From n.preusker at gmail.com Sun Jun 1 04:02:38 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Sun, 1 Jun 2014 10:02:38 +0200
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To: <538A2F02.3090303@redhat.com>
References: <5387A0D2.7090107@redhat.com> <5388AC35.8090906@redhat.com> <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com>
Message-ID:

I guess that would work. It does add some load to the database, since
we'll have to check permissions on domain object level, but that will be
necessary in some form anyway (i.e. user may modify objects of type X
only if they belong to him etc.).

The only issue is that we might need to be able to assign different
roles to the same user in different application instances. I don't
really see a way to implement that with the suggested approach. However,
I'm also not really sure we'll need it and we could have the customer
create two users if the roles are different anyway.

Just out of curiosity and since it is briefly mentioned in the user
guide, what is your understanding of multitenancy and what are the use
cases you are planning to support? ("Multitenancy support. You can host
and manage multiple realms for multiple organizations.")

Cheers,
Nils

On Sat, May 31, 2014 at 9:35 PM, Bill Burke wrote:

> It just seems to me that tenant is a concept specific to your
> application and not the security model. Why can't a realm manage
> multiple instances?
>
> On 5/31/2014 2:59 PM, Nils Preusker wrote:
> > Hi Bill,
> >
> > our use case is as follows: we are developing an application that is
> > deployed as a software as a service solution. Each customer gets their
> > own "application instance", but all instances are served by the same
> > WAR. Since some customers have several instances (i.e. for departments
> > or divisions), it would not be accurate to say customer = realm. So we
> > need another level, which is what I mean when I say tenant. The users
> > would then be sub-elements of the tenants. However, there is one
> > special scenario: some customers wish to have the same users in
> > multiple tenants.
> >
> > Finally, we want to be able to add customers and instances (or tenants)
> > at runtime.
> >
> > Mapped to my sketch from before, customers could be represented by realm
> > (if there is multi-realm support), "application instances" are tenants
> > and users can be created both on realm and on tenant level.
> >
> > What do you think?
> >
> > Cheers,
> > Nils
> >
> > On Fri, May 30, 2014 at 9:13 PM, Bill Burke wrote:
> > > Why do you need to add realms at runtime? You haven't adequately
> > > described your use case.
> > >
> > > On 5/30/2014 2:12 PM, Nils Preusker wrote:
> > > > Hi Bill,
> > > >
> > > > I guess you are right, there isn't really a difference. It would
> > > > just be important to be able to add realms at runtime. Are you
> > > > suggesting to have nested realms (just replacing tenant with realm
> > > > in my previous example)?
> > > >
> > > > Does that make more sense?
> > > > Cheers,
> > > > Nils
> > > >
> > > > On Fri, May 30, 2014 at 6:05 PM, Bill Burke wrote:
> > > > > I don't what the different between a tenant and a realm would
> > > > > be in your example.
> > > > >
> > > > > On 5/30/2014 5:28 AM, Nils Preusker wrote:
> > > > > > Hi Bill,
> > > > > >
> > > > > > what I was thinking of was tenants as nested element within a
> > > > > > realm.
> > > > > >
> > > > > > We'd like to be able to add tenants at runtime. That's where I
> > > > > > see a problem with multi-realm support, since realms are
> > > > > > "hardcoded" in the keycloak.json. So if you add a realm in the
> > > > > > admin-console, with multi-realm support you'd still have to
> > > > > > modify the deployed WAR by adding the new realm to the
> > > > > > keycloak.json file.
> > > > > >
> > > > > > I was thinking of a structure like this:
> > > > > >
> > > > > > |- realm
> > > > > > |   |-users
> > > > > > |       |-realm-level-user-1
> > > > > > |       |-...
> > > > > > |-tenants
> > > > > > |   |-tenant-1
> > > > > > |   |   |-users
> > > > > > |   |   |   |-tenant-level-user-1
> > > > > > |   |   |   |-...
> > > > > >
> > > > > > Let me know what you think!
> > > > > > Cheers,
> > > > > > Nils
> > > > > >
> > > > > > On Thu, May 29, 2014 at 11:04 PM, Bill Burke wrote:
> > > > > > > Somebody else was asking for this feature. We may have to
> > > > > > > add it beta 2 even though I wanted to have a feature freeze.
> > > > > > >
> > > > > > > How did you expect it to work? One guy wanted to discover
> > > > > > > realm per request via parsing the URL. Another guy just
> > > > > > > wanted multi-realm support for bearer-only services.
> > > > > > >
> > > > > > > On 5/29/2014 4:54 PM, Nils Preusker wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > first of all, congrats on the beta 1 release!
> > > > > > > >
> > > > > > > > Here's my question: I have a WAR with a REST API that I'm
> > > > > > > > securing with Keycloak. Now I'd like to add multitenancy
> > > > > > > > support.
> > > > > > > >
> > > > > > > > If I understand the concept in keycloak correctly, I would
> > > > > > > > somehow have to have several realms in the keycloak.json
> > > > > > > > and the web.xml of the war, right? However there is just
> > > > > > > > one realm-name attribute in the web.xml and the structure
> > > > > > > > of keycloak.json also looks like it is intended for one
> > > > > > > > realm. Am I missing something?
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Nils
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > keycloak-user mailing list
> > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >
> > > > > > > --
> > > > > > > Bill Burke
> > > > > > > JBoss, a division of Red Hat
> > > > > > > http://bill.burkecentral.com

From bburke at redhat.com Sun Jun 1 07:28:14 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 01 Jun 2014 07:28:14 -0400
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To:
References: <5387A0D2.7090107@redhat.com> <5388AC35.8090906@redhat.com> <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com>
Message-ID: <538B0E4E.7010806@redhat.com>

We already support some form of multi-tenancy. One keycloak server can
serve up multiple realms.

For multitenant-apps I was thinking of an app or service that needs to
support multiple isolated realms.

For bearer-only services, there would just be a list of realms that are
supported and the keycloak adapter would just look into the bearer token
to know which realm to validate the token with. For browser apps, they
need to be able to know which realm you are authenticating against, so I
thought the desired realm would be extracted from the URL.

I balk at your use-case because I don't like the idea of cross-realm users.

On 6/1/2014 4:02 AM, Nils Preusker wrote:
> The only issue is that we might need to be able to assign different
> roles to the same user in different application instances.

What you could do, is not use the keycloak adapter and just hand code
your interactions via our oauth client api. Then your application
service could figure out which realm and application instance the user
was logging however it wanted and pass that information along when
you start the oauth protocol flow. Following me?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Sun Jun 1 12:57:25 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Sun, 1 Jun 2014 18:57:25 +0200
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To: <538B0E4E.7010806@redhat.com>
References: <5387A0D2.7090107@redhat.com> <5388AC35.8090906@redhat.com> <5388D875.5030405@redhat.com> <538A2F02.3090303@redhat.com> <538B0E4E.7010806@redhat.com>
Message-ID: <45BBF5B2-8A80-4D5F-B56D-B8CF186ACF0D@gmail.com>

Hi Bill,

The more I think about it the more it makes sense to me that the tenant
or application instance is indeed part of the application's data model
and not part of keycloak. Especially since we want to add tenants at
runtime, it wouldn't be possible to have a check without hitting the db.

About cross realm users, I totally agree! I also don't like the idea and
I'm hoping and guessing that we won't really need it in the end.

Thanks for the discussion!
Nils

From smysnk at gmail.com Sun Jun 1 16:42:32 2014
From: smysnk at gmail.com (Josh)
Date: Sun, 1 Jun 2014 14:42:32 -0600
Subject: [keycloak-user] Wildfly 8.1.0 Error
Message-ID:

Hi guys,

Installing the keycloak adapter on Wildfly 8.1.0, I seem to be getting
this error:

14:35:36,335 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.unit."service.war".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.unit."service.war".INSTALL: JBAS018733: Failed to process phase INSTALL of deployment "service.war"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:166) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_25]
    at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS017325: Error loading SCI from module: org.keycloak.keycloak-core:main
    at org.wildfly.extension.undertow.deployment.ServletContainerInitializerDeploymentProcessor.deploy(ServletContainerInitializerDeploymentProcessor.java:117)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:159) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
    ... 5 more
Caused by: org.jboss.modules.ModuleNotFoundException: net.iharder.base64:main
    at org.jboss.modules.Module.addPaths(Module.java:1050) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.Module.link(Module.java:1406) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.Module.relinkIfNecessary(Module.java:1434) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:242) [jboss-modules.jar:1.3.3.Final]
    at org.wildfly.extension.undertow.deployment.ServletContainerInitializerDeploymentProcessor.deploy(ServletContainerInitializerDeploymentProcessor.java:110)
    ... 6 more

Any ideas?

- Josh

From bburke at redhat.com Sun Jun 1 18:20:38 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 01 Jun 2014 18:20:38 -0400
Subject: [keycloak-user] Wildfly 8.1.0 Error
In-Reply-To:
References:
Message-ID: <538BA736.7070703@redhat.com>

Are you sure you

a) Installed Keycloak adapter correctly
b) Are *not* including keycloak jars in your WAR?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From smysnk at gmail.com Sun Jun 1 23:05:22 2014
From: smysnk at gmail.com (Josh)
Date: Sun, 1 Jun 2014 21:05:22 -0600
Subject: [keycloak-user] Wildfly 8.1.0 Error
In-Reply-To: <538BA736.7070703@redhat.com>
References: <538BA736.7070703@redhat.com>
Message-ID:

My bad, I forgot the /net folder.

On Sun, Jun 1, 2014 at 4:20 PM, Bill Burke wrote:

> Are you sure you
>
> a) Installed Keycloak adapter correctly
> b) Are *not* including keycloak jars in your WAR?

From smysnk at gmail.com Mon Jun 2 02:40:11 2014
From: smysnk at gmail.com (Josh)
Date: Mon, 2 Jun 2014 00:40:11 -0600
Subject: [keycloak-user] Obtaining the KeycloakSecurityContext from a jaxrs / Bearer Only service
Message-ID:

Hi,

Looking through the examples I see a few client examples obtaining
a KeycloakSecurityContext from the HttpServletRequest object via
getAttribute.

ie.

    KeycloakSecurityContext session = (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());

Wondering how this would be done for examples like the
"database-service" jax-rs example?

My goal is to be able to have access to the IDToken information for a
rest call.

--
Thanks,
Josh

From mposolda at redhat.com Mon Jun 2 03:38:07 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 02 Jun 2014 09:38:07 +0200
Subject: [keycloak-user] JPA Authentication Provider
In-Reply-To:
References:
Message-ID: <538C29DF.9050108@redhat.com>

Hi Josh,

yes, it's possible to create your own JPA authentication provider, which
will use hibernate model of your own application and authenticate users
based on your user data. I hope I understand correctly that this is
something you are trying to achieve?

To declare your own datasource, it's easiest to add datasource into file
JBOSS_HOME/standalone/configuration/standalone.xml (look at JBoss/Wildfly
documentation and/or existing datasource declarations how to do it) and
then either create new file META-INF/persistence.xml inside your JAR
and/or extend existing keycloak file
JBOSS_HOME/standalone/deployments/auth-server.war/WEB-INF/classes/META-INF/persistence.xml
and declare your own persistence unit, which will point to the datasource
declared in standalone.xml. Again look at docs or existing persistence
units for inspiration.

Finally in code of your provider, you can do something like:

    EntityManagerFactory emf = Persistence.createEntityManagerFactory("name-of-your-persistence-unit");

You can take a look at existing Keycloak sources for inspiration.

Marek

On 30.5.2014 22:39, Josh wrote:
> Hi guys,
>
> Wondering if it would be possible to create a JPA authentication
> provider?
>
> What I am trying to do is share the hibernate user model between
> keycloak authentication provider and my application. I've got as far
> as extracting the models into their own project so they can be used as
> dependency between my application / authentication provider.
>
> Still wrapping my head around JavaEE architecture so forgive me if
> this next sentence doesn't make any sense... The properties
> authentication adapter in beta1 examples is a jar which can't really
> declare its own data sources. So wondering how I would implement a
> provider that defines its own datasource?
>
> Thanks,
>
> Josh

From nep7une.w at gmail.com Mon Jun 2 03:41:59 2014
From: nep7une.w at gmail.com (nep7une w)
Date: Mon, 2 Jun 2014 15:41:59 +0800
Subject: [keycloak-user] Getting NPE for lookupSecurePort
In-Reply-To:
References:
Message-ID:

Rp.

On Mon, Jun 2, 2014 at 9:18 AM, nep7une w wrote:

> Hi Bill,
>
> I am facing NullPointerException when testing keycloak beta1 with wildfly
> 8 over HTTPS (port 28081), part of the error log shows as below, plz help:
>
> ERROR [io.undertow.request] (default task-7) UT005023: Exception handling request to /ex06_1/: java.lang.NullPointerException
>     at org.wildfly.extension.undertow.Server.lookupSecurePort(Server.java:113)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$2.getConfidentialPort(UndertowDeploymentInfoService.java:454)
>     at org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism.createRequestAuthenticator(WildflyAuthenticationMechanism.java:27) [keycloak-wildfly-adapter-1.0-beta-1.jar:]
>     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:37) [keycloak-undertow-adapter-1.0-beta-1.jar:]
>
> Regards,
> Nep

From stian at redhat.com Mon Jun 2 04:43:06 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jun 2014 04:43:06 -0400 (EDT)
Subject: [keycloak-user] Keycloak artifacts now in Maven Central
Message-ID: <1203373801.18646058.1401698586013.JavaMail.zimbra@redhat.com>

Keycloak artifacts are now in Maven Central! This includes the appliance,
war and adapters zips.

From stian at redhat.com Mon Jun 2 05:06:14 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jun 2014 05:06:14 -0400 (EDT)
Subject: [keycloak-user] OpenShift Cartridge updated to Beta1
Message-ID: <1545629965.18652322.1401699974285.JavaMail.zimbra@redhat.com>

The OpenShift Cartridge has just been updated to Keycloak 1.0.beta1

From bburke at redhat.com Mon Jun 2 08:06:55 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 02 Jun 2014 08:06:55 -0400
Subject: [keycloak-user] Obtaining the KeycloakSecurityContext from a jaxrs / Bearer Only service
In-Reply-To:
References:
Message-ID: <538C68DF.6050204@redhat.com>

In beta-1 you can do the following in JAX-RS:

    @Context SecurityContext securityContext;

    KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();

On 6/2/2014 2:40 AM, Josh wrote:
> Hi,
>
> Looking through the examples I see a few client examples obtaining
> a KeycloakSecurityContext from the HttpServletRequest object via
> getAttribute.
>
> ie.
>
> KeycloakSecurityContext session = (KeycloakSecurityContext)
> req.getAttribute(KeycloakSecurityContext.class.getName());
>
> Wondering how this would be done for examples like the
> "database-service" jax-rs example?
>
> My goal is to be able to have access to the IDToken information for a
> rest call.
>
> --
> Thanks,
> Josh

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Jun 2 11:26:16 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 02 Jun 2014 11:26:16 -0400
Subject: [keycloak-user] Getting NPE for lookupSecurePort
In-Reply-To:
References:
Message-ID: <538C9798.3030904@redhat.com>

Fixed in master. I'll do a release tomorrow to get this out.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From smysnk at gmail.com Mon Jun 2 12:28:18 2014
From: smysnk at gmail.com (Josh)
Date: Mon, 2 Jun 2014 10:28:18 -0600
Subject: [keycloak-user] Obtaining the KeycloakSecurityContext from a jaxrs / Bearer Only service
In-Reply-To: <538C68DF.6050204@redhat.com>
References: <538C68DF.6050204@redhat.com>
Message-ID:

Awesome! Easy enough.

From bburke at redhat.com Mon Jun 2 13:25:45 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 02 Jun 2014 13:25:45 -0400
Subject: [keycloak-user] Beta 2 released
Message-ID: <538CB399.5000901@redhat.com>

We had a couple of blocker bugs centered around SSL and Wildfly. Fixes
are in, and beta 2 is released. Check out jira release notes for more
details.

Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From jim.boettcher at hp.com Mon Jun 2 15:41:28 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Mon, 2 Jun 2014 19:41:28 +0000 Subject: [keycloak-user] Problem with keycloak.js Message-ID: <567C02B1AFF42E499D63011F4C931ABE240F15A0@G5W2731.americas.hpqcorp.net> Hi, We have written an AngularJS client that uses the keycloak.js adapter to get a bearer token and then makes REST calls using the token. The client also stores the token and refresh token to local storage and uses the token from local storage if it is found. This all worked well with the pre-beta1 keycloak.js adapter. With the beta1 keycloak.js adapter it works the first time we access the page, we get redirected to the login page and get the tokens back. However the client app seems to hang when we use the token found in local storage. After looking at the code it seems that a line might be missing in the function processInit(). Starting at line 58 I made the following code change: if (initOptions.token || initOptions.refreshToken) { setToken(initOptions.token, initOptions.refreshToken); initPromise.setSuccess(); //Added this line to get things working After this change our code started working again. Can someone take a look at this and advise us if this is correct? Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140602/c0c5f6d5/attachment.html From n.preusker at gmail.com Tue Jun 3 04:22:41 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 3 Jun 2014 10:22:41 +0200 Subject: [keycloak-user] Keycloak artifacts now in Maven Central In-Reply-To: <1203373801.18646058.1401698586013.JavaMail.zimbra@redhat.com> References: <1203373801.18646058.1401698586013.JavaMail.zimbra@redhat.com> Message-ID: Thank you, I really appreciate this one! 
Cheers,
Nils

On Mon, Jun 2, 2014 at 10:43 AM, Stian Thorgersen wrote:

> Keycloak artifacts are now in Maven Central! This includes the appliance,
> war and adapters zips.

From stian at redhat.com Tue Jun 3 04:23:59 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 3 Jun 2014 04:23:59 -0400 (EDT)
Subject: [keycloak-user] Problem with keycloak.js
In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE240F15A0@G5W2731.americas.hpqcorp.net>
References: <567C02B1AFF42E499D63011F4C931ABE240F15A0@G5W2731.americas.hpqcorp.net>
Message-ID: <1238317841.19336394.1401783839145.JavaMail.zimbra@redhat.com>

Yep, that is indeed what's missing. Can you do a PR for this please?

----- Original Message -----
> From: "Jim Boettcher"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 2 June, 2014 8:41:28 PM
> Subject: [keycloak-user] Problem with keycloak.js
>
> Hi,
>
> We have written an AngularJS client that uses the keycloak.js adapter to get
> a bearer token and then makes REST calls using the token. The client also
> stores the token and refresh token to local storage and uses the token from
> local storage if it is found. This all worked well with the pre-beta1
> keycloak.js adapter.
>
> With the beta1 keycloak.js adapter it works the first time we access the
> page, we get redirected to the login page and get the tokens back. However
> the client app seems to hang when we use the token found in local storage.
> After looking at the code it seems that a line might be missing in the
> function processInit().
>
> Starting at line 58 I made the following code change:
>
>     if (initOptions.token || initOptions.refreshToken) {
>         setToken(initOptions.token, initOptions.refreshToken);
>         initPromise.setSuccess(); //Added this line to get things working
>
> After this change our code started working again.
>
> Can someone take a look at this and advise us if this is correct?
>
> Thank you

From rodrigopsasaki at gmail.com Wed Jun 4 15:02:26 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 4 Jun 2014 16:02:26 -0300
Subject: [keycloak-user] Problem when having no auth-method
Message-ID:

Hi,

I was trying to deploy some of my company's applications on keycloak, and in one of them I got this error:

Caused by: java.lang.NullPointerException
    at org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
    ... 5 more

I went to investigate and I found that on line 73 of KeycloakAdapterConfigDeploymentProcessor there was this:

    loginConfig.getAuthMethod().equalsIgnoreCase("KEYCLOAK")

and I did some digging and it happens that in this particular project, there is no auth-method identified on web.xml, so loginConfig.getAuthMethod returned null.

All I did was change the comparison to this:

    "KEYCLOAK".equalsIgnoreCase(loginConfig.getAuthMethod())

And it all works. I don't know if this defines a problem in the scope of your project, but it would be good to inform you

--
Rodrigo Sasaki

From bburke at redhat.com Wed Jun 4 15:09:12 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 04 Jun 2014 15:09:12 -0400
Subject: [keycloak-user] Problem when having no auth-method
In-Reply-To:
References:
Message-ID: <538F6ED8.8010700@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-519

On 6/4/2014 3:02 PM, Rodrigo Sasaki wrote:
> Hi,
>
> I was trying to deploy some of my company's applications on keycloak,
> and in one of them I got this error:
>
> Caused by: java.lang.NullPointerException
>     at org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
>     ... 5 more
>
> I went to investigate and I found that on line 73 of
> KeycloakAdapterConfigDeploymentProcessor there was this:
>
>     loginConfig.getAuthMethod().equalsIgnoreCase("KEYCLOAK")
>
> and I did some digging and it happens that in this particular project,
> there is no auth-method identified on web.xml, so
> loginConfig.getAuthMethod returned null.
>
> All I did was change the comparison to this:
>
>     "KEYCLOAK".equalsIgnoreCase(loginConfig.getAuthMethod())
>
> And it all works. I don't know if this defines a problem in the scope of
> your project, but it would be good to inform you
>
> --
> Rodrigo Sasaki

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Thu Jun 5 04:35:13 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 5 Jun 2014 04:35:13 -0400 (EDT)
Subject: [keycloak-user] Problem when having no auth-method
In-Reply-To:
References:
Message-ID: <1512721922.20718471.1401957313311.JavaMail.zimbra@redhat.com>

That looks good to me, do you fancy submitting a PR?
----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 4 June, 2014 8:02:26 PM
> Subject: [keycloak-user] Problem when having no auth-method
>
> Hi,
>
> I was trying to deploy some of my company's applications on keycloak, and in
> one of them I got this error:
>
> Caused by: java.lang.NullPointerException
>     at org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
>     ... 5 more
>
> I went to investigate and I found that on line 73 of
> KeycloakAdapterConfigDeploymentProcessor there was this:
>
>     loginConfig.getAuthMethod().equalsIgnoreCase("KEYCLOAK")
>
> and I did some digging and it happens that in this particular project, there
> is no auth-method identified on web.xml, so loginConfig.getAuthMethod
> returned null.
>
> All I did was change the comparison to this:
>
>     "KEYCLOAK".equalsIgnoreCase(loginConfig.getAuthMethod())
>
> And it all works. I don't know if this defines a problem in the scope of your
> project, but it would be good to inform you
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Thu Jun 5 08:02:37 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 5 Jun 2014 09:02:37 -0300
Subject: [keycloak-user] Problem when having no auth-method
In-Reply-To: <1512721922.20718471.1401957313311.JavaMail.zimbra@redhat.com>
References: <1512721922.20718471.1401957313311.JavaMail.zimbra@redhat.com>
Message-ID:

Sure, I'll look into it right now

On Thu, Jun 5, 2014 at 5:35 AM, Stian Thorgersen wrote:

> That looks good to me, do you fancy submitting a PR?
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 4 June, 2014 8:02:26 PM
> > Subject: [keycloak-user] Problem when having no auth-method
> >
> > Hi,
> >
> > I was trying to deploy some of my company's applications on keycloak, and in
> > one of them I got this error:
> >
> > Caused by: java.lang.NullPointerException
> >     at org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)
> >     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
> >     ... 5 more
> >
> > I went to investigate and I found that on line 73 of
> > KeycloakAdapterConfigDeploymentProcessor there was this:
> >
> >     loginConfig.getAuthMethod().equalsIgnoreCase("KEYCLOAK")
> >
> > and I did some digging and it happens that in this particular project, there
> > is no auth-method identified on web.xml, so loginConfig.getAuthMethod
> > returned null.
> >
> > All I did was change the comparison to this:
> >
> >     "KEYCLOAK".equalsIgnoreCase(loginConfig.getAuthMethod())
> >
> > And it all works. I don't know if this defines a problem in the scope of your
> > project, but it would be good to inform you
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From rodrigopsasaki at gmail.com Thu Jun 5 08:29:12 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 5 Jun 2014 09:29:12 -0300
Subject: [keycloak-user] Problem when having no auth-method
In-Reply-To:
References: <1512721922.20718471.1401957313311.JavaMail.zimbra@redhat.com>
Message-ID:

Submitted the PR, please let me know if I failed at anything regarding this, this is my first PR

On Thu, Jun 5, 2014 at 9:02 AM, Rodrigo Sasaki wrote:

> Sure, I'll look into it right now
>
> On Thu, Jun 5, 2014 at 5:35 AM, Stian Thorgersen wrote:
>
>> That looks good to me, do you fancy submitting a PR?
>>
>> ----- Original Message -----
>> > From: "Rodrigo Sasaki"
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Wednesday, 4 June, 2014 8:02:26 PM
>> > Subject: [keycloak-user] Problem when having no auth-method
>> >
>> > Hi,
>> >
>> > I was trying to deploy some of my company's applications on keycloak, and in
>> > one of them I got this error:
>> >
>> > Caused by: java.lang.NullPointerException
>> >     at org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)
>> >     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
>> >     ... 5 more
>> >
>> > I went to investigate and I found that on line 73 of
>> > KeycloakAdapterConfigDeploymentProcessor there was this:
>> >
>> >     loginConfig.getAuthMethod().equalsIgnoreCase("KEYCLOAK")
>> >
>> > and I did some digging and it happens that in this particular project, there
>> > is no auth-method identified on web.xml, so loginConfig.getAuthMethod
>> > returned null.
>> >
>> > All I did was change the comparison to this:
>> >
>> >     "KEYCLOAK".equalsIgnoreCase(loginConfig.getAuthMethod())
>> >
>> > And it all works. I don't know if this defines a problem in the scope of your
>> > project, but it would be good to inform you
>> >
>> > --
>> > Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

--
Rodrigo Sasaki

From conrad at mindless.com Mon Jun 9 01:45:35 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Mon, 9 Jun 2014 06:45:35 +0100
Subject: [keycloak-user] NPE When trying to authorise unknown user
Message-ID: <716A863D-A107-46AA-B689-7427E174CAC7@mindless.com>

Hi Keycloak people,

First of all another really big thank you. I think this project is awesome and it's really come on a long way from the alpha releases. Thanks for all the hard work.

I have encountered an issue, that might be a bug. If it is please can you tell me where to report it.

Basically I am doing a direct access grant like the example in Chapter 13 of the documents. If I send in a username that does exist in the database but with a wrong password then it fails to authorise me correctly, but if I send in a username that does not exist in the database for that realm, then Keycloak throws an NPE rather than not authorising.

Here is a stack trace.
I hope this helps Conrad [0m06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) --> authenticate() 06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) try bearer 06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) NOT_ATTEMPTED: bearer only 06:01:34,629 ERROR [io.undertow.request] (default task-57) UT005023: Exception handling request to /auth/realms/shift/tokens/grants/access: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] 
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0-beta-2.jar:] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:41) [keycloak-services-1.0-beta-2.jar:] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) 
[undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) 
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] Caused by: java.lang.NullPointerException at org.keycloak.audit.Audit.user(Audit.java:54) [keycloak-audit-api-1.0-beta-2.jar:] at org.keycloak.services.resources.TokenService.grantAccessToken(TokenService.java:244) [keycloak-services-1.0-beta-2.jar:] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0] at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.8.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:] ... 
39 more From conrad at mindless.com Mon Jun 9 01:46:33 2014 From: conrad at mindless.com (Conrad Winchester) Date: Mon, 9 Jun 2014 06:46:33 +0100 Subject: [keycloak-user] Error thrown with invalid bearer token Message-ID: <861DEEF5-BA2D-4358-805A-D15DE73886D8@mindless.com> Hi again I think I my have found another bug. If I send in a bearer token that is invalid keycloak throws an error rather than returning an ?Unauthorised' response [0m06:26:20,551 ERROR [io.undertow.request] (default task-105) UT005023: Exception handling request to /shift-server/shift/users: java.lang.RuntimeException: java.lang.RuntimeException: Illegal base64url string! at org.keycloak.jose.jws.JWSInput.(JWSInput.java:39) [keycloak-core-1.0-beta-2.jar:] at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:20) [keycloak-core-1.0-beta-2.jar:] at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) [keycloak-core-1.0-beta-2.jar:] at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:63) [keycloak-adapter-core-1.0-beta-2.jar:] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:37) [keycloak-adapter-core-1.0-beta-2.jar:] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:38) [keycloak-undertow-adapter-1.0-beta-2.jar:] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at 
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:54) [keycloak-undertow-adapter-1.0-beta-2.jar:] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] Caused by: java.lang.RuntimeException: Illegal base64url string! 
at org.keycloak.util.Base64Url.decode(Base64Url.java:33) [keycloak-core-1.0-beta-2.jar:] at org.keycloak.jose.jws.JWSInput.(JWSInput.java:30) [keycloak-core-1.0-beta-2.jar:] ... 35 more Conrad From mposolda at redhat.com Mon Jun 9 02:17:05 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 09 Jun 2014 08:17:05 +0200 Subject: [keycloak-user] NPE When trying to authorise unknown user In-Reply-To: <716A863D-A107-46AA-B689-7427E174CAC7@mindless.com> References: <716A863D-A107-46AA-B689-7427E174CAC7@mindless.com> Message-ID: <53955161.5070709@redhat.com> Hi, this looks like a bug. Feel free to create JIRA here: https://issues.jboss.org/browse/KEYCLOAK Marek On 9.6.2014 07:45, Conrad Winchester wrote: > Hi Keycloak people, > > First of all another really big thank you. I think this project is awesome and its really come on a long way from the alpha releases. Thanks for all the hard work. > > I have encountered an issue, that might be a bug. If it is please can you tell me where to report it. > > Basically I am doing a direct access grant like the example in Chapter 13 of the documents. If I send in a username that does exist in the database but with a wrong password then it fails to authorise me correctly, but If I send in a username that does not exist in the database for that realm, then Keycloak throws an NPE rather than not authorising. > > Here is a stack trace. 
> > > I hope this helps > > > Conrad > > [0m06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) --> authenticate() > 06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) try bearer > 06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-56) NOT_ATTEMPTED: bearer only > 06:01:34,629 ERROR [io.undertow.request] (default task-57) UT005023: Exception handling request to /auth/realms/shift/tokens/grants/access: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) 
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0-beta-2.jar:] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:41) [keycloak-services-1.0-beta-2.jar:] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] > Caused by: java.lang.NullPointerException > at org.keycloak.audit.Audit.user(Audit.java:54) [keycloak-audit-api-1.0-beta-2.jar:] > at org.keycloak.services.resources.TokenService.grantAccessToken(TokenService.java:244) [keycloak-services-1.0-beta-2.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0] > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0] > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0] > at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0] > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.8.Final.jar:] > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) 
[resteasy-jaxrs-3.0.8.Final.jar:]
> ... 39 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Jun 9 02:21:08 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 09 Jun 2014 08:21:08 +0200
Subject: [keycloak-user] Error thrown with invalid bearer token
In-Reply-To: <861DEEF5-BA2D-4358-805A-D15DE73886D8@mindless.com>
References: <861DEEF5-BA2D-4358-805A-D15DE73886D8@mindless.com>
Message-ID: <53955254.6010809@redhat.com>

This seems to be already reported here https://issues.jboss.org/browse/KEYCLOAK-518 . I've added your stacktrace into a comment in JIRA as it's not completely the same as the one in JIRA.

Marek

On 9.6.2014 07:46, Conrad Winchester wrote:
> Hi again
>
> I think I may have found another bug. If I send in a bearer token that is invalid keycloak throws an error rather than returning an 'Unauthorised' response
>
>
> 06:26:20,551 ERROR [io.undertow.request] (default task-105) UT005023: Exception handling request to /shift-server/shift/users: java.lang.RuntimeException: java.lang.RuntimeException: Illegal base64url string!
> at org.keycloak.jose.jws.JWSInput.(JWSInput.java:39) [keycloak-core-1.0-beta-2.jar:] > at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:20) [keycloak-core-1.0-beta-2.jar:] > at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:16) [keycloak-core-1.0-beta-2.jar:] > at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:63) [keycloak-adapter-core-1.0-beta-2.jar:] > at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:37) [keycloak-adapter-core-1.0-beta-2.jar:] > at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:38) [keycloak-undertow-adapter-1.0-beta-2.jar:] > at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:54) [keycloak-undertow-adapter-1.0-beta-2.jar:] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) 
[undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] > Caused by: java.lang.RuntimeException: Illegal base64url string! > at org.keycloak.util.Base64Url.decode(Base64Url.java:33) [keycloak-core-1.0-beta-2.jar:] > at org.keycloak.jose.jws.JWSInput.(JWSInput.java:30) [keycloak-core-1.0-beta-2.jar:] > ... 
35 more
>
>
> Conrad

From rodrigopsasaki at gmail.com Mon Jun 9 07:59:41 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 9 Jun 2014 08:59:41 -0300
Subject: [keycloak-user] REST API - Bearer Exception
Message-ID:

Hi,

I'm trying to work with the Keycloak REST API, I logged into the administration console, and then tried accessing */auth/admin/realms* and got this exception:

*Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer*

How should I build my request to be able to get a response? How should I authenticate myself in this situation?

--
Rodrigo Sasaki

From rodrigopsasaki at gmail.com Mon Jun 9 10:43:18 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 9 Jun 2014 11:43:18 -0300
Subject: [keycloak-user] Multiple Social Providers for Single Account
Message-ID:

I've been trying to work with the Social Providers feature of Keycloak, but I've had some problems.

First of all I'm using the beta-2 version, and I created Facebook and Google links to applications I have there and it worked fine.

If I create a new user logging in with Facebook it works
If I create a new user logging in with Google it works as well.

When I try linking things, that's where things go wrong.

I have created a new Keycloak user, and accessed:

*http://localhost:8080/auth/realms/myrealm/account*

and on that URL I associated my Google and Facebook accounts, when I do it like that, it all works fine, but when I tried to see if it worked automatically it all went south.
I deleted the social links from this account, and then tried to login to a keycloak secured application via Facebook, and the e-mail of my Facebook account is the same of the keycloak account, which led to an exception

*org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: ERROR: duplicate key value violates unique constraint "userentity_realm_email_key"*

The same happens if I have no account at all, and create one with Facebook, then try logging in with Google.

Is there something I'm missing, or is this flow still being worked on?

I have read this wiki, and I think it's the item 5 that isn't working correctly

https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts

--
Rodrigo Sasaki

From jim.boettcher at hp.com Mon Jun 9 14:51:31 2014
From: jim.boettcher at hp.com (Boettcher, Jim)
Date: Mon, 9 Jun 2014 18:51:31 +0000
Subject: [keycloak-user] Add additional rights mapping step to request chain
Message-ID: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net>

Hi,

We are using the keycloak-as7-adapter from beta2 and have configured the adapter to use bearer token.

We would like to add in some extra processing after the bearer token has been validated in order to map user rights for the user identified by the bearer token using some proprietary code. This is currently done with a custom LoginModule configured for the security-domain of the app.

Can you suggest how we might go about adding this extra rights mapping to the request chain after the keycloak adapter has validated the bearer token?

Thank you,

Jim

From bburke at redhat.com Mon Jun 9 15:11:09 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Jun 2014 15:11:09 -0400
Subject: [keycloak-user] Add additional rights mapping step to request chain
In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net>
References: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net>
Message-ID: <539606CD.4030100@redhat.com>

For "rights" you mean user role mappings? I'd have to create an SPI for that. FYI, you can't modify the token itself as it is digitally signed.

On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
> Hi,
>
> We are using the keycloak-as7-adapter from beta2 and have configured the
> adapter to use bearer token.
>
> We would like to add in some extra processing after the bearer token has
> been validated in order to map user rights for the user identified by
> the bearer token using some proprietary code. This is currently done
> with a custom LoginModule configured for the security-domain of the app.
>
> Can you suggest how we might go about adding this extra rights mapping
> to the request chain after the keycloak adapter has validated the bearer
> token?
>
> Thank you,
>
> Jim
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Jun 9 15:13:58 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Jun 2014 15:13:58 -0400
Subject: [keycloak-user] Multiple Social Providers for Single Account
In-Reply-To:
References:
Message-ID: <53960776.1010706@redhat.com>

Stian wrote this code and is at a face to face meeting this week. Can you wait until next week for an answer?
I could look into it, but I'm focused on some caching features and pushing out Beta 3 at the moment.

On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
> I've been trying to work with the Social Providers feature of Keycloak,
> but I've had some problems.
>
> First of all I'm using the beta-2 version, and I created Facebook and
> Google links to applications I have there and it worked fine.
>
> If I create a new user logging in with Facebook it works
> If I create a new user logging in with Google it works as well.
>
> When I try linking things, that's where things go wrong.
>
> I have created a new Keycloak user, and accessed:
>
> *http://localhost:8080/auth/realms/myrealm/account*
>
> and on that URL I associated my Google and Facebook accounts, when I do
> it like that, it all works fine, but when I tried to see if it worked
> automatically it all went south.
>
> I deleted the social links from this account, and then tried to login to
> a keycloak secured application via Facebook, and the e-mail of my
> Facebook account is the same of the keycloak account, which led to an
> exception
>
> /org.keycloak.models.ModelDuplicateException:
> javax.persistence.PersistenceException:
> org.hibernate.exception.ConstraintViolationException: ERROR: duplicate
> key value violates unique constraint "userentity_realm_email_key"/
>
> The same happens if I have no account at all, and create one with
> Facebook, then try logging in with Google.
>
> Is there something I'm missing, or is this flow still being worked on?
>
> I have read this wiki, and I think it's the item 5 that isn't working
> correctly
>
> https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts
>
>
> --
> Rodrigo Sasaki
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Mon Jun 9 15:28:50 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 9 Jun 2014 16:28:50 -0300
Subject: [keycloak-user] Multiple Social Providers for Single Account
In-Reply-To: <53960776.1010706@redhat.com>
References: <53960776.1010706@redhat.com>
Message-ID:

I guess it can wait, it would be good to get this sorted but I know you're all very busy.

I'll download the master branch again and see what I can find

On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke wrote:
> Stian wrote this code and is at a face to face meeting this week. Can
> you wait until next week for an answer? I could look into it, but I'm
> focused on some caching features and pushing out Beta 3 at the moment.
>
> On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
> > I've been trying to work with the Social Providers feature of Keycloak,
> > but I've had some problems.
> >
> > First of all I'm using the beta-2 version, and I created Facebook and
> > Google links to applications I have there and it worked fine.
> >
> > If I create a new user logging in with Facebook it works
> > If I create a new user logging in with Google it works as well.
> >
> > When I try linking things, that's where things go wrong.
> >
> > I have created a new Keycloak user, and accessed:
> >
> > *http://localhost:8080/auth/realms/myrealm/account*
> >
> > and on that URL I associated my Google and Facebook accounts, when I do
> > it like that, it all works fine, but when I tried to see if it worked
> > automatically it all went south.
> >
> > I deleted the social links from this account, and then tried to login to
> > a keycloak secured application via Facebook, and the e-mail of my
> > Facebook account is the same of the keycloak account, which led to an
> > exception
> >
> > /org.keycloak.models.ModelDuplicateException:
> > javax.persistence.PersistenceException:
> > org.hibernate.exception.ConstraintViolationException: ERROR: duplicate
> > key value violates unique constraint "userentity_realm_email_key"/
> >
> > The same happens if I have no account at all, and create one with
> > Facebook, then try logging in with Google.
> >
> > Is there something I'm missing, or is this flow still being worked on?
> >
> > I have read this wiki, and I think it's the item 5 that isn't working
> > correctly
> >
> > https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts
> >
> >
> > --
> > Rodrigo Sasaki
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

--
Rodrigo Sasaki

From jim.boettcher at hp.com Mon Jun 9 15:45:14 2014
From: jim.boettcher at hp.com (Boettcher, Jim)
Date: Mon, 9 Jun 2014 19:45:14 +0000
Subject: [keycloak-user] Add additional rights mapping step to request chain
In-Reply-To: <539606CD.4030100@redhat.com>
References: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net> <539606CD.4030100@redhat.com>
Message-ID: <567C02B1AFF42E499D63011F4C931ABE241069CB@G5W2731.americas.hpqcorp.net>

These are specific rights that are associated to different roles, such as the "backup right" can be associated to a backup role or an admin role. We were looking to do this on the application server side perhaps as some sort of extension or add on or post processor to the keycloak-as7-adapter that is installed and configured as a module for JBoss.

Thanks
-Jim

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday, June 09, 2014 3:11 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Add additional rights mapping step to request chain

For "rights" you mean user role mappings? I'd have to create an SPI for that. FYI, you can't modify the token itself as it is digitally signed.

On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
> Hi,
>
> We are using the keycloak-as7-adapter from beta2 and have configured
> the adapter to use bearer token.
>
> We would like to add in some extra processing after the bearer token
> has been validated in order to map user rights for the user identified
> by the bearer token using some proprietary code. This is currently
> done with a custom LoginModule configured for the security-domain of the app.
>
> Can you suggest how we might go about adding this extra rights mapping
> to the request chain after the keycloak adapter has validated the
> bearer token?
>
> Thank you,
>
> Jim
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From conrad at mindless.com Tue Jun 10 01:16:24 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Tue, 10 Jun 2014 06:16:24 +0100
Subject: [keycloak-user] Recommended way to identify user from token
Message-ID: <2A3B4BB9-8F31-4DF7-A164-8D7C8E2E0F22@mindless.com>

Hi,

I have keycloak integrated into my application and have it protecting several end points. A user can login to get access to the protected resources by adding the bearer token into the authorisation header.

I was wondering what the recommended way is to actually identify the user who has authenticated. Is this the way to do it?

@Context
private SecurityContext securityContext;
.
.
.
KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();
logger.info("Logged in user: "+ principal.getName());

I noticed that the name is the "id" of the user from the keycloak table.

Are there any other ways to get data from the token?

Thanks

Conrad

From conrad at mindless.com Tue Jun 10 02:26:34 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Tue, 10 Jun 2014 07:26:34 +0100
Subject: [keycloak-user] Proxying Registration
Message-ID: <427C0D4F-29A7-4F79-9AE3-C5D9FA91171F@mindless.com>

Hi again,

a requirement of the application I am working on is for one person to very easily be able to add another using their email address.

We must not use the keycloak realm registration page and so I was wondering what the best way to proxy a realm user registration is?
I am trying to use the rest api like this

----
HttpPost post = new HttpPost(
        KeycloakUriBuilder
                .fromUri("http://localhost:8080/auth")
                .path("/realms/shift/tokens/registrations")
                .queryParam("client_id", "security-admin-console")
                .build());

List<NameValuePair> formparams = new ArrayList<>();
formparams.add(new BasicNameValuePair("username", user.getEmail()));
formparams.add(new BasicNameValuePair("password", user.getPassword()));
formparams.add(new BasicNameValuePair("email", user.getEmail()));
UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8");
post.setEntity(form);

HttpResponse response = client.execute(post);
----

But I am not sure what the returned entity is, nor how to get the ID of the newly registered user.

Is there another way to do this?

Any help would be greatly appreciated

Thanks

Conrad

From stian at redhat.com Tue Jun 10 06:42:10 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 10 Jun 2014 06:42:10 -0400 (EDT)
Subject: [keycloak-user] NPE When trying to authorise unknown user
In-Reply-To: <716A863D-A107-46AA-B689-7427E174CAC7@mindless.com>
References: <716A863D-A107-46AA-B689-7427E174CAC7@mindless.com>
Message-ID: <714285225.23396365.1402396930114.JavaMail.zimbra@redhat.com>

Even better, you can also submit a PR on Github for it.

----- Original Message -----
> From: "Conrad Winchester"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 9 June, 2014 6:45:35 AM
> Subject: [keycloak-user] NPE When trying to authorise unknown user
>
> Hi Keycloak people,
>
> First of all another really big thank you. I think this project is awesome
> and it's really come on a long way from the alpha releases. Thanks for all
> the hard work.
>
> I have encountered an issue, that might be a bug. If it is please can you
> tell me where to report it.
> > Basically I am doing a direct access grant like the example in Chapter 13 of > the documents. If I send in a username that does exist in the database but > with a wrong password then it fails to authorise me correctly, but If I send > in a username that does not exist in the database for that realm, then > Keycloak throws an NPE rather than not authorising. > > Here is a stack trace. > > > I hope this helps > > > Conrad > > [0m[0m06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] > (default task-56) --> authenticate() > [0m[0m06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] > (default task-56) try bearer > [0m[0m06:01:34,613 INFO [org.keycloak.adapters.RequestAuthenticator] > (default task-56) NOT_ATTEMPTED: bearer only > [0m[31m06:01:34,629 ERROR [io.undertow.request] (default task-57) UT005023: > Exception handling request to /auth/realms/shift/tokens/grants/access: > org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > [resteasy-jaxrs-3.0.8.Final.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) > [keycloak-services-1.0-beta-2.jar:] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:41) > [keycloak-services-1.0-beta-2.jar:] > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] > Caused by: java.lang.NullPointerException > at org.keycloak.audit.Audit.user(Audit.java:54) > [keycloak-audit-api-1.0-beta-2.jar:] > at > org.keycloak.services.resources.TokenService.grantAccessToken(TokenService.java:244) > [keycloak-services-1.0-beta-2.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.8.0] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > [rt.jar:1.8.0] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.8.0] > at 
java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > [resteasy-jaxrs-3.0.8.Final.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > [resteasy-jaxrs-3.0.8.Final.jar:] > ... 39 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bburke at redhat.com Tue Jun 10 09:14:19 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jun 2014 09:14:19 -0400
Subject: [keycloak-user] Recommended way to identify user from token
In-Reply-To: <2A3B4BB9-8F31-4DF7-A164-8D7C8E2E0F22@mindless.com>
References: <2A3B4BB9-8F31-4DF7-A164-8D7C8E2E0F22@mindless.com>
Message-ID: <539704AB.2050309@redhat.com>

KeycloakPrincipal.getKeycloakSecurityContext().getIDToken()

IDToken has a bunch of different claims you can configure the token service to stuff in it. By default I think it is just username that is stuffed in the IDToken.

On 6/10/2014 1:16 AM, Conrad Winchester wrote:
> Hi,
>
> I have Keycloak integrated into my application and have it protecting several end points. A user can login to get access to the protected resources by adding the bearer token into the authorisation header.
>
> I was wondering what the recommended way is to actually identify the user who has authenticated.
Is this the way to do it?
>
>
> @Context
> private SecurityContext securityContext;
> .
> .
> .
> KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();
> logger.info("Logged in user: "+ principal.getName());
>
> I noticed that the name is the "id" of the user from the keycloak table.
>
> Are there any other ways to get data from the token?
>
> Thanks
>
> Conrad
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Tue Jun 10 09:15:20 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jun 2014 09:15:20 -0400
Subject: [keycloak-user] Proxying Registration
In-Reply-To: <427C0D4F-29A7-4F79-9AE3-C5D9FA91171F@mindless.com>
References: <427C0D4F-29A7-4F79-9AE3-C5D9FA91171F@mindless.com>
Message-ID: <539704E8.5070900@redhat.com>

We need to add a better REST api for user registration. I'll add that to beta 3 or beta 4 as a JIRA.

BUT.... Why can't you use the Keycloak registration page? It is completely configurable to have the same look and feel as your application.

On 6/10/2014 2:26 AM, Conrad Winchester wrote:
> Hi again,
>
> a requirement of the application I am working on is for one person to
> very easily be able to add another using their email address.
>
> We must not use the keycloak realm registration page and so I was
> wondering what the best way to proxy a realm user registration is?
>
> I am trying to use the rest api like this
>
> ----
>
> // Build the POST to the realm registration URL
> HttpPost post = new HttpPost(
>     KeycloakUriBuilder
>         .fromUri("http://localhost:8080/auth")
>         .path("/realms/shift/tokens/registrations")
>         .queryParam("client_id","security-admin-console")
>         .build());
>
> // Form fields for the new user
> List<NameValuePair> formparams = new ArrayList<>();
>
> formparams.add(new BasicNameValuePair("username", user.getEmail()));
> formparams.add(new BasicNameValuePair("password", user.getPassword()));
> formparams.add(new BasicNameValuePair("email",user.getEmail()));
>
> UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8");
> post.setEntity(form);
>
> HttpResponse response = client.execute(post);
>
> But I am not sure what the returned entity is, nor how to get the ID of
> the newly registered user.
>
> Is there another way to do this?
>
> Any help would be greatly appreciated
>
> Thanks
>
>
> Conrad
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Tue Jun 10 09:16:56 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 10 Jun 2014 09:16:56 -0400 (EDT)
Subject: [keycloak-user] REST API - Bearer Exception
In-Reply-To:
References:
Message-ID: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com>

To access the REST API you need to pass the token in the http headers. How to obtain the token in the first place depends on the type of the application you're trying to invoke the API from. Look at the docs/examples that corresponds to the type of your app (JavaScript, command-line, jax-rs, etc). You also need to make sure the application/client has scope mappings on the required roles.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 9 June, 2014 12:59:41 PM
> Subject: [keycloak-user] REST API - Bearer Exception
>
> Hi,
>
> I'm trying to work with the Keycloak REST API, I logged into the
> administration console, and then tried accessing /auth/admin/realms and got
> this exception:
>
> Failed executing GET /admin/realms:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
>
> How should I build my request to be able to get a response? How should I
> authenticate myself in this situation?
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Jun 10 15:02:27 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 10 Jun 2014 16:02:27 -0300
Subject: [keycloak-user] REST API - Bearer Exception
In-Reply-To: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com>
References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com>
Message-ID:

I'd like to manage users and roles, creating and updating them.

I obtained a token like this:

*POST /realms/myrealm/tokens/grants/access*
*username: rodrigosasaki*
*password: password*
*client_id: myclient*
*client_secret: generated_secret*

and I got a token back, but then I tried accessing the roles of the realm on this URL

/admin/realms/myrealm/roles

And it says I'm not authorized to access this, I'd like to know what roles or configuration I should create to be able to manipulate this information, just as I do on the admin-console

On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen wrote:
> To access the REST API you need to pass the token in the http headers. How
> to obtain the token in the first place depends on the type of the
> application you're trying to invoke the API from.
Look at the docs/examples
> that corresponds to the type of your app (JavaScript, command-line, jax-rs,
> etc). You also need to make sure the application/client has scope mappings
> on the required roles.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 9 June, 2014 12:59:41 PM
> > Subject: [keycloak-user] REST API - Bearer Exception
> >
> > Hi,
> >
> > I'm trying to work with the Keycloak REST API, I logged into the
> > administration console, and then tried accessing /auth/admin/realms and got
> > this exception:
> >
> > Failed executing GET /admin/realms:
> > org.jboss.resteasy.spi.UnauthorizedException: Bearer
> >
> > How should I build my request to be able to get a response? How should I
> > authenticate myself in this situation?
> >
> > --
> > Rodrigo Sasaki
>

--
Rodrigo Sasaki

From bburke at redhat.com Tue Jun 10 15:26:20 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jun 2014 15:26:20 -0400
Subject: [keycloak-user] REST API - Bearer Exception
In-Reply-To:
References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com>
Message-ID: <53975BDC.8010200@redhat.com>

Does rodrigosasaki have realm admin privileges? The role is under applications->myrealm-management->realm-admin

On 6/10/2014 3:02 PM, Rodrigo Sasaki wrote:
> I'd like to manage users and roles, creating and updating them.
> > I obtained a token like this: > > *POST /realms/myrealm/tokens/grants/access* > * > * > *username: rodrigosasaki* > *password: password* > *client_id: myclient* > *client_secret: generated_secret* > > and I got a token back, but then I tried accessing the roles of the > realm on this URL > > /admin/realms/myrealm/roles > > And it says I'm not authorized to access this, I'd like to know what > roles or configuration I should create to be able to manipulate this > information, just as I do on the admin-console > > > On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen > wrote: > > To access the REST API you need to pass the token in the http > headers. How to obtain the token in the first place depends on the > type of the application you're trying to invoke the API from. Look > at the docs/examples that corresponds to the type of your app > (JavaScript, command-line, jax-rs, etc). You also need to make sure > the application/client has scope mappings on the required roles. > > ----- Original Message ----- > > From: "Rodrigo Sasaki" > > > To: keycloak-user at lists.jboss.org > > > Sent: Monday, 9 June, 2014 12:59:41 PM > > Subject: [keycloak-user] REST API - Bearer Exception > > > > Hi, > > > > I'm trying to work with the Keycloak REST API, I logged into the > > administration console, and then tried accessing > /auth/admin/realms and got > > this exception: > > > > Failed executing GET /admin/realms: > > org.jboss.resteasy.spi.UnauthorizedException: Bearer > > > > How should I build my request to be able to get a response? How > should I > > authenticate myself in this situation? 
> > > > -- > > Rodrigo Sasaki > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Tue Jun 10 16:14:14 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 10 Jun 2014 17:14:14 -0300 Subject: [keycloak-user] REST API - Bearer Exception In-Reply-To: <53975BDC.8010200@redhat.com> References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com> <53975BDC.8010200@redhat.com> Message-ID: Yes it had them, but it didn't work. When I tried generating the token with the client_id set to the security-admin-console application it worked fine. Is that the correct way to do this? On Tue, Jun 10, 2014 at 4:26 PM, Bill Burke wrote: > Does rodrigosasaki have realm admin privileges? The role is under > applications->myrealm-management->realm-admin > > On 6/10/2014 3:02 PM, Rodrigo Sasaki wrote: > > I'd like to manage users and roles, creating and updating them. 
> > > > I obtained a token like this: > > > > *POST /realms/myrealm/tokens/grants/access* > > * > > * > > *username: rodrigosasaki* > > *password: password* > > *client_id: myclient* > > *client_secret: generated_secret* > > > > and I got a token back, but then I tried accessing the roles of the > > realm on this URL > > > > /admin/realms/myrealm/roles > > > > And it says I'm not authorized to access this, I'd like to know what > > roles or configuration I should create to be able to manipulate this > > information, just as I do on the admin-console > > > > > > On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen > > wrote: > > > > To access the REST API you need to pass the token in the http > > headers. How to obtain the token in the first place depends on the > > type of the application you're trying to invoke the API from. Look > > at the docs/examples that corresponds to the type of your app > > (JavaScript, command-line, jax-rs, etc). You also need to make sure > > the application/client has scope mappings on the required roles. > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Monday, 9 June, 2014 12:59:41 PM > > > Subject: [keycloak-user] REST API - Bearer Exception > > > > > > Hi, > > > > > > I'm trying to work with the Keycloak REST API, I logged into the > > > administration console, and then tried accessing > > /auth/admin/realms and got > > > this exception: > > > > > > Failed executing GET /admin/realms: > > > org.jboss.resteasy.spi.UnauthorizedException: Bearer > > > > > > How should I build my request to be able to get a response? How > > should I > > > authenticate myself in this situation? 
> > >
> > > --
> > > Rodrigo Sasaki
> >
> > --
> > Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

--
Rodrigo Sasaki

From bburke at redhat.com Tue Jun 10 16:22:51 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jun 2014 16:22:51 -0400
Subject: [keycloak-user] REST API - Bearer Exception
In-Reply-To:
References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com> <53975BDC.8010200@redhat.com>
Message-ID: <5397691B.5010002@redhat.com>

You need to add a scope to "myclient" that allows "myclient" to ask for admin privileges.

On 6/10/2014 4:14 PM, Rodrigo Sasaki wrote:
> Yes it had them, but it didn't work.
>
> When I tried generating the token with the client_id set to the
> security-admin-console application it worked fine.
>
> Is that the correct way to do this?
>
>
> On Tue, Jun 10, 2014 at 4:26 PM, Bill Burke wrote:
>
> Does rodrigosasaki have realm admin privileges? The role is under
> applications->myrealm-management->realm-admin
>
> On 6/10/2014 3:02 PM, Rodrigo Sasaki wrote:
> > I'd like to manage users and roles, creating and updating them.
> > > > I obtained a token like this: > > > > *POST /realms/myrealm/tokens/grants/access* > > * > > * > > *username: rodrigosasaki* > > *password: password* > > *client_id: myclient* > > *client_secret: generated_secret* > > > > and I got a token back, but then I tried accessing the roles of the > > realm on this URL > > > > /admin/realms/myrealm/roles > > > > And it says I'm not authorized to access this, I'd like to know what > > roles or configuration I should create to be able to manipulate this > > information, just as I do on the admin-console > > > > > > On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen > > > >> wrote: > > > > To access the REST API you need to pass the token in the http > > headers. How to obtain the token in the first place depends > on the > > type of the application you're trying to invoke the API from. > Look > > at the docs/examples that corresponds to the type of your app > > (JavaScript, command-line, jax-rs, etc). You also need to > make sure > > the application/client has scope mappings on the required roles. > > > > ----- Original Message ----- > > > From: "Rodrigo Sasaki" > > >> > > > To: keycloak-user at lists.jboss.org > > > > > > > Sent: Monday, 9 June, 2014 12:59:41 PM > > > Subject: [keycloak-user] REST API - Bearer Exception > > > > > > Hi, > > > > > > I'm trying to work with the Keycloak REST API, I logged > into the > > > administration console, and then tried accessing > > /auth/admin/realms and got > > > this exception: > > > > > > Failed executing GET /admin/realms: > > > org.jboss.resteasy.spi.UnauthorizedException: Bearer > > > > > > How should I build my request to be able to get a > response? How > > should I > > > authenticate myself in this situation? 
> > > > > > -- > > > Rodrigo Sasaki > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > Rodrigo Sasaki > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Rodrigo Sasaki -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From rodrigopsasaki at gmail.com Tue Jun 10 17:05:07 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Tue, 10 Jun 2014 18:05:07 -0300 Subject: [keycloak-user] REST API - Bearer Exception In-Reply-To: <5397691B.5010002@redhat.com> References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com> <53975BDC.8010200@redhat.com> <5397691B.5010002@redhat.com> Message-ID: I always forget that part. Do I always have to provide a user when I want to do this? Is it possible for an OAuth Client to authenticate based on name and client secret to get an access token? On Tue, Jun 10, 2014 at 5:22 PM, Bill Burke wrote: > You need to add a scope to "myclient" that allows "myclient" to ask for > admin privileges. > > > On 6/10/2014 4:14 PM, Rodrigo Sasaki wrote: > >> Yes it had them, but it didn't work. >> >> When I tried generating the token with the client_id set to the >> security-admin-console application it worked fine. >> >> Is that the correct way to do this? >> >> >> On Tue, Jun 10, 2014 at 4:26 PM, Bill Burke > > wrote: >> >> Does rodrigosasaki have realm admin privileges? 
The role is under >> applications->myrealm-management->realm-admin >> >> On 6/10/2014 3:02 PM, Rodrigo Sasaki wrote: >> > I'd like to manage users and roles, creating and updating them. >> > >> > I obtained a token like this: >> > >> > *POST /realms/myrealm/tokens/grants/access* >> > * >> > * >> > *username: rodrigosasaki* >> > *password: password* >> > *client_id: myclient* >> > *client_secret: generated_secret* >> > >> > and I got a token back, but then I tried accessing the roles of the >> > realm on this URL >> > >> > /admin/realms/myrealm/roles >> > >> > And it says I'm not authorized to access this, I'd like to know >> what >> > roles or configuration I should create to be able to manipulate >> this >> > information, just as I do on the admin-console >> > >> > >> > On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen >> >> > >> wrote: >> > >> > To access the REST API you need to pass the token in the http >> > headers. How to obtain the token in the first place depends >> on the >> > type of the application you're trying to invoke the API from. >> Look >> > at the docs/examples that corresponds to the type of your app >> > (JavaScript, command-line, jax-rs, etc). You also need to >> make sure >> > the application/client has scope mappings on the required >> roles. >> > >> > ----- Original Message ----- >> > > From: "Rodrigo Sasaki" > >> > > >> >> > > To: keycloak-user at lists.jboss.org >> >> > > > >> > > Sent: Monday, 9 June, 2014 12:59:41 PM >> > > Subject: [keycloak-user] REST API - Bearer Exception >> > > >> > > Hi, >> > > >> > > I'm trying to work with the Keycloak REST API, I logged >> into the >> > > administration console, and then tried accessing >> > /auth/admin/realms and got >> > > this exception: >> > > >> > > Failed executing GET /admin/realms: >> > > org.jboss.resteasy.spi.UnauthorizedException: Bearer >> > > >> > > How should I build my request to be able to get a >> response? How >> > should I >> > > authenticate myself in this situation? 
>> > >
>> > > --
>> > > Rodrigo Sasaki
>> >
>> > --
>> > Rodrigo Sasaki
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> --
>> Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

--
Rodrigo Sasaki

From bburke at redhat.com Tue Jun 10 17:11:49 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jun 2014 17:11:49 -0400
Subject: [keycloak-user] REST API - Bearer Exception
In-Reply-To:
References: <1330824434.23491289.1402406216557.JavaMail.zimbra@redhat.com> <53975BDC.8010200@redhat.com> <5397691B.5010002@redhat.com>
Message-ID: <53977495.6090401@redhat.com>

You have to provide a user.

On 6/10/2014 5:05 PM, Rodrigo Sasaki wrote:
> I always forget that part.
>
> Do I always have to provide a user when I want to do this? Is it
> possible for an OAuth Client to authenticate based on name and client
> secret to get an access token?
>
>
> On Tue, Jun 10, 2014 at 5:22 PM, Bill Burke wrote:
>
> You need to add a scope to "myclient" that allows "myclient" to ask
> for admin privileges.
>
>
> On 6/10/2014 4:14 PM, Rodrigo Sasaki wrote:
>
> Yes it had them, but it didn't work.
>
> When I tried generating the token with the client_id set to the
> security-admin-console application it worked fine.
>
> Is that the correct way to do this?
>
>
> On Tue, Jun 10, 2014 at 4:26 PM, Bill Burke wrote:
>
> Does rodrigosasaki have realm admin privileges? The role is under
> applications->myrealm-management->realm-admin
>
> On 6/10/2014 3:02 PM, Rodrigo Sasaki wrote:
> > I'd like to manage users and roles, creating and updating them.
> >
> > I obtained a token like this:
> >
> > *POST /realms/myrealm/tokens/grants/access*
> > *
> > *
> > *username: rodrigosasaki*
> > *password: password*
> > *client_id: myclient*
> > *client_secret: generated_secret*
> >
> > and I got a token back, but then I tried accessing the roles of the
> > realm on this URL
> >
> > /admin/realms/myrealm/roles
> >
> > And it says I'm not authorized to access this, I'd like to know what
> > roles or configuration I should create to be able to manipulate this
> > information, just as I do on the admin-console
> >
> >
> > On Tue, Jun 10, 2014 at 10:16 AM, Stian Thorgersen wrote:
> >
> > To access the REST API you need to pass the token in the http
> > headers. How to obtain the token in the first place depends on the
> > type of the application you're trying to invoke the API from. Look
> > at the docs/examples that corresponds to the type of your app
> > (JavaScript, command-line, jax-rs, etc). You also need to make sure
> > the application/client has scope mappings on the required roles.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 9 June, 2014 12:59:41 PM
> > > Subject: [keycloak-user] REST API - Bearer Exception
> > >
> > > Hi,
> > >
> > > I'm trying to work with the Keycloak REST API, I logged into the
> > > administration console, and then tried accessing /auth/admin/realms and got
> > > this exception:
> > >
> > > Failed executing GET /admin/realms:
> > > org.jboss.resteasy.spi.UnauthorizedException: Bearer
> > >
> > > How should I build my request to be able to get a response? How should I
> > > authenticate myself in this situation?
> > >
> > > --
> > > Rodrigo Sasaki
> >
> > --
> > Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> --
> Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> --
> Rodrigo Sasaki

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bardacp at gmail.com Wed Jun 11 04:08:06 2014
From: bardacp at gmail.com (Peter Bardac)
Date: Wed, 11 Jun 2014 10:08:06 +0200
Subject: [keycloak-user] Permissions API
Message-ID:

Are there any plans for supporting Permissions API from Picketlink described here:
http://docs.jboss.org/picketlink/2/latest/reference/html/chap-Identity_Management_-_Permissions_API_and_Permission_Management.html
in Keycloak?

From conrad at mindless.com Wed Jun 11 05:26:18 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Wed, 11 Jun 2014 10:26:18 +0100
Subject: [keycloak-user] Devoxx UK
Message-ID: <5D59AA15-8295-4AF1-AC03-49897263B6C0@mindless.com>

I just had a thought!

I'm at Devoxx in London over the next couple of days.

Is anybody from the Keycloak team going to be there?

Conrad

From bburke at redhat.com Wed Jun 11 07:57:45 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 11 Jun 2014 07:57:45 -0400
Subject: [keycloak-user] Permissions API
In-Reply-To:
References:
Message-ID: <53984439.1080301@redhat.com>

If we did, it wouldn't be for a long time. As it is, IMO, there's not much difference between roles and permissions.

On 6/11/2014 4:08 AM, Peter Bardac wrote:
> Are there any plans for supporting Permissions API from Picketlink
> described here:
> http://docs.jboss.org/picketlink/2/latest/reference/html/chap-Identity_Management_-_Permissions_API_and_Permission_Management.html
> in Keycloak?
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Jun 11 07:58:31 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 11 Jun 2014 07:58:31 -0400
Subject: [keycloak-user] Devoxx UK
In-Reply-To: <5D59AA15-8295-4AF1-AC03-49897263B6C0@mindless.com>
References: <5D59AA15-8295-4AF1-AC03-49897263B6C0@mindless.com>
Message-ID: <53984467.9080508@redhat.com>

Stian submitted a talk but it was denied. Nobody is located in London.

On 6/11/2014 5:26 AM, Conrad Winchester wrote:
> I just had a thought!
>
> I'm at Devoxx in London over the next couple of days.
>
> Is anybody from the Keycloak team going to be there?
>
>
> Conrad
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Jun 11 08:01:16 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 11 Jun 2014 08:01:16 -0400
Subject: [keycloak-user] Permissions API
In-Reply-To: <53984439.1080301@redhat.com>
References: <53984439.1080301@redhat.com>
Message-ID: <5398450C.6060405@redhat.com>

We would of course accept contributions from the community!

On 6/11/2014 7:57 AM, Bill Burke wrote:
> If we did, it wouldn't be for a long time. As it is, IMO, there's not
> much difference between roles and permissions.
>
> On 6/11/2014 4:08 AM, Peter Bardac wrote:
>> Are there any plans for supporting Permissions API from Picketlink
>> described here:
>> http://docs.jboss.org/picketlink/2/latest/reference/html/chap-Identity_Management_-_Permissions_API_and_Permission_Management.html
>> in Keycloak?
>>
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From conrad at mindless.com Wed Jun 11 14:45:24 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Wed, 11 Jun 2014 19:45:24 +0100
Subject: [keycloak-user] Email Verification
Message-ID: <7FD14D7D-709A-4431-8F0A-87F6C34B6725@mindless.com>

Hi all,

sorry to keep asking questions, but I'm stuck again.

What is the correct configuration to get keycloak to send out email address verification emails?

Conrad

From jim.boettcher at hp.com Wed Jun 11 17:02:03 2014
From: jim.boettcher at hp.com (Boettcher, Jim)
Date: Wed, 11 Jun 2014 21:02:03 +0000
Subject: [keycloak-user] Add additional rights mapping step to request chain
References: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net> <539606CD.4030100@redhat.com>
Message-ID: <567C02B1AFF42E499D63011F4C931ABE24108D4A@G5W2731.americas.hpqcorp.net>

Hi,

I was thinking of creating a custom Valve and doing the extra rights mapping work in the invoke method, but with JBoss 7.1.1 I couldn't figure out how to get my custom Valve to be invoked after Keycloak's. I configured my custom Valve by adding a ... element to the jboss-web.xml of my app, but with this my custom Valve was always invoked before Keycloak.

So instead I created a Servlet Filter and do the extra rights mapping work in the doFilter method by getting the AccessToken from the Request like this:

AccessToken token = ((KeycloakPrincipal)((HttpServletRequest)request).getUserPrincipal()).getKeycloakSecurityContext().getToken();

Based on the info in the AccessToken I can do the extra work I need.

Does this seem like a reasonable approach?

Thanks
-Jim

-----Original Message-----
From: Boettcher, Jim
Sent: Monday, June 09, 2014 3:45 PM
To: 'Bill Burke'; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Add additional rights mapping step to request chain

These are specific rights that are associated to different roles, such as the "backup right" can be associated to a backup role or an admin role.

We were looking to do this on the application server side perhaps as some sort of extension or add on or post processor to the keycloak-as7-adapter that is installed and configured as a module for JBoss.
Thanks -Jim -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Monday, June 09, 2014 3:11 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Add additional rights mapping step to request chain For "rights" you mean user role mappings? I'd have to create an SPI for that. FYI, you can't modify the token itself as it is digitally signed. On 6/9/2014 2:51 PM, Boettcher, Jim wrote: > Hi, > > We are using the keycloak-as7-adapter from beta2 and have configured > the adapter to use bearer token. > > We would like to add in some extra processing after the bearer token > has been validated in order to map user rights for the user identified > by the bearer token using some proprietary code. This is currently > done with a custom LoginModule configured for the security-domain of the app. > > Can you suggest how we might go about adding this extra rights mapping > to the request chain after the keycloak adapter has validated the > bearer token? > > Thank you, > > Jim > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From juraci at kroehling.de Thu Jun 12 02:16:32 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Thu, 12 Jun 2014 08:16:32 +0200 Subject: [keycloak-user] Docker images Message-ID: <539945C0.5050407@kroehling.de>
All, Very soon, the official Docker images will be hosted on the Docker's indexer, under the JBoss' namespace.
As such, it's a good idea to spend some minutes thinking about the image names (as the URL is dependent on it). My proposal would be:
- keycloak (wildfly + auth server war, no KC subsystem)
- keycloak-full ("keycloak" image + KC subsystem)
- keycloak-wildfly (wildfly + KC subsystem, no auth-server)
- keycloak-examples ("keycloak-full" image + examples)
If you have comments about the naming and/or contents, let me know.
- Juca.

From bburke at redhat.com Thu Jun 12 08:49:25 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 12 Jun 2014 08:49:25 -0400 Subject: [keycloak-user] Docker images In-Reply-To: <539945C0.5050407@kroehling.de> References: <539945C0.5050407@kroehling.de> Message-ID: <5399A1D5.1030405@redhat.com>
On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: > > - keycloak (wildfly + auth server war, no KC subsystem)
I would say no to this one. Eventually, the whole wildfly instance will be secured by KC and we will need the subsystem.
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From ssilvert at redhat.com Thu Jun 12 08:52:48 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 12 Jun 2014 08:52:48 -0400 Subject: [keycloak-user] Docker images In-Reply-To: <5399A1D5.1030405@redhat.com> References: <539945C0.5050407@kroehling.de> <5399A1D5.1030405@redhat.com> Message-ID: <5399A2A0.40702@redhat.com>
On 6/12/2014 8:49 AM, Bill Burke wrote: > > On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: >> - keycloak (wildfly + auth server war, no KC subsystem) > I would say no to this one. Eventually, the whole wildfly instance will > be secured by KC and we will need the subsystem. > >
I'll add my -1 as well.

From juraci at kroehling.de Thu Jun 12 09:12:41 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Thu, 12 Jun 2014 15:12:41 +0200 Subject: [keycloak-user] Docker images In-Reply-To: <5399A2A0.40702@redhat.com> References: <539945C0.5050407@kroehling.de> <5399A1D5.1030405@redhat.com> <5399A2A0.40702@redhat.com> Message-ID: <5399A749.80008@kroehling.de>
Ok, so, what about this then:
- keycloak (wildfly + auth server war + KC subsystem)
- keycloak-wildfly (wildfly + KC subsystem, no auth-server)
- keycloak-examples ("keycloak-full" image + examples)
What about the names? Do they match the expectation?
- Juca.
On 06/12/2014 02:52 PM, Stan Silvert wrote: > On 6/12/2014 8:49 AM, Bill Burke wrote: >> >> On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: >>> - keycloak (wildfly + auth server war, no KC subsystem) >> I would say no to this one. Eventually, the whole wildfly >> instance will be secured by KC and we will need the subsystem. >> >> > I'll add my -1 as well.

From juraci at kroehling.de Thu Jun 12 09:16:13 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Thu, 12 Jun 2014 15:16:13 +0200 Subject: [keycloak-user] Docker images In-Reply-To: <5399A749.80008@kroehling.de> References: <539945C0.5050407@kroehling.de> <5399A1D5.1030405@redhat.com> <5399A2A0.40702@redhat.com> <5399A749.80008@kroehling.de> Message-ID: <5399A81D.3000606@kroehling.de>
On 06/12/2014 03:12 PM, Juraci Paixão Kröhling wrote: > Ok, so, what about this then: > >
> - keycloak (wildfly + auth server war + KC subsystem)
> - keycloak-wildfly (wildfly + KC subsystem, no auth-server)
> - keycloak-examples ("keycloak-full" image + examples)
s/keycloak-full/keycloak/
> > What about the names? Do they match the expectation? > > - Juca. > > On 06/12/2014 02:52 PM, Stan Silvert wrote: >> On 6/12/2014 8:49 AM, Bill Burke wrote: >>> >>> On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: >>>> - keycloak (wildfly + auth server war, no KC subsystem) >>> I would say no to this one. Eventually, the whole wildfly >>> instance will be secured by KC and we will need the subsystem. >>> >>> >> I'll add my -1 as well.

From juraci at kroehling.de Thu Jun 12 10:44:18 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Thu, 12 Jun 2014 16:44:18 +0200 Subject: [keycloak-user] Docker images In-Reply-To: <5399A81D.3000606@kroehling.de> References: <539945C0.5050407@kroehling.de> <5399A1D5.1030405@redhat.com> <5399A2A0.40702@redhat.com> <5399A749.80008@kroehling.de> <5399A81D.3000606@kroehling.de> Message-ID: <5399BCC2.4060908@kroehling.de>
So, I've uploaded the following images to my namespace on Docker. If those look good, I'll get them available on jboss' namespace (jboss/keycloak, for instance). https://hub.docker.com/u/jpkroehling/
keycloak-wildfly - Wildfly 8.1.0.Final + KC subsystem
keycloak (this should be the default one, hence the shorter name) - "keycloak-wildfly" + Auth-server
keycloak-examples - "keycloak" + examples
Those can be tested with these commands:
$ docker run -it -p 8080:8080 jpkroehling/keycloak
$ docker run -it -p 8080:8080 jpkroehling/keycloak-wildfly
$ docker run -it -p 8080:8080 jpkroehling/keycloak-examples
- Juca.
On 06/12/2014 03:16 PM, Juraci Paixão Kröhling wrote: >> keycloak (wildfly + auth server war + KC subsystem) - >> keycloak-wildfly (wildfly + KC subsystem, no auth-server) - >> keycloak-examples ("keycloak-full" image + examples) > > s/keycloak-full/keycloak/ > > >> What about the names? Do they match the expectation? > >> - Juca. > >> On 06/12/2014 02:52 PM, Stan Silvert wrote: >>> On 6/12/2014 8:49 AM, Bill Burke wrote: >>>> >>>> On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: >>>>> - keycloak (wildfly + auth server war, no KC subsystem) >>>> I would say no to this one. Eventually, the whole wildfly >>>> instance will be secured by KC and we will need the >>>> subsystem. >>>> >>>> >>> I'll add my -1 as well.

From smysnk at gmail.com Fri Jun 13 03:41:32 2014 From: smysnk at gmail.com (Josh) Date: Fri, 13 Jun 2014 01:41:32 -0600 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies Message-ID:
Hi guys, So looking to help solve this issue possibly or at least get it on the radar, I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497 To
briefly recap the issue, when logging in via reverse proxy it keeps forwarding the browser from https back to regular http. Eg. Apache virtualhost configured as:
ServerName auth.domain.com
SSLEngine On
Order deny,allow
Allow from all
ProxyVia Off
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://keycloak.core.docker:8080/
ProxyPassReverse / http://keycloak.core.docker:8080/
If I were to start looking into the code base, where would I start? Trying to find for example during the login process how the forward url is formed? Thanks, Josh

From juraci at kroehling.de Fri Jun 13 03:50:59 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Fri, 13 Jun 2014 09:50:59 +0200 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: References: Message-ID: <539AAD63.1010004@kroehling.de>
I faced the exact same issue earlier this week, but with nginx. On a quick look, the problem seems to be on the JavaScript adapter, which seems to think that it's being served via non-SSL. As I haven't had enough time to debug and do a proper fix, the quick solution was to configure Wildfly to serve Keycloak via SSL and proxy the request to 8443 instead of 8080. It works, but it's suboptimal. There are instructions on the documentation on how to setup Wildfly to serve requests via SSL.
- Juca.
On 06/13/2014 09:41 AM, Josh wrote: > Hi guys, > > So looking to help solve this issue possibly or at least get it on > the radar, I've reported it here: > https://issues.jboss.org/browse/KEYCLOAK-497 > > To briefly recap the issue, when logging in via reverse proxy it > keeps forwarding the browser from https back to regular http. > > Eg.
Apache virtualhost configured as: > > ServerName auth.domain.com > SSLEngine On > > Order deny,allow Allow from all > > ProxyVia Off ProxyPreserveHost On > ProxyRequests Off > > ProxyPass / http://keycloak.core.docker:8080/ > ProxyPassReverse / http://keycloak.core.docker:8080/ > > > > > If I were to start looking into the code base, where would I > start? Trying to find for example during the login process how the > forward url is formed? > > Thanks, > > Josh >

From bburke at redhat.com Fri Jun 13 08:42:04 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 13 Jun 2014 08:42:04 -0400 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: <539AAD63.1010004@kroehling.de> References: <539AAD63.1010004@kroehling.de> Message-ID: <539AF19C.5070003@redhat.com>
Was the adapter not configured right? It should be pointed to the auth server's reverse-proxy URL.
On 6/13/2014 3:50 AM, Juraci Paixão Kröhling wrote: > I faced the exact same issue earlier this week, but with nginx. On a > quick look, the problem seems to be on the JavaScript adapter, which > seems to think that it's being served via non-SSL.
> > As I haven't had enough time to debug and do a proper fix, the quick > solution was to configure Wildfly to serve Keycloak via SSL and proxy > the request to 8443 instead of 8080. It works, but it's suboptimal. > There are instructions on the documentation on how to setup Wildfly to > serve requests via SSL. > > - Juca. > > On 06/13/2014 09:41 AM, Josh wrote: >> Hi guys, >> >> So looking to help solve this issue possibly or at least get it on >> the radar, I've reported it here: >> https://issues.jboss.org/browse/KEYCLOAK-497 >> >> To briefly recap the issue, when logging in via reverse proxy it >> keeps forwarding the browser from https back to regular http. >> >> Eg. Apache virtualhost configured as: >> >> ServerName auth.domain.com >> SSLEngine On >> >> Order deny,allow Allow from all >> >> ProxyVia Off ProxyPreserveHost On >> ProxyRequests Off >> >> ProxyPass / http://keycloak.core.docker:8080/ >> ProxyPassReverse / http://keycloak.core.docker:8080/ >> >> >> >> >> If I were to start looking into the code base, where would I >> start? Trying to find for example during the login process how the >> forward url is formed?
>> >> Thanks, >> >> Josh >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From mposolda at redhat.com Fri Jun 13 08:57:27 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 13 Jun 2014 14:57:27 +0200 Subject: [keycloak-user] Multiple Social Providers for Single Account In-Reply-To: References: <53960776.1010706@redhat.com> Message-ID: <539AF537.3040702@redhat.com>
Hi, At this moment, if you have Facebook and Google account and both have same email address "foo at gmail.com", you need to either:
1) Register user first with Facebook, which will create new user account in Keycloak with email address "foo at gmail.com" and this account will be linked with Facebook. Then you can link this user with Google in Account Management UI. In this way, user with email "foo at gmail.com" will be linked to both Facebook and Google and from this point he can login to both.
2) Manually register user with email "foo at gmail.com" and then link him in Account Management with both Facebook and Google.
What you can't do ATM is to register user with Facebook first (like in first part of flow 1), then logout and then try to register him with Google. In this case user is not yet linked to Google, but user account with email address "foo at gmail.com" already exists in Keycloak. So that's why it fails because there is enforcement to have unique email addresses in Keycloak. I agree that it would be nice to have support for this flow. I think when trying to SignIn with Google in case that user with this email already exists, Keycloak should display screen with some message like: "User with address foo at gmail.com already exists. Do you want to link your account with this one?". In case that user chooses "Yes" he will need to login into Keycloak via some different form. If user chooses "No" registration will be finished as failed. Support for this flow is a bit tricky and IMO it won't be possible to do it in Keycloak 1.0.Final, but probably somewhere later. What we can do in 1.0.Final IMO is just do a small fix in UI that there is no exception message like "ModelDuplicateException" displayed somewhere in UI, but instead some more friendly message will be shown like: "Your email foo at gmail.com already exists in Keycloak. Login first and then link your account with this" Marek
On 9.6.2014 21:28, Rodrigo Sasaki wrote: > I guess it can wait, it would be good to get this sorted but I know > you're all very busy. > > I'll download the master branch again and see what I can find > > > On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke > wrote: > > Stian wrote this code and is at a face to face meeting this week. Can > you wait until next week for an answer? I could look into it, but I'm > focused on some caching features and pushing out Beta 3 at the moment. > > On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote: > > I've been trying to work with the Social Providers feature of > Keycloak, > > but I've had some problems.
> > > > First of all I'm using the beta-2 version, and I created > Facebook and > > Google links to applications I have there and it worked fine. > > > > If I create a new user logging in with Facebook it works > > If I create a new user logging in with Google it works as well. > > > > When I try linking things, that's where things go wrong. > > > > I have created a new Keycloak user, and accessed: > > > > *http://localhost:8080/auth/realms/myrealm/account* > > > > and on that URL I associated my Google and Facebook accounts, > when I do > > it like that, it all works fine, but when I tried to see if it > worked > > automatically it all went south. > > > > I deleted the social links from this account, and then tried to > login to > > a keycloak secured application via Facebook, and the e-mail of my > > Facebook account is the same of the keycloak account, which led to an > > exception > > > > /org.keycloak.models.ModelDuplicateException: > > javax.persistence.PersistenceException: > > org.hibernate.exception.ConstraintViolationException: ERROR: > duplicate > > key value violates unique constraint "userentity_realm_email_key"/ > > > > The same happens if I have no account at all, and create one with > > Facebook, then try logging in with Google. > > > > Is there something I'm missing, or is this flow still being > worked on?
> > > > I have read this wiki, and I think it's the item 5 that isn't > working > > correctly > > > > > https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts > > > > > > -- > > Rodrigo Sasaki > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- > Rodrigo Sasaki

From mposolda at redhat.com Fri Jun 13 09:37:03 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 13 Jun 2014 15:37:03 +0200 Subject: [keycloak-user] Recommended way to identify user from token In-Reply-To: <2A3B4BB9-8F31-4DF7-A164-8D7C8E2E0F22@mindless.com> References: <2A3B4BB9-8F31-4DF7-A164-8D7C8E2E0F22@mindless.com> Message-ID: <539AFE7F.5060404@redhat.com>
    IDToken idToken = securityContext.getIdToken();
Then idToken has methods like "getName()", "getPreferredUsername()", "getEmail()" etc. You can use just those, which are mapped as allowed Claims for this client (You can configure claims in Keycloak admin console). Those, which are not mapped as claims will return null. Marek
On 10.6.2014 07:16, Conrad Winchester wrote: > Hi, > > I have keycloak integrated into my application and have it protecting several end points.
A user can login to get access to the protected resources by adding the bearer token into the authorisation header. > > I was wondering what the recommended way is to actually identify the user who has authenticated. Is this the way to do it? > >
> @Context
> private SecurityContext securityContext;
> .
> .
> .
> KeycloakPrincipal principal = (KeycloakPrincipal)securityContext.getUserPrincipal();
> logger.info("Logged in user: "+ principal.getName());
> > I noticed the name is the "id" of the user from the keycloak table. > > Are there any other ways to get data from the token? > > Thanks > > Conrad

From mposolda at redhat.com Fri Jun 13 09:41:06 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 13 Jun 2014 15:41:06 +0200 Subject: [keycloak-user] Email Verification In-Reply-To: <7FD14D7D-709A-4431-8F0A-87F6C34B6725@mindless.com> References: <7FD14D7D-709A-4431-8F0A-87F6C34B6725@mindless.com> Message-ID: <539AFF72.5070202@redhat.com>
In Keycloak admin console, you need to enable "Verify Email" switch in Realm settings. You also need to correctly setup SMTP for the realm according to your environment. See http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/ch10.html for details. Marek
On 11.6.2014 20:45, Conrad Winchester wrote: > Hi all, > > sorry to keep asking questions, but I'm stuck again. > > What is the correct configuration to get keycloak to send out email address verification emails?
> > > Conrad

From rodrigopsasaki at gmail.com Fri Jun 13 10:39:55 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Fri, 13 Jun 2014 11:39:55 -0300 Subject: [keycloak-user] Roles Integration Message-ID:
Hi, I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine. Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow? Thanks, -- Rodrigo Sasaki

From smysnk at gmail.com Fri Jun 13 13:06:23 2014 From: smysnk at gmail.com (Josh) Date: Fri, 13 Jun 2014 11:06:23 -0600 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: <539AF19C.5070003@redhat.com> References: <539AAD63.1010004@kroehling.de> <539AF19C.5070003@redhat.com> Message-ID:
I'm talking more about the login, registration, administration on the keycloak server, all the links revert https back to http. I haven't got around to testing the adapters yet.
On Fri, Jun 13, 2014 at 6:42 AM, Bill Burke wrote: > Was the adapter not configured right? It should be pointed to the auth > server's reverse-proxy URL. > > On 6/13/2014 3:50 AM, Juraci Paixão Kröhling wrote: > > I faced the exact same issue earlier this week, but with nginx. On a > > quick look, the problem seems to be on the JavaScript adapter, which > > seems to think that it's being served via non-SSL.
> > > > As I haven't had enough time to debug and do a proper fix, the quick > > solution was to configure Wildfly to serve Keycloak via SSL and proxy > > the request to 8443 instead of 8080. It works, but it's suboptimal. > > There are instructions on the documentation on how to setup Wildfly to > > serve requests via SSL. > > > > - Juca. > > > > On 06/13/2014 09:41 AM, Josh wrote: > >> Hi guys, > >> > >> So looking to help solve this issue possibly or at least get it on > >> the radar, I've reported it here: > >> https://issues.jboss.org/browse/KEYCLOAK-497 > >> > >> To briefly recap the issue, when logging in via reverse proxy it > >> keeps forwarding the browser from https back to regular http. > >> > >> Eg. Apache virtualhost configured as: > >> > >> ServerName auth.domain.com > >> SSLEngine On > >> > >> Order deny,allow Allow from all > >> > >> ProxyVia Off ProxyPreserveHost On > >> ProxyRequests Off > >> > >> ProxyPass / http://keycloak.core.docker:8080/ > >> ProxyPassReverse / http://keycloak.core.docker:8080/ > >> > >> > >> > >> > >> If I were to start looking into the code base, where would I > >> start? Trying to find for example during the login process how the > >> forward url is formed?
> >> > >> Thanks, > >> > >> Josh > >> > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com

From juraci at kroehling.de Fri Jun 13 14:47:54 2014 From: juraci at kroehling.de (Juraci Paixão Kröhling) Date: Fri, 13 Jun 2014 20:47:54 +0200 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: <539AF19C.5070003@redhat.com> References: <539AAD63.1010004@kroehling.de> <539AF19C.5070003@redhat.com> Message-ID: <539B475A.1050002@kroehling.de>
On 06/13/2014 02:42 PM, Bill Burke wrote: > Was the adapter not configured right? It should be pointed to the > auth server's reverse-proxy URL.
Sorry, it seems I was wrong in saying that I had the exact same problem. The problem wasn't an infinite redirect (I had this problem earlier, but on my app sending redirects to the /auth). The problem I had *this time* were in fact two:
- I have a redirect from http to https on nginx, and Strict-Transport-Security on the https. With this setup, the first request is always sent to https, and all subsequent requests are automatically to https. On an out-of-the-box installation, when hitting the admin console, Keycloak uses a redirect_uri with the https, which renders an "invalid_uri".
- Manually changing the redirect_uri query parameter to http makes it work, in the sense that I can login as admin/admin and change the password. After that, I get a blank screen. On Firebug, I see that Firefox blocks mixed content (ie: javascript from http://localhost requested from https://localhost). The exact message on the console is:
> Blocked loading mixed active content "http://192.168.122.202/auth/realms/master/tokens/access/codes" keycloak.js line 278
Which is the place where I put the breakpoint and found out that the generated URL is http, even though keycloak.js itself is loaded from https. But my setup is as I mentioned earlier: nginx in front of wildfly, with nginx being the only part caring about SSL. Making the proxy talk with Wildfly also on SSL makes the problem go away.
- Juca.

From conrad at mindless.com Sun Jun 15 04:25:05 2014 From: conrad at mindless.com (Conrad Winchester) Date: Sun, 15 Jun 2014 09:25:05 +0100 Subject: [keycloak-user] Email Verification In-Reply-To: <539AFF72.5070202@redhat.com> References: <7FD14D7D-709A-4431-8F0A-87F6C34B6725@mindless.com> <539AFF72.5070202@redhat.com> Message-ID:
Thanks Marek Unfortunately that's what I have done, and I am not seeing the activation emails. I presume it is known to work.
Conrad > On 13 Jun 2014, at 14:41, Marek Posolda wrote: > > In Keycloak admin console, you need to enable "Verify Email" switch in > Realm settings. You also need to correctly setup SMTP for the realm > according to your environment. See > http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/ch10.html > for details. > > Marek > > On 11.6.2014 20:45, Conrad Winchester wrote: >> Hi all, >> >> sorry to keep asking questions, but I'm stuck again. >> >> What is the correct configuration to get keycloak to send out email address verification emails? >> >> >> Conrad

From stian at redhat.com Mon Jun 16 05:01:59 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 16 Jun 2014 05:01:59 -0400 (EDT) Subject: [keycloak-user] Roles Integration In-Reply-To: References: Message-ID: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com>
The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak. If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
----- Original Message ----- > From: "Rodrigo Sasaki" > To: keycloak-user at lists.jboss.org > Sent: Friday, 13 June, 2014 3:39:55 PM > Subject: [keycloak-user] Roles Integration > > Hi, > > I needed to migrate accounts from an old database to authenticate with > Keycloak, and I implemented my own provider of the Authentication SPI, which > worked fine. > > Now what should I do if I need to migrate the roles from those accounts > as well?
> Is there a suggested flow that I should follow?
>
> Thanks,
>
> --
> Rodrigo Sasaki

From stian at redhat.com Mon Jun 16 05:25:58 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 16 Jun 2014 05:25:58 -0400 (EDT)
Subject: [keycloak-user] Email Verification
In-Reply-To:
References: <7FD14D7D-709A-4431-8F0A-87F6C34B6725@mindless.com> <539AFF72.5070202@redhat.com>
Message-ID: <209286578.26376395.1402910758137.JavaMail.zimbra@redhat.com>

Have you tried to login to the account? As the activation emails have a limited life span they are not actually sent until the user tries to login.

----- Original Message -----
> From: "Conrad Winchester"
> To: "Marek Posolda"
> Cc: keycloak-user at lists.jboss.org
> Sent: Sunday, 15 June, 2014 9:25:05 AM
> Subject: Re: [keycloak-user] Email Verification
>
> Thanks Marek
>
> Unfortunately that's what I have done, and I am not seeing the activation emails.
>
> I presume it is known to work.
>
> Conrad
>
> > On 13 Jun 2014, at 14:41, Marek Posolda wrote:
> >
> > In Keycloak admin console, you need to enable "Verify Email" switch in Realm settings. You also need to correctly set up SMTP for the realm according to your environment. See http://docs.jboss.org/keycloak/docs/1.0-beta-1/userguide/html/ch10.html for details.
> >
> > Marek
> >
> > On 11.6.2014 20:45, Conrad Winchester wrote:
> >> Hi all,
> >>
> >> sorry to keep asking questions, but I'm stuck again.
> >>
> >> What is the correct configuration to get keycloak to send out email address verification emails?
> >>
> >> Conrad

From stian at redhat.com Mon Jun 16 05:33:22 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 16 Jun 2014 05:33:22 -0400 (EDT)
Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
In-Reply-To:
References:
Message-ID: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com>

When does it forward the browser from https to http?

As Bill pointed out, does auth-server-url in your keycloak.json point to your proxy with https?

What adapter are you using?

----- Original Message -----
> From: "Josh"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 13 June, 2014 8:41:32 AM
> Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
>
> Hi guys,
>
> So looking to help solve this issue possibly or at least get it on the radar, I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497
>
> To briefly recap the issue, when logging in via reverse proxy it keeps forwarding the browser from https back to regular http.
>
> Eg. Apache virtualhost configured as:
>
> ServerName auth.domain.com
> SSLEngine On
>
> Order deny,allow
> Allow from all
>
> ProxyVia Off
> ProxyPreserveHost On
> ProxyRequests Off
>
> ProxyPass / http://keycloak.core.docker:8080/
> ProxyPassReverse / http://keycloak.core.docker:8080/
>
> If I were to start looking into the code base, where would I start?
> Trying to find for example during the login process how the forward url is formed?
>
> Thanks,
>
> Josh

From rodrigopsasaki at gmail.com Mon Jun 16 10:27:43 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 16 Jun 2014 11:27:43 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com>
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com>
Message-ID:

That's an interesting suggestion, but how would I do that if the databases are very different?

Just remembering that I want to integrate the user role mappings, and not just the roles themselves.

Should I create a JSON from my database following a specific format to import it into Keycloak?

On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:

> The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
>
> If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 13 June, 2014 3:39:55 PM
> > Subject: [keycloak-user] Roles Integration
> >
> > Hi,
> >
> > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
> >
> > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
> >
> > Thanks,
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/851c311b/attachment.html

From stian at redhat.com Mon Jun 16 10:32:43 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 16 Jun 2014 10:32:43 -0400 (EDT)
Subject: [keycloak-user] Roles Integration
In-Reply-To:
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com>
Message-ID: <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 16 June, 2014 3:27:43 PM
> Subject: Re: [keycloak-user] Roles Integration
>
> That's an interesting suggestion, but how would I do that if the databases are very different?
>
> Just remembering that I want to integrate the user role mappings, and not just the roles themselves.

Makes sense, roles are not worth much if no users have mappings to them ;)

> Should I create a JSON from my database following a specific format to import it into Keycloak?

Yes, that's the idea. Roughly how many users and roles do you have?

> On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
>
> > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
> >
> > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > > Subject: [keycloak-user] Roles Integration
> > >
> > > Hi,
> > >
> > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
> > >
> > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
> > >
> > > Thanks,
> > >
> > > --
> > > Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Mon Jun 16 10:44:51 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 16 Jun 2014 11:44:51 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To: <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com>
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com> <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com>
Message-ID:

We have about 15 roles and over 20 million users

On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen wrote:

> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 16 June, 2014 3:27:43 PM
> > Subject: Re: [keycloak-user] Roles Integration
> >
> > That's an interesting suggestion, but how would I do that if the databases are very different?
> >
> > Just remembering that I want to integrate the user role mappings, and not just the roles themselves.
>
> Makes sense, roles are not worth much if no users have mappings to them ;)
>
> > Should I create a JSON from my database following a specific format to import it into Keycloak?
>
> Yes, that's the idea. Roughly how many users and roles do you have?
>
> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
> >
> > > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
> > >
> > > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > > > Subject: [keycloak-user] Roles Integration
> > > >
> > > > Hi,
> > > >
> > > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
> > > >
> > > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Rodrigo Sasaki
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/40d146c7/attachment.html

From bburke at redhat.com Mon Jun 16 11:28:54 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Jun 2014 11:28:54 -0400
Subject: [keycloak-user] Roles Integration
In-Reply-To:
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com> <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com>
Message-ID: <539F0D36.9080100@redhat.com>

Nice!
You will be a great reference for us. We'll make it happen. Just remind us of this every time we're lax answering your questions :)

On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> We have about 15 roles and over 20 million users
>
> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen wrote:
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 16 June, 2014 3:27:43 PM
> > Subject: Re: [keycloak-user] Roles Integration
> >
> > That's an interesting suggestion, but how would I do that if the databases are very different?
> >
> > Just remembering that I want to integrate the user role mappings, and not just the roles themselves.
>
> Makes sense, roles are not worth much if no users have mappings to them ;)
>
> > Should I create a JSON from my database following a specific format to import it into Keycloak?
>
> Yes, that's the idea. Roughly how many users and roles do you have?
>
> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
> >
> > > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
> > >
> > > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > > > Subject: [keycloak-user] Roles Integration
> > > >
> > > > Hi,
> > > >
> > > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
> > > >
> > > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Rodrigo Sasaki
> >
> > --
> > Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Jun 16 11:34:36 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Jun 2014 11:34:36 -0400
Subject: [keycloak-user] Roles Integration
In-Reply-To: <539F0D36.9080100@redhat.com>
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com> <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com> <539F0D36.9080100@redhat.com>
Message-ID: <539F0E8C.6090202@redhat.com>

These 20 Million users: Are they stored in a RDBMS? LDAP?

On 6/16/2014 11:28 AM, Bill Burke wrote:
> Nice! You will be a great reference for us. We'll make it happen. Just remind us of this every time we're lax answering your questions :)
>
> On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
>> We have about 15 roles and over 20 million users
>>
>> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>> > From: "Rodrigo Sasaki"
>> > To: "Stian Thorgersen"
>> > Cc: keycloak-user at lists.jboss.org
>> > Sent: Monday, 16 June, 2014 3:27:43 PM
>> > Subject: Re: [keycloak-user] Roles Integration
>> >
>> > That's an interesting suggestion, but how would I do that if the databases are very different?
>> >
>> > Just remembering that I want to integrate the user role mappings, and not just the roles themselves.
>>
>> Makes sense, roles are not worth much if no users have mappings to them ;)
>>
>> > Should I create a JSON from my database following a specific format to import it into Keycloak?
>>
>> Yes, that's the idea. Roughly how many users and roles do you have?
>>
>> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
>> >
>> > > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
>> > >
>> > > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
>> > >
>> > > ----- Original Message -----
>> > > > From: "Rodrigo Sasaki"
>> > > > To: keycloak-user at lists.jboss.org
>> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
>> > > > Subject: [keycloak-user] Roles Integration
>> > > >
>> > > > Hi,
>> > > >
>> > > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
>> > > >
>> > > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
>> > > >
>> > > > Thanks,
>> > > >
>> > > > --
>> > > > Rodrigo Sasaki
>> >
>> > --
>> > Rodrigo Sasaki
>>
>> --
>> Rodrigo Sasaki

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From smysnk at gmail.com Mon Jun 16 11:42:27 2014
From: smysnk at gmail.com (Josh)
Date: Mon, 16 Jun 2014 09:42:27 -0600
Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
In-Reply-To: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com>
References: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com>
Message-ID:

The first would be at the "Welcome to Keycloak" page, clicking on Administration Console. The link itself is not redirecting to http, but as part of the login page it looks like it forwards back to http.

(eg.
https://auth.psidox.com/auth/ ->
https://auth.psidox.com/auth/admin/ ->
http://auth.psidox.com/auth/admin/master/console ->
http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code
)

I haven't really gotten too far beyond the login page.

- Josh

On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen wrote:

> When does it forward the browser from https to http?
>
> As Bill pointed out, does auth-server-url in your keycloak.json point to your proxy with https?
>
> What adapter are you using?
>
> ----- Original Message -----
> > From: "Josh"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 13 June, 2014 8:41:32 AM
> > Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies
> >
> > Hi guys,
> >
> > So looking to help solve this issue possibly or at least get it on the radar, I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497
> >
> > To briefly recap the issue, when logging in via reverse proxy it keeps forwarding the browser from https back to regular http.
> >
> > Eg. Apache virtualhost configured as:
> >
> > ServerName auth.domain.com
> > SSLEngine On
> >
> > Order deny,allow
> > Allow from all
> >
> > ProxyVia Off
> > ProxyPreserveHost On
> > ProxyRequests Off
> >
> > ProxyPass / http://keycloak.core.docker:8080/
> > ProxyPassReverse / http://keycloak.core.docker:8080/
> >
> > If I were to start looking into the code base, where would I start? Trying to find for example during the login process how the forward url is formed?
> >
> > Thanks,
> >
> > Josh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/7d794a40/attachment-0001.html

From rodrigopsasaki at gmail.com Mon Jun 16 11:44:38 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 16 Jun 2014 12:44:38 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To: <539F0E8C.6090202@redhat.com>
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com> <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com> <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com>
Message-ID:

They are all stored in a table on a RDBMS

On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke wrote:

> These 20 Million users: Are they stored in a RDBMS? LDAP?
>
> On 6/16/2014 11:28 AM, Bill Burke wrote:
> > Nice! You will be a great reference for us. We'll make it happen. Just remind us of this every time we're lax answering your questions :)
> >
> > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> >> We have about 15 roles and over 20 million users
> >>
> >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen wrote:
> >>
> >> ----- Original Message -----
> >> > From: "Rodrigo Sasaki"
> >> > To: "Stian Thorgersen"
> >> > Cc: keycloak-user at lists.jboss.org
> >> > Sent: Monday, 16 June, 2014 3:27:43 PM
> >> > Subject: Re: [keycloak-user] Roles Integration
> >> >
> >> > That's an interesting suggestion, but how would I do that if the databases are very different?
> >> >
> >> > Just remembering that I want to integrate the user role mappings, and not just the roles themselves.
> >>
> >> Makes sense, roles are not worth much if no users have mappings to them ;)
> >>
> >> > Should I create a JSON from my database following a specific format to import it into Keycloak?
> >>
> >> Yes, that's the idea. Roughly how many users and roles do you have?
> >>
> >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
> >> >
> >> > > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
> >> > >
> >> > > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
> >> > >
> >> > > ----- Original Message -----
> >> > > > From: "Rodrigo Sasaki"
> >> > > > To: keycloak-user at lists.jboss.org
> >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> >> > > > Subject: [keycloak-user] Roles Integration
> >> > > >
> >> > > > Hi,
> >> > > >
> >> > > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
> >> > > >
> >> > > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
> >> > > >
> >> > > > Thanks,
> >> > > >
> >> > > > --
> >> > > > Rodrigo Sasaki
> >> >
> >> > --
> >> > Rodrigo Sasaki
> >>
> >> --
> >> Rodrigo Sasaki
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/d888624d/attachment.html

From peterson.dean at gmail.com Mon Jun 16 13:17:36 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 16 Jun 2014 12:17:36 -0500
Subject: [keycloak-user] KeycloakLogger error on Maven install
Message-ID:

It has been a while since I tried to upgrade. Now when I perform a maven install on Keycloak-parent I get a no class def error on the wildfly subsystem. I get the same thing when I try to run maven install directly on the wildfly subsystem piece too:

java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.subsystem.logging.KeycloakLogger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/3f08dc83/attachment.html

From peterson.dean at gmail.com Mon Jun 16 13:44:58 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 16 Jun 2014 12:44:58 -0500
Subject: [keycloak-user] Nevermind
Message-ID:

Nevermind about the KeycloakLogger error. I ran a few other maven commands other than maven install to get around the error.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/8496564a/attachment.html

From rodrigopsasaki at gmail.com Mon Jun 16 15:21:06 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 16 Jun 2014 16:21:06 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To:
References: <1457410597.26367866.1402909319119.JavaMail.zimbra@redhat.com> <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com> <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com>
Message-ID:

Just to be more specific, our mapping here is really simple.

We have 1 table with the users, one with the roles, and a third one that maps them both together.

Thank you for trying to help!

On Mon, Jun 16, 2014 at 12:44 PM, Rodrigo Sasaki wrote:

> They are all stored in a table on a RDBMS
>
> On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke wrote:
>
>> These 20 Million users: Are they stored in a RDBMS? LDAP?
>>
>> On 6/16/2014 11:28 AM, Bill Burke wrote:
>> > Nice! You will be a great reference for us. We'll make it happen.
>> > Just remind us of this every time we're lax answering your questions :)
>> >
>> > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
>> >> We have about 15 roles and over 20 million users
>> >>
>> >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen wrote:
>> >>
>> >> ----- Original Message -----
>> >> > From: "Rodrigo Sasaki"
>> >> > To: "Stian Thorgersen"
>> >> > Cc: keycloak-user at lists.jboss.org
>> >> > Sent: Monday, 16 June, 2014 3:27:43 PM
>> >> > Subject: Re: [keycloak-user] Roles Integration
>> >> >
>> >> > That's an interesting suggestion, but how would I do that if the databases are very different?
>> >> >
>> >> > Just remembering that I want to integrate the user role mappings, and not just the roles themselves.
>> >>
>> >> Makes sense, roles are not worth much if no users have mappings to them ;)
>> >>
>> >> > Should I create a JSON from my database following a specific format to import it into Keycloak?
>> >>
>> >> Yes, that's the idea. Roughly how many users and roles do you have?
>> >>
>> >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen wrote:
>> >> >
>> >> > > The only way to do that at the moment would be to import the data into the Keycloak database. The easiest way to do this would be to export your database to json and import into Keycloak.
>> >> > >
>> >> > > If this is something you want to do, let me know and we can give you some instructions, maybe also an example, on how to do this.
>> >> > >
>> >> > > ----- Original Message -----
>> >> > > > From: "Rodrigo Sasaki"
>> >> > > > To: keycloak-user at lists.jboss.org
>> >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
>> >> > > > Subject: [keycloak-user] Roles Integration
>> >> > > >
>> >> > > > Hi,
>> >> > > >
>> >> > > > I needed to migrate accounts from an old database to authenticate with Keycloak, and I implemented my own provider of the Authentication SPI, which worked fine.
>> >> > > >
>> >> > > > Now what should I do if I need to migrate the roles from those accounts as well? Is there a suggested flow that I should follow?
>> >> > > >
>> >> > > > Thanks,
>> >> > > >
>> >> > > > --
>> >> > > > Rodrigo Sasaki
>> >> >
>> >> > --
>> >> > Rodrigo Sasaki
>> >>
>> >> --
>> >> Rodrigo Sasaki
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Rodrigo Sasaki

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/7262bac2/attachment-0001.html

From peterson.dean at gmail.com Mon Jun 16 18:42:23 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 16 Jun 2014 17:42:23 -0500
Subject: [keycloak-user] Cannot insert duplicate key in object 'dbo.RoleEntity'
Message-ID:

I have tried to create a new Realm using beta-2 and the latest master code. I always get the same error:

Violation of UNIQUE KEY constraint 'UK_2cek0xo8yixluudnb1njcl94d'. Cannot insert duplicate key in object 'dbo.RoleEntity'. The duplicate key value is (view-realm, ).
17:30:07,680 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-8) HHH000010: On release of batch it still contained JDBC statements
17:30:07,741 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /auth/admin/realms: java.lang.IllegalStateException: Transaction not active
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140616/21acb2a6/attachment.html

From mposolda at redhat.com Tue Jun 17 03:26:57 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 17 Jun 2014 09:26:57 +0200
Subject: [keycloak-user] Cannot insert duplicate key in object 'dbo.RoleEntity'
In-Reply-To:
References:
Message-ID: <539FEDC1.5030001@redhat.com>

Hi,

which database are you using? Still MS-SQL?

On 17.6.2014 00:42, Dean Peterson wrote:
> I have tried to create a new Realm using beta-2 and the latest master code. I always get the same error:
>
> Violation of UNIQUE KEY constraint 'UK_2cek0xo8yixluudnb1njcl94d'. Cannot insert duplicate key in object 'dbo.RoleEntity'. The duplicate key value is (view-realm, ).
> 17:30:07,680 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-8) HHH000010: On release of batch it still contained JDBC statements
> 17:30:07,741 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /auth/admin/realms: java.lang.IllegalStateException: Transaction not active
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140617/06167b92/attachment.html

From stian at redhat.com Tue Jun 17 05:12:24 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 17 Jun 2014 05:12:24 -0400 (EDT)
Subject: [keycloak-user] Roles Integration
In-Reply-To:
References: <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com> <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com>
Message-ID: <1932865719.27020073.1402996344070.JavaMail.zimbra@redhat.com>

We're currently working on performance testing and need to investigate how Keycloak handles large amounts of users. We'll also look at importing such a large amount of users into the db.

We'll look at this over the next week and get back to you :)

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Bill Burke"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 16 June, 2014 8:21:06 PM
> Subject: Re: [keycloak-user] Roles Integration
>
> Just to be more specific, our mapping here is really simple.
>
> We have 1 table with the users, one with the roles, and a third one that maps them both together.
>
> Thank you for trying to help!
> > > On Mon, Jun 16, 2014 at 12:44 PM, Rodrigo Sasaki < rodrigopsasaki at gmail.com >
> wrote:
> > > > They are all stored in a table on a RDBMS
> > > On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke < bburke at redhat.com > wrote:
> > > These 20 Million users: Are they stored in a RDBMS? LDAP?
> > On 6/16/2014 11:28 AM, Bill Burke wrote:
> > Nice! You will be a great reference for us. We'll make it happen.
> > Just remind us of this every time we're lax answering your questions :)
> > > > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> >> We have about 15 roles and over 20 million users
> >>
> >>
> >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen < stian at redhat.com
> >> > wrote:
> >>
> >>
> >>
> >> ----- Original Message -----
> >> > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> >> >
> >> > To: "Stian Thorgersen" < stian at redhat.com >
> >> > Cc: keycloak-user at lists.jboss.org
> >>
> >> > Sent: Monday, 16 June, 2014 3:27:43 PM
> >> > Subject: Re: [keycloak-user] Roles Integration
> >> >
> >> > That's an interesting suggestion, but how would I do that if the
> >> databases
> >> > are very different?
> >> >
> >> > Just remembering that I want to integrate the user role mappings,
> >> and not
> >> > just the roles themselves.
> >>
> >> Makes sense, roles are not worth much if no users have mappings to
> >> them ;)
> >>
> >> >
> >> > Should I create a JSON from my database following a specific
> >> format to
> >> > import it into Keycloak?
> >>
> >> Yes, that's the idea. Roughly how many users and roles do you have?
> >>
> >> >
> >> >
> >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen
> >> < stian at redhat.com > wrote:
> >> >
> >> > > The only way to do that at the moment would be to import the
> >> data into the
> >> > > Keycloak database. The easiest way to do this would be to
> >> export your
> >> > > database to json and import into Keycloak.
> >> > >
> >> > > If this is something you want to do, let me know and we can
> >> give you some
> >> > > instructions, maybe also an example, on how to do this.
> >> > >
> >> > > ----- Original Message -----
> >> > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> >> >
> >> > > > To: keycloak-user at lists.jboss.org
> >>
> >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> >> > > > Subject: [keycloak-user] Roles Integration
> >> > > >
> >> > > > Hi,
> >> > > >
> >> > > > I needed to migrate accounts from an old database to
> >> authenticate with
> >> > > > Keycloak, and I implemented my own provider of the
> >> Authentication SPI,
> >> > > which
> >> > > > worked fine.
> >> > > >
> >> > > > Now what should I do if I need to migrate the roles from
> >> those accounts
> >> > > > as well? Is there a suggested flow that I should follow?
> >> > > >
> >> > > > Thanks,
> >> > > >
> >> > > > --
> >> > > > Rodrigo Sasaki
> >> > > >
> >> > > > _______________________________________________
> >> > > > keycloak-user mailing list
> >> > > > keycloak-user at lists.jboss.org
> >>
> >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Rodrigo Sasaki
> >> >
> >>
> >>
> >>
> >>
> >> --
> >> Rodrigo Sasaki
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > > > --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > --
> Rodrigo Sasaki
> > > > --
> Rodrigo Sasaki
> > _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Tue Jun 17 06:52:06 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 17 Jun 2014 06:52:06 -0400 (EDT)
Subject: [keycloak-user] Multiple Social Providers for Single Account
In-Reply-To:
References: <53960776.1010706@redhat.com> <6cfn0jdftf386rvfmlweyjat.1402398688756@email.android.com> <83hkqyp97kcvkt9001e0rv0l.1402488436248@email.android.com>
Message-ID: <1720663750.27066374.1403002326947.JavaMail.zimbra@redhat.com>

Seems I replied without the list, so including list as cc.

I've looked at your alterations and I'm not confident with letting users link to an existing account without logging in to that account first.

We should be able to do this relatively easily though. If you're interested in looking at doing this work let me know and I can give you some pointers. Basically the idea is if an account with the same email exists:

* Use callback url from social provider, including query params, as redirect-uri
* Return login form with message saying user with email exists, please login to link accounts
* Login form is submitted and processed by token service as usual
* Login form redirects to social callback uri
* Social callback uri creates social link (which it can do now as the user is authenticated)
* Redirect to app

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Sent: Wednesday, 11 June, 2014 1:41:13 PM
> Subject: Re: [keycloak-user] Multiple Social Providers for Single Account
> > That is totally fine, I'm just hoping I can help you guys somehow,
> contribute with something too
> > > On Wed, Jun 11, 2014 at 9:07 AM, Stian Thorgersen
> wrote:
> > > I'll have a look at it and get back to you. It won't be until beginning of
> > next week though.
> > > > Rodrigo Sasaki wrote:
> > > > > > We need this feature now, so we're making some alterations to make it work
> > for us.
> > > > Although we'd like to contribute to the Keycloak project if you feel our
> > alteration is fitting. We have done some tests, and we changed the
> > SocialResource class to treat this special flow.
> > > > What we did is add a step to find the user by e-mail, before going into
> > the block where it creates a new user from scratch. I'm not a security
> > specialist, that's why I'd like you to take a look at it, because there may
> > exist security flaws that I'm not aware of, and if we can come up with
> > something that looks good, we could submit a PR for the project.
> > > > Here's how our code looks now, we built it on top of the beta-2 source:
> > http://pastebin.com/H9S0fWjH
> > > > I highlighted the part where alterations begin and end.
> > > > I hope we can help each other in this.
> > > > Best regards,
> > Rodrigo
> > > > > > On Tue, Jun 10, 2014 at 8:11 AM, Stian Thorgersen
> > wrote:
> >
> >> Currently the only way we support to link multiple accounts is through
> >> the account management. There's no automatic linking, so the problem you're
> >> seeing is at the moment the expected behavior as we only allow one account
> >> per email.
> >>
> >> We would like to improve this flow in the future, and any suggestions on
> >> how it could/should work would be great. It would most likely not be added
> >> until after 1.0.final.
> >>
> >> Rodrigo Sasaki wrote:
> >>
> >>
> >> I guess it can wait, it would be good to get this sorted but I know
> >> you're all very busy.
> >>
> >> I'll download the master branch again and see what I can find
> >>
> >>
> >> On Mon, Jun 9, 2014 at 4:13 PM, Bill Burke wrote:
> >>
> >>> Stian wrote this code and is at a face to face meeting this week. Can
> >>> you wait until next week for an answer? I could look into it, but I'm
> >>> focused on some caching features and pushing out Beta 3 at the moment.
> >>>
> >>> On 6/9/2014 10:43 AM, Rodrigo Sasaki wrote:
> >>> > I've been trying to work with the Social Providers feature of Keycloak,
> >>> > but I've had some problems.
> >>> >
> >>> > First of all I'm using the beta-2 version, and I created Facebook and
> >>> > Google links to applications I have there and it worked fine.
> >>> >
> >>> > If I create a new user logging in with Facebook it works
> >>> > If I create a new user logging in with Google it works as well.
> >>> >
> >>> > When I try linking things, that's where things go wrong.
> >>> >
> >>> > I have created a new Keycloak user, and accessed:
> >>> >
> >>> > *http://localhost:8080/auth/realms/myrealm/account*
> >>> >
> >>> > and on that URL I associated my Google and Facebook accounts, when I do
> >>> > it like that, it all works fine, but when I tried to see if it worked
> >>> > automatically it all went south.
> >>> >
> >>> > I deleted the social links from this account, and then tried to login
> >>> to
> >>> > a keycloak secured application via Facebook, and the e-mail of my
> >>> > Facebook account is the same of the keycloak account, which led to an
> >>> > exception
> >>> >
> >>> > /org.keycloak.models.ModelDuplicateException:
> >>> > javax.persistence.PersistenceException:
> >>> > org.hibernate.exception.ConstraintViolationException: ERROR: duplicate
> >>> > key value violates unique constraint "userentity_realm_email_key"/
> >>> >
> >>> > The same happens if I have no account at all, and create one with
> >>> > Facebook, then try logging in with Google.
> >>> >
> >>> > Is there something I'm missing, or is this flow still being worked on?
> >>> > > >>> > I have read this wiki, and I think it's the item 5 that isn't working > >>> > correctly > >>> > > >>> > > >>> https://github.com/keycloak/keycloak/wiki/Registration-Authentication-with-social-providers-and-linking-of-social-accounts > >>> > > >>> > > >>> > -- > >>> > Rodrigo Sasaki > >>> > > >>> > > >>> > _______________________________________________ > >>> > keycloak-user mailing list > >>> > keycloak-user at lists.jboss.org > >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > > >>> > >>> -- > >>> Bill Burke > >>> JBoss, a division of Red Hat > >>> http://bill.burkecentral.com > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> > >> > >> -- > >> Rodrigo Sasaki > >> > > > > > > > > -- > > Rodrigo Sasaki > > > > > > -- > Rodrigo Sasaki > From stian at redhat.com Tue Jun 17 06:58:34 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 17 Jun 2014 06:58:34 -0400 (EDT) Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: References: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com> Message-ID: <1668041774.27068134.1403002714309.JavaMail.zimbra@redhat.com> This is quite likely an issue with either Apache or WildFly not being configured correctly. Have you enabled proxy-address-forwarding in WildFly/Undertow (see https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration for more info)? ----- Original Message ----- > From: "Josh" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 16 June, 2014 4:42:27 PM > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies > > The first would be at the "Welcome to Keycloak" page, clicking on > Administration Console. 
The link itself is not redirecting to http, but as > part of the login page it looks like it forwards back to http. (eg. > https://auth.psidox.com/auth/ -> https://auth.psidox.com/auth/admin/ -> > http://auth.psidox.com/auth/admin/master/console -> > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code > ) > > I haven't really gotten too far beyond the login page. > > - Josh > > > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen wrote: > > > When does it forward the browser from https to http? > > > > As Bill pointed out, does auth-server-url in your keycloak.json point to > > your proxy with https? > > > > What adapter are you using? > > > > ----- Original Message ----- > > > From: "Josh" > > > To: keycloak-user at lists.jboss.org > > > Sent: Friday, 13 June, 2014 8:41:32 AM > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse > > proxies > > > > > > Hi guys, > > > > > > So looking to help solve this issue possibly or at least get it on the > > radar, > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497 > > > > > > To breifly recap the issue, when logging in via reverse proxy it keeps > > > forwarding the browser from https back to regular http. > > > > > > Eg. Apache virtualhost configured as: > > > > > > > > > ServerName auth.domain.com > > > SSLEngine On > > > > > > > > > Order deny,allow > > > Allow from all > > > > > > > > > ProxyVia Off > > > ProxyPreserveHost On > > > ProxyRequests Off > > > > > > ProxyPass / http://keycloak.core.docker:8080/ > > > ProxyPassReverse / http://keycloak.core.docker:8080/ > > > > > > > > > > > > > > > If I were to start looking into the code base, where would I start? > > Trying to > > > find for example during the login process how the forward url is formed? 
> > > > > > Thanks,
> > > > > > Josh
> > > > > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >

From rodrigopsasaki at gmail.com Tue Jun 17 07:23:08 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 17 Jun 2014 08:23:08 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To: <1932865719.27020073.1402996344070.JavaMail.zimbra@redhat.com>
References: <1481369054.26574261.1402929163263.JavaMail.zimbra@redhat.com> <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com> <1932865719.27020073.1402996344070.JavaMail.zimbra@redhat.com>
Message-ID:

That would be really awesome, thanks :)

But just for now, could you tell me how to do it with the JSON like you previously suggested? That way I can import a sample of my users in my dev environment so I can keep on testing it out.

On Tue, Jun 17, 2014 at 6:12 AM, Stian Thorgersen wrote:
> We're currently working on performance testing and need to investigate how
> Keycloak handles with large amounts of users. We'll also look at importing
> such a large amount of users into the db.
> > We'll look at this over the next week and get back to you :)
> > ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Bill Burke"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Monday, 16 June, 2014 8:21:06 PM
> > Subject: Re: [keycloak-user] Roles Integration
> > > > Just to be more specific, our mapping here is really simple.
> > > > We have 1 table with the users, one with the roles, and a third one that
> maps
> > them both together.
> > > > Thank you for trying to help!
> > > > > > On Mon, Jun 16, 2014 at 12:44 PM, Rodrigo Sasaki <
> rodrigopsasaki at gmail.com >
> > wrote:
> > > > > > > > They are all stored in a table on a RDBMS
> > > > > > On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke < bburke at redhat.com >
> wrote:
> > > > > > These 20 Million users: Are they stored in a RDBMS? LDAP?
> > > > On 6/16/2014 11:28 AM, Bill Burke wrote:
> > > Nice! You will be a great reference for us. We'll make it happen.
> > > Just remind us of this every time we're lax answering your questions :)
> > > > > > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> > >> We have about 15 roles and over 20 million users
> > >>
> > >>
> > >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen < stian at redhat.com
> > >> > wrote:
> > >>
> > >>
> > >>
> > >> ----- Original Message -----
> > >> > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > >> >
> > >> > To: "Stian Thorgersen" < stian at redhat.com >>
> > >> > Cc: keycloak-user at lists.jboss.org
> > >>
> > >> > Sent: Monday, 16 June, 2014 3:27:43 PM
> > >> > Subject: Re: [keycloak-user] Roles Integration
> > >> >
> > >> > That's an interesting suggestion, but how would I do that if the
> > >> databases
> > >> > are very different?
> > >> >
> > >> > Just remembering that I want to integrate the user role mappings,
> > >> and not
> > >> > just the roles themselves.
> > >>
> > >> Makes sense, roles are not worth much if no users have mappings to
> > >> them ;)
> > >>
> > >> >
> > >> > Should I create a JSON from my database following a specific
> > >> format to
> > >> > import it into Keycloak?
> > >>
> > >> Yes, that's the idea. Roughly how many users and roles do you have?
> > >>
> > >> >
> > >> >
> > >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen
> > >> < stian at redhat.com > wrote:
> > >> >
> > >> > > The only way to do that at the moment would be to import the
> > >> data into the
> > >> > > Keycloak database. The easiest way to do this would be to
> > >> export your
> > >> > > database to json and import into Keycloak.
> > >> > >
> > >> > > If this is something you want to do, let me know and we can
> > >> give you some
> > >> > > instructions, maybe also an example, on how to do this.
> > >> > >
> > >> > > ----- Original Message -----
> > >> > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > >> >
> > >> > > > To: keycloak-user at lists.jboss.org
> > >>
> > >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > >> > > > Subject: [keycloak-user] Roles Integration
> > >> > > >
> > >> > > > Hi,
> > >> > > >
> > >> > > > I needed to migrate accounts from an old database to
> > >> authenticate with
> > >> > > > Keycloak, and I implemented my own provider of the
> > >> Authentication SPI,
> > >> > > which
> > >> > > > worked fine.
> > >> > > >
> > >> > > > Now what should I do if I need to migrate the roles from
> > >> those accounts
> > >> > > > as well? Is there a suggested flow that I should follow?
> > >> > > >
> > >> > > > Thanks,
> > >> > > >
> > >> > > > --
> > >> > > > Rodrigo Sasaki
> > >> > > >
> > >> > > > _______________________________________________
> > >> > > > keycloak-user mailing list
> > >> > > > keycloak-user at lists.jboss.org
> > >>
> > >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > Rodrigo Sasaki
> > >> >
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >> Rodrigo Sasaki
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > > > > > > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > > > --
> > Rodrigo Sasaki
> > > > > > > > --
> > Rodrigo Sasaki
> > > > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Rodrigo Sasaki

From stian at redhat.com Tue Jun 17 07:33:17 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 17 Jun 2014 07:33:17 -0400 (EDT)
Subject: [keycloak-user] Roles Integration
In-Reply-To:
References: <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com> <1932865719.27020073.1402996344070.JavaMail.zimbra@redhat.com>
Message-ID: <874239368.27084167.1403004797316.JavaMail.zimbra@redhat.com>

Currently we don't support importing users into an existing realm, but you can import a complete realm config including users.

Have a look at https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/resources/testrealm.json. This includes the realm, a few apps/clients, roles, scope mappings, users and user role mappings. You can import this either by running keycloak with -Dkeycloak.import= or through the admin console by selecting add realm and using the upload option.

It will only work if the realm doesn't already exist, and it's not very efficient at the moment (everything is loaded into memory and written to the db in one transaction).

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Tuesday, 17 June, 2014 12:23:08 PM
> Subject: Re: [keycloak-user] Roles Integration
> > That would be really awesome, thanks :)
> > But just for now, could you tell me how to do it with the JSON like you
> previously suggested? That way I can import a sample of my users in my dev
> environment so I can keep on testing it out.
> > > On Tue, Jun 17, 2014 at 6:12 AM, Stian Thorgersen wrote:
> > > We're currently working on performance testing and need to investigate how
> > Keycloak handles with large amounts of users. We'll also look at importing
> > such a large amount of users into the db.
> > > > We'll look at this over the next week and get back to you :)
> > > > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: "Bill Burke"
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 16 June, 2014 8:21:06 PM
> > > Subject: Re: [keycloak-user] Roles Integration
> > > > > > Just to be more specific, our mapping here is really simple.
> > > > > > We have 1 table with the users, one with the roles, and a third one that
> > maps
> > > them both together.
> > > > > > Thank you for trying to help!
> > > > > > > > > On Mon, Jun 16, 2014 at 12:44 PM, Rodrigo Sasaki <
> > rodrigopsasaki at gmail.com >
> > > wrote:
> > > > > > > > > > > > They are all stored in a table on a RDBMS
> > > > > > > > > On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke < bburke at redhat.com >
> > wrote:
> > > > > > > > > These 20 Million users: Are they stored in a RDBMS? LDAP?
> > > > > > On 6/16/2014 11:28 AM, Bill Burke wrote:
> > > > Nice! You will be a great reference for us. We'll make it happen.
> > > > Just remind us of this every time we're lax answering your questions :)
> > > > > > > > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> > > >> We have about 15 roles and over 20 million users
> > > >>
> > > >>
> > > >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen < stian at redhat.com
> > > >> > wrote:
> > > >>
> > > >>
> > > >>
> > > >> ----- Original Message -----
> > > >> > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > > >> >
> > > >> > To: "Stian Thorgersen" < stian at redhat.com
> >>
> > > >> > Cc: keycloak-user at lists.jboss.org
> > > >>
> > > >> > Sent: Monday, 16 June, 2014 3:27:43 PM
> > > >> > Subject: Re: [keycloak-user] Roles Integration
> > > >> >
> > > >> > That's an interesting suggestion, but how would I do that if the
> > > >> databases
> > > >> > are very different?
> > > >> >
> > > >> > Just remembering that I want to integrate the user role mappings,
> > > >> and not
> > > >> > just the roles themselves.
> > > >>
> > > >> Makes sense, roles are not worth much if no users have mappings to
> > > >> them ;)
> > > >>
> > > >> >
> > > >> > Should I create a JSON from my database following a specific
> > > >> format to
> > > >> > import it into Keycloak?
> > > >>
> > > >> Yes, that's the idea. Roughly how many users and roles do you have?
> > > >>
> > > >> >
> > > >> >
> > > >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen
> > > >> < stian at redhat.com > wrote:
> > > >> >
> > > >> > > The only way to do that at the moment would be to import the
> > > >> data into the
> > > >> > > Keycloak database. The easiest way to do this would be to
> > > >> export your
> > > >> > > database to json and import into Keycloak.
> > > >> > >
> > > >> > > If this is something you want to do, let me know and we can
> > > >> give you some
> > > >> > > instructions, maybe also an example, on how to do this.
> > > >> > >
> > > >> > > ----- Original Message -----
> > > >> > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > > >> >
> > > >> > > > To: keycloak-user at lists.jboss.org
> > > >>
> > > >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > > >> > > > Subject: [keycloak-user] Roles Integration
> > > >> > > >
> > > >> > > > Hi,
> > > >> > > >
> > > >> > > > I needed to migrate accounts from an old database to
> > > >> authenticate with
> > > >> > > > Keycloak, and I implemented my own provider of the
> > > >> Authentication SPI,
> > > >> > > which
> > > >> > > > worked fine.
> > > >> > > >
> > > >> > > > Now what should I do if I need to migrate the roles from
> > > >> those accounts
> > > >> > > > as well? Is there a suggested flow that I should follow?
> > > >> > > >
> > > >> > > > Thanks,
> > > >> > > >
> > > >> > > > --
> > > >> > > > Rodrigo Sasaki
> > > >> > > >
> > > >> > > > _______________________________________________
> > > >> > > > keycloak-user mailing list
> > > >> > > > keycloak-user at lists.jboss.org
> > > >>
> > > >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >> > >
> > > >> >
> > > >> >
> > > >> >
> > > >> > --
> > > >> > Rodrigo Sasaki
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Rodrigo Sasaki
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> keycloak-user mailing list
> > > >> keycloak-user at lists.jboss.org
> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >>
> > > > > > > > > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > > > > > > > --
> > > Rodrigo Sasaki
> > > > > > > > > > > > --
> > > Rodrigo Sasaki
> > > > > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > --
> Rodrigo Sasaki
>

From rodrigopsasaki at gmail.com Tue Jun 17 07:36:06 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 17 Jun 2014 08:36:06 -0300
Subject: [keycloak-user] Roles Integration
In-Reply-To: <874239368.27084167.1403004797316.JavaMail.zimbra@redhat.com>
References: <539F0D36.9080100@redhat.com> <539F0E8C.6090202@redhat.com> <1932865719.27020073.1402996344070.JavaMail.zimbra@redhat.com> <874239368.27084167.1403004797316.JavaMail.zimbra@redhat.com>
Message-ID:

Oh, interesting. I'll look into that.

I'll make sure to not include so many users, it's just so I can keep testing keycloak with our application here :)

Thank you very much!

On Tue, Jun 17, 2014 at 8:33 AM, Stian Thorgersen wrote:
> Currently we don't support importing users into an existing realm, but you
> can import a complete realm config including users.
> > Have a look at
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/resources/testrealm.json.
> This includes the realm, a few apps/clients, roles, scope mappings, users
> and user role mappings. You can import this either by running keycloak with
> -Dkeycloak.import= or through the admin console by
> selecting add realm and using the upload option.
> > It will only work if the realm doesn't already exist, and it's not very
> efficient at the moment (everything is loaded into memory and written to
> the db in one transaction).
> > ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > Sent: Tuesday, 17 June, 2014 12:23:08 PM
> > Subject: Re: [keycloak-user] Roles Integration
> > > > That would be really awesome, thanks :)
> > > > But just for now, could you tell me how to do it with the JSON like you
> > previously suggested? That way I can import a sample of my users in my
> dev
> > environment so I can keep on testing it out.
> > > > > > On Tue, Jun 17, 2014 at 6:12 AM, Stian Thorgersen
> wrote:
> > > > > We're currently working on performance testing and need to investigate
> how
> > > Keycloak handles with large amounts of users. We'll also look at
> importing
> > > such a large amount of users into the db.
> > > > > > We'll look at this over the next week and get back to you :)
> > > > > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: "Bill Burke"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 16 June, 2014 8:21:06 PM
> > > > Subject: Re: [keycloak-user] Roles Integration
> > > > > > > > Just to be more specific, our mapping here is really simple.
> > > > > > > > We have 1 table with the users, one with the roles, and a third one
> that
> > > maps
> > > > them both together.
> > > > > > > > Thank you for trying to help!
> > > > > > > > > > > > On Mon, Jun 16, 2014 at 12:44 PM, Rodrigo Sasaki <
> > > rodrigopsasaki at gmail.com >
> > > > wrote:
> > > > > > > > > > > > > > > > They are all stored in a table on a RDBMS
> > > > > > > > > > > > On Mon, Jun 16, 2014 at 12:34 PM, Bill Burke < bburke at redhat.com >
> > > wrote:
> > > > > > > > > > > > These 20 Million users: Are they stored in a RDBMS? LDAP?
> > > > > > > > On 6/16/2014 11:28 AM, Bill Burke wrote:
> > > > > Nice! You will be a great reference for us. We'll make it happen.
> > > > > Just remind us of this every time we're lax answering your
> questions :)
> > > > > > > > > > On 6/16/2014 10:44 AM, Rodrigo Sasaki wrote:
> > > > >> We have about 15 roles and over 20 million users
> > > > >>
> > > > >>
> > > > >> On Mon, Jun 16, 2014 at 11:32 AM, Stian Thorgersen <
> stian at redhat.com
> > > > >> > wrote:
> > > > >>
> > > > >>
> > > > >>
> > > > >> ----- Original Message -----
> > > > >> > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > > > >> >
> > > > >> > To: "Stian Thorgersen" < stian at redhat.com stian at redhat.com
> > > >>
> > > > >> > Cc: keycloak-user at lists.jboss.org
> > > > >>
> > > > >> > Sent: Monday, 16 June, 2014 3:27:43 PM
> > > > >> > Subject: Re: [keycloak-user] Roles Integration
> > > > >> >
> > > > >> > That's an interesting suggestion, but how would I do that if the
> > > > >> databases
> > > > >> > are very different?
> > > > >> >
> > > > >> > Just remembering that I want to integrate the user role
> mappings,
> > > > >> and not
> > > > >> > just the roles themselves.
> > > > >>
> > > > >> Makes sense, roles are not worth much if no users have mappings to
> > > > >> them ;)
> > > > >>
> > > > >> >
> > > > >> > Should I create a JSON from my database following a specific
> > > > >> format to
> > > > >> > import it into Keycloak?
> > > > >>
> > > > >> Yes, that's the idea. Roughly how many users and roles do you
> have?
> > > > >>
> > > > >> >
> > > > >> >
> > > > >> > On Mon, Jun 16, 2014 at 6:01 AM, Stian Thorgersen
> > > > >> < stian at redhat.com > wrote:
> > > > >> >
> > > > >> > > The only way to do that at the moment would be to import the
> > > > >> data into the
> > > > >> > > Keycloak database. The easiest way to do this would be to
> > > > >> export your
> > > > >> > > database to json and import into Keycloak.
> > > > >> > >
> > > > >> > > If this is something you want to do, let me know and we can
> > > > >> give you some
> > > > >> > > instructions, maybe also an example, on how to do this.
> > > > >> > >
> > > > >> > > ----- Original Message -----
> > > > >> > > > From: "Rodrigo Sasaki" < rodrigopsasaki at gmail.com
> > > > >> >
> > > > >> > > > To: keycloak-user at lists.jboss.org
> > > > >>
> > > > >> > > > Sent: Friday, 13 June, 2014 3:39:55 PM
> > > > >> > > > Subject: [keycloak-user] Roles Integration
> > > > >> > > >
> > > > >> > > > Hi,
> > > > >> > > >
> > > > >> > > > I needed to migrate accounts from an old database to
> > > > >> authenticate with
> > > > >> > > > Keycloak, and I implemented my own provider of the
> > > > >> Authentication SPI,
> > > > >> > > which
> > > > >> > > > worked fine.
> > > > >> > > >
> > > > >> > > > Now what should I do if I need to migrate the roles from
> > > > >> those accounts
> > > > >> > > > as well? Is there a suggested flow that I should follow?
> > > > >> > > > > > > > >> > > > Thanks, > > > > >> > > > > > > > >> > > > -- > > > > >> > > > Rodrigo Sasaki > > > > >> > > > > > > > >> > > > _______________________________________________ > > > > >> > > > keycloak-user mailing list > > > > >> > > > keycloak-user at lists.jboss.org > > > > >> > > > > >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >> > > > > > > >> > > > > > >> > > > > > >> > > > > > >> > -- > > > > >> > Rodrigo Sasaki > > > > >> > > > > > >> > > > > >> > > > > >> > > > > >> > > > > >> -- > > > > >> Rodrigo Sasaki > > > > >> > > > > >> > > > > >> _______________________________________________ > > > > >> keycloak-user mailing list > > > > >> keycloak-user at lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >> > > > > > > > > > > > > > -- > > > > Bill Burke > > > > JBoss, a division of Red Hat > > > > http://bill.burkecentral.com > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > > > > > > > > > -- > > > > Rodrigo Sasaki > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Rodrigo Sasaki > > > -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140617/68bc6920/attachment-0001.html From peterson.dean at gmail.com Tue Jun 17 10:08:18 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Tue, 17 Jun 2014 09:08:18 -0500 Subject: [keycloak-user] Cannot insert duplicate key in object 'dbo.RoleEntity' In-Reply-To: <539FEDC1.5030001@redhat.com> References: <539FEDC1.5030001@redhat.com> Message-ID: Yes, I am still using MS-SQL. I am impressed you remembered. On Tue, Jun 17, 2014 at 2:26 AM, Marek Posolda wrote: > Hi, > > which database are you using? Still MS-SQL? > > > > On 17.6.2014 00:42, Dean Peterson wrote: > > I have tried to create a new Realm using beta-2 and the latest master > code. I always get the same error: > > Violation of UNIQUE KEY constraint 'UK_2cek0xo8yixluudnb1njcl94d'. > Cannot insert duplicate key in object 'dbo.RoleEntity'. The duplicate key > value is (view-realm, ). > 17:30:07,680 INFO > [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default > task-8) HHH000010: On release of batch it still contained JDBC statements > 17:30:07,741 ERROR [io.undertow.request] (default task-8) UT005023: > Exception handling request to /auth/admin/realms: > java.lang.IllegalStateException: Transaction not active > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140617/a701a3cc/attachment.html From smysnk at gmail.com Tue Jun 17 13:19:10 2014 From: smysnk at gmail.com (Josh) Date: Tue, 17 Jun 2014 11:19:10 -0600 Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: <1668041774.27068134.1403002714309.JavaMail.zimbra@redhat.com> References: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com> <1668041774.27068134.1403002714309.JavaMail.zimbra@redhat.com> Message-ID: Excellent, just tested it out and it is working as expected. I also had to add 'RequestHeader set X-Forwarded-Proto "https"' to my Apache virtualhost configuration. Some documentation somewhere that this is required would be useful for the next guy. Thanks, Josh On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen wrote: > This is quite likely an issue with either Apache or WildFly not being > configured correctly. > > Have you enabled proxy-address-forwarding in WildFly/Undertow (see > https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration > for more info)? > > ----- Original Message ----- > > From: "Josh" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, 16 June, 2014 4:42:27 PM > > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse > proxies > > > > The first would be at the "Welcome to Keycloak" page, clicking on > > Administration Console. The link itself is not redirecting to http, but > as > > part of the login page it looks like it forwards back to http. (eg. 
> > https://auth.psidox.com/auth/ -> https://auth.psidox.com/auth/admin/ -> > > http://auth.psidox.com/auth/admin/master/console -> > > > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code > > ) > > > > I haven't really gotten too far beyond the login page. > > > > - Josh > > > > > > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen > wrote: > > > > > When does it forward the browser from https to http? > > > > > > As Bill pointed out, does auth-server-url in your keycloak.json point > to > > > your proxy with https? > > > > > > What adapter are you using? > > > > > > ----- Original Message ----- > > > > From: "Josh" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Friday, 13 June, 2014 8:41:32 AM > > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse > > > proxies > > > > > > > > Hi guys, > > > > > > > > So looking to help solve this issue possibly or at least get it on > the > > > radar, > > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497 > > > > > > > > To breifly recap the issue, when logging in via reverse proxy it > keeps > > > > forwarding the browser from https back to regular http. > > > > > > > > Eg. Apache virtualhost configured as: > > > > > > > > > > > > ServerName auth.domain.com > > > > SSLEngine On > > > > > > > > > > > > Order deny,allow > > > > Allow from all > > > > > > > > > > > > ProxyVia Off > > > > ProxyPreserveHost On > > > > ProxyRequests Off > > > > > > > > ProxyPass / http://keycloak.core.docker:8080/ > > > > ProxyPassReverse / http://keycloak.core.docker:8080/ > > > > > > > > > > > > > > > > > > > > If I were to start looking into the code base, where would I start? > > > Trying to > > > > find for example during the login process how the forward url is > formed? 
> > > > > > > > Thanks, > > > > > > > > Josh > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140617/4eca79ff/attachment.html From peterson.dean at gmail.com Tue Jun 17 14:52:11 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Tue, 17 Jun 2014 13:52:11 -0500 Subject: [keycloak-user] Another Show Stopper (Cannot insert duplicate key in object 'dbo.UserEntity') Message-ID: I receive this error registering a new user in my application with entirely new/fresh ms-sql tables with jpa backed keycloak entities: com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE KEY constraint 'UK_qyr7vp9oe4mrwm2jfmt5c5k7q'. Cannot insert duplicate key in object 'dbo.UserEntity'. The duplicate key value is (master, ) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140617/7689b9e7/attachment.html From juraci at kroehling.de Wed Jun 18 05:44:38 2014 From: juraci at kroehling.de (=?ISO-8859-1?Q?Juraci_Paix=E3o_Kr=F6hling?=) Date: Wed, 18 Jun 2014 11:44:38 +0200 Subject: [keycloak-user] Docker images In-Reply-To: <5399BCC2.4060908@kroehling.de> References: <539945C0.5050407@kroehling.de> <5399A1D5.1030405@redhat.com> <5399A2A0.40702@redhat.com> <5399A749.80008@kroehling.de> <5399A81D.3000606@kroehling.de> <5399BCC2.4060908@kroehling.de> Message-ID: <53A15F86.1050403@kroehling.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 All, The images have been integrated as a trusted and automated build inside the JBoss namespace: https://registry.hub.docker.com/repos/jboss/ - - Juca. 
On 06/12/2014 04:44 PM, Juraci Paixão Kröhling wrote: > So, I've uploaded the following images to my namespace on Docker. > If those look good, I'll get them available on jboss' namespace > (jboss/keycloak, for instance). > > https://hub.docker.com/u/jpkroehling/ > > keycloak-wildfly - Wildfly 8.1.0.Final + KC subsystem > > keycloak (this should be the default one, hence the shorter name) - > "keycloak-wildfly" + Auth-server > > keycloak-examples - "keycloak" + examples > > Those can be tested with these commands: > > $ docker run -it -p 8080:8080 jpkroehling/keycloak > $ docker run -it -p 8080:8080 jpkroehling/keycloak-wildfly > $ docker run -it -p 8080:8080 jpkroehling/keycloak-examples > > - Juca. > > On 06/12/2014 03:16 PM, Juraci Paixão Kröhling wrote: >>> keycloak (wildfly + auth server war + KC subsystem) - >>> keycloak-wildfly (wildfly + KC subsystem, no auth-server) - >>> keycloak-examples ("keycloak-full" image + examples) > >> s/keycloak-full/keycloak/ > > >>> What about the names? Do they match the expectation? > >>> - Juca. > >>> On 06/12/2014 02:52 PM, Stan Silvert wrote: >>>> On 6/12/2014 8:49 AM, Bill Burke wrote: >>>>> >>>>> On 6/12/2014 2:16 AM, Juraci Paixão Kröhling wrote: >>>>>> - - keycloak (wildfly + auth server war, no KC >>>>>> subsystem) >>>>> I would say no to this one. Eventually, the whole wildfly >>>>> instance will be secured by KC and we will need the >>>>> subsystem. >>>>> >>>>> >>>> I'll add my -1 as well.
> > > >>> _______________________________________________ keycloak-user >>> mailing list keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> _______________________________________________ keycloak-user >> mailing list keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Wed Jun 18 06:13:57 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 18 Jun 2014 06:13:57 -0400 (EDT) Subject: [keycloak-user] Significant SSL issue: Support for reverse proxies In-Reply-To: References: <889050222.26378615.1402911202579.JavaMail.zimbra@redhat.com> <1668041774.27068134.1403002714309.JavaMail.zimbra@redhat.com> Message-ID: <723983758.28518910.1403086437950.JavaMail.zimbra@redhat.com> I've updated the documentation. One more thing you should enable is the confidential transport-guarantee for Keycloak to make sure all http traffic is redirected to https. To make sure it redirects to the correct port you also need to specify redirect-socket. I've included the added documentation below so you don't have to build this from source. Added Documentation: 3.3.4.2.
Enable SSL on a Reverse Proxy Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml. First add proxy-address-forwarding and redirect-socket to the http-listener element: ... ... Then add a new socket-binding element to the socket-binding-group element: ... ... Check the WildFly documentation [https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration] for more information. ----- Original Message ----- > From: "Josh" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 17 June, 2014 6:19:10 PM > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse proxies > > Excellent, just tested it out and it is working as expected. > > I also had to add 'RequestHeader set X-Forwarded-Proto "https"' to my > Apache virtualhost configuration. > > Some documentation somewhere that this is required would be useful for the > next guy. > > Thanks, > Josh > > > On Tue, Jun 17, 2014 at 4:58 AM, Stian Thorgersen wrote: > > > This is quite likely an issue with either Apache or WildFly not being > > configured correctly. > > > > Have you enabled proxy-address-forwarding in WildFly/Undertow (see > > https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration > > for more info)? 
> > > > ----- Original Message ----- > > > From: "Josh" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Monday, 16 June, 2014 4:42:27 PM > > > Subject: Re: [keycloak-user] Significant SSL issue: Support for reverse > > proxies > > > > > > The first would be at the "Welcome to Keycloak" page, clicking on > > > Administration Console. The link itself is not redirecting to http, but > > as > > > part of the login page it looks like it forwards back to http. (eg. > > > https://auth.psidox.com/auth/ -> https://auth.psidox.com/auth/admin/ -> > > > http://auth.psidox.com/auth/admin/master/console -> > > > > > http://auth.psidox.com/auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fauth.psidox.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=2ae3dfaa-fe7c-4973-8932-ffea553d8dfe&response_type=code > > > ) > > > > > > I haven't really gotten too far beyond the login page. > > > > > > - Josh > > > > > > > > > On Mon, Jun 16, 2014 at 3:33 AM, Stian Thorgersen > > wrote: > > > > > > > When does it forward the browser from https to http? > > > > > > > > As Bill pointed out, does auth-server-url in your keycloak.json point > > to > > > > your proxy with https? > > > > > > > > What adapter are you using? > > > > > > > > ----- Original Message ----- > > > > > From: "Josh" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Friday, 13 June, 2014 8:41:32 AM > > > > > Subject: [keycloak-user] Significant SSL issue: Support for reverse > > > > proxies > > > > > > > > > > Hi guys, > > > > > > > > > > So looking to help solve this issue possibly or at least get it on > > the > > > > radar, > > > > > I've reported it here: https://issues.jboss.org/browse/KEYCLOAK-497 > > > > > > > > > > To breifly recap the issue, when logging in via reverse proxy it > > keeps > > > > > forwarding the browser from https back to regular http. > > > > > > > > > > Eg. 
Apache virtualhost configured as: > > > > > > > > > > > > > > > ServerName auth.domain.com > > > > > SSLEngine On > > > > > > > > > > > > > > > Order deny,allow > > > > > Allow from all > > > > > > > > > > > > > > > ProxyVia Off > > > > > ProxyPreserveHost On > > > > > ProxyRequests Off > > > > > > > > > > ProxyPass / http://keycloak.core.docker:8080/ > > > > > ProxyPassReverse / http://keycloak.core.docker:8080/ > > > > > > > > > > > > > > > > > > > > > > > > > If I were to start looking into the code base, where would I start? > > > > Trying to > > > > > find for example during the login process how the forward url is > > formed? > > > > > > > > > > Thanks, > > > > > > > > > > Josh > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > From mposolda at redhat.com Wed Jun 18 08:55:44 2014 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 18 Jun 2014 14:55:44 +0200 Subject: [keycloak-user] Another Show Stopper (Cannot insert duplicate key in object 'dbo.UserEntity') In-Reply-To: References: Message-ID: <53A18C50.9000408@redhat.com> This issue and also the second issue you reported yesterday are now fixed in Keycloak master and will be available in next Keycloak Beta-3 release, which will be available in few days (maybe even later today). Marek On 17.6.2014 20:52, Dean Peterson wrote: > I receive this error registering a new user in my application with > entirely new/fresh ms-sql tables with jpa backed keycloak entities: > > com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE > KEY constraint 'UK_qyr7vp9oe4mrwm2jfmt5c5k7q'. Cannot insert duplicate > key in object 'dbo.UserEntity'. 
The duplicate key value is (master, > ) > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140618/625817eb/attachment.html From peterson.dean at gmail.com Wed Jun 18 16:26:14 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Wed, 18 Jun 2014 15:26:14 -0500 Subject: [keycloak-user] Another Show Stopper (Cannot insert duplicate key in object 'dbo.UserEntity') In-Reply-To: <53A18C50.9000408@redhat.com> References: <53A18C50.9000408@redhat.com> Message-ID: Thank you! Everything seems to be working now. On Wed, Jun 18, 2014 at 7:55 AM, Marek Posolda wrote: > This issue and also the second issue you reported yesterday are now > fixed in Keycloak master and will be available in next Keycloak Beta-3 > release, which will be available in few days (maybe even later today). > > Marek > > > On 17.6.2014 20:52, Dean Peterson wrote: > > I receive this error registering a new user in my application with > entirely new/fresh ms-sql tables with jpa backed keycloak entities: > > com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE > KEY constraint 'UK_qyr7vp9oe4mrwm2jfmt5c5k7q'. Cannot insert duplicate key > in object 'dbo.UserEntity'. The duplicate key value is (master, ) > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140618/6efb3e45/attachment.html From bburke at redhat.com Thu Jun 19 10:46:55 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 19 Jun 2014 10:46:55 -0400 Subject: [keycloak-user] beta 3 released Message-ID: <53A2F7DF.7000401@redhat.com> Mostly a bunch of bug fixes. Follow links on keycloak.org to download, view release notes, etc. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Thu Jun 19 14:29:49 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 19 Jun 2014 13:29:49 -0500 Subject: [keycloak-user] ldap setup Message-ID: Hello, I am trying to get ldap to work and it seems the query in picketlink's LDAPIdentityStore.java on line 186 uses id or uid to find the user in an Active Directory. Our Active Directory stores the username as the property sAMAccountName. I believe this prevents keycloak's new ldap integration from working. Am I missing something? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140619/74d452b3/attachment.html From asgeirf at gmail.com Thu Jun 19 16:01:49 2014 From: asgeirf at gmail.com (Asgeir Frimannsson) Date: Thu, 19 Jun 2014 22:01:49 +0200 Subject: [keycloak-user] auth-server.war in 1.0-beta-3 packages 1.0-beta-2 libraries Message-ID: Hi all, In keycloak-war-dist-all-1.0-beta-3.zip: There seems to be both beta-2 and beta-3 libraries packaged in ./deployments/auth-server.war/WEB-INF/lib/, causing e.g. JPA to pick up the wrong classes. cheers, asgeir -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140619/28b8819b/attachment.html From mposolda at redhat.com Fri Jun 20 01:35:46 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 20 Jun 2014 07:35:46 +0200 Subject: [keycloak-user] ldap setup In-Reply-To: References: Message-ID: <53A3C832.1050408@redhat.com> We already seem to have other person with very similar usecase like you. I am working on it and will let you know. Marek On 19.6.2014 20:29, Dean Peterson wrote: > Hello, > > I am trying to get ldap to work and it seems the query in picketlink's > LDAPIdentityStore.java on line 186 uses id or uid to find the user in > an Active Directory. Our Active Directory stores the username as the > property sAMAccountName. I believe this prevents keycloak's new ldap > integration from working. Am I missing something? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/e264cab9/attachment.html From smysnk at gmail.com Fri Jun 20 03:41:20 2014 From: smysnk at gmail.com (Josh) Date: Fri, 20 Jun 2014 01:41:20 -0600 Subject: [keycloak-user] Keycloak beta-3 appliance, issues on startup Message-ID: Hi guys, So using the latest beta-3 application zip. Upon boot I seem to be getting the following exception: .. 1. Caused by: java.lang.AbstractMethodError: org.keycloak.models.jpa.RealmAdapter.addScopeMapping(Lorg/keycloak/models/ClientModel;Lorg/keycloak/models/RoleModel;)V 2. at org.keycloak.services.managers.RealmManager.setupAdminConsole(RealmManager.java:122) 3. at org.keycloak.services.managers.RealmManager.createRealm(RealmManager.java:98) 4. 
at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:53) (Full paste bin: http://pastebin.com/u1kzTEjd ) Please advise. Josh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/042dccf5/attachment.html From stian at redhat.com Fri Jun 20 05:15:03 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 20 Jun 2014 05:15:03 -0400 (EDT) Subject: [keycloak-user] Keycloak beta-3 appliance, issues on startup In-Reply-To: References: Message-ID: <1566453687.29949341.1403255703389.JavaMail.zimbra@redhat.com> The files I uploaded to SourceForge were not valid - I've uploaded the correct files now, so if you re-download it should be fine. ----- Original Message ----- > From: "Josh" > To: keycloak-user at lists.jboss.org > Sent: Friday, 20 June, 2014 8:41:20 AM > Subject: [keycloak-user] Keycloak beta-3 appliance, issues on startup > > Hi guys, > > So using the latest beta-3 application zip. Upon boot I seem to be getting > the following exception: > > .. > > > 1. > Caused by: java.lang.AbstractMethodError: > org.keycloak.models.jpa.RealmAdapter.addScopeMapping(Lorg/keycloak/models/ClientModel;Lorg/keycloak/models/RoleModel;)V > > 2. > at > org.keycloak.services.managers.RealmManager.setupAdminConsole(RealmManager.java:122) > > 3. > at > org.keycloak.services.managers.RealmManager.createRealm(RealmManager.java:98) > > 4. > at > org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:53) > > > (Full paste bin: http://pastebin.com/u1kzTEjd ) > > Please advise.
> > Josh > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Fri Jun 20 05:15:20 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 20 Jun 2014 05:15:20 -0400 (EDT) Subject: [keycloak-user] auth-server.war in 1.0-beta-3 packages 1.0-beta-2 libraries In-Reply-To: References: Message-ID: <114700187.29949782.1403255720534.JavaMail.zimbra@redhat.com> The files I uploaded to SourceForge were not valid - I've uploaded the correct files now, so if you re-download it should be fine. ----- Original Message ----- > From: "Asgeir Frimannsson" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 19 June, 2014 9:01:49 PM > Subject: [keycloak-user] auth-server.war in 1.0-beta-3 packages 1.0-beta-2 libraries > > Hi all, > > In keycloak-war-dist-all-1.0-beta-3.zip: > > There seems to be both beta-2 and beta-3 libraries packaged in > ./deployments/auth-server.war/WEB-INF/lib/, causing e.g. JPA to pick up the > wrong classes. > > cheers, > asgeir > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Fri Jun 20 05:17:50 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 20 Jun 2014 05:17:50 -0400 (EDT) Subject: [keycloak-user] Beta-3 release in SourceForge was broken In-Reply-To: <412984124.29950470.1403255803715.JavaMail.zimbra@redhat.com> Message-ID: <1711910285.29950938.1403255870098.JavaMail.zimbra@redhat.com> All, The files for 1.0-beta-3 I uploaded yesterday to SourceForge were broken (both appliance-dist and war-dist). I've uploaded fixed files now, so if you've already downloaded the release, please download again!
Cheers, Stian From bburke at redhat.com Fri Jun 20 08:19:09 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 20 Jun 2014 08:19:09 -0400 Subject: [keycloak-user] ldap setup In-Reply-To: References: Message-ID: <53A426BD.4030902@redhat.com> Marek, BTW, we need a more user friendly interface for ldap setup than passing a system property on startup. On 6/19/2014 2:29 PM, Dean Peterson wrote: > Hello, > > I am trying to get ldap to work and it seems the query in picketlink's > LDAPIdentityStore.java on line 186 uses id or uid to find the user in an > Active Directory. Our Active Directory stores the username as the > property sAMAccountName. I believe this prevents keycloak's new ldap > integration from working. Am I missing something? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Fri Jun 20 11:40:29 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Fri, 20 Jun 2014 10:40:29 -0500 Subject: [keycloak-user] ldap setup In-Reply-To: <53A3C832.1050408@redhat.com> References: <53A3C832.1050408@redhat.com> Message-ID: That sounds great, thanks! On Fri, Jun 20, 2014 at 12:35 AM, Marek Posolda wrote: > We already seem to have other person with very similar usecase like you. > I am working on it and will let you know. > > Marek > > > On 19.6.2014 20:29, Dean Peterson wrote: > > Hello, > > I am trying to get ldap to work and it seems the query in picketlink's > LDAPIdentityStore.java on line 186 uses id or uid to find the user in an > Active Directory. Our Active Directory stores the username as the property > sAMAccountName. I believe this prevents keycloak's new ldap integration > from working. Am I missing something? 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/738a8832/attachment.html From smysnk at gmail.com Fri Jun 20 13:30:02 2014 From: smysnk at gmail.com (Josh) Date: Fri, 20 Jun 2014 11:30:02 -0600 Subject: [keycloak-user] Bower for keycloak.js Message-ID: Hi guys, I have created a little github project to make keycloak.js available to bower package manager. Project here: https://github.com/smysnk/keycloak-adapter-bower Usage: $ bower install keycloak - Josh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/50544965/attachment.html From bburke at redhat.com Fri Jun 20 15:13:47 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 20 Jun 2014 15:13:47 -0400 Subject: [keycloak-user] Bower for keycloak.js In-Reply-To: References: Message-ID: <53A487EB.3060709@redhat.com> Cool thanks. What is bower used for? On 6/20/2014 1:30 PM, Josh wrote: > Hi guys, > > I have created a little github project to make keycloak.js available to > bower package manager.
> > Project here: > https://github.com/smysnk/keycloak-adapter-bower > > Usage: > $ bower install keycloak > > - Josh > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From n.preusker at gmail.com Fri Jun 20 15:20:07 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Fri, 20 Jun 2014 21:20:07 +0200 Subject: [keycloak-user] Bower for keycloak.js In-Reply-To: <53A487EB.3060709@redhat.com> References: <53A487EB.3060709@redhat.com> Message-ID: Great, thanks Josh! @Bill: Bower is a bit like maven for java script. It basically manages your dependencies. On Fri, Jun 20, 2014 at 9:13 PM, Bill Burke wrote: > Cool thanks. What is bower used for? > > On 6/20/2014 1:30 PM, Josh wrote: > > Hi guys, > > > > I have created a little github project to make keycloak.js available to > > bower package manager . > > > > Project here: > > https://github.com/smysnk/keycloak-adapter-bower > > > > Usage: > > $ bower install keycloak > > > > - Josh > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/d9f82e74/attachment.html From rodrigopsasaki at gmail.com Fri Jun 20 16:00:57 2014 From: rodrigopsasaki at gmail.com (Rodrigo Sasaki) Date: Fri, 20 Jun 2014 17:00:57 -0300 Subject: [keycloak-user] Java Keycloak REST API Wrapper Message-ID: Hi, I'm working on a Java-based wrapper for the REST API, to make it look more OO, abstracting the access to servers. It uses methods such as User bill = realm.getUser("bburke"); List roles = bill.getApplicationRoleMappings("customer-portal"); It's still in its early stages, but if you find it interesting, I'd be happy to create a repo for other Java users to use it, and adapt it based on suggestions as well. Best regards, -- Rodrigo Sasaki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140620/d8051372/attachment.html From stian at redhat.com Mon Jun 23 04:40:40 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Jun 2014 04:40:40 -0400 (EDT) Subject: [keycloak-user] Bower for keycloak.js In-Reply-To: References: Message-ID: <1351976998.31398570.1403512840666.JavaMail.zimbra@redhat.com> Hi Josh, That's great - thanks for contributing this. I would like to transfer this to https://github.com/keycloak though, I hope you're happy with that. Thanks, Stian ----- Original Message ----- > From: "Josh" > To: keycloak-user at lists.jboss.org > Sent: Friday, 20 June, 2014 6:30:02 PM > Subject: [keycloak-user] Bower for keycloak.js > > Hi guys, > > I have created a little github project to make keycloak.js available to bower > package manager.
> > Project here: > https://github.com/smysnk/keycloak-adapter-bower > > Usage: > $ bower install keycloak > > - Josh > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Jun 23 04:42:44 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Jun 2014 04:42:44 -0400 (EDT) Subject: [keycloak-user] Java Keycloak REST API Wrapper In-Reply-To: References: Message-ID: <1843524834.31400020.1403512964696.JavaMail.zimbra@redhat.com> That's great! Absolutely something we want. Once it's in a usable state I'd like to pull it in to our main Keycloak repo and include it as part of our build and release. ----- Original Message ----- > From: "Rodrigo Sasaki" > To: keycloak-user at lists.jboss.org > Sent: Friday, 20 June, 2014 9:00:57 PM > Subject: [keycloak-user] Java Keycloak REST API Wrapper > > Hi, > > I'm working on a Java-based wrapper for the REST API, to make it look more > OO, abstracting the access to servers. > > It uses methods such as > > User bill = realm.getUser("bburke") > List roles = > bill.getApplicationRoleMappings("customer-portal"); > > It's still in it's early stages, but if you find it interesting, I'd be happy > to create a repo for other Java users to use it, and adapt it based on > suggestions aswell. > > Best regards, > > -- > Rodrigo Sasaki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From gadnex at gmail.com Mon Jun 23 06:24:56 2014 From: gadnex at gmail.com (Willy Gadney) Date: Mon, 23 Jun 2014 12:24:56 +0200 Subject: [keycloak-user] Problem installing keycloak-war-dist-all-1.0-beta-3 on Wildfly 8.0 and WildFly 8.1 Message-ID: I am having some issues trying to install *keycloak-war-dist-all-1.0-beta-3* on *Wildfly 8.0* and *WildFly 8.1*. 
I am able to install *keycloak-war-dist-all-1.0-beta-1* to both *Wildfly 8.0* and *WildFly 8.1* using the same installation process.

I have tested the installation on two different machines:
- Windows 8 with Java JDK 1.8.0 (Also tested with JDK 1.7.51)
- Windows 7 with Java JDK 1.8.0

The steps I take to do the installation are as follows:
1) Unzip *wildfly-8.1.0.Final.zip* to *C:\TEMP*.
2) Unzip *keycloak-war-dist-all-1.0-beta-3.zip* to *C:\TEMP*.
3) Copy the *configuration* and *deployments* folders from the *C:\TEMP\keycloak-war-dist-all-1.0-beta-3* to *C:\TEMP\wildfly-8.1.0.Final\standalone*.
4) On my Windows 7 machine I need to change the WildFly http port since I have Oracle XE installed that occupies port 8080.
5) Start the WildFly 8.1 by running *C:\TEMP\wildfly-8.1.0.Final\bin\standalone.bat*.

The content of the C:\TEMP\wildfly-8.1.0.Final\standalone\deployments\auth-server.war.failed is as follows:

"{\"JBAS014671: Failed services\" => {\"jboss.persistenceunit.\\\"auth-server.war#jpa-keycloak-identity-store\\\"\" => \"org.jboss.msc.service.StartException in service jboss.persistenceunit.\\\"auth-server.war#jpa-keycloak-identity-store\\\": javax.persistence.PersistenceException: [PersistenceUnit: jpa-keycloak-identity-store] Unable to build Hibernate SessionFactory Caused by: javax.persistence.PersistenceException: [PersistenceUnit: jpa-keycloak-identity-store] Unable to build Hibernate SessionFactory Caused by: org.hibernate.AnnotationException: Use of @OneToMany or @ManyToMany targeting an unmapped class: org.keycloak.models.jpa.entities.ApplicationEntity.roles[org.keycloak.models.jpa.entities.ApplicationRoleEntity]\"}}"

I am not sure if I am doing anything wrong or whether there is an issue with the *keycloak-war-dist-all-1.0-beta-3.zip* distribution.

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140623/b2dbc18f/attachment-0001.html From gadnex at gmail.com Mon Jun 23 06:33:34 2014 From: gadnex at gmail.com (Willy Gadney) Date: Mon, 23 Jun 2014 12:33:34 +0200 Subject: [keycloak-user] Solution: Problem installing keycloak-war-dist-all-1.0-beta-3 on Wildfly 8.0 and WildFly 8.1 (Willy Gadney) Message-ID: Hi, I just saw that the forum message *Beta-3 release in SourceForge was broken (Stian Thorgersen)* and realized this was the source of my issue. I will re-download Beta-3 and try again. Regards, William Gadney -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140623/5e155a1f/attachment.html From jim.boettcher at hp.com Mon Jun 23 11:51:58 2014 From: jim.boettcher at hp.com (Boettcher, Jim) Date: Mon, 23 Jun 2014 15:51:58 +0000 Subject: [keycloak-user] Add additional rights mapping step to request chain References: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net> <539606CD.4030100@redhat.com> Message-ID: <567C02B1AFF42E499D63011F4C931ABE2410A83B@G5W2731.americas.hpqcorp.net> Hi, This has become a show stopper for us. We really need to be able to map the user identified by the bearer token to their roles by using our own role mapping code that executes on our JBoss 7.1.1 application server not the roles from the token. We are developing some new services that must work with our older code and the role mapping that is done with the older code. You mention that you would have to create an SPI for this. Are there any plans for creating the SPI? If the SPI is not planned to be in the 1.0 final release, Is there some way I could hook in our custom processing on my own. Looking at the code for the AS7-adapter I did not see an obvious place to do this. For an interim solution we would consider modifying / extending the keycloak code in order to hook in our custom role mapping. 
Can you suggest a good place in the code that I might try to do this custom work? Thank you for your help, Jim -----Original Message----- From: Boettcher, Jim Sent: Monday, June 09, 2014 3:45 PM To: 'Bill Burke'; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Add additional rights mapping step to request chain These are specific rights that are associated to different roles, such as the "backup right" can be associated to a backup role or an admin role. We were looking to do this on the application server side perhaps as some sort of extension or add on or post processor to the keycloak-as7-adapter that is installed and configured as a module for JBoss. Thanks -Jim -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Monday, June 09, 2014 3:11 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Add additional rights mapping step to request chain For "rights" you mean user role mappings? I'd have to create an SPI for that. FYI, you can't modify the token itself as it is digitally signed. On 6/9/2014 2:51 PM, Boettcher, Jim wrote: > Hi, > > We are using the keycloak-as7-adapter from beta2 and have configured > the adapter to use bearer token. > > We would like to add in some extra processing after the bearer token > has been validated in order to map user rights for the user identified > by the bearer token using some proprietary code. This is currently > done with a custom LoginModule configured for the security-domain of the app. > > Can you suggest how we might go about adding this extra rights mapping > to the request chain after the keycloak adapter has validated the > bearer token? 
> > Thank you, > > Jim > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From smysnk at gmail.com Mon Jun 23 14:56:57 2014 From: smysnk at gmail.com (Josh) Date: Mon, 23 Jun 2014 12:56:57 -0600 Subject: [keycloak-user] Bower for keycloak.js In-Reply-To: <1351976998.31398570.1403512840666.JavaMail.zimbra@redhat.com> References: <1351976998.31398570.1403512840666.JavaMail.zimbra@redhat.com> Message-ID: You bet, I actually had the thought that it would be better as part of the release cycle. I'll have to figure out how to transfer bower repositories because there was no login required to register a bower repo and currently I have taken "keycloak" which would be optimal for the project. On Mon, Jun 23, 2014 at 2:40 AM, Stian Thorgersen wrote: > Hi Josh, > > That's great - thanks for contributing this. I would like to transfer this > to https://github.com/keycloak though, I hope your happy with that. > > Thanks, > Stian > > ----- Original Message ----- > > From: "Josh" > > To: keycloak-user at lists.jboss.org > > Sent: Friday, 20 June, 2014 6:30:02 PM > > Subject: [keycloak-user] Bower for keycloak.js > > > > Hi guys, > > > > I have created a little github project to make keycloak.js available to > bower > > package manager . 
> >
> > Project here:
> > https://github.com/smysnk/keycloak-adapter-bower
> >
> > Usage:
> > $ bower install keycloak
> >
> > - Josh
> >

From conrad at mindless.com Mon Jun 23 15:10:02 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Mon, 23 Jun 2014 20:10:02 +0100
Subject: [keycloak-user] Keycloak immediately undeployed
Message-ID: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com>

Hi all,

I have been using keycloak in development for a couple of weeks now and it has been running fine.

I now need to deploy it into a UAT environment, but after installing WildFly and integrating keycloak I get an issue when starting up.

Basically everything starts fine, but auth-server is immediately undeployed

2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.1.0.Final "Kenny" started in 8047ms - Started 303 of 356 services (91 services are lazy, passive or on-demand)
2014-06-23 19:49:41,051 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) JBAS017535: Unregistered web context: /auth
2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-identity-store'
2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-audit-store'
2014-06-23 19:49:41,106 INFO [org.jboss.weld.deployer] (MSC service thread 1-4) JBAS016009: Stopping weld service for deployment auth-server.war
2014-06-23 19:49:41,128 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-identity-store'
2014-06-23 19:49:41,129 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-audit-store'
2014-06-23 19:49:41,141 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment auth-server.war (runtime-name: auth-server.war) in 96ms
2014-06-23 19:49:41,175 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018558: Undeployed "auth-server.war" (runtime-name: "auth-server.war")
2014-06-23 19:49:46,178 INFO [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found auth-server.war in deployment directory. To trigger deployment create a file called auth-server.war.dodeploy

The main difference between this and dev is that in UAT keycloak has to be behind an apache proxy

ProxyPass /auth/ http://localhost:8080/auth/
ProxyPassReverse /auth/ http://localhost:8080/auth/

Can anybody help? I am completely stumped - Is it something to do with apache already running on port 80?

Thanks

Conrad

From smysnk at gmail.com Mon Jun 23 17:38:44 2014
From: smysnk at gmail.com (Josh)
Date: Mon, 23 Jun 2014 15:38:44 -0600
Subject: [keycloak-user] Bower for keycloak.js
In-Reply-To:
References: <1351976998.31398570.1403512840666.JavaMail.zimbra@redhat.com>
Message-ID:

Looks like it's a manual process at the moment to get registry moved to a different github endpoint. Let me know when you have the project setup and I'll contact the bower guys.

- Josh

On Mon, Jun 23, 2014 at 12:56 PM, Josh wrote:
> You bet, I actually had the thought that it would be better as part of the
> release cycle. I'll have to figure out how to transfer bower repositories
> because there was no login required to register a bower repo and currently
> I have taken "keycloak" which would be optimal for the project.
>
>
> On Mon, Jun 23, 2014 at 2:40 AM, Stian Thorgersen
> wrote:
>
>> Hi Josh,
>>
>> That's great - thanks for contributing this. I would like to transfer
>> this to https://github.com/keycloak though, I hope you're happy with that.
>>
>> Thanks,
>> Stian
>>
>> ----- Original Message -----
>> > From: "Josh"
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Friday, 20 June, 2014 6:30:02 PM
>> > Subject: [keycloak-user] Bower for keycloak.js
>> >
>> > Hi guys,
>> >
>> > I have created a little github project to make keycloak.js available to
>> bower
>> > package manager .
>> >
>> > Project here:
>> > https://github.com/smysnk/keycloak-adapter-bower
>> >
>> > Usage:
>> > $ bower install keycloak
>> >
>> > - Josh
>> >

From conrad at mindless.com Tue Jun 24 02:39:20 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Tue, 24 Jun 2014 07:39:20 +0100
Subject: [keycloak-user] Keycloak immediately undeployed
In-Reply-To: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com>
References: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com>
Message-ID: <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com>

Hi all,

I made some progress. This was apparently occurring because I had lingering WildFly processes. I killed them all, cleaned up, restarted and was able to see my keycloak welcome screen at

http:///auth/

through my reverse proxy - nice!

Unfortunately, when I click to go through to the administration console I end up at

http://localhost:8080/auth/realms/master/tokens/

I am having difficulty changing the (localhost:8080). Can anybody please advise

Thanks

Conrad

> On 23 Jun 2014, at 20:10, Conrad Winchester wrote:
>
> Hi all,
>
> I have been using keycloak in development for a couple of weeks now and it has been running fine.
>
> I now need to deploy it into a UAT environment, but after installing WildFly and integrating keycloak I get an issue when starting up.
> > Basically everything starts fine, but auth-server is immediately underplayed > > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990 > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.1.0.Final "Kenny" started in 8047ms - Started 303 of 356 services (91 services are lazy, passive or on-demand) > 2014-06-23 19:49:41,051 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) JBAS017535: Unregistered web context: /auth > 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-identity-store' > 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-audit-store' > 2014-06-23 19:49:41,106 INFO [org.jboss.weld.deployer] (MSC service thread 1-4) JBAS016009: Stopping weld service for deployment auth-server.war > 2014-06-23 19:49:41,128 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-identity-store' > 2014-06-23 19:49:41,129 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-audit-store' > 2014-06-23 19:49:41,141 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment auth-server.war (runtime-name: auth-server.war) in 96ms > 2014-06-23 19:49:41,175 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018558: Undeployed "auth-server.war" (runtime-name: "auth-server.war") > 2014-06-23 19:49:46,178 INFO 
[org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found auth-server.war in deployment directory. To trigger deployment create a file called auth-server.war.dodeploy
>
> The main difference between this and dev is that in UAT keycloak has to be behind an apache proxy
>
> ProxyPass /auth/ http://localhost:8080/auth/
> ProxyPassReverse /auth/ http://localhost:8080/auth/
>
> Can anybody help? I am completely stumped - Is it something to do with apache already running on port 80?
>
> Thanks
>
> Conrad

From juraci at kroehling.de Tue Jun 24 04:21:20 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 24 Jun 2014 10:21:20 +0200
Subject: [keycloak-user] Keycloak immediately undeployed
In-Reply-To: <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com>
References: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com> <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com>
Message-ID: <53A93500.6030404@kroehling.de>

Are you sending the proper host/protocol/... headers to Wildfly? In nginx, it would be something like this:

proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;

- Juca.

On 06/24/2014 08:39 AM, Conrad Winchester wrote:
> Hi all,
>
> I made some progress. This was apparently occurring because I had
> lingering WildFly processes.
I killed them all, cleaned up, > restarted and was able to see my keycloak welcome screen at > > http:///auth/ > > through my reverse proxy - nice! > > Unfortunately, when I click to go through to the administration > console I end up at > > http://localhost:8080/auth/realms/master/tokens/ > > I am having difficulty changing the (localhost:8080). Can anybody > please advise > > Thanks > > Conrad > > >> On 23 Jun 2014, at 20:10, Conrad Winchester > > wrote: >> >> Hi all, >> >> I have been using keycloak in development for a couple of weeks >> now and it has been running fine. >> >> I now need to deploy it into a UAT environment, but after >> installing wildly and integrating keycloak I get an issue when >> starting up. >> >> Basically everything starts fine, but auth-server is immediately >> underplayed >> >> 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot >> Thread) JBAS015961: Http management interface listening on >> http://127.0.0.1:9990/management 2014-06-23 19:49:36,038 INFO >> [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console >> listening on http://127.0.0.1:9990 >> 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot >> Thread) JBAS015874: WildFly 8.1.0.Final "Kenny" started in 8047ms >> - Started 303 of 356 services (91 services are lazy, passive or >> on-demand) 2014-06-23 19:49:41,051 INFO >> [org.wildfly.extension.undertow] (MSC service thread 1-3) >> JBAS017535: Unregistered web context: /auth 2014-06-23 >> 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool >> -- 21) JBAS011410: Stopping Persistence Unit (phase 2 of 2) >> Service 'auth-server.war#jpa-keycloak-identity-store' 2014-06-23 >> 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool >> -- 22) JBAS011410: Stopping Persistence Unit (phase 2 of 2) >> Service 'auth-server.war#jpa-keycloak-audit-store' 2014-06-23 >> 19:49:41,106 INFO [org.jboss.weld.deployer] (MSC service thread >> 1-4) JBAS016009: Stopping weld service for deployment >> 
auth-server.war 2014-06-23 19:49:41,128 INFO [org.jboss.as.jpa] >> (ServerService Thread Pool -- 22) JBAS011410: Stopping >> Persistence Unit (phase 1 of 2) Service >> 'auth-server.war#jpa-keycloak-identity-store' 2014-06-23 >> 19:49:41,129 INFO [org.jboss.as.jpa] (ServerService Thread Pool >> -- 21) JBAS011410: Stopping Persistence Unit (phase 1 of 2) >> Service 'auth-server.war#jpa-keycloak-audit-store' 2014-06-23 >> 19:49:41,141 INFO [org.jboss.as.server.deployment] (MSC service >> thread 1-1) JBAS015877: Stopped deployment auth-server.war >> (runtime-name: auth-server.war) in 96ms 2014-06-23 19:49:41,175 >> INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) >> JBAS018558: Undeployed "auth-server.war" (runtime-name: >> "auth-server.war") 2014-06-23 19:49:46,178 INFO >> [org.jboss.as.server.deployment.scanner] >> (DeploymentScanner-threads - 1) JBAS015003: Found auth-server.war >> in deployment directory. To trigger deployment create a file >> called auth-server.war.dodeploy >> >> The main difference between this and dev is that in UAT keycloak >> has to be behind an apache proxy >> >> ProxyPass /auth/ http://localhost:8080/auth/ ProxyPassReverse >> /auth/ http://localhost:8080/auth/ >> >> Can anybody help? I am completely stumped - Is it something to do >> with apache already running on port 80? 
>> >> Thanks >> >> Conrad

From stian at redhat.com Tue Jun 24 04:34:12 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 24 Jun 2014 04:34:12 -0400 (EDT) Subject: [keycloak-user] Keycloak immediately undeployed In-Reply-To: <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com> References: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com> <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com> Message-ID: <453120406.32368829.1403598852577.JavaMail.zimbra@redhat.com> Please look at the documentation: http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/server-installation.html#d4e255 ----- Original Message ----- > From: "Conrad Winchester" > To: "Conrad Winchester" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 24 June, 2014 7:39:20 AM > Subject: Re: [keycloak-user] Keycloak immediately undeployed > > Hi all, > > I made some progress. This was apparently occurring because I had lingering > Wildly Processes. I killed them all, cleaned up, restarted and was able to > see my keycloak welcome screen at > > http:///auth/ > > through my reverse proxy - nice!
> > Unfortunately, when I click to go through to the administration console I end > up at > > http://localhost:8080/auth/realms/master/tokens/ > > I am having difficulty changing the (localhost:8080). Can anybody please > advise > > Thanks > > Conrad > > > > > > On 23 Jun 2014, at 20:10, Conrad Winchester < conrad at mindless.com > wrote: > > Hi all, > > I have been using keycloak in development for a couple of weeks now and it > has been running fine. > > I now need to deploy it into a UAT environment, but after installing wildly > and integrating keycloak I get an issue when starting up. > > Basically everything starts fine, but auth-server is immediately underplayed > > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) > JBAS015961: Http management interface listening on > http://127.0.0.1:9990/management > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) > JBAS015951: Admin console listening on http://127.0.0.1:9990 > 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) > JBAS015874: WildFly 8.1.0.Final "Kenny" started in 8047ms - Started 303 of > 356 services (91 services are lazy, passive or on-demand) > 2014-06-23 19:49:41,051 INFO [org.wildfly.extension.undertow] (MSC service > thread 1-3) JBAS017535: Unregistered web context: /auth > 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- > 21) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service > 'auth-server.war#jpa-keycloak-identity-store' > 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- > 22) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service > 'auth-server.war#jpa-keycloak-audit-store' > 2014-06-23 19:49:41,106 INFO [org.jboss.weld.deployer] (MSC service thread > 1-4) JBAS016009: Stopping weld service for deployment auth-server.war > 2014-06-23 19:49:41,128 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- > 22) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 
> 'auth-server.war#jpa-keycloak-identity-store' > 2014-06-23 19:49:41,129 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- > 21) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service > 'auth-server.war#jpa-keycloak-audit-store' > 2014-06-23 19:49:41,141 INFO [org.jboss.as.server.deployment] (MSC service > thread 1-1) JBAS015877: Stopped deployment auth-server.war (runtime-name: > auth-server.war) in 96ms > 2014-06-23 19:49:41,175 INFO [org.jboss.as.server] (DeploymentScanner-threads > - 2) JBAS018558: Undeployed "auth-server.war" (runtime-name: > "auth-server.war") > 2014-06-23 19:49:46,178 INFO [org.jboss.as.server.deployment.scanner] > (DeploymentScanner-threads - 1) JBAS015003: Found auth-server.war in > deployment directory. To trigger deployment create a file called > auth-server.war.dodeploy > > The main difference between this and dev is that in UAT keycloak has to be > behind an apache proxy > > ProxyPass /auth/ http://localhost:8080/auth/ > ProxyPassReverse /auth/ http://localhost:8080/auth/ > > Can anybody help? I am completely stumped - Is it something to do with apache > already running on port 80? 
>
> Thanks
>
> Conrad

From stian at redhat.com Tue Jun 24 04:50:25 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 24 Jun 2014 04:50:25 -0400 (EDT)
Subject: [keycloak-user] Add additional rights mapping step to request chain
In-Reply-To: <567C02B1AFF42E499D63011F4C931ABE2410A83B@G5W2731.americas.hpqcorp.net>
References: <567C02B1AFF42E499D63011F4C931ABE24104980@G5W2731.americas.hpqcorp.net> <539606CD.4030100@redhat.com> <567C02B1AFF42E499D63011F4C931ABE2410A83B@G5W2731.americas.hpqcorp.net>
Message-ID: <622002341.32388999.1403599825357.JavaMail.zimbra@redhat.com>

Have a look at:

* org.keycloak.adapters.as7.CatalinaRequestAuthenticator#getRolesFromToken

This is where the roles from the token are retrieved and you should be able to modify this to add the additional roles you require.

An alternative, and I would say a preferred approach, would be to add these roles on the Keycloak server side rather than in the adapter. This should be feasible in the future in one of two ways:

* Users SPI - we're currently splitting the model into config, users and sessions. Users will contain users, credentials and role mappings. As this will be an SPI you'll be able to extend this to add any additional role mappings here.
* Sync SPI - this will be post-1.0.final so won't be ready until September/October. This will allow syncing users, credentials and role mappings to/from an external data source in the Keycloak database.
----- Original Message -----
> From: "Jim Boettcher"
> To: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Monday, 23 June, 2014 4:51:58 PM
> Subject: Re: [keycloak-user] Add additional rights mapping step to request chain
>
> Hi,
>
> This has become a show stopper for us. We really need to be able to map the
> user identified by the bearer token to their roles by using our own role
> mapping code that executes on our JBoss 7.1.1 application server not the
> roles from the token. We are developing some new services that must work
> with our older code and the role mapping that is done with the older code.
> You mention that you would have to create an SPI for this. Are there any
> plans for creating the SPI?
> If the SPI is not planned to be in the 1.0 final release, Is there some way I
> could hook in our custom processing on my own. Looking at the code for the
> AS7-adapter I did not see an obvious place to do this. For an interim
> solution we would consider modifying / extending the keycloak code in order
> to hook in our custom role mapping. Can you suggest a good place in the code
> that I might try to do this custom work?
>
> Thank you for your help,
> Jim
>
> -----Original Message-----
> From: Boettcher, Jim
> Sent: Monday, June 09, 2014 3:45 PM
> To: 'Bill Burke'; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] Add additional rights mapping step to request
> chain
>
> These are specific rights that are associated to different roles, such as the
> "backup right" can be associated to a backup role or an admin role.
> We were looking to do this on the application server side perhaps as some
> sort of extension or add on or post processor to the keycloak-as7-adapter
> that is installed and configured as a module for JBoss.
>
> Thanks
> -Jim
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Monday, June 09, 2014 3:11 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Add additional rights mapping step to request
> chain
>
> For "rights" you mean user role mappings? I'd have to create an SPI for
> that.
>
> FYI, you can't modify the token itself as it is digitally signed.
>
> On 6/9/2014 2:51 PM, Boettcher, Jim wrote:
> > Hi,
> >
> > We are using the keycloak-as7-adapter from beta2 and have configured
> > the adapter to use bearer token.
> >
> > We would like to add in some extra processing after the bearer token
> > has been validated in order to map user rights for the user identified
> > by the bearer token using some proprietary code. This is currently
> > done with a custom LoginModule configured for the security-domain of the
> > app.
> >
> > Can you suggest how we might go about adding this extra rights mapping
> > to the request chain after the keycloak adapter has validated the
> > bearer token?
> >
> > Thank you,
> >
> > Jim
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From mposolda at redhat.com Tue Jun 24 04:51:28 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jun 2014 10:51:28 +0200
Subject: [keycloak-user] ldap setup
In-Reply-To:
References: <53A3C832.1050408@redhat.com>
Message-ID: <53A93C10.3020702@redhat.com>

Hi,

ATM there is a fix in latest Keycloak master. Among other improvements, you can now configure in admin console the name of LDAP attribute, which is used as username in Keycloak. So for AD, you can select "sAMAccountName". I believe that this will help to have things working in your environment.

Please let me know if it helps.

Thanks,
Marek

On 20.6.2014 17:40, Dean Peterson wrote:
> That sounds great, thanks!
>
>
> On Fri, Jun 20, 2014 at 12:35 AM, Marek Posolda wrote:
>
> We already seem to have other person with very similar usecase
> like you. I am working on it and will let you know.
>
> Marek
>
>
> On 19.6.2014 20:29, Dean Peterson wrote:
>> Hello,
>>
>> I am trying to get ldap to work and it seems the query in
>> picketlink's LDAPIdentityStore.java on line 186 uses id or uid to
>> find the user in an Active Directory. Our Active Directory
>> stores the username as the property sAMAccountName. I believe
>> this prevents keycloak's new ldap integration from working. Am I
>> missing something?

From conrad at mindless.com Tue Jun 24 15:20:40 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Tue, 24 Jun 2014 20:20:40 +0100
Subject: [keycloak-user] Keycloak immediately undeployed
In-Reply-To: <53A93500.6030404@kroehling.de>
References: <6C0743D1-3D58-4514-A190-3C052F247A60@mindless.com> <02CCC29B-443C-4D85-909C-0487B2C0FE66@mindless.com> <53A93500.6030404@kroehling.de>
Message-ID:

Thanks for the pointer, for those using apache the setting is

ProxyPreserveHost On

This seems to fix the issue

Conrad

> On 24 Jun 2014, at 09:21, Juraci Paixão Kröhling wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Are you sending the proper host/protocol/... headers to Wildfly? In
> nginx, it would be something like this:
>
> proxy_pass http://localhost:8080;
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header Host $http_host;
>
> - - Juca.
>
> On 06/24/2014 08:39 AM, Conrad Winchester wrote:
>> Hi all,
>>
>> I made some progress. This was apparently occurring because I had
>> lingering WildFly Processes. I killed them all, cleaned up,
>> restarted and was able to see my keycloak welcome screen at
>>
>> http:///auth/
>>
>> through my reverse proxy - nice!
>>
>> Unfortunately, when I click to go through to the administration
>> console I end up at
>>
>> http://localhost:8080/auth/realms/master/tokens/
>>
>> I am having difficulty changing the (localhost:8080).
>> Can anybody please advise
>>
>> Thanks
>>
>> Conrad
>>
>>> On 23 Jun 2014, at 20:10, Conrad Winchester wrote:
>>>
>>> Hi all,
>>>
>>> I have been using keycloak in development for a couple of weeks
>>> now and it has been running fine.
>>>
>>> I now need to deploy it into a UAT environment, but after
>>> installing WildFly and integrating keycloak I get an issue when
>>> starting up.
>>>
>>> Basically everything starts fine, but auth-server is immediately
>>> undeployed
>>>
>>> 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
>>> 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
>>> 2014-06-23 19:49:36,038 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.1.0.Final "Kenny" started in 8047ms - Started 303 of 356 services (91 services are lazy, passive or on-demand)
>>> 2014-06-23 19:49:41,051 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) JBAS017535: Unregistered web context: /auth
>>> 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-identity-store'
>>> 2014-06-23 19:49:41,104 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 2 of 2) Service 'auth-server.war#jpa-keycloak-audit-store'
>>> 2014-06-23 19:49:41,106 INFO [org.jboss.weld.deployer] (MSC service thread 1-4) JBAS016009: Stopping weld service for deployment auth-server.war
>>> 2014-06-23 19:49:41,128 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 22) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-identity-store'
>>> 2014-06-23 19:49:41,129 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 21) JBAS011410: Stopping Persistence Unit (phase 1 of 2) Service 'auth-server.war#jpa-keycloak-audit-store'
>>> 2014-06-23 19:49:41,141 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment auth-server.war (runtime-name: auth-server.war) in 96ms
>>> 2014-06-23 19:49:41,175 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018558: Undeployed "auth-server.war" (runtime-name: "auth-server.war")
>>> 2014-06-23 19:49:46,178 INFO [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found auth-server.war in deployment directory. To trigger deployment create a file called auth-server.war.dodeploy
>>>
>>> The main difference between this and dev is that in UAT keycloak
>>> has to be behind an apache proxy
>>>
>>> ProxyPass /auth/ http://localhost:8080/auth/
>>> ProxyPassReverse /auth/ http://localhost:8080/auth/
>>>
>>> Can anybody help? I am completely stumped - Is it something to do
>>> with apache already running on port 80?
>>>
>>> Thanks
>>>
>>> Conrad
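
A simplified model of the symptom discussed in this thread, added here as an example (it is not code from Keycloak, Apache or any poster): a stand-in backend that builds absolute URLs from the Host header it receives, placed behind a proxy with and without ProxyPreserveHost. The host name sso.example.test, the /auth/admin/ redirect and all function names are assumptions; ProxyPassReverse is modelled as rewriting only the Location header.

```python
from urllib.parse import urlsplit

PUBLIC_HOST = "sso.example.test"      # constructed public name (assumption)
BACKEND = "http://localhost:8080"     # ProxyPass target quoted in the thread
INTERNAL = urlsplit(BACKEND).netloc   # "localhost:8080"


def backend_response(headers):
    """Stand-in backend: every absolute URL is derived from the Host header."""
    base = f"http://{headers['Host']}"
    return {
        "status": 302,
        "headers": {"Location": f"{base}/auth/admin/"},
        # A URL embedded in the page body (link, script, JSON config).
        "body": f'<a href="{base}/auth/realms/master/tokens/">log in</a>',
    }


def proxy(client_host, preserve_host):
    """Forward a request as ProxyPass would, then apply ProxyPassReverse."""
    # Without ProxyPreserveHost the upstream request carries the Host of the
    # ProxyPass target; with it, the client's original Host is passed through.
    upstream_host = client_host if preserve_host else INTERNAL
    resp = backend_response({"Host": upstream_host})

    # ProxyPassReverse /auth/ http://localhost:8080/auth/
    # Only response headers such as Location are rewritten, never the body.
    loc = resp["headers"]["Location"]
    if loc.startswith(BACKEND + "/auth/"):
        resp["headers"]["Location"] = f"http://{client_host}" + loc[len(BACKEND):]
    return resp


def leaked_internal_urls(resp):
    """List where the backend's own address is still visible to the client."""
    found = []
    if INTERNAL in resp["headers"].get("Location", ""):
        found.append("Location header")
    if INTERNAL in resp["body"]:
        found.append("body")
    return found


def compare():
    """Run the same request through both proxy configurations."""
    return {
        "default": leaked_internal_urls(proxy(PUBLIC_HOST, preserve_host=False)),
        "preserve_host": leaked_internal_urls(proxy(PUBLIC_HOST, preserve_host=True)),
    }


if __name__ == "__main__":
    for mode, leaks in compare().items():
        print(mode, "->", leaks or "no internal URLs")
```

In this model the Location header is repaired in both cases, but only the preserved Host keeps localhost:8080 out of URLs generated inside the response body.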

From conrad at mindless.com Wed Jun 25 02:24:17 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Wed, 25 Jun 2014 07:24:17 +0100
Subject: [keycloak-user] Linkage Errors
Message-ID: <5BA939F2-F877-4832-B934-8BA6AB278F94@mindless.com>

Hi all,

So, trying to get a keycloak enabled server out of IntelliJ and onto a UAT box is proving to be a bit of a nightmare :-(

I am using the following dependencies for my project (removed some that are not part of the problem)

dependencies {
    providedCompile 'org.jboss.spec:jboss-javaee-7.0:1.0.0.Final'
    providedCompile 'org.jboss.resteasy:resteasy-multipart-provider:3.0.6.Final'
    providedCompile 'org.jboss.resteasy:resteasy-jackson2-provider:3.0.6.Final'

    compile 'org.keycloak:keycloak-core:1.0-beta-3'
}

and I have my own version of the HttpClientBuilder utility class copied from the keycloak source in my application.

When running inside IntelliJ everything works fine, however when I try to run my way standalone on a UAT server I am getting the following linkage error. When I don't include the keycloak core I don't get the error, but I need keycloak code for the KeycloakPrincipal class.

I think it might be to do with conflicting versions of the org.apache.httpcomponents:httpclient library (4.2.1 vs 4.01), but am a little out of my depth. I have been struggling all night with this and would appreciate any help.
Thanks Conrad 2014-06-25 07:05:16,047 INFO [org.jboss.weld.deployer] (MSC service thread 1-1) JBAS016005: Starting Services for CDI deployment: shift-server.war 2014-06-25 07:05:16,073 INFO [org.jboss.weld.Version] (MSC service thread 1-1) WELD-000900: 2.1.2 (Final) 2014-06-25 07:05:16,118 INFO [org.jboss.weld.deployer] (MSC service thread 1-4) JBAS016008: Starting weld service for deployment shift-server.war 2014-06-25 07:05:16,477 INFO [org.jboss.weld.Bootstrap] (weld-worker-1) WELD-000119: Not generating any bean definitions from com.shift.service.oauth.KeycloakAuthAdapter because of underlying class loading error: Type org.apache.http.HttpEntity from [Module "deployment.shift-server.war:main" from Service Module Loader] not found. If this is unexpected, enable DEBUG logging to see the full error. 2014-06-25 07:05:16,482 WARN [org.jboss.modules] (weld-worker-2) Failed to define class com.shift.keycloak.HttpClientBuilder$VerifierWrapper in Module "deployment.shift-server.war:main" from Service Module Loader: java.lang.LinkageError: Failed to link com/shift/keycloak/HttpClientBuilder$VerifierWrapper (Module "deployment.shift-server.war:main" from Service Module Loader) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:487) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:277) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:92) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.Module.loadModuleClass(Module.java:568) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final] at 
org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final] at java.lang.Class.getDeclaringClass0(Native Method) [rt.jar:1.8.0] at java.lang.Class.getDeclaringClass(Class.java:1222) [rt.jar:1.8.0] at java.lang.Class.getEnclosingClass(Class.java:1264) [rt.jar:1.8.0] at java.lang.Class.getSimpleBinaryName(Class.java:1430) [rt.jar:1.8.0] at java.lang.Class.isMemberClass(Class.java:1420) [rt.jar:1.8.0] at org.jboss.weld.util.reflection.Reflections.getNesting(Reflections.java:134) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedConstructor.initParameters(BackedAnnotatedConstructor.java:50) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedConstructor.initParameters(BackedAnnotatedConstructor.java:28) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedCallable.(BackedAnnotatedCallable.java:34) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedConstructor.(BackedAnnotatedConstructor.java:38) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedConstructor.of(BackedAnnotatedConstructor.java:32) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType$BackedAnnotatedConstructors.computeValue(BackedAnnotatedType.java:165) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType$BackedAnnotatedConstructors.computeValue(BackedAnnotatedType.java:158) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.util.LazyValueHolder.get(LazyValueHolder.java:35) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at 
org.jboss.weld.annotated.slim.backed.BackedAnnotatedType$EagerlyInitializedLazyValueHolder.(BackedAnnotatedType.java:154) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType$BackedAnnotatedConstructors.(BackedAnnotatedType.java:158) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType$BackedAnnotatedConstructors.(BackedAnnotatedType.java:158) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType.(BackedAnnotatedType.java:64) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.annotated.slim.backed.BackedAnnotatedType.of(BackedAnnotatedType.java:47) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.resources.ClassTransformer$TransformClassToBackedAnnotatedType.load(ClassTransformer.java:83) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.resources.ClassTransformer$TransformClassToBackedAnnotatedType.load(ClassTransformer.java:80) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2317) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2195) at com.google.common.cache.LocalCache.get(LocalCache.java:3934) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3938) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4821) at org.jboss.weld.util.cache.LoadingCacheUtils.getCacheValue(LoadingCacheUtils.java:52) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.util.cache.LoadingCacheUtils.getCastCacheValue(LoadingCacheUtils.java:80) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at 
org.jboss.weld.resources.ClassTransformer.getBackedAnnotatedType(ClassTransformer.java:175) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.resources.ClassTransformer.getBackedAnnotatedType(ClassTransformer.java:194) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.BeanDeployer.loadAnnotatedType(BeanDeployer.java:119) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.BeanDeployer.addClass(BeanDeployer.java:96) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:62) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:60) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:60) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:53) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/ssl/X509HostnameVerifier at java.lang.ClassLoader.defineClass1(Native Method) [rt.jar:1.8.0] at java.lang.ClassLoader.defineClass(ClassLoader.java:760) [rt.jar:1.8.0] at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:361) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:482) [jboss-modules.jar:1.3.3.Final] ... 
50 more Caused by: java.lang.ClassNotFoundException: org.apache.http.conn.ssl.X509HostnameVerifier from [Module "deployment.shift-server.war:main" from Service Module Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final] ... 54 more 2014-06-25 07:05:16,489 INFO [org.jboss.weld.Bootstrap] (weld-worker-2) WELD-000119: Not generating any bean definitions from com.shift.keycloak.HttpClientBuilder$PassthroughTrustManager because of underlying class loading error: Type org.apache.http.conn.ssl.X509HostnameVerifier from [Module "deployment.shift-server.war:main" from Service Module Loader] not found. If this is unexpected, enable DEBUG logging to see the full error. 
2014-06-25 07:05:16,511 WARN [org.jboss.modules] (weld-worker-1) Failed to define class com.shift.keycloak.HttpClientBuilder$VerifierWrapper in Module "deployment.shift-server.war:main" from Service Module Loader: java.lang.LinkageError: Failed to link com/shift/keycloak/HttpClientBuilder$VerifierWrapper (Module "deployment.shift-server.war:main" from Service Module Loader) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:487) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:277) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:92) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.Module.loadModuleClass(Module.java:568) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final] at org.jboss.as.weld.WeldModuleResourceLoader.classForName(WeldModuleResourceLoader.java:68) [wildfly-weld-8.1.0.Final.jar:8.1.0.Final] at org.jboss.weld.bootstrap.BeanDeployer.loadClass(BeanDeployer.java:106) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.BeanDeployer.addClass(BeanDeployer.java:94) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:62) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at 
org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:60) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:60) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:53) [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0] at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/ssl/X509HostnameVerifier at java.lang.ClassLoader.defineClass1(Native Method) [rt.jar:1.8.0] at java.lang.ClassLoader.defineClass(ClassLoader.java:760) [rt.jar:1.8.0] at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:361) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:482) [jboss-modules.jar:1.3.3.Final] ... 
19 more
Caused by: java.lang.ClassNotFoundException: org.apache.http.conn.ssl.X509HostnameVerifier from [Module "deployment.shift-server.war:main" from Service Module Loader]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final]
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final]
    ... 23 more
2014-06-25 07:05:16,514 INFO [org.jboss.weld.Bootstrap] (weld-worker-1) WELD-000119: Not generating any bean definitions from com.shift.keycloak.HttpClientBuilder$VerifierWrapper because of underlying class loading error: Type org.apache.http.conn.ssl.X509HostnameVerifier from [Module "deployment.shift-server.war:main" from Service Module Loader] not found. If this is unexpected, enable DEBUG logging to see the full error.
2014-06-25 07:05:16,530 INFO [org.jboss.weld.Bootstrap] (weld-worker-2) WELD-000119: Not generating any bean definitions from com.shift.keycloak.HttpClientBuilder because of underlying class loading error: Type org.apache.http.conn.ssl.X509HostnameVerifier from [Module "deployment.shift-server.war:main" from Service Module Loader] not found. If this is unexpected, enable DEBUG logging to see the full error.

I am getting a linkage error

From mposolda at redhat.com Wed Jun 25 03:19:28 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 25 Jun 2014 09:19:28 +0200
Subject: [keycloak-user] Linkage Errors
In-Reply-To: <5BA939F2-F877-4832-B934-8BA6AB278F94@mindless.com>
References: <5BA939F2-F877-4832-B934-8BA6AB278F94@mindless.com>
Message-ID: <53AA7800.3000009@redhat.com>

Hi,

I think the problem is in the fact that you are using:

compile 'org.keycloak:keycloak-core:1.0-beta-3'

because if you do this, then keycloak-core.jar (and maybe some other files) is copied into your WAR under WEB-INF/lib, which is not good. You shouldn't have keycloak and httpcomponent jars inside WEB-INF/lib, but instead all your dependencies should be specified in WEB-INF/jboss-deployment-structure.xml to reference dependencies provided by Application server. Keycloak modules should be added as modules into JBoss AS as specified in documentation.

I would suggest to look at our example applications here
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/
(they are also part of distribution). For example if you look at customer-app application, you can notice that it has all dependencies as 'provided' in pom.xml:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/pom.xml#L32
and in jboss-deployment-structure it has dependency on httpcomponents, which is something you will need as well (note ClassNotFoundException in your stacktrace):
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/WEB-INF/jboss-deployment-structure.xml#L6

Keycloak dependencies (like keycloak-core) don't need to be specified in jboss-deployment-structure.xml as long as you install keycloak modules and add jboss subsystem into standalone.xml as described in Keycloak docs and in README of examples.

Good luck,
Marek

On 25.6.2014 08:24, Conrad Winchester wrote:
> Hi all,
>
> So, trying to get a keycloak enabled server out of IntelliJ and onto a
> UAT box is proving to be a bit of a nightmare :-(
>
> I am using the following dependencies for my project (removed some
> that are not part of the problem)
>
> dependencies {
>
>     providedCompile 'org.jboss.spec:jboss-javaee-7.0:1.0.0.Final'
>     providedCompile 'org.jboss.resteasy:resteasy-multipart-provider:3.0.6.Final'
>     providedCompile 'org.jboss.resteasy:resteasy-jackson2-provider:3.0.6.Final'
>
>     compile 'org.keycloak:keycloak-core:1.0-beta-3'
>
> }
>
> and I have my own version of the HttpClientBuilder utility class
> copied from the keycloak source in my application.
>
> When running inside IntelliJ everything works fine, however when I try
> to run my way standalone on a UAT server I am getting the following
> linkage error. When I don't include the keycloak core I don't get the
> error, but I need keycloak code for the KeycloakPrincipal class.
>
> I think it might be to do with conflicting versions of the
> org.apache.httpcomponents:httpclient library (4.2.1 vs 4.01), but am a
> little out of my depth. I have been struggling all night with this and
> would appreciate any help.
>
> Thanks
>
> Conrad
> 2014-06-25 07:05:16,511 WARN [org.jboss.modules] (weld-worker-1) > Failed to define class > com.shift.keycloak.HttpClientBuilder$VerifierWrapper in Module > "deployment.shift-server.war:main" from Service Module Loader: > java.lang.LinkageError: Failed to link > com/shift/keycloak/HttpClientBuilder$VerifierWrapper (Module > "deployment.shift-server.war:main" from Service Module Loader) > at > org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:487) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:277) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:92) > [jboss-modules.jar:1.3.3.Final] > at org.jboss.modules.Module.loadModuleClass(Module.java:568) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.as.weld.WeldModuleResourceLoader.classForName(WeldModuleResourceLoader.java:68) > [wildfly-weld-8.1.0.Final.jar:8.1.0.Final] > at > org.jboss.weld.bootstrap.BeanDeployer.loadClass(BeanDeployer.java:106) > [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at > org.jboss.weld.bootstrap.BeanDeployer.addClass(BeanDeployer.java:94) > [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at > org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:62) > 
[weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at > org.jboss.weld.bootstrap.ConcurrentBeanDeployer$1.doWork(ConcurrentBeanDeployer.java:60) > [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at > org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:60) > [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at > org.jboss.weld.executor.IterativeWorkerTaskFactory$1.call(IterativeWorkerTaskFactory.java:53) > [weld-core-impl-2.1.2.Final.jar:2014-01-09 09:23] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0] > at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0] > Caused by: java.lang.NoClassDefFoundError: > org/apache/http/conn/ssl/X509HostnameVerifier > at java.lang.ClassLoader.defineClass1(Native Method) [rt.jar:1.8.0] > at java.lang.ClassLoader.defineClass(ClassLoader.java:760) [rt.jar:1.8.0] > at > org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:361) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:482) > [jboss-modules.jar:1.3.3.Final] > ... 
19 more > Caused by: java.lang.ClassNotFoundException: > org.apache.http.conn.ssl.X509HostnameVerifier from [Module > "deployment.shift-server.war:main" from Service Module Loader] > at > org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) > [jboss-modules.jar:1.3.3.Final] > at > org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) > [jboss-modules.jar:1.3.3.Final] > ... 23 more > > 2014-06-25 07:05:16,514 INFO [org.jboss.weld.Bootstrap] > (weld-worker-1) WELD-000119: Not generating any bean definitions from > com.shift.keycloak.HttpClientBuilder$VerifierWrapper because of > underlying class loading error: Type > org.apache.http.conn.ssl.X509HostnameVerifier from [Module > "deployment.shift-server.war:main" from Service Module Loader] not > found. If this is unexpected, enable DEBUG logging to see the full error. > 2014-06-25 07:05:16,530 INFO [org.jboss.weld.Bootstrap] > (weld-worker-2) WELD-000119: Not generating any bean definitions from > com.shift.keycloak.HttpClientBuilder because of underlying class > loading error: Type org.apache.http.conn.ssl.X509HostnameVerifier from > [Module "deployment.shift-server.war:main" from Service Module Loader] > not found. If this is unexpected, enable DEBUG logging to see the > full error. > > > I am getting a linkage error

From conrad at mindless.com Wed Jun 25 07:35:16 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Wed, 25 Jun 2014 12:35:16 +0100
Subject: [keycloak-user] Linkage Errors
In-Reply-To: <53AA7800.3000009@redhat.com>
References: <5BA939F2-F877-4832-B934-8BA6AB278F94@mindless.com> <53AA7800.3000009@redhat.com>
Message-ID:

Thank you

That was awesome advice - thank you

BTW You guys rock :-)

Conrad

> On 25 Jun 2014, at 08:19, Marek Posolda wrote:
>
> Hi,
>
> I think the problem is in the fact that you are using:
> compile 'org.keycloak:keycloak-core:1.0-beta-3'
>
> because if you do this, then keycloak-core.jar (and maybe some other files) is copied into your WAR under WEB-INF/lib, which is not good. You shouldn't have keycloak and httpcomponent jars inside WEB-INF/lib, but instead all your dependencies should be specified in WEB-INF/jboss-deployment-structure.xml to reference dependencies provided by Application server. Keycloak modules should be added as modules into JBoss AS as specified in documentation.
>
> I would suggest to look at our example applications here https://github.com/keycloak/keycloak/tree/master/examples/demo-template/ (they are also part of distribution). For example if you look at customer-app application, you can notice that it has all dependencies as 'provided' in pom.xml : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/pom.xml#L32 and in jboss-deployment-structure it has dependency on httpcomponents, which is something you will need as well (note ClassNotFoundException in your stacktrace): https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/WEB-INF/jboss-deployment-structure.xml#L6 .
Keycloak dependencies (like keycloak-core) don't need to be specified in jboss-deployment-structure.xml as long as you install keycloak modules and add jboss subsystem into standalone.xml as described in Keycloak docs and in README of examples.
>
> Good luck,
> Marek
>
> On 25.6.2014 08:24, Conrad Winchester wrote:
>> Hi all,
>>
>> So, trying to get a keycloak enabled server out of Intellij and onto a UAT box is proving to be a bit of a nightmare :-(
>>
>> I am using the following dependencies for my project (removed some that are not part of the problem)
>>
>>
>> dependencies {
>>
>> providedCompile 'org.jboss.spec:jboss-javaee-7.0:1.0.0.Final'
>> providedCompile 'org.jboss.resteasy:resteasy-multipart-provider:3.0.6.Final'
>> providedCompile 'org.jboss.resteasy:resteasy-jackson2-provider:3.0.6.Final'
>>
>> compile 'org.keycloak:keycloak-core:1.0-beta-3'
>>
>> }
>>
>> and I have my own version of the HttpClientBuilder utility class copied from the keycloak source in my application.
>>
>> When running inside IntelliJ everything works fine, however when I try to run my way standalone on a UAT server I am getting the following linkage error. When I don't include the keycloak core I don't get the error, but I need keycloak code for the KeycloakPrincipal class.
>>
>> I think it might be to do with conflicting versions of the org.apache.httpcomponents:httpclient library (4.2.1 vs 4.01), but am a little out of my depth. I have been struggling all night with this and would appreciate any help.
>>
>> Thanks
>>
>> Conrad

From spousty at redhat.com Mon Jun 30 11:56:54 2014
From: spousty at redhat.com (Steven Pousty)
Date: Mon, 30 Jun 2014 08:56:54 -0700
Subject: [keycloak-user] Error with WAR deploy in JBoss EAP 6.1
Message-ID: <53B188C6.2080701@redhat.com>

Greetings all:
I am trying to do the war deploy in EAP 6.1 on Fedora 20 (64 bit)

After copying over the files to deployments and configuration, when I try to boot eap I get the following error

18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread 1-8) JBAS015876: Starting deployment of "auth-server.war" (runtime-name: "auth-server.war")
18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread 1-7) JBAS015876: Starting deployment of "keycloak-ds.xml" (runtime-name: "keycloak-ds.xml")
18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-2) JBAS017100: Listening on 127.0.0.1:9999
18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-1) JBAS017100: Listening on 127.0.0.1:4447
18:42:50,382 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
18:42:50,505 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/KeycloakDS]
18:42:51,658 INFO [org.jboss.as.jpa] (MSC service thread 1-2) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
18:42:51,659 INFO [org.jboss.as.jpa] (MSC service thread 1-2) JBAS011401: Read persistence.xml for jpa-keycloak-audit-store
18:42:51,816 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.module.service."deployment.auth-server.war".main: org.jboss.msc.service.StartException in service jboss.module.service."deployment.auth-server.war".main: JBAS018759: Failed to load module: deployment.auth-server.war:main at
org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:92) [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_21] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_21] at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21] Caused by: org.jboss.modules.ModuleNotFoundException: org.bouncycastle:main at org.jboss.modules.Module.addPaths(Module.java:949) [jboss-modules.jar:1.2.0.Final-redhat-1] at org.jboss.modules.Module.link(Module.java:1304) [jboss-modules.jar:1.2.0.Final-redhat-1] at org.jboss.modules.Module.relinkIfNecessary(Module.java:1332) [jboss-modules.jar:1.2.0.Final-redhat-1] at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:226) [jboss-modules.jar:1.2.0.Final-redhat-1] at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:71) [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8] ... 5 more I know about the messed up WAR file that was accidentally uploaded but this WAR file was downloaded yesterday. Anyone have any idea on what I should try next? Thanks Steve -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140630/b424deec/attachment.html

From bburke at redhat.com Mon Jun 30 12:05:43 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 30 Jun 2014 12:05:43 -0400
Subject: [keycloak-user] Error with WAR deploy in JBoss EAP 6.1
In-Reply-To: <53B188C6.2080701@redhat.com>
References: <53B188C6.2080701@redhat.com>
Message-ID: <53B18AD7.4050004@redhat.com>

Install the EAP adapter. It has the bouncycastle module.

On 6/30/2014 11:56 AM, Steven Pousty wrote:
> Greetings all:
> I am trying to do the war deploy in EAP 6.1 on Fedora 20 (64 bit)
>
> After copying over the files to deployments and configuration, when I
> try to boot eap I get the following error
>
> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
> 1-8) JBAS015876: Starting deployment of "auth-server.war" (runtime-name:
> "auth-server.war")
> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
> 1-7) JBAS015876: Starting deployment of "keycloak-ds.xml" (runtime-name:
> "keycloak-ds.xml")
> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-2)
> JBAS017100: Listening on 127.0.0.1:9999
> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-1)
> JBAS017100: Listening on 127.0.0.1:4447
> 18:42:50,382 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
> service thread 1-4) JBAS010400: Bound data source
> [java:jboss/datasources/ExampleDS]
> 18:42:50,505 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
> service thread 1-2) JBAS010400: Bound data source
> [java:jboss/datasources/KeycloakDS]
> 18:42:51,658 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
> JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
> 18:42:51,659 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
> JBAS011401: Read persistence.xml for jpa-keycloak-audit-store
> 18:42:51,816 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3)
> MSC000001: Failed to start service
> jboss.module.service."deployment.auth-server.war".main:
> org.jboss.msc.service.StartException in service
> jboss.module.service."deployment.auth-server.war".main: JBAS018759:
> Failed to load module: deployment.auth-server.war:main
> at
> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:92)
> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
> at
> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
> at
> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_21]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_21]
> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
> Caused by: org.jboss.modules.ModuleNotFoundException: org.bouncycastle:main
> at org.jboss.modules.Module.addPaths(Module.java:949)
> [jboss-modules.jar:1.2.0.Final-redhat-1]
> at org.jboss.modules.Module.link(Module.java:1304)
> [jboss-modules.jar:1.2.0.Final-redhat-1]
> at org.jboss.modules.Module.relinkIfNecessary(Module.java:1332)
> [jboss-modules.jar:1.2.0.Final-redhat-1]
> at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:226)
> [jboss-modules.jar:1.2.0.Final-redhat-1]
> at
> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:71)
> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
> ... 5 more
>
>
> I know about the messed up WAR file that was accidentally uploaded but
> this WAR file was downloaded yesterday. Anyone have any idea on what I
> should try next?
>
> Thanks
> Steve
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From spousty at redhat.com Mon Jun 30 12:15:52 2014
From: spousty at redhat.com (Steven Pousty)
Date: Mon, 30 Jun 2014 09:15:52 -0700
Subject: [keycloak-user] Error with WAR deploy in JBoss EAP 6.1
In-Reply-To: <53B18AD7.4050004@redhat.com>
References: <53B188C6.2080701@redhat.com> <53B18AD7.4050004@redhat.com>
Message-ID: <53B18D38.40600@redhat.com>

Where do I get that - is it mentioned in the doc?

On 06/30/2014 09:05 AM, Bill Burke wrote:
> Install the EAP adapter. It has the bouncycastle module.
>
> On 6/30/2014 11:56 AM, Steven Pousty wrote:
>> Greetings all:
>> I am trying to do the war deploy in EAP 6.1 on Fedora 20 (64 bit)
>>
>> After copying over the files to deployments and configuration, when I
>> try to boot eap I get the following error
>>
>> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
>> 1-8) JBAS015876: Starting deployment of "auth-server.war" (runtime-name:
>> "auth-server.war")
>> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
>> 1-7) JBAS015876: Starting deployment of "keycloak-ds.xml" (runtime-name:
>> "keycloak-ds.xml")
>> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-2)
>> JBAS017100: Listening on 127.0.0.1:9999
>> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-1)
>> JBAS017100: Listening on 127.0.0.1:4447
>> 18:42:50,382 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
>> service thread 1-4) JBAS010400: Bound data source
>> [java:jboss/datasources/ExampleDS]
>> 18:42:50,505 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
>> service thread 1-2) JBAS010400: Bound data source
>> [java:jboss/datasources/KeycloakDS]
>> 18:42:51,658 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
>> JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>> 18:42:51,659 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
>> JBAS011401: Read persistence.xml for jpa-keycloak-audit-store
>> 18:42:51,816 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3)
>> MSC000001: Failed to start service
>> jboss.module.service."deployment.auth-server.war".main:
>> org.jboss.msc.service.StartException in service
>> jboss.module.service."deployment.auth-server.war".main: JBAS018759:
>> Failed to load module: deployment.auth-server.war:main
>> at
>> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:92)
>> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
>> at
>> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
>> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
>> at
>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
>> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [rt.jar:1.7.0_21]
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [rt.jar:1.7.0_21]
>> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
>> Caused by: org.jboss.modules.ModuleNotFoundException: org.bouncycastle:main
>> at org.jboss.modules.Module.addPaths(Module.java:949)
>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>> at org.jboss.modules.Module.link(Module.java:1304)
>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>> at org.jboss.modules.Module.relinkIfNecessary(Module.java:1332)
>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>> at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:226)
>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>> at
>> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:71)
>> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
>> ... 5 more
>>
>>
>> I know about the messed up WAR file that was accidentally uploaded but
>> this WAR file was downloaded yesterday. Anyone have any idea on what I
>> should try next?
>>
>> Thanks
>> Steve
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From spousty at redhat.com Mon Jun 30 17:12:33 2014
From: spousty at redhat.com (Steven Pousty)
Date: Mon, 30 Jun 2014 14:12:33 -0700
Subject: [keycloak-user] Error with WAR deploy in JBoss EAP 6.1
In-Reply-To: <53B18D38.40600@redhat.com>
References: <53B188C6.2080701@redhat.com> <53B18AD7.4050004@redhat.com> <53B18D38.40600@redhat.com>
Message-ID: <53B1D2C1.1080404@redhat.com>

Is this what you are talking about and shouldn't this be a bug if the normal install doesn't include this?

http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/ch07.html#d4e547

On 06/30/2014 09:15 AM, Steven Pousty wrote:
> Where do I get that - is it mentioned in the doc?
>
> On 06/30/2014 09:05 AM, Bill Burke wrote:
>> Install the EAP adapter. It has the bouncycastle module.
>>
>> On 6/30/2014 11:56 AM, Steven Pousty wrote:
>>> Greetings all:
>>> I am trying to do the war deploy in EAP 6.1 on Fedora 20 (64 bit)
>>>
>>> After copying over the files to deployments and configuration, when I
>>> try to boot eap I get the following error
>>>
>>> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
>>> 1-8) JBAS015876: Starting deployment of "auth-server.war" (runtime-name:
>>> "auth-server.war")
>>> 18:42:50,359 INFO [org.jboss.as.server.deployment] (MSC service thread
>>> 1-7) JBAS015876: Starting deployment of "keycloak-ds.xml" (runtime-name:
>>> "keycloak-ds.xml")
>>> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-2)
>>> JBAS017100: Listening on 127.0.0.1:9999
>>> 18:42:50,366 INFO [org.jboss.as.remoting] (MSC service thread 1-1)
>>> JBAS017100: Listening on 127.0.0.1:4447
>>> 18:42:50,382 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
>>> service thread 1-4) JBAS010400: Bound data source
>>> [java:jboss/datasources/ExampleDS]
>>> 18:42:50,505 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
>>> service thread 1-2) JBAS010400: Bound data source
>>> [java:jboss/datasources/KeycloakDS]
>>> 18:42:51,658 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
>>> JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
>>> 18:42:51,659 INFO [org.jboss.as.jpa] (MSC service thread 1-2)
>>> JBAS011401: Read persistence.xml for jpa-keycloak-audit-store
>>> 18:42:51,816 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3)
>>> MSC000001: Failed to start service
>>> jboss.module.service."deployment.auth-server.war".main:
>>> org.jboss.msc.service.StartException in service
>>> jboss.module.service."deployment.auth-server.war".main: JBAS018759:
>>> Failed to load module: deployment.auth-server.war:main
>>> at
>>> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:92)
>>> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
>>> at
>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
>>> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
>>> at
>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
>>> [jboss-msc-1.0.4.GA-redhat-1.jar:1.0.4.GA-redhat-1]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> [rt.jar:1.7.0_21]
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> [rt.jar:1.7.0_21]
>>> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
>>> Caused by: org.jboss.modules.ModuleNotFoundException: org.bouncycastle:main
>>> at org.jboss.modules.Module.addPaths(Module.java:949)
>>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>>> at org.jboss.modules.Module.link(Module.java:1304)
>>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>>> at org.jboss.modules.Module.relinkIfNecessary(Module.java:1332)
>>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>>> at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:226)
>>> [jboss-modules.jar:1.2.0.Final-redhat-1]
>>> at
>>> org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:71)
>>> [jboss-as-server-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
>>> ... 5 more
>>>
>>>
>>> I know about the messed up WAR file that was accidentally uploaded but
>>> this WAR file was downloaded yesterday. Anyone have any idea on what I
>>> should try next?
>>>
>>> Thanks
>>> Steve
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com Mon Jun 30 18:01:42 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 30 Jun 2014 19:01:42 -0300
Subject: [keycloak-user] Defining a new user password through REST API
Message-ID:

Hello again!

Is there a way for me to define a password for a user through the REST API without him having to define a new one on the next login?

The only method I found to be close to what I want was the one that resets the password, but I would like to redefine it without the user having anything to do with it. Is it possible?

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140630/68f20ec7/attachment.html