From stian at redhat.com Fri Aug 1 04:38:24 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 1 Aug 2014 04:38:24 -0400 (EDT)
Subject: [keycloak-user] Bower for keycloak.js
References: <1530746411.21182105.1406800181152.JavaMail.zimbra@redhat.com> <247430225.21537460.1406824567593.JavaMail.zimbra@redhat.com>
Message-ID: <1476667183.21928558.1406882304203.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Joshua Bellamy-Henn"
> To: "Stian Thorgersen"
> Cc: "Josh", keycloak-user at lists.jboss.org
> Sent: Thursday, 31 July, 2014 7:10:52 PM
> Subject: Re: [keycloak-user] Bower for keycloak.js
>
> I never heard back :P

Sorry about that, been a few hectic weeks at camp Keycloak ;)

> On Thu, Jul 31, 2014 at 12:10 PM, Joshua Bellamy-Henn wrote:
>
> > Woot, okay.. just making sure it's working.
> >
> > On Thu, Jul 31, 2014 at 10:36 AM, Stian Thorgersen wrote:
> >
> > > I re-registered it after that though
> > >
> > > ----- Original Message -----
> > > > From: "Joshua Bellamy-Henn"
> > > > To: "Stian Thorgersen"
> > > > Cc: "Josh", keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 31 July, 2014 4:29:49 PM
> > > > Subject: Re: [keycloak-user] Bower for keycloak.js
> > > >
> > > > I went through the deletion process so it shouldn't be registered anymore.
> > > >
> > > > On Thu, Jul 31, 2014 at 3:49 AM, Stian Thorgersen wrote:
> > > >
> > > > > I think you got the 403 due to it already being registered.
> > > > >
> > > > > There should be two versions available, 1.0-beta3 and 1.0-beta4-pre. Once we release 1.0.final it'll be tagged as 1.0. The 1.0-beta3 syntax should work as jQuery uses it ;)
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Joshua Bellamy-Henn"
> > > > > > To: "Stian Thorgersen"
> > > > > > Cc: "Josh", keycloak-user at lists.jboss.org
> > > > > > Sent: Wednesday, 30 July, 2014 9:13:21 PM
> > > > > > Subject: Re: [keycloak-user] Bower for keycloak.js
> > > > > >
> > > > > > So I've tried to register this package for you guys using bower:
> > > > > >
> > > > > > ~/play/keycloak-js-bower master 14:08:22
> > > > > > $ bower register keycloak git://github.com/keycloak/keycloak-js-bower.git
> > > > > > bower keycloak#*   resolve git://github.com/keycloak/keycloak-js-bower.git#*
> > > > > > bower keycloak#*   checkout master
> > > > > > bower keycloak#*   resolved git://github.com/keycloak/keycloak-js-bower.git#923dccb251
> > > > > > [?] Registering a package will make it installable via the registry (https://bower.herokuapp.com), continue? Yes
> > > > > > bower keycloak     register git://github.com/keycloak/keycloak-js-bower.git
> > > > > > bower EUNKNOWN     Unknown error: 403
> > > > > >
> > > > > > I am afraid this could be due to the version number possibly being in an incorrect format.
> > > > > >
> > > > > > On Mon, Jul 14, 2014 at 10:46 AM, Joshua Bellamy-Henn <josh at psidox.com> wrote:
> > > > > >
> > > > > > > I removed the "keycloak" package, the name should be open for registration now.
> > > > > > >
> > > > > > > Still a bit skeptical it will accept anything other than "x.x.x" notation for versioning, but give it a try. :)
> > > > > > >
> > > > > > > - Josh
> > > > > > >
> > > > > > > On Mon, Jul 14, 2014 at 5:10 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > >
> > > > > > > > Have you contacted the Bower guys to get this changed yet?
> > > > > > > >
> > > > > > > > By the way, we're going to stick with the same versioning that we use for Keycloak, except we'll remove -final from the final release. So versions would be:
> > > > > > > >
> > > > > > > > 1.0-beta4
> > > > > > > > 1.0-rc1
> > > > > > > > 1.0
> > > > > > > >
> > > > > > > > That should mean that versions such as ">=1.0" will work, and will only use stable versions, while if someone wants to use a beta or rc they can explicitly specify the version.
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Josh"
> > > > > > > > > To: "Stian Thorgersen"
> > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > Sent: Thursday, 3 July, 2014 4:46:09 PM
> > > > > > > > > Subject: Re: [keycloak-user] Bower for keycloak.js
> > > > > > > > >
> > > > > > > > > I do think there is a problem using that version format, I think I tried it originally and bower was having none of it. This could be because they use the version for auto upgrade purposes, where one can use a "~" character to prefix the version to allow upgrades in version minors in the bower.json file.
> > > > > > > > >
> > > > > > > > > eg.
> > > > > > > > > "dependencies": {
> > > > > > > > >   "keycloak": "~0.3.12"
> > > > > > > > > },
> > > > > > > > >
> > > > > > > > > I have to admit I've been pulled to the dark side a little bit, I do enjoy npm / bower for doing javascript type build processes (sometimes a necessary evil). I was never a fan of 'grunt' but found that 'gulp' is much better. I have a hybrid build process in my java apps where I sometimes break out of maven to execute some gulp build processes.
> > > > > > > > >
> > > > > > > > > But I understand for a project like keycloak 'npm / gulp' adds a lot of complexity to the build process and is not desirable.
> > > > > > > > >
> > > > > > > > > I'll talk to the bower guys to get keycloak switched over to your fork :D
> > > > > > > > >
> > > > > > > > > On Thu, Jul 3, 2014 at 7:08 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > >
> > > > > > > > > > I've pulled in your stuff to https://github.com/keycloak/keycloak-js-bower
> > > > > > > > > >
> > > > > > > > > > I'd prefer the versions to match with Keycloak versions (1.0-beta-2, 1.0-beta-3, 1.0-final). Do you know if that'll be a problem?
> > > > > > > > > >
> > > > > > > > > > Also, I'm going to add minification of keycloak.js to our Maven build. We'll need it there as well + we're mainly Java/Maven guys ;)
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > From: "Josh"
> > > > > > > > > > > To: "Stian Thorgersen"
> > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > Sent: Monday, 23 June, 2014 10:38:44 PM
> > > > > > > > > > > Subject: Re: [keycloak-user] Bower for keycloak.js
> > > > > > > > > > >
> > > > > > > > > > > Looks like it's a manual process at the moment to get the registry moved to a different github endpoint. Let me know when you have the project set up and I'll contact the bower guys.
> > > > > > > > > > >
> > > > > > > > > > > - Josh
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Jun 23, 2014 at 12:56 PM, Josh wrote:
> > > > > > > > > > >
> > > > > > > > > > > > You bet, I actually had the thought that it would be better as part of the release cycle. I'll have to figure out how to transfer bower repositories, because there was no login required to register a bower repo and currently I have taken "keycloak", which would be optimal for the project.
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Jun 23, 2014 at 2:40 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Hi Josh,
> > > > > > > > > > > > >
> > > > > > > > > > > > > That's great - thanks for contributing this. I would like to transfer this to https://github.com/keycloak though, I hope you're happy with that.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > Stian
> > > > > > > > > > > > >
> > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > From: "Josh"
> > > > > > > > > > > > > > To: keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > Sent: Friday, 20 June, 2014 6:30:02 PM
> > > > > > > > > > > > > > Subject: [keycloak-user] Bower for keycloak.js
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Hi guys,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have created a little github project to make keycloak.js available to the bower package manager.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Project here:
> > > > > > > > > > > > > > https://github.com/smysnk/keycloak-adapter-bower
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Usage:
> > > > > > > > > > > > > > $ bower install keycloak
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > - Josh
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > keycloak-user mailing list
> > > > > > > > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com Fri Aug 1 13:01:01 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Fri, 1 Aug 2014 14:01:01 -0300
Subject: [keycloak-user] Datasource configuration on keycloak-server.json

Hi,

I noticed that now there is no persistence.xml file in *server/src/main/resources/META-INF*

There is only a keycloak-server.json, which according to the github commit comments is to be used now to configure the datasources.

I'm trying to deploy it with *JBoss 7.1.1.Final* and I'm getting this error message:

"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\" *Missing[jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\"]* "]

The datasource defined in the connectionsJpa section of the JSON file exists, I'm using the ExampleDS.

Am I missing something, or is this expected?

--
Rodrigo Sasaki
From stian at redhat.com Fri Aug 1 13:12:05 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 1 Aug 2014 13:12:05 -0400 (EDT)
Subject: [keycloak-user] Datasource configuration on keycloak-server.json
Message-ID: <5501990.22250780.1406913125745.JavaMail.zimbra@redhat.com>

There's an issue with this on AS7 at the moment, should be fixed on Monday.

https://issues.jboss.org/browse/KEYCLOAK-572

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 1 August, 2014 6:01:01 PM
> Subject: [keycloak-user] Datasource configuration on keycloak-server.json
>
> Hi,
>
> I noticed that now there is no persistence.xml file in server/src/main/resources/META-INF
>
> There is only a keycloak-server.json, which according to the github commit comments is to be used now to configure the datasources.
>
> I'm trying to deploy it with JBoss 7.1.1.Final and I'm getting this error message:
>
> "JBAS014771: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\" Missing[jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\"] "]
>
> The datasource defined in the connectionsJpa section of the JSON file exists, I'm using the ExampleDS.
>
> Am I missing something, or is this expected?
>
> --
> Rodrigo Sasaki

From peterson.dean at gmail.com Fri Aug 1 16:13:14 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 1 Aug 2014 15:13:14 -0500
Subject: [keycloak-user] User Image

It would be great if Keycloak had a built-in mechanism for uploading and storing a user profile image. That way, I could just make a call to a Keycloak REST service to get the image stored in the centrally located keycloak server where all the other user attributes are stored. Has anything like that been discussed?

From bburke at redhat.com Fri Aug 1 18:12:50 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 01 Aug 2014 18:12:50 -0400
Subject: [keycloak-user] User Image
Message-ID: <53DC10E2.3060400@redhat.com>

We want to expand claims and user attribute capabilities. I think it's on the roadmap. Submit a jira for a feature request. User profile image is one of the openid connect claims, so we'll want to support it. Will have to be after 1.0 though.

On 8/1/2014 4:13 PM, Dean Peterson wrote:
> It would be great if Keycloak had a built-in mechanism for uploading and storing a user profile image. That way, I could just make a call to a Keycloak REST service to get the image stored in the centrally located keycloak server where all the other user attributes are stored. Has anything like that been discussed?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From spousty at redhat.com Fri Aug 1 19:27:56 2014
From: spousty at redhat.com (Steven Pousty)
Date: Fri, 01 Aug 2014 16:27:56 -0700
Subject: [keycloak-user] Setting up Postgresql Database with OpenShift
Message-ID: <53DC227C.1070704@redhat.com>

Is there documentation or a description of how to add Postgresql as the database behind Keycloak on OpenShift?
Do I just add a postgresql cart and then treat it the same as the other instructions?

Thanks
Steve

From peterson.dean at gmail.com Fri Aug 1 20:41:13 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 1 Aug 2014 19:41:13 -0500
Subject: [keycloak-user] User Image

That would be great, thanks! I opened a feature request in JIRA as you mentioned:

https://issues.jboss.org/browse/KEYCLOAK-598

From bburke at redhat.com Mon Aug 4 08:20:17 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 04 Aug 2014 08:20:17 -0400
Subject: [keycloak-user] Setting up Postgresql Database with OpenShift
In-Reply-To: <53DC227C.1070704@redhat.com>
References: <53DC227C.1070704@redhat.com>
Message-ID: <53DF7A81.1040706@redhat.com>

Same as any other JPA datasource deployed on JBoss/Wildfly.

On 8/1/2014 7:27 PM, Steven Pousty wrote:
> Is there documentation or a description of how to add Postgresql as the database behind Keycloak on OpenShift?
> Do I just add a postgresql cart and then treat it the same as the other instructions?
>
> Thanks
> Steve

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Mon Aug 4 10:54:02 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Mon, 04 Aug 2014 10:54:02 -0400
Subject: [keycloak-user] How can I customize the New User Registration workflow?
In-Reply-To: <929661017.19696513.1406623650372.JavaMail.zimbra@redhat.com>
References: <929661017.19696513.1406623650372.JavaMail.zimbra@redhat.com>
Message-ID: <40A865E4-1A9E-4768-B61B-EA5A13F4BD68@icloud.com>

I looked at your examples in the audit directory and also tried out the UI to verify that I can configure the JBoss logger, and saw the log entries in the admin console. But how do I add my own? I made a copy of your jboss-logging example but I'm not sure where to put the jar and the configurations. Can you provide more info? Thx.

On Jul 29, 2014, at 4:47 AM, Stian Thorgersen wrote:

> Not before, but you can after it's been registered. See http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/audit.html#d4e1166
>
> Ignore the fact it's called an AuditListener, the name should have been EventListener.
>
> ----- Original Message -----
> > From: "Christina Lau"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 28 July, 2014 8:52:19 PM
> > Subject: [keycloak-user] How can I customize the New User Registration workflow?
> >
> > Is it possible to add a call to my own code before a new user is added to the system using the New User Registration form? I need to call some other services when onboarding a new user. Thx.
> >
> > Christina

From aarondheld at gmail.com Mon Aug 4 17:03:15 2014
From: aarondheld at gmail.com (Aaron Held)
Date: Mon, 4 Aug 2014 17:03:15 -0400
Subject: [keycloak-user] How to validate LDAP connection?

I'm setting up keycloak to test it out and having trouble setting up and testing the LDAP input.

Is there a way to explicitly test that the LDAP is set up correctly? No matter what I enter into the settings page, I don't see anything in the logs and I don't see any new users on the users page.

What I am looking for is a way to use our ActiveDirectory (via LDAP) as the source. I'm not sure if it will support roles from AD yet, but that would be my next step.

thanks,
-Aaron

From peterson.dean at gmail.com Mon Aug 4 23:16:33 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 4 Aug 2014 22:16:33 -0500
Subject: [keycloak-user] Docker Image error

I installed Docker on my Windows Server 2012 R2 machine and tried to use the Keycloak Docker image. I ran "docker run -it -p 8080:8080 -p 9090:9090 jboss/keycloak" and received the following error:

java.lang.IllegalArgumentException: Failed to instantiate class "org.jboss.logmanager.handlers.PeriodicRotatingFileHandler" for handler "FILE"
        at org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:119)
        . . .
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:117)
        ... 19 more
Caused by: java.io.FileNotFoundException: /opt/wildfly/standalone/log/server.log (No such file or directory)
        at java.io.FileOutputStream.open(Native Method)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:221)

Any ideas?

From mposolda at redhat.com Tue Aug 5 05:11:19 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 05 Aug 2014 11:11:19 +0200
Subject: [keycloak-user] How to validate LDAP connection?
Message-ID: <53E09FB7.30205@redhat.com>

Hi,

in the beta-4 version (planned to be released on Wednesday) there are some improvements in LDAP support, which allow you to "federate" users from your LDAP server and import them into your database. If you are curious, you can try the latest Keycloak master. Note that just some users (those which are authenticated or explicitly searched by an admin) will be imported from LDAP into the Keycloak DB and viewable in the UI. For a full import of all LDAP users into the Keycloak database there will be sync support, but that will be in the next version later in August.

Marek

On 4.8.2014 23:03, Aaron Held wrote:
> I'm setting up keycloak to test it out and having trouble setting up and testing the LDAP input.
>
> Is there a way to explicitly test that the LDAP is set up correctly? No matter what I enter into the settings page, I don't see anything in the logs and I don't see any new users on the users page.
>
> What I am looking for is a way to use our ActiveDirectory (via LDAP) as the source. I'm not sure if it will support roles from AD yet, but that would be my next step.
>
> thanks,
> -Aaron

From rodrigopsasaki at gmail.com Tue Aug 5 07:38:33 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 5 Aug 2014 08:38:33 -0300
Subject: [keycloak-user] "Remember Me" feature on Social Login
In-Reply-To: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com>
References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com>

Hi, just wondering, is there any prediction on when this feature will be implemented?

On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen wrote:

> It's planned, just not implemented yet.
>
> One of the reasons was that we couldn't figure out an elegant placement for the remember-me checkbox.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 29 July, 2014 12:15:15 PM
> > Subject: [keycloak-user] "Remember Me" feature on Social Login
> >
> > Hi,
> >
> > I know this doesn't exist now, but I was wondering if it is something that is planned to be implemented, or if there's a particular reason why it isn't.
> >
> > Thanks!
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From aarondheld at gmail.com Tue Aug 5 15:22:06 2014
From: aarondheld at gmail.com (Aaron Held)
Date: Tue, 5 Aug 2014 15:22:06 -0400
Subject: [keycloak-user] How to validate LDAP connection?
In-Reply-To: <53E09FB7.30205@redhat.com>
References: <53E09FB7.30205@redhat.com>

Thanks,

I'll give that one a shot.

I don't need the sync, I'm ok with a live lookup - I was just looking for a quick way to test it out.

The best I could come up with was to set up the LDAP server and then in another browser try to log in as different users; I could see errors in the log.

-Aaron

On Tue, Aug 5, 2014 at 5:11 AM, Marek Posolda wrote:

> Hi,
>
> in the beta-4 version (planned to be released on Wednesday) there are some improvements in LDAP support, which allow you to "federate" users from your LDAP server and import them into your database. If you are curious, you can try the latest Keycloak master. Note that just some users (those which are authenticated or explicitly searched by an admin) will be imported from LDAP into the Keycloak DB and viewable in the UI. For a full import of all LDAP users into the Keycloak database there will be sync support, but that will be in the next version later in August.
>
> Marek
>
> On 4.8.2014 23:03, Aaron Held wrote:
> > I'm setting up keycloak to test it out and having trouble setting up and testing the LDAP input.
> >
> > Is there a way to explicitly test that the LDAP is set up correctly? No matter what I enter into the settings page, I don't see anything in the logs and I don't see any new users on the users page.
> >
> > What I am looking for is a way to use our ActiveDirectory (via LDAP) as the source. I'm not sure if it will support roles from AD yet, but that would be my next step.
> >
> > thanks,
> > -Aaron

From bburke at redhat.com Tue Aug 5 23:02:28 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 05 Aug 2014 23:02:28 -0400
Subject: [keycloak-user] Beta 4 released
Message-ID: <53E19AC4.7040602@redhat.com>

Hope everything is good with it. Let me know if you find any show stoppers.

http://bill.burkecentral.com/2014/08/06/keycloak-beta-4-released/

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Wed Aug 6 02:32:29 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 06 Aug 2014 08:32:29 +0200
Subject: [keycloak-user] How to validate LDAP connection?
References: <53E09FB7.30205@redhat.com>
Message-ID: <53E1CBFD.6010103@redhat.com>

You can try the latest beta-4, released yesterday. Also look at the updated documentation: http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/user_federation.html . If you are still having issues, you can share them and attach errors/stacktraces here.

Marek

On 5.8.2014 21:22, Aaron Held wrote:
> Thanks,
>
> I'll give that one a shot.
>
> I don't need the sync, I'm ok with a live lookup - I was just looking for a quick way to test it out.
>
> The best I could come up with was to set up the LDAP server and then in another browser try to log in as different users; I could see errors in the log.
>
> -Aaron
>
> On Tue, Aug 5, 2014 at 5:11 AM, Marek Posolda wrote:
>
> > Hi,
> >
> > in the beta-4 version (planned to be released on Wednesday) there are some improvements in LDAP support, which allow you to "federate" users from your LDAP server and import them into your database. If you are curious, you can try the latest Keycloak master. Note that just some users (those which are authenticated or explicitly searched by an admin) will be imported from LDAP into the Keycloak DB and viewable in the UI. For a full import of all LDAP users into the Keycloak database there will be sync support, but that will be in the next version later in August.
> >
> > Marek
> >
> > On 4.8.2014 23:03, Aaron Held wrote:
> > > I'm setting up keycloak to test it out and having trouble setting up and testing the LDAP input.
> > >
> > > Is there a way to explicitly test that the LDAP is set up correctly? No matter what I enter into the settings page, I don't see anything in the logs and I don't see any new users on the users page.
> > >
> > > What I am looking for is a way to use our ActiveDirectory (via LDAP) as the source. I'm not sure if it will support roles from AD yet, but that would be my next step.
> > >
> > > thanks,
> > > -Aaron
From rodrigopsasaki at gmail.com Wed Aug 6 09:58:43 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 6 Aug 2014 10:58:43 -0300
Subject: [keycloak-user] Bearer Only Application access with token
References: <53D7B6CB.8080001@redhat.com>

Is there any news on this? I tried it on beta-4 on wildfly and I still get the same response.

On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki wrote:

> I made sure of all that, I just recreated everything using realm roles just for the sake of completeness, but I'm still getting a 403
>
> On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <vivsriva at cisco.com> wrote:
>
> > Make sure you have the following settings configured for your database service:
> >
> > In the web.xml, make sure you have the security setup with the appropriate user role:
> >
> > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> >          version="3.0">
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>database</web-resource-name>
> >             <url-pattern>/*</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>user</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <login-config>
> >         <auth-method>KEYCLOAK</auth-method>
> >         <realm-name>demo</realm-name>
> >     </login-config>
> >
> >     <security-role>
> >         <role-name>user</role-name>
> >     </security-role>
> >
> > </web-app>
> >
> > From: Rodrigo Sasaki
> > Date: Tuesday, July 29, 2014 at 12:51 PM
> > To: Bill Burke
> > Cc: "keycloak-user at lists.jboss.org"
> > Subject: Re: [keycloak-user] Bearer Only Application access with token
> >
> > It is defined under the application itself, so it's under the scope. This should be working, right?
> >
> > On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke wrote:
> >
> > > What kind of role is it? Is the new role defined under the "database-service" application? If not, then you must add this role to the "database-service"'s scope in the admin console.
> > >
> > > On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
> > > > Hi,
> > > >
> > > > I'm trying to secure a bearer-only application with keycloak, to access it with access tokens, but I think I'm missing something.
> > > >
> > > > I tried it with the database-service of the unconfigured demo.
> > > >
> > > > 1. I created the user role in the application.
> > > > 2. I assigned that role to my user
> > > > 3. I copied the contents of the installation json to *webapp/META-INF/keycloak.json*
> > > >
> > > > {
> > > >   "realm": "demo",
> > > >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
> > > >   "bearer-only": true,
> > > >   "ssl-not-required": true,
> > > >   "resource": "database-service",
> > > >   "use-resource-role-mappings": true
> > > > }
> > > >
> > > > 4. Set the auth-method to *KEYCLOAK* in web.xml
> > > > 5. Started the server deploying the *database-service*
> > > > 6. Generated a token using the *security-admin-console* client_id and my user
> > > > 7. Submitted a GET request to /localhost:8080/database/customers/
> > > >
> > > > After these steps I get a 403 error, saying that I'm not authorized to access the resource. Wasn't this supposed to work?
>>> >
>>> > --
>>> > Rodrigo Sasaki
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>> --
>> Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

--
Rodrigo Sasaki

From bburke at redhat.com Wed Aug 6 10:06:25 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 06 Aug 2014 10:06:25 -0400
Subject: [keycloak-user] Bearer Only Application access with token
In-Reply-To:
References: <53D7B6CB.8080001@redhat.com>
Message-ID: <53E23661.3030008@redhat.com>

How do you obtain the token? Access tokens are created specifically for the application/oauth client that initiated the token protocol. So the access token will be stuffed with only the role mappings for that application/oauth client. A bearer-only application doesn't need a scope configured because it never initiates a login.

I changed things in beta 4 to hopefully mitigate the confusion around "scope". Applications have a full scope enabled by default now.

On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:
> Is there any news on this? I tried it on beta-4 on wildfly and I still get the same response.
>
> On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki wrote:
>
> I made sure of all that, I just recreated everything using realm roles just for the sake of completeness, but I'm still getting a 403
>
> On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) wrote:
>
> --
> Rodrigo Sasaki

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Wed Aug 6 10:21:13 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 6 Aug 2014 11:21:13 -0300
Subject: [keycloak-user] Bearer Only Application access with token
In-Reply-To: <53E2393B.2040509@redhat.com>
References:
<53D7B6CB.8080001@redhat.com> <53E23661.3030008@redhat.com> <53E2393B.2040509@redhat.com>
Message-ID:

Oh, that was it. The client needs to have the roles from the application, I didn't think of that. Thank you again for copying back the mailing list, because I didn't reply to it by mistake.

On Wed, Aug 6, 2014 at 11:18 AM, Bill Burke wrote:
> The security-admin-console has a limited scope, so the access token doesn't get populated with the roles you desire. A quick workaround is to go to the Scope page on the security-admin-console and click "Full scope allowed".
>
> IMO, instead, you should create an oauth client and assign the scope you want for that client_id. This allows you to:
>
> * Reduce the size of the access token created for that client_id
> * Limit the roles that tokens created for that client_id can obtain.
>
> Scope is really an extra security measure. For example, with scope, you can enforce that only the security-console-application can ever get tokens that have admin roles within it.
>
> On 8/6/2014 10:10 AM, Rodrigo Sasaki wrote:
>> I get the token sending a POST using *security-admin-console* as *client_id*.
>>
>> The application I'm trying to access is bearer only, so I can't generate a token directly for it
>>
>> On Wed, Aug 6, 2014 at 11:06 AM, Bill Burke wrote:
>>
>> --
>> Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Rodrigo Sasaki

From spousty at redhat.com Wed Aug 6 12:01:37 2014
From: spousty at redhat.com (Steven Pousty)
Date: Wed, 06 Aug 2014 09:01:37 -0700
Subject: [keycloak-user] How do I get just keycloak.js
Message-ID: <53E25161.3060206@redhat.com>

Hey all:
Where is the keycloak.js file? I have looked through the WAR download and can not find it.

Why is the JS adapter not included with the WAR file?

Is it on a CDN?
Thanks
Steve

From bburke at redhat.com Wed Aug 6 12:16:54 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 06 Aug 2014 12:16:54 -0400
Subject: [keycloak-user] How do I get just keycloak.js
In-Reply-To: <53E25161.3060206@redhat.com>
References: <53E25161.3060206@redhat.com>
Message-ID: <53E254F6.3050802@redhat.com>

GET /auth/js/keycloak.js
GET /auth/js/keycloak.min.js

Or get it through Bower:

https://github.com/keycloak/keycloak-js-bower

On 8/6/2014 12:01 PM, Steven Pousty wrote:

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From spousty at redhat.com Wed Aug 6 12:25:31 2014
From: spousty at redhat.com (Steven Pousty)
Date: Wed, 06 Aug 2014 09:25:31 -0700
Subject: [keycloak-user] How do I get just keycloak.js
In-Reply-To: <53E254F6.3050802@redhat.com>
References: <53E25161.3060206@redhat.com> <53E254F6.3050802@redhat.com>
Message-ID: <53E256FB.1070800@redhat.com>

But what if I am trying to get the JS from a different domain. Domain A is the JS app and domain B is the Keycloak server. I also have no interest in learning yet another tech (Bower) just to get my hands on the JS file.

Can we not just put it somewhere nice in the zip file? Even better can we not just put it in google or someone else's CDN?

On 08/06/2014 09:16 AM, Bill Burke wrote:

From bburke at redhat.com Wed Aug 6 12:30:57 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 06 Aug 2014 12:30:57 -0400
Subject: [keycloak-user] How do I get just keycloak.js
In-Reply-To: <53E256FB.1070800@redhat.com>
References: <53E25161.3060206@redhat.com> <53E254F6.3050802@redhat.com> <53E256FB.1070800@redhat.com>
Message-ID: <53E25841.5090405@redhat.com>

Browsers allow you to download javascript cross-domain, but I'll submit a jira to add the javascript to the adapters/ directory of the distribution.

On 8/6/2014 12:25 PM, Steven Pousty wrote:

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From spousty at redhat.com Wed Aug 6 12:38:32 2014
From: spousty at redhat.com (Steven Pousty)
Date: Wed, 06 Aug 2014 09:38:32 -0700
Subject: [keycloak-user] How do I get just keycloak.js
In-Reply-To: <53E25841.5090405@redhat.com>
References: <53E25161.3060206@redhat.com> <53E254F6.3050802@redhat.com> <53E256FB.1070800@redhat.com> <53E25841.5090405@redhat.com>
Message-ID: <53E25A08.9080609@redhat.com>

Could we also get it here?

https://developers.google.com/speed/libraries/

I am willing to do some research if we can agree to give them the latest releases

Thanks
Steve

On 08/06/2014 09:30 AM, Bill Burke wrote:

From bruno at abstractj.org Wed Aug 6 12:47:40 2014
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 6 Aug 2014 13:47:40 -0300
Subject: [keycloak-user] How do I get just keycloak.js
In-Reply-To: <53E256FB.1070800@redhat.com>
References: <53E25161.3060206@redhat.com> <53E254F6.3050802@redhat.com> <53E256FB.1070800@redhat.com>
Message-ID: <20140806164740.GB12898@abstractj.org>

You can also get it directly from GH

- wget https://raw.githubusercontent.com/keycloak/keycloak-js-bower/master/dist/keycloak.js
- wget https://raw.githubusercontent.com/keycloak/keycloak-js-bower/master/dist/keycloak.min.js

On 2014-08-06, Steven Pousty wrote:

--
abstractj
PGP: 0x84DC9914

From aarondheld at gmail.com Thu Aug 7 11:43:19 2014
From: aarondheld at gmail.com (Aaron Held)
Date: Thu, 7 Aug 2014 11:43:19 -0400
Subject: [keycloak-user] How to validate LDAP connection?
In-Reply-To: <53E1CBFD.6010103@redhat.com>
References: <53E09FB7.30205@redhat.com> <53E1CBFD.6010103@redhat.com>
Message-ID:

The updated LDAP screens in the new beta were exactly what I needed! Thanks for the update, I had trouble getting the LDAP settings right and with this version I was able to watch the logs and figure it out.

On Wed, Aug 6, 2014 at 2:32 AM, Marek Posolda wrote:
> You can try latest beta-4 released yesterday. And also look at updated documentation http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/user_federation.html . If you are still having issues, you can share them and attach errors/stacktraces here.
>
> Marek
>
> On 5.8.2014 21:22, Aaron Held wrote:
>> Thanks,
>>
>> I'll give that one a shot.
>>
>> I don't need the sync, I'm ok with a live lookup - I was just looking for a quick way to test it out.
>>
>> The best I could come up with was to set up the LDAP server and then in another browser try to login as different users, I could see errors in the log.
>>
>> -Aaron
>>
>> On Tue, Aug 5, 2014 at 5:11 AM, Marek Posolda wrote:

From rodrigopsasaki at gmail.com Fri Aug 8 11:10:54 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Fri, 8 Aug 2014 12:10:54 -0300
Subject: [keycloak-user] Migration from Beta-2 to Beta-4
Message-ID:

Is there a step by step on how I should proceed on migrating keycloak versions?

I tried to simply deploy the beta-4, but I had some weird symptoms.
Even though I had the same datasource configuration, keycloak acted as though I didn't have any data, asking me for a new password for the admin account.

I checked my mysql and everything is there, and the datasource is the same, since the standalone.xml is the same.

I'm using the wildfly bundled on the appliance distribution.

Is there something specific I should be careful with? Or a different procedure I should have tried?

Thanks

--
Rodrigo Sasaki

From mposolda at redhat.com Fri Aug 8 12:29:53 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 08 Aug 2014 18:29:53 +0200
Subject: [keycloak-user] Migration from Beta-2 to Beta-4
In-Reply-To:
References:
Message-ID: <53E4FB01.9030403@redhat.com>

Hi,

I think that just deploying the new auth-server.war may not be enough... You may also need to update keycloak-server.json, themes in standalone/configuration and modules (download latest WAR distribution for latest files). Also it might be useful to look at http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/Migration_from_older_versions.html#d4e1342 .

For migrating whole database content, it might be quite tricky. Keycloak is still in development and format of data and DB schema has changed. There was quite big refactoring (like splitting the model, renaming tables, columns etc). AFAIK we don't officially support migration of data between 2 beta versions, so if you have large amount of data and it's an issue for you to reimport them again from external source, you may need to create some SQL scripts for migrating DB by yourself.

You may start with creating new MySQL DB and just configure it with beta-4 and fill some simple data (like create few users in Keycloak UI etc). Then if you look at DB, you can see the new format of data and what exactly has changed, so it may help you to create SQL scripts for migrating your old "beta-2 compatible" DB to new "beta-4 compatible" format.

Sorry, I don't have better advice for you ATM :-(

Marek

On 8.8.2014 17:10, Rodrigo Sasaki wrote:
> Is there a step by step on how I should proceed on migrating keycloak versions?
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Fri Aug 8 12:35:05 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Fri, 8 Aug 2014 13:35:05 -0300
Subject: [keycloak-user] Migration from Beta-2 to Beta-4
In-Reply-To: <53E4FB01.9030403@redhat.com>
References: <53E4FB01.9030403@redhat.com>
Message-ID:

That's alright, I figured it would be something like this when I saw all the changes that happened in the model, but I had to ask before I started doing anything.

Thank you very much, Marek

On Fri, Aug 8, 2014 at 1:29 PM, Marek Posolda wrote:
> Hi,
>
> I think that just deploying the new auth-server.war may not be enough...
>
> Marek

--
Rodrigo Sasaki

From stian at redhat.com Mon Aug 11 04:24:42 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 11 Aug 2014 04:24:42 -0400 (EDT)
Subject: [keycloak-user] "Remember Me" feature on Social Login
In-Reply-To:
References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com>
Message-ID: <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com>

It won't be until after 1.0.final has been released, but we'll aim to add it for 1.1.

JIRA: https://issues.jboss.org/browse/KEYCLOAK-332

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 5 August, 2014 12:38:33 PM
> Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>
> Hi, just wondering, is there any prediction on when this feature will be implemented?
>
> On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen wrote:
> > It's planned just not implemented yet.
> >
> > One of the reasons was that we couldn't figure out an elegant placement for the remember-me checkbox.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, 29 July, 2014 12:15:15 PM
> > > Subject: [keycloak-user] "Remember Me" feature on Social Login
> > >
> > > Hi,
> > >
> > > I know this doesn't exist now, but I was wondering if it is something that is planned to be implemented, or if there's a particular reason why it isn't.
> > >
> > > Thanks!
> > > > > > -- > > > Rodrigo Sasaki > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Rodrigo Sasaki > From stian at redhat.com Mon Aug 11 06:04:22 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 06:04:22 -0400 (EDT) Subject: [keycloak-user] How do I get just keycloak.js In-Reply-To: <53E25A08.9080609@redhat.com> References: <53E25161.3060206@redhat.com> <53E254F6.3050802@redhat.com> <53E256FB.1070800@redhat.com> <53E25841.5090405@redhat.com> <53E25A08.9080609@redhat.com> Message-ID: <1900386108.27617241.1407751462285.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Steven Pousty" > To: "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Wednesday, 6 August, 2014 5:38:32 PM > Subject: Re: [keycloak-user] How do I get just keycloak.js > > Could we also get it here? > > https://developers.google.com/speed/libraries/ > > I am willing to do some research if we can agree to give them the latest > releases Sounds like a good idea, if you can look into it that would be great. > > Thanks > Steve > > > On 08/06/2014 09:30 AM, Bill Burke wrote: > > Browsers allow you download javascript cross-domain, but I'll submit a > > jira to add the javascript to the adapters/ directory of the > > distribution. > > > > On 8/6/2014 12:25 PM, Steven Pousty wrote: > >> But what if I am trying to get the JS from a different domain. Domain A > >> is the JS app and domain B is the Keycloak server. I also have no > >> interest in learning yet another tech (Bower) just to get my hands on > >> the JS file. > >> > >> Can we not just put it somewhere nice in the zip file? Even better can > >> we not just put it in google or someone elses CDN? 
> >> > >> > >> On 08/06/2014 09:16 AM, Bill Burke wrote: > >>> GET /auth/js/keycloak.js > >>> GET /auth/js/keycloak.min.js > >>> > >>> Or get it through Bower: > >>> > >>> https://github.com/keycloak/keycloak-js-bower > >>> > >>> On 8/6/2014 12:01 PM, Steven Pousty wrote: > >>>> Hey all: > >>>> Where is the keycloak.js file? I have looked through the WAR download > >>>> and can not find it. > >>>> > >>>> Why is the JS adapter not included with the WAR file? > >>>> > >>>> Is it on a CDN? > >>>> > >>>> Thanks > >>>> Steve > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Mon Aug 11 06:46:39 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 06:46:39 -0400 (EDT) Subject: [keycloak-user] Setting up Postgresql Database with OpenShift In-Reply-To: <53DC227C.1070704@redhat.com> References: <53DC227C.1070704@redhat.com> Message-ID: <1892117582.27739395.1407753999017.JavaMail.zimbra@redhat.com> When creating the Keycloak gear add the postgresql add-on gear. Once it's up and running ssh to the gear, edit: standalone/configuration/standalone.xml There's an example datasource for PostgreSQL already there, use this as a reference to change the KeycloakDS datasource. I wanted to make it so that it would automatically detect if MySQL or PostgreSQL was added and configure Keycloak on first startup accordingly, but haven't had time to look at that yet. 
----- Original Message ----- > From: "Steven Pousty" > To: keycloak-user at lists.jboss.org > Sent: Saturday, 2 August, 2014 12:27:56 AM > Subject: [keycloak-user] Setting up Postgresql Database with OpenShift > > Is there documentation or description about how to add Postgresql as the > database behind Keycloak on OpenShift? > Do I just add a postgresql cart and then treat it the same as the other > instructions? > > Thanks > Steve > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From rodrigopsasaki at gmail.com Mon Aug 11 12:34:59 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Mon, 11 Aug 2014 13:34:59 -0300 Subject: [keycloak-user] Problem deploying JBoss AS 7 with beta 4 Message-ID: Hi, I'm trying to deploy my web application, linking to a keycloak in another server, this used to work until I deployed beta 4 on it. The error I get is not very clear: 13:20:55,153 INFO [org.keycloak.adapters.as7.KeycloakAuthenticatorValve] (MSC service thread 1-12) **** using /WEB-INF/keycloak.json 13:20:55,160 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-12) MSC00001: Failed to start service jboss.web.deployment.default-host./: org.jboss.msc.service.StartException in service jboss.web.deployment.default-host./: *JBAS018040: Failed to start context* at org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:95) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60] at 
java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60] Is this something that is known? I think it might have something to do with the *ssl-required* value on keycloak.json that has changed, but I'm not sure. -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140811/409e9458/attachment-0001.html From rodrigopsasaki at gmail.com Mon Aug 11 17:20:19 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Mon, 11 Aug 2014 18:20:19 -0300 Subject: [keycloak-user] Problem deploying JBoss AS 7 with beta 4 In-Reply-To: References: Message-ID: The problem was that I hadn't extracted the latest adapters on my jboss, I thought I didn't have to, since keycloak is on a remote server, my mistake. It failed because it expected a *ssl-not-required* boolean instead of a *ssl-required* String. Sorry for the lack of attention. On Mon, Aug 11, 2014 at 1:34 PM, Rodrigo Sasaki wrote: > Hi, I'm trying to deploy my web application, linking to a keycloak in > another server, this used to work until I deployed beta 4 on it. 
> > The error I get is not very clear: > > 13:20:55,153 INFO [org.keycloak.adapters.as7.KeycloakAuthenticatorValve] > (MSC service thread 1-12) **** using /WEB-INF/keycloak.json > 13:20:55,160 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-12) > MSC00001: Failed to start service jboss.web.deployment.default-host./: > org.jboss.msc.service.StartException in service > jboss.web.deployment.default-host./: *JBAS018040: Failed to start context* > at > org.jboss.as.web.deployment.WebDeploymentService.start(WebDeploymentService.java:95) > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) > [jboss-msc-1.0.2.GA.jar:1.0.2.GA] > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) > [jboss-msc-1.0.2.GA.jar:1.0.2.GA] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_60] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_60] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60] > > Is this something that is known? I think it might have something to do > with the *ssl-required* value on keycloak.json that has changed, but I'm > not sure. > > -- > Rodrigo Sasaki > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... 
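A config check for the adapter change Rodrigo ran into, added here as an example; it is not code from Keycloak or from anyone on this thread. It classifies a keycloak.json by whether it carries the pre-beta-4 boolean "ssl-not-required" or the beta-4 string "ssl-required", rewrites the old form to the new one, and flags the settings a reviewer would question before a deploy (an ssl-required of none means tokens and codes can travel over plain HTTP). The sample configs are constructed; the key names other than the two ssl keys, the set of accepted ssl-required values and the legacy-to-new mapping are assumptions, not something the thread states.

```python
"""Classify a Keycloak adapter keycloak.json by the ssl setting it carries.

Added example, not Keycloak's code. Per the thread, beta-4 adapters read the
string key "ssl-required" (external|all|none); earlier betas read the boolean
key "ssl-not-required". Key names other than those two follow the 1.0-era
adapter config layout and are assumptions for this example.
"""
import json

LEGACY_KEY = "ssl-not-required"   # boolean, pre-beta-4 adapters
CURRENT_KEY = "ssl-required"      # string, beta-4 adapters onward
SSL_REQUIRED_VALUES = ("external", "all", "none")   # assumed value set
REQUIRED_KEYS = ("realm", "auth-server-url", "resource")  # assumed layout

# Constructed sample configs, not taken from the thread.
SAMPLE_LEGACY = """{
  "realm": "demo", "resource": "my-app",
  "auth-server-url": "http://sso.example.test:8080/auth",
  "ssl-not-required": true
}"""
SAMPLE_CURRENT = """{
  "realm": "demo", "resource": "my-app",
  "auth-server-url": "https://sso.example.test/auth",
  "ssl-required": "external",
  "credentials": {"secret": "redacted"}
}"""


def check_adapter_config(text):
    """Return {"format": ..., "findings": [...]} for a keycloak.json string.

    format is "legacy", "current", "mixed" or "none"; findings are short codes
    a deployment checklist can key on.
    """
    cfg = json.loads(text)
    findings = []
    has_legacy, has_current = LEGACY_KEY in cfg, CURRENT_KEY in cfg

    if has_legacy and has_current:
        fmt = "mixed"
        findings.append("mixed-ssl-keys")        # adapter reads only one of them
    elif has_legacy:
        fmt = "legacy"
        if not isinstance(cfg[LEGACY_KEY], bool):
            findings.append("legacy-not-bool")
        elif cfg[LEGACY_KEY]:
            findings.append("tls-off")           # TLS never required
    elif has_current:
        fmt = "current"
        value = cfg[CURRENT_KEY]
        if value not in SSL_REQUIRED_VALUES:
            findings.append("bad-ssl-required")  # not a value the adapter knows
        elif value == "none":
            findings.append("tls-off")
        elif value == "external":
            findings.append("tls-external-only")  # private ranges may use http
    else:
        fmt = "none"
        findings.append("no-ssl-key")            # adapter default applies

    for key in REQUIRED_KEYS:
        if key not in cfg:
            findings.append("missing-" + key)
    if str(cfg.get("auth-server-url", "")).startswith("http://"):
        findings.append("plain-http-auth-server-url")
    return {"format": fmt, "findings": findings}


def migrate_legacy(text):
    """Rewrite a pre-beta-4 config to the beta-4 key. The mapping is an
    assumption: ssl-not-required true -> "none", false -> "all"."""
    cfg = json.loads(text)
    if LEGACY_KEY in cfg:
        cfg[CURRENT_KEY] = "none" if cfg.pop(LEGACY_KEY) else "all"
    return json.dumps(cfg, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, sample in (("legacy", SAMPLE_LEGACY), ("current", SAMPLE_CURRENT)):
        print(name, check_adapter_config(sample))
    print(migrate_legacy(SAMPLE_LEGACY))
```

The adapter generation and the keycloak.json generation have to match, which is the mismatch behind the unhelpful "Failed to start context" above, so treat "mixed" and "bad-ssl-required" as deploy failures rather than guessing which key wins.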
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140811/11b77b88/attachment.html From rodrigopsasaki at gmail.com Tue Aug 12 08:47:28 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 12 Aug 2014 09:47:28 -0300 Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> Message-ID: I was wondering, could you give me some pointers so I could try and implement this myself? I was looking at the mechanics on the already implemented feature, for username + password login, and I saw that I have to set a cookie, which I'd have todo on *SocialResource.redirectToProviderAuth* But I couldn't figure out how it uses the remember me cookie to evaluate and authenticate the user on the next access. I'm looking into it now, but anything you can help me with would be great, if it interests you. On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen wrote: > It won't be until after 1.0.final has been released, but we'll aim to add > it for 1.1. > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > Hi, just wondering, is there any prediction on when this feature will be > > implemented? > > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen > wrote: > > > > > It's planned just not implemented yet. > > > > > > One of the reasons was that we couldn't figure out an elegant placement > > > for the remember-me checkbox. 
> > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > > > > Subject: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > Hi, > > > > > > > > I know this doesn't exist now, but I was wondering if it is something > > > that is > > > > planned to be implemented, or if there's a particular reason why it > > > isn't. > > > > > > > > Thanks! > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140812/f0571b85/attachment.html From stian at redhat.com Tue Aug 12 09:23:02 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 12 Aug 2014 09:23:02 -0400 (EDT) Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> Message-ID: <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> Basically what's needed is: * Add a remember me option for social - this is non-trivial as atm social logins are links so needs to be changed to submitting a form * Set the login cookie in SocialResource.redirectToProviderAuth if this remember me check-box is set Reading the cookie is already handled, as it should set the same cookie as the "regular" login does. 
If you'd like to do this that would be great :) ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 12 August, 2014 1:47:28 PM > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > I was wondering, could you give me some pointers so I could try and > implement this myself? I was looking at the mechanics on the already > implemented feature, for username + password login, and I saw that I have > to set a cookie, which I'd have todo on > *SocialResource.redirectToProviderAuth* > > But I couldn't figure out how it uses the remember me cookie to evaluate > and authenticate the user on the next access. I'm looking into it now, but > anything you can help me with would be great, if it interests you. > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen wrote: > > > It won't be until after 1.0.final has been released, but we'll aim to add > > it for 1.1. > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > > > Hi, just wondering, is there any prediction on when this feature will be > > > implemented? > > > > > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen > > wrote: > > > > > > > It's planned just not implemented yet. > > > > > > > > One of the reasons was that we couldn't figure out an elegant placement > > > > for the remember-me checkbox. 
> > > > > > > > ----- Original Message ----- > > > > > From: "Rodrigo Sasaki" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > > > > > Subject: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > > > Hi, > > > > > > > > > > I know this doesn't exist now, but I was wondering if it is something > > > > that is > > > > > planned to be implemented, or if there's a particular reason why it > > > > isn't. > > > > > > > > > > Thanks! > > > > > > > > > > -- > > > > > Rodrigo Sasaki > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > -- > > > Rodrigo Sasaki > > > > > > > > > -- > Rodrigo Sasaki > From rodrigopsasaki at gmail.com Tue Aug 12 09:49:19 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 12 Aug 2014 10:49:19 -0300 Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> Message-ID: So you're saying I have to change the HTML pages to make it submit a form? I really don't understand how the interface works on Keycloak, could you tell me the name of the file that handles the login page, if I understood correctly. And I'll study it on from there. 
On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen wrote: > Basically what's needed is: > > * Add a remember me option for social - this is non-trivial as atm > social logins are links so needs to be changed to submitting a form > * Set the login cookie in SocialResource.redirectToProviderAuth if this > remember me check-box is set > > Reading the cookie is already handled, as it should set the same cookie as > the "regular" login does. > > If you'd like to do this that would be great :) > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, 12 August, 2014 1:47:28 PM > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > I was wondering, could you give me some pointers so I could try and > > implement this myself? I was looking at the mechanics on the already > > implemented feature, for username + password login, and I saw that I have > > to set a cookie, which I'd have todo on > > *SocialResource.redirectToProviderAuth* > > > > But I couldn't figure out how it uses the remember me cookie to evaluate > > and authenticate the user on the next access. I'm looking into it now, > but > > anything you can help me with would be great, if it interests you. > > > > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen > wrote: > > > > > It won't be until after 1.0.final has been released, but we'll aim to > add > > > it for 1.1. > > > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: "Stian Thorgersen" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > Hi, just wondering, is there any prediction on when this feature > will be > > > > implemented? 
> > > > > > > > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen > > > wrote: > > > > > > > > > It's planned just not implemented yet. > > > > > > > > > > One of the reasons was that we couldn't figure out an elegant > placement > > > > > for the remember-me checkbox. > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Rodrigo Sasaki" > > > > > > To: keycloak-user at lists.jboss.org > > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > > > > > > Subject: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > > > > > Hi, > > > > > > > > > > > > I know this doesn't exist now, but I was wondering if it is > something > > > > > that is > > > > > > planned to be implemented, or if there's a particular reason why > it > > > > > isn't. > > > > > > > > > > > > Thanks! > > > > > > > > > > > > -- > > > > > > Rodrigo Sasaki > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... 
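For what Stian sketches above (set the login cookie when the remember-me box is ticked; reading it back is shared with the regular login), here is the shape of a persistent-login cookie done carefully, as an added example that is not Keycloak's code and is not from anyone on this thread. The browser holds selector:validator, the server keeps only a hash of the validator, a presented token is rotated on every use so a stolen copy stops working as soon as the real browser returns, and a password change or logout-everywhere can revoke all of a user's tokens. The cookie name, lifetime, path and the in-memory store are assumptions.

```python
"""Persistent-login ("remember me") cookie handling, as an added example.

Not Keycloak's code. Shows issue / consume / revoke for a selector:validator
cookie where the server stores only a hash of the validator. Names, lifetime
and the in-memory store are assumptions standing in for a real DB table.
"""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "KEYCLOAK_REMEMBER_ME"   # assumed name
COOKIE_TTL = 30 * 24 * 3600            # 30 days, assumed policy


def _digest(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


class RememberMeStore:
    """In-memory stand-in for the table a real server would use."""

    def __init__(self):
        self._rows = {}  # selector -> (validator_hash, user_id, expires_at)

    def issue(self, user_id, now=None):
        """Create a token for user_id and return the cookie value to send.
        Call this only when the login form (a POST, not a bare link) carried
        the remember-me flag, whether the credentials came from a password
        or from a social provider."""
        now = now or time.time()
        selector = secrets.token_urlsafe(12)    # public lookup key
        validator = secrets.token_urlsafe(32)   # the secret part, never stored
        self._rows[selector] = (_digest(validator), user_id, now + COOKIE_TTL)
        return f"{selector}:{validator}"

    def consume(self, cookie_value, now=None):
        """Validate a presented cookie. Returns (user_id, new_cookie_value)
        or None. A valid token is rotated, so a copied cookie is dead once
        the legitimate browser has used the original."""
        now = now or time.time()
        if not cookie_value or ":" not in cookie_value:
            return None
        selector, validator = cookie_value.split(":", 1)
        row = self._rows.get(selector)
        if row is None:
            return None
        validator_hash, user_id, expires_at = row
        # Lookup is keyed on the selector; the secret is compared in constant
        # time against the stored hash, so neither step leaks via timing.
        if not hmac.compare_digest(validator_hash, _digest(validator)):
            self._rows.pop(selector, None)   # wrong secret for a known selector: kill it
            return None
        if now > expires_at:
            self._rows.pop(selector, None)
            return None
        del self._rows[selector]
        return user_id, self.issue(user_id, now)

    def revoke_all(self, user_id):
        """Logout everywhere / password change: drop every token of the user."""
        doomed = [s for s, (_, uid, _) in self._rows.items() if uid == user_id]
        for s in doomed:
            del self._rows[s]
        return len(doomed)


def set_cookie_header(value):
    """Attributes the cookie must carry; Secure assumes the login pages are
    only served over TLS (ssl-required not set to none)."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={COOKIE_TTL}; "
            "Path=/auth; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = RememberMeStore()
    first = store.issue("alice")
    print(set_cookie_header(first))
    print(store.consume(first))   # (user_id, rotated cookie)
    print(store.consume(first))   # None: the old value was consumed
```

Because social logins are currently plain links, the remember-me flag has to arrive with a form POST, as Stian notes; it should not be accepted from a query parameter on the provider redirect, since any page that can send the user to that link could then switch on persistent login for them.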
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140812/8939d81b/attachment-0001.html From stian at redhat.com Tue Aug 12 11:27:01 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 12 Aug 2014 11:27:01 -0400 (EDT) Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> Message-ID: <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com> The login form is: ./forms/common-themes/src/main/resources/theme/login/base/login.ftl It's FreeMarker templates. FYI as we're close to releasing 1.0.final we can't add this to master until after. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 12 August, 2014 2:49:19 PM > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > So you're saying I have to change the HTML pages to make it submit a form? > > I really don't understand how the interface works on Keycloak, could you > tell me the name of the file that handles the login page, if I understood > correctly. And I'll study it on from there. > > > On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen wrote: > > > Basically what's needed is: > > > > * Add a remember me option for social - this is non-trivial as atm > > social logins are links so needs to be changed to submitting a form > > * Set the login cookie in SocialResource.redirectToProviderAuth if this > > remember me check-box is set > > > > Reading the cookie is already handled, as it should set the same cookie as > > the "regular" login does. 
> > > > If you'd like to do this that would be great :) > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, 12 August, 2014 1:47:28 PM > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > > > I was wondering, could you give me some pointers so I could try and > > > implement this myself? I was looking at the mechanics on the already > > > implemented feature, for username + password login, and I saw that I have > > > to set a cookie, which I'd have todo on > > > *SocialResource.redirectToProviderAuth* > > > > > > But I couldn't figure out how it uses the remember me cookie to evaluate > > > and authenticate the user on the next access. I'm looking into it now, > > but > > > anything you can help me with would be great, if it interests you. > > > > > > > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen > > wrote: > > > > > > > It won't be until after 1.0.final has been released, but we'll aim to > > add > > > > it for 1.1. > > > > > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > > > > > > > > ----- Original Message ----- > > > > > From: "Rodrigo Sasaki" > > > > > To: "Stian Thorgersen" > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > > > Hi, just wondering, is there any prediction on when this feature > > will be > > > > > implemented? > > > > > > > > > > > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen > > > > wrote: > > > > > > > > > > > It's planned just not implemented yet. > > > > > > > > > > > > One of the reasons was that we couldn't figure out an elegant > > placement > > > > > > for the remember-me checkbox. 
> > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Rodrigo Sasaki" > > > > > > > To: keycloak-user at lists.jboss.org > > > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > > > > > > > Subject: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > I know this doesn't exist now, but I was wondering if it is > > something > > > > > > that is > > > > > > > planned to be implemented, or if there's a particular reason why > > it > > > > > > isn't. > > > > > > > > > > > > > > Thanks! > > > > > > > > > > > > > > -- > > > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > _______________________________________________ > > > > > > > keycloak-user mailing list > > > > > > > keycloak-user at lists.jboss.org > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > > > > > > -- > > > Rodrigo Sasaki > > > > > > > > > -- > Rodrigo Sasaki > From John.Schneider at carrier.utc.com Tue Aug 12 11:40:49 2014 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Tue, 12 Aug 2014 15:40:49 +0000 Subject: [keycloak-user] Direct Access Grants & 'Client Credentials' OAuth2 grant type Message-ID: Hi everyone, I've been evaluating the "Direct Access Grants" functionality of Keycloak. Overall, I think I can make it work for my use cases, but I do have a couple of concerns. Chapter 12 of the documentation compares Keycloak's Direct Access Grants functionality to OAuth2's "Resource Owner Password Credentials Grant." However, if I understand the specification correctly, this grant type is only for using the resource owner's credentials. What if we can't authorize using the resource owner credentials, but need to authorize the client itself using the client id and secret alone? For this, we need support for the "Client Credentials Grant". 
Is this planned for Keycloak 1.0? By adding the required "grant_type" parameter to the "tokens/grants/access" service endpoint, it seems like both the "password" and "client_credentials" could be supported, with the "client_credentials" grant type simply not requiring the username and password form parameters in the POST. Thoughts on this? Thanks, John -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140812/1600227b/attachment.html From rodrigopsasaki at gmail.com Tue Aug 12 12:08:12 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 12 Aug 2014 13:08:12 -0300 Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com> References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com> Message-ID: It's no problem, if I can come up with a suitable solution, I'll submit a PR and you can add it whenever it fits the schedule, I'm just pursuing this because it's one of the few things that we still need before we migrate everything. On Tue, Aug 12, 2014 at 12:27 PM, Stian Thorgersen wrote: > The login form is: > > ./forms/common-themes/src/main/resources/theme/login/base/login.ftl > > It's FreeMarker templates. FIY as we're close to releasing 1.0.final we > can't add this to master until after. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, 12 August, 2014 2:49:19 PM > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > So you're saying I have to change the HTML pages to make it submit a > form? 
> > > > I really don't understand how the interface works on Keycloak, could you > > tell me the name of the file that handles the login page, if I understood > > correctly. And I'll study it on from there. > > > > > > On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen > wrote: > > > > > Basically what's needed is: > > > > > > * Add a remember me option for social - this is non-trivial as atm > > > social logins are links so needs to be changed to submitting a form > > > * Set the login cookie in SocialResource.redirectToProviderAuth if > this > > > remember me check-box is set > > > > > > Reading the cookie is already handled, as it should set the same > cookie as > > > the "regular" login does. > > > > > > If you'd like to do this that would be great :) > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Sasaki" > > > > To: "Stian Thorgersen" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, 12 August, 2014 1:47:28 PM > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > > > > > > > I was wondering, could you give me some pointers so I could try and > > > > implement this myself? I was looking at the mechanics on the already > > > > implemented feature, for username + password login, and I saw that I > have > > > > to set a cookie, which I'd have todo on > > > > *SocialResource.redirectToProviderAuth* > > > > > > > > But I couldn't figure out how it uses the remember me cookie to > evaluate > > > > and authenticate the user on the next access. I'm looking into it > now, > > > but > > > > anything you can help me with would be great, if it interests you. > > > > > > > > > > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen > > > wrote: > > > > > > > > > It won't be until after 1.0.final has been released, but we'll aim > to > > > add > > > > > it for 1.1. 
> > > > > > > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Rodrigo Sasaki" > > > > > > To: "Stian Thorgersen" > > > > > > Cc: keycloak-user at lists.jboss.org > > > > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > > > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social > Login > > > > > > > > > > > > Hi, just wondering, is there any prediction on when this feature > > > will be > > > > > > implemented? > > > > > > > > > > > > > > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen < > stian at redhat.com> > > > > > wrote: > > > > > > > > > > > > > It's planned just not implemented yet. > > > > > > > > > > > > > > One of the reasons was that we couldn't figure out an elegant > > > placement > > > > > > > for the remember-me checkbox. > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > From: "Rodrigo Sasaki" > > > > > > > > To: keycloak-user at lists.jboss.org > > > > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > > > > > > > > Subject: [keycloak-user] "Remember Me" feature on Social > Login > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > I know this doesn't exist now, but I was wondering if it is > > > something > > > > > > > that is > > > > > > > > planned to be implemented, or if there's a particular reason > why > > > it > > > > > > > isn't. > > > > > > > > > > > > > > > > Thanks! 
> > > > > > > > > > > > > > > > -- > > > > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > keycloak-user mailing list > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140812/e4cd7c63/attachment.html From bburke at redhat.com Tue Aug 12 12:13:21 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Aug 2014 12:13:21 -0400 Subject: [keycloak-user] Direct Access Grants & 'Client Credentials' OAuth2 grant type In-Reply-To: References: Message-ID: <53EA3D21.7060609@redhat.com> Right now we require you to create a user and give permissions to that user. Not sure if we'll add client credentials grant as it would require having role mappings for clients and applications. On 8/12/2014 11:40 AM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > Hi everyone, > > I've been evaluating the "Direct Access Grants" functionality of > Keycloak. Overall, I think I can make it work for my use cases, but I > do have a couple of concerns. > > Chapter 12 of the documentation compares Keycloak's Direct Access Grants > functionality to OAuth2's "Resource Owner Password Credentials Grant." > However, if I understand the specification correctly, this grant type is > only for using the resource owner's credentials. What if we can't > authorize using the resource owner credentials, but need to authorize > the client itself using the client id and secret alone? For this, we > need support for the "Client Credentials Grant". Is this planned for > Keycloak 1.0? 
> > By adding the required "grant_type" parameter to the > "tokens/grants/access" service endpoint, it seems like both the > "password" and "client_credentials" could be supported, with the > "client_credentials" grant type simply not requiring the username and > password form parameters in the POST. Thoughts on this? > > Thanks, > > John > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From John.Schneider at carrier.utc.com Tue Aug 12 12:32:34 2014 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Tue, 12 Aug 2014 16:32:34 +0000 Subject: [keycloak-user] Direct Access Grants & 'Client Message-ID: Not sure if I follow you Bill. Don't we already have scope (role) assignment capabilities for both OAuth Clients and Applications? Date: Tue, 12 Aug 2014 12:13:21 -0400 From: Bill Burke > Subject: Re: [keycloak-user] Direct Access Grants & 'Client Credentials' OAuth2 grant type To: keycloak-user at lists.jboss.org Message-ID: <53EA3D21.7060609 at redhat.com> Content-Type: text/plain; charset=windows-1252; format=flowed Right now we require you to create a user and give permissions to that user. Not sure if we'll add client credentials grant as it would require having role mappings for clients and applications. -------------- next part -------------- An HTML attachment was scrubbed... 
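To make John's proposal concrete, here is a toy token endpoint keyed on grant_type, written as an added example; it is not Keycloak's implementation and none of it comes from the thread participants. A password grant authenticates the client and then a resource owner, and the token carries the user's roles; a client_credentials grant authenticates only the client, so the token can carry nothing but roles mapped to that client registration, which is the role-mapping gap Bill points to. The client and user tables, the HMAC token format, the status codes and the endpoint path label are constructed assumptions.

```python
"""Minimal OAuth2 token endpoint dispatching on grant_type, as an added example.

Not Keycloak's code. Models the two grants discussed in the thread: "password"
(client auth + resource owner credentials) and "client_credentials" (client
auth only, roles come from the client registration). Registry contents,
token format and path label are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)   # per-process key, an assumption
TOKEN_LIFETIME = 300
_SALT = b"constructed-static-salt"      # a real store salts per entry


def _pw_hash(secret, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000).hex()


# Constructed registry: secrets and passwords stored hashed, never in clear.
CLIENTS = {
    "batch-job": {"secret": _pw_hash("s3cret"), "roles": ["reports:read"]},
    "web-app":   {"secret": _pw_hash("app-secret"), "roles": []},
}
USERS = {
    "alice": {"password": _pw_hash("correct horse"), "roles": ["user", "admin"]},
}


class TokenError(Exception):
    """Carries the RFC 6749 error code returned to the caller."""


def _check(stored_hash, presented):
    return hmac.compare_digest(stored_hash, _pw_hash(presented))


def _authenticate_client(headers):
    """HTTP Basic client authentication; returns client_id or raises."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise TokenError("invalid_client")
    try:
        client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("invalid_client") from exc
    client = CLIENTS.get(client_id)
    if client is None or not _check(client["secret"], secret):
        raise TokenError("invalid_client")
    return client_id


def _mint(subject, roles, client_id, now):
    """HMAC-signed compact token: base64url(claims).hexsig (assumed format)."""
    claims = {"sub": subject, "azp": client_id, "roles": roles,
              "iat": int(now), "exp": int(now) + TOKEN_LIFETIME}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def token_endpoint(headers, form, now=None):
    """POST tokens/grants/access (path label from the thread). Returns (status, body)."""
    now = now or time.time()
    try:
        client_id = _authenticate_client(headers)
        grant = form.get("grant_type")
        if grant == "password":
            user = USERS.get(form.get("username", ""))
            if user is None or not _check(user["password"], form.get("password", "")):
                raise TokenError("invalid_grant")
            token = _mint(form["username"], user["roles"], client_id, now)
        elif grant == "client_credentials":
            # No resource owner: the token speaks for the client alone, so the
            # only roles available are the ones mapped to the client itself.
            token = _mint(client_id, CLIENTS[client_id]["roles"], client_id, now)
        else:
            raise TokenError("unsupported_grant_type")
    except TokenError as e:
        return (401 if str(e) == "invalid_client" else 400), {"error": str(e)}
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_LIFETIME}


def verify(token):
    """Resource-server side: check the signature first, then read the claims."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def basic(client_id, secret):
    """Build the Authorization header a client would send."""
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}


if __name__ == "__main__":
    print(token_endpoint(basic("batch-job", "s3cret"), {"grant_type": "client_credentials"}))
    print(token_endpoint(basic("web-app", "app-secret"),
                         {"grant_type": "password", "username": "alice", "password": "correct horse"}))
```

The web-app client has no roles of its own, so its client_credentials token carries an empty role list even though alice, logging in through it, gets user and admin: that is the "role mappings for clients and applications" Bill says would have to exist before the grant is worth adding.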
From n.preusker at gmail.com Tue Aug 12 13:01:33 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Tue, 12 Aug 2014 18:01:33 +0100
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To: <45BBF5B2-8A80-4D5F-B56D-B8CF186ACF0D@gmail.com>
References: <5387A0D2.7090107@redhat.com> <5388AC35.8090906@redhat.com> <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com> <538B0E4E.7010806@redhat.com> <45BBF5B2-8A80-4D5F-B56D-B8CF186ACF0D@gmail.com>
Message-ID:

Hi Bill,

it's been a while since we discussed this but I thought I'd add my question to this thread since it is related. I'm now looking into authorizing requests based on domain specific permissions. Here's the use case:

We have one war that serves as a REST back-end for a JavaScript application. We've successfully secured the application (AngularJS with keycloak.js in the front-end, WAR on Wildfly 8 with JAX-RS/RestEasy in the back-end) with keycloak (beta-2). Now, instead of using the role mapping in the OAuth token, we'd like to be able to determine the users' role mappings based on a path parameter in the HTTP request to the REST back-end. For example, if the URL is '/my-app/1/some-resource', we need to check whether the user has an account in 'my-app 1' (which is an entry in the applications database) and add the respective roles (also from the applications database); if the URL is /my-app/2/... the same needs to happen for 'my-app 2' etc.

The idea would be to add some kind of security interceptor which extracts the keycloak user id, matches the id to the domain user (user from e.g. my-app 1), and adds the role mapping of the domain user. Since we'd like to continue using the EJB annotations (RolesAllowed etc.), we'd need to make sure those domain users' roles are propagated to the security context.

So the question is, would you recommend extending the keycloak login module?
Or can you think of an easier way like e.g. a web filter?

Cheers!
Nils

My question is whether to extend the wildfly adapter (KeycloakLoginModule) or to

On Sun, Jun 1, 2014 at 5:57 PM, Nils Preusker wrote:
> Hi Bill,
>
> The more I think about it the more it makes sense to me that the tenant or application instance is indeed part of the applications data model and not part of keycloak. Especially since we want to add tenants at runtime, it wouldn't be possible to have a check without hitting the db.
>
> About cross realm users, I totally agree! I also don't like the idea and I'm hoping and guessing that we won't really need it in the end.
>
> Thanks for the discussion!
> Nils
>
>> On 01 Jun 2014, at 13:28, Bill Burke wrote:
>>
>> We already support some form of multi-tenancy. One keycloak server can serve up multiple realms.
>>
>> For multitenant-apps I was thinking of an app or service that needs to support multiple isolated realms.
>>
>> For bearer-only services, there would just be a list of realms that are supported and the keycloak adapter would just look into the bearer token to know which realm to validate the token with. For browser apps, they need to be able to know which realm you are authenticating against, so I thought the desired realm would be extracted from the URL.
>>
>> I balk at your use-case because I don't like the idea of cross-realm users.
>>
>>> On 6/1/2014 4:02 AM, Nils Preusker wrote:
>>> The only issue is that we might need to be able to assign different roles to the same user in different application instances.
>>
>> What you could do is not use the keycloak adapter and just hand code your interactions via our oauth client api. Then your application service could figure out which realm and application instance the user was logging into however it wanted and pass that information along when you start the oauth protocol flow. Following me?
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

From j.kamal at ymail.com Tue Aug 12 13:47:44 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Tue, 12 Aug 2014 10:47:44 -0700
Subject: [keycloak-user] Pre-requisites for Non-interactive Realm, Application, User setup in Keycloak
In-Reply-To: <1407522962.93197.YahooMailNeo@web120205.mail.ne1.yahoo.com>
References: <1407522962.93197.YahooMailNeo@web120205.mail.ne1.yahoo.com>
Message-ID: <1407865664.98724.YahooMailNeo@web120204.mail.ne1.yahoo.com>

Not sure why this message didn't reach the user list!!

________________________________
From: Kamal Jagadevan
To: "keycloak-user at lists.jboss.org"
Sent: Friday, August 8, 2014 2:36 PM
Subject: Pre-requisites for Non-interactive Realm, Application, User setup in Keycloak

Hello,

I am quite aware that the REST API is the only way for non-interactive integration to set up Realm, Application, and Users in Keycloak. Having said that, even before invoking the desired api, we need Client ID (Account), Client Secret, Username and password (after resetting) to obtain the access token.

1. What is the best way to obtain these values for subsequent API invocations?
2. I observed there is a mechanism to upload a JSON file with Realm configuration, but how can I export it in the first place?

Please share your thoughts.

Best
Kamal
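Returning to Nils' multitenancy question earlier in this digest: the interceptor he sketches resolves a user's roles per request from the tenant named in the URL rather than from the token's role mapping. The following is example code added for this archive, not Keycloak's or Nils' code; the tenant account table stands in for the "applications database", and the user ids and role names are constructed sample data. The "keycloak user id" is whatever the adapter exposes as the authenticated subject.

```python
import re

# Constructed sample "applications database": tenant -> keycloak user id -> roles.
# Alice is an admin of my-app 1 but only a user of my-app 2; Bob has no account
# in my-app 2 at all.
TENANT_ACCOUNTS = {
    "1": {"kc-user-alice": ["admin", "user"], "kc-user-bob": ["user"]},
    "2": {"kc-user-alice": ["user"]},
}

# The tenant id comes from the URL, i.e. from the caller, so accept only a
# conservative identifier shape instead of anything between two slashes.
TENANT_PATH = re.compile(r"^/my-app/(?P<tenant>[A-Za-z0-9_-]+)(?:/|$)")


def tenant_from_path(path: str):
    """Tenant named by the request path, or None when the path has none."""
    match = TENANT_PATH.match(path)
    return match.group("tenant") if match else None


def domain_roles(keycloak_user_id: str, path: str):
    """Roles of the domain user behind this keycloak user id in the tenant the
    path names; None when there is no tenant or the user has no account there.
    The roles carried in the bearer token are deliberately not consulted,
    matching the design in the question."""
    tenant = tenant_from_path(path)
    if tenant is None:
        return None
    return TENANT_ACCOUNTS.get(tenant, {}).get(keycloak_user_id)


def authorize(keycloak_user_id: str, path: str, roles_allowed):
    """The decision the interceptor makes before the resource method runs.

    roles_allowed plays the part of @RolesAllowed on the target method.
    Returns (http_status, reason or granted roles)."""
    roles = domain_roles(keycloak_user_id, path)
    if roles is None:
        # Deny by default: being authenticated at Keycloak is not the same as
        # having an account in this particular tenant.
        return 403, "no account in tenant"
    if roles_allowed and not set(roles) & set(roles_allowed):
        return 403, "role not granted in this tenant"
    return 200, sorted(roles)
```

The lookup has to happen on every request, since the same keycloak user legitimately holds different roles in /my-app/1/... and /my-app/2/...; caching the result under the user id alone would let roles from one tenant leak into another.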
From rodrigopsasaki at gmail.com Wed Aug 13 12:37:35 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 13 Aug 2014 13:37:35 -0300
Subject: [keycloak-user] "Remember Me" feature on Social Login
In-Reply-To:
References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com>
Message-ID:

Should I set another cookie as well? I tried it, I created the remember me cookie correctly when logging in through twitter and it didn't work.

Here are the steps I took:

1. Opened browser without any cookies and history. Tried accessing: http://localhost:9080/customer-portal/customers/view.jsp
2. Server asked for authentication, I proceeded to login using Twitter and selecting the remember me checkbox. (KEYCLOAK_REMEMBER_ME cookie was created)
3. Closed the browser and reopened it. Accessed twitter, and after logging in I opened the same url (http://localhost:9080/customer-portal/customers/view.jsp)

System asked me to login again, even though the cookie was there. Did I miss something?

I see this message being printed on the console:

13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] (http--127.0.0.1-9080-14) authenticateIdentityCookie
13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] (http--127.0.0.1-9080-14) authenticateCookie could not find cookie: KEYCLOAK_IDENTITY

On Tue, Aug 12, 2014 at 1:08 PM, Rodrigo Sasaki wrote:
> It's no problem, if I can come up with a suitable solution, I'll submit a PR and you can add it whenever it fits the schedule, I'm just pursuing this because it's one of the few things that we still need before we migrate everything.
>
> On Tue, Aug 12, 2014 at 12:27 PM, Stian Thorgersen wrote:
>
>> The login form is:
>>
>> ./forms/common-themes/src/main/resources/theme/login/base/login.ftl
>>
>> It's FreeMarker templates. FYI as we're close to releasing 1.0.final we can't add this to master until after.
>>
>> ----- Original Message -----
>>> From: "Rodrigo Sasaki"
>>> To: "Stian Thorgersen"
>>> Cc: keycloak-user at lists.jboss.org
>>> Sent: Tuesday, 12 August, 2014 2:49:19 PM
>>> Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>>
>>> So you're saying I have to change the HTML pages to make it submit a form?
>>>
>>> I really don't understand how the interface works on Keycloak, could you tell me the name of the file that handles the login page, if I understood correctly. And I'll study it on from there.
>>>
>>> On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen wrote:
>>>
>>>> Basically what's needed is:
>>>>
>>>> * Add a remember me option for social - this is non-trivial as atm social logins are links so needs to be changed to submitting a form
>>>> * Set the login cookie in SocialResource.redirectToProviderAuth if this remember me check-box is set
>>>>
>>>> Reading the cookie is already handled, as it should set the same cookie as the "regular" login does.
>>>>
>>>> If you'd like to do this that would be great :)
>>>>
>>>> ----- Original Message -----
>>>>> From: "Rodrigo Sasaki"
>>>>> To: "Stian Thorgersen"
>>>>> Cc: keycloak-user at lists.jboss.org
>>>>> Sent: Tuesday, 12 August, 2014 1:47:28 PM
>>>>> Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>>>>
>>>>> I was wondering, could you give me some pointers so I could try and implement this myself?
>>>>> I was looking at the mechanics on the already implemented feature, for username + password login, and I saw that I have to set a cookie, which I'd have to do on *SocialResource.redirectToProviderAuth*
>>>>>
>>>>> But I couldn't figure out how it uses the remember me cookie to evaluate and authenticate the user on the next access. I'm looking into it now, but anything you can help me with would be great, if it interests you.
>>>>>
>>>>> On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen wrote:
>>>>>
>>>>>> It won't be until after 1.0.final has been released, but we'll aim to add it for 1.1.
>>>>>>
>>>>>> JIRA: https://issues.jboss.org/browse/KEYCLOAK-332
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Rodrigo Sasaki"
>>>>>>> To: "Stian Thorgersen"
>>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>>> Sent: Tuesday, 5 August, 2014 12:38:33 PM
>>>>>>> Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>>>>>>
>>>>>>> Hi, just wondering, is there any prediction on when this feature will be implemented?
>>>>>>>
>>>>>>> On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>>>
>>>>>>>> It's planned just not implemented yet.
>>>>>>>>
>>>>>>>> One of the reasons was that we couldn't figure out an elegant placement for the remember-me checkbox.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rodrigo Sasaki"
>>>>>>>>> To: keycloak-user at lists.jboss.org
>>>>>>>>> Sent: Tuesday, 29 July, 2014 12:15:15 PM
>>>>>>>>> Subject: [keycloak-user] "Remember Me" feature on Social Login
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I know this doesn't exist now, but I was wondering if it is something that is planned to be implemented, or if there's a particular reason why it isn't.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Rodrigo Sasaki

--
Rodrigo Sasaki

From Clifton.Lee at uftwf.org Wed Aug 13 14:54:04 2014
From: Clifton.Lee at uftwf.org (Clifton Lee)
Date: Wed, 13 Aug 2014 18:54:04 +0000
Subject: [keycloak-user] Adding Extra Account Attributes/Fields
Message-ID: <1BA49D9525169A4D93AC895F9D513F16087C69@UFTWFEXMBX02.UFTMASTERAD.ORG>

Hi, quick question: is it possible to add custom account attributes (e.g. internal employee number, assigned-department) through the interface? Or would I have to somehow modify the IDToken class to add these extra attributes?

Thanks and Keycloak looks great.
*******************************************************************************
The views, opinions, and judgments expressed in this message are solely those of the author. The message contents have not been reviewed or approved by the UFT Welfare Fund.
*******************************************************************************

From bburke at redhat.com Wed Aug 13 15:19:57 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 13 Aug 2014 15:19:57 -0400
Subject: [keycloak-user] Adding Extra Account Attributes/Fields
In-Reply-To: <1BA49D9525169A4D93AC895F9D513F16087C69@UFTWFEXMBX02.UFTMASTERAD.ORG>
References: <1BA49D9525169A4D93AC895F9D513F16087C69@UFTWFEXMBX02.UFTMASTERAD.ORG>
Message-ID: <53EBBA5D.9000609@redhat.com>

Not yet. It is planned though after 1.0 release.

On 8/13/2014 2:54 PM, Clifton Lee wrote:
> Hi, quick question: is it possible to add custom account attributes (e.g. internal employee number, assigned-department) through the interface? Or would I have to somehow modify the IDToken class to add these extra attributes?
>
> Thanks and Keycloak looks great.
>
> *******************************************************************************
>
> The views, opinions, and judgments expressed in this message are solely those of the author. The message contents have not been reviewed or approved by the UFT Welfare Fund.
>
> *******************************************************************************

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From gcollis at iinet.net.au Wed Aug 13 20:09:04 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Thu, 14 Aug 2014 10:09:04 +1000
Subject: [keycloak-user] Issue with login-config KEYCLOAK
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C87@SWANS20.fitzroy01.local>

I have the Keycloak auth war successfully running and have been able to create Realms, Users, Apps.

I now want to redirect the login from webapp to Keycloak.

I have followed the instructions to add the JBoss Adapter here:
http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/ch07.html#d4e547

I am using JBoss EAP 6.1

I added the modules by unzipping the adapters into ${JBOSS_HOME}/modules
I have updated the standalone.xml files to add the extension
I have added the subsystem
I have added the security domain

Yet my webapp won't deploy as it cannot find KEYCLOAK.

JBWEB001034: Cannot configure an authenticator for method KEYCLOAK

KEYCLOAK
demo

I have also used Keycloak to create the keycloak.json and put it in my WEB-INF folder.

Any ideas on the steps I may have missed.

Thanks, Graeme
From gcollis at iinet.net.au Wed Aug 13 22:14:52 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Thu, 14 Aug 2014 12:14:52 +1000
Subject: [keycloak-user] Issue with login-config KEYCLOAK
In-Reply-To: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C87@SWANS20.fitzroy01.local>
References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C87@SWANS20.fitzroy01.local>
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C89@SWANS20.fitzroy01.local>

Fixed. I modified the wrong file. I changed standalone.xml; for my environment I need to change standalone-full.xml instead.

User error!

Thanks, Graeme

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Graeme Collis
Sent: Thursday, 14 August 2014 10:09 AM
To: 'keycloak-user at lists.jboss.org'
Subject: [keycloak-user] Issue with login-config KEYCLOAK

I have the Keycloak auth war successfully running and have been able to create Realms, Users, Apps.

I now want to redirect the login from webapp to Keycloak.

I have followed the instructions to add the JBoss Adapter here:
http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/ch07.html#d4e547

I am using JBoss EAP 6.1

I added the modules by unzipping the adapters into ${JBOSS_HOME}/modules
I have updated the standalone.xml files to add the extension
I have added the subsystem
I have added the security domain

Yet my webapp won't deploy as it cannot find KEYCLOAK.

JBWEB001034: Cannot configure an authenticator for method KEYCLOAK

KEYCLOAK
demo

I have also used Keycloak to create the keycloak.json and put it in my WEB-INF folder.

Any ideas on the steps I may have missed.

Thanks, Graeme
From bburke at redhat.com Thu Aug 14 11:01:25 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 14 Aug 2014 11:01:25 -0400
Subject: [keycloak-user] Issue with login-config KEYCLOAK
In-Reply-To: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C89@SWANS20.fitzroy01.local>
References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C87@SWANS20.fitzroy01.local> <337CB56A25624D4185E961FFB48AA00F04C50D5A8C89@SWANS20.fitzroy01.local>
Message-ID: <53ECCF45.3060903@redhat.com>

My favorite bugs!!!

On 8/13/2014 10:14 PM, Graeme Collis wrote:
> Fixed. I modified the wrong file. I changed standalone.xml instead of for my environment I need to change standalone-full.xml.
>
> User error!
>
> Thanks, Graeme
>
> *From:* keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] *On Behalf Of* Graeme Collis
> *Sent:* Thursday, 14 August 2014 10:09 AM
> *To:* 'keycloak-user at lists.jboss.org'
> *Subject:* [keycloak-user] Issue with login-config KEYCLOAK
>
> I have the Keycloak auth war successfully running and have been able to create Realms, Users, Apps.
>
> I now want to redirect the login from webapp to Keycloak.
>
> I have followed the instructions to add the JBoss Adapter here:
>
> http://docs.jboss.org/keycloak/docs/1.0-beta-4/userguide/html/ch07.html#d4e547
>
> I am using JBoss EAP 6.1
>
> I added the modules by unzipping the adapters into ${JBOSS_HOME}/modules
>
> I have updated the standalone.xml files to add the extension
>
> I have added the subsystem
>
> I have added the security domain
>
> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>
> Yet my webapp won't deploy as it cannot find KEYCLOAK.
>
> JBWEB001034: Cannot configure an authenticator for method KEYCLOAK
>
> KEYCLOAK
>
> demo
>
> I have also used Keycloak to create the keycloak.json and put it in my WEB-INF folder.
>
> Any ideas on the steps I may have missed.
>
> Thanks,
>
> Graeme

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From j.kamal at ymail.com Thu Aug 14 14:08:09 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Thu, 14 Aug 2014 11:08:09 -0700
Subject: [keycloak-user] Alternative ways to reset password
Message-ID: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>

Hello,

Are there any alternative ways like command line or shortcuts to update the Realm settings or user settings in Keycloak? Though it is possible to set it up through the Admin console, we are trying to avoid the setup steps through the UI.

Looks like during application bootstrap there are a few settings like the admin password to be reset & Direct Grant API access being disabled. Is there any better way to modify these other than the UI or directly updating them in the database?

Please let us know. This is critical for our post install steps while integrating with Keycloak.

Thanks
Kamal

From bburke at redhat.com Thu Aug 14 14:38:42 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 14 Aug 2014 14:38:42 -0400
Subject: [keycloak-user] Alternative ways to reset password
In-Reply-To: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>
References: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>
Message-ID: <53ED0232.8070201@redhat.com>

There is a REST admin api. There's an example in the distro. RESTdoclet too for the api.

On 8/14/2014 2:08 PM, Kamal Jagadevan wrote:
> Hello,
> Are there any alternative ways like command line or shortcuts to update the Realm settings or user settings in Keycloak.
> Though it is possible to set it up through Admin console but trying to avoid the setup steps through UI.
>
> Looks like during application bootstrap these are few settings like admin password to be reset & Direct Grant API access being disabled.
> Is there any other better way to modify other than UI or directly updating them in database.
>
> Please let us know. This is critical for our post install steps while integrating with Keycloak.
>
> Thanks
> Kamal

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Thu Aug 14 14:38:51 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 14 Aug 2014 15:38:51 -0300
Subject: [keycloak-user] Alternative ways to reset password
In-Reply-To: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>
References: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>
Message-ID:

I believe I can help you with this one. The Keycloak team can correct me if I say anything inaccurate.

There is an admin-client bundled with Keycloak that can be used to access the Keycloak REST API, it's basically a Java REST client for the REST API that they provide and is documented here: http://docs.jboss.org/keycloak/docs/1.0-beta-4/rest-api/overview-index.html

Basically what you need is an OAuthClient or an Application, and a User, and you can alter information like you requested.

The source is here: https://github.com/keycloak/keycloak/tree/master/integration/admin-client

And you can add it as a maven dependency as well: http://maven-repository.com/artifact/org.keycloak/keycloak-admin-client/1.0-beta-4

On Thu, Aug 14, 2014 at 3:08 PM, Kamal Jagadevan wrote:
> Hello,
> Are there any alternative ways like command line or shortcuts to update the Realm settings or user settings in Keycloak.
> Though it is possible to set it up through Admin console but trying to avoid the setup steps through UI.
>
> Looks like during application bootstrap these are few settings like admin password to be reset & Direct Grant API access being disabled.
> Is there any other better way to modify other than UI or directly updating them in database.
>
> Please let us know. This is critical for our post install steps while integrating with Keycloak.
>
> Thanks
> Kamal

--
Rodrigo Sasaki

From gcollis at iinet.net.au Fri Aug 15 02:45:21 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Fri, 15 Aug 2014 16:45:21 +1000
Subject: [keycloak-user] logout workflow
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8C@SWANS20.fitzroy01.local>

I am writing an application that uses Errai and Keycloak.

I am able to login successfully and get all my user details and roles.

When I logout, I call the authenticationService to logout and then redirect to login url.

The issue with this is then the login page is not shown, the filters somehow pick up that the user is cached and re-authenticates with the same user and comes straight back into the app.
When I logout the following is called:

    public void logout() {
        securityContext.invalidateCache();
        authService.call( new RemoteCallback<Void>() {
            @Override
            public void callback( Void response ) {
                // after the remote logout completes, send the browser to the login URL
                redirect( GWT.getHostPageBaseURL() + "app-login" );
            }
        }, new BusErrorCallback() {
            @Override
            public boolean error( Message message, Throwable throwable ) {
                Window.alert( "Logout failed: " + throwable );
                return true;
            }
        } ).logout();
    }

Under the covers the logout calls KeycloakAuthenticationService.logout(). Following through in debug all this does is set the securityContext to null.

I added the invalidateCache as an attempt to clear the cache but that did not work. I think I'm just not understanding the flow.

I have a GWT module page (/provider-ui.html) which is the only page of the app.

I have a /app-login URL which is used by the filters to redirect to Keycloak and redirect back to the GWT page after authentication.

My web.xml looks like this (the XML tags were lost in the archive; only the values survive):

    ErraiLoginRedirectFilter
    redirectLocation
    /provider-ui.html
    ErraiLoginRedirectFilter
    /app-login
    ErraiUserCookieFilter
    /provider-ui.html
    Login
    /app-login
    *
    KEYCLOAK
    demo
    user
    admin

Any pointers of the direction I should take to solve this?

Thanks, Graeme

From bburke at redhat.com Fri Aug 15 09:07:32 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 15 Aug 2014 09:07:32 -0400
Subject: [keycloak-user] logout workflow
In-Reply-To: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8C@SWANS20.fitzroy01.local>
References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8C@SWANS20.fitzroy01.local>
Message-ID: <53EE0614.3040800@redhat.com>

I really don't know anything about Errai. I don't know what "KeycloakAuthenticationService" class is. There is not one in our codebase.
Logout requires a *browser* redirect back to the auth server's logout URL:

GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}

Sounds like you are not doing this. What is probably happening is that you are invalidating the session of your Web application, you are being redirected to Keycloak because the web app has been logged out, keycloak sees that you are already logged in (via the cookie the auth server sends), creates a new token, then redirects you back.

You can also make a background REST invocation to:

GET /realms/{name}/tokens/logout?session_state={session_state}

And this will logout the SSO session. This background REST API has been removed in master though. In RC1, this background REST invocation requires you to authenticate by sending a refresh token to logout the SSO session.

POST /realms/{name}/tokens/logout
Content-Type: application/x-www-formencoded-whatever

refresh_token=2341234h2134l1kj241234

Hope that helps. Other than that, don't know much about Errai and really can't help you.

On 8/15/2014 2:45 AM, Graeme Collis wrote:
> I am writing an application that uses Errai and Keycloak.
>
> I am able to login successfully and get all my user details and roles.
>
> When I logout, I call the authenticationService to logout and then redirect to login url.
>
> The issue with this is then the login page is not shown, the filters somehow pick up that the user is cached and re-authenticates with the same user and comes straight back into the app.
>
> When I logout the following is called:
>
>     public void logout() {
>         securityContext.invalidateCache();
>         authService.call( new RemoteCallback<Void>() {
>             @Override
>             public void callback( Void response ) {
>                 redirect( GWT.getHostPageBaseURL() + "app-login" );
>             }
>         }, new BusErrorCallback() {
>             @Override
>             public boolean error( Message message, Throwable throwable ) {
>                 Window.alert( "Logout failed: " + throwable );
>                 return true;
>             }
>         } ).logout();
>     }
>
> Under the covers the logout calls the KeycloakAthenticationService.logout(). Following through in debug all this does is set the securityContext to null.
>
> I added the invalidateCache as an attempt to clear the cache but that did not work. I think I'm just not understanding the flow.
>
> I have a GWT module page (/provider-ui.html) which is the only page of the app.
>
> I have a /app-login URL which is used by the filters to redirect to Keycloak and redirect back to the GWT page after authentication.
>
> My web.xml looks like this:
>
>     ErraiLoginRedirectFilter
>     redirectLocation
>     /provider-ui.html
>     ErraiLoginRedirectFilter
>     /app-login
>     ErraiUserCookieFilter
>     /provider-ui.html
>     Login
>     /app-login
>     *
>     KEYCLOAK
>     demo
>     user
>     admin
>
> Any pointers of the direction I should take to solve this?
>
> Thanks, Graeme

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Fri Aug 15 10:35:46 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Fri, 15 Aug 2014 11:35:46 -0300
Subject: [keycloak-user] Multiple login screens
Message-ID:

Hi,

I was wondering if there is a plan to implement multiple login screens.
We have the need for more than one type of login screen here, for different flows, and I imagine we're not the only ones who will be interested in such a feature.

Something that allows you to select between the screens you created for a given style, and have one by default maybe.

Any thoughts?

--
Rodrigo Sasaki

From j.kamal at ymail.com Fri Aug 15 14:40:56 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Fri, 15 Aug 2014 11:40:56 -0700
Subject: [keycloak-user] Alternative ways to reset password
In-Reply-To:
References: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com>
Message-ID: <1408128056.10505.YahooMailNeo@web120206.mail.ne1.yahoo.com>

Thank you Rodrigo!!

Can you please clarify the following?

1. Admin-client, is that something released in the beta4 release, is that right?
2. In order to use the REST API in an out of box Keycloak service, don't you need Username, password and either a public client id or a combination of client id and secret?
3. Also for the 1st time login, you may need to change the admin password. Can this be done through this Admin client?
4. By default the Direct Grant access API is disabled for the "master" realm, can this also be modified through the Admin client?

My use case is that Keycloak will be part of our product and all the 1st time setting + configuration should be done during the installation step without the end user logging into the keycloak admin console. Currently I am inclined towards using a JSON to import a new realm that our product can use, pre-configured with appropriate values. Not sure if there is any other better way of dealing with it.
Best
Kamal

________________________________
From: Rodrigo Sasaki
To: Kamal Jagadevan
Cc: "keycloak-user at lists.jboss.org"
Sent: Thursday, August 14, 2014 2:38 PM
Subject: Re: [keycloak-user] Alternative ways to reset password

I believe I can help you with this one. The Keycloak team can correct me if I say anything inaccurate.

There is an admin-client bundled with Keycloak that can be used to access the Keycloak REST API, it's basically a Java REST client for the REST API that they provide and is documented here: http://docs.jboss.org/keycloak/docs/1.0-beta-4/rest-api/overview-index.html

Basically what you need is an OAuthClient or an Application, and a User and you can alter information like you requested.

The source is here: https://github.com/keycloak/keycloak/tree/master/integration/admin-client

And you can add it as a maven dependency as well: http://maven-repository.com/artifact/org.keycloak/keycloak-admin-client/1.0-beta-4

On Thu, Aug 14, 2014 at 3:08 PM, Kamal Jagadevan wrote:
>
> Hello,
> Are there any alternative ways like command line or shortcuts to update the Realm settings or user settings in Keycloak.
> Though it is possible to set it up through Admin console but trying to avoid the setup steps through UI.
>
> Looks like during application bootstrap these are few settings like admin password to be reset & Direct Grant API access being disabled.
> Is there any other better way to modify other than UI or directly updating them in database.
>
> Please let us know. This is critical for our post install steps while integrating with Keycloak.
>
> Thanks
> Kamal
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Rodrigo Sasaki
From peterson.dean at gmail.com Sat Aug 16 15:25:07 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 16 Aug 2014 12:25:07 -0700
Subject: [keycloak-user] Replacing ExampleDS database is much more difficult
Message-ID: 

I have changed the database many times in the past to point to a real database such as ms-sql and mysql. However, I am not able to figure out how to do that with the latest versions. It seems there are multiple persistence.xml files buried in the lib directory rather than in the auth-server.war or keycloak-server project. Even though I modify keycloak-server.json file to point to my container managed datasource, when I start the server I keep getting the same error about missing the default ExampleDS datasource. What changed? The documentation seems to be quite outdated.

From peterson.dean at gmail.com Sat Aug 16 16:22:52 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 16 Aug 2014 13:22:52 -0700
Subject: [keycloak-user] I have tried everything
Message-ID: 

I get the following stack trace no matter what I do. I have removed every reference to ExampleDS I can find and it still complains about it. I want to use my database: java:jboss/datasources/ui_users but nothing I do will make it attempt to use anything but ExampleDS. I have rebuilt the individual projects after removing every reference to ExampleDS and it still tries to use ExampleDS. It is like a virus that keeps popping up. Before, there was a persistence.xml file right in the keycloak-server project I could modify to point directly to the jndi name of my choosing. Now the configuration seems to be spread out between the four corners of the earth. Please don't make this more difficult to use.
I like all the features but I would much rather have fewer features and have the focus of your team be on quality and simplicity.

13:16:31,156 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) JBAS010400: Bound data source [java:jboss/datasources/ui_users]
13:16:31,246 INFO [org.jboss.as.server] (Controller Boot Thread) JBAS018559: Deployed "mysql-connector-java-5.1.32-bin.jar" (runtime-name : "mysql-connector-java-5.1.32-bin.jar")
13:16:31,444 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
13:16:31,445 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
13:16:31,446 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.1.0.Final "Kenny" started in 5394ms - Started 218 of 273 services (89 services are lazy, passive or on-demand)
13:17:03,193 INFO [org.jboss.as.repository] (management-handler-thread - 1) JBAS014900: Content added at location C:\wildfly\standalone\data\content\0a\5ec72c18d0ad2b335b409fc50946b4924c89c3\content
13:17:03,206 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) JBAS015876: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
13:17:06,032 INFO [org.jboss.as.jpa] (MSC service thread 1-2) JBAS011401: Read persistence.xml for keycloak-default
13:17:06,249 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.apache.httpcomponents:main") which may be changed or removed in future versions without notice.
13:17:06,250 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.apache.httpcomponents:main") which may be changed or removed in future versions without notice.
13:17:06,253 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.codehaus.jackson.jackson-core-asl:main") which may be changed or removed in future versions without notice.
13:17:06,254 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.codehaus.jackson.jackson-core-asl:main") which may be changed or removed in future versions without notice.
13:17:06,256 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.codehaus.jackson.jackson-mapper-asl:main") which may be changed or removed in future versions without notice.
13:17:06,256 WARN [org.jboss.as.dependency.private] (MSC service thread 1-2) JBAS018567: Deployment "deployment.keycloak-server.war" is using a private module ("org.codehaus.jackson.jackson-mapper-asl:main") which may be changed or removed in future versions without notice.
13:17:06,474 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.naming.context.java.module.auth.auth.DefaultDataSource is missing [jboss.naming.context.java.jboss.datasources.ExampleDS]"]}
13:17:06,477 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015870: Deploy of deployment "keycloak-server.war" was rolled back with the following failure message: {"JBAS014771: Services with missing/unavailable dependencies" => ["jboss.naming.context.java.module.auth.auth.DefaultDataSource is missing [jboss.naming.context.java.jboss.datasources.ExampleDS]"]}
13:17:06,526 INFO [org.hibernate.validator.internal.util.Version] (MSC service thread 1-2) HV000001: Hibernate Validator 5.1.0.Final
13:17:07,026 INFO [org.jboss.as.server.deployment] (MSC service thread 1-8) JBAS015877: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 548ms
13:17:07,040 INFO [org.jboss.as.controller] (management-handler-thread - 1) JBAS014774: Service status report
JBAS014775: New missing/unsatisfied dependencies:
service jboss.deployment.unit."keycloak-server.war".component."com.sun.faces.config.ConfigureListener".CREATE (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".component."com.sun.faces.config.ConfigureListener".START]
service jboss.deployment.unit."keycloak-server.war".component."com.sun.faces.config.ConfigureListener".JndiBindingsService (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".jndiDependencyService]
service jboss.deployment.unit."keycloak-server.war".component."com.sun.faces.config.ConfigureListener".START (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".deploymentCompleteService, service jboss.undertow.deployment.default-server.default-host./auth.UndertowDeploymentInfoService]
service jboss.deployment.unit."keycloak-server.war".component."javax.faces.webapp.FacetTag".JndiBindingsService (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".jndiDependencyService]
service jboss.deployment.unit."keycloak-server.war".component."javax.faces.webapp.FacetTag".START (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".deploymentCompleteService, service jboss.undertow.deployment.default-server.default-host./auth.UndertowDeploymentInfoService, service jboss.undertow.deployment.default-server.default-host./auth]
service jboss.deployment.unit."keycloak-server.war".component."javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV".CREATE (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".component."javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV".START]
service jboss.deployment.unit."keycloak-server.war".component."javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV".JndiBindingsService (missing) dependents: [service jboss.deployment.unit."keycloak-server.war".jndiDependencyService]
service jboss.deployment.unit."keycloak-server.war".component."javax.servlet.

From peterson.dean at gmail.com Sat Aug 16 20:05:53 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 16 Aug 2014 17:05:53 -0700
Subject: [keycloak-user] I have tried everything
Message-ID: 

Ok, I figured it out. I just replaced java:jboss/datasources/KeycloakDS with my own settings rather than create a new jndi datasource with a different name. In the past I was able to change the jndi name to java:jboss/datasources/ui_users and make a few updates to persistence.xml. The new way is arguably easier.
Now that I know to just replace KeycloakDS with my own settings I do not need to change anything else. Am I correct in assuming this is how things work going forward? It seems I cannot delete ExampleDS either without causing problems though. The current documentation is also misleading.

From gcollis at iinet.net.au Sat Aug 16 23:31:15 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Sun, 17 Aug 2014 13:31:15 +1000
Subject: [keycloak-user] Multiple login screens
In-Reply-To: 
References: 
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8E@SWANS20.fitzroy01.local>

I'm also interested in this.

My use-case is that I have different groups of users in my application who see different themes (ie: images, colors, etc) depending on department.

So in my app I check which department the user belongs to and dynamically change things. The departments though are using the same *REALM* as far as the application security is concerned.

Things are a little chicken and egg though because the themes depend on the users. I actually can make the different departments use a different URL to login.

If my application used different realms I could set up individual themes for the realm but my grouping is more like a sub realm.

Just my vote.

Regards, Graeme Collis

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Rodrigo Sasaki
Sent: Saturday, 16 August 2014 12:36 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Multiple login screens

Hi, I was wondering if there is a plan to implement multiple login screens. We have the need for more than one type of login screen here, for different flows, and I imagine we're not the only ones who will be interested in such a feature.
Something that allows you to select between the screens you created for a given style, and have one by default maybe.

Any thoughts?

-- 
Rodrigo Sasaki

From bburke at redhat.com Sun Aug 17 11:20:54 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 17 Aug 2014 11:20:54 -0400
Subject: [keycloak-user] Multiple login screens
In-Reply-To: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8E@SWANS20.fitzroy01.local>
References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8E@SWANS20.fitzroy01.local>
Message-ID: <53F0C856.1070402@redhat.com>

So, we need a login interceptor that can change the theme per request.

On 8/16/2014 11:31 PM, Graeme Collis wrote:
> I'm also interested in this.
>
> My use-case is that I have different groups of users in my application who see different themes (ie: images, colors, etc) depending on department.
>
> So in my app I check which department the user belongs to and dynamically change things. The departments though are using the same **REALM** as far as the application security is concerned.
>
> Things are a little chicken and egg though because the themes depend on the users. I actually can make the different departments use a different URL to login.
>
> If my application used different realms I could set up individual themes for the realm but my grouping is more like a sub realm.
>
> Just my vote.
>
> Regards, Graeme Collis
>
> *From:* keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] *On Behalf Of* Rodrigo Sasaki
> *Sent:* Saturday, 16 August 2014 12:36 AM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] Multiple login screens
>
> Hi, I was wondering if there is a plan to implement multiple login screens.
> We have the need for more than one type of login screen here, for different flows, and I imagine we're not the only ones who will be interested in such a feature.
>
> Something that allows you to select between the screens you created for a given style, and have one by default maybe.
>
> Any thoughts?
>
> --
>
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Mon Aug 18 10:58:42 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Mon, 18 Aug 2014 10:58:42 -0400
Subject: [keycloak-user] How to connect Keycloak Server to JBoss EAP 6.x
Message-ID: 

Hi, the doc and preconfigured demo seems to suggest it is possible to deploy my applications on EAP 6.x and secured by Keycloak by configuring adapters. However, I can't figure out how.

Questions:

After unzipping the jars and updating standalone.xml, do I need to start up both EAP and Keycloak servers? In step 2 of the readme, it seems to suggest that I only need to start up EAP 6.x, but then I cannot get to the /auth/admin URL to import the test realm.

If I have to start up 2 servers, how do I connect the two servers? I don't see any doc that talks about ports or any URL etc.

Thx.

Christina

From rodrigopsasaki at gmail.com Mon Aug 18 13:16:35 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 18 Aug 2014 14:16:35 -0300
Subject: [keycloak-user] "Remember Me" feature on Social Login
In-Reply-To: 
References: <652626286.19751482.1406634900650.JavaMail.zimbra@redhat.com> <1530290205.27523092.1407745482279.JavaMail.zimbra@redhat.com> <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com>
Message-ID: 

I found a way I think is correct, please let me know if anything I did is wrong.
I send the request as POST with the remember_me in the form parameters, if it comes marked, I create a cookie, and handle all the audit calls just as it is on the normal login, and I send the remember_me value to the social provider, and retrieve it on the callback method.

In the callback method, I set whatever comes from the remember_me value on the last parameter of the createUserSession method.

Is this the correct flow?

On Wed, Aug 13, 2014 at 1:37 PM, Rodrigo Sasaki wrote:
> Should I set another cookie as well? I tried it, I created the remember me cookie correctly when logging in through twitter and it didn't work. Here are the steps I took:
>
> 1. Opened browser without any cookies and history. Tried accessing: http://localhost:9080/customer-portal/customers/view.jsp
> 2. Server asked for authentication, I proceeded to login using Twitter and selecting the remember me checkbox. (KEYCLOAK_REMEMBER_ME cookie was created)
> 3. Closed the browser and reopened it. Accessed twitter, and after logging in I opened the same url (http://localhost:9080/customer-portal/customers/view.jsp)
>
> System asked me to login again, even though the cookie was there. Did I miss something?
>
> I see this message being printed on the console:
>
> 13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] (http--127.0.0.1-9080-14) authenticateIdentityCookie
> 13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] (http--127.0.0.1-9080-14) authenticateCookie could not find cookie: KEYCLOAK_IDENTITY
>
>
> On Tue, Aug 12, 2014 at 1:08 PM, Rodrigo Sasaki wrote:
>
>> It's no problem, if I can come up with a suitable solution, I'll submit a PR and you can add it whenever it fits the schedule, I'm just pursuing this because it's one of the few things that we still need before we migrate everything.
>>
>>
>> On Tue, Aug 12, 2014 at 12:27 PM, Stian Thorgersen wrote:
>>
>>> The login form is:
>>>
>>> ./forms/common-themes/src/main/resources/theme/login/base/login.ftl
>>>
>>> It's FreeMarker templates. FYI as we're close to releasing 1.0.final we can't add this to master until after.
>>>
>>> ----- Original Message -----
>>> > From: "Rodrigo Sasaki"
>>> > To: "Stian Thorgersen"
>>> > Cc: keycloak-user at lists.jboss.org
>>> > Sent: Tuesday, 12 August, 2014 2:49:19 PM
>>> > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>> >
>>> > So you're saying I have to change the HTML pages to make it submit a form?
>>> >
>>> > I really don't understand how the interface works on Keycloak, could you tell me the name of the file that handles the login page, if I understood correctly. And I'll study it on from there.
>>> >
>>> >
>>> > On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen wrote:
>>> >
>>> > > Basically what's needed is:
>>> > >
>>> > > * Add a remember me option for social - this is non-trivial as atm social logins are links so needs to be changed to submitting a form
>>> > > * Set the login cookie in SocialResource.redirectToProviderAuth if this remember me check-box is set
>>> > >
>>> > > Reading the cookie is already handled, as it should set the same cookie as the "regular" login does.
>>> > >
>>> > > If you'd like to do this that would be great :)
>>> > >
>>> > > ----- Original Message -----
>>> > > > From: "Rodrigo Sasaki"
>>> > > > To: "Stian Thorgersen"
>>> > > > Cc: keycloak-user at lists.jboss.org
>>> > > > Sent: Tuesday, 12 August, 2014 1:47:28 PM
>>> > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>> > > >
>>> > > > I was wondering, could you give me some pointers so I could try and implement this myself?
>>> > > > I was looking at the mechanics on the already implemented feature, for username + password login, and I saw that I have to set a cookie, which I'd have to do on *SocialResource.redirectToProviderAuth*
>>> > > >
>>> > > > But I couldn't figure out how it uses the remember me cookie to evaluate and authenticate the user on the next access. I'm looking into it now, but anything you can help me with would be great, if it interests you.
>>> > > >
>>> > > >
>>> > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>> > > >
>>> > > > > It won't be until after 1.0.final has been released, but we'll aim to add it for 1.1.
>>> > > > >
>>> > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332
>>> > > > >
>>> > > > > ----- Original Message -----
>>> > > > > > From: "Rodrigo Sasaki"
>>> > > > > > To: "Stian Thorgersen"
>>> > > > > > Cc: keycloak-user at lists.jboss.org
>>> > > > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM
>>> > > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login
>>> > > > > >
>>> > > > > > Hi, just wondering, is there any prediction on when this feature will be implemented?
>>> > > > > >
>>> > > > > >
>>> > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>> > > > > >
>>> > > > > > > It's planned just not implemented yet.
>>> > > > > > >
>>> > > > > > > One of the reasons was that we couldn't figure out an elegant placement for the remember-me checkbox.
>>> > > > > > >
>>> > > > > > > ----- Original Message -----
>>> > > > > > > > From: "Rodrigo Sasaki"
>>> > > > > > > > To: keycloak-user at lists.jboss.org
>>> > > > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM
>>> > > > > > > > Subject: [keycloak-user] "Remember Me" feature on Social Login
>>> > > > > > > >
>>> > > > > > > > Hi,
>>> > > > > > > >
>>> > > > > > > > I know this doesn't exist now, but I was wondering if it is something that is planned to be implemented, or if there's a particular reason why it isn't.
>>> > > > > > > >
>>> > > > > > > > Thanks!
>>> > > > > > > >
>>> > > > > > > > --
>>> > > > > > > > Rodrigo Sasaki
>>> > > > > > > >
>>> > > > > > > > _______________________________________________
>>> > > > > > > > keycloak-user mailing list
>>> > > > > > > > keycloak-user at lists.jboss.org
>>> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > > > > >
>>> > > > > >
>>> > > > > > --
>>> > > > > > Rodrigo Sasaki
>>> > > > >
>>> > > >
>>> > > > --
>>> > > > Rodrigo Sasaki
>>> > >
>>> >
>>> > --
>>> > Rodrigo Sasaki
>>>
>>
>> --
>> Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

-- 
Rodrigo Sasaki

From gcollis at iinet.net.au Mon Aug 18 23:54:27 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Tue, 19 Aug 2014 13:54:27 +1000
Subject: [keycloak-user] How to connect Keycloak Server to JBoss EAP 6.x
In-Reply-To: 
References: 
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C93@SWANS20.fitzroy01.local>

It depends on your deployment.
If you run Keycloak as an appliance (which is a full JBoss AS + keycloak as a web application war) and your other app in its own version of JBoss then you will be trying to run 2 JBoss AS on the same system. At that stage the 2 JBoss AS's will definitely need different settings for ports in the configuration (standalone.xml or standalone-full.xml).

If you run Keycloak server just as a war within your application server then you only need 1 JBoss AS. It will happily run Keycloak and your application co-located in the same JBoss EAP.

So if you are in the second situation then:

1. Unzip keycloak-eap6-adapter-dist.zip to your modules directory.
2. Change standalone.xml (or standalone-full.xml) to add the extension and the keycloak subsystem as per 7.2.1 of the userguide.
3. Optionally add a security-domain for keycloak if you need to secure EJBs.
4. Deploy the Keycloak war to your deployment folders as per 3.2 of the userguide.

Then restart JBoss EAP. This will both bring up the Keycloak server and allow your web app to use the login-config KEYCLOAK in its web.xml.

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

Without the adapters installed the auth-method will not be found. See 7.2.2 of the userguide.

Regards, Graeme

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Christina Lau
Sent: Tuesday, 19 August 2014 12:59 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How to connect Keycloak Server to JBoss EAP 6.x

Hi, the doc and preconfigured demo seems to suggest it is possible to deploy my applications on EAP 6.x and secured by Keycloak by configuring adapters. However, I can't figure out how.

Questions:

After unzipping the jars and updating standalone.xml, do I need to start up both EAP and Keycloak servers? In step 2 of the readme, it seems to suggest that I only need to start up EAP 6.x, but then I cannot get to the /auth/admin URL to import the test realm.
If I have to start up 2 servers, how do I connect the two servers? I don't see any doc that talks about ports or any URL etc.

Thx.

Christina
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From email.marc at gmail.com Tue Aug 19 00:20:33 2014
From: email.marc at gmail.com (Marc R)
Date: Mon, 18 Aug 2014 23:20:33 -0500
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
Message-ID: 

Hi,

I am interested in using Keycloak to secure an existing application running on AWS Elasticbeanstalk on Tomcat 7. I plan to deploy the Keycloak Server on Wildfly on Openshift which seems to be well documented, but I am having a little more trouble finding information about setting things up on the Tomcat side.

I see a tomcat7 adapter on GitHub [1], but I don't see the corresponding binaries when I download the Keycloak distribution. I also don't see any information on how to install and configure the adapter and I am a total novice as far as servlet security is concerned.

Could someone point me to the quickest way to get up and running with this? I presume it is not fully supported yet but I figure somebody must have tried it out by now and could help short circuit the process for me.

How different is it from the EAP configuration given that EAP uses tomcat as well? I figure that the adapter installation process differs since tomcat doesn't use subsystems or a standalone.xml file.

[1] https://github.com/keycloak/keycloak/tree/master/integration/tomcat7/adapter
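A web.xml fragment for the co-located case Graeme describes above, added here as an illustration; it is not Graeme's actual file and not something shipped with Keycloak. The url-pattern, realm name and role names are the values visible in the web.xml quoted elsewhere in this thread; the surrounding element structure is the standard Java EE 6 deployment descriptor and is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Only /app-login is container-protected; the GWT host page stays public and the
         Errai filter sends unauthenticated users to /app-login, which triggers the adapter. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login</web-resource-name>
            <url-pattern>/app-login</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- any authenticated role may pass; the app decides per-role access itself -->
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- auth-method KEYCLOAK is only resolvable once the adapter subsystem from
         keycloak-eap6-adapter-dist.zip is installed; without it deployment fails as Graeme notes.
         realm-name is ignored by the adapter (the realm comes from keycloak.json). -->
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>demo</realm-name>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

</web-app>
```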
From bburke at redhat.com Tue Aug 19 01:11:56 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 19 Aug 2014 01:11:56 -0400
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
In-Reply-To: 
References: 
Message-ID: <53F2DC9C.1020108@redhat.com>

Tomcat 7 adapter is unfinished. Sorry.

On 8/19/2014 12:20 AM, Marc R wrote:
> Hi,
>
> I am interested in using Keycloak to secure an existing application running on AWS Elasticbeanstalk on Tomcat 7. I plan to deploy the Keycloak Server on Wildfly on Openshift which seems to be well documented, but I am having a little more trouble finding information about setting things up on the Tomcat side.
>
> I see a tomcat7 adapter on GitHub [1], but I don't see the corresponding binaries when I download the Keycloak distribution. I also don't see any information on how to install and configure the adapter and I am a total novice as far as servlet security is concerned.
>
> Could someone point me to the quickest way to get up and running with this? I presume it is not fully supported yet but I figure somebody must have tried it out by now and could help short circuit the process for me.
>
> How different is it from the EAP configuration given that EAP uses tomcat as well? I figure that the adapter installation process differs since tomcat doesn't use subsystems or a standalone.xml file.
>
>
> [1] https://github.com/keycloak/keycloak/tree/master/integration/tomcat7/adapter
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Tue Aug 19 11:39:21 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Tue, 19 Aug 2014 11:39:21 -0400
Subject: [keycloak-user] How to connect Keycloak Server to JBoss EAP 6.x
Message-ID: 

Thanks Graeme. Is it possible to do option 1? That is have a Keycloak server and an EAP server and somehow use Keycloak to secure WARs deployed on EAP 6.1?

Christina

From bburke at redhat.com Tue Aug 19 11:47:42 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 19 Aug 2014 11:47:42 -0400
Subject: [keycloak-user] How to connect Keycloak Server to JBoss EAP 6.x
In-Reply-To: 
References: 
Message-ID: <53F3719E.4060400@redhat.com>

You can install Keycloak Auth Server on:

* Wildfly - this is the application dist
* JBoss EAP 6.1, 6.2, 6.3, you have to use the war-dist and follow the directions there.
* JBoss AS 7

Your applications can live inside the same server as the auth server, or on other machines.

We currently only have adapters and tight integration with:

JBoss AS 7
JBoss EAP 6.x
Wildfly

We'll be adding more adapters later on for Tomcat, Jetty, and others.

On 8/19/2014 11:39 AM, Christina Lau wrote:
> Thanks Graeme. Is it possible to do option 1? That is have a Keycloak server and an EAP server and somehow use Keycloak to secure WARs deployed on EAP 6.1?
>
> Christina
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From gcollis at iinet.net.au Wed Aug 20 00:08:49 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Wed, 20 Aug 2014 14:08:49 +1000
Subject: [keycloak-user] logout workflow
In-Reply-To: <53EE0614.3040800@redhat.com>
References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8C@SWANS20.fitzroy01.local> <53EE0614.3040800@redhat.com>
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C98@SWANS20.fitzroy01.local>

Bill,

I have found a workaround for my issue and will bring it up on the Errai site but just to help if others hit this.

I found out that the redirect to Keycloak login did not go through after logout (ie essentially let you straight back into the app) because the JSESSIONID cookie has been set somewhere and not cleared on the methods that call logout. I haven't yet traced it all the way through to find out where it is set so where it should be unset.

My workaround is to remove the cookie after I logout from Keycloak and before I redirect to a logged out page. Because Errai is using GWT I can use:-

    String sessionId = Cookies.getCookie("JSESSIONID");
    if ( sessionId != null ) {
        Cookies.setCookie("JSESSIONID", sessionId, new Date());
    }

Regards, Graeme

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Friday, 15 August 2014 11:08 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] logout workflow

I really don't know anything about Errai. I don't know what "KeycloakAuthenticationService" class is. There is not one in our codebase.
Logout requires a *browser* redirect back to the auth server's logout URL:

    GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}

Sounds like you are not doing this. What is probably happening is that you are invalidating the session of your Web application, you are being redirected to Keycloak because the web app has been logged out, Keycloak sees that you are already logged in (via the cookie the auth server sends), creates a new token, then redirects you back.

You can also make a background REST invocation to:

    GET /realms/{name}/tokens/logout?session_state={session_state}

And this will logout the SSO session. This background REST API has been removed in master though. In RC1, this background REST invocation requires you to authenticate by sending a refresh token to logout the SSO session.

    POST /realms/{name}/tokens/logout
    Content-Type: application/x-www-formencoded-whatever

    refresh_token=2341234h2134l1kj241234

Hope that helps. Other than that, don't know much about Errai and really can't help you.

On 8/15/2014 2:45 AM, Graeme Collis wrote:
> I am writing an application that uses Errai and Keycloak.
>
> I am able to login successfully and get all my user details and roles.
>
> When I logout, I call the authenticationService to logout and then
> redirect to login url.
>
> The issue with this is then the login page is not shown, the filters
> somehow pick up that the user is cached and re-authenticates with the
> same user and comes straight back into the app.
>
> When I logout the following is called:
>
>     public void logout() {
>         securityContext.invalidateCache();
>         authService.call( new RemoteCallback<Void>() {
>             @Override
>             public void callback( Void response ) {
>                 redirect( GWT.getHostPageBaseURL() + "app-login" );
>             }
>         }, new BusErrorCallback() {
>             @Override
>             public boolean error( Message message, Throwable throwable ) {
>                 Window.alert( "Logout failed: " + throwable );
>                 return true;
>             }
>         } ).logout();
>     }
>
> Under the covers the logout calls the
> KeycloakAuthenticationService.logout(). Following through in debug all
> this does is set the securityContext to null.
>
> I added the invalidateCache as an attempt to clear the cache but that
> did not work. I think I'm just not understanding the flow.
>
> I have a GWT module page (/provider-ui.html) which is the only page of
> the app.
>
> I have a /app-login URL which is used by the filters to redirect to
> Keycloak and redirect back to the GWT page after authentication.
>
> My web.xml looks like this:
>
>     ErraiLoginRedirectFilter
>     redirectLocation
>     /provider-ui.html
>
>     ErraiLoginRedirectFilter
>     /app-login
>
>     ErraiUserCookieFilter
>     /provider-ui.html
>
>     Login
>     /app-login
>     *
>
>     KEYCLOAK
>     demo
>
>     user
>
>     admin
>
> Any pointers of the direction I should take to solve this?
>
> Thanks, Graeme
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Wed Aug 20 12:12:40 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 20 Aug 2014 12:12:40 -0400
Subject: [keycloak-user] Exported realm cannot be imported
Message-ID: <0A6CFC6F-99A7-43E7-85A9-4D9DB01078CF@icloud.com>

I exported a realm I created on beta-4 using this command:

    ./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=dsgapi.json -Dkeycloak.migration.realmName=DSG_API

I then try to import it into another new instance. However I got this error. Any idea? Is this possible? I can send the json file if it helps.

12:08:10,574 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-26) SQL Error: 23505, SQLState: 23505
12:08:10,574 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-26) Unique index or primary key violation: "UK_B71CJLBENV945RB6GCON438AT_INDEX_7 ON PUBLIC.CLIENT(REALM_ID, NAME) VALUES ( /* key:17 */ null, null, null, null, null, 'security-admin-console', null, null, null, null, null, null, null, null, 'cc0823c1-dab8-4f17-9b23-b04708d3b523')"; SQL statement:
insert into CLIENT (ALLOWED_CLAIMS_MASK, ENABLED, FULL_SCOPE_ALLOWED, NAME, NOT_BEFORE, PUBLIC_CLIENT, REALM_ID, SECRET, BASE_URL, BEARER_ONLY, MANAGEMENT_URL, SURROGATE_AUTH_REQUIRED, DTYPE, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'ApplicationEntity', ?)
[23505-173]
12:08:10,576 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-26) HHH000010: On release of batch it still contained JDBC statements

From bburke at redhat.com Wed Aug 20 13:21:56 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 13:21:56 -0400
Subject: [keycloak-user] Exported realm cannot be imported
In-Reply-To: <0A6CFC6F-99A7-43E7-85A9-4D9DB01078CF@icloud.com>
References: <0A6CFC6F-99A7-43E7-85A9-4D9DB01078CF@icloud.com>
Message-ID: <53F4D934.8070909@redhat.com>

Somebody else reported this and I couldn't reproduce. Did you forget the -Dkeycloak.migration.strategy=OVERWRITE_EXISTING flag when you imported?

On 8/20/2014 12:12 PM, Christina Lau wrote:
>
> I exported a realm I created on beta-4 using this command:
>
> ./standalone.sh -Dkeycloak.migration.action=export
> -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=dsgapi.json -Dkeycloak.migration.realmName=DSG_API
>
> I then try to import it into another new instance. However I got this
> error. Any idea? Is this possible? I can send the json file if it helps.
>
>
> 12:08:10,574 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (default task-26) SQL Error: 23505, SQLState: 23505
> 12:08:10,574 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (default task-26) Unique index or primary key violation:
> "UK_B71CJLBENV945RB6GCON438AT_INDEX_7 ON PUBLIC.CLIENT(REALM_ID, NAME)
> VALUES ( /* key:17 */ null, null, null, null, null,
> 'security-admin-console', null, null, null, null, null, null, null,
> null, 'cc0823c1-dab8-4f17-9b23-b04708d3b523')"; SQL statement:
> insert into CLIENT (ALLOWED_CLAIMS_MASK, ENABLED, FULL_SCOPE_ALLOWED,
> NAME, NOT_BEFORE, PUBLIC_CLIENT, REALM_ID, SECRET, BASE_URL,
> BEARER_ONLY, MANAGEMENT_URL, SURROGATE_AUTH_REQUIRED, DTYPE, ID) values
> (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'ApplicationEntity', ?) [23505-173]
> 12:08:10,576
> INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl]
> (default task-26) HHH000010: On release of batch it still contained JDBC
> statements
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From adisari06 at yahoo.com Wed Aug 20 13:42:18 2014
From: adisari06 at yahoo.com (Adil Arif)
Date: Wed, 20 Aug 2014 10:42:18 -0700
Subject: [keycloak-user] HTTPS domain behaviour for Keycloak
Message-ID: <1408556538.15047.YahooMailNeo@web121302.mail.ne1.yahoo.com>

Keycloak requires HTTPS when connecting to auth-server.war that is deployed to a JBoss EAP 6.3 domain with a server group that has more than 1 server. Is that an expected behaviour or a bug? I notice this behaviour isn't present in beta 3.

Thanks!
From bburke at redhat.com Wed Aug 20 14:13:09 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 14:13:09 -0400
Subject: [keycloak-user] HTTPS domain behaviour for Keycloak
In-Reply-To: <1408556538.15047.YahooMailNeo@web121302.mail.ne1.yahoo.com>
References: <1408556538.15047.YahooMailNeo@web121302.mail.ne1.yahoo.com>
Message-ID: <53F4E535.3060208@redhat.com>

Keycloak has 3 modes for SSL:

'none' - SSL is not required
'external' - SSL is not required for localhost, 127.0.0.1 and private IP addresses i.e. 198.162.x.x, 10.10.x.x
'all requests' - SSL is required for all IP addresses

The default is 'external'. You can change it under settings of the realm.

On 8/20/2014 1:42 PM, Adil Arif wrote:
> Keycloak requires HTTPS when connecting to auth-server.war that is
> deployed to a JBoss EAP 6.3 domain with a server group that has more
> than 1 server. Is that an expected behaviour or a bug? I notice this
> behaviour isn't present in beta 3. Thanks!
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Wed Aug 20 14:25:58 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 20 Aug 2014 14:25:58 -0400
Subject: [keycloak-user] Exported realm cannot be imported
Message-ID: <45154EFF-260C-4902-8315-5EC6D4CBFAD7@icloud.com>

I did not use a command line to import, I used the UI "import realm", similar to your example after a new install.
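Returning to Bill's SSL-mode reply above: the following is an added example, not Keycloak's own code, that models the three modes as a request check so you can see which plain-HTTP requests each mode refuses. It assumes the "private" ranges are loopback plus the RFC 1918 blocks, and that `remoteAddr` is the address the server actually sees (behind a proxy that may be the proxy's address, not the end user's).

```javascript
// Added example, not Keycloak's code: models the realm SSL modes Bill lists
// ('none', 'external', 'all requests') as a per-request HTTPS check.
// Assumptions: private ranges = loopback + RFC 1918; remoteAddr is the
// address the server observes (a reverse proxy may change what that is).

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or
// return null when the string is not a valid address (e.g. 'localhost').
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` falls inside the CIDR block `cidr` (e.g. '10.0.0.0/8').
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0; // uint32 network mask
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Loopback plus the RFC 1918 private blocks (assumption, see above).
const LOCAL_OR_PRIVATE = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

function isLocalOrPrivate(addr) {
  if (addr === 'localhost') return true;
  return LOCAL_OR_PRIVATE.some((block) => inCidr(addr, block));
}

// Does the realm's SSL mode demand HTTPS for a request from `addr`?
function sslRequired(mode, addr) {
  switch (mode) {
    case 'none': return false;
    case 'external': return !isLocalOrPrivate(addr);
    case 'all requests': return true;
    default: throw new Error(`unknown SSL mode: ${mode}`);
  }
}

// Decide one request; `secure` is whether it arrived over HTTPS.
function checkRequest(mode, req) {
  if (sslRequired(mode, req.remoteAddr) && !req.secure) {
    return { allowed: false, reason: `HTTPS required for ${req.remoteAddr} in mode '${mode}'` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample traffic: a developer on localhost, a node in a private
// subnet and a client on a public address, each over plain HTTP.
const SAMPLE_REQUESTS = [
  { remoteAddr: '127.0.0.1', secure: false },
  { remoteAddr: '10.10.4.20', secure: false },
  { remoteAddr: '203.0.113.7', secure: false },
];

// Count how many of the given requests each mode would refuse.
function refusedPerMode(requests) {
  const out = {};
  for (const mode of ['none', 'external', 'all requests']) {
    out[mode] = requests.filter((r) => !checkRequest(mode, r).allowed).length;
  }
  return out;
}

console.log(refusedPerMode(SAMPLE_REQUESTS)); // { none: 0, external: 1, 'all requests': 3 }
```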
From bburke at redhat.com Wed Aug 20 14:36:03 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 14:36:03 -0400
Subject: [keycloak-user] Exported realm cannot be imported
In-Reply-To: <45154EFF-260C-4902-8315-5EC6D4CBFAD7@icloud.com>
References: <45154EFF-260C-4902-8315-5EC6D4CBFAD7@icloud.com>
Message-ID: <53F4EA93.7030407@redhat.com>

You need to use the command line.

On 8/20/2014 2:25 PM, Christina Lau wrote:
> I did not use a command line to import, I used the UI "import realm", similar to your example after a new install.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Aug 20 16:20:10 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 16:20:10 -0400
Subject: [keycloak-user] 1.0 RC 1 released
Message-ID: <53F502FA.6030103@redhat.com>

We're getting closer to 1.0.Final and are still scheduled for a final release 2nd week of September.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From spousty at redhat.com Wed Aug 20 16:21:52 2014
From: spousty at redhat.com (Steven Pousty)
Date: Wed, 20 Aug 2014 13:21:52 -0700
Subject: [keycloak-user] 1.0 RC 1 released
In-Reply-To: <53F502FA.6030103@redhat.com>
References: <53F502FA.6030103@redhat.com>
Message-ID: <53F50360.1090805@redhat.com>

This is awesome - Has the OpenShift cartridge been updated?
Thanks
Steve

On 08/20/2014 01:20 PM, Bill Burke wrote:
> We're getting closer to 1.0.Final and are still scheduled for a final
> release 2nd week of September.
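Back to the logout thread above (Graeme's JSESSIONID workaround and Bill's description of the logout endpoints): the following added example, not code from any of the messages or from Keycloak, models why invalidating only the app session or only the SSO session each let the user straight back in, and shows the browser-redirect and RC1 back-channel requests Bill describes. The auth server base URL, the realm name 'demo' (taken from the thread's web.xml) and the toy session stores are assumptions.

```javascript
// Added example, not code from Keycloak, Errai or Graeme's application.
// Models two incomplete logouts from the thread next to the complete one:
//  - app session invalidated but SSO cookie still valid -> token reissued
//    silently (Bill's explanation);
//  - SSO session ended but JSESSIONID still accepted -> straight back into
//    the app (Graeme's observation);
//  - both cleared -> login page.
// Assumed: AUTH_SERVER base URL and the realm name 'demo'.

const AUTH_SERVER = 'https://sso.example.test/auth'; // assumed base URL
const REALM = 'demo';                                // from the thread's web.xml

// Browser logout: GET /realms/{name}/tokens/logout?redirect_uri={encodedURI}
function browserLogoutUrl(authServer, realm, redirectUri) {
  return `${authServer}/realms/${encodeURIComponent(realm)}/tokens/logout` +
    `?redirect_uri=${encodeURIComponent(redirectUri)}`;
}

// RC1 back-channel logout: POST /realms/{name}/tokens/logout with a
// form-encoded refresh_token, which is what authenticates the request.
function backchannelLogoutRequest(authServer, realm, refreshToken) {
  return {
    method: 'POST',
    url: `${authServer}/realms/${encodeURIComponent(realm)}/tokens/logout`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ refresh_token: refreshToken }).toString(),
  };
}

// Toy auth server: an SSO session exists while its cookie value is in `sso`.
class AuthServerModel {
  constructor() { this.sso = new Set(); this.counter = 0; }
  login() { const c = `sso-${++this.counter}`; this.sso.add(c); return c; }
  // Login endpoint reached with a still-valid SSO cookie: a new token is
  // minted and the browser is redirected back without any login page.
  authorize(cookie) {
    return cookie && this.sso.has(cookie) ? 'token-issued' : 'login-page';
  }
  // Logout endpoint: the SSO session is dropped.
  logout(cookie) { this.sso.delete(cookie); }
}

// Toy application: servlet sessions keyed by JSESSIONID.
class AppModel {
  constructor() { this.sessions = new Set(); this.counter = 0; }
  createSession() { const id = `js-${++this.counter}`; this.sessions.add(id); return id; }
  invalidate(id) { this.sessions.delete(id); }
  isValid(id) { return id !== null && this.sessions.has(id); }
}

// Log in, apply the chosen logout steps, then replay the user's next
// request to the app and report how (or whether) they got back in.
function simulateLogout({ invalidateAppSession, logoutAtAuthServer }) {
  const idp = new AuthServerModel();
  const app = new AppModel();
  const browser = { sso: idp.login(), jsessionid: app.createSession() };

  if (invalidateAppSession) {   // server session dropped and JSESSIONID cookie expired
    app.invalidate(browser.jsessionid);
    browser.jsessionid = null;
  }
  if (logoutAtAuthServer) {     // effect of the browser redirect to the logout URL
    idp.logout(browser.sso);
    browser.sso = null;
  }

  // Next request: the app's filter accepts a valid JSESSIONID as-is ...
  if (app.isValid(browser.jsessionid)) {
    return { path: 'app-session-reused', backInApp: true };
  }
  // ... otherwise it redirects to the auth server, which checks the SSO cookie.
  if (idp.authorize(browser.sso) === 'token-issued') {
    browser.jsessionid = app.createSession();
    return { path: 'sso-cookie-reused', backInApp: true };
  }
  return { path: 'login-page', backInApp: false };
}

// Constructed run of the three combinations.
function runAll() {
  return {
    appOnly: simulateLogout({ invalidateAppSession: true, logoutAtAuthServer: false }),
    idpOnly: simulateLogout({ invalidateAppSession: false, logoutAtAuthServer: true }),
    both: simulateLogout({ invalidateAppSession: true, logoutAtAuthServer: true }),
  };
}

console.log(runAll());
console.log(browserLogoutUrl(AUTH_SERVER, REALM, 'https://app.example.test/logged-out'));
```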
From bburke at redhat.com Wed Aug 20 16:25:42 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 16:25:42 -0400
Subject: [keycloak-user] 1.0 RC 1 released
In-Reply-To: <53F50360.1090805@redhat.com>
References: <53F502FA.6030103@redhat.com> <53F50360.1090805@redhat.com>
Message-ID: <53F50446.2010608@redhat.com>

No, I'm not exactly sure how to do it and don't want to screw it up when Stian isn't here.

On 8/20/2014 4:21 PM, Steven Pousty wrote:
> This is awesome - Has the OpenShift cartridge been updated?
> Thanks
> Steve
> On 08/20/2014 01:20 PM, Bill Burke wrote:
>> We're getting closer to 1.0.Final and are still scheduled for a final
>> release 2nd week of September.
>>
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Wed Aug 20 20:45:17 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 20 Aug 2014 20:45:17 -0400
Subject: [keycloak-user] Exported realm cannot be imported
Message-ID: <2CD8E933-5091-48A2-B7E2-509F5DC4E30F@icloud.com>

I tried again from command line and got exactly the same error.

    ./standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=dsgapi.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING

20:40:09,393 INFO  [org.keycloak.exportimport.util.ImportUtils] (MSC service thread 1-15) Realm 'DSG_API' already exists.
Removing it before import
20:40:09,558 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (MSC service thread 1-15) SQL Error: 23505, SQLState: 23505
20:40:09,559 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (MSC service thread 1-15) Unique index or primary key violation: "UK_ORVSDMLA56612EAEFIQ6WL5OI_INDEX_4 ON PUBLIC.REALM(NAME) VALUES ( /* 73 */ 'DSG_API' )"; SQL statement:
insert into REALM (ACCESS_CODE_LIFESPAN, USER_ACTION_LIFESPAN, ACCESS_TOKEN_LIFESPAN, ACCOUNT_THEME, ADMIN_THEME, AUDIT_ENABLED, AUDIT_EXPIRATION, BRUTE_FORCE_PROTECTED, EMAIL_THEME, ENABLED, FAILURE_FACTOR, LOGIN_THEME, MASTER_ADMIN_APP, MAX_DELTA_TIME, MAX_FAILURE_WAIT, MINIMUM_QUICK_LOGIN_WAIT, NAME, NOT_BEFORE, PASSWORD_CRED_GRANT_ALLOWED, PASSWORD_POLICY, PRIVATE_KEY, PUBLIC_KEY, QUICK_LOGIN_CHECK, REGISTRATION_ALLOWED, REMEMBER_ME, RESET_PASSWORD_ALLOWED, SOCIAL, SSL_REQUIRED, SSO_IDLE_TIMEOUT, SSO_MAX_LIFESPAN, UPDATE_PROFILE_ON_SOC_LOGIN, VERIFY_EMAIL, WAIT_INCREMENT_SECONDS, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173]
20:40:09,560 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (MSC service thread 1-15) HHH000010: On release of batch it still contained JDBC statements
20:40:09,569 ERROR [org.keycloak.exportimport.ExportImportManager] (MSC service thread 1-15) Error during export/import: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement

From bburke at redhat.com Wed Aug 20 22:09:24 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Aug 2014 22:09:24 -0400
Subject: [keycloak-user] Exported realm cannot be imported
In-Reply-To: <2CD8E933-5091-48A2-B7E2-509F5DC4E30F@icloud.com>
References: <2CD8E933-5091-48A2-B7E2-509F5DC4E30F@icloud.com>
Message-ID: <53F554D4.1050905@redhat.com>

Any way you could send me the json file?

On 8/20/2014 8:45 PM, Christina Lau wrote:
> I tried again from command line and got exactly the same error.
> ./standalone.sh -Dkeycloak.migration.action=import
> -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=dsgapi.json
> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
>
> 20:40:09,393 INFO [org.keycloak.exportimport.util.ImportUtils] (MSC
> service thread 1-15) Realm 'DSG_API' already exists. Removing it before
> import
> 20:40:09,558 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (MSC service thread 1-15) SQL Error: 23505, SQLState: 23505
> 20:40:09,559 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (MSC service thread 1-15) Unique index or primary key violation:
> "UK_ORVSDMLA56612EAEFIQ6WL5OI_INDEX_4 ON PUBLIC.REALM(NAME) VALUES ( /*
> 73 */ 'DSG_API' )"; SQL statement:
> insert into REALM (ACCESS_CODE_LIFESPAN, USER_ACTION_LIFESPAN,
> ACCESS_TOKEN_LIFESPAN, ACCOUNT_THEME, ADMIN_THEME, AUDIT_ENABLED,
> AUDIT_EXPIRATION, BRUTE_FORCE_PROTECTED, EMAIL_THEME, ENABLED,
> FAILURE_FACTOR, LOGIN_THEME, MASTER_ADMIN_APP, MAX_DELTA_TIME,
> MAX_FAILURE_WAIT, MINIMUM_QUICK_LOGIN_WAIT, NAME, NOT_BEFORE,
> PASSWORD_CRED_GRANT_ALLOWED, PASSWORD_POLICY, PRIVATE_KEY, PUBLIC_KEY,
> QUICK_LOGIN_CHECK, REGISTRATION_ALLOWED, REMEMBER_ME,
> RESET_PASSWORD_ALLOWED, SOCIAL, SSL_REQUIRED, SSO_IDLE_TIMEOUT,
> SSO_MAX_LIFESPAN, UPDATE_PROFILE_ON_SOC_LOGIN, VERIFY_EMAIL,
> WAIT_INCREMENT_SECONDS, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
> [23505-173]
> 20:40:09,560 INFO
> [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (MSC
> service thread 1-15) HHH000010: On release of batch it still contained
> JDBC statements
> 20:40:09,569 ERROR [org.keycloak.exportimport.ExportImportManager] (MSC
> service thread 1-15) Error during export/import:
> org.keycloak.models.ModelDuplicateException:
> javax.persistence.PersistenceException:
> org.hibernate.exception.ConstraintViolationException: could not execute
> statement
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From John.Schneider at carrier.utc.com Thu Aug 21 10:22:33 2014
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Thu, 21 Aug 2014 14:22:33 +0000
Subject: [keycloak-user] "Client Credentials" OAuth2 flow

Hi Bill,

Any chance you can squeeze in support for the "Client Credentials" OAuth2 flow before the 1.0 release?
In your last message on this subject you mentioned something about not having role assignments at the client level, but I didn't understand as it seems this is already supported. Can you please explain further? If this can't be done by the 1.0 release, then I suggest at least making the "grant_type" parameter be required in the "grants/access" endpoint, to be compliant with the OAuth spec and to set the foundation for future "Client Credentials" flow support. Thanks, John

From bburke at redhat.com Thu Aug 21 10:41:13 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 21 Aug 2014 10:41:13 -0400 Subject: [keycloak-user] "Client Credentials" OAuth2 flow In-Reply-To: References: Message-ID: <53F60509.7090705@redhat.com> Scope is not a role mapping for clients. It is the roles a client is allowed to ask for from the user. On 8/21/2014 10:22 AM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > John > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From John.Schneider at carrier.utc.com Thu Aug 21 13:44:08 2014 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Thu, 21 Aug 2014 17:44:08 +0000 Subject: [keycloak-user] SSO Session Idle Timeout for Direct Grants Message-ID: Hi, I'm finding that access tokens and refresh tokens are being invalidated after the setting in the "SSO Session Idle Timeout" has elapsed for the direct-grant API. Considering the direct-grant API enables browser-less application-to-application security, I'm not convinced that this is the right approach for many use cases. For reliable authorization and access token validation, it basically requires setting the "SSO Session Idle Timeout" to the value of the Access Token timeout, which for many use cases will be measured in hours or even days.
Is there a good reason that "SSO Session Idle Timeout" should even be considered for direct-grants? Thanks, John

From bburke at redhat.com Thu Aug 21 17:34:16 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 21 Aug 2014 17:34:16 -0400 Subject: [keycloak-user] SSO Session Idle Timeout for Direct Grants In-Reply-To: References: Message-ID: <53F665D8.9000303@redhat.com> I don't agree... Your application should be checking for token timeouts and performing a refresh. The response from direct-grant gives you a refresh token as well as an access token as well as a timeout (which you could check from the access token). Since you have a refresh token, you can refresh the access token. You still want the same setup: Short access token lifespan (seconds/minutes) with a longer refresh timeout minutes/hours. This is for revocation checks, permission changes, etc. I could set up a different SSO timeout/access token timeout for grant requests if you want, but that would have to be after 1.0.final. On 8/21/2014 1:44 PM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > Hi, > > I'm finding that access tokens and refresh tokens are being invalidated > after the setting in the "SSO Session Idle Timeout" has elapsed for the > direct-grant API. Considering the direct-grant API enables browser-less > application-to-application security, I'm not convinced that this is the > right approach for many use cases. For reliable authorization and > access token validation, it basically requires setting the "SSO Session > Idle Timeout" to the value of the Access Token timeout, which for many > use cases will be measured in hours or even days. > > Is there a good reason that "SSO Session Idle Timeout" should even be > considered for direct-grants?
> > Thanks, > > John > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From John.Schneider at carrier.utc.com Fri Aug 22 09:52:47 2014 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Fri, 22 Aug 2014 13:52:47 +0000 Subject: [keycloak-user] SSO Session Idle Timeout for Direct Message-ID: My application is checking the access token timeout and refreshing it if expired. The thing is, the tokens are being invalidated after the SSO session timeout. So if I have the access token timeout set to 4 hours, and the SSO timeout set to 15 minutes, the access token and refresh tokens are both invalidated after only 15 minutes. Date: Thu, 21 Aug 2014 17:34:16 -0400 From: Bill Burke > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct Grants To: keycloak-user at lists.jboss.org Message-ID: <53F665D8.9000303 at redhat.com> Content-Type: text/plain; charset=windows-1252; format=flowed I don't agree... Your application should be checking for token timeouts and performing a refresh. The response from direct-grant gives you a refresh token as well as an access token as well as a timeout (which you could check from the access token). Since you have a refresh token, you can refresh the access token. You still want the same setup: Short access token lifespan (seconds/minutes) with a longer refresh timeout minutes/hours. This is for revocation checks, permission changes, etc. I could set up a different SSO timeout/access token timeout for grant requests if you want, but that would have to be after 1.0.final.
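The check-and-refresh loop Bill describes, with the failure John reports (the refresh token rejected once the SSO session idle timeout has elapsed) handled by falling back to a fresh direct grant. This is an added example, not Keycloak's code: the token endpoint is a constructed stand-in (FakeKeycloak) with the behaviour described in this thread, DirectGrantClient and simulate are hypothetical names, and the JWT is decoded only to read exp for scheduling, never to make an authorization decision.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def make_token(exp: int, label: str) -> str:
    """Constructed JWT-shaped token so the example runs offline. The signature is a
    placeholder: this client never verifies tokens, the resource server does."""
    parts = [{"alg": "RS256", "typ": "JWT"}, {"exp": exp, "jti": label}]
    encoded = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
               for p in parts]
    return ".".join(encoded + ["placeholder-signature"])


def token_exp(token: str) -> int:
    """Read exp without verifying the signature. This only schedules a refresh on the
    client side; it must never stand in for the server's validation of signature,
    exp and not-before on each request."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class RefreshRejected(Exception):
    """Token endpoint answered invalid_grant, e.g. because the SSO session idled out."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str


@dataclass
class DirectGrantClient:
    """login(now) performs the direct grant (username/password); refresh(token, now)
    performs grant_type=refresh_token. Both are injected so the example runs offline."""
    login: Callable[[int], TokenSet]
    refresh: Callable[[str, int], TokenSet]
    skew: int = 30  # refresh this many seconds before exp
    tokens: Optional[TokenSet] = None
    events: List[str] = field(default_factory=list)

    def needs_refresh(self, now: int) -> bool:
        return self.tokens is None or token_exp(self.tokens.access_token) - self.skew <= now

    def access_token(self, now: int) -> str:
        if not self.needs_refresh(now):
            self.events.append("cached")
            return self.tokens.access_token
        if self.tokens is not None:
            try:
                self.tokens = self.refresh(self.tokens.refresh_token, now)
                self.events.append("refreshed")
                return self.tokens.access_token
            except RefreshRejected:
                # The case from this thread: the SSO session idled out, so the refresh
                # token is gone as well. Drop both tokens and do a fresh direct grant.
                self.events.append("refresh_rejected")
                self.tokens = None
        self.tokens = self.login(now)
        self.events.append("login")
        return self.tokens.access_token


class FakeKeycloak:
    """Constructed stand-in for the token endpoint: issues tokens with the realm's
    access token lifespan and rejects a refresh once the SSO session has been idle
    for longer than sso_idle seconds, which is the behaviour John reports."""
    def __init__(self, access_lifespan: int, sso_idle: int):
        self.access_lifespan = access_lifespan
        self.sso_idle = sso_idle
        self.last_seen: Optional[int] = None  # last activity on the SSO session
        self.current_refresh: Optional[str] = None
        self.issued = 0

    def _issue(self, now: int) -> TokenSet:
        self.issued += 1
        self.last_seen = now
        self.current_refresh = make_token(now + self.sso_idle, f"refresh-{self.issued}")
        access = make_token(now + self.access_lifespan, f"access-{self.issued}")
        return TokenSet(access, self.current_refresh)

    def login(self, now: int) -> TokenSet:
        return self._issue(now)

    def refresh(self, refresh_token: str, now: int) -> TokenSet:
        if refresh_token != self.current_refresh:
            raise RefreshRejected("invalid_grant: unknown refresh token")
        if self.last_seen is None or now - self.last_seen > self.sso_idle:
            raise RefreshRejected("invalid_grant: session not active")
        return self._issue(now)


def simulate(access_lifespan: int, sso_idle: int, times: List[int]) -> List[str]:
    """Ask the client for a token at each timestamp and return what it had to do."""
    server = FakeKeycloak(access_lifespan, sso_idle)
    client = DirectGrantClient(login=server.login, refresh=server.refresh)
    for now in times:
        client.access_token(now)
    return client.events
```

simulate(300, 1800, [0, 100, 290, 600]) models Bill's recommended shape and returns ["login", "cached", "refreshed", "refreshed"], while simulate(14400, 900, [0, 1000, 14400]) models John's 4 hour token with a 15 minute idle timeout and returns ["login", "cached", "refresh_rejected", "login"]. From exp alone the client cannot tell that the server-side session went away after 15 minutes, which is why a short access token lifespan with regular refreshes is the safer shape.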
From viniciusnaka at gmail.com Fri Aug 22 15:29:10 2014 From: viniciusnaka at gmail.com (Vinicius Nakayama) Date: Fri, 22 Aug 2014 16:29:10 -0300 Subject: [keycloak-user] CSS design by Application Message-ID: Hi, I created one realm with many applications associated. I would like to know if it is possible to find out which app was called in my page (login.ftl)? For example: When some app from my realm is called, I discover the app that was called and I show the login page with specific css for it. Thanks in advance.

From christinalau28 at icloud.com Sun Aug 24 10:06:39 2014 From: christinalau28 at icloud.com (Christina Lau) Date: Sun, 24 Aug 2014 10:06:39 -0400 Subject: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required Message-ID: <415D0D95-2FB9-4ABB-B426-14F8E55990C2@icloud.com> I am unable to start Keycloak beta 4 on EC2. When I clicked on the Admin Console, I got HTTPS required. I did the same configuration changes (standalone.xml) for Keycloak beta 3 and it worked on EC2. What else do I need to configure for beta 4?
Here are the URLs: Beta 4 doesn't work: http://54.88.95.99:8080/auth/ Beta 3 works: http://54.84.240.18:8080/auth/ Christina

From rodrigopsasaki at gmail.com Sun Aug 24 10:34:30 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Sun, 24 Aug 2014 11:34:30 -0300 Subject: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required In-Reply-To: <415D0D95-2FB9-4ABB-B426-14F8E55990C2@icloud.com> References: <415D0D95-2FB9-4ABB-B426-14F8E55990C2@icloud.com> Message-ID: Beta 4 now has different options on the "ssl-required" option. The default used to be ssl disabled, but now it's "external-only", so all external requests should access via ssl. You should try opening it directly from your ec2 instance via localhost to change that. On Aug 24, 2014 11:06 AM, "Christina Lau" wrote: > I am unable to start Keycloak beta 4 on EC2. When I clicked on the Admin > Console, I got HTTPS required. > > I did the same configuration changes (standalone.xml) for Keycloak beta 3 > and it worked on EC2. > > What else do I need to configure for beta 4? > > Here are the URLs: > > Beta 4 doesn't work: > http://54.88.95.99:8080/auth/ > > Beta 3 works: > http://54.84.240.18:8080/auth/ > > Christina > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From n.preusker at gmail.com Mon Aug 25 04:18:19 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Mon, 25 Aug 2014 10:18:19 +0200 Subject: [keycloak-user] i18n in log-in forms etc. Message-ID: Hi everyone, I saw that there is already a JIRA issue for this, but I was wondering whether there are any plans to add support for i18n in keycloak themes?
Here's the issue: https://issues.jboss.org/browse/KEYCLOAK-301 To be more precise, we'd need to provide different messages and labels in log-in and registration templates based on the browser language. Cheers, Nils

From stian at redhat.com Tue Aug 26 02:49:33 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 02:49:33 -0400 (EDT) Subject: [keycloak-user] "Remember Me" feature on Social Login In-Reply-To: References: <1945582835.28870107.1407849782076.JavaMail.zimbra@redhat.com> <1311646271.28995650.1407857221821.JavaMail.zimbra@redhat.com> Message-ID: <225297464.38317870.1409035773821.JavaMail.zimbra@redhat.com> Sorry for the late response, I've been on holiday. Sounds about right. The remember_me value should be passed to the social provider with putClientAttribute (see SocialProvider L311). As long as you set remember me on the user session OAuthFlow.redirectAccessCode should create the cookie for you in the SocialResource callback. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 18 August, 2014 7:16:35 PM > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > > I found a way I think is correct, please let me know if anything I did is > wrong. > > I send the request as POST with the remember_me in the form parameters, if > it comes marked, I create a cookie, and handle all the audit calls just as > it is on the normal login, and I send the remember_me value to the social > provider, and retrieve it on the callback method. > > In the callback method, I set whatever comes from the remember_me value on > the last parameter of the createUserSession method. > > Is this the correct flow?
> > > On Wed, Aug 13, 2014 at 1:37 PM, Rodrigo Sasaki > wrote: > > > Should I set another cookie as well? I tried it, I created the remember me > > cookie correctly when logging in through twitter and it didn't work. Here > > are the steps I took: > > > > 1. Opened browser without any cookies and history. Tried accessing: > > http://localhost:9080/customer-portal/customers/view.jsp > > 2. Server asked for authentication, I proceeded to login using Twitter and > > selecting the remember me checkbox. (KEYCLOAK_REMEMBER_ME cookie was > > created) > > 3. Closed the browser and reopened it. Accessed twitter, and after logging > > in I opened the same url ( > > http://localhost:9080/customer-portal/customers/view.jsp) > > > > System asked me to login again, even though the cookie was there. Did I > > miss something? > > > > I see this message being printed on the console: > > > > 13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] > > (http--127.0.0.1-9080-14) authenticateIdentityCookie > > 13:33:08,603 INFO [org.keycloak.services.managers.AuthenticationManager] > > (http--127.0.0.1-9080-14) authenticateCookie could not find cookie: > > KEYCLOAK_IDENTITY > > > > > > On Tue, Aug 12, 2014 at 1:08 PM, Rodrigo Sasaki > > wrote: > > > >> It's no problem, if I can come up with a suitable solution, I'll submit a > >> PR and you can add it whenever it fits the schedule, I'm just pursuing > >> this > >> because it's one of the few things that we still need before we migrate > >> everything. > >> > >> > >> On Tue, Aug 12, 2014 at 12:27 PM, Stian Thorgersen > >> wrote: > >> > >>> The login form is: > >>> > >>> ./forms/common-themes/src/main/resources/theme/login/base/login.ftl > >>> > >>> It's FreeMarker templates. FYI as we're close to releasing 1.0.final we > >>> can't add this to master until after.
> >>> > >>> ----- Original Message ----- > >>> > From: "Rodrigo Sasaki" > >>> > To: "Stian Thorgersen" > >>> > Cc: keycloak-user at lists.jboss.org > >>> > Sent: Tuesday, 12 August, 2014 2:49:19 PM > >>> > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > >>> > > >>> > So you're saying I have to change the HTML pages to make it submit a > >>> form? > >>> > > >>> > I really don't understand how the interface works on Keycloak, could > >>> you > >>> > tell me the name of the file that handles the login page, if I > >>> understood > >>> > correctly. And I'll study it on from there. > >>> > > >>> > > >>> > On Tue, Aug 12, 2014 at 10:23 AM, Stian Thorgersen > >>> wrote: > >>> > > >>> > > Basically what's needed is: > >>> > > > >>> > > * Add a remember me option for social - this is non-trivial as atm > >>> > > social logins are links so needs to be changed to submitting a form > >>> > > * Set the login cookie in SocialResource.redirectToProviderAuth if > >>> this > >>> > > remember me check-box is set > >>> > > > >>> > > Reading the cookie is already handled, as it should set the same > >>> cookie as > >>> > > the "regular" login does. > >>> > > > >>> > > If you'd like to do this that would be great :) > >>> > > > >>> > > ----- Original Message ----- > >>> > > > From: "Rodrigo Sasaki" > >>> > > > To: "Stian Thorgersen" > >>> > > > Cc: keycloak-user at lists.jboss.org > >>> > > > Sent: Tuesday, 12 August, 2014 1:47:28 PM > >>> > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social Login > >>> > > > > >>> > > > I was wondering, could you give me some pointers so I could try and > >>> > > > implement this myself? 
I was looking at the mechanics on the > >>> already > >>> > > > implemented feature, for username + password login, and I saw that > >>> I have > >>> > > > to set a cookie, which I'd have to do on > >>> > > > *SocialResource.redirectToProviderAuth* > >>> > > > > >>> > > > But I couldn't figure out how it uses the remember me cookie to > >>> evaluate > >>> > > > and authenticate the user on the next access. I'm looking into it > >>> now, > >>> > > but > >>> > > > anything you can help me with would be great, if it interests you. > >>> > > > > >>> > > > > >>> > > > On Mon, Aug 11, 2014 at 5:24 AM, Stian Thorgersen < > >>> stian at redhat.com> > >>> > > wrote: > >>> > > > > >>> > > > > It won't be until after 1.0.final has been released, but we'll > >>> aim to > >>> > > add > >>> > > > > it for 1.1. > >>> > > > > > >>> > > > > JIRA: https://issues.jboss.org/browse/KEYCLOAK-332 > >>> > > > > > >>> > > > > ----- Original Message ----- > >>> > > > > > From: "Rodrigo Sasaki" > >>> > > > > > To: "Stian Thorgersen" > >>> > > > > > Cc: keycloak-user at lists.jboss.org > >>> > > > > > Sent: Tuesday, 5 August, 2014 12:38:33 PM > >>> > > > > > Subject: Re: [keycloak-user] "Remember Me" feature on Social > >>> Login > >>> > > > > > > >>> > > > > > Hi, just wondering, is there any prediction on when this > >>> feature > >>> > > will be > >>> > > > > > implemented? > >>> > > > > > > >>> > > > > > > >>> > > > > > On Tue, Jul 29, 2014 at 8:55 AM, Stian Thorgersen < > >>> stian at redhat.com> > >>> > > > > wrote: > >>> > > > > > > >>> > > > > > > It's planned just not implemented yet. > >>> > > > > > > > >>> > > > > > > One of the reasons was that we couldn't figure out an elegant > >>> > > placement > >>> > > > > > > for the remember-me checkbox.
> >>> > > > > > > > >>> > > > > > > ----- Original Message ----- > >>> > > > > > > > From: "Rodrigo Sasaki" > >>> > > > > > > > To: keycloak-user at lists.jboss.org > >>> > > > > > > > Sent: Tuesday, 29 July, 2014 12:15:15 PM > >>> > > > > > > > Subject: [keycloak-user] "Remember Me" feature on Social > >>> Login > >>> > > > > > > > > >>> > > > > > > > Hi, > >>> > > > > > > > > >>> > > > > > > > I know this doesn't exist now, but I was wondering if it is > >>> > > something > >>> > > > > > > that is > >>> > > > > > > > planned to be implemented, or if there's a particular > >>> reason why > >>> > > it > >>> > > > > > > isn't. > >>> > > > > > > > > >>> > > > > > > > Thanks! > >>> > > > > > > > > >>> > > > > > > > -- > >>> > > > > > > > Rodrigo Sasaki > >>> > > > > > > > > >>> > > > > > > > _______________________________________________ > >>> > > > > > > > keycloak-user mailing list > >>> > > > > > > > keycloak-user at lists.jboss.org > >>> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > > > > > > > >>> > > > > > > >>> > > > > > > >>> > > > > > > >>> > > > > > -- > >>> > > > > > Rodrigo Sasaki > >>> > > > > > > >>> > > > > > >>> > > > > >>> > > > > >>> > > > > >>> > > > -- > >>> > > > Rodrigo Sasaki > >>> > > > > >>> > > > >>> > > >>> > > >>> > > >>> > -- > >>> > Rodrigo Sasaki > >>> > > >>> > >> > >> > >> > >> -- > >> Rodrigo Sasaki > >> > > > > > > > > -- > > Rodrigo Sasaki > > > > > > -- > Rodrigo Sasaki > From stian at redhat.com Tue Aug 26 03:01:54 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 03:01:54 -0400 (EDT) Subject: [keycloak-user] Direct Access Grants & 'Client Credentials' OAuth2 grant type In-Reply-To: <53EA3D21.7060609@redhat.com> References: <53EA3D21.7060609@redhat.com> Message-ID: <1996913209.38328360.1409036514905.JavaMail.zimbra@redhat.com> It would make sense for us to add something similar to Google's service account (https://developers.google.com/accounts/docs/OAuth2ServiceAccount). 
It lets you create a special "user" that is associated with an application, and you can authenticate the client/user at the same time with one set of credentials. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 12 August, 2014 6:13:21 PM > Subject: Re: [keycloak-user] Direct Access Grants & 'Client Credentials' OAuth2 grant type > > Right now we require you to create a user and give permissions to that > user. Not sure if we'll add client credentials grant as it would > require having role mappings for clients and applications. > > On 8/12/2014 11:40 AM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > > Hi everyone, > > > > I've been evaluating the "Direct Access Grants" functionality of > > Keycloak. Overall, I think I can make it work for my use cases, but I > > do have a couple of concerns. > > > > Chapter 12 of the documentation compares Keycloak's Direct Access Grants > > functionality to OAuth2's "Resource Owner Password Credentials Grant." > > However, if I understand the specification correctly, this grant type is > > only for using the resource owner's credentials. What if we can't > > authorize using the resource owner credentials, but need to authorize > > the client itself using the client id and secret alone? For this, we > > need support for the "Client Credentials Grant". Is this planned for > > Keycloak 1.0? > > > > By adding the required "grant_type" parameter to the > > "tokens/grants/access" service endpoint, it seems like both the > > "password" and "client_credentials" could be supported, with the > > "client_credentials" grant type simply not requiring the username and > > password form parameters in the POST. Thoughts on this?
> > > > Thanks, > > > > John > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From stian at redhat.com Tue Aug 26 03:07:16 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 03:07:16 -0400 (EDT) Subject: [keycloak-user] Direct Access Grants & 'Client In-Reply-To: References: Message-ID: <1614615766.38330050.1409036836321.JavaMail.zimbra@redhat.com> Scope is what roles an application is permitted to ask for, while role mappings for a user is what roles are actually granted. For example an application could have a scope on role A and B, but only have a role mapping on role A. On its own the application only has access to role A, while if acting on behalf of a user that has both role A and B the application would have both roles. ----- Original Message ----- > From: "John DODGE CONSULTING SERVICES Schneider, LLC" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 12 August, 2014 6:32:34 PM > Subject: Re: [keycloak-user] Direct Access Grants & 'Client > > > > Not sure if I follow you Bill. Don't we already have scope (role) assignment > capabilities for both OAuth Clients and Applications? > > > > > > Date: Tue, 12 Aug 2014 12:13:21 -0400 > > From: Bill Burke < bburke at redhat.com > > > Subject: Re: [keycloak-user] Direct Access Grants & 'Client > > Credentials' OAuth2 grant type > > To: keycloak-user at lists.jboss.org > > Message-ID: < 53EA3D21.7060609 at redhat.com > > > Content-Type: text/plain; charset=windows-1252; format=flowed > > > > Right now we require you to create a user and give permissions to that user.
> Not sure if we'll add client credentials grant as it would require having > role mappings for clients and applications. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Aug 26 03:32:09 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 03:32:09 -0400 (EDT) Subject: [keycloak-user] Multitenancy for WAR In-Reply-To: References: <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com> <538B0E4E.7010806@redhat.com> <45BBF5B2-8A80-4D5F-B56D-B8CF186ACF0D@gmail.com> Message-ID: <2118246264.38347680.1409038329737.JavaMail.zimbra@redhat.com> This sounds like a feature that our adapter should provide so I would say if you can come up with a decent way to add it, then we'd probably be more than happy to pull it in. We could enable multi-tenancy support in keycloak.json by allowing multiple sets of configs with one or more url-patterns to match what config to use. For example: [ { "realm" : "example", "resource" : "app1", ... "url-pattern" : [ "/app1/*", "/myapp/*" ] }, { "realm" : "example2", "resource" : "app2", ... "url-pattern" : [ "http://app2.org/*" ] } ] ----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 12 August, 2014 7:01:33 PM > Subject: Re: [keycloak-user] Multitenancy for WAR > > Hi Bill, > > it's been a while since we discussed this but I thought I'd add my question > to this thread since it is related. I'm now looking into authorizing > requests based on domain specific permissions. > > Here's the use case: > We have one war that serves as a REST-back-end for a JavaScript application. > We've successfully secured the application (AngularJS with keycloak.js in > the front-end, WAR on Wildfly 8 with JAX-RS/ RestEasy in the back-end) with > keycloak (beta-2). 
Now, instead of using the role mapping in the OAuth > token, we'd like to be able to determine the users' role mappings based on a > path parameter in the HTTP request to the REST-back-end. > > For example, if the URL is '/my-app/1/some-resource', we need to check > whether the user has an account in 'my-app 1' (which is an entry in the > applications database) and add the respective roles (also from the > applications database), if the URL is /my-app/2/... the same needs to happen > for 'my-app 2' etc. > > The idea would be to add some kind of security interceptor which extracts the > keycloak user id, matches the id to the domain user (user from e.g. my-app > 1), and adds the role mapping of the domain user. Since we'd like to > continue using the EJB annotations (RolesAllowed etc.), we'd need to make > sure those domain users' roles are propagated to the security context. > > So the question is, would you recommend extending the keycloak login module? > Or can you think of an easier way like e.g. a web filter? > > Cheers! > Nils > > > > > > > > > > > > > My question is whether to extend the wildfly adapter (KeycloakLoginModule) or > to > > > On Sun, Jun 1, 2014 at 5:57 PM, Nils Preusker < n.preusker at gmail.com > wrote: > > > Hi Bill, > > The more I think about it the more it makes sense to me that the tenant or > application instance is indeed part of the applications data model and not > part of keycloak. Especially since we want to add tenants at runtime, it > wouldn't be possible to have a check without hitting the db. > > About cross realm users, I totally agree! I also don't like the idea and I'm > hoping and guessing that we won't really need it in the end. > > Thanks for the discussion! > Nils > > > On 01 Jun 2014, at 13:28, Bill Burke < bburke at redhat.com > wrote: > > > > We already support some form of multi-tenancy. One keycloak server can > > serve up multiple realms. 
> > > > > > For multitenant-apps was thinking of an app or service that needs to > > support multiple isolated realms. > > > > For bearer-only services, there would just be a list of realms that are > > supported and the keycloak adapter would just look into the bearer token > > to know which realm to validate the token with. For browser apps, they > > need to be able to know which realm you are authenticating against, so I > > thought the desired realm would be extracted from the URL. > > > > I balk at your use-case because I don't like the idea of cross-realm users. > > > > > >> On 6/1/2014 4:02 AM, Nils Preusker wrote: > >> The only issue is that we might need to be able to assign different > >> roles to the same user in different application instances. > > > > What you could do, is not use the keycloak adapter and just hand code > > your interactions via our oauth client api. Then your application > > service could figure out which realm and application instance the user > > was logging however it wanted and pass that information along when > > you start the oauth protocol flow. Following me?
> > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From n.preusker at gmail.com Tue Aug 26 03:45:55 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 26 Aug 2014 09:45:55 +0200 Subject: [keycloak-user] Multitenancy for WAR In-Reply-To: <2118246264.38347680.1409038329737.JavaMail.zimbra@redhat.com> References: <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com> <538B0E4E.7010806@redhat.com> <45BBF5B2-8A80-4D5F-B56D-B8CF186ACF0D@gmail.com> <2118246264.38347680.1409038329737.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian, thanks for your reply. We've actually come up with a totally different approach in the meantime. We now ask our back-end for a domain specific token every time an object that requires a custom role mapping is selected in the UI. We then replace the token in keycloak.js. The back-end uses keycloak-core in order to create tokens (inspired by https://github.com/liveoak-io/liveoak/blob/master/modules/keycloak/src/test/java/io/liveoak/keycloak/TokenUtil.java ). Cheers, Nils On Tue, Aug 26, 2014 at 9:32 AM, Stian Thorgersen wrote: > This sounds like a feature that our adapter should provide so I would say > if you can come up with a decent way to add it, then we'd probably be more > than happy to pull it in. > > We could enable multi-tenancy support in keycloak.json by allowing > multiple sets of configs with one or more url-patterns to match what config > to use. For example: > > [ > { > "realm" : "example", > "resource" : "app1", > ... > "url-pattern" : [ "/app1/*", "/myapp/*" ] > }, > { > "realm" : "example2", > "resource" : "app2", > ... 
>     "url-pattern" : [ "http://app2.org/*" ]
>   }
> ]
>
> ----- Original Message -----
> > From: "Nils Preusker"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 12 August, 2014 7:01:33 PM
> > Subject: Re: [keycloak-user] Multitenancy for WAR
> >
> > Hi Bill,
> >
> > it's been a while since we discussed this but I thought I'd add my question
> > to this thread since it is related. I'm now looking into authorizing
> > requests based on domain specific permissions.
> >
> > Here's the use case:
> > We have one war that serves as a REST-back-end for a JavaScript application.
> > We've successfully secured the application (AngularJS with keycloak.js in
> > the front-end, WAR on Wildfly 8 with JAX-RS/ RestEasy in the back-end) with
> > keycloak (beta-2). Now, instead of using the role mapping in the OAuth
> > token, we'd like to be able to determine the users' role mappings based on a
> > path parameter in the HTTP request to the REST-back-end.
> >
> > For example, if the URL is '/my-app/1/some-resource', we need to check
> > whether the user has an account in 'my-app 1' (which is an entry in the
> > applications database) and add the respective roles (also from the
> > applications database), if the URL is /my-app/2/... the same needs to happen
> > for 'my-app 2' etc.
> >
> > The idea would be to add some kind of security interceptor which extracts the
> > keycloak user id, matches the id to the domain user (user from e.g. my-app
> > 1), and adds the role mapping of the domain user. Since we'd like to
> > continue using the EJB annotations (RolesAllowed etc.), we'd need to make
> > sure those domain users' roles are propagated to the security context.
> >
> > So the question is, would you recommend extending the keycloak login module?
> > Or can you think of an easier way like e.g. a web filter?
> >
> > Cheers!
> > Nils
> >
> > My question is whether to extend the wildfly adapter (KeycloakLoginModule) or
> > to
> >
> > On Sun, Jun 1, 2014 at 5:57 PM, Nils Preusker < n.preusker at gmail.com > wrote:
> >
> > Hi Bill,
> >
> > The more I think about it the more it makes sense to me that the tenant or
> > application instance is indeed part of the applications data model and not
> > part of keycloak. Especially since we want to add tenants at runtime, it
> > wouldn't be possible to have a check without hitting the db.
> >
> > About cross realm users, I totally agree! I also don't like the idea and I'm
> > hoping and guessing that we won't really need it in the end.
> >
> > Thanks for the discussion!
> > Nils
> >
> > > On 01 Jun 2014, at 13:28, Bill Burke < bburke at redhat.com > wrote:
> > >
> > > We already support some form of multi-tenancy. One keycloak server can
> > > serve up multiple realms.
> > >
> > >
> > > For multitenant-apps was thinking of an app or service that needs to
> > > support multiple isolated realms.
> > >
> > > For bearer-only services, there would just be a list of realms that are
> > > supported and the keycloak adapter would just look into the bearer token
> > > to know which realm to validate the token with. For browser apps, they
> > > need to be able to know which realm you are authenticating against, so I
> > > thought the desired realm would be extracted from the URL.
> > >
> > > I balk at your use-case because I don't like the idea of cross-realm users.
> > >
> > >
> > >> On 6/1/2014 4:02 AM, Nils Preusker wrote:
> > >> The only issue is that we might need to be able to assign different
> > >> roles to the same user in different application instances.
> > >
> > > What you could do, is not use the keycloak adapter and just hand code
> > > your interactions via our oauth client api.
> > > Then your application
> > > service could figure out which realm and application instance the user
> > > was logging however it wanted and pass that information along when
> > > you start the oauth protocol flow. Following me?
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
>

From stian at redhat.com Tue Aug 26 04:01:00 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 Aug 2014 04:01:00 -0400 (EDT)
Subject: [keycloak-user] Pre-requistes for Non-interactive Realm, Application, User setup in Keycloak
In-Reply-To: <1407865664.98724.YahooMailNeo@web120204.mail.ne1.yahoo.com>
References: <1407522962.93197.YahooMailNeo@web120205.mail.ne1.yahoo.com> <1407865664.98724.YahooMailNeo@web120204.mail.ne1.yahoo.com>
Message-ID: <1766339108.38372774.1409040060689.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Kamal Jagadevan"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 12 August, 2014 7:47:44 PM
> Subject: Re: [keycloak-user] Pre-requistes for Non-interactive Realm, Application, User setup in Keycloak
>
> Not sure why this message didn't reach the user list!!
>
> From: Kamal Jagadevan
> To: "keycloak-user at lists.jboss.org"
> Sent: Friday, August 8, 2014 2:36 PM
> Subject: Pre-requistes for Non-interactive Realm, Application, User setup in Keycloak
>
> Hello,
>
> I am quite aware that REST API is the only way for non-interactive
> integration to setup Realm, Application, and Users in Keycloak.
> Having said that even before invoking desired api, we need Client ID
> (Account), Client Secret, Username and password (after resetting) to obtain
> the access token.
>
> 1. what is the best way to obtain these values for subsequent API
> invocations?

Atm there's two options:
1. Manually through the admin console
2. Set the required client id/secret in an import file to bootstrap KC with an initial realm + client (you can also import this at startup with -Dkeycloak.import=)

> 2. I observed there is a mechanism to upload a JSON file with Realm
> configuration but how can I export it at the first place.

http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/export-import.html

>
> Please share your thoughts.
>
> Best
> Kamal

From stian at redhat.com Tue Aug 26 05:07:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 Aug 2014 05:07:26 -0400 (EDT)
Subject: [keycloak-user] Alternative ways to reset password
In-Reply-To: <1408128056.10505.YahooMailNeo@web120206.mail.ne1.yahoo.com>
References: <1408039689.84163.YahooMailNeo@web120202.mail.ne1.yahoo.com> <1408128056.10505.YahooMailNeo@web120206.mail.ne1.yahoo.com>
Message-ID: <621961083.38413045.1409044046217.JavaMail.zimbra@redhat.com>

This is a use-case we'll need to support. We have to be able to bootstrap a server without requiring using the admin console. However, it's not supported atm and we're not going to until at least 1.1.
Your best option at the moment is to use the JSON import approach you're inclining towards ;)

Answers to your questions inline

----- Original Message -----
> From: "Kamal Jagadevan"
> To: "Rodrigo Sasaki"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 15 August, 2014 8:40:56 PM
> Subject: Re: [keycloak-user] Alternative ways to reset password
>
> Thank you Rodrigo!!
> Can you please clarify the following?
>
> 1. Admin-client is that something released in beta4 release, is that right?

It's in RC1

> 2. In order to use REST API in a out of box Keycloak service, don't you need
> Username, password and either public client id or combination of client id
> and secret.

Yes

> 3. Also for the 1st time login, you may need to change the admin password.
> can this be done through this Admin client

No

> 4. By default the Direct Grant access API is disabled for the "master" realm,
> can this also be modified through Admin client.

Yes, but you need it enabled to be able to use the admin client in the first place

>
> My use case is Keycloak will be part of our product and all the 1st time
> setting +configuration should be done during installation step without end
> user logging into keycloak admin console.
>
> Currently I am inclined towards using a JSON to import a new realm that our
> product can use which are pre-configured with appropriate values. Not sure
> if there is any other better way of dealing with it.
>
> Best
> Kamal
>
> From: Rodrigo Sasaki
> To: Kamal Jagadevan
> Cc: "keycloak-user at lists.jboss.org"
> Sent: Thursday, August 14, 2014 2:38 PM
> Subject: Re: [keycloak-user] Alternative ways to reset password
>
> I believe I can help you with this one. The Keycloak team can correct me if I
> say anything inaccurate.
>
> There is an admin-client bundled with Keycloak that can be used to access the
> Keycloak REST API, it's basically a Java REST client for the REST API that
> they provide and is documented here:
> http://docs.jboss.org/keycloak/docs/1.0-beta-4/rest-api/overview-index.html
>
> Basically what you need is an OAuthClient or an Application, and a User and
> you can alter information like you requested.
>
> The source is here:
> https://github.com/keycloak/keycloak/tree/master/integration/admin-client
> And you can add it as a maven dependency as well:
> http://maven-repository.com/artifact/org.keycloak/keycloak-admin-client/1.0-beta-4
>
>
> On Thu, Aug 14, 2014 at 3:08 PM, Kamal Jagadevan < j.kamal at ymail.com > wrote:
>
> Hello,
> Are there any alternative ways like command line or shortcuts to update the
> Realm settings or user settings in Keycloak.
> Though it is possible to set it up through Admin console but trying to avoid
> the setup steps through UI.
>
> Looks like during application bootstrap these are few settings like admin
> password to be reset & Direct Grant API access being disabled.
> Is there any other better way to modify other than UI or directly updating
> them in database.
>
> Please let us know. This is critical for our post install steps while
> integrating with Keycloak.
>
> Thanks
> Kamal
>
> --
> Rodrigo Sasaki
>

From stian at redhat.com Tue Aug 26 05:36:16 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 Aug 2014 05:36:16 -0400 (EDT)
Subject: [keycloak-user] I have tried everything
In-Reply-To:
References:
Message-ID: <1768031734.38430402.1409045776607.JavaMail.zimbra@redhat.com>

You should not need the ExampleDS and you should also be able to change the name of the datasource by editing keycloak-server.json. I'll look into this.

Are you deploying to AS7 or WildFly? How are you deploying (war-dist, appliance-dist, or building your own war?).

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Sunday, 17 August, 2014 2:05:53 AM
> Subject: Re: [keycloak-user] I have tried everything
>
> Ok, I figured it out. I just replaced java:jboss/datasources/KeycloakDS with
> my own settings rather than create a new jndi datasource with a different
> name. In the past I was able to change the jndi name to
> java:jboss/datasources/ui_users and make a few updates to persistence.xml.
> The new way is arguably easier. Now that I know to just replace KeycloakDS
> with my own settings I do not need to change anything else. Am I correct in
> assuming this is how things work going forward? It seems I cannot delete
> ExampleDS either without causing problems though. The current documentation
> is also misleading.
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Aug 26 05:38:29 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 05:38:29 -0400 (EDT) Subject: [keycloak-user] Multiple login screens In-Reply-To: <53F0C856.1070402@redhat.com> References: <337CB56A25624D4185E961FFB48AA00F04C50D5A8C8E@SWANS20.fitzroy01.local> <53F0C856.1070402@redhat.com> Message-ID: <1640288186.38431526.1409045909590.JavaMail.zimbra@redhat.com> We could let an application override what theme is used? Also, we could add a query param that for the login screen that lets you set the theme. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Sunday, 17 August, 2014 5:20:54 PM > Subject: Re: [keycloak-user] Multiple login screens > > So, we need a login interceptor that can change the theme per request. > > On 8/16/2014 11:31 PM, Graeme Collis wrote: > > I?m also interested in this. > > > > My use-case is that I have different groups of users in my application > > who see different themes(ie: images, colors, etc) depending on department. > > > > So in my app I check the which department the user belongs to and > > dynamically change things. The departments though are using the same > > **REALM** as far as the application security is concerned. > > > > Things are a little chicken and egg though because the themes depend on > > the users. I actually can make the different departments use a different > > URL to login. > > > > If my application used different realms I could set up individual themes > > for the realm but my grouping is more like a sub realm. > > > > Just my vote. 
> > > > Regards, Graeme Collis > > > > *From:*keycloak-user-bounces at lists.jboss.org > > [mailto:keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Rodrigo > > Sasaki > > *Sent:* Saturday, 16 August 2014 12:36 AM > > *To:* keycloak-user at lists.jboss.org > > *Subject:* [keycloak-user] Multiple login screens > > > > Hi, I was wondering if there is a plan to implement multiple login > > screens. We have the need for more than one type of login screen here, > > for different flows, and I imagine we're not the only ones who will be > > interested in such a feature. > > > > Something that allows you to select between the screens you created for > > a given style, and have one by default maybe. > > > > Any thoughts? > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Tue Aug 26 07:53:21 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 07:53:21 -0400 (EDT) Subject: [keycloak-user] i18n in log-in forms etc. In-Reply-To: References: Message-ID: <1985349411.38499629.1409054001220.JavaMail.zimbra@redhat.com> We plan to support this soon, but it won't be until after 1.0.final is released ----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Monday, 25 August, 2014 10:18:19 AM > Subject: [keycloak-user] i18n in log-in forms etc. > > Hi everyone, > > I saw that there is already a JIRA issue for this, but I was wondering > whether there are any plans to add support for i18n in keyclaok themes? 
> > Here's the issue: https://issues.jboss.org/browse/KEYCLOAK-301 > > To be more precise, we'd need to provide different messages and labels in > log-in and registration templates based on the browser language. > > Cheers, > Nils > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Aug 26 08:03:50 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 08:03:50 -0400 (EDT) Subject: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required In-Reply-To: References: <415D0D95-2FB9-4ABB-B426-14F8E55990C2@icloud.com> Message-ID: <1157746576.38515059.1409054630508.JavaMail.zimbra@redhat.com> In beta 4 we changed the defaults to required SSL. In the past ssl wasn't required, now it's required if you're not accessing the server from a local IP address. You can either enable SSL on AWS (highly recommended!) or change the settings through the admin console (you'll need to either use an SSL tunnel or https to do this though). ----- Original Message ----- > From: "Rodrigo Sasaki" > To: "Christina Lau" > Cc: keycloak-user at lists.jboss.org > Sent: Sunday, 24 August, 2014 4:34:30 PM > Subject: Re: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required > > > > Beta 4 now has different options on the "ssl-required" option > > The default used to be ssl disabled, but now it's "external-only" so all > external requests should access via ssl > > You should try opening it directly from your ec2 instance via localhost to > change that > On Aug 24, 2014 11:06 AM, "Christina Lau" < christinalau28 at icloud.com > > wrote: > > > I am unable to start Keycloak beta 4 on EC2. When I clicked on the Admin > Console, I got HTTPS required. > > I did the same configuration changes (standalone.xml) for Keycloak beta 3 and > it worked on EC2. > > What else do I need to configure for beta 4? 
> > Here is the URLs: > > Beta 4 doesn?t work: > http://54.88.95.99:8080/auth/ > > Beta 3 works: > http://54.84.240.18:8080/auth/ > > Christina > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Aug 26 08:05:14 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 08:05:14 -0400 (EDT) Subject: [keycloak-user] CSS design by Application In-Reply-To: References: Message-ID: <995644985.38519315.1409054714834.JavaMail.zimbra@redhat.com> That's not possible ATM. If you create a JIRA we can look at adding it though. ----- Original Message ----- > From: "Vinicius Nakayama" > To: keycloak-user at lists.jboss.org > Sent: Friday, 22 August, 2014 9:29:10 PM > Subject: [keycloak-user] CSS design by Application > > Hi, > > I created one realm with many applications associated. I would like to know > if it is possible to find out which app that was called in my > page(login.ftl)? > > For example: > > When some app from my realm is called, I discover the app that was called and > I show login page with specific css for it. > > Thanks in advance. 
>

From stian at redhat.com Tue Aug 26 08:34:44 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 Aug 2014 08:34:44 -0400 (EDT)
Subject: [keycloak-user] SSO Session Idle Timeout for Direct
In-Reply-To:
References:
Message-ID: <2117519485.38547481.1409056484460.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "John DODGE CONSULTING SERVICES Schneider, LLC"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 22 August, 2014 3:52:47 PM
> Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
>
> My application is checking the access token timeout and refreshing it if
> expired. The thing is, the tokens are being invalidated after the SSO
> session timeout. So if I have the access token timeout set to 4 hours, and
> the SSO timeout set to 15 minutes, the access token and refresh tokens are
> both invalidated after only 15 minutes.

It doesn't really make much sense to have idle timeout shorter than access token timeout. For example in your case above the user session is logged out after 15 min, but an application can still access services using the token for nearly another 4 hours.

>
> > Date: Thu, 21 Aug 2014 17:34:16 -0400
> > From: Bill Burke < bburke at redhat.com >
> > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
> > Grants
> > To: keycloak-user at lists.jboss.org
> > Message-ID: < 53F665D8.9000303 at redhat.com >
> > Content-Type: text/plain; charset=windows-1252; format=flowed
> >
> > I don't agree...
> >
> > Your application should be checking for token timeouts and performing a
> > refresh. The response from direct-grant gives you a refresh token as
> > well as an access token as well as a timeout (which you could check from
> > the access token).
> >
> > Since you have a refresh token, you can refresh the access token.
> > You
> > still want the same setup: Short access token lifespan
> > (seconds/minutes) with a longer refresh timeout minutes/hours. This is
> > for revocation checks, permission changes, etc.
> >
> > I could set up a different SSO timeout/access token timeout for grant
> > requests if you want, but that would have to be after 1.0.final.
>

From John.Schneider at carrier.utc.com Tue Aug 26 09:27:54 2014
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Tue, 26 Aug 2014 13:27:54 +0000
Subject: [keycloak-user] SSO Session Idle Timeout for Direct
In-Reply-To: <2117519485.38547481.1409056484460.JavaMail.zimbra@redhat.com>
References: <2117519485.38547481.1409056484460.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian,

It does make sense when you have two distinct sets of "users", one of which does not include people. In our case, we have people at a keyboard that we want to timeout after about 15 minutes of inactivity, and we also have external applications running in the background that have no need for a user session per-se and execute many REST service invocations for the same service over several hours. The applications are active the whole time, but not interacting with the OAuth server.

If you want to keep things this way, I don't think it's a good idea, but please at least put in a validation in the admin UI with a warning of "access token timeout should not be less than SSO session idle timeout".
Thanks,
John

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Tuesday, August 26, 2014 8:35 AM
To: Schneider, John DODGE CONSULTING SERVICES, LLC
Cc: keycloak-user at lists.jboss.org
Subject: [External] Re: [keycloak-user] SSO Session Idle Timeout for Direct

----- Original Message -----
> From: "John DODGE CONSULTING SERVICES Schneider, LLC"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 22 August, 2014 3:52:47 PM
> Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
>
> My application is checking the access token timeout and refreshing it
> if expired. The thing is, the tokens are being invalidated after the
> SSO session timeout. So if I have the access token timeout set to 4
> hours, and the SSO timeout set to 15 minutes, the access token and
> refresh tokens are both invalidated after only 15 minutes.

It doesn't really make much sense to have idle timeout shorter than access token timeout. For example in your case above the user session is logged out after 15 min, but an application can still access services using the token for nearly another 4 hours.

>
> > Date: Thu, 21 Aug 2014 17:34:16 -0400
> > From: Bill Burke < bburke at redhat.com >
> > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
> > Grants
> > To: keycloak-user at lists.jboss.org
> > Message-ID: < 53F665D8.9000303 at redhat.com >
> > Content-Type: text/plain; charset=windows-1252; format=flowed
> >
> > I don't agree...
> >
> > Your application should be checking for token timeouts and performing a
> > refresh. The response from direct-grant gives you a refresh token as
> > well as an access token as well as a timeout (which you could check from
> > the access token).
> >
> > Since you have a refresh token, you can refresh the access token. You
> > still want the same setup: Short access token lifespan
> > (seconds/minutes) with a longer refresh timeout minutes/hours.
> > This is
> > for revocation checks, permission changes, etc.
> >
> > I could set up a different SSO timeout/access token timeout for grant
> > requests if you want, but that would have to be after 1.0.final.
>

From stian at redhat.com Tue Aug 26 10:14:00 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 Aug 2014 10:14:00 -0400 (EDT)
Subject: [keycloak-user] SSO Session Idle Timeout for Direct
In-Reply-To:
References: <2117519485.38547481.1409056484460.JavaMail.zimbra@redhat.com>
Message-ID: <1689122998.38644001.1409062440477.JavaMail.zimbra@redhat.com>

It's recommended to keep access token timeout low (minutes rather than hours). However, I agree in your case for the background apps there's no need for the SSO idle timeout. Adding an option to disable SSO idle timeout for direct access makes sense, not sure if that should be realm wide or app specific though.

----- Original Message -----
> From: "John DODGE CONSULTING SERVICES Schneider, LLC"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 26 August, 2014 3:27:54 PM
> Subject: RE: Re: [keycloak-user] SSO Session Idle Timeout for Direct
>
> Hi Stian,
>
> It does make sense when you have two distinct sets of "users", one of which
> does not include people. In our case, we have people at a keyboard that we
> want to timeout after about 15 minutes of inactivity, and we also have
> external applications running in the background that have no need for a user
> session per-se and execute many REST service invocations for the same
> service over several hours. The applications are active the whole time, but
> not interacting with the OAuth server.
>
> If you want to keep things this way, I don't think it's a good idea, but
> please at least put in a validation in the admin UI with a warning of
> "access token timeout should not be less than SSO session idle timeout".
>
> Thanks,
> John
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Tuesday, August 26, 2014 8:35 AM
> To: Schneider, John DODGE CONSULTING SERVICES, LLC
> Cc: keycloak-user at lists.jboss.org
> Subject: [External] Re: [keycloak-user] SSO Session Idle Timeout for Direct
>
> ----- Original Message -----
> > From: "John DODGE CONSULTING SERVICES Schneider, LLC"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 22 August, 2014 3:52:47 PM
> > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
> >
> > My application is checking the access token timeout and refreshing it
> > if expired. The thing is, the tokens are being invalidated after the
> > SSO session timeout. So if I have the access token timeout set to 4
> > hours, and the SSO timeout set to 15 minutes, the access token and
> > refresh tokens are both invalidated after only 15 minutes.
>
> It doesn't really make much sense to have idle timeout shorter than access
> token timeout. For example in your case above the user session is logged out
> after 15 min, but an application can still access services using the token
> for nearly another 4 hours.
>
> >
> > > > Date: Thu, 21 Aug 2014 17:34:16 -0400
> > > > From: Bill Burke < bburke at redhat.com >
> > > > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
> > > > Grants
> > > > To: keycloak-user at lists.jboss.org
> > > > Message-ID: < 53F665D8.9000303 at redhat.com >
> > > > Content-Type: text/plain; charset=windows-1252; format=flowed
> > > >
> > > > I don't agree...
> > > >
> > > > Your application should be checking for token timeouts and performing a
> > > > refresh.
> > > > The response from direct-grant gives you a refresh token as
> > > > well as an access token as well as a timeout (which you could check from
> > > > the access token).
> > > >
> > > > Since you have a refresh token, you can refresh the access token. You
> > > > still want the same setup: Short access token lifespan
> > > > (seconds/minutes) with a longer refresh timeout minutes/hours. This is
> > > > for revocation checks, permission changes, etc.
> > > >
> > > > I could set up a different SSO timeout/access token timeout for grant
> > > > requests if you want, but that would have to be after 1.0.final.
> >
>

From John.Schneider at carrier.utc.com Tue Aug 26 10:49:50 2014
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Tue, 26 Aug 2014 14:49:50 +0000
Subject: [keycloak-user] SSO Session Idle Timeout for Direct
In-Reply-To: <1689122998.38644001.1409062440477.JavaMail.zimbra@redhat.com>
References: <2117519485.38547481.1409056484460.JavaMail.zimbra@redhat.com> <1689122998.38644001.1409062440477.JavaMail.zimbra@redhat.com>
Message-ID:

For my use cases, a realm-wide setting would be great. A client-specific setting would be OK too. But with respect to an application-specific setting, we're actually not registering any applications in Keycloak as we're securing a mix of services on platforms not supported by Keycloak. We're writing libraries on these platforms to validate access tokens using the new "validate" Keycloak endpoint.
-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Tuesday, August 26, 2014 10:14 AM
To: Schneider, John DODGE CONSULTING SERVICES, LLC
Cc: keycloak-user at lists.jboss.org
Subject: [External] Re: [keycloak-user] SSO Session Idle Timeout for Direct

It's recommended to keep access token timeout low (minutes rather than hours). However, I agree in your case for the background apps there's no need for the SSO idle timeout. Adding an option to disable SSO idle timeout for direct access makes sense, not sure if that should be realm wide or app specific though.

----- Original Message -----
> From: "John DODGE CONSULTING SERVICES Schneider, LLC"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 26 August, 2014 3:27:54 PM
> Subject: RE: Re: [keycloak-user] SSO Session Idle Timeout for Direct
>
> Hi Stian,
>
> It does make sense when you have two distinct sets of "users", one of
> which does not include people. In our case, we have people at a
> keyboard that we want to timeout after about 15 minutes of inactivity,
> and we also have external applications running in the background that
> have no need for a user session per-se and execute many REST service
> invocations for the same service over several hours. The applications
> are active the whole time, but not interacting with the OAuth server.
>
> If you want to keep things this way, I don't think it's a good idea,
> but please at least put in a validation in the admin UI with a warning
> of "access token timeout should not be less than SSO session idle timeout".
> > Thanks, > John > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: Tuesday, August 26, 2014 8:35 AM > To: Schneider, John DODGE CONSULTING SERVICES, LLC > Cc: keycloak-user at lists.jboss.org > Subject: [External] Re: [keycloak-user] SSO Session Idle Timeout for > Direct > > > > ----- Original Message ----- > > From: "John DODGE CONSULTING SERVICES Schneider, LLC" > > > > To: keycloak-user at lists.jboss.org > > Sent: Friday, 22 August, 2014 3:52:47 PM > > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct > > > > > > > > My application is checking the access token timeout and refreshing > > it if expired. The thing is, the tokens are being invalidated after > > the SSO session timeout. So if I have the access token timeout set > > to 4 hours, and the SSO timeout set to 15 minutes, the access token > > and refresh tokens are both invalidated after only 15 minutes. > > It doesn't really make much sense to have idle timeout shorter than > access token timeout. For example in your case above the user session > is logged out after 15 min, but an application can still access > services using the token for nearly another 4 hours. > > > > > > > > > > > > > Date: Thu, 21 Aug 2014 17:34:16 -0400 > > > > From: Bill Burke < bburke at redhat.com > > > > > Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct > > > > Grants > > > > To: keycloak-user at lists.jboss.org > > > > Message-ID: < 53F665D8.9000303 at redhat.com > > > > > Content-Type: text/plain; charset=windows-1252; format=flowed > > > > > > > > I don't agree... > > > > > > > > Your application should be checking for token timeouts and > > performing a > > > > refresh. The response from direct-grant gives you a refresh token as > > > > well as an access token as well as a timeout (which you could check > > from > > > > the access token). > > > > > > > > Since you have a refresh token, you can refresh the access token. 
> > You > > > > still want the same setup: Short access token lifespan > > > > (seconds/minutes) with a longer refresh timeout minutes/hours. This > > is > > > > for revocation checks, permission changes, etc. > > > > > > > > I could set up a different SSO timeout/access token timeout for > > grant > > > > requests if you want, but that would have to be after 1.0.final. > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From n.preusker at gmail.com Tue Aug 26 12:08:07 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 26 Aug 2014 18:08:07 +0200 Subject: [keycloak-user] i18n in log-in forms etc. In-Reply-To: <1985349411.38499629.1409054001220.JavaMail.zimbra@redhat.com> References: <1985349411.38499629.1409054001220.JavaMail.zimbra@redhat.com> Message-ID: Cool, thanks for your reply! I'll just keep watching the JIRA issue then. Cheers, Nils On Tue, Aug 26, 2014 at 1:53 PM, Stian Thorgersen wrote: > We plan to support this soon, but it won't be until after 1.0.final is > released > > ----- Original Message ----- > > From: "Nils Preusker" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 25 August, 2014 10:18:19 AM > > Subject: [keycloak-user] i18n in log-in forms etc. > > > > Hi everyone, > > > > I saw that there is already a JIRA issue for this, but I was wondering > > whether there are any plans to add support for i18n in keycloak themes? > > > > Here's the issue: https://issues.jboss.org/browse/KEYCLOAK-301 > > > > To be more precise, we'd need to provide different messages and labels in > > log-in and registration templates based on the browser language.
> > > > Cheers, > > Nils > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140826/bd48af29/attachment.html From christinalau28 at icloud.com Tue Aug 26 14:55:11 2014 From: christinalau28 at icloud.com (Christina Lau) Date: Tue, 26 Aug 2014 14:55:11 -0400 Subject: [keycloak-user] How to get the state parm to create a valid redirect url? Message-ID: I am trying to integrate Keycloak, RestEasy and Swagger. I got most of the stuff to work with the exception of a redirect URL problem. The scenario is if I am not yet authorized to a Restful service, then in Swagger, I can click on their authorize button and that is supposed to bring me to the Keycloak login screen. I am basically doing what is described in this article if that helps: http://developers-blog.helloreverb.com/enabling-oauth-with-swagger/ The problem I am facing is: It seems for Keycloak redirect to work, there is a state parameter. For example, this works: http://localhost:8080/auth/realms/DSG_API/tokens/login?client_id=dsgapi&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fdsgapi%2Fblueprints%2F&state=319%2F75ebc1c8-a530-4a3d-b69f-480e96b69b68&login=true How do I programmatically get this state parameter? Christina From christinalau28 at icloud.com Tue Aug 26 16:20:21 2014 From: christinalau28 at icloud.com (Christina Lau) Date: Tue, 26 Aug 2014 16:20:21 -0400 Subject: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required Message-ID: <759CBD22-981B-4E64-B546-7AF96CD064F6@icloud.com> Thx. I was able to zip up my laptop version and ssh over to make it work (i.e. bring up admin console). 
With RHEL VMs, there is no easy way to bring up a local browser so the old defaults were more convenient for those that do dev/test in the cloud. From stian at redhat.com Wed Aug 27 02:08:51 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 27 Aug 2014 02:08:51 -0400 (EDT) Subject: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required In-Reply-To: <759CBD22-981B-4E64-B546-7AF96CD064F6@icloud.com> References: <759CBD22-981B-4E64-B546-7AF96CD064F6@icloud.com> Message-ID: <261540225.39078942.1409119731885.JavaMail.zimbra@redhat.com> Yep, the old approach was more convenient. With local VMs you'll most likely be using an IP address in the range that we permit non-https to when set to external (http://en.wikipedia.org/wiki/Private_network). For PaaS (i.e. OpenShift) the provider usually sets up https for you so it's not a problem, but I guess the remaining issue is for IaaS (i.e. AWS). If there's demand for it we could add some mechanism to disable it for dev without having to use the admin console. ----- Original Message ----- > From: "Christina Lau" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 26 August, 2014 10:20:21 PM > Subject: Re: [keycloak-user] Unable to start Keycloak beta on AWS VM - HTTPS required > > Thx. I was able to zip up my laptop version and ssh over to make it work > (i.e. bring up admin console). With RHEL VMs, there is no easy way to bring > up a local browser so the old defaults were more convenient for those that > do dev/test in the cloud.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From juraci at kroehling.de Wed Aug 27 03:11:13 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Wed, 27 Aug 2014 09:11:13 +0200 Subject: [keycloak-user] Docker Image error In-Reply-To: References: Message-ID: <53FD8491.1030102@kroehling.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dean, I don't have a Windows server to test it, so, would you be able to join #jboss-docker or #keycloak on freenode when you are available for some troubleshooting? I am jpkroehling there. The first question would be: do you see the same issue when booting the official WildFly image? https://registry.hub.docker.com/u/jboss/wildfly/ Best, Juca. On 08/05/2014 05:16 AM, Dean Peterson wrote: > I installed Docker on my Windows Server 2012 R2 machine and tried > to use the Keycloak Docker image. I ran "docker run -it -p > 8080:8080 -p 9090:9090 jboss/keycloak" and received the following > error: > > java.lang.IllegalArgumentException: Failed to instantiate class > "org.jboss.logmanager.handlers.PeriodicRotatingFileHandler" for > handler "FILE" at > org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:119) > . . . at > java.lang.reflect.Constructor.newInstance(Constructor.java:526) at > org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:117) > ... 19 more Caused by: java.io.FileNotFoundException: > /opt/wildfly/standalone/log/server.log (No such file or directory) > at java.io.FileOutputStream.open(Native Method) at > java.io.FileOutputStream.<init>(FileOutputStream.java:221) > > Any ideas?
> > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJT/YSRAAoJEDnJtskdmzLMs7cH/jDWLMPMOI13N1zUUzrA5pt2 KYJOgJktYSbWUC0Z6w89hFWYkRnchsoeG6wpsdAEkHMLVYr5zKtYeohf1lU9BsAp ODUo08yrdRqPxmLvMzc6HiimUXeKRrO2Jl36WrIQUMXy+ga1u/1MDiBRlI6hqdbD sC+hgV0hqsiTUAexAMPPjHD20V1VLH7Rxm/CKVDs4lIt+eIftQCqxN/FgOi+kf0N xrjdM6/DELqbF5HPy94ZXMGWEnV7OE0pO89Q95liWJHNDf/uPtYktyC4KUZflYdi ICfMu+TwNRszj4gfMei1WDnlVterjuFU2vsnJtauTUXB7Cnhl1rrfg9eRlFt1gA= =tgm9 -----END PGP SIGNATURE----- From stian at redhat.com Wed Aug 27 05:25:31 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 27 Aug 2014 05:25:31 -0400 (EDT) Subject: [keycloak-user] Last release candidate before final In-Reply-To: <1994603101.39183045.1409131481337.JavaMail.zimbra@redhat.com> Message-ID: <244405983.39183513.1409131531861.JavaMail.zimbra@redhat.com> All, We aim to release RC-2 on Friday. This will hopefully be the last release candidate before 1.0.final is released, so please if you have any issues with RC-1 let us know asap. Regards, Stian From evanthomjd at gmail.com Wed Aug 27 14:47:36 2014 From: evanthomjd at gmail.com (Evan Thompson) Date: Wed, 27 Aug 2014 14:47:36 -0400 Subject: [keycloak-user] Password Hashing Message-ID: Howdy, I've been looking into Keycloak and have a question in regards to password hashing. I came across a closed JIRA item that discusses supporting bcrypt, but the comments just state that improved password hashing has already been added. I guess my question is what exactly does Keycloak provide/support in terms of password encryption and is it configurable. Cheers, Evan -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140827/32d893e4/attachment.html From stian at redhat.com Thu Aug 28 00:40:21 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 00:40:21 -0400 (EDT) Subject: [keycloak-user] Password Hashing In-Reply-To: References: Message-ID: <102148577.39923736.1409200821690.JavaMail.zimbra@redhat.com> Keycloak uses PBKDF2 to hash passwords with a configurable number of iterations. ----- Original Message ----- > From: "Evan Thompson" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 27 August, 2014 8:47:36 PM > Subject: [keycloak-user] Password Hashing > > Howdy, > > I've been looking into Keycloak and have a question in regards to password > hashing. I came across a closed JIRA item that discusses supporting bcrypt, > but the comments just state that improved password hashing has already been > added. I guess my question is what exactly does Keycloak provide/support in > terms of password encryption and is it configurable. > > Cheers, > > Evan > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From j.kamal at ymail.com Thu Aug 28 00:43:06 2014 From: j.kamal at ymail.com (Kamal Jagadevan) Date: Thu, 28 Aug 2014 04:43:06 -0000 Subject: [keycloak-user] Pre-requisites for Non-interactive Realm, Application, User setup in Keycloak Message-ID: <1407522962.93197.YahooMailNeo@web120205.mail.ne1.yahoo.com> Hello, I am quite aware that the REST API is the only way for non-interactive integration to set up Realm, Application, and Users in Keycloak. Having said that, even before invoking the desired API, we need Client ID (Account), Client Secret, Username and password (after resetting) to obtain the access token. 1. What is the best way to obtain these values for subsequent API invocations? 2.
I observed there is a mechanism to upload a JSON file with Realm configuration, but how can I export it in the first place? Please share your thoughts. Best Kamal -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140828/22c8b724/attachment.html From stian at redhat.com Thu Aug 28 05:56:54 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 05:56:54 -0400 (EDT) Subject: [keycloak-user] I have tried everything In-Reply-To: <1768031734.38430402.1409045776607.JavaMail.zimbra@redhat.com> References: <1768031734.38430402.1409045776607.JavaMail.zimbra@redhat.com> Message-ID: <2099662624.40066477.1409219814477.JavaMail.zimbra@redhat.com> I've tested this now and it seems to work fine. To use a different datasource to KeycloakDS you just need to change it in: standalone/configuration/keycloak-server.json To remove the ExampleDS datasource you need to remove the datasource definition from standalone.xml, and also remove (or change) the datasource attribute of default-bindings: From: "Stian Thorgersen" > To: "Dean Peterson" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 26 August, 2014 11:36:16 AM > Subject: Re: [keycloak-user] I have tried everything > > You should not need the ExampleDS and you should also be able to change the > name of the datasource by editing keycloak-server.json. > > I'll look into this. Are you deploying to AS7 or WildFly? How are you > deploying (war-dist, appliance-dist, or building your own war?). > > ----- Original Message ----- > > From: "Dean Peterson" > > To: keycloak-user at lists.jboss.org > > Sent: Sunday, 17 August, 2014 2:05:53 AM > > Subject: Re: [keycloak-user] I have tried everything > > > > Ok, I figured it out. I just replaced java:jboss/datasources/KeycloakDS > > with > > my own settings rather than create a new jndi datasource with a different > > name.
In the past I was able to change the jndi name to > > java:jboss/datasources/ui_users and make a few updates to persistence.xml. > > The new way is arguably easier. Now that I know to just replace KeycloakDS > > with my own settings I do not need to change anything else. Am I correct in > > assuming this is how things work going forward? It seems I cannot delete > > ExampleDS either without causing problems though. The current documentation > > is also misleading. > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Thu Aug 28 06:01:08 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 06:01:08 -0400 (EDT) Subject: [keycloak-user] 1.0 RC 1 released In-Reply-To: <53F50360.1090805@redhat.com> References: <53F502FA.6030103@redhat.com> <53F50360.1090805@redhat.com> Message-ID: <1014493962.40068459.1409220068655.JavaMail.zimbra@redhat.com> OpenShift cartridge is now updated to 1.0 RC-1 ----- Original Message ----- > From: "Steven Pousty" > To: "Bill Burke" , keycloak-dev at lists.jboss.org, keycloak-user at lists.jboss.org > Sent: Wednesday, 20 August, 2014 10:21:52 PM > Subject: Re: [keycloak-user] 1.0 RC 1 released > > This is awesome - Has the OpenShift cartridge been updated? > Thanks > Steve > On 08/20/2014 01:20 PM, Bill Burke wrote: > > We're getting closer to 1.0.Final and are still scheduled for a final > > release 2nd week of September. 
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From peterson.dean at gmail.com Thu Aug 28 09:33:50 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 28 Aug 2014 08:33:50 -0500 Subject: [keycloak-user] I have tried everything In-Reply-To: <2099662624.40066477.1409219814477.JavaMail.zimbra@redhat.com> References: <1768031734.38430402.1409045776607.JavaMail.zimbra@redhat.com> <2099662624.40066477.1409219814477.JavaMail.zimbra@redhat.com> Message-ID: Ok, great! I tried the appliance and I built my own. I did remove it as a datasource definition and I modified the keycloak-server.json file but I must have missed removing the wrote: > I've tested this now and it seems to work fine. > > To use a different datasource to KeycloakDS you just need to change it in: > > standalone/configuration/keycloak-server.json > > To remove the ExampleDS datasource you need to remove the datasource > definition from standalone.xml, and also remove (or change) the datasource > attribute of default-bindings: > > context-service="java:jboss/ee/concurrency/context/default" > datasource="java:jboss/datasources/ExampleDS" ... > > ----- Original Message ----- > > From: "Stian Thorgersen" > > To: "Dean Peterson" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, 26 August, 2014 11:36:16 AM > > Subject: Re: [keycloak-user] I have tried everything > > > > You should not need the ExampleDS and you should also be able to change > the > > name of the datasource by editing keycloak-server.json. > > > > I'll look into this. Are you deploying to AS7 or WildFly? How are you > > deploying (war-dist, appliance-dist, or building your own war?). 
> > > > ----- Original Message ----- > > > From: "Dean Peterson" > > > To: keycloak-user at lists.jboss.org > > > Sent: Sunday, 17 August, 2014 2:05:53 AM > > > Subject: Re: [keycloak-user] I have tried everything > > > > > > Ok, I figured it out. I just replaced java:jboss/datasources/KeycloakDS > > > with > > > my own settings rather than create a new jndi datasource with a > different > > > name. In the past I was able to change the jndi name to > > > java:jboss/datasources/ui_users and make a few updates to > persistence.xml. > > > The new way is arguably easier. Now that I know to just replace > KeycloakDS > > > with my own settings I do not need to change anything else. Am I > correct in > > > assuming this is how things work going forward? It seems I cannot > delete > > > ExampleDS either without causing problems though. The current > documentation > > > is also misleading. > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140828/ef90fb64/attachment.html From rodrigopsasaki at gmail.com Thu Aug 28 09:51:17 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Thu, 28 Aug 2014 10:51:17 -0300 Subject: [keycloak-user] Authenticate user without using login page In-Reply-To: <2092751170.20453860.1406728125335.JavaMail.zimbra@redhat.com> References: <455123582.18060022.1406295044131.JavaMail.zimbra@redhat.com> <456387541.18067244.1406295524609.JavaMail.zimbra@redhat.com> <185873083.20441868.1406726950922.JavaMail.zimbra@redhat.com> <53D8F558.5050902@redhat.com> <2092751170.20453860.1406728125335.JavaMail.zimbra@redhat.com> Message-ID: Coming back to this, I have a quick question. What would be the best way for me to create a valid login URL dynamically? When we try to access a protected resource, the login page comes up, authenticates the user and it all works fine, but when I try to fabricate a loginUrl with the redirect_uri that I need it to go to afterwards, we encounter some problems that I think may be related to the state variable, although I'm not sure. I get Error 400 sometimes, which isn't very clear. Is there a guideline for this? On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen wrote: > Yes, login_hint is one of the optional request parameters supported by > OpenID Connect > > ----- Original Message ----- > > From: "Bill Burke" > > To: "Stian Thorgersen" , "Rodrigo Sasaki" < > rodrigopsasaki at gmail.com> > > Cc: keycloak-user at lists.jboss.org > > Sent: Wednesday, 30 July, 2014 2:38:32 PM > > Subject: Re: [keycloak-user] Authenticate user without using login page > > > > OpenID Connect protocol is used to implement this? > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote: > > > Added login_hint query param.
It can be used with keycloak.js with > either: > > > > > > keycloak.login({ loginHint: 'username' }) > > > > > > or > > > > > > keycloak.createLoginUrl({ loginHint: 'username' }) > > > > > > ----- Original Message ----- > > >> From: "Rodrigo Sasaki" > > >> To: "Stian Thorgersen" > > >> Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > >> Sent: Friday, 25 July, 2014 6:11:47 PM > > >> Subject: Re: [keycloak-user] Authenticate user without using login > page > > >> > > >> It all worked great with the iframe, if I style it properly and use > that > > >> login_hint it should be perfect. > > >> > > >> Now how should I go about developing/using this login_hint? Are there > any > > >> tips on this, or is it something that you plan on including > yourselves? > > >> > > >> > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki < > rodrigopsasaki at gmail.com> > > >> wrote: > > >> > > >>> Just one more thing that wasn't completely clear to me. > > >>> > > >>> if I add a login page on an iframe, the user will be logged > normally? Or > > >>> would I have to get a token and keep managing it? > > >>> > > >>> > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki > > >>> > >>>> wrote: > > >>> > > >>>> That idea actually sounds amazing, I didn't look into keycloak.js > yet, > > >>>> but I'll see if I can get it working before I think about styling. > > >>>> > > >>>> Thank you very much! > > >>>> > > >>>> > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen < > stian at redhat.com> > > >>>> wrote: > > >>>> > > >>>>> I think we could quite easily add support for embedding the login > page > > >>>>> to keycloak.js. Rough idea: > > >>>>> > > >>>>> 1. Set an option on keycloak.js to use embedded login form. Would > also > > >>>>> require setting an id for a div where the form should be embedded. > > >>>>> 2. 
When clicking on login instead of redirecting it would render an > > >>>>> iframe element inside the configured div with the src of the iframe > > >>>>> being > > >>>>> the login page on Keycloak > > >>>>> 3. The redirect-uri would be a special url on Keycloak that > renders a > > >>>>> similar page to the iframe session page that allows posting a > message > > >>>>> back > > >>>>> to keycloak.js containing the code > > >>>>> 4. Now keycloak.js can swap the code as usual > > >>>>> > > >>>>> One thing is that we'd probably need an additional styling of the > login > > >>>>> form, as you would want the login page to display differently when > > >>>>> embedded > > >>>>> compared to when you redirect to it. > > >>>>> > > >>>>> ----- Original Message ----- > > >>>>>> From: "Stian Thorgersen" > > >>>>>> To: "Bill Burke" > > >>>>>> Cc: keycloak-user at lists.jboss.org > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login > > >>>>>> page > > >>>>>> > > >>>>>> The cookies should be set fine, as the iframe would contain the > login > > >>>>> page > > >>>>>> directly from Keycloak. > > >>>>>> > > >>>>>> It would redirect to a special page on the app that after > extracting > > >>>>> the code > > >>>>>> would close the popup. > > >>>>>> > > >>>>>> ----- Original Message ----- > > >>>>>>> From: "Bill Burke" > > >>>>>>> To: "Stian Thorgersen" , "Rodrigo Sasaki" > > >>>>>>> > > >>>>>>> Cc: keycloak-user at lists.jboss.org > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without using > login > > >>>>> page > > >>>>>>> > > >>>>>>> not sure this will work with SSO. I'm not sure CORS requests can > > >>>>> deal > > >>>>>>> with cookies. > > >>>>>>> > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote: > > >>>>>>>> What about using an iframe in the popup to include the login > form > > >>>>> from > > >>>>>>>> Keycloak? 
> > >>>>>>>> > > >>>>>>>> You can send a HTTP POST to > > >>>>> /auth-server//tokens/grants/access > > >>>>>>>> with > > >>>>>>>> client id/secret and username/password and get a token back. > With > > >>>>>>>> keycloak.js you can give it this token, not sure how/if this > flow > > >>>>> works > > >>>>>>>> with the server-side (Undertow) adapter. > > >>>>>>>> > > >>>>>>>> ----- Original Message ----- > > >>>>>>>>> From: "Rodrigo Sasaki" > > >>>>>>>>> To: "Stian Thorgersen" > > >>>>>>>>> Cc: "Bill Burke" , > > >>>>> keycloak-user at lists.jboss.org > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using > > >>>>> login page > > >>>>>>>>> > > >>>>>>>>> Actually, the main problem is one of the flows where the > password > > >>>>>>>>> request > > >>>>>>>>> appears in a popup, there's no redirect at all, and one of the > > >>>>> things > > >>>>>>>>> that > > >>>>>>>>> were agreed upon when decided to change the authentication > > >>>>> provider, was > > >>>>>>>>> that nothing would be altered in the user experience. > > >>>>>>>>> > > >>>>>>>>> So I really have to try and make keycloak "fit in" in these > > >>>>> particular > > >>>>>>>>> scenarios, they are not used as much as the ones where we'll > use > > >>>>> the > > >>>>>>>>> keycloak login page with our own style, but I do have to make > > >>>>> them work. > > >>>>>>>>> > > >>>>>>>>> When you say I could use direct grant to get a token, would > that > > >>>>> count > > >>>>>>>>> as > > >>>>>>>>> the same as an user logging in? It's not really clear to me > right > > >>>>> now > > >>>>>>>>> > > >>>>>>>>> > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen < > > >>>>> stian at redhat.com> > > >>>>>>>>> wrote: > > >>>>>>>>> > > >>>>>>>>>> Yes, but I'm wondering why the following won't work: > > >>>>>>>>>> > > >>>>>>>>>> 1. Ask for users email (in your app, not KC) > > >>>>>>>>>> 2. 
Once you get to the flow where a user has to login: > > >>>>>>>>>> a) If user doesn't exist in KC (you can use admin > endpoints > > >>>>> to > > >>>>>>>>>> check > > >>>>>>>>>> this) redirect to registration page on KC with email already > > >>>>> entered > > >>>>>>>>>> b) If user does exist in KC redirect to login page again > > >>>>> with email > > >>>>>>>>>> already entered > > >>>>>>>>>> 3. Redirect back to app > > >>>>>>>>>> > > >>>>>>>>>> ----- Original Message ----- > > >>>>>>>>>>> From: "Bill Burke" > > >>>>>>>>>>> To: "Stian Thorgersen" , "Rodrigo Sasaki" > < > > >>>>>>>>>> rodrigopsasaki at gmail.com> > > >>>>>>>>>>> Cc: keycloak-user at lists.jboss.org > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using > > >>>>> login > > >>>>>>>>>>> page > > >>>>>>>>>>> > > >>>>>>>>>>> It is because their first login screen is just something > asking > > >>>>> for an > > >>>>>>>>>>> email. If the email doesn't exist as a user, they want a > > >>>>> redirect to > > >>>>>>>>>>> the register page. > > >>>>>>>>>>> > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote: > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token. > > >>>>>>>>>>>> > > >>>>>>>>>>>> I'd like to know why redirecting to the login form, when > > >>>>> styled to > > >>>>>>>>>> match > > >>>>>>>>>>>> your website, and using login_hint to pre-fill > username/email > > >>>>> doesn't > > >>>>>>>>>>>> work. Maybe there's something we can do so that you can > still > > >>>>> use the > > >>>>>>>>>>>> "proper" flow? 
> > >>>>>>>>>>>> > > >>>>>>>>>>>> ----- Original Message ----- > > >>>>>>>>>>>>> From: "Rodrigo Sasaki" > > >>>>>>>>>>>>> To: "Stian Thorgersen" > > >>>>>>>>>>>>> Cc: "Bill Burke" , > > >>>>> keycloak-user at lists.jboss.org > > >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM > > >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without > using > > >>>>> login > > >>>>>>>>>> page > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a > huge > > >>>>>>>>>> showstopper > > >>>>>>>>>>>>> so > > >>>>>>>>>>>>> far, I just have to ask. > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> If I don't mind trading off SSO and all the other benefits > > >>>>> that the > > >>>>>>>>>>>>> Keycloak login page provides me, would there be a way for > me > > >>>>> to do > > >>>>>>>>>> what I > > >>>>>>>>>>>>> want? > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen < > > >>>>> stian at redhat.com> > > >>>>>>>>>>>>> wrote: > > >>>>>>>>>>>>> > > >>>>>>>>>>>>>> We could add support for login_hint query param so you can > > >>>>> have the > > >>>>>>>>>>>>>> username/email field on the login form pre-filled for the > > >>>>> user, so > > >>>>>>>>>> once a > > >>>>>>>>>>>>>> user has to authenticate you redirect to login on KC and > all > > >>>>> they > > >>>>>>>>>> would > > >>>>>>>>>>>>>> have to do is enter their password. > > >>>>>>>>>>>>>> > > >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO, > multi-factor > > >>>>>>>>>>>>>> support, > > >>>>>>>>>>>>>> required actions, recover password, etc, etc, etc..
> > >>>>>>>>>>>>>> > > >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms > that > > >>>>> can be > > >>>>>>>>>>>>>> templated using either just css or even FreeMarker > templates > > >>>>> if you > > >>>>>>>>>> need > > >>>>>>>>>>>>>> a > > >>>>>>>>>>>>>> lot of customization, so you should be able to make the > > >>>>> login form > > >>>>>>>>>>>>>> integrate well with your website. > > >>>>>>>>>>>>>> > > >>>>>>>>>>>>>> ----- Original Message ----- > > >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" > > >>>>>>>>>>>>>>> To: "Bill Burke" > > >>>>>>>>>>>>>>> Cc: keycloak-user at lists.jboss.org > > >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM > > >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without > > >>>>> using login > > >>>>>>>>>> page > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> You think there could be a way to do this within keycloak > > >>>>> itself? > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki < > > >>>>>>>>>>>>>> rodrigopsasaki at gmail.com > > > >>>>>>>>>>>>>>> wrote: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> I'll give you an example: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> We have a situation in our website where we only ask for > the > > >>>>>>>>>>>>>>> user's > > >>>>>>>>>>>>>> e-mail, > > >>>>>>>>>>>>>>> and he can go on with the flow. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On a determined step of the flow, if we identify that > this > > >>>>> is an > > >>>>>>>>>> e-mail > > >>>>>>>>>>>>>> that > > >>>>>>>>>>>>>>> we already have in our user database, we ask him for his > > >>>>> password, > > >>>>>>>>>>>>>>> authenticate him, and let him go on, if this e-mail is > new, > > >>>>> we > > >>>>>>>>>> redirect > > >>>>>>>>>>>>>> him > > >>>>>>>>>>>>>>> to a page where he can register himself, and after that > > >>>>> continue > > >>>>>>>>>>>>>>> on. 
> > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to > have > > >>>>> to > > >>>>>>>>>> redirect > > >>>>>>>>>>>>>> him to > > >>>>>>>>>>>>>>> keycloak, because that would interrupt the flow that we > > >>>>> designed. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke < > > >>>>> bburke at redhat.com > > > >>>>>>>>>> wrote: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> http://docs.jboss.org/ keycloak/docs/1.0-beta-3/ > > >>>>>>>>>>>>>>> userguide/html/direct-access- grants.html > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> If you have to do it this way, please let us know why. > > >>>>> Maybe we > > >>>>>>>>>>>>>>> can > > >>>>>>>>>>>>>> solve the > > >>>>>>>>>>>>>>> issue within keycloak itself. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to > handle > > >>>>> my own > > >>>>>>>>>> login > > >>>>>>>>>>>>>>> page, would there be a way for me to do it? > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki > > >>>>>>>>>>>>>>> < rodrigopsasaki at gmail.com rodrigopsasaki at gmail. > > >>>>> com >> > > >>>>>>>>>> wrote: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why > we're > > >>>>> mostly > > >>>>>>>>>>>>>>> migrating everything to use keycloak that way. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> It's just that we have cases that are so specific, that > it > > >>>>> would > > >>>>>>>>>>>>>>> be > > >>>>>>>>>>>>>>> better to authenticate the user in a different manner, > > >>>>> create the > > >>>>>>>>>>>>>>> user session and everything, without redirecting. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> I'll have a look at that code. Thanks! 
> > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke < > > >>>>> bburke at redhat.com > > >>>>>>>>>>>>>>> > wrote: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you are > > >>>>> missing > > >>>>>>>>>>>>>>> out on > > >>>>>>>>>>>>>>> a lot of Keycloak features. Specifically: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> * SSO > > >>>>>>>>>>>>>>> * forgot password > > >>>>>>>>>>>>>>> * admin forced credential reset/setup > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> Login pages can be styled however you like to look like > your > > >>>>>>>>>>>>>>> application. > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> There is a REST api for obtaining an access token. Here > is > > >>>>> an > > >>>>>>>>>>>>>>> example: > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> https://github.com/keycloak/ > keycloak/blob/master/examples/ > > >>>>>>>>>>>>>>> demo-template/admin-access- app/src/main/java/org/ > > >>>>>>>>>>>>>>> keycloak/example/AdminClient. java > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote: > > >>>>>>>>>>>>>>>> Is there a way to authenticate the user without having > to > > >>>>>>>>>>>>>>> input username > > >>>>>>>>>>>>>>>> and password on the login page? > > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> For example: > > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> Say there's a situation in my application where I > request > > >>>>> the > > >>>>>>>>>>>>>>> user for > > >>>>>>>>>>>>>>>> his username and password, and I wouldn't like to > redirect > > >>>>>>>>>>>>>>> that to the > > >>>>>>>>>>>>>>>> keycloak login page to authenticate him, would there be > a > > >>>>> way > > >>>>>>>>>>>>>>> for me to > > >>>>>>>>>>>>>>>> do that? 
> > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>>> Rodrigo Sasaki > > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> ______________________________ _________________ > > >>>>>>>>>>>>>>>> keycloak-user mailing list > > >>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>>> https://lists.jboss.org/ mailman/listinfo/keycloak-user > > >>>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Bill Burke > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat > > >>>>>>>>>>>>>>> http://bill.burkecentral.com > > >>>>>>>>>>>>>>> ______________________________ _________________ > > >>>>>>>>>>>>>>> keycloak-user mailing list > > >>>>>>>>>>>>>>> keycloak-user at lists.jboss.org keycloak-user at lists. > > >>>>>>>>>> jboss.org > > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> https://lists.jboss.org/ mailman/listinfo/keycloak-user > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Rodrigo Sasaki > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Rodrigo Sasaki > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Bill Burke > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat > > >>>>>>>>>>>>>>> http://bill.burkecentral.com > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Rodrigo Sasaki > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> -- > > >>>>>>>>>>>>>>> Rodrigo Sasaki > > >>>>>>>>>>>>>>> > > >>>>>>>>>>>>>>> _______________________________________________ > > >>>>>>>>>>>>>>> keycloak-user mailing list > > >>>>>>>>>>>>>>> keycloak-user at lists.jboss.org > > >>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>>>>>>>>>>>>> > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> > > >>>>>>>>>>>>> -- > > >>>>>>>>>>>>> Rodrigo Sasaki > > 
> > >>>>>>>>>>>>>
> > >>>>>> _______________________________________________
> > >>>>>> keycloak-user mailing list
> > >>>>>> keycloak-user at lists.jboss.org
> > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>
--
Rodrigo Sasaki

From evanthomjd at gmail.com Thu Aug 28 10:30:19 2014
From: evanthomjd at gmail.com (Evan Thompson)
Date: Thu, 28 Aug 2014 10:30:19 -0400
Subject: [keycloak-user] Password Hashing
In-Reply-To: <102148577.39923736.1409200821690.JavaMail.zimbra@redhat.com>
References: <102148577.39923736.1409200821690.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks for the quick response. I do have one follow-up question. I was further examining the data model and saw that in the Credential table there is a Salt column. I was wondering if that value accounts for the entire salt used when encrypting the password or is only part of it.
Thank you once again,

Cheers,
Evan

On Thu, Aug 28, 2014 at 12:40 AM, Stian Thorgersen wrote:

> Keycloak uses PBKDF2 to hash passwords with a configurable number of
> iterations.
>
> ----- Original Message -----
> > From: "Evan Thompson"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 27 August, 2014 8:47:36 PM
> > Subject: [keycloak-user] Password Hashing
> >
> > Howdy,
> >
> > I've been looking into Keycloak and have a question in regards to password hashing. I came across a closed JIRA item that discusses supporting bcrypt, but the comments just state that improved password hashing has already been added. I guess my question is what exactly does Keycloak provide/support in terms of password encryption and is it configurable.
> >
> > Cheers,
> >
> > Evan
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From evanthomjd at gmail.com Thu Aug 28 10:33:44 2014
From: evanthomjd at gmail.com (Evan Thompson)
Date: Thu, 28 Aug 2014 10:33:44 -0400
Subject: [keycloak-user] SAML Support
Message-ID:

Howdy,

I've seen on the Keycloak website that there are plans to support SAML and there is a JIRA ticket (KEYCLOAK-315) that lists the fix version of 1.1-beta-1. I was wondering if this is a firm deadline or just a rough estimate.

Thank you for your time,

Evan
From stian at redhat.com Fri Aug 29 02:44:58 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 Aug 2014 02:44:58 -0400 (EDT)
Subject: [keycloak-user] Password Hashing
In-Reply-To:
References: <102148577.39923736.1409200821690.JavaMail.zimbra@redhat.com>
Message-ID: <288264296.40729850.1409294698384.JavaMail.zimbra@redhat.com>

That's the entire salt. We create a new salt for each password.

----- Original Message -----
> From: "Evan Thompson"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 28 August, 2014 4:30:19 PM
> Subject: Re: [keycloak-user] Password Hashing
>
> Thanks for the quick response. I do have one follow-up question. I was further examining the data model and saw that in the Credential table there is a Salt column. I was wondering if that value accounts for the entire salt used when encrypting the password or is only part of it.
>
> Thank you once again,
>
> Cheers,
> Evan
>
> On Thu, Aug 28, 2014 at 12:40 AM, Stian Thorgersen wrote:
>
> > Keycloak uses PBKDF2 to hash passwords with a configurable number of
> > iterations.
> >
> > ----- Original Message -----
> > > From: "Evan Thompson"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 27 August, 2014 8:47:36 PM
> > > Subject: [keycloak-user] Password Hashing
> > >
> > > Howdy,
> > >
> > > I've been looking into Keycloak and have a question in regards to password hashing. I came across a closed JIRA item that discusses supporting bcrypt, but the comments just state that improved password hashing has already been added. I guess my question is what exactly does Keycloak provide/support in terms of password encryption and is it configurable.
> > >
> > > Cheers,
> > >
> > > Evan
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From stian at redhat.com Fri Aug 29 02:46:42 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 Aug 2014 02:46:42 -0400 (EDT)
Subject: [keycloak-user] Authenticate user without using login page
In-Reply-To:
References: <185873083.20441868.1406726950922.JavaMail.zimbra@redhat.com> <53D8F558.5050902@redhat.com> <2092751170.20453860.1406728125335.JavaMail.zimbra@redhat.com>
Message-ID: <2056374389.40730250.1409294802169.JavaMail.zimbra@redhat.com>

Which adapter are you using?

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Thursday, 28 August, 2014 3:51:17 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Coming back to this, I have a quick question. What would be the best way for me to create a valid login URL dynamically?
>
> When we try to access a protected resource, the login page comes up, authenticates the user and it all works fine, but when I try to fabricate a loginUrl to the redirect_uri that I need it to go after we encounter some problems that I think may be related to the state variable, although I'm not sure. I get Error 400 sometimes, which isn't very clear.
>
> Is there a guideline for this?
>
> On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen wrote:
>
> > Yes, login_hint is one of the optional request parameters supported by OpenID Connect
> >
> > ----- Original Message -----
> > > From: "Bill Burke"
> > > To: "Stian Thorgersen" , "Rodrigo Sasaki" < rodrigopsasaki at gmail.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 30 July, 2014 2:38:32 PM
> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >
> > > OpenID Connect protocol is used to implement this?
> > >
> > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > > > Added login_hint query param. It can be used with keycloak.js with either:
> > > >
> > > > keycloak.login({ loginHint: 'username' })
> > > >
> > > > or
> > > >
> > > > keycloak.createLoginUrl({ loginHint: 'username' })
> > > >
> > > > ----- Original Message -----
> > > >> From: "Rodrigo Sasaki"
> > > >> To: "Stian Thorgersen"
> > > >> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > >> Sent: Friday, 25 July, 2014 6:11:47 PM
> > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>
> > > >> It all worked great with the iframe, if I style it properly and use that login_hint it should be perfect.
> > > >>
> > > >> Now how should I go about developing/using this login_hint? Are there any tips on this, or is it something that you plan on including yourselves?
> > > >>
> > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki < rodrigopsasaki at gmail.com> wrote:
> > > >>
> > > >>> Just one more thing that wasn't completely clear to me.
> > > >>>
> > > >>> If I add a login page on an iframe, the user will be logged normally? Or would I have to get a token and keep managing it?
> > > >>>
> > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki wrote:
> > > >>>
> > > >>>> That idea actually sounds amazing, I didn't look into keycloak.js yet, but I'll see if I can get it working before I think about styling.
> > > >>>>
> > > >>>> Thank you very much!
> > > >>>>
> > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen < stian at redhat.com> wrote:
> > > >>>>
> > > >>>>> I think we could quite easily add support for embedding the login page to keycloak.js. Rough idea:
> > > >>>>>
> > > >>>>> 1. Set an option on keycloak.js to use embedded login form. Would also require setting an id for a div where the form should be embedded.
> > > >>>>> 2. When clicking on login instead of redirecting it would render an iframe element inside the configured div with the src of the iframe being the login page on Keycloak
> > > >>>>> 3. The redirect-uri would be a special url on Keycloak that renders a similar page to the iframe session page that allows posting a message back to keycloak.js containing the code
> > > >>>>> 4. Now keycloak.js can swap the code as usual
> > > >>>>>
> > > >>>>> One thing is that we'd probably need an additional styling of the login form, as you would want the login page to display differently when embedded compared to when you redirect to it.
> > > >>>>>
> > > >>>>> ----- Original Message -----
> > > >>>>>> From: "Stian Thorgersen"
> > > >>>>>> To: "Bill Burke"
> > > >>>>>> Cc: keycloak-user at lists.jboss.org
> > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
> > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>
> > > >>>>>> The cookies should be set fine, as the iframe would contain the login page directly from Keycloak.
> > > >>>>>>
> > > >>>>>> It would redirect to a special page on the app that after extracting the code would close the popup.
> > > >>>>>>
> > > >>>>>> ----- Original Message -----
> > > >>>>>>> From: "Bill Burke"
> > > >>>>>>> To: "Stian Thorgersen" , "Rodrigo Sasaki"
> > > >>>>>>> Cc: keycloak-user at lists.jboss.org
> > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
> > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>>
> > > >>>>>>> Not sure this will work with SSO. I'm not sure CORS requests can deal with cookies.
> > > >>>>>>>
> > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > >>>>>>>> What about using an iframe in the popup to include the login form from Keycloak?
> > > >>>>>>>>
> > > >>>>>>>> You can send a HTTP POST to /auth-server//tokens/grants/access with client id/secret and username/password and get a token back. With keycloak.js you can give it this token, not sure how/if this flow works with the server-side (Undertow) adapter.
> > > >>>>>>>>
> > > >>>>>>>> ----- Original Message -----
> > > >>>>>>>>> From: "Rodrigo Sasaki"
> > > >>>>>>>>> To: "Stian Thorgersen"
> > > >>>>>>>>> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
> > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>>>>
> > > >>>>>>>>> Actually, the main problem is one of the flows where the password request appears in a popup, there's no redirect at all, and one of the things that were agreed upon when decided to change the authentication provider, was that nothing would be altered in the user experience.
> > > >>>>>>>>>
> > > >>>>>>>>> So I really have to try and make keycloak "fit in" in these particular scenarios, they are not used as much as the ones where we'll use the keycloak login page with our own style, but I do have to make them work.
> > > >>>>>>>>>
> > > >>>>>>>>> When you say I could use direct grant to get a token, would that count as the same as a user logging in? It's not really clear to me right now
> > > >>>>>>>>>
> > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen < stian at redhat.com> wrote:
> > > >>>>>>>>>
> > > >>>>>>>>>> Yes, but I'm wondering why the following won't work:
> > > >>>>>>>>>>
> > > >>>>>>>>>> 1. Ask for users email (in your app, not KC)
> > > >>>>>>>>>> 2. Once you get to the flow where a user has to login:
> > > >>>>>>>>>>    a) If user doesn't exist in KC (you can use admin endpoints to check this) redirect to registration page on KC with email already entered
> > > >>>>>>>>>>    b) If user does exist in KC redirect to login page again with email already entered
> > > >>>>>>>>>> 3. Redirect back to app
> > > >>>>>>>>>>
> > > >>>>>>>>>> ----- Original Message -----
> > > >>>>>>>>>>> From: "Bill Burke"
> > > >>>>>>>>>>> To: "Stian Thorgersen" , "Rodrigo Sasaki" < rodrigopsasaki at gmail.com>
> > > >>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
> > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> It is because their first login screen is just something asking for an email. If the email doesn't exist as a user, they want a redirect to the register page.
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>>> I'd like to know why redirecting to the login form, when styled to match your website, and using login_hint to pre-fill username/email doesn't work. Maybe there's something we can do so that you can still use the "proper" flow?
> > > >>>>>>>>>>>>
> > > >>>>>>>>>>> --
> > > >>>>>>>>>>> Bill Burke
> > > >>>>>>>>>>> JBoss, a division of Red Hat
> > > >>>>>>>>>>> http://bill.burkecentral.com
> > > >>>>>
> > > >>>>> _______________________________________________
> > > >>>>> keycloak-user mailing list
> > > >>>>> keycloak-user at lists.jboss.org
> > > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >>
> > > >> --
> > > >> Rodrigo Sasaki
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
>
> --
> Rodrigo Sasaki
>

From stian at redhat.com Fri Aug 29 02:54:44 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 Aug 2014 02:54:44 -0400 (EDT)
Subject: [keycloak-user] SAML Support
In-Reply-To:
References:
Message-ID: <1103365271.40733157.1409295284457.JavaMail.zimbra@redhat.com>

SAML is one of the main features planned for 1.1, so it's very unlikely it's not going to be included.

----- Original Message -----
> From: "Evan Thompson"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 28 August, 2014 4:33:44 PM
> Subject: [keycloak-user] SAML Support
>
> Howdy,
>
> I've seen on the Keycloak website that there are plans to support SAML and there is a JIRA ticket ( KEYCLOAK-315 ) that lists the fix version of 1.1-beta-1. I was wondering if this is a firm deadline or just a rough estimate.
>
> Thank you for your time,
>
> Evan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com Fri Aug 29 10:09:41 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Fri, 29 Aug 2014 11:09:41 -0300
Subject: [keycloak-user] Authenticate user without using login page
In-Reply-To: <1410195858.40918657.1409314376303.JavaMail.zimbra@redhat.com>
References: <185873083.20441868.1406726950922.JavaMail.zimbra@redhat.com> <53D8F558.5050902@redhat.com> <2092751170.20453860.1406728125335.JavaMail.zimbra@redhat.com> <2056374389.40730250.1409294802169.JavaMail.zimbra@redhat.com> <1410195858.40918657.1409314376303.JavaMail.zimbra@redhat.com>
Message-ID:

Not really I think, the thing is I wanted to use the *login_hint* feature, but I don't think it will be possible based on what you said now, is that correct?

PS: added back the mailing list because I excluded it from the previous e-mail by mistake

On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen wrote:

> You can't create the login url yourself at the moment, this is because the adapter sets a cookie to store the state variable so it can check it in the callback.
>
> You can call HttpServletRequest.authenticate, which will redirect to the login after setting the state cookie. Does that work for you?
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Sent: Friday, 29 August, 2014 1:07:22 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> I'm using the JBoss AS7 adapter
>
> On Aug 29, 2014 3:46 AM, "Stian Thorgersen" wrote:
>
> Which adapter are you using?
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Thursday, 28 August, 2014 3:51:17 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Coming back to this, I have a quick question. What would be the best way for me to create a valid login URL dynamically?
>
> When we try to access a protected resource, the login page comes up, authenticates the user and it all works fine, but when I try to fabricate a loginUrl to the redirect_uri that I need it to go after, we encounter some problems that I think may be related to the state variable, although I'm not sure. I get Error 400 sometimes, which isn't very clear.
>
> Is there a guideline for this?
>
> On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen wrote:
>
> Yes, login_hint is one of the optional request parameters supported by OpenID Connect
>
> ----- Original Message -----
> From: "Bill Burke"
> To: "Stian Thorgersen" , "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 30 July, 2014 2:38:32 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> OpenID Connect protocol is used to implement this?
>
> On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
>
> Added login_hint query param. It can be used with keycloak.js with either:
>
>     keycloak.login({ loginHint: 'username' })
>
> or
>
>     keycloak.createLoginUrl({ loginHint: 'username' })
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 6:11:47 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> It all worked great with the iframe, if I style it properly and use that login_hint it should be perfect.
>
> Now how should I go about developing/using this login_hint? Are there any tips on this, or is it something that you plan on including yourselves?
>
> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>
> Just one more thing that wasn't completely clear to me.
>
> If I add a login page on an iframe, the user will be logged normally? Or would I have to get a token and keep managing it?
>
> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki wrote:
>
> That idea actually sounds amazing, I didn't look into keycloak.js yet, but I'll see if I can get it working before I think about styling.
>
> Thank you very much!
>
> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian at redhat.com> wrote:
>
> I think we could quite easily add support for embedding the login page to keycloak.js. Rough idea:
>
> 1. Set an option on keycloak.js to use embedded login form. Would also require setting an id for a div where the form should be embedded.
> 2. When clicking on login instead of redirecting it would render an iframe element inside the configured div with the src of the iframe being the login page on Keycloak
> 3. The redirect-uri would be a special url on Keycloak that renders a similar page to the iframe session page that allows posting a message back to keycloak.js containing the code
> 4. Now keycloak.js can swap the code as usual
>
> One thing is that we'd probably need an additional styling of the login form, as you would want the login page to display differently when embedded compared to when you redirect to it.
>
> ----- Original Message -----
> From: "Stian Thorgersen"
> To: "Bill Burke"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 2:30:44 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> The cookies should be set fine, as the iframe would contain the login page directly from Keycloak.
>
> It would redirect to a special page on the app that after extracting the code would close the popup.
>
> ----- Original Message -----
> From: "Bill Burke"
> To: "Stian Thorgersen" , "Rodrigo Sasaki"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 2:23:14 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> not sure this will work with SSO. I'm not sure CORS requests can deal with cookies.
>
> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>
> What about using an iframe in the popup to include the login form from Keycloak?
>
> You can send a HTTP POST to /auth-server//tokens/grants/access with client id/secret and username/password and get a token back. With keycloak.js you can give it this token, not sure how/if this flow works with the server-side (Undertow) adapter.
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 2:08:43 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Actually, the main problem is one of the flows where the password request appears in a popup, there's no redirect at all, and one of the things that were agreed upon when it was decided to change the authentication provider was that nothing would be altered in the user experience.
>
> So I really have to try and make keycloak "fit in" in these particular scenarios, they are not used as much as the ones where we'll use the keycloak login page with our own style, but I do have to make them work.
>
> When you say I could use direct grant to get a token, would that count as the same as a user logging in? It's not really clear to me right now
>
> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
>
> Yes, but I'm wondering why the following won't work:
>
> 1. Ask for users email (in your app, not KC)
> 2. Once you get to the flow where a user has to login:
>    a) If user doesn't exist in KC (you can use admin endpoints to check this) redirect to registration page on KC with email already entered
>    b) If user does exist in KC redirect to login page again with email already entered
> 3. Redirect back to app
>
> ----- Original Message -----
> From: "Bill Burke"
> To: "Stian Thorgersen" , "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 1:48:45 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> It is because their first login screen is just something asking for an email. If the email doesn't exist as a user, they want a redirect to the register page.
>
> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>
> Yes, you can use the direct grant to retrieve a token.
>
> I'd like to know why redirecting to the login form, when styled to match your website, and using login_hint to pre-fill username/email doesn't work. Maybe there's something we can do so that you can still use the "proper" flow?
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Thursday, 24 July, 2014 6:13:17 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Sorry to keep insisting on this, but since it's being a huge showstopper so far, I just have to ask.
>
> If I don't mind trading off SSO and all the other benefits that the Keycloak login page provides me, would there be a way for me to do what I want?
>
> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
>
> We could add support for login_hint query param so you can have the username/email field on the login form pre-filled for the user, so once a user has to authenticate you redirect to login on KC and all they would have to do is enter their password.
>
> If you bypass the login forms you'd lose SSO, multi-factor support, required actions, recover password, etc, etc, etc..
>
> As Bill mentioned we provide very flexible login forms that can be templated using either just css or even FreeMarker templates if you need a lot of customization, so you should be able to make the login form integrate well with your website.
>
> ----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Bill Burke"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 17 July, 2014 6:52:08 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> You think there could be a way to do this within keycloak itself?
>
> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>
> I'll give you an example:
>
> We have a situation in our website where we only ask for the user's e-mail, and he can go on with the flow.
>
> On a determined step of the flow, if we identify that this is an e-mail that we already have in our user database, we ask him for his password, authenticate him, and let him go on; if this e-mail is new, we redirect him to a page where he can register himself, and after that continue on.
>
> On this specific case and others, we wouldn't like to have to redirect him to keycloak, because that would interrupt the flow that we designed.
>
> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
>
> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>
> If you have to do it this way, please let us know why. Maybe we can solve the issue within keycloak itself.
>
> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>
> Just for the sake of conversation, if I did want to handle my own login page, would there be a way for me to do it?
>
> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>
> I don't want to miss out on all of that, which is why we're mostly migrating everything to use keycloak that way.
>
> It's just that we have cases that are so specific that it would be better to authenticate the user in a different manner, create the user session and everything, without redirecting.
>
> I'll have a look at that code. Thanks!
>
> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
>
> If you want to handle your own login pages, IMO, you are missing out on a lot of Keycloak features. Specifically:
>
> * SSO
> * forgot password
> * admin forced credential reset/setup
>
> Login pages can be styled however you like to look like your application.
>
> There is a REST api for obtaining an access token. Here is an example:
>
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>
> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>
> Is there a way to authenticate the user without having to input username and password on the login page?
>
> For example:
>
> Say there's a situation in my application where I request the user for his username and password, and I wouldn't like to redirect that to the keycloak login page to authenticate him, would there be a way for me to do that?
>
> --
> Rodrigo Sasaki
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140829/c7f6f6b6/attachment-0001.html

From christinalau28 at icloud.com Fri Aug 29 10:49:52 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Fri, 29 Aug 2014 10:49:52 -0400
Subject: [keycloak-user] Email verified doesn't seem to work using REST API
Message-ID:

Hi, I have my realm enabled for email verification. When I registered a new user using the UI dialog, the user gets an email notification.

However, if I use the REST API to create a new user, even though I set emailVerified to true, the new user that gets added correctly didn't get an email notification.
Is there an additional REST API I need to call? I can?t find that in the doc. Or is this supposed to be implicit and in that case a bug? Or am I missing some more setup? Thx? Christina From stian at redhat.com Fri Aug 29 10:55:59 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 29 Aug 2014 10:55:59 -0400 (EDT) Subject: [keycloak-user] Email verified doesn't seem to work using REST API In-Reply-To: References: Message-ID: <1686344060.41069982.1409324159125.JavaMail.zimbra@redhat.com> When you're creating a user through the rest api with emailVerified set to true you're saying the email is verified, not that it needs to be verified. To make the user verify the email you need to set "Verify email" to ON in the admin console under Settings -> Login. The next time the user logs he will be requested to verify the email. ----- Original Message ----- > From: "Christina Lau" > To: keycloak-user at lists.jboss.org > Sent: Friday, 29 August, 2014 4:49:52 PM > Subject: [keycloak-user] Email verified doesn't seem to work using REST API > > Hi, I have my realm enabled for email verification. When I registered a new > user using the UI dialog, the user gets an email notification. > > However, if I use the REST API to create a new user, even though I set > emailVerified to true, the new user that gets added correctly didn?t get an > email notification. > > Is there an additional REST API I need to call? I can?t find that in the doc. > Or is this supposed to be implicit and in that case a bug? Or am I missing > some more setup? Thx? 
> > Christina > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From christinalau28 at icloud.com Fri Aug 29 11:04:38 2014 From: christinalau28 at icloud.com (Christina Lau) Date: Fri, 29 Aug 2014 11:04:38 -0400 Subject: [keycloak-user] Email verified doesn't seem to work using REST API In-Reply-To: <1686344060.41069982.1409324159125.JavaMail.zimbra@redhat.com> References: <1686344060.41069982.1409324159125.JavaMail.zimbra@redhat.com> Message-ID: <00D44C2A-B258-431B-B183-D0094A3A4EB0@icloud.com> I have already set the "Verify email" to On in the admin console under Settings -> Login. That is why I am getting the email for a new user that registers via the UI New User button. However, I am not getting the same behaviour when I am using the REST API. Is it possible to get the same behaviour? On Aug 29, 2014, at 10:55 AM, Stian Thorgersen wrote: > When you're creating a user through the rest api with emailVerified set to true you're saying the email is verified, not that it needs to be verified. > > To make the user verify the email you need to set "Verify email" to ON in the admin console under Settings -> Login. The next time the user logs he will be requested to verify the email. > > ----- Original Message ----- >> From: "Christina Lau" >> To: keycloak-user at lists.jboss.org >> Sent: Friday, 29 August, 2014 4:49:52 PM >> Subject: [keycloak-user] Email verified doesn't seem to work using REST API >> >> Hi, I have my realm enabled for email verification. When I registered a new >> user using the UI dialog, the user gets an email notification. >> >> However, if I use the REST API to create a new user, even though I set >> emailVerified to true, the new user that gets added correctly didn?t get an >> email notification. >> >> Is there an additional REST API I need to call? I can?t find that in the doc. 
>> Or is this supposed to be implicit and in that case a bug? Or am I missing >> some more setup? Thx? >> >> Christina >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From stian at redhat.com Fri Aug 29 11:09:33 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 29 Aug 2014 11:09:33 -0400 (EDT) Subject: [keycloak-user] Email verified doesn't seem to work using REST API In-Reply-To: <00D44C2A-B258-431B-B183-D0094A3A4EB0@icloud.com> References: <1686344060.41069982.1409324159125.JavaMail.zimbra@redhat.com> <00D44C2A-B258-431B-B183-D0094A3A4EB0@icloud.com> Message-ID: <1770594942.41091446.1409324973914.JavaMail.zimbra@redhat.com> As I said you are actually setting the users email has verified when you set emailVerified to true, and the email won't be sent until the user tries to login. ----- Original Message ----- > From: "Christina Lau" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Friday, 29 August, 2014 5:04:38 PM > Subject: Re: [keycloak-user] Email verified doesn't seem to work using REST API > > I have already set the "Verify email" to On in the admin console under > Settings -> Login. That is why I am getting the email for a new user that > registers via the UI New User button. > > However, I am not getting the same behaviour when I am using the REST API. Is > it possible to get the same behaviour? > > > On Aug 29, 2014, at 10:55 AM, Stian Thorgersen wrote: > > > When you're creating a user through the rest api with emailVerified set to > > true you're saying the email is verified, not that it needs to be > > verified. > > > > To make the user verify the email you need to set "Verify email" to ON in > > the admin console under Settings -> Login. The next time the user logs he > > will be requested to verify the email. 
> >
> > ----- Original Message -----
> >> From: "Christina Lau"
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Friday, 29 August, 2014 4:49:52 PM
> >> Subject: [keycloak-user] Email verified doesn't seem to work using REST API
> >>
> >> Hi, I have my realm enabled for email verification. When I registered a new user using the UI dialog, the user gets an email notification.
> >>
> >> However, if I use the REST API to create a new user, even though I set emailVerified to true, the new user that gets added correctly didn't get an email notification.
> >>
> >> Is there an additional REST API I need to call? I can't find that in the doc. Or is this supposed to be implicit and in that case a bug? Or am I missing some more setup? Thx?
> >>
> >> Christina
> >>

From bburke at redhat.com Fri Aug 29 11:16:40 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 29 Aug 2014 11:16:40 -0400
Subject: [keycloak-user] SAML Support
In-Reply-To: <1103365271.40733157.1409295284457.JavaMail.zimbra@redhat.com>
References: <1103365271.40733157.1409295284457.JavaMail.zimbra@redhat.com>
Message-ID: <54009958.9030001@redhat.com>

SAML is at the top of my todo list after the 1.0.final release. What kind of support do you need? The first iteration would include support for SAML clients. Later on, in the 2.0 timeframe, we were thinking of adding support to delegate to a SAML provider, like we do for social login, but with SAML instead.

On 8/29/2014 2:54 AM, Stian Thorgersen wrote:
> SAML is one of the main features planned for 1.1, so it's very unlikely it's not going to be included.
>
> ----- Original Message -----
>> From: "Evan Thompson"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 28 August, 2014 4:33:44 PM
>> Subject: [keycloak-user] SAML Support
>>
>> Howdy,
>>
>> I've seen on the Keycloak website that there are plans to support SAML and there is a JIRA ticket ( KEYCLOAK-315 ) that lists the fix version of 1.1-beta-1. I was wondering if this is a firm deadline or just a rough estimate.
>>
>> Thank you for your time,
>>
>> Evan
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kotychok at gmail.com Sun Aug 31 06:01:33 2014
From: kotychok at gmail.com (Сергій Дзюбін)
Date: Sun, 31 Aug 2014 13:01:33 +0300
Subject: [keycloak-user] access to IDM from java EJB
Message-ID:

Good afternoon. My English is not very good, so I apologize. I really liked your project Keycloak. I've had a number of questions on it, in which I ask your help. So ...

1. How does the REST interface, through JSApp, create a user with a specified password? In my case I "PUT" reset-password and get an "Access to the specified resource has been forbidden", but without a password it is ok.

2. How to check in a Stateless EJB which role belongs to a particular user, get his ID, etc. That is, access to users/IDM from the business code.

Thank you very much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140831/7e350f4d/attachment.html

From alarik at zwift.com Sun Aug 31 13:14:35 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Sun, 31 Aug 2014 13:14:35 -0400
Subject: [keycloak-user] Fwd: Documentation question
In-Reply-To:
References:
Message-ID:

I am trying to understand this sentence from section 2.2.1 of the User Guide:

"The role mappings contained within the token are the union between the set of user role mappings and the permission scope of the application/oauth client."

See: http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/Overview.html#d4e63

Should this perhaps read the "intersection between" rather than the "union between"? I guess I am trying to understand if it is the union of the two sets or the intersection between the two sets. My guess, based on the rest of the paragraph, is that it is the intersection between the two sets.

Thanks,

Alarik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140831/95a2484f/attachment.html

From bburke at redhat.com Sun Aug 31 13:29:24 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 31 Aug 2014 13:29:24 -0400
Subject: [keycloak-user] Fwd: Documentation question
In-Reply-To:
References:
Message-ID: <54035B74.6080402@redhat.com>

Yes, intersection. Sorry...brain fart.

On 8/31/2014 1:14 PM, Alarik Myrin wrote:
> I am trying to understand this sentence from section 2.2.1 of the User Guide:
>
> "The role mappings contained within the token are the union between the set of user role mappings and the permission scope of the application/oauth client."
>
> See:
> http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/Overview.html#d4e63
>
> Should this perhaps read the "intersection between" rather than the "union between"? I guess I am trying to understand if it is the union of the two sets or the intersection between the two sets.
> My guess, based on the rest of the paragraph, is that it is the intersection between the two sets.
>
> Thanks,
>
> Alarik
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
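The rule Bill Burke confirms above (token roles are the intersection of the user's role mappings and the client's permission scope, not the union), written out as an added Python example that is not Keycloak's own code. The role-map layout (a "realm" key plus one key per application), the sample user and the sample client scope are assumptions constructed for this demo; the `union_roles` function exists only to show what the original wording would have handed out.

```python
from typing import Dict, Set

# Assumed layout (not Keycloak's token format): resource name -> role names.
RoleMap = Dict[str, Set[str]]

# Constructed sample: a user who is also a realm admin and an HR manager...
USER_ROLES: RoleMap = {
    "realm": {"user", "admin"},
    "billing-app": {"view-invoices", "pay"},
    "hr-app": {"manager"},
}

# ...and the scope an OAuth client for the billing app is permitted to request.
BILLING_SCOPE: RoleMap = {
    "realm": {"user"},
    "billing-app": {"view-invoices", "pay"},
}


def token_roles(user_roles: RoleMap, client_scope: RoleMap) -> RoleMap:
    """Roles a token issued to this client may carry: per resource, only those
    the user actually holds AND the client's scope permits (the intersection)."""
    token: RoleMap = {}
    for resource, permitted in client_scope.items():
        granted = user_roles.get(resource, set()) & permitted
        if granted:
            token[resource] = granted
    return token


def union_roles(user_roles: RoleMap, client_scope: RoleMap) -> RoleMap:
    """What the doc's original wording ("union") would hand out: every role
    either side mentions. Shown only to contrast with token_roles."""
    merged: RoleMap = {}
    for source in (user_roles, client_scope):
        for resource, roles in source.items():
            merged.setdefault(resource, set()).update(roles)
    return merged


def is_bounded(token: RoleMap, user_roles: RoleMap, client_scope: RoleMap) -> bool:
    """Least-privilege invariant: no role in the token lies outside the user's
    mappings or outside the client's scope. Holds for the intersection; fails
    for the union whenever the two sides differ."""
    return all(
        roles <= user_roles.get(res, set()) and roles <= client_scope.get(res, set())
        for res, roles in token.items()
    )
```

With the sample data the billing client's token carries only `user` and the two billing roles; the realm `admin` and the `hr-app` manager role never reach it, which is the point of scoping a client narrowly.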