribution stuff (like WAR and full Wildfly appliance) >> >> >> Alternatively, I suppose I could deploy a small helper war or jar that >> accesses the core services of keycloak to import the realm and create test >> access tokens (some convenience method like "createLogin()" in a test >> utility that is deployed with shrink wrap maybe). >> >> Which option do you recommend or is there a third one that I'm missing? >> >> Maybe it will be interesting for you that we have integration testsuite >> https://github.com/keycloak/keycloak/tree/master/testsuite/integration . >> This testsuite is using embedded Undertow server and it programmatically >> deploys Keycloak server on it. You can take a look at KeycloakServer class >> and also at individual tests to see how it works. The point is that it's >> embedded, so test classes have access to KeycloakSessionFactory inside >> KeycloakSetup actions and so they can directly use the model API to setup >> needed things. 
>> >> For example in LoginTest, you can see that there is some setup action, >> which creates new user with usage of Keycloak model API: >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54and then there is selenium test, which verifies that this user is able to >> login: >> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 >> >> Maybe you can reuse some parts of our testsuite and programmaticaly >> deploy Keycloak server in similar way like it's done here (not sure if it's >> possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). If you >> still don't have access to Keycloak model API, you can maybe write some >> selenium utils, which will do needed setup in KC admin console UI... >> >> Another alternative might be that you will use 2 servers in your >> testsuite. Your wildfly server with adapter installed will be on >> localhost:8080 (you have it already running) and KC server will be on >> localhost:8081 (You can directly reuse our testsuite for setup this). >> >> Good luck and let me know if still having issues. Btw. we don't have any >> integration tests for admin console and real AS7 and Wildfly adapters >> AFAIK. So it would be nice if you can share your work once you have your >> testsuite up and running :-) >> >> Marek >> >> >> Cheers, >> Nils >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140423/34ca7f70/attachment.html From n.preusker at gmail.com Wed Apr 23 06:49:41 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Wed, 23 Apr 2014 12:49:41 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: <53576AFC.7000400@redhat.com> Message-ID: I created another JIRA issue for keycloak-wildfly-adapter-dist: https://issues.jboss.org/browse/KEYCLOAK-425 On Wed, Apr 23, 2014 at 12:43 PM, Nils Preusker wrote: > Another question regarding keycloak artifacts in maven, shouldn't > "keycloak-wildfly-adapter-dist" also be available? At least this would make > it much easier to create a maven configuration that bootstraps a Wildfly > instance with the keycloak adapter. > > I've looked at the integration test suite and find the approach quite > nice. However, in order to re-use it I would currently have to duplicate > most of the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in > the test directory of the keycloak-testsuite-integration module. > > So I thought I'd do the following: > > * create an integration-test module > * bootstrap Wildfly with the wildfly adapter installed with the > maven-dependency-plugin and maven-resources-plugin (currently struggling > with the missing artifacts in the repo here so I installed it locally for > now...) > * deploy the auth-server.war/ keycloak-server.war and the archives I want > to test in an arquillian test case (@Deploy...) > > That's where I'm at right now. I guess the next step would be to get the > KeycloakSessionFactory in order to add a test realm programmatically. > > However, I just realized that it might be better (and easier) to just > bootstrap an embedded Keycloak instance (no server, just the core services) > and use it to create a test realm and create tokens that can be used in the > test cases. 
After all, I just need a way to generate bearer tokens to make > HTTP requests to the wars I would like to test. Any thoughts on how I could > best accomplish that? > > Cheers, > Nils > > > > > On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker wrote: > >> Thanks Marek, I've created a JIRA issue about the missing war in the >> maven repo: https://issues.jboss.org/browse/KEYCLOAK-424 >> >> I'll have a look at the integration test suite and let you know what I >> came up with. >> >> Cheers, >> Nils >> >> >> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda wrote: >> >>> Hi Nils, >>> >>> >>> On 22.4.2014 12:55, Nils Preusker wrote: >>> >>> Hi guys, >>> >>> I'm just setting up an integration test project for our application >>> and I'm wondering what's the best way to bootstrap keycloak within it. >>> >>> I'm using arquillian for testing and I'm using the >>> maven-dependency-plugin and maven-resources-plugin to put together a >>> wildfly instance with the keycloak-wildfly-adapter. >>> >>> So far, that approach works nicely. However, I'm not quite sure yet >>> how to go about >>> >>> * importing a realm and >>> * creating a bearer/ access token to use in the test cases >>> >>> One approach would be to deploy the auth-server.war (is there a mvn >>> repository to pull it from?), POST the realm to the respective URL of the >>> admin console and do the authentication the same way (POST >>> http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access). >>> >>> Looks like it's not. The WAR is here just for Alpha1 >>> https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/but not for later releases, which looks like a bug IMO. Can you create JIRA >>> for it? 
I think it won't be bad if release will include all the artifacts >>> including docs and distribution stuff (like WAR and full Wildfly appliance) >>> >>> >>> Alternatively, I suppose I could deploy a small helper war or jar that >>> accesses the core services of keycloak to import the realm and create test >>> access tokens (some convenience method like "createLogin()" in a test >>> utility that is deployed with shrink wrap maybe). >>> >>> Which option do you recommend or is there a third one that I'm missing? >>> >>> Maybe it will be interesting for you that we have integration testsuite >>> https://github.com/keycloak/keycloak/tree/master/testsuite/integration. This testsuite is using embedded Undertow server and it programmatically >>> deploys Keycloak server on it. You can take a look at KeycloakServer class >>> and also at individual tests to see how it works. The point is that it's >>> embedded, so test classes have access to KeycloakSessionFactory inside >>> KeycloakSetup actions and so they can directly use the model API to setup >>> needed things. >>> >>> For example in LoginTest, you can see that there is some setup action, >>> which creates new user with usage of Keycloak model API: >>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54and then there is selenium test, which verifies that this user is able to >>> login: >>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 >>> >>> Maybe you can reuse some parts of our testsuite and programmaticaly >>> deploy Keycloak server in similar way like it's done here (not sure if it's >>> possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). If you >>> still don't have access to Keycloak model API, you can maybe write some >>> selenium utils, which will do needed setup in KC admin console UI... 
>>> >>> Another alternative might be that you will use 2 servers in your >>> testsuite. Your wildfly server with adapter installed will be on >>> localhost:8080 (you have it already running) and KC server will be on >>> localhost:8081 (You can directly reuse our testsuite for setup this). >>> >>> Good luck and let me know if still having issues. Btw. we don't have any >>> integration tests for admin console and real AS7 and Wildfly adapters >>> AFAIK. So it would be nice if you can share your work once you have your >>> testsuite up and running :-) >>> >>> Marek >>> >>> >>> Cheers, >>> Nils >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140423/344ec2bf/attachment-0001.html From stian at redhat.com Wed Apr 23 06:58:49 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 23 Apr 2014 06:58:49 -0400 (EDT) Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: References: <53576AFC.7000400@redhat.com> Message-ID: <97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> In the future we may move our testsuite to Arquillian, as this makes it possible for us to test the actual distribution of Keycloak (on WildFly) rather than a "custom" server. For testing bearer-only services, you're right the simplest solution would be to just create tokens manually. Have a look at https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, which does exactly that. 
----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 23 April, 2014 11:43:56 AM > Subject: Re: [keycloak-user] bootstrapping of keycloak for integration testing > > Another question regarding keycloak artifacts in maven, shouldn't > "keycloak-wildfly-adapter-dist" also be available? At least this would make > it much easier to create a maven configuration that bootstraps a Wildfly > instance with the keycloak adapter. > > I've looked at the integration test suite and find the approach quite nice. > However, in order to re-use it I would currently have to duplicate most of > the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in the test > directory of the keycloak-testsuite-integration module. > > So I thought I'd do the following: > > * create an integration-test module > * bootstrap Wildfly with the wildfly adapter installed with the > maven-dependency-plugin and maven-resources-plugin (currently struggling > with the missing artifacts in the repo here so I installed it locally for > now...) > * deploy the auth-server.war/ keycloak-server.war and the archives I want to > test in an arquillian test case (@Deploy...) > > That's where I'm at right now. I guess the next step would be to get the > KeycloakSessionFactory in order to add a test realm programmatically. > > However, I just realized that it might be better (and easier) to just > bootstrap an embedded Keycloak instance (no server, just the core services) > and use it to create a test realm and create tokens that can be used in the > test cases. After all, I just need a way to generate bearer tokens to make > HTTP requests to the wars I would like to test. Any thoughts on how I could > best accomplish that? 
> > Cheers, > Nils > > > > > On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < n.preusker at gmail.com > > wrote: > > > > Thanks Marek, I've created a JIRA issue about the missing war in the maven > repo: https://issues.jboss.org/browse/KEYCLOAK-424 > > I'll have a look at the integration test suite and let you know what I came > up with. > > Cheers, > Nils > > > On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < mposolda at redhat.com > wrote: > > > > Hi Nils, > > > On 22.4.2014 12:55, Nils Preusker wrote: > > > > Hi guys, > > I'm just setting up an integration test project for our application and I'm > wondering what's the best way to bootstrap keycloak within it. > > I'm using arquillian for testing and I'm using the maven-dependency-plugin > and maven-resources-plugin to put together a wildfly instance with the > keycloak-wildfly-adapter. > > So far, that approach works nicely. However, I'm not quite sure yet how to go > about > > * importing a realm and > * creating a bearer/ access token to use in the test cases > > One approach would be to deploy the auth-server.war (is there a mvn > repository to pull it from?), POST the realm to the respective URL of the > admin console and do the authentication the same way (POST > http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access ). > Looks like it's not. The WAR is here just for Alpha1 > https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ > but not for later releases, which looks like a bug IMO. Can you create JIRA > for it? I think it won't be bad if release will include all the artifacts > including docs and distribution stuff (like WAR and full Wildfly appliance) > > > > > > Alternatively, I suppose I could deploy a small helper war or jar that > accesses the core services of keycloak to import the realm and create test > access tokens (some convenience method like "createLogin()" in a test > utility that is deployed with shrink wrap maybe). 
> > Which option do you recommend or is there a third one that I'm missing? > Maybe it will be interesting for you that we have integration testsuite > https://github.com/keycloak/keycloak/tree/master/testsuite/integration . > This testsuite is using embedded Undertow server and it programmatically > deploys Keycloak server on it. You can take a look at KeycloakServer class > and also at individual tests to see how it works. The point is that it's > embedded, so test classes have access to KeycloakSessionFactory inside > KeycloakSetup actions and so they can directly use the model API to setup > needed things. > > For example in LoginTest, you can see that there is some setup action, which > creates new user with usage of Keycloak model API: > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 > and then there is selenium test, which verifies that this user is able to > login: > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114 > > Maybe you can reuse some parts of our testsuite and programmaticaly deploy > Keycloak server in similar way like it's done here (not sure if it's > possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). If you > still don't have access to Keycloak model API, you can maybe write some > selenium utils, which will do needed setup in KC admin console UI... > > Another alternative might be that you will use 2 servers in your testsuite. > Your wildfly server with adapter installed will be on localhost:8080 (you > have it already running) and KC server will be on localhost:8081 (You can > directly reuse our testsuite for setup this). > > Good luck and let me know if still having issues. Btw. we don't have any > integration tests for admin console and real AS7 and Wildfly adapters AFAIK. 
> So it would be nice if you can share your work once you have your testsuite > up and running :-) > > Marek > > > > > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From n.preusker at gmail.com Wed Apr 23 07:12:53 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Wed, 23 Apr 2014 13:12:53 +0200 Subject: [keycloak-user] bootstrapping of keycloak for integration testing In-Reply-To: <97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> References: <53576AFC.7000400@redhat.com> <97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> Message-ID: <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com> Great, thanks for the link Stian! -- Blog: www.nilspreusker.de > On Apr 23, 2014, at 12:58, Stian Thorgersen wrote: > > In the future we may move our testsuite to Arquillian, as this makes it possible for us to test the actual distribution of Keycloak (on WildFly) rather than a "custom" server. > > For testing bearer-only services, you're right the simplest solution would be to just create tokens manually. Have a look at https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, which does exactly that. > > ----- Original Message ----- >> From: "Nils Preusker" >> To: keycloak-user at lists.jboss.org >> Sent: Wednesday, 23 April, 2014 11:43:56 AM >> Subject: Re: [keycloak-user] bootstrapping of keycloak for integration testing >> >> Another question regarding keycloak artifacts in maven, shouldn't >> "keycloak-wildfly-adapter-dist" also be available? At least this would make >> it much easier to create a maven configuration that bootstraps a Wildfly >> instance with the keycloak adapter. 
>> >> I've looked at the integration test suite and find the approach quite nice. >> However, in order to re-use it I would currently have to duplicate most of >> the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in the test >> directory of the keycloak-testsuite-integration module. >> >> So I thought I'd do the following: >> >> * create an integration-test module >> * bootstrap Wildfly with the wildfly adapter installed with the >> maven-dependency-plugin and maven-resources-plugin (currently struggling >> with the missing artifacts in the repo here so I installed it locally for >> now...) >> * deploy the auth-server.war/ keycloak-server.war and the archives I want to >> test in an arquillian test case (@Deploy...) >> >> That's where I'm at right now. I guess the next step would be to get the >> KeycloakSessionFactory in order to add a test realm programmatically. >> >> However, I just realized that it might be better (and easier) to just >> bootstrap an embedded Keycloak instance (no server, just the core services) >> and use it to create a test realm and create tokens that can be used in the >> test cases. After all, I just need a way to generate bearer tokens to make >> HTTP requests to the wars I would like to test. Any thoughts on how I could >> best accomplish that? >> >> Cheers, >> Nils >> >> >> >> >> On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < n.preusker at gmail.com > >> wrote: >> >> >> >> Thanks Marek, I've created a JIRA issue about the missing war in the maven >> repo: https://issues.jboss.org/browse/KEYCLOAK-424 >> >> I'll have a look at the integration test suite and let you know what I came >> up with. 
>>
>> Cheers,
>> Nils
>>
>> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < mposolda at redhat.com > wrote:
>>
>> Hi Nils,
>>
>> On 22.4.2014 12:55, Nils Preusker wrote:
>>
>> Hi guys,
>>
>> I'm just setting up an integration test project for our application and I'm wondering what's the best way to bootstrap keycloak within it.
>>
>> I'm using arquillian for testing and I'm using the maven-dependency-plugin and maven-resources-plugin to put together a wildfly instance with the keycloak-wildfly-adapter.
>>
>> So far, that approach works nicely. However, I'm not quite sure yet how to go about
>>
>> * importing a realm and
>> * creating a bearer/ access token to use in the test cases
>>
>> One approach would be to deploy the auth-server.war (is there a mvn repository to pull it from?), POST the realm to the respective URL of the admin console and do the authentication the same way (POST http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access ).
>>
>> Looks like it's not. The WAR is here just for Alpha1 https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ but not for later releases, which looks like a bug IMO. Can you create JIRA for it? I think it won't be bad if release will include all the artifacts including docs and distribution stuff (like WAR and full Wildfly appliance)
>>
>> Alternatively, I suppose I could deploy a small helper war or jar that accesses the core services of keycloak to import the realm and create test access tokens (some convenience method like "createLogin()" in a test utility that is deployed with shrink wrap maybe).
>>
>> Which option do you recommend or is there a third one that I'm missing?
>>
>> Maybe it will be interesting for you that we have integration testsuite https://github.com/keycloak/keycloak/tree/master/testsuite/integration .
>> This testsuite is using embedded Undertow server and it programmatically deploys Keycloak server on it. You can take a look at KeycloakServer class and also at individual tests to see how it works. The point is that it's embedded, so test classes have access to KeycloakSessionFactory inside KeycloakSetup actions and so they can directly use the model API to setup needed things.
>>
>> For example in LoginTest, you can see that there is some setup action, which creates new user with usage of Keycloak model API: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 and then there is selenium test, which verifies that this user is able to login: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114
>>
>> Maybe you can reuse some parts of our testsuite and programmatically deploy Keycloak server in similar way like it's done here (not sure if it's possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes). If you still don't have access to Keycloak model API, you can maybe write some selenium utils, which will do needed setup in KC admin console UI...
>>
>> Another alternative might be that you will use 2 servers in your testsuite. Your wildfly server with adapter installed will be on localhost:8080 (you have it already running) and KC server will be on localhost:8081 (You can directly reuse our testsuite for setup this).
>>
>> Good luck and let me know if still having issues. Btw. we don't have any integration tests for admin console and real AS7 and Wildfly adapters AFAIK.
>> So it would be nice if you can share your work once you have your testsuite up and running :-)
>>
>> Marek
>>
>> Cheers,
>> Nils

From kamalakannan.j at gmail.com Wed Apr 23 14:06:49 2014
From: kamalakannan.j at gmail.com (Kamalakannan J)
Date: Wed, 23 Apr 2014 14:06:49 -0400
Subject: [keycloak-user] API to add/update users in KeyCloak

Hello,

We are in the process of identifying the feasibility to integrate our JBOSS AS7 application with KeyCloak application for the OAUTH requirements. In the process, we are in a stage to identify a right way to

-> ADD/UPDATE Users from our application to KeyCloak application (without using UI)
-> Also during the setup process we would like to add realm, register all the clients that uses our service to KeyCloak Application (without using UI).

From archives, it looks like there are some ways possible but it is not clear though there are no REST API endpoints at the moment.

Please help

-Kamal

From bburke at redhat.com Wed Apr 23 14:24:15 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 23 Apr 2014 14:24:15 -0400
Subject: [keycloak-user] API to add/update users in KeyCloak
Message-ID: <5358054F.8020306@redhat.com>

On 4/23/2014 2:06 PM, Kamalakannan J wrote:
>
> Hello,
> We are in the process of identifying the feasibility to integrate our JBOSS AS7 application with KeyCloak application for the OAUTH requirements.
> In the process, we are in a stage to identify a right way to
> -> ADD/UPDATE Users from our application to KeyCloak application (without using UI)
> -> Also during the setup process we would like to add realm, register all the clients that uses our service to KeyCloak Application (without using UI).
>
> From archives, it looks like there are some ways possible but it is not clear though there are no REST API endpoints at the moment.
>

There is a full admin REST api, although undocumented. The admin console UI is built on top of it. You can invoke on it using a bearer token which you can obtain by "Resource Owner Password Credentials Grant" [1] invoked on

/auth/rest/realms/keycloak-admin/tokens/grants/access

"keycloak-admin" is the master domain that manages the admin REST interface for all realms.

The admin rest interface starts at:

/auth/rest/admin/realms/{realm-name}

You'll have to look at the source code for all REST endpoints, sorry. I haven't documented it yet.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Wed Apr 23 17:12:01 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Wed, 23 Apr 2014 23:12:01 +0200
Subject: [keycloak-user] How to secure JAX-RS service based on reasteasy running on undertow
References: <534CFBCB.3030808@redhat.com>

Hi Marek,

I did the proxy as suggested by you. Now I'm another step forward: the authentication works but not the authorization. I will open another thread.

Thanks.

--
Davide

On Tue, Apr 15, 2014 at 11:51 AM, Davide Ungari wrote:
> Hi Marek,
> I started thinking to a public REST API because I want to offer this service also to third parties, but I see your point.
> I must organize in a different way the authentication of my frontend and then the authentication of third parties.
>
> Thanks for your suggestions, they are very welcome.
>
> --
> Davide
>
> On Tue, Apr 15, 2014 at 11:28 AM, Marek Posolda wrote:
>
>> Hi Davide,
>>
>> I would suggest to change your flow a bit. You have frontend JEE servlet application, which is authenticated with Keycloak. So I think that you don't need any Keycloak accessTokens to be shared with your AngularJS dashboard at all. I would suggest that your AngularJS dashboard won't communicate directly with your JAX-RS backend application, but instead it will communicate just with your servlet JEE application, which will then re-send request to JAX-RS application with the usage of KeycloakSecurityContext as shown in the customer-portal example. So assuming that your frontend application is on "http://localhost:8080/frontend" and your JAX-RS is at "http://localhost:8080/backend" you can do:
>>
>> 1- The user call http://.../frontend
>> 2- The frontend server redirects to the keycloak login
>> 3- Keycloak authenticates the user and redirects to frontend server
>> 4- The frontend server serves the AngularJS dashboard but NOT injecting the token (So angularJS and your browser don't have direct access to token at all)
>> 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
>> 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint similarly as shown in examples, which will ensure that frontend application will attach Bearer token to the request
>> 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>>
>> So your frontend app will be de facto proxy between AngularJS and "backend" JAX-RS application. With this design, you won't see any CORS related issues, which you currently have. And also you won't need to solve things like refreshing tokens etc. as this is done automatically by adapter of JEE frontend application. So that's my suggestion.
>>
>> Marek
>>
>> On 15.4.2014 01:43, Davide Ungari wrote:
>>
>> Hi Bill, it's a mixed approach, maybe this is confusing you.
>>
>> > I don't understand what the flow is below. In your flow above you said your server is making a call to the backend service with the token and is authenticated correctly, right?
>>
>> My frontend is a WAR running on Tomcat and it is secured by keycloak.
>>
>> > What I don't understand is what you are doing below. Are you saying you have a Browser client (Javascript) making a call to your backend?
>>
>> The WAR serves also an AngularJS dashboard, in this dashboard I "inject" the token from the server but then I make client side calls.
>>
>> The flow is:
>>
>> 1- The user call http://.../dashboard
>> 2- The frontend server redirects to the keycloak login
>> 3- Keycloak authenticates the user and redirects to frontend server
>> 4- The frontend server serves the AngularJS dashboard injecting the token
>> 5- The client side dashboard makes ajax calls to the backend to load data
>>
>> At point 5 I see my backend is logging that the call is AUTHENTICATED but on client side I see the response is failing.
>>
>> --
>> Davide
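Marek's seven-step design, as an added illustration that is not code from the thread or from the Keycloak adapter (which does the same job through KeycloakSecurityContext in the customer-portal example): a minimal Go frontend that keeps the access token server-side and proxies the AngularJS calls to the backend with the Bearer header attached. The session cookie name, the in-memory session store, the `/frontend/api` prefix and the two URLs are constructed assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// SessionStore keeps each user's access token on the server, keyed by an
// opaque session cookie, so the browser never holds the bearer token
// (Marek's step 4). Constructed for this example: the Java adapter keeps it
// in the container session behind KeycloakSecurityContext.
type SessionStore struct {
	mu     sync.RWMutex
	tokens map[string]string // session id -> access token
}

func NewSessionStore() *SessionStore { return &SessionStore{tokens: map[string]string{}} }

func (s *SessionStore) Put(sid, token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[sid] = token
}

func (s *SessionStore) Get(sid string) (string, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	tok, ok := s.tokens[sid]
	return tok, ok
}

// SessionCookie is the (constructed) name of the frontend's own session cookie.
const SessionCookie = "FRONTEND_SESSION"

// RoundTripFunc adapts a function to http.RoundTripper so the outgoing leg can
// be swapped for a fake in tests.
type RoundTripFunc func(*http.Request) (*http.Response, error)

func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

func sessionID(r *http.Request) string {
	if c, err := r.Cookie(SessionCookie); err == nil {
		return c.Value
	}
	return ""
}

// NewFrontendProxy forwards /frontend/api/* to the backend (steps 5 and 6),
// attaching the bearer token of the caller's server-side session. Calls without
// a logged-in session are refused here instead of being forwarded.
func NewFrontendProxy(backend *url.URL, store *SessionStore, out http.RoundTripper) http.Handler {
	proxy := &httputil.ReverseProxy{
		Transport: out,
		Director: func(r *http.Request) {
			tok, _ := store.Get(sessionID(r))
			r.URL.Scheme, r.URL.Host = backend.Scheme, backend.Host
			r.URL.Path = backend.Path + strings.TrimPrefix(r.URL.Path, "/frontend/api")
			r.Host = backend.Host
			// The token comes from the session only: whatever Authorization
			// header the browser sent is overwritten rather than relayed.
			r.Header.Set("Authorization", "Bearer "+tok)
			r.Header.Del("Cookie") // the backend has no use for the frontend's cookies
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := store.Get(sessionID(r)); !ok {
			// In the real flow this is where step 2 redirects to the Keycloak login.
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	backend, _ := url.Parse("http://localhost:8080/backend") // constructed, as in the thread
	store := NewSessionStore()
	store.Put("demo-session", "constructed.access.token") // what the login callback would store
	log.Println("frontend proxy on :8081, forwarding /frontend/api/* to", backend)
	log.Fatal(http.ListenAndServe(":8081", NewFrontendProxy(backend, store, http.DefaultTransport)))
}
```

The browser only ever holds the frontend's session cookie. An Authorization header sent by the page is overwritten, never relayed, so script running in the dashboard cannot choose which credential the backend sees, and because the backend call originates from the frontend process there is no cross-origin request at all, which is Marek's point about the CORS errors Davide was seeing.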
From ungarida at gmail.com Wed Apr 23 17:34:29 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Wed, 23 Apr 2014 23:34:29 +0200
Subject: [keycloak-user] How to authorize JAX-RS service based on reasteasy

Hi everybody,

I followed some suggestions and now I made authentication work as follows:

1- The user call http://.../frontend
2- The frontend server redirects to the keycloak login
3- Keycloak authenticates the user and redirects to frontend server
4- The frontend server serves the AngularJS dashboard
5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint
7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.

Now I would like to add authorization to backend api, so I added @RolesAllowed("role") but it does not work:

2014-04-23 23:17:10,694|WARN |core.ExceptionHandler|failed to execute
javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
    at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:256)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:242)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

I found out that the realmAccess is null and debugging I think the problem is during authentication when in org.keycloak.RSATokenVerifier at line:

token = input.readJsonContent(AccessToken.class);

What do you think? What am I doing wrong this time?

Thanks.

--
Davide

From bburke at redhat.com Wed Apr 23 17:43:17 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 23 Apr 2014 17:43:17 -0400
Subject: [keycloak-user] How to authorize JAX-RS service based on reasteasy
Message-ID: <535833F5.3030806@redhat.com>

Where are your roles defined? At the realm level? At the application level? If they are defined at the realm level you need to define a scope for the application. Go to the admin console. The application link for your front-end application. Go to the scope menu item and add the realm roles to the scope for the front-end application.

Build and deploy the preconfigured demo and view the realm in the admin console. You will see a similar setup where the "customer-portal" and "product-portal" apps have their scope set to the realm level roles.

Scope is the set of roles an application or oauth client is allowed to ask for.
On 4/23/2014 5:34 PM, Davide Ungari wrote:
> Hi everybody,
> I followed some suggestions and now I made authentication work as follows:
>
> 1- The user call http://.../frontend
> 2- The frontend server redirects to the keycloak login
> 3- Keycloak authenticates the user and redirects to frontend server
> 4- The frontend server serves the AngularJS dashboard
> 5- User clicks to something in AngularJS app, which will send request to http://localhost:8080/frontend/someEndpoint
> 6- Frontend will re-send this to http://localhost:8080/backend/someBackendEndpoint
> 7- After backend request is done and received in "frontend" app, it will resend it back to AngularJS with all the data.
>
> Now I would like to add authorization to backend api, so I added @RolesAllowed("role") but it does not work:
> 2014-04-23 23:17:10,694|WARN |core.ExceptionHandler|failed to execute
> javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
>     at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:256)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:242)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:229)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>
> I found out that the realmAccess is null and debugging I think the problem is during authentication when in org.keycloak.RSATokenVerifier at line:
> token = input.readJsonContent(AccessToken.class);
>
> What do you think? What am I doing wrong this time?
>
> Thanks.
>
> --
> Davide

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Wed Apr 23 18:12:32 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Thu, 24 Apr 2014 00:12:32 +0200
Subject: [keycloak-user] How to authorize JAX-RS service based on reasteasy

Hi Bill,

the roles are defined at realm level. Frontend and backend applications have a scope mapping with assigned roles "user" under the menu "Realm Roles".

> Where are your roles defined? At the realm level? At the application level? If they are defined at the realm level you need to define a scope for the application. Go to the admin console. The application link for your front-end application. Go to the scope menu item and add the realm roles to the scope for the front-end application
> Build and deploy the preconfigured demo and view the realm in the admin console. You will see a similar setup where the "customer-portal" and "product-portal" apps have their scope set to the realm level roles.
> Scope is the set of roles an application or oauth client is allowed to ask for.

--
Davide

From bburke at redhat.com Thu Apr 24 07:45:18 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Apr 2014 07:45:18 -0400
Subject: [keycloak-user] How to authorize JAX-RS service based on reasteasy
Message-ID: <5358F94E.8020003@redhat.com>

Last question is.
Does the user have the correct role mappings?

On 4/23/2014 6:12 PM, Davide Ungari wrote:
> Hi Bill,
> the roles are defined at realm level. Frontend and backend applications have a scope mapping with assigned roles "user" under the menu "Realm Roles".
>
>> Where are your roles defined? At the realm level? At the application level? If they are defined at the realm level you need to define a scope for the application. Go to the admin console. The application link for your front-end application. Go to the scope menu item and add the realm roles to the scope for the front-end application
>> Build and deploy the preconfigured demo and view the realm in the admin console. You will see a similar setup where the "customer-portal" and "product-portal" apps have their scope set to the realm level roles.
>> Scope is the set of roles an application or oauth client is allowed to ask for.
>
> --
> Davide

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ungarida at gmail.com Thu Apr 24 09:14:14 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Thu, 24 Apr 2014 15:14:14 +0200
Subject: [keycloak-user] How to authorize JAX-RS service based on reasteasy

Hi Bill,

I have a unique user with the roles "administrator,user" and in fact on the frontend application it is working, the backend is not. I'm working on domain level.

The backend is a JAX-RS (resteasy) service running on an embedded Undertow instance. I configured resteasy using resteasy.role.based.security=true and the annotation @RolesAllowed("user") on the method.

Now in order to proceed with development I replaced the annotation with @PermitAll.

Thanks for your time!

--
Davide
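Bill's questions point at three places the 403 can come from: the realm roles, the application's scope, and the user's role mappings. If the token handed to the backend carries no realm_access claim, the adapter's realmAccess is null and RESTEasy's RoleBasedSecurityFilter refuses the call with the ForbiddenException in Davide's log. The Go program below is an added example, not code from the thread or from Keycloak: it mints a test token the way Stian's TokenUtil pointer in the integration-testing thread above describes, verifies it as a simplified counterpart of RSATokenVerifier, and applies a @RolesAllowed-style check that tells a missing token (401), a missing realm_access claim (403) and a missing role (403) apart. The claim names iss, exp and realm_access.roles are Keycloak's; the realm name, the generated key and the role names are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RealmAccess is the claim the adapter's realmAccess is read from; a token
// without it leaves realmAccess null, which is what Davide observed.
type RealmAccess struct {
	Roles []string `json:"roles"`
}

// AccessToken is the subset of Keycloak's access-token claims used here.
type AccessToken struct {
	Issuer      string       `json:"iss"`
	Expiration  int64        `json:"exp"`
	RealmAccess *RealmAccess `json:"realm_access,omitempty"`
}

var b64 = base64.RawURLEncoding

// NewRealmKey generates a throwaway key pair standing in for the realm's key.
func NewRealmKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable CSPRNG; nothing sensible to do
	}
	return key
}

// MintToken signs an RS256 token with the realm's private key: the "create
// tokens manually" route for testing a bearer-only service. roles == nil
// leaves the realm_access claim out entirely.
func MintToken(key *rsa.PrivateKey, realm string, roles []string, ttl time.Duration) (string, error) {
	tok := AccessToken{Issuer: realm, Expiration: time.Now().Add(ttl).Unix()}
	if roles != nil {
		tok.RealmAccess = &RealmAccess{Roles: roles}
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(tok) // plain strings and ints: cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the backend-side counterpart of RSATokenVerifier: check the
// signature against the realm public key first, then issuer and expiry.
func VerifyToken(pub *rsa.PublicKey, realm, raw string) (*AccessToken, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWS")
	}
	hb, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr map[string]string
	if json.Unmarshal(hb, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("JOSE header is malformed or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the realm key")
	}
	var tok AccessToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	if tok.Issuer != realm {
		return nil, errors.New("token was issued for a different realm")
	}
	if time.Now().Unix() >= tok.Expiration {
		return nil, errors.New("token expired")
	}
	return &tok, nil
}

// Authorize is what RESTEasy's RoleBasedSecurityFilter does behind @RolesAllowed:
// no valid bearer token gives 401, a valid token without the role gives 403
// Forbidden (the exception in Davide's log). A missing realm_access claim is
// named explicitly, since that points at the application's scope and the
// user's role mappings rather than at the token itself.
func Authorize(pub *rsa.PublicKey, realm, authorization, role string) (int, string) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return 401, "missing bearer token"
	}
	tok, err := VerifyToken(pub, realm, strings.TrimPrefix(authorization, "Bearer "))
	if err != nil {
		return 401, err.Error()
	}
	if tok.RealmAccess == nil {
		return 403, "no realm_access claim: check the application scope and the user's role mappings"
	}
	for _, r := range tok.RealmAccess.Roles {
		if r == role {
			return 200, "ok"
		}
	}
	return 403, "missing realm role " + role
}

func main() {
	key := NewRealmKey() // constructed test realm
	raw, _ := MintToken(key, "demo", []string{"administrator"}, time.Minute)
	fmt.Println(Authorize(&key.PublicKey, "demo", "Bearer "+raw, "user")) // 403 missing realm role user
}
```

Decoding the token body, as Davide did at the readJsonContent line, only tells you what the server put into it; when realm_access is absent there, the fix is on the Keycloak side (realm role, scope of the application that requested the token, and the user's mappings), not in the verifier.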
From n.preusker at gmail.com Thu Apr 24 11:05:52 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Thu, 24 Apr 2014 17:05:52 +0200
Subject: [keycloak-user] bootstrapping of keycloak for integration testing
In-Reply-To: <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com>
References: <53576AFC.7000400@redhat.com> <97025869.9379494.1398250729890.JavaMail.zimbra@redhat.com> <7BD4B3DB-8409-4F9F-9CB1-DCAAF19DBE65@gmail.com>

Hi guys,

just a quick question about https://issues.jboss.org/browse/KEYCLOAK-425 (keycloak-wildfly-adapter-dist-1.0-alpha-3.zip not in JBoss Maven Repository). Would you agree that this should be fixed/ the adapter should be in the maven repo, or should I just create the keycloak wildfly adapter myself with the maven dependency plugin in the build of my integration test project? If you are planning to fix it, can you give an estimate when it will be available?

Cheers,
Nils

On Wed, Apr 23, 2014 at 1:12 PM, Nils Preusker wrote:
> Great, thanks for the link Stian!
>
> --
> Blog: www.nilspreusker.de
>
>> On Apr 23, 2014, at 12:58, Stian Thorgersen wrote:
>>
>> In the future we may move our testsuite to Arquillian, as this makes it possible for us to test the actual distribution of Keycloak (on WildFly) rather than a "custom" server.
>>
>> For testing bearer-only services, you're right the simplest solution would be to just create tokens manually. Have a look at https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java, which does exactly that.
>>
>> ----- Original Message -----
>>> From: "Nils Preusker"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Wednesday, 23 April, 2014 11:43:56 AM
>>> Subject: Re: [keycloak-user] bootstrapping of keycloak for integration testing
>>>
>>> Another question regarding keycloak artifacts in maven, shouldn't "keycloak-wildfly-adapter-dist" also be available? At least this would make it much easier to create a maven configuration that bootstraps a Wildfly instance with the keycloak adapter.
>>>
>>> I've looked at the integration test suite and find the approach quite nice. However, in order to re-use it I would currently have to duplicate most of the code (KeycloakServer, AbstractKeycloakRule etc.) since it is in the test directory of the keycloak-testsuite-integration module.
>>>
>>> So I thought I'd do the following:
>>>
>>> * create an integration-test module
>>> * bootstrap Wildfly with the wildfly adapter installed with the maven-dependency-plugin and maven-resources-plugin (currently struggling with the missing artifacts in the repo here so I installed it locally for now...)
>>> * deploy the auth-server.war/ keycloak-server.war and the archives I want to test in an arquillian test case (@Deploy...)
>>>
>>> That's where I'm at right now. I guess the next step would be to get the KeycloakSessionFactory in order to add a test realm programmatically.
>>>
>>> However, I just realized that it might be better (and easier) to just bootstrap an embedded Keycloak instance (no server, just the core services) and use it to create a test realm and create tokens that can be used in the test cases. After all, I just need a way to generate bearer tokens to make HTTP requests to the wars I would like to test. Any thoughts on how I could best accomplish that?
>>>
>>> Cheers,
>>> Nils
>>>
>>> On Wed, Apr 23, 2014 at 11:25 AM, Nils Preusker < n.preusker at gmail.com > wrote:
>>>
>>> Thanks Marek, I've created a JIRA issue about the missing war in the maven repo: https://issues.jboss.org/browse/KEYCLOAK-424
>>>
>>> I'll have a look at the integration test suite and let you know what I came up with.
>>>
>>> Cheers,
>>> Nils
>>>
>>> On Wed, Apr 23, 2014 at 9:25 AM, Marek Posolda < mposolda at redhat.com > wrote:
>>>
>>> Hi Nils,
>>>
>>> On 22.4.2014 12:55, Nils Preusker wrote:
>>>
>>> Hi guys,
>>>
>>> I'm just setting up an integration test project for our application and I'm wondering what's the best way to bootstrap keycloak within it.
>>>
>>> I'm using arquillian for testing and I'm using the maven-dependency-plugin and maven-resources-plugin to put together a wildfly instance with the keycloak-wildfly-adapter.
>>>
>>> So far, that approach works nicely. However, I'm not quite sure yet how to go about
>>>
>>> * importing a realm and
>>> * creating a bearer/ access token to use in the test cases
>>>
>>> One approach would be to deploy the auth-server.war (is there a mvn repository to pull it from?), POST the realm to the respective URL of the admin console and do the authentication the same way (POST http://localhost:8080/auth/rest/realms/TestRealm/tokens/grants/access).
>>>
>>> Looks like it's not. The WAR is here just for Alpha1 https://repository.jboss.org/nexus/content/groups/public/org/keycloak/keycloak-server/1.0-alpha-1-12062013/ but not for later releases, which looks like a bug IMO. Can you create JIRA for it?
>>> I think it won't be bad if release will include all the artifacts including docs and distribution stuff (like WAR and full Wildfly appliance)
>>>
>>> Alternatively, I suppose I could deploy a small helper war or jar that accesses the core services of keycloak to import the realm and create test access tokens (some convenience method like "createLogin()" in a test utility that is deployed with shrink wrap maybe).
>>>
>>> Which option do you recommend or is there a third one that I'm missing?
>>>
>>> Maybe it will be interesting for you that we have integration testsuite https://github.com/keycloak/keycloak/tree/master/testsuite/integration. This testsuite is using embedded Undertow server and it programmatically deploys Keycloak server on it. You can take a look at KeycloakServer class and also at individual tests to see how it works. The point is that it's embedded, so test classes have access to KeycloakSessionFactory inside KeycloakSetup actions and so they can directly use the model API to setup needed things.
>>>
>>> For example in LoginTest, you can see that there is some setup action, which creates new user with usage of Keycloak model API: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L54 and then there is selenium test, which verifies that this user is able to login: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/forms/LoginTest.java#L114
>>>
>>> Maybe you can reuse some parts of our testsuite and programmatically deploy Keycloak server in similar way like it's done here (not sure if it's possible with Arquillian+Shrinkwrap+Wildfly, but I assume that yes).
>>> If you still don't have access to Keycloak model API, you can maybe write some selenium utils, which will do needed setup in KC admin console UI...
>>>
>>> Another alternative might be that you will use 2 servers in your testsuite. Your wildfly server with adapter installed will be on localhost:8080 (you have it already running) and KC server will be on localhost:8081 (You can directly reuse our testsuite for setup this).
>>>
>>> Good luck and let me know if still having issues. Btw. we don't have any integration tests for admin console and real AS7 and Wildfly adapters AFAIK. So it would be nice if you can share your work once you have your testsuite up and running :-)
>>>
>>> Marek
>>>
>>> Cheers,
>>> Nils
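Bill's answer earlier in this archive (the "API to add/update users in KeyCloak" thread) names two paths: the grant endpoint of the keycloak-admin master realm and the admin REST root /auth/rest/admin/realms/{realm-name}. The Go client below is an added example of driving them without the UI, as Kamal asked; it is not code from the thread or from Keycloak. The form field names of the password grant, the access_token response field and the /users sub-path are assumptions (Bill says the endpoint list has to be read from the source); the base URL, realm, user representation and credentials are constructed. Credentials arrive through environment variables rather than being embedded, and the token lives in an unexported field that is never written to a log.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// RoundTripFunc adapts a function to http.RoundTripper so tests can fake the server.
type RoundTripFunc func(*http.Request) (*http.Response, error)

func (f RoundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// AdminClient talks to the admin REST interface Bill describes.
type AdminClient struct {
	Base  string // e.g. http://localhost:8080 (constructed)
	HTTP  *http.Client
	token string // admin bearer token: unexported and never logged
}

// TokenURL is the grant endpoint of the keycloak-admin master realm from Bill's reply.
func TokenURL(base string) string {
	return strings.TrimRight(base, "/") + "/auth/rest/realms/keycloak-admin/tokens/grants/access"
}

// RealmURL is the admin REST root for one realm, /auth/rest/admin/realms/{realm-name}.
func RealmURL(base, realm string) string {
	return strings.TrimRight(base, "/") + "/auth/rest/admin/realms/" + url.PathEscape(realm)
}

// Login runs the Resource Owner Password Credentials grant against the
// keycloak-admin realm. The form field names and the access_token response
// field are assumptions; Bill points to the source for the exact contract.
func (c *AdminClient) Login(username, password string) error {
	resp, err := c.HTTP.PostForm(TokenURL(c.Base), url.Values{"username": {username}, "password": {password}})
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("grant failed: HTTP %d", resp.StatusCode) // body deliberately not echoed
	}
	var grant struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&grant); err != nil || grant.AccessToken == "" {
		return errors.New("grant response carries no access_token")
	}
	c.token = grant.AccessToken
	return nil
}

// Call sends one bearer-authenticated request below the realm's admin root.
func (c *AdminClient) Call(method, realm, sub string, body []byte) (int, []byte, error) {
	if c.token == "" {
		return 0, nil, errors.New("not logged in")
	}
	req, err := http.NewRequest(method, RealmURL(c.Base, realm)+sub, bytes.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode, out, err
}

// CreateUser posts a user representation to {realm}/users; the sub-path is an
// assumption, since Bill says the endpoint list must be read from the source.
func (c *AdminClient) CreateUser(realm string, user map[string]any) error {
	b, err := json.Marshal(user)
	if err != nil {
		return err
	}
	code, _, err := c.Call(http.MethodPost, realm, "/users", b)
	if err == nil && code != http.StatusCreated && code != http.StatusNoContent {
		err = fmt.Errorf("create user: HTTP %d", code)
	}
	return err
}

func main() {
	c := &AdminClient{Base: "http://localhost:8080", HTTP: http.DefaultClient} // constructed base URL
	err := c.Login(os.Getenv("KC_ADMIN_USER"), os.Getenv("KC_ADMIN_PASSWORD"))
	fmt.Println("login:", err) // on success, continue with c.Call / c.CreateUser
}
```

Set KC_ADMIN_USER and KC_ADMIN_PASSWORD and point Base at the server; a GET through Call with an empty sub-path fetches the realm representation at the root Bill names, and CreateUser shows the shape of a write. The token obtained from keycloak-admin is an administrative credential for every realm, so treat it like one: short-lived, held in memory, and never passed to the browser or written to logs.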